849 files changed, 58196 insertions, 17257 deletions

diff --git a/CHANGES b/CHANGES
index 8d1f22b..4f55ca2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,18 +1,258 @@
-	--- 9.4.3-P2 released ---
+
+	--- 9.6.1rc1 released ---
+
+2599.	[bug]		Address rapid memory growth when validation fails.
+			[RT #19654]
+
+2597.	[bug]		Handle a validation failure with a insecure delegation
+			from a NSEC3 signed master/slave zone.  [RT #19464]
+
+2596.	[bug]		Stale tree nodes of cache/dynamic rbtdb could stay
+			long, leading to inefficient memory usage or rejecting
+			newer cache entries in the worst case. [RT #19563]
+
+2595.	[bug]		Fix unknown extended rcodes in dig. [RT #19625]
+
+2592.	[bug]		Treat "any" as a type in nsupdate. [RT #19455]
+
+2591.	[bug]		named could die when processing a update in
+			removed_orphaned_ds(). [RT #19507]
+
+2588.	[bug]		SO_REUSEADDR could be set unconditionally after failure
+			of bind(2) call.  This should be rare and mostly
+			harmless, but may cause interference with other
+			processes that happen to use the same port. [RT #19642]
+
+2586.	[bug]		Missing cleanup of SIG rdataset in searching a DLZ DB
+			or SDB. [RT #19577]
+
+2585.	[bug]		Uninitialized socket name could be referenced via a
+			statistics channel, triggering an assertion failure in
+			XML rendering. [RT #19427]
+
+2584.	[bug]		alpha: gcc optimization could break atomic operations.
+			[RT #19227]
+
+2583.	[port]		netbsd: provide a control to not add the compile
+			date to the version string, -DNO_VERSION_DATE.
+
+2582.	[bug]		Don't emit warning log message when we attempt to
+			remove non-existant journal. [RT #19516]
 
 2579.	[bug]		DNSSEC lookaside validation failed to handle unknown
 			algorithms. [RT #19479]
 
-	--- 9.4.3-P1 released ---
+2578.	[bug]		Changed default sig-signing-type to 65534, because
+			65535 turns out to be reserved.  [RT #19477]
+
+2499.	[port]		solaris: lib/lwres/getaddrinfo.c namespace clash.
+			[RT #18837]
+
+	--- 9.6.1b1 released ---
+
+2577.	[doc]		Clarified some statistics counters. [RT #19454]
+
+2576.	[bug]		NSEC record were not being correctly signed when
+			a zone transitions from insecure to secure.
+			Handle such incorrectly signed zones. [RT #19114]
+
+2574.	[doc]		Document nsupdate -g and -o. [RT #19351]
+
+2573.	[bug]		Replacing a non-CNAME record with a CNAME record in a
+			single transaction in a signed zone failed. [RT #19397]
+
+2568.	[bug]		Report when the write to indicate a otherwise
+			successful start fails. [RT #19360]
+
+2567.	[bug]		dst__privstruct_writefile() could miss write errors.
+			write_public_key() could miss write errors.
+			dnssec-dsfromkey could miss write errors.
+			[RT #19360]
+
+2564.	[bug]		Only take EDNS fallback steps when processing timeouts.
+			[RT #19405]
+
+2563.	[bug]		Dig could leak a socket causing it to wait forever
+			to exit. [RT #19359]
+
+2562.	[doc]		ARM: miscellaneous improvements, reorganization,
+			and some new content.
+
+2561.	[doc]		Add isc-config.sh(1) man page. [RT #16378]
+
+2560.	[bug]		Add #include <config.h> to iptable.c. [RT #18258]
+
+2559.	[bug]		dnssec-dsfromkey could compute bad DS records when
+			reading from a K* files.  [RT #19357]
+
+2557.	[cleanup]	PCI compliance:
+			* new libisc log module file
+			* isc_dir_chroot() now also changes the working
+			  directory to "/".
+			* additional INSISTs
+			* additional logging when files can't be removed.
+
+2556.	[port]		Solaris: mkdir(2) on tmpfs filesystems does not do the
+			error checks in the correct order resulting in the
+			wrong error code sometimes being returned. [RT #19249]
+			
+2554.	[bug]		Validation of uppercase queries from NSEC3 zones could
+			fail. [RT #19297]
+
+2553.	[bug]		Reference leak on DNSSEC validation errors. [RT #19291]
+
+2552.	[bug]		zero-no-soa-ttl-cache was not being honoured.
+			[RT #19340]
+
+2551.	[bug]		Potential Reference leak on return. [RT #19341]
+
+2550.	[bug]		Check --with-openssl=<path> finds <openssl/opensslv.h>.
+			[RT #19343]
+
+2549.	[port]		linux: define NR_OPEN if not currently defined.
+			[RT #19344]
+
+2548.	[bug]		Install iterated_hash.h. [RT #19335]
+
+2547.	[bug]		openssl_link.c:mem_realloc() could reference an
+			out-of-range area of the source buffer.  New public
+			function isc_mem_reallocate() was introduced to address
+			this bug. [RT #19313]
+
+2545.	[doc]		ARM: Legal hostname checking (check-names) is
+			for SRV RDATA too. [RT #19304]
+
+2544.	[cleanup]	Removed unused structure members in adb.c. [RT #19225]
+
+2543.	[contrib]	Update contrib/zkt to version 0.98. [RT #19113]
+
+2542.	[doc]		Update the description of dig +adflag. [RT #19290]
+
+2541.	[bug]		Conditionally update dispatch manager statistics.
+			[RT #19247]
+
+2539.	[security]	Update the interaction between recursion, allow-query,
+			allow-query-cache and allow-recursion.  [RT #19198]
+
+2538.	[bug]		cache/ADB memory could grow over max-cache-size,
+			especially with threads and smaller max-cache-size
+			values. [RT #19240]
+
+2537.	[experimental]	Added more statistics counters including those on socket
+			I/O events and query RTT histograms. [RT #18802]
+
+2536.	[cleanup]	Silence some warnings when -Werror=format-security is
+			specified. [RT #19083]
+
+2535.	[bug]		dig +showsearh and +trace interacted badly. [RT #19091]
+
+2532.	[bug]		dig: check the question section of the response to
+			see if it matches the asked question. [RT #18495]
+
+2531.	[bug]		Change #2207 was incomplete. [RT #19098]
+
+2530.	[bug]		named failed to reject insecure to secure transitions
+			via UPDATE. [RT #19101]
+
+2529.	[cleanup]	Upgrade libtool to silence complaints from recent
+			version of autoconf. [RT #18657]
+
+2528.   [cleanup]       Silence spurious configure warning about
+                        --datarootdir [RT #19096]
+
+2527.	[bug]		named could reuse cache on reload with
+			enabling/disabling validation. [RT #19119]
+
+2525.	[experimental]	New logging category "query-errors" to provide detailed
+			internal information about query failures, especially
+			about server failures. [RT #19027]
+
+2524.	[port]		sunos: dnssec-signzone needs strtoul(). [RT #19129]
+
+2523.	[bug]		Random type rdata freed by dns_nsec_typepresent().
+			[RT #19112]
+
+2522.	[security]	Handle -1 from DSA_do_verify() and EVP_VerifyFinal().
+
+2521.	[bug]		Improve epoll cross compilation support. [RT #19047]
+
+2519.	[bug]		dig/host with -4 or -6 didn't work if more than two
+			nameserver addresses of the excluded address family
+			preceded in resolv.conf. [RT #19081]
+
+2517.	[bug]		dig +trace with -4 or -6 failed when it chose a
+			nameserver address of the excluded address.
+			[RT #18843]
+
+2516.	[bug]		glue sort for responses was performed even when not
+			needed. [RT #19039]
+
+2514.	[bug]		dig/host failed with -4 or -6 when resolv.conf contains
+			a nameserver of the excluded address family.
+			[RT #18848]
+
+2511.	[cleanup]	dns_rdata_tofmttext() add const to linebreak.
+			[RT #18885]
+
+2506.	[port]		solaris: Check at configure time if 
+			hack_shutup_pthreadonceinit is needed. [RT #19037]
+
+2505.	[port]		Treat amd64 similarly to x86_64 when determining
+			atomic operation support. [RT #19031]
+
+2503.	[port]		linux: improve compatibility with Linux Standard
+			Base. [RT #18793]
+
+2502.	[cleanup]	isc_radix: Improve compliance with coding style,
+			document function in <isc/radix.h>. [RT #18534]
+
+	--- 9.6.0 released ---
+
+2520.	[bug]		Update xml statistics version number to 2.0 as change
+			#2388 made the schema incompatible to the previous
+			version. [RT #19080]
+
+	--- 9.6.0rc2 released ---
+
+2515.	[port]		win32: build dnssec-dsfromkey and dnssec-keyfromlabel.
+			[RT #19063]
+
+2513	[bug]		Fix windows cli build. [RT #19062]
+
+2510.	[bug]		"dig +sigchase" could trigger REQUIRE failures.
+			[RT #19033]
+
+2509.	[bug]		Specifying a fixed query source port was broken.
+			[RT #19051]
+
+2504.	[bug]		Address race condition in the socket code. [RT #18899]
 
-2522.	[security]	Handle -1 from DSA_do_verify().
+	--- 9.6.0rc1 released ---
 
 2498.	[bug]		Removed a bogus function argument used with
 			ISC_SOCKET_USE_POLLWATCH: it could cause compiler
 			warning or crash named with the debug 1 level
 			of logging. [RT #18917]
 
-	--- 9.4.3 released ---
+2497.	[bug]		Don't add RRSIG bit to NSEC3 bit map for insecure
+			delegation.
+
+2496.	[bug]		Add sanity length checks to NSID option. [RT #18813]
+
+2495.	[bug]		Tighten RRSIG checks. [RT #18795]
+
+2494.	[bug]		isc/radix.h, dns/sdlz.h and dns/dlz.h were not being
+			installed. [RT #18826]
+
+2493.	[bug]		The linux capabilities code was not correctly cleaning
+			up after itself. [RT #18767]
+
+2492.	[func]		Rndc status now reports the number of cpus discovered
+			and the number of worker threads when running
+			multi-threaded. [RT #18273]
+
+2491.	[func]		Attempt to re-use a local port if we are already using
+			the port. [RT #18548]
 
 2490.	[port]		aix: work around a kernel bug where IPV6_RECVPKTINFO
 			is cleared when IPV6_V6ONLY is set. [RT #18785]
@@ -23,7 +263,58 @@
 			Define ISC_SOCKET_USE_POLLWATCH at build time to enable
 			this workaround. [RT #18870]
 
-	--- 9.4.3rc1 released ---
+2488.	[func]		Added a tool, dnssec-dsfromkey, to generate DS records
+			from keyset and .key files. [RT #18694]
+
+2487.	[bug]		Give TCP connections longer to complete. [RT #18675]
+
+2486.	[func]		The default locations for named.pid and lwresd.pid
+			are now /var/run/named/named.pid and
+			/var/run/lwresd/lwresd.pid respectively.
+
+			This allows the owner of the containing directory
+			to be set, for "named -u" support, and allows there
+			to be a permanent symbolic link in the path, for
+			"named -t" support.  [RT #18306]
+
+2485.	[bug]		Change update's the handling of obscured RRSIG
+			records.  Not all orphaned DS records were being
+			removed. [RT #18828]
+
+2484.	[bug]		It was possible to trigger a REQUIRE failure when
+			adding NSEC3 proofs to the response in
+			query_addwildcardproof().  [RT #18828]
+
+2483.	[port]		win32: chroot() is not supported. [RT #18805]
+
+2482.	[port]		libxml2: support versions 2.7.* in addition
+			to 2.6.*. [RT #18806]
+
+	--- 9.6.0b1 released ---
+
+2481.	[bug]		rbtdb.c:matchparams() failed to handle NSEC3 chain
+			collisions.  [RT #18812]
+
+2480.	[bug]		named could fail to emit all the required NSEC3
+			records.  [RT #18812]
+
+2479.	[bug]		xfrout:covers was not properly initialized. [RT #18801]
+
+2478.	[bug]		'addresses' could be used uninitialized in
+			configure_forward(). [RT #18800]
+	
+2477.	[bug]		dig: the global option to print the command line is
+			+cmd not print_cmd.  Update the output to reflect
+			this. [RT #17008]
+
+2476.	[doc]		ARM: improve documentation for max-journal-size and
+			ixfr-from-differences. [RT #15909] [RT #18541]
+
+2475.	[bug]		LRU cache cleanup under overmem condition could purge
+			particular entries more aggressively. [RT #17628]
+
+2474.	[bug]		ACL structures could be allocated with insufficient
+			space, causing an array overrun. [RT #18765]
 
 2473.	[port]		linux: raise the limit on open files to the possible
 			maximum value before spawning threads; 'files'
@@ -33,9 +324,12 @@
 2472.	[port]		linux: check the number of available cpu's before
 			calling chroot as it depends on "/proc". [RT #16923]
 
-2471.	[bug]		named-checkzone was not reporting missing manditory
+2471.	[bug]		named-checkzone was not reporting missing mandatory
 			glue when sibling checks were disabled. [RT #18768]
 
+2470.	[bug]		Elements of the isc_radix_node_t could be incorrectly
+			overwritten.  [RT# 18719]
+
 2469.	[port]		solaris: Work around Solaris's select() limitations.
 			[RT #18769]
 
@@ -50,10 +344,14 @@
 2465.	[bug]		Adb's handling of lame addresses was different
 			for IPv4 and IPv6. [RT #18738]
 
+2464.	[port]		linux: check that a capability is present before
+			trying to set it. [RT #18135]
+
 2463.   [port]          linux: POSIX doesn't include the IPv6 Advanced Socket
 			API and glibc hides parts of the IPv6 Advanced Socket
 			API as a result.  This is stupid as it breaks how the
-			two halves (Basic and Advanced) of the IPv6 Socket API				were designed to be used but we have to live with it.
+			two halves (Basic and Advanced) of the IPv6 Socket API
+			were designed to be used but we have to live with it.
 			Define _GNU_SOURCE to pull in the IPv6 Advanced Socket
 			API. [RT #18388]
 
@@ -62,17 +360,48 @@
 
 2461.	[port]		sunos: Change #2363 was not complete. [RT #17513]
 
+	--- 9.6.0a1 released ---
+
+2460.	[bug]		Don't call dns_db_getnsec3parameters() on the cache.
+			[RT #18697]
+
+2459.	[contrib]	Import dnssec-zkt to contrib/zkt. [RT #18448]
+
 2458.	[doc]		ARM: update and correction for max-cache-size.
 			[RT #18294]
 
-2455.	[bug]		Stop metadata being transfered via axfr/ixfr.
+2457.	[tuning]	max-cache-size is reverted to 0, the previous
+			default.  It should be safe because expired cache
+			entries are also purged. [RT #18684]
+
+2456.	[bug]		In ACLs, ::/0 and 0.0.0.0/0 would both match any
+			address, regardless of family.  They now correctly
+			distinguish IPv4 from IPv6.  [RT #18559]
+                        
+2455.	[bug]		Stop metadata being transferred via axfr/ixfr.
 			[RT #18639]
 
+2454.	[func]		nsupdate: you can now set a default ttl. [RT #18317]
+
 2453.	[bug]		Remove NULL pointer dereference in dns_journal_print().
 			[RT #18316]
 
-2449.	[bug]		libbind: Out of bounds reference in dns_ho.c:addrsort.
-			[RT #18044]
+2452.	[func]		Improve bin/test/journalprint. [RT #18316]
+
+2451.	[port]		solaris: handle runtime linking better. [RT #18356]
+
+2450.	[doc]		Fix lwresd docbook problem for manual page.
+			[RT #18672]
+
+2449.	[placeholder]
+
+2448.	[func]		Add NSEC3 support. [RT #15452]
+
+2447.	[cleanup]	libbind has been split out as a separate product.
+
+2446.	[func]		Add a new log message about build options on startup.
+			A new command-line option '-V' for named is also
+			provided to show this information. [RT# 18645]
 
 2445.	[doc]		ARM out-of-date on empty reverse zones (list includes
 			RFC1918 address, but these are not yet compiled in).
@@ -81,31 +410,46 @@
 2444.	[port]		Linux, FreeBSD, AIX: Turn off path mtu discovery
 			(clear DF) for UDP responses and requests.
 
-	--- 9.4.3b3 released ---
-
 2443.	[bug]		win32: UDP connect() would not generate an event,
 			and so connected UDP sockets would never clean up.
 			Fix this by doing an immediate WSAConnect() rather
 			than an io completion port type for UDP.
 
-2438.	[bug]		Timeouts could be logged incorrectly under win32.
-			[RT #18617]
+2442.	[bug]		A lock could be destroyed twice. [RT# 18626]
+
+2441.   [bug]           isc_radix_insert() could copy radix tree nodes
+			incompletely. [RT #18573]
+
+2440.   [bug]		named-checkconf used an incorrect test to determine
+			if an ACL was set to none.
+
+2439.   [bug]		Potential NULL dereference in dns_acl_isanyornone().
+			[RT #18559]
+
+2438.   [bug]		Timeouts could be logged incorrectly under win32.
 
 2437.	[bug]		Sockets could be closed too early, leading to
 			inconsistent states in the socket module. [RT #18298]
 
 2436.	[security]	win32: UDP client handler can be shutdown. [RT #18576]
 
+2435.	[bug]		Fixed an ACL memory leak affecting win32.
+
+2434.	[bug]		Fixed a minor error-reporting bug in
+			lib/isc/win32/socket.c.
+
 2433.	[tuning]	Set initial timeout to 800ms.
 
-2432.	[bug]		More Windows socket handling improvements.  Stop
+2432.   [bug]		More Windows socket handling improvements.  Stop
 			using I/O events and use IO Completion Ports
 			throughout.  Rewrite the receive path logic to make
 			it easier to support multiple simultaneous
-			requestrs in the future.  Add stricter consistency
+			requesters in the future.  Add stricter consistency
 			checking as a compile-time option (define
 			ISC_SOCKET_CONSISTENCY_CHECKS; defaults to off).
 
+2431.	[bug]		Acl processing could leak memory. [RT #18323]
+
 2430.	[bug]		win32: isc_interval_set() could round down to
 			zero if the input was less than NS_INTERVAL
 			nanoseconds.  Round up instead. [RT #18549]
@@ -113,8 +457,14 @@
 2429.	[doc]		nsupdate should be in section 1 of the man pages.
 			[RT #18283]
 
+2428.	[bug]		dns_iptable_merge() mishandled merges of negative
+			tables. [RT #18409]
+
+2427.	[func]		Treat DNSKEY queries as if "minimal-response yes;"
+			was set. [RT #18528]
+
 2426.	[bug]		libbind: inet_net_pton() can sometimes return the
-			wrong value if excessively large netmasks are
+			wrong value if excessively large net masks are
 			supplied. [RT #18512]
 
 2425.	[bug]		named didn't detect unavailable query source addresses
@@ -125,6 +475,12 @@
 			epoll and /dev/poll to be selected at compile
 			time. [RT #18277]
 			
+2423.   [security]	Randomize server selection on queries, so as to
+                        make forgery a little more difficult.  Instead of
+                        always preferring the server with the lowest RTT,
+                        pick a server with RTT within the same 128
+                        millisecond band.  [RT #18441]
+
 2422.	[bug]		Handle the special return value of a empty node as
 			if it was a NXRRSET in the validator. [RT #18447]
 
@@ -133,13 +489,20 @@
 			Use caution: this option may not work for some
 			operating systems without rebuilding named.
 
-2420.	[bug]		Windows socket handling cleanup.  Let the io
-			completion event send out cancelled read/write
-			done events, which keeps us from writing to memeory
+2420.   [bug]		Windows socket handling cleanup.  Let the io
+			completion event send out canceled read/write
+			done events, which keeps us from writing to memory
 			we no longer have ownership of.  Add debugging
 			socket_log() function.  Rework TCP socket handling
 			to not leak sockets.
 
+2419.	[cleanup]	Document that isc_socket_create() and isc_socket_open()
+			should not be used for isc_sockettype_fdwatch sockets.
+			[RT #18521]
+
+2418.	[bug]		AXFR request on a DLZ could trigger a REQUIRE failure
+			[RT #18430]
+
 2417.	[bug]		Connecting UDP sockets for outgoing queries could
 			unexpectedly fail with an 'address already in use'
 			error. [RT #18411]
@@ -147,26 +510,42 @@
 2416.	[func]		Log file descriptors that cause exceeding the
 			internal maximum. [RT #18460]
 
+2415.	[bug]		'rndc dumpdb' could trigger various assertion failures
+			in rbtdb.c. [RT #18455]
+
 2414.	[bug]		A masterdump context held the database lock too long,
 			causing various troubles such as dead lock and
 			recursive lock acquisition. [RT #18311, #18456]
 
 2413.	[bug]		Fixed an unreachable code path in socket.c. [RT #18442]
 
-2412.	[bug]		win32: address a resourse leak. [RT #18374]
+2412.	[bug]		win32: address a resource leak. [RT #18374]
 
 2411.	[bug]		Allow using a larger number of sockets than FD_SETSIZE
 			for select().  To enable this, set ISC_SOCKET_MAXSOCKETS
 			at compilation time.  [RT #18433]
 
+			Note: with changes #2469 and #2421 above, there is no
+			need to tweak ISC_SOCKET_MAXSOCKETS at compilation time
+			any more.
+
 2410.	[bug]		Correctly delete m_versionInfo. [RT #18432]
 
+2409.	[bug]		Only log that we disabled EDNS processing if we were
+			subsequently successful.  [RT #18029]
+
 2408.	[bug]		A duplicate TCP dispatch event could be sent, which
 			could then trigger an assertion failure in
 			resquery_response().  [RT #18275]
 
 2407.	[port]		hpux: test for sys/dyntune.h. [RT #18421]
 
+2406.	[placeholder]
+
+2405.   [cleanup]       The default value for dnssec-validation was changed to
+                        "yes" in 9.5.0-P1 and all subsequent releases; this
+                        was inadvertently omitted from CHANGES at the time.
+
 2404.	[port]		hpux: files unlimited support.
 
 2403.	[bug]		TSIG context leak. [RT #18341]
@@ -176,13 +555,17 @@
 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
 			(from accept() or fcntl() system calls). [RT #18358]
 
-2399.	[bug]		Abort timeout queries to reduce the number of open
-			UDP sockets. [RT #18367]
+2400.	[bug]		Log if kqueue()/epoll_create()/open(/dev/poll) fails.
+			[RT #18297]
+
+2399.	[placeholder]
 
 2398.	[bug]           Improve file descriptor management.  New,
 			temporary, named.conf option reserved-sockets,
 			default 512. [RT #18344]
 
+2397.	[bug]		gssapi_functions had too many elements. [RT #18355]
+
 2396.	[bug]		Don't set SO_REUSEADDR for randomized ports.
 			[RT #18336]
 
@@ -193,35 +576,42 @@
 			open files to 'unlimited' as described in the
 			documentation. [RT #18331]
 
+2393.	[bug]		nested acls containing keys could trigger an
+			assertion in acl.c. [RT #18166]
+
 2392.	[bug]		remove 'grep -q' from acl test script, some platforms
 			don't support it. [RT #18253]
 
-2391	[port]		hpux: cover additional recvmsg() error codes.
+2391.	[port]		hpux: cover additional recvmsg() error codes.
 			[RT #18301]
 
-2390	[bug]		dispatch.c could make a false warning on 'odd socket'.
+2390.	[bug]		dispatch.c could make a false warning on 'odd socket'.
 			[RT #18301].
 
-2389	[bug]		Move the "working directory writable" check to after
+2389.	[bug]		Move the "working directory writable" check to after
 			the ns_os_changeuser() call. [RT #18326]
 
+2388.	[bug]		Avoid using tables for layout purposes in
+			statistics XSL [RT #18159].
+
+2387.	[bug]		Silence compiler warnings in lib/isc/radix.c.
+			[RT #18147] [RT #18258]
+
 2386.	[func]		Add warning about too small 'open files' limit.
 			[RT #18269]
 
-	--- 9.4.3b2 released ---
-
 2385.	[bug]		A condition variable in socket.c could leak in
 			rare error handling [RT #17968].
 
-2384.	[security]	Additional support for query port randomization (change
-			#2375) including performance improvement and port range
-			specification.  [RT #17949, #18098]
+2384.	[security]	Fully randomize UDP query ports to improve
+			forgery resilience. [RT #17949, #18098]
 
 2383.	[bug]		named could double queries when they resulted in
 			SERVFAIL due to overkilling EDNS0 failure detection.
 			[RT #18182]
 
-2382.	[doc]		Add descriptions of IPSECKEY, SPF and SSHFP to ARM.
+2382.	[doc]		Add descriptions of DHCID, IPSECKEY, SPF and SSHFP
+			to ARM.
 
 2381.	[port]		dlz/mysql: support multiple install layouts for
 			mysql.  <prefix>/include/{,mysql/}mysql.h and
@@ -235,41 +625,104 @@
 2379.	[contrib]	queryperf/gen-data-queryperf.py: removed redundant
 			TLDs and supported RRs with TTLs [RT #17972]
 
+2378.	[bug]		gssapi_functions{} had a redundant member in BIND 9.5.
+			[RT #18169]
+
 2377.	[bug]		Address race condition in dnssec-signzone. [RT #18142]
 
 2376.	[bug]		Change #2144 was not complete.
 
-2375.	[security]	Fully randomize UDP query ports to improve
-			forgery resilience. [RT #17949]
+2375.	[placeholder]
+
+2374.	[bug]		"blackhole" ACLs could cause named to segfault due
+			to some uninitialized memory. [RT #18095]
+
+2373.	[bug]		Default values of zone ACLs were re-parsed each time a
+			new zone was configured, causing an overconsumption
+			of memory. [RT #18092]
+
+2372.	[bug]		Fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
 
-2372.	[bug]		fixed incorrect TAG_HMACSHA256_BITS value [RT #18047]
+2371.	[doc]		Add +nsid option to dig man page. [RT #18039]
+
+2370.	[bug]		"rndc freeze" could trigger an assertion in named
+			when called on a nonexistent zone. [RT #18050]
 
 2369.	[bug]		libbind: Array bounds overrun on read in bitncmp().
 			[RT #18054]
 
+2368.	[port]		Linux: use libcap for capability management if
+			possible. [RT# 18026]
+
+2367.	[bug]		Improve counting of dns_resstatscounter_retry
+			[RT #18030]
+
+2366.	[bug]		Adb shutdown race. [RT #18021]
+
+2365.	[bug]		Fix a bug that caused dns_acl_isany() to return
+			spurious results. [RT #18000]
+
 2364.	[bug]		named could trigger a assertion when serving a
 			malformed signed zone. [RT #17828]
 
 2363.	[port]		sunos: pre-set "lt_cv_sys_max_cmd_len=4096;".
 			[RT #17513]
 
+2362.   [cleanup]	Make "rrset-order fixed" a compile-time option.
+			settable by "./configure --enable-fixed-rrset".
+			Disabled by default. [RT #17977]
+
 2361.	[bug]		"recursion" statistics counter could be counted
 			multiple times for a single query.  [RT #17990]
 
-	--- 9.4.3b1 released ---
+2360.	[bug]		Fix a condition where we release a database version
+			(which may acquire a lock) while holding the lock.
+
+2359.	[bug]		Fix NSID bug. [RT #17942]
 
 2358.	[doc]		Update host's default query description. [RT #17934]
 
+2357.	[port]		Don't use OpenSSL's engine support in versions before
+			OpenSSL 0.9.7f. [RT #17922]
+
 2356.	[bug]		Built in mutex profiler was not scalable enough.
 			[RT #17436]
 
-2353.	[func]		libbind: nsid support. [RT #17091]
+2355.	[func]		Extend the number statistics counters available.
+			[RT #17590]
+
+2354.	[bug]		Failed to initialize some rdatasetheader_t elements.
+			[RT #17927]
+
+2353.	[func]		Add support for Name Server ID (RFC 5001).
+			'dig +nsid' requests NSID from server.
+			'request-nsid yes;' causes recursive server to send
+			NSID requests to upstream servers.  Server responds
+			to NSID requests with the string configured by
+			'server-id' option.  [RT #17091]
+
+2352.	[bug]		Various GSS_API fixups. [RT #17729]
+
+2351.	[bug]		convertxsl.pl generated very long lines. [RT #17906]
 
 2350.	[port]		win32: IPv6 support. [RT #17797]
 
+2349.	[func]		Provide incremental re-signing support for secure
+			dynamic zones. [RT #1091]
+
+2348.	[func]		Use the EVP interface to OpenSSL. Add PKCS#11 support.
+			Documentation is in the new README.pkcs11 file.
+			New tool, dnssec-keyfromlabel, which takes the
+			label of a key pair in a HSM and constructs a DNS
+			key pair for use by named and dnssec-signzone.
+			[RT #16844]
+
 2347.	[bug]		Delete now traverses the RB tree in the canonical
 			order. [RT #17451]
 
+2346.	[func]		Memory statistics now cover all active memory contexts
+			in increased detail. [RT #17580]
+
 2345.	[bug]		named-checkconf failed to detect when forwarders
 			were set at both the options/view level and in
 			a root zone. [RT #17671]
@@ -280,6 +733,8 @@
 2343.	[bug]		(Seemingly) duplicate IPv6 entries could be
 			created in ADB. [RT #17837]
 
+2342.	[func]		Use getifaddrs() if available under Linux. [RT #17224]
+
 2341.	[bug]		libbind: add missing -I../include for off source
 			tree builds. [RT #17606]
 
@@ -292,12 +747,16 @@
 
 2337.	[bug]		BUILD_LDFLAGS was not being correctly set.  [RT #17614]
 
-2335.	[port]		sunos:  libbind and *printf() support for long long.
+2336.	[func]		If "named -6" is specified then listen on all IPv6
+			interfaces if there are not listen-on-v6 clauses in
+			named.conf.  [RT #17581]
+
+2335.	[port]		sunos:  libbind and *printf() support for long long. 
 			[RT #17513]
 
 2334.	[bug]		Bad REQUIRES in fromstruct_in_naptr(),  off by one
 			bug in fromstruct_txt(). [RT #17609]
-
+			
 2333.	[bug]		Fix off by one error in isc_time_nowplusinterval().
 			[RT #17608]
 
@@ -321,21 +780,40 @@
 			J.ROOT-SERVERS.NET, K.ROOT-SERVERS.NET and
 			M.ROOT-SERVERS.NET.
 
+2327.	[bug]		It was possible to dereference a NULL pointer in
+			rbtdb.c.  Implement dead node processing in zones as
+			we do for caches. [RT #17312]
+
 2326.	[bug]		It was possible to trigger a INSIST in the acache
 			processing.
 
 2325.	[port]		Linux: use capset() function if available. [RT #17557]
 
+2324.	[bug]		Fix IPv6 matching against "any;". [RT #17533]
+
 2323.	[port]		tru64: namespace clash. [RT #17547]
 
 2322.	[port]		MacOS: work around the limitation of setrlimit()
 			for RLIMIT_NOFILE. [RT #17526]
 
-2319.	[bug]		Silence Coverity warnings in
+2321.	[placeholder]
+
+2320.	[func]		Make statistics counters thread-safe for platforms
+			that support certain atomic operations. [RT #17466]
+
+2319.	[bug]		Silence Coverity warnings in 
 			lib/dns/rdata/in_1/apl_42.c. [RT #17469]
 
 2318.	[port]		sunos fixes for libbind.  [RT #17514]
 
+2317.	[bug]		"make distclean" removed bind9.xsl.h. [RT #17518]
+
+2316.	[port]		Missing #include <isc/print.h> in lib/dns/gssapictx.c.
+			[RT #17513]
+
+2315.   [bug]           Used incorrect address family for mapped IPv4
+                        addresses in acl.c. [RT #17519]
+
 2314.	[bug]		Uninitialized memory use on error path in
 			bin/named/lwdnoop.c.  [RT #17476]
 
@@ -345,11 +823,15 @@
 2312.	[cleanup]	Silence Coverity warning in lib/isc/unix/socket.c.
 			[RT #17458]
 
-2311.	[func]		Update ACL regression test. [RT #17462]
+2311.   [bug]           IPv6 addresses could match IPv4 ACL entries and
+                        vice versa. [RT #17462]
 
 2310.	[bug]		dig, host, nslookup: flush stdout before emitting
 			debug/fatal messages.  [RT #17501]
 
+2309.   [cleanup]       Fix Coverity warnings in lib/dns/acl.c and iptable.c.
+                        [RT #17455]
+
 2308.	[cleanup]	Silence Coverity warning in bin/named/controlconf.c.
 			[RT #17495]
 
@@ -371,7 +853,7 @@
 2301.	[bug]		Remove resource leak and fix error messages in
 			bin/tests/system/lwresd/lwtest.c. [RT #17474]
 
-2300.	[bug]		Fixed failure to close open file in
+2300.	[bug]		Fixed failure to close open file in 
 			bin/tests/names/t_names.c. [RT #17473]
 
 2299.	[bug]		Remove unnecessary NULL check in
@@ -389,22 +871,39 @@
 2295.	[bug]		Silence static overrun error in bin/named/lwaddr.c.
 			[RT #17459]
 
+2294.	[func]		Allow the experimental statistics channels to have
+			multiple connections and ACL.
+			Note: the stats-server and stats-server-v6 options
+			available in the previous beta releases are replaced
+			with the generic statistics-channels statement.
+
 2293.	[func]		Add ACL regression test. [RT #17375]
 
 2292.	[bug]		Log if the working directory is not writable.
 			[RT #17312]
 
-2291.	[bug]		PR_SET_DUMPABLE may be set too late.  Also report
+2291.   [bug]           PR_SET_DUMPABLE may be set too late.  Also report
 			failure to set PR_SET_DUMPABLE. [RT #17312]
 
 2290.	[bug]		Let AD in the query signal that the client wants AD
 			set in the response. [RT #17301]
 
+2289.	[func]		named-checkzone now reports the out-of-zone CNAME
+			found. [RT #17309]
+
 2288.	[port]		win32: mark service as running when we have finished
 			loading.  [RT #17441]
 
 2287.	[bug]		Use 'volatile' if the compiler supports it. [RT #17413]
 
+2286.	[func]		Allow a TCP connection to be used as a weak
+			authentication method for reverse zones.
+			New update-policy methods tcp-self and 6to4-self.
+			[RT #17378]
+
+2285.	[func]		Test framework for client memory context management.
+			[RT #17377]
+
 2284.	[bug]		Memory leak in UPDATE prerequisite processing.
 			[RT #17377]
 
@@ -413,7 +912,15 @@
 			memory context rather than the clients memory
 			context. [RT #17377]
 
-2279.	[bug]		Use setsockopt(SO_NOSIGPIPE), when available,
+2282.	[bug]		Acl code fixups. [RT #17346] [RT #17374]
+
+2281.	[bug]		Attempts to use undefined acls were not being logged.
+			[RT #17307]
+
+2280.	[func]		Allow the experimental http server to be reached
+			over IPv6 as well as IPv4. [RT #17332]
+
+2279.   [bug]           Use setsockopt(SO_NOSIGPIPE), when available,
 			to protect applications from receiving spurious
 			SIGPIPE signals when using the resolver.
 
@@ -423,12 +930,21 @@
 2277.	[bug]		Empty zone names were not correctly being caught at
 			in the post parse checks. [RT #17357]
 
+2276.	[bug]		Install <dst/gssapi.h>.  [RT# 17359]
+
+2275.	[func]		Add support to dig to perform IXFR queries over UDP.
+			[RT #17235]
+
+2274.	[func]		Log zone transfer statistics. [RT #17336]
+
 2273.	[bug]		Adjust log level to WARNING when saving inconsistent
 			stub/slave master and journal files. [RT# 17279]
 
 2272.	[bug]		Handle illegal dnssec-lookaside trust-anchor names.
 			[RT #17262]
 
+2271.	[bug]		Fix a memory leak in http server code [RT #17100]
+
 2270.	[bug]		dns_db_closeversion() version->writer could be reset
 			before it is tested. [RT #17290]
 
@@ -437,6 +953,12 @@
 2268.	[bug]		0.IN-ADDR.ARPA was missing from the empty zones
 			list.
 
+	--- 9.5.0b1 released ---
+
+2267.   [bug]           Radix tree node_num value could be set incorrectly,
+                        causing positive ACL matches to look like negative
+                        ones.  [RT #17311]
+
 2266.	[bug]		client.c:get_clientmctx() returned the same mctx
 			once the pool of mctx's was filled. [RT #17218]
 
@@ -451,21 +973,14 @@
 2262.	[bug]		Error status from all but the last view could be
 			lost. [RT #17292]
 
-2260.	[bug]		Reported wrong clients-per-query when increasing the
-			value. [RT #17236]
-
-2247.	[doc]		Sort doc/misc/options. [RT #17067]
+2261.   [bug]           Fix memory leak with "any" and "none" ACLs [RT #17272]
 
-2246.	[bug]		Make the startup of test servers (ans.pl) more
-			robust. [RT #17147]
-
-	--- 9.4.2 released ---
+2260.	[bug]		Reported wrong clients-per-query when increasing the
+                        value. [RT #17236]
 
-	--- 9.4.2rc2 released ---
+2259.	[placeholder]
 
-2259.	[bug]		Reverse incorrect LIBINTERFACE bump of libisc
-			in 9.4.2rc1.  Applications built against 9.4.2rc1
-			will need to be rebuilt.
+	--- 9.5.0a7 released ---
 
 2258.	[bug]		Fallback from IXFR/TSIG to SOA/AXFR/TSIG broken.
 			[RT #17241]
@@ -483,20 +998,52 @@
 			intermediate values as timer->idle was reset by
 			isc_timer_touch(). [RT #17243]
 
-	--- 9.4.2rc1 released ---
+2253.	[func]	 	"max-cache-size" defaults to 32M.
+			"max-acache-size" defaults to 16M.
 
-2251.	[doc]		Update memstatistics-file documentation to reflect
-			reality. Note there is behaviour change for BIND 9.5.
-			[RT #17113]
+2252.   [bug]           Fixed errors in sortlist code [RT #17216]
 
-2249.	[bug]		Only set Authentic Data bit if client requested
-			DNSSEC, per RFC 3655 [RT #17175]
+2251.	[placeholder]
+
+2250.	[func]		New flag 'memstatistics' to state whether the
+			memory statistics file should be written or not.
+			Additionally named's -m option will cause the
+			statistics file to be written. [RT #17113]
+			
+2249.   [bug]           Only set Authentic Data bit if client requested
+                        DNSSEC, per RFC 3655 [RT #17175]
 
-2248.	[cleanup]	Fix several errors reported by Coverity. [RT #17160]
+2248.   [cleanup]       Fix several errors reported by Coverity. [RT #17160]
+
+2247.	[doc]		Sort doc/misc/options. [RT #17067]
+
+2246.	[bug]		Make the startup of test servers (ans.pl) more
+			robust. [RT #17147]
 
 2245.	[bug]		Validating lack of DS records at trust anchors wasn't
 			working. [RT #17151]
 
+2244.	[func]		Allow the check of nameserver names against the
+			SOA MNAME field to be disabled by specifying
+			'notify-to-soa yes;'.  [RT #17073]
+
+2243.	[func]		Configuration files without a newline at the end now
+			parse without error. [RT #17120]
+
+2242.	[bug]		nsupdate: GSS-TSIG support using the Heimdal Kerberos
+			library could require a source of random data.
+			[RT #17127]
+
+2241.	[func]		nsupdate: add a interactive 'help' command. [RT #17099]
+
+2240.	[bug]		Cleanup nsupdates GSS-TSIG support.  Convert
+			a number of INSIST()s into plain fatal() errors
+			which report the triggering result code.
+			The 'key' command wasn't disabling GSS-TSIG.
+			[RT #17099]
+
+2239.	[func]		Ship a pre built bin/named/bind9.xsl.h. [RT #17114]
+
 2238.	[bug]		It was possible to trigger a REQUIRE when a
 			validation was canceled. [RT #17106]
 
@@ -507,7 +1054,11 @@
 
 2235.	[bug]		<isc/atomic.h> was not being installed. [RT #17135]
 
-2234.	[port]		Correct some compiler warnings on SCO OSr5 [RT #17134]
+2234.   [port]          Correct some compiler warnings on SCO OSr5 [RT #17134]
+  
+2233.   [func]          Add support for O(1) ACL processing, based on
+                        radix tree code originally written by Kevin
+                        Brintnall. [RT #16288]
 
 2232.	[bug]		dns_adb_findaddrinfo() could fail and return
 			ISC_R_SUCCESS. [RT #17137]
@@ -518,34 +1069,44 @@
 2230.	[bug]		We could INSIST reading a corrupted journal.
 			[RT #17132]
 
+2229.	[bug]		Null pointer dereference on query pool creation
+			failure. [RT #17133]
+
 2228.	[contrib]	contrib: Change 2188 was incomplete.
 
 2227.	[cleanup]	Tidied up the FAQ. [RT #17121]
 
+2226.	[placeholder]
+
 2225.	[bug]		More support for systems with no IPv4 addresses.
-			[RT #17111]
+		        [RT #17111]
 
 2224.	[bug]		Defer journal compaction if a xfrin is in progress.
 			[RT #17119]
 
 2223.	[bug]		Make a new journal when compacting. [RT #17119]
 
+2222.	[func]		named-checkconf now checks server key references.
+		        [RT #17097]
+
 2221.	[bug]		Set the event result code to reflect the actual
-			record returned to caller when a cache update is
+			record turned to caller when a cache update is
 			rejected due to a more credible answer existing.
 			[RT #17017]
 
 2220.	[bug]		win32: Address a race condition in final shutdown of
 			the Windows socket code. [RT #17028]
-
+			
 2219.	[bug]		Apply zone consistency checks to additions, not
 			removals, when updating. [RT #17049]
 
 2218.	[bug]		Remove unnecessary REQUIRE from dns_validator_create().
 			[RT #16976]
 
+2217.	[func]		Adjust update log levels. [RT #17092]
+
 2216.	[cleanup]	Fix a number of errors reported by Coverity.
-			[RT #17094]
+		        [RT #17094]
 
 2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
 
@@ -559,6 +1120,9 @@
 2212.	[func]		'host -m' now causes memory statistics and active
 			memory to be printed at exit. [RT 17028]
 
+2211.	[func]		Update "dynamic update temporarily disabled" message.
+			[RT #17065]
+
 2210.	[bug]		Deleting class specific records via UPDATE could
 			fail.  [RT #17074]
 
@@ -572,7 +1136,7 @@
 2207.	[port]		Some implementations of getaddrinfo() fail to set
 			ai_canonname correctly. [RT #17061]
 
-	--- 9.4.2b1 released ---
+	--- 9.5.0a6 released ---
 
 2206.	[security]	"allow-query-cache" and "allow-recursion" now
 			cross inherit from each other.
@@ -588,15 +1152,21 @@
 			localhost;) is used.
 
 			[RT #16987]
-
+	
 2205.	[bug]		libbind: change #2119 broke thread support. [RT #16982]
 
+2204.	[bug]		"rndc flushanme name unknown-view" caused named
+			to crash. [RT #16984]
+
 2203.	[security]	Query id generation was cryptographically weak.
 			[RT # 16915]
 
 2202.	[security]	The default acls for allow-query-cache and
 			allow-recursion were not being applied. [RT #16960]
 
+2201.	[bug]		The build failed in a separate object directory.
+			[RT #16943]
+
 2200.	[bug]		The search for cached NSEC records was stopping to
 			early leading to excessive DLV queries. [RT #16930]
 
@@ -613,8 +1183,13 @@
 2196.	[port]		win32: yield processor while waiting for once to
 			to complete. [RT #16958]
 
+2195.	[func]		dnssec-keygen now defaults to nametype "ZONE"
+			when generating DNSKEYs. [RT #16954]
+
 2194.	[bug]		Close journal before calling 'done' in xfrin.c.
 
+	--- 9.5.0a5 released ---
+
 2193.	[port]		win32: BINDInstall.exe is now linked statically.
 			[RT #16906]
 
@@ -622,6 +1197,17 @@
 			Studio's redistributable dlls if building with
 			Visual Stdio 2005 or later.
 
+2191.	[func]		named-checkzone now allows dumping to stdout (-).
+			named-checkconf now has -h for help.
+			named-checkzone now has -h for help.
+			rndc now has -h for help.
+			Better handling of '-?' for usage summaries.
+			[RT #16707]
+
+2190.	[func]		Make fallback to plain DNS from EDNS due to timeouts
+			more visible.  New logging category "edns-disabled".
+			[RT #16871]
+
 2189.	[bug]		Handle socket() returning EINTR. [RT #15949]
 
 2188.	[contrib]	queryperf: autoconf changes to make the search for
@@ -637,6 +1223,9 @@
 2185.	[port]		sunos: libbind: check for ssize_t, memmove() and
 			memchr(). [RT #16463]
 
+2184.	[bug]		bind9.xsl.h didn't build out of the source tree.
+			[RT #16830]
+
 2183.	[bug]		dnssec-signzone didn't handle offline private keys
 			well.  [RT #16832]
 
@@ -649,6 +1238,9 @@
 2180.	[cleanup]	Remove bit test from 'compress_test' as they
 			are no longer needed. [RT #16497]
 
+2179.	[func]		'rndc command zone' will now find 'zone' if it is
+			unique to all the views. [RT #16821]
+
 2178.	[bug]		'rndc reload' of a slave or stub zone resulted in
 			a reference leak. [RT #16867]
 
@@ -667,6 +1259,11 @@
 2173.	[port]		win32: When compiling with MSVS 2005 SP1 we also
 			need to ship Microsoft.VC80.MFCLOC.
 
+	--- 9.5.0a4 released ---
+
+2172.	[bug]		query_addsoa() was being called with a non zone db.
+			[RT #16834]
+
 2171.	[bug]		Handle breaks in DNSSEC trust chains where the parent
 			servers are not DS aware (DS queries to the parent
 			return a referral to the child).
@@ -683,27 +1280,43 @@
 2167.	[bug]		When re-using a automatic zone named failed to
 			attach it to the new view. [RT #16786]
 
+	--- 9.5.0a3 released ---
+
 2166.	[bug]		When running in batch mode, dig could misinterpret
 			a server address as a name to be looked up, causing
 			unexpected output. [RT #16743]
 
-2164.	[bug]		The code to determine how named-checkzone /
+2165.	[func]		Allow the destination address of a query to determine
+			if we will answer the query or recurse.
+			allow-query-on, allow-recursion-on and
+			allow-query-cache-on. [RT #16291]
+
+2164.	[bug]		The code to determine how named-checkzone / 
 			named-compilezone was called failed under windows.
 			[RT #16764]
 
+2163.	[bug]		If only one of query-source and query-source-v6
+			specified a port the query pools code broke (change
+			2129).  [RT #16768]
+
 2162.	[func]		Allow "rrset-order fixed" to be disabled at compile
 			time. [RT #16665]
 
-2161.	[bug]		'rndc flush' could report a false success. [RT #16698]
+2161.	[bug]		Fix which log messages are emitted for 'rndc flush'.
+			[RT #16698]
 
 2160.	[bug]		libisc wasn't handling NULL ifa_addr pointers returned
 			from getifaddrs(). [RT #16708]
 
+	--- 9.5.0a2 released ---
+
 2159.	[bug]		Array bounds overrun in acache processing. [RT #16710]
 
 2158.	[bug]		ns_client_isself() failed to initialize key
 			leading to a REQUIRE failure. [RT #16688]
 
+2157.	[func]		dns_db_transfernode() created. [RT #16685]
+
 2156.	[bug]		Fix node reference leaks in lookup.c:lookup_find(),
 			resolver.c:validated() and resolver.c:cache_name().
 			Fix a memory leak in rbtdb.c:free_noqname().
@@ -713,6 +1326,9 @@
 2155.	[contrib]	SQLite sdb module from jaboydjr@netwalk.com.
 			[RT #16694]
 
+2154.	[func]		Scoped (e.g. IPv6 link-local) addresses may now be
+			matched in acls by omitting the scope. [RT #16599]
+
 2153.	[bug]		nsupdate could leak memory. [RT #16691]
 
 2152.	[cleanup]	Use sizeof(buf) instead of fixed number in
@@ -729,6 +1345,8 @@
 			if there were still active memory contexts.
 			[RT #16672]
 
+2148.	[func]		Add positive logging for rndc commands. [RT #14623]
+
 2147.	[bug]		libbind: remove potential buffer overflow from
 			hmac_link.c. [RT #16437]
 
@@ -757,17 +1375,6 @@
 2139.	[bug]		dns_view_find() was being called with wrong type
 			in adb.c. [RT #16670]
 
-2119.	[compat]	libbind: allow res_init() to succeed enough to
-			return the default domain even if it was unable
-			to allocate memory.
-
-	--- 9.4.1 released ---
-
-2172.	[bug]		query_addsoa() was being called with a non zone db.
-			[RT #16834]
-
-	--- 9.4.0 released ---
-
 2138.	[bug]		Lock order reversal in resolver.c. [RT #16653]
 
 2137.	[port]		Mips little endian and/or mips 64 bit are now
@@ -778,6 +1385,8 @@
 
 2135.	[bug]		Uninitialized rdataset in sdlz.c. [RT# 16656]
 
+2134.	[func]		Additional statistics support. [RT #16666]
+
 2133.	[port]		powerpc:  Support both IBM and MacOS Power PC
 			assembler syntaxes. [RT #16647]
 
@@ -786,9 +1395,13 @@
 
 2131.	[contrib]	dlz/mysql: AXFR was broken. [RT #16630]
 
-2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
+2130.	[func]		Log if CD or DO were set. [RT #16640]
 
-	--- 9.4.0rc2 released ---
+2129.	[func]		Provide a pool of UDP sockets for queries to be
+			made over. See use-queryport-pool, queryport-pool-ports
+			and queryport-pool-updateinterval.  [RT #16415]
+
+2128.	[doc]		xsltproc --nonet, update DTD versions.  [RT #16635]
 
 2127.	[port]		Improved OpenSSL 0.9.8 support. [RT #16563]
 
@@ -800,9 +1413,22 @@
 2124.	[security]	It was possible to dereference a freed fetch
 			context. [RT #16584]
 
+	--- 9.5.0a1 released ---
+
+2123.	[func]		Use Doxygen to generate internal documentation.
+			[RT #11398]
+
+2122.	[func]		Experimental http server and statistics support
+			for named via xml.
+
+2121.	[func]		Add a 10 slot dead masters cache (LRU) with a 600
+			second timeout. [RT #16553]
+
 2120.	[doc]		Fix markup on nsupdate man page. [RT #16556]
 
-	--- 9.4.0rc1 released ---
+2119.	[compat]	libbind: allow res_init() to succeed enough to
+			return the default domain even if it was unable
+			to allocate memory.
 
 2118.	[bug]		Handle response with long chains of domain name
 			compression pointers which point to other compression
@@ -837,8 +1463,14 @@
 
 2109.	[port]		libbind: silence aix 5.3 compiler warnings. [RT #16502]
 
+2108.	[func]		DHCID support. [RT #16456]
+
 2107.	[bug]		dighost.c: more cleanup of buffers. [RT #16499]
 
+2106.	[func]		'rndc status' now reports named's version. [RT #16426]
+
+2105.	[func]		GSS-TSIG support (RFC 3645).
+
 2104.	[port]		Fix Solaris SMF error message.
 
 2103.	[port]		Add /usr/sfw to list of locations for OpenSSL
@@ -846,8 +1478,6 @@
 
 2102.	[port]		Silence Solaris 10 warnings.
 
-	--- 9.4.0b4 released ---
-
 2101.	[bug]		OpenSSL version checks were not quite right.
 			[RT #16476]
 
@@ -860,8 +1490,6 @@
 			triggered an INSIST failure about the node lock
 			reference.  [RT #16411]
 
-	--- 9.4.0b3 released ---
-
 2097.	[bug]		named could reference a destroyed memory context
 			after being reloaded / reconfigured. [RT #16428]
 
@@ -870,14 +1498,14 @@
 
 2095.	[port]		libbind: alway prototype inet_cidr_ntop_ipv6() and
 			net_cidr_ntop_ipv6(). [RT #16388]
-
+ 
 2094.	[contrib]	Update named-bootconf.  [RT# 16404]
 
 2093.	[bug]		named-checkzone -s was broken.
 
 2092.	[bug]		win32: dig, host, nslookup.  Use registry config
 			if resolv.conf does not exist or no nameservers
-			listed. [RT #15877]
+			listed. [RT #15877] 
 
 2091.	[port]		dighost.c: race condition on cleanup. [RT #16417]
 
@@ -906,8 +1534,6 @@
 
 2082.	[doc]		Document 'cache-file' as a test only option.
 
-	--- 9.4.0b2 released ---
-
 2081.	[port]		libbind: minor 64-bit portability fix in memcluster.c.
 			[RT #16360]
 
@@ -971,8 +1597,6 @@
 2060.	[bug]		Enabling DLZ support could leave views partially
 			configured. [RT #16295]
 
-	--- 9.4.0b1 released ---
-
 2059.	[bug]		Search into cache rbtdb could trigger an INSIST
 			failure while cleaning up a stale rdataset.
 			[RT #16292]
@@ -1052,13 +1676,15 @@
 2036.	[bug]		'rndc recursing' could cause trigger a REQUIRE.
 			[RT #16075]
 
+2035.	[func]		Make falling back to TCP on UDP refresh failure
+			optional. Default "try-tcp-refresh yes;" for BIND 8
+			compatibility. [RT #16123]
+
 2034.	[bug]		gcc: set -fno-strict-aliasing. [RT #16124]
 
 2033.	[bug]		We weren't creating multiple client memory contexts
 			on demand as expected. [RT #16095]
 
-	--- 9.4.0a6 released ---
-
 2032.	[bug]		Remove a INSIST in query_addadditional2(). [RT #16074]
 
 2031.	[bug]		Emit a error message when "rndc refresh" is called on
@@ -1105,8 +1731,6 @@
 			allowed but requested and we had the answer
 			to the original qname. [RT #15945]
 
-	--- 9.4.0a5 released ---
-
 2015.	[cleanup]	use-additional-cache is now acache-enable for
 			consistency.  Default acache-enable off in BIND 9.4
 			as it requires memory usage to be configured.
@@ -1126,7 +1750,7 @@
 			the signed zone, either as an increment or as the
 			system time(). [RT #15633]
 
-	--- 9.4.0a4 released ---
+2010.	[placeholder]	rt15958
 
 2009.	[bug]		libbind: Coverity fixes. [RT #15808]
 
@@ -1280,12 +1904,12 @@
 1966.	[bug]		Don't set CD when we have fallen back to plain DNS.
 			[RT #15727]
 
-1965.	[func]		Suppress spurious "recusion requested but not
+1965.	[func]		Suppress spurious "recursion requested but not
 			available" warning with 'dig +qr'. [RT #15780].
 
 1964.	[func]		Separate out MX and SRV to CNAME checks. [RT #15723]
 
-1963.	[port]		Tru64 4.0E doesn't support send() and recv().
+1963.	[port]		Tru64 4.0E doesn't support send() and recv(). 
 			[RT #15586]
 
 1962.	[bug]		Named failed to clear old update-policy when it
@@ -1328,7 +1952,7 @@
 1951.	[security]	Drop queries from particular well known ports.
 			Don't return FORMERR to queries from particular
 			well known ports.  [RT #15636]
-
+			
 1950.	[port]		Solaris 2.5.1 and earlier cannot bind() then connect()
 			a TCP socket. This prevents the source address being
 			set for TCP connections. [RT #15628]
@@ -1350,19 +1974,13 @@
 1945.	[cleanup]	dnssec-keygen: RSA (RSAMD5) is no longer recommended.
 			To generate a RSAMD5 key you must explicitly request
 			RSAMD5. [RT #13780]
-
+			
 1944.	[cleanup]	isc_hash_create() does not need a read/write lock.
 			[RT #15522]
 
 1943.	[bug]		Set the loadtime after rolling forward the journal.
 			[RT #15647]
 
-1597.	[func]		Allow notify-source and query-source to be specified
-			on a per server basis similar to transfer-source.
-			[RT #6496]
-
-	--- 9.4.0a3 released ---
-
 1942.	[bug]		If the name of a DNSKEY match that of one in
 			trusted-keys do not attempt to validate the DNSKEY
 			using the parents DS RRset. [RT #15649]
@@ -1390,12 +2008,6 @@
 			prior to returning them if it can be done without
 			requiring DNSKEYs to be fetched.  [RT #15430]
 
-1919.	[contrib]	queryperf: a set of new features: collecting/printing
-			response delays, printing intermediate results, and
-			adjusting query rate for the "target" qps.
-
-	--- 9.4.0a2 released ---
-
 1933.	[bug]		dump_rdataset_raw() had a incorrect INSIST. [RT #15534]
 
 1932.	[bug]		hpux: LDFLAGS was getting corrupted. [RT #15530]
@@ -1434,7 +2046,9 @@
 			have the desired performance characteristics.
 			[RT #15454]
 
-	--- 9.4.0a1 released ---
+1919.	[contrib]	queryperf: a set of new features: collecting/printing
+			response delays, printing intermediate results, and
+			adjusting query rate for the "target" qps.
 
 1918.	[bug]		Memory leak when checking acls. [RT #15391]
 
@@ -1472,7 +2086,7 @@
 			[RT #15034]
 
 1905.	[bug]		Strings returned from cfg_obj_asstring() should be
-			treated as read-only.  The prototype for
+			treated as read-only.  The prototype for 
 			cfg_obj_asstring() has been updated to reflect this.
 			[RT #15256]
 
@@ -1577,6 +2191,8 @@
 
 1872.	[port]		win32: Handle ERROR_NETNAME_DELETED.  [RT #13753]
 
+1871.	[placeholder]
+
 1870.	[func]		Added framework for handling multiple EDNS versions.
 			[RT #14873]
 
@@ -1602,10 +2218,10 @@
 1863.	[bug]		rrset-order "fixed" error messages not complete.
 
 1862.	[func]		Add additional zone data constancy checks.
-			named-checkzone has extended checking of NS, MX and
+			named-checkzone has extended checking of NS, MX and 
 			SRV record and the hosts they reference.
 			named has extended post zone load checks.
-			New zone options: check-mx and integrity-check.
+			New zone options: check-mx and integrity-check. 
 			[RT #4940]
 
 1861.	[bug]		dig could trigger a INSIST on certain malformed
@@ -1648,9 +2264,9 @@
 1848.	[bug]		Improve SMF integration. [RT #13238]
 
 1847.	[bug]		isc_ondestroy_init() is called too late in
-			dns_rbtdb_create()/dns_rbtdb64_create().
+			dns_rbtdb_create()/dns_rbtdb64_create(). 
 			[RT #13661]
-
+			
 1846.	[contrib]	query-loc-0.3.0 from Stephane Bortzmeyer
 			<bortzmeyer@nic.fr>.
 
@@ -1721,6 +2337,8 @@
 
 1822.	[bug]		check-names test for RT was reversed. [RT #13382]
 
+1821.	[placeholder]
+
 1820.	[bug]		Gracefully handle acl loops. [RT #13659]
 
 1819.	[bug]		The validator needed to check both the algorithm and
@@ -1870,6 +2488,10 @@
 
 1773.	[bug]		Fast retry on host / net unreachable. [RT #13153]
 
+1772.	[placeholder]
+
+1771.	[placeholder]
+
 1770.	[bug]		named-checkconf failed to report missing a missing
 			file clause for rbt{64} master/hint zones. [RT#13009]
 
@@ -1936,7 +2558,7 @@
 			[RT #12866]
 
 1748.	[func]		dig now returns the byte count for axfr/ixfr.
-
+			
 1747.	[bug]		BIND 8 compatibility: named/named-checkconf failed
 			to parse "host-statistics-max" in named.conf.
 
@@ -1954,7 +2576,7 @@
 			requested number of worker threads then destruction
 			of the manager would trigger an INSIST() failure.
 			[RT #12790]
-
+			
 1742.	[bug]		Deleting all records at a node then adding a
 			previously existing record, in a single UPDATE
 			transaction, failed to leave / regenerate the
@@ -1965,7 +2587,7 @@
 
 1740.	[bug]		Replace rbt's hash algorithm as it performed badly
 			with certain zones. [RT #12729]
-
+			
 			NOTE: a hash context now needs to be established
 			via isc_hash_create() if the application was not
 			already doing this.
@@ -1980,7 +2602,7 @@
 
 1736.	[bug]		dst_key_fromnamedfile() could fail to read a
 			public key. [RT #12687]
-
+			
 1735.	[bug]		'dig +sigtrace' could die with a REQUIRE failure.
 			[RE #12688]
 
@@ -2157,7 +2779,7 @@
 
 1675.	[bug]		named would sometimes add extra NSEC records to
 			the authority section.
-
+			
 1674.	[port]		linux: increase buffer size used to scan
 			/proc/net/if_inet6.
 
@@ -2173,6 +2795,8 @@
 1670.	[func]		Log UPDATE requests to slave zones without an acl as
 			"disabled" at debug level 3. [RT# 11657]
 
+1669.	[placeholder]
+
 1668.	[bug]		DIG_SIGCHASE was making bin/dig/host dump core.
 
 1667.	[port]		linux: not all versions have IF_NAMESIZE.
@@ -2229,7 +2853,7 @@
 
 1648.	[func]		Update dnssec-lookaside named.conf syntax to support
 			multiple dnssec-lookaside namespaces (not yet
-			implemented).
+			implemented).  
 
 1647.	[bug]		It was possible trigger a INSIST when chasing a DS
 			record that required walking back over a empty node.
@@ -2259,7 +2883,7 @@
 
 1638.	[bug]		"ixfr-from-differences" could generate a REQUIRE
 			failure if the journal open failed. [RT #11347]
-
+			
 1637.	[bug]		Node reference leak on error in addnoqname().
 
 1636.	[bug]		The dump done callback could get ISC_R_SUCCESS even if
@@ -2353,21 +2977,21 @@
 1607.	[bug]		dig, host and nslookup were still using random()
 			to generate query ids. [RT# 11013]
 
-1606.	[bug]		DLV insecurity proof was failing.
+1606.	[bug]	 	DLV insecurity proof was failing.
 
 1605.	[func]		New dns_db_find() option DNS_DBFIND_COVERINGNSEC.
 
 1604.	[bug]		A xfrout_ctx_create() failure would result in
 			xfrout_ctx_destroy() being called with a
 			partially initialized structure.
-
+			
 1603.	[bug]		nsupdate: set interactive based on isatty().
 			[RT# 10929]
 
 1602.	[bug]		Logging to a file failed unless a size was specified.
 			[RT# 10925]
 
-1601.	[bug]		Silence spurious warning 'both "recursion no;" and
+1601.	[bug]		Silence spurious warning 'both "recursion no;" and 
 			"allow-recursion" active' warning from view "_bind".
 			[RT# 10920]
 
@@ -2379,6 +3003,10 @@
 1598.	[func]		Specify that certain parts of the namespace must
 			be secure (dnssec-must-be-secure).
 
+1597.	[func]		Allow notify-source and query-source to be specified
+			on a per server basis similar to transfer-source.
+			[RT #6496]
+
 1596.	[func]		Accept 'notify-source' style syntax for query-source.
 
 1595.	[func]		New notify type 'master-only'.  Enable notify for
@@ -4280,7 +4908,7 @@
  963.	[bug]		Bad ISC_LANG_ENDDECLS. [RT #1645]
 
  962.	[bug]		libbind: bad "#undef", don't attempt to install
-			non-existant nlist.h. [RT #1640]
+			non-existent nlist.h. [RT #1640]
 
  961.	[bug]		Tried to use a IPV6 feature when ISC_PLATFORM_HAVEIPV6
 			was not defined. [RT #1482]
@@ -6918,7 +7546,7 @@
  188.	[func]		Log a warning message when an incoming zone transfer
 			contains out-of-zone data.
 
- 187.	[func]		isc_ratelimter_enqueue() has an additional argument
+ 187.	[func]		isc_ratelimiter_enqueue() has an additional argument
 			'task'.
 
  186.	[func]		dns_request_getresponse() has an additional argument
@@ -7061,7 +7689,7 @@
 
 				masters [ port xxx ] { y.y.y.y [ port zzz ] ; }
 
- 149.	[cleanup]	Removed usused argument 'olist' from
+ 149.	[cleanup]	Removed unused argument 'olist' from
 			dns_c_view_unsetordering().
 
  148.	[cleanup]	Stop issuing some warnings about some configuration
@@ -7137,7 +7765,7 @@
  128.	[cleanup]	<isc/dir.h> had ISC_LANG_BEGINDECLS instead of
 			ISC_LANG_ENDDECLS at end of header.
 
- 127.	[cleanup]	The contracts for the comparision routines
+ 127.	[cleanup]	The contracts for the comparison routines
 			dns_name_fullcompare(), dns_name_compare(),
 			dns_name_rdatacompare(), and dns_rdata_compare() now
 			specify that the order value returned is < 0, 0, or > 0
diff --git a/COPYRIGHT b/COPYRIGHT
index 8d6a0ce..620ee98 100644
--- a/COPYRIGHT
+++ b/COPYRIGHT
@@ -1,4 +1,4 @@
-Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 Copyright (C) 1996-2003  Internet Software Consortium.
 
 Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.
 
-$Id: COPYRIGHT,v 1.9.18.5 2008/01/02 23:46:02 tbox Exp $
+$Id: COPYRIGHT,v 1.14.176.1 2009/01/05 23:47:22 tbox Exp $
 
 Portions Copyright (C) 1996-2001  Nominum, Inc.
 
diff --git a/FAQ b/FAQ
index 2c333be..2846b31 100644
--- a/FAQ
+++ b/FAQ
@@ -1,6 +1,6 @@
 Frequently Asked Questions about BIND 9
 
-Copyright © 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright © 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 
 Copyright © 2000-2003 Internet Software Consortium.
 
@@ -600,7 +600,7 @@ Q: Why do queries for NSEC3 records fail to return the NSEC3 record?
 
 A: NSEC3 records are strictly meta data and can only be returned in the
    authority section. This is done so that signing the zone using NSEC3
-   records does not bring names into existance that do not exist in the
+   records does not bring names into existence that do not exist in the
    unsigned version of the zone.
 
 5. Operating-System Specific Questions
@@ -825,7 +825,6 @@ A: /dev/random is not configured. Use rndcontrol(8) to tell the kernel to
    use certain interrupts as a source of random events. You can make this
    permanent by setting rand_irqs in /etc/rc.conf.
 
-   /etc/rc.conf
    rand_irqs="3 14 15"
 
    See also <http://people.freebsd.org/~dougb/randomness.html>.
diff --git a/FAQ.xml b/FAQ.xml
index b624d06..95346f7 100644
--- a/FAQ.xml
+++ b/FAQ.xml
@@ -1,7 +1,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
        "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" []>
 <!--
- - Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: FAQ.xml,v 1.4.4.24 2008/09/10 01:32:25 tbox Exp $ -->
+<!-- $Id: FAQ.xml,v 1.46.56.4 2009/02/19 01:51:58 tbox Exp $ -->
 
 <article class="faq">
   <title>Frequently Asked Questions about BIND 9</title>
@@ -28,6 +28,7 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -1067,7 +1068,7 @@ empty:
 	  NSEC3 records are strictly meta data and can only be
 	  returned in the authority section.  This is done so that
 	  signing the zone using NSEC3 records does not bring names
-	  into existance that do not exist in the unsigned version
+	  into existence that do not exist in the unsigned version
 	  of the zone.
 	</para>
       </answer>
@@ -1470,7 +1471,6 @@ options {
 	</para>
 	<informalexample>
 	  <programlisting>
-/etc/rc.conf
 rand_irqs="3 14 15"</programlisting>
 	</informalexample>
 	<para>
diff --git a/Makefile.in b/Makefile.in
index 9ff0f64..662ee0f 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.43.18.6 2007/09/03 23:46:21 tbox Exp $
+# $Id: Makefile.in,v 1.52.48.2 2009/02/20 23:47:23 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,17 +21,16 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-SUBDIRS =	make lib bin doc @LIBBIND@
+SUBDIRS =	make lib bin doc
 TARGETS =
 
-@BIND9_MAKE_RULES@
+MANPAGES =	isc-config.sh.1
+ 
+HTMLPAGES =	isc-config.sh.html
+ 
+MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
-distclean::
-	@if [ "X@LIBBIND@" = "X" ] ; then \
-		i=lib/bind; \
-		echo "making $@ in `pwd`/$$i"; \
-		(cd $$i; ${MAKE} ${MAKEDEFS} $@) || exit 1; \
-	fi
+@BIND9_MAKE_RULES@
 
 distclean::
 	rm -f config.cache config.h config.log config.status TAGS
@@ -43,12 +42,19 @@ distclean::
 maintainer-clean::
 	rm -f configure
 
+docclean manclean maintainer-clean::
+	rm -f ${MANOBJS}
+
+doc man:: ${MANOBJS}
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${bindir} \
 	${DESTDIR}${localstatedir}/run ${DESTDIR}${sysconfdir}
+	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
 
 install:: isc-config.sh installdirs
 	${INSTALL_SCRIPT} isc-config.sh ${DESTDIR}${bindir}
+	${INSTALL_DATA} ${srcdir}/isc-config.sh.1 ${DESTDIR}${mandir}/man1
 
 tags:
 	rm -f TAGS
diff --git a/NSEC3-NOTES b/NSEC3-NOTES
new file mode 100644
index 0000000..d23b20e
--- /dev/null
+++ b/NSEC3-NOTES
@@ -0,0 +1,128 @@
+
+			DNSSEC and UPDATE
+
+		Converting from insecure to secure
+
+As of BIND 9.6.0 it is possible to move a zone between being insecure
+to secure and back again.  A secure zone can be using NSEC or NSEC3.
+
+To move a zone from insecure to secure you need to configure named
+so that it can see the K* files which contain the public and private
+parts of the keys that will be used to sign the zone.  These files
+will have been generated by dnssec-keygen.  You can do this by
+placing them in the key-directory as specified in named.conf.
+
+	zone example.net {
+		type master;
+		allow-update { .... };
+		file "dynamic/example.net/example.net";
+		key-directory "dynamic/example.net";
+	};
+
+Assuming one KSK and one ZSK DNSKEY key have been generated.  Then
+this will cause the zone to be signed with the ZSK and the DNSKEY
+RRset to be signed with the KSK DNSKEY.  A NSEC chain will also be
+generated as part of the initial signing process.
+
+	% nsupdate
+	> ttl 3600
+	> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+	> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+	> send
+
+While the update request will complete almost immediately the zone
+will not be completely signed until named has had time to walk the
+zone and generate the NSEC and RRSIG records.  Initially the NSEC
+record at the zone apex will have the OPT bit set.  When the NSEC
+chain is complete the OPT bit will be cleared.  Additionally when
+the zone is fully signed the private type (default TYPE65535) records
+will have a non zero value for the final octet. 
+
+The private type record has 5 octets.
+	algorithm (octet 1)
+	key id in network order (octet 2 and 3)
+	removal flag (octet 4)
+	complete flag (octet 5)
+
+If you wish to go straight to a secure zone using NSEC3 you should
+also add a NSECPARAM record to the update request with the flags
+field set to indicate whether the NSEC3 chain will have the OPTOUT
+bit set or not.
+
+	% nsupdate
+	> ttl 3600
+	> update add example.net DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=
+	> update add example.net DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=
+	> update add example.net NSEC3PARAM 1 1 100 1234567890
+	> send
+
+Again the update request will complete almost immediately however the
+NSEC3PARAM record will have additional flag bits set indicating that the
+NSEC3 chain is under construction.  When the NSEC3 chain is complete the
+flags field will be set to zero. 
+
+While the initial signing and NSEC/NSEC3 chain generation is happening
+other updates are possible.
+
+		DNSKEY roll overs via UPDATE
+
+It is possible to perform key rollovers via update.  You need to
+add the K* files for the new keys so that named can find them.  You
+can then add the new DNSKEY RRs via update.  Named will then cause
+the zone to be signed with the new keys.  When the signing is
+complete the private type records will be updated so that the last
+octet is non zero.
+
+If this is for a KSK you need to inform the parent and any trust
+anchor repositories of the new KSK.
+
+You should then wait for the maximum TLL in the zone before removing the
+old DNSKEY.  If it is a KSK that is being updated you also need to wait
+for the DS RRset in the parent to be updated and its TTL to expire.
+This ensures that all clients will be able to verify at least a signature
+when you remove the old DNSKEY.
+
+The old DNSKEY can be removed via UPDATE.  Take care to specify
+the correct key.  Named will clean out any signatures generated by
+the old key after the update completes.
+
+		NSEC3PARAM rollovers via UPDATE.
+
+Add the new NSEC3PARAM record via update.  When the new NSEC3 chain
+has been generated the NSEC3PARAM flag field will be zero.  At this
+point you can remove the old NSEC3PARAM record.  The old chain will
+be removed after the update request completes.
+
+		Converting from NSEC to NSEC3
+
+To do this you just need to add a NSEC3PARAM record.  When the
+conversion is complete the NSEC chain will have been removed and
+the NSEC3PARAM record will have a zero flag field.  The NSEC3 chain
+will be generated before the NSEC chain is destroyed.
+
+		Converting from NSEC3 to NSEC
+
+To do this remove all NSEC3PARAM records with a zero flag field.  The
+NSEC chain will be generated before the NSEC3 chain is removed.
+
+		Converting from secure to insecure
+
+To do this remove all the DNSKEY records.  Any NSEC or NSEC3 chains
+will be removed as well as associated NSEC3PARAM records.  This will
+take place after the update requests completes.
+
+		Periodic re-signing.
+
+Named will periodically re-sign RRsets which have not been re-signed
+as a result of some update action.  The signature lifetimes will
+be adjusted so as to spread the re-sign load over time rather than
+all at once.
+
+		NSEC3 and OPTOUT
+
+Named only supports creating new NSEC3 chains where all the NSEC3
+records in the zone have the same OPTOUT state.  Named supports
+UPDATES to zones where the NSEC3 records in the chain have mixed
+OPTOUT state.  Named does not support changing the OPTOUT state of
+an individual NSEC3 record, the entire chain needs to be changed if
+the OPTOUT state of an individual NSEC3 needs to be changed.
diff --git a/README b/README
index 0a0bc9e..d151988 100644
--- a/README
+++ b/README
@@ -42,29 +42,50 @@ BIND 9
 		Stichting NLnet - NLnet Foundation
 		Nominum, Inc.
 
-BIND 9.4.3
+BIND 9.6.0
 
-	BIND 9.4.3 is a maintenance release, fixing bugs in 9.4.2.
+        BIND 9.6.0 includes a number of changes from BIND 9.5 and earlier
+        releases, including:
 
-BIND 9.4.2
+        Full NSEC3 support
 
-	BIND 9.4.2 is a maintenance release, containing fixes for
-	a number of bugs in 9.4.1.
+        Automatic zone re-signing
 
-	Warning: If you installed BIND 9.4.2rc1 then any applications
-	linked against this release candidate will need to be rebuilt.
+	New update-policy methods tcp-self and 6to4-self
 
-BIND 9.4.1
+        The BIND 8 resolver library, libbind, has been removed from the
+        BIND 9 distribution and is now available as a separate download.
 
-	BIND 9.4.1 is a security release, containing a fix for
-	a security bugs in 9.4.0.
+	Change the default pid file location from /var/run to
+	/var/run/{named,lwresd} for improved chroot/setuid support.
+
+BIND 9.5.0
+
+	BIND 9.5.0 has a number of new features over 9.4,
+	including:
+
+	GSS-TSIG support (RFC 3645).
+
+	DHCID support.
+
+	Experimental http server and statistics support for named via xml.
+
+	More detailed statistics counters including those supported in BIND 8.
+
+	Faster ACL processing.
+
+	Use Doxygen to generate internal documentation.
+
+        Efficient LRU cache-cleaning mechanism.
+
+        NSID support.
 
 BIND 9.4.0
 
 	BIND 9.4.0 has a number of new features over 9.3,
 	including:
 
-	Implemented "additional section caching" (or "acache"), an
+	Implemented "additional section caching (or acache)", an
 	internal cache framework for additional section content to
 	improve response performance.  Several configuration options
 	were provided to control the behavior.
@@ -76,13 +97,14 @@ BIND 9.4.0
 
 	rndc now allows addresses to be set in the server clauses.
 
-	New option "allow-query-cache".  This lets allow-query be
-	used to specify the default zone access level rather than
-	having to have every zone override the global value.
-	allow-query-cache can be set at both the options and view
-	levels. If allow-query-cache is not set then allow-recursion
-	is used if set, otherwise allow-query is used if set, otherwise
-	the default (localhost; localnets;) is used.
+	New option "allow-query-cache".  This lets "allow-query"
+	be used to specify the default zone access level rather
+	than having to have every zone override the global value.
+	"allow-query-cache" can be set at both the options and view
+	levels.  If "allow-query-cache" is not set then "allow-recursion"
+	is used if set, otherwise "allow-query" is used if set
+	unless "recursion no;" is set in which case "none;" is used,
+	otherwise the default (localhost; localnets;) is used.
 
 	rndc: the source address can now be specified.
 
@@ -155,11 +177,12 @@ BIND 9.4.0
 
 	Add support for CH A record.
 
-	Add additional zone data consistancy checks.  named-checkzone
+	Add additional zone data constancy checks.  named-checkzone
 	has extended checking of NS, MX and SRV record and the hosts
 	they reference.  named has extended post zone load checks.
 	New zone options: check-mx and integrity-check.
 
+
 	edns-udp-size can now be overridden on a per server basis.
 
 	dig can now specify the EDNS version when making a query.
@@ -172,7 +195,7 @@ BIND 9.4.0
 	Detect duplicates of UDP queries we are recursing on and
 	drop them.  New stats category "duplicates".
 
-	Memory management. "USE INTERNAL MALLOC" is now runtime selectable.
+	"USE INTERNAL MALLOC" is now runtime selectable.
 
 	The lame cache is now done on a <qname,qclass,qtype> basis
 	as some servers only appear to be lame for certain query
@@ -187,9 +210,9 @@ BIND 9.4.0
 
 	Support for IPSECKEY rdata type.
 
-	Raise the UDP receive buffer size to 32k if it is less than 32k.
+	Raise the UDP recieve buffer size to 32k if it is less than 32k.
 
-	x86 and x86_64 now have separate atomic locking implementations.
+	x86 and x86_64 now have seperate atomic locking implementations.
 
 	named-checkconf now validates update-policy entries.
 
@@ -217,69 +240,9 @@ BIND 9.4.0
 	to set 'RA' when 'RD' is set unless a server is explicitly
 	set.
 
-	Integrate contributed DLZ code into named.
-
-	Integrate contributed IDN code from JPNIC.
-
-	Validate pending NS RRsets, in the authority section, prior
-	to returning them if it can be done without requiring DNSKEYs
-	to be fetched.
-
-	It is now possible to configure named to accept expired
-	RRSIGs.  Default "dnssec-accept-expired no;".  Setting
-	"dnssec-accept-expired yes;" leaves named vulnerable to
-	replay attacks.
+	Integrate contibuted DLZ code into named.
 
-	Additional memory leakage checks.
-
-	The maximum EDNS UDP response named will send can now be
-	set in named.conf (max-udp-size).  This is independent of
-	the advertised receive buffer (edns-udp-size).
-
-	Named now falls back to advertising EDNS with a 512 byte
-	receive buffer if the initial EDNS queries fail.
-
-	Control the zeroing of the negative response TTL to a soa
-	query.  Defaults "zero-no-soa-ttl yes;" and
-	"zero-no-soa-ttl-cache no;".
-			
-	Separate out MX and SRV to CNAME checks.
-
-	dig/nslookup/host: warn about missing "QR".
-
-	TSIG HMACSHA1, HMACSHA224, HMACSHA256, HMACSHA384 and
-	HMACSHA512 support.
-
-	dnssec-signzone: output the SOA record as the first record
-	in the signed zone.
-
-	Two new update policies.  "selfsub" and "selfwild".
-
-	dig, nslookup and host now advertise a 4096 byte EDNS UDP
-	buffer size by default.
-
-	Report when a zone is removed.
-
-	DS/DLV SHA256 digest algorithm support.
-
-	Implement "rrset-order fixed".
-
-	Check the KSK flag when updating a secure dynamic zone.
-	New zone option "update-check-ksk yes;".
-
-	It is now possible to explicitly enable DNSSEC validation.
-	default dnssec-validation no; to be changed to yes in 9.5.0.
-
-	It is now possible to enable/disable DNSSEC validation
-	from rndc.  This is useful for the mobile hosts where the
-	current connection point breaks DNSSEC (firewall/proxy).
-
-		rndc validation newstate [view]
-
-	dnssec-signzone can now update the SOA record of the signed
-	zone, either as an increment or as the system time().
-
-	Statistics about acache now recorded and sent to log.
+	Integrate contibuted IDN code from JPNIC.
 
 	libbind: corresponds to that from BIND 8.4.7.
 
@@ -423,31 +386,35 @@ Building
 	We've had successful builds and tests on the following systems:
 
 		COMPAQ Tru64 UNIX 5.1B
+		Fedora Core 6
 		FreeBSD 4.10, 5.2.1, 6.2
 		HP-UX 11.11
-		NetBSD 1.5
-		Slackware Linux 8.1
-		Solaris 8, 9, 9 (x86)
+		Mac OS X 10.5
+		NetBSD 3.x and 4.0-beta
+		OpenBSD 3.3 and up
+		Solaris 8, 9, 9 (x86), 10
+		Ubuntu 7.04, 7.10
 		Windows XP/2003/2008
 
         NOTE:  As of BIND 9.5.1, 9.4.3, and 9.3.6, older versions of
         Windows, including Windows NT and Windows 2000, are no longer
         supported.
 
-	Additionally, we have unverified reports of success building
-	previous versions of BIND 9 from users of the following systems:
-
-		AIX 5L
-		SuSE Linux 7.0
-		Slackware Linux 7.x, 8.0
-	        Red Hat Linux 7.1
-		Debian GNU/Linux 2.2 and 3.0
-		Mandrake 8.1
-		OpenBSD 2.6, 2.8, 2.9, 3.1, 3.6, 3.8
-		UnixWare 7.1.1
-		HP-UX 10.20
-		BSD/OS 4.2
-		Mac OS X 10.1, 10.3.8
+	We have recent reports from the user community that a supported
+	version of BIND will build and run on the following systems:
+
+		AIX 4.3, 5L
+		CentOS 4, 4.5, 5
+		Darwin 9.0.0d1/ARM
+		Debian 4
+		Fedora Core 5, 7
+		FreeBSD 6.1
+		HP-UX 11.23 PA
+		MacOS X 10.4, 10.5
+		Red Hat Enterprise Linux 4, 5
+		SCO OpenServer 5.0.6
+		Slackware 9, 10
+		SuSE 9, 10
 
 	To build, just
 
@@ -484,12 +451,13 @@ Building
 				    -DDIG_SIGCHASE_BU=1)
 		Disable dropping queries from particular well known ports.
 		  -DNS_CLIENT_DROPPORT=0
-		Disable support for "rrset-order fixed".
-		  -DDNS_RDATASET_FIXED=0
-		Sibling glue checking in named-checkzone is enabled by default.
+	        Sibling glue checking in named-checkzone is enabled by default.
 		To disable the default check set.  -DCHECK_SIBLING=0
 		named-checkzone checks out-of-zone addresses by default.
 		To disable this default set.  -DCHECK_LOCAL=0
+		To create the default pid files in ${localstatedir}/run rather
+		than ${localstatedir}/run/{named,lwresd}/ set.
+		  -DNS_RUN_PID_DIR=0
 		Enable workaround for Solaris kernel bug about /dev/poll
 		  -DISC_SOCKET_USE_POLLWATCH=1
 		  The watch timeout is also configurable, e.g.,
@@ -519,9 +487,6 @@ Building
 	a nonstandard prefix, you can tell configure where to
 	look for it using "--with-openssl=/prefix".
 
-	To build libbind (the BIND 8 resolver library), specify
-	"--enable-libbind" on the configure command line.
-
 	On some platforms it is necessary to explictly request large
 	file support to handle files bigger than 2GB.  This can be
 	done by "--enable-largefile" on the configure command line.
@@ -533,6 +498,11 @@ Building
 	on the configure command line.  The default is operating
 	system dependent.
 
+        Support for the "fixed" rrset-order option can be enabled
+        or disabled by specifying "--enable-fixed-rrset" or
+        "--disable-fixed-rrset" on the configure command line.
+        The default is "disabled", to reduce memory footprint.
+
 	If your operating system has integrated support for IPv6, it
 	will be used automatically.  If you have installed KAME IPv6
 	separately, use "--with-kame[=PATH]" to specify its location.
@@ -613,8 +583,9 @@ Bug Reports and Mailing Lists
 		http://www.isc.org/ops/lists/
 
 	If you're planning on making changes to the BIND 9 source
-	code, you might want to join the BIND Forum as a Worker.
-	This gives you access to the bind-workers@isc.org mailing
-	list and pre-release access to the code.
+	code, you might want to join the BIND Workers mailing list.
+	Send mail to
+
+		bind-workers-request@isc.org
+
 
-		http://www.isc.org/sw/guild/bf/
diff --git a/README.idnkit b/README.idnkit
index 316f879..0eda0a5 100644
--- a/README.idnkit
+++ b/README.idnkit
@@ -55,7 +55,7 @@ at least specify `--with-idn' option to enable IDN support.
 
 	`--with-libiconv' assumes that your C compiler has `-R'
 	option, and that the option adds the specified run-time path
-	to an exacutable binary.  If `-R' option of your compiler has
+	to an executable binary.  If `-R' option of your compiler has
 	different meaning, or your compiler lacks the option, you
 	should use `--with-iconv' option instead.  Binary command
 	without run-time path information might be unexecutable.
@@ -68,7 +68,7 @@ at least specify `--with-idn' option to enable IDN support.
 	specified, `--with-iconv' is prior to `--with-libiconv'.
 
     --with-iconv=ICONV_LIBSPEC
-	If your libc doens't provide iconv(), you need to specify the
+	If your libc doesn't provide iconv(), you need to specify the
 	library containing iconv() with this option.  `ICONV_LIBSPEC'
 	is the argument(s) to `cc' or `ld' to link the library, for
 	example, `--with-iconv="-L/usr/local/lib -liconv"'.
@@ -82,7 +82,7 @@ at least specify `--with-idn' option to enable IDN support.
 	this option is not specified, `-L${PREFIX}/lib -lidnkit' is
 	assumed, where ${PREFIX} is the installation prefix specified
 	with `--with-idn' option above.  You may need to use this
-	option to specify extra argments, for example,
+	option to specify extra arguments, for example,
 	`--with-idnlib="-L/usr/local/lib -R/usr/local/lib -lidnkit"'.
 
 Please consult `README' for other configuration options.
@@ -109,4 +109,4 @@ about idnkit and this patch.
 Bug reports and comments on this kit should be sent to
 mdnkit-bugs@nic.ad.jp and idn-cmt@nic.ad.jp, respectively.
 
-; $Id: README.idnkit,v 1.2.2.2 2005/09/12 02:12:08 marka Exp $
+; $Id: README.idnkit,v 1.2.762.1 2009/01/18 23:25:14 marka Exp $
diff --git a/README.pkcs11 b/README.pkcs11
new file mode 100644
index 0000000..b58640d
--- /dev/null
+++ b/README.pkcs11
@@ -0,0 +1,61 @@
+
+			BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
+and some improvements, including user friendly PIN management.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+   define: PKCS11_SO_PATH
+   default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+   define: PKCS11_MODULE_PATH
+   default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+	openssl_conf = openssl_def
+ - at any place these sections:
+	[ openssl_def ]
+	engines = engine_section
+	[ engine_section ]
+	pkcs11 = pkcs11_section
+	[ pkcs11_section ]
+	PIN = put__your__pin__value__here
+
+Note
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
diff --git a/acconfig.h b/acconfig.h
index e8f7d52..eb19150 100644
--- a/acconfig.h
+++ b/acconfig.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acconfig.h,v 1.44.18.5 2005/04/29 00:15:20 marka Exp $ */
+/* $Id: acconfig.h,v 1.51.334.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -25,9 +25,6 @@
  ***/
 @TOP@
 
-/** define to `int' if <sys/types.h> doesn't define.  */
-#undef ssize_t
-
 /** define on DEC OSF to enable 4.4BSD style sa_len support */
 #undef _SOCKADDR_LEN
 
@@ -61,9 +58,6 @@
 /** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
-/** define if chroot() is available */
-#undef HAVE_CHROOT
-
 /** define if tzset() is available */
 #undef HAVE_TZSET
 
@@ -115,7 +109,7 @@ int sigwait(const unsigned int *set, int *sig);
  * The silly continuation line is to keep configure from
  * commenting out the #undef.
  */
- 
+
 #undef \
 	va_start
 #define	va_start(ap, last) \
diff --git a/bin/Makefile.in b/bin/Makefile.in
index 2e29f94..ef28e0c 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.23 2004/03/05 04:57:10 marka Exp $
+# $Id: Makefile.in,v 1.25 2007/06/19 23:46:59 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/check/Makefile.in b/bin/check/Makefile.in
index cd9ecf6..06f5541 100644
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.24.18.6 2006/06/09 00:54:08 marka Exp $
+# $Id: Makefile.in,v 1.32 2007/06/19 23:46:59 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/check/check-tool.c b/bin/check/check-tool.c
index 2136a63..e0a7208 100644
--- a/bin/check/check-tool.c
+++ b/bin/check/check-tool.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.c,v 1.10.18.20 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: check-tool.c,v 1.35.36.3 2009/01/20 02:03:18 marka Exp $ */
 
 /*! \file */
 
@@ -24,16 +24,17 @@
 #include <stdio.h>
 
 #include "check-tool.h"
-#include <isc/util.h>
-
 #include <isc/buffer.h>
 #include <isc/log.h>
-#include <isc/net.h>
+#include <isc/mem.h>
 #include <isc/netdb.h>
+#include <isc/net.h>
 #include <isc/region.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
+#include <isc/symtab.h>
 #include <isc/types.h>
+#include <isc/util.h>
 
 #include <dns/fixedname.h>
 #include <dns/log.h>
@@ -69,6 +70,15 @@
 			goto cleanup; \
 	} while (0)
 
+#define ERR_IS_CNAME 1
+#define ERR_NO_ADDRESSES 2
+#define ERR_LOOKUP_FAILURE 3
+#define ERR_EXTRA_A 4
+#define ERR_EXTRA_AAAA 5
+#define ERR_MISSING_GLUE 5
+#define ERR_IS_MXCNAME 6
+#define ERR_IS_SRVCNAME 7
+
 static const char *dbtype[] = { "rbt" };
 
 int debug = 0;
@@ -105,9 +115,62 @@ static isc_logcategory_t categories[] = {
 	{ "queries",	     0 },
 	{ "unmatched", 	     0 },
 	{ "update-security", 0 },
+	{ "query-errors",    0 },
 	{ NULL,		     0 }
 };
 
+static isc_symtab_t *symtab = NULL;
+static isc_mem_t *sym_mctx;
+
+static void
+freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
+	UNUSED(type);
+	UNUSED(value);
+	isc_mem_free(userarg, key);
+}
+
+static void
+add(char *key, int value) {
+	isc_result_t result;
+	isc_symvalue_t symvalue;
+
+	if (sym_mctx == NULL) {
+		result = isc_mem_create(0, 0, &sym_mctx);
+		if (result != ISC_R_SUCCESS)
+			return;
+	}
+
+	if (symtab == NULL) {
+		result = isc_symtab_create(sym_mctx, 100, freekey, sym_mctx,
+					   ISC_FALSE, &symtab);
+		if (result != ISC_R_SUCCESS)
+			return;
+	}
+
+	key = isc_mem_strdup(sym_mctx, key);
+	if (key == NULL)
+		return;
+
+	symvalue.as_pointer = NULL;
+	result = isc_symtab_define(symtab, key, value, symvalue,
+				   isc_symexists_reject);
+	if (result != ISC_R_SUCCESS)
+		isc_mem_free(sym_mctx, key);
+}
+
+static isc_boolean_t
+logged(char *key, int value) {
+	isc_result_t result;
+
+	if (symtab == NULL)
+		return (ISC_FALSE);
+
+	result = isc_symtab_lookup(symtab, key, value, NULL);
+	if (result == ISC_R_SUCCESS)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
 static isc_boolean_t
 checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 	dns_rdataset_t *a, dns_rdataset_t *aaaa)
@@ -156,29 +219,39 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 		       cur->ai_next != NULL)
 			cur = cur->ai_next;
 		if (cur != NULL && cur->ai_canonname != NULL &&
-		    strcasecmp(ai->ai_canonname, namebuf) != 0) {
+		    strcasecmp(cur->ai_canonname, namebuf) != 0 &&
+		    !logged(namebuf, ERR_IS_CNAME)) {
 			dns_zone_log(zone, ISC_LOG_ERROR,
 				     "%s/NS '%s' (out of zone) "
-				     "is a CNAME (illegal)",
-				     ownerbuf, namebuf);
+				     "is a CNAME '%s' (illegal)",
+				     ownerbuf, namebuf,
+				     cur->ai_canonname);
 			/* XXX950 make fatal for 9.5.0 */
 			/* answer = ISC_FALSE; */
+			add(namebuf, ERR_IS_CNAME);
 		}
 		break;
 	case EAI_NONAME:
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
 #endif
-		dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' (out of zone) "
-			     "has no addresses records (A or AAAA)",
-			     ownerbuf, namebuf);
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/NS '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
 		/* XXX950 make fatal for 9.5.0 */
 		return (ISC_TRUE);
 
 	default:
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "getaddrinfo(%s) failed: %s",
-			     namebuf, gai_strerror(result));
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s",
+				     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
 		return (ISC_TRUE);
 	}
 	if (a == NULL || aaaa == NULL)
@@ -201,12 +274,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 				break;
 			}
 		}
-		if (!match) {
+		if (!match && !logged(namebuf, ERR_EXTRA_A)) {
 			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
 				     "extra GLUE A record (%s)",
 				     ownerbuf, namebuf,
 				     inet_ntop(AF_INET, rdata.data,
 					       addrbuf, sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_A);
 			/* XXX950 make fatal for 9.5.0 */
 			/* answer = ISC_FALSE; */
 		}
@@ -230,12 +304,13 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 				break;
 			}
 		}
-		if (!match) {
+		if (!match && !logged(namebuf, ERR_EXTRA_AAAA)) {
 			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
 				     "extra GLUE AAAA record (%s)",
 				     ownerbuf, namebuf,
 				     inet_ntop(AF_INET6, rdata.data,
 					       addrbuf, sizeof(addrbuf)));
+			add(namebuf, ERR_EXTRA_AAAA);
 			/* XXX950 make fatal for 9.5.0. */
 			/* answer = ISC_FALSE; */
 		}
@@ -247,42 +322,48 @@ checkns(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner,
 	/*
 	 * Check that all addresses appear in the glue.
 	 */
-	for (cur = ai; cur != NULL; cur = cur->ai_next) {
-		switch (cur->ai_family) {
-		case AF_INET:
-			rdataset = a;
-			ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
-			type = "A";
-			break;
-		case AF_INET6:
-			rdataset = aaaa;
-			ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
-			type = "AAAA";
-			break;
-		default:
-			 continue;
-		}
-		match = ISC_FALSE;
-		if (dns_rdataset_isassociated(rdataset))
-			result = dns_rdataset_first(rdataset);
-		else
-			result = ISC_R_FAILURE;
-		while (result == ISC_R_SUCCESS && !match) {
-			dns_rdataset_current(rdataset, &rdata);
-			if (memcmp(ptr, rdata.data, rdata.length) == 0)
-				match = ISC_TRUE;
-			dns_rdata_reset(&rdata);
-			result = dns_rdataset_next(rdataset);
-		}
-		if (!match) {
-			dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
-				     "missing GLUE %s record (%s)",
-				     ownerbuf, namebuf, type,
-				     inet_ntop(cur->ai_family, ptr,
-					       addrbuf, sizeof(addrbuf)));
-			/* XXX950 make fatal for 9.5.0. */
-			/* answer = ISC_FALSE; */
+	if (!logged(namebuf, ERR_MISSING_GLUE)) {
+		isc_boolean_t missing_glue = ISC_FALSE;
+		for (cur = ai; cur != NULL; cur = cur->ai_next) {
+			switch (cur->ai_family) {
+			case AF_INET:
+				rdataset = a;
+				ptr = &((struct sockaddr_in *)(cur->ai_addr))->sin_addr;
+				type = "A";
+				break;
+			case AF_INET6:
+				rdataset = aaaa;
+				ptr = &((struct sockaddr_in6 *)(cur->ai_addr))->sin6_addr;
+				type = "AAAA";
+				break;
+			default:
+				 continue;
+			}
+			match = ISC_FALSE;
+			if (dns_rdataset_isassociated(rdataset))
+				result = dns_rdataset_first(rdataset);
+			else
+				result = ISC_R_FAILURE;
+			while (result == ISC_R_SUCCESS && !match) {
+				dns_rdataset_current(rdataset, &rdata);
+				if (memcmp(ptr, rdata.data, rdata.length) == 0)
+					match = ISC_TRUE;
+				dns_rdata_reset(&rdata);
+				result = dns_rdataset_next(rdataset);
+			}
+			if (!match) {
+				dns_zone_log(zone, ISC_LOG_ERROR, "%s/NS '%s' "
+					     "missing GLUE %s record (%s)",
+					     ownerbuf, namebuf, type,
+					     inet_ntop(cur->ai_family, ptr,
+						       addrbuf, sizeof(addrbuf)));
+				/* XXX950 make fatal for 9.5.0. */
+				/* answer = ISC_FALSE; */
+				missing_glue = ISC_TRUE;
+			}
 		}
+		if (missing_glue)
+			add(namebuf, ERR_MISSING_GLUE);
 	}
 	freeaddrinfo(ai);
 	return (answer);
@@ -332,10 +413,15 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 			if ((zone_options & DNS_ZONEOPT_WARNMXCNAME) != 0)
 				level = ISC_LOG_WARNING;
 			if ((zone_options & DNS_ZONEOPT_IGNOREMXCNAME) == 0) {
-				dns_zone_log(zone, ISC_LOG_WARNING,
-					     "%s/MX '%s' (out of zone) "
-					     "is a CNAME (illegal)",
-					     ownerbuf, namebuf);
+				if (!logged(namebuf, ERR_IS_MXCNAME)) {
+					dns_zone_log(zone, level,
+						     "%s/MX '%s' (out of zone)"
+						     " is a CNAME '%s' "
+						     "(illegal)",
+						     ownerbuf, namebuf,
+						     cur->ai_canonname);
+					add(namebuf, ERR_IS_MXCNAME);
+				}
 				if (level == ISC_LOG_ERROR)
 					answer = ISC_FALSE;
 			}
@@ -347,16 +433,23 @@ checkmx(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
 #endif
-		dns_zone_log(zone, ISC_LOG_ERROR, "%s/MX '%s' (out of zone) "
-			     "has no addresses records (A or AAAA)",
-			     ownerbuf, namebuf);
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/MX '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
 		/* XXX950 make fatal for 9.5.0. */
 		return (ISC_TRUE);
 
 	default:
-		dns_zone_log(zone, ISC_LOG_WARNING,
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
 			     "getaddrinfo(%s) failed: %s",
 			     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
 		return (ISC_TRUE);
 	}
 #else
@@ -405,10 +498,14 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 			if ((zone_options & DNS_ZONEOPT_WARNSRVCNAME) != 0)
 				level = ISC_LOG_WARNING;
 			if ((zone_options & DNS_ZONEOPT_IGNORESRVCNAME) == 0) {
-				dns_zone_log(zone, level,
-					     "%s/SRV '%s' (out of zone) "
-					     "is a CNAME (illegal)",
-					     ownerbuf, namebuf);
+				if (!logged(namebuf, ERR_IS_SRVCNAME)) {
+					dns_zone_log(zone, level, "%s/SRV '%s'"
+						     " (out of zone) is a "
+						     "CNAME '%s' (illegal)",
+						     ownerbuf, namebuf,
+						     cur->ai_canonname);
+					add(namebuf, ERR_IS_SRVCNAME);
+				}
 				if (level == ISC_LOG_ERROR)
 					answer = ISC_FALSE;
 			}
@@ -420,16 +517,23 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 #if defined(EAI_NODATA) && (EAI_NODATA != EAI_NONAME)
 	case EAI_NODATA:
 #endif
-		dns_zone_log(zone, ISC_LOG_ERROR, "%s/SRV '%s' (out of zone) "
-			     "has no addresses records (A or AAAA)",
-			     ownerbuf, namebuf);
+		if (!logged(namebuf, ERR_NO_ADDRESSES)) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "%s/SRV '%s' (out of zone) "
+				     "has no addresses records (A or AAAA)",
+				     ownerbuf, namebuf);
+			add(namebuf, ERR_NO_ADDRESSES);
+		}
 		/* XXX950 make fatal for 9.5.0. */
 		return (ISC_TRUE);
 
 	default:
-		dns_zone_log(zone, ISC_LOG_WARNING,
-			     "getaddrinfo(%s) failed: %s",
-			     namebuf, gai_strerror(result));
+		if (!logged(namebuf, ERR_LOOKUP_FAILURE)) {
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "getaddrinfo(%s) failed: %s",
+				     namebuf, gai_strerror(result));
+			add(namebuf, ERR_LOOKUP_FAILURE);
+		}
 		return (ISC_TRUE);
 	}
 #else
@@ -438,7 +542,7 @@ checksrv(dns_zone_t *zone, dns_name_t *name, dns_name_t *owner) {
 }
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
 	isc_logdestination_t destination;
 	isc_logconfig_t *logconfig = NULL;
 	isc_log_t *log = NULL;
@@ -450,7 +554,7 @@ setup_logging(isc_mem_t *mctx, isc_log_t **logp) {
 	dns_log_setcontext(log);
 	cfg_log_init(log);
 
-	destination.file.stream = stdout;
+	destination.file.stream = errout;
 	destination.file.name = NULL;
 	destination.file.versions = ISC_LOG_ROLLNEVER;
 	destination.file.maximum_size = 0;
@@ -534,14 +638,14 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 	FILE *output = stdout;
 
 	if (debug) {
-		if (filename != NULL)
+		if (filename != NULL && strcmp(filename, "-") != 0)
 			fprintf(stderr, "dumping \"%s\" to \"%s\"\n",
 				zonename, filename);
 		else
 			fprintf(stderr, "dumping \"%s\"\n", zonename);
 	}
 
-	if (filename != NULL) {
+	if (filename != NULL && strcmp(filename, "-") != 0) {
 		result = isc_stdio_open(filename, "w+", &output);
 
 		if (result != ISC_R_SUCCESS) {
@@ -553,7 +657,7 @@ dump_zone(const char *zonename, dns_zone_t *zone, const char *filename,
 
 	result = dns_zone_dumptostream2(zone, output, fileformat, style);
 
-	if (filename != NULL)
+	if (output != stdout)
 		(void)isc_stdio_close(output);
 
 	return (result);
diff --git a/bin/check/check-tool.h b/bin/check/check-tool.h
index ef9017f..b0ba7e0 100644
--- a/bin/check/check-tool.h
+++ b/bin/check/check-tool.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check-tool.h,v 1.7.18.4 2005/06/20 01:19:25 marka Exp $ */
+/* $Id: check-tool.h,v 1.14 2007/06/18 23:47:17 tbox Exp $ */
 
 #ifndef CHECK_TOOL_H
 #define CHECK_TOOL_H
@@ -23,6 +23,7 @@
 /*! \file */
 
 #include <isc/lang.h>
+#include <isc/stdio.h>
 #include <isc/types.h>
 
 #include <dns/masterdump.h>
@@ -31,7 +32,7 @@
 ISC_LANG_BEGINDECLS
 
 isc_result_t
-setup_logging(isc_mem_t *mctx, isc_log_t **logp);
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp);
 
 isc_result_t
 load_zone(isc_mem_t *mctx, const char *zonename, const char *filename,
diff --git a/bin/check/named-checkconf.8 b/bin/check/named-checkconf.8
index 364e6b9..852b133 100644
--- a/bin/check/named-checkconf.8
+++ b/bin/check/named-checkconf.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkconf.8,v 1.16.18.13 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkconf.8,v 1.30 2007/06/20 02:27:32 marka Exp $
 .\"
 .hy 0
 .ad l
@@ -33,13 +33,18 @@
 named\-checkconf \- named configuration file syntax checking tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkconf\fR [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
+\fBnamed\-checkconf\fR [\fB\-h\fR] [\fB\-v\fR] [\fB\-j\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] {filename} [\fB\-z\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\-checkconf\fR
 checks the syntax, but not the semantics, of a named configuration file.
 .SH "OPTIONS"
 .PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
 \-t \fIdirectory\fR
 .RS 4
 Chroot to
diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c
index 96efd79..eba0d93 100644
--- a/bin/check/named-checkconf.c
+++ b/bin/check/named-checkconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkconf.c,v 1.28.18.16 2007/11/26 23:46:18 tbox Exp $ */
+/* $Id: named-checkconf.c,v 1.46.222.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -47,6 +47,8 @@
 
 #include "check-tool.h"
 
+static const char *program = "named-checkconf";
+
 isc_log_t *logc = NULL;
 
 #define CHECK(r)\
@@ -59,9 +61,9 @@ isc_log_t *logc = NULL;
 /*% usage */
 static void
 usage(void) {
-        fprintf(stderr, "usage: named-checkconf [-j] [-v] [-z] [-t directory] "
-		"[named.conf]\n");
-        exit(1);
+	fprintf(stderr, "usage: %s [-h] [-j] [-v] [-z] [-t directory] "
+		"[named.conf]\n", program);
+	exit(1);
 }
 
 /*% directory callback */
@@ -171,9 +173,9 @@ configure_zone(const char *vclass, const char *view,
 
 	zname = cfg_obj_asstring(cfg_tuple_get(zconfig, "name"));
 	classobj = cfg_tuple_get(zconfig, "class");
-        if (!cfg_obj_isstring(classobj))
-                zclass = vclass;
-        else
+	if (!cfg_obj_isstring(classobj))
+		zclass = vclass;
+	else
 		zclass = cfg_obj_asstring(classobj);
 
 	zoptions = cfg_tuple_get(zconfig, "options");
@@ -192,9 +194,9 @@ configure_zone(const char *vclass, const char *view,
 		return (ISC_R_FAILURE);
 	if (strcasecmp(cfg_obj_asstring(typeobj), "master") != 0)
 		return (ISC_R_SUCCESS);
-        cfg_map_get(zoptions, "database", &dbobj);
-        if (dbobj != NULL)
-                return (ISC_R_SUCCESS);
+	cfg_map_get(zoptions, "database", &dbobj);
+	if (dbobj != NULL)
+		return (ISC_R_SUCCESS);
 	cfg_map_get(zoptions, "file", &fileobj);
 	if (fileobj == NULL)
 		return (ISC_R_FAILURE);
@@ -285,8 +287,8 @@ configure_zone(const char *vclass, const char *view,
 		} else
 			INSIST(0);
 	} else {
-               zone_options |= DNS_ZONEOPT_CHECKNAMES;
-               zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
+	       zone_options |= DNS_ZONEOPT_CHECKNAMES;
+	       zone_options |= DNS_ZONEOPT_CHECKNAMESFAIL;
 	}
 
 	masterformat = dns_masterformat_text;
@@ -397,8 +399,10 @@ main(int argc, char **argv) {
 	int exit_status = 0;
 	isc_entropy_t *ectx = NULL;
 	isc_boolean_t load_zones = ISC_FALSE;
-	
-	while ((c = isc_commandline_parse(argc, argv, "djt:vz")) != EOF) {
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((c = isc_commandline_parse(argc, argv, "dhjt:vz")) != EOF) {
 		switch (c) {
 		case 'd':
 			debug++;
@@ -415,12 +419,6 @@ main(int argc, char **argv) {
 					isc_result_totext(result));
 				exit(1);
 			}
-			result = isc_dir_chdir("/");
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chdir: %s\n",
-					isc_result_totext(result));
-				exit(1);
-			}
 			break;
 
 		case 'v':
@@ -434,11 +432,22 @@ main(int argc, char **argv) {
 			dochecksrv = ISC_FALSE;
 			break;
 
-		default:
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+		case 'h':
 			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
+	if (isc_commandline_index + 1 < argc)
+		usage();
 	if (argv[isc_commandline_index] != NULL)
 		conffile = argv[isc_commandline_index];
 	if (conffile == NULL || conffile[0] == '\0')
@@ -446,7 +455,7 @@ main(int argc, char **argv) {
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 
-	RUNTIME_CHECK(setup_logging(mctx, &logc) == ISC_R_SUCCESS);
+	RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
 
 	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
diff --git a/bin/check/named-checkconf.docbook b/bin/check/named-checkconf.docbook
index af7a73d..5359239 100644
--- a/bin/check/named-checkconf.docbook
+++ b/bin/check/named-checkconf.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkconf.docbook,v 1.8.18.10 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkconf.docbook,v 1.19 2007/06/19 06:58:03 marka Exp $ -->
 <refentry id="man.named-checkconf">
   <refentryinfo>
     <date>June 14, 2000</date>
@@ -53,6 +53,7 @@
   <refsynopsisdiv>
     <cmdsynopsis>
       <command>named-checkconf</command>
+      <arg><option>-h</option></arg>
       <arg><option>-v</option></arg>
       <arg><option>-j</option></arg>
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
@@ -74,6 +75,15 @@
 
     <variablelist>
       <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-t <replaceable class="parameter">directory</replaceable></term>
         <listitem>
           <para>
diff --git a/bin/check/named-checkconf.html b/bin/check/named-checkconf.html
index 910df0d..34bec80 100644
--- a/bin/check/named-checkconf.html
+++ b/bin/check/named-checkconf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkconf.html,v 1.9.18.20 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkconf.html,v 1.30 2007/06/20 02:27:32 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,18 +29,22 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<a name="id2543387"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a named
       configuration file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543395"></a><h2>OPTIONS</h2>
+<a name="id2543399"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Chroot to <code class="filename">directory</code> so that
@@ -70,21 +74,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>RETURN VALUES</h2>
+<a name="id2543507"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543500"></a><h2>SEE ALSO</h2>
+<a name="id2543518"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543530"></a><h2>AUTHOR</h2>
+<a name="id2543548"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/check/named-checkzone.8 b/bin/check/named-checkzone.8
index bd538ac..5520da3 100644
--- a/bin/check/named-checkzone.8
+++ b/bin/check/named-checkzone.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named-checkzone.8,v 1.18.18.23 2007/06/20 02:26:58 marka Exp $
+.\" $Id: named-checkzone.8,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 named\-checkzone, named\-compilezone \- zone file validity checking or converting tool
 .SH "SYNOPSIS"
 .HP 16
-\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
+\fBnamed\-checkzone\fR [\fB\-d\fR] [\fB\-h\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-M\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-S\ \fR\fB\fImode\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .HP 18
 \fBnamed\-compilezone\fR [\fB\-d\fR] [\fB\-j\fR] [\fB\-q\fR] [\fB\-v\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-C\ \fR\fB\fImode\fR\fR] [\fB\-f\ \fR\fB\fIformat\fR\fR] [\fB\-F\ \fR\fB\fIformat\fR\fR] [\fB\-i\ \fR\fB\fImode\fR\fR] [\fB\-k\ \fR\fB\fImode\fR\fR] [\fB\-m\ \fR\fB\fImode\fR\fR] [\fB\-n\ \fR\fB\fImode\fR\fR] [\fB\-o\ \fR\fB\fIfilename\fR\fR] [\fB\-s\ \fR\fB\fIstyle\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-w\ \fR\fB\fIdirectory\fR\fR] [\fB\-D\fR] [\fB\-W\ \fR\fB\fImode\fR\fR] {zonename} {filename}
 .SH "DESCRIPTION"
@@ -58,6 +58,11 @@ configuration file.
 Enable debugging.
 .RE
 .PP
+\-h
+.RS 4
+Print the usage summary and exit.
+.RE
+.PP
 \-q
 .RS 4
 Quiet mode \- exit code only.
@@ -77,7 +82,7 @@ When loading the zone file read the journal if it exists.
 .PP
 \-c \fIclass\fR
 .RS 4
-Specify the class of the zone. If not specified "IN" is assumed.
+Specify the class of the zone. If not specified, "IN" is assumed.
 .RE
 .PP
 \-i \fImode\fR
@@ -188,7 +193,11 @@ Specify whether NS records should be checked to see if they are addresses. Possi
 \-o \fIfilename\fR
 .RS 4
 Write zone output to
-\fIfilename\fR. This is mandatory for
+\fIfilename\fR. If
+\fIfilename\fR
+is
+\fI\-\fR
+then write to standard out. This is mandatory for
 \fBnamed\-compilezone\fR.
 .RE
 .PP
@@ -263,7 +272,7 @@ BIND 9 Administrator Reference Manual.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2007 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br
diff --git a/bin/check/named-checkzone.c b/bin/check/named-checkzone.c
index f16053b..e91cbea 100644
--- a/bin/check/named-checkzone.c
+++ b/bin/check/named-checkzone.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named-checkzone.c,v 1.29.18.21 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: named-checkzone.c,v 1.51.34.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -106,6 +106,7 @@ main(int argc, char **argv) {
 	const char *outputformatstr = NULL;
 	dns_masterformat_t inputformat = dns_masterformat_text;
 	dns_masterformat_t outputformat = dns_masterformat_text;
+	FILE *errout = stdout;
 
 	outputstyle = &dns_master_style_full;
 
@@ -140,8 +141,10 @@ main(int argc, char **argv) {
 
 #define ARGCMP(X) (strcmp(isc_commandline_argument, X) == 0)
 
+	isc_commandline_errprint = ISC_FALSE;
+
 	while ((c = isc_commandline_parse(argc, argv,
-					  "c:df:i:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
+					 "c:df:hi:jk:m:n:qs:t:o:vw:DF:M:S:W:"))
 	       != EOF) {
 		switch (c) {
 		case 'c':
@@ -265,12 +268,6 @@ main(int argc, char **argv) {
 					isc_result_totext(result));
 				exit(1);
 			}
-			result = isc_dir_chdir("/");
-			if (result != ISC_R_SUCCESS) {
-				fprintf(stderr, "isc_dir_chdir: %s\n",
-					isc_result_totext(result));
-				exit(1);
-			}
 			break;
 
 		case 's':
@@ -343,17 +340,17 @@ main(int argc, char **argv) {
 				zone_options &= ~DNS_ZONEOPT_CHECKWILDCARD;
 			break;
 
-		default:
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					prog_name, isc_commandline_option);
+		case 'h':
 			usage();
-		}
-	}
 
-	if (progmode == progmode_compile) {
-		dumpzone = 1;	/* always dump */
-		if (output_filename == NULL) {
-			fprintf(stderr,
-				"output file required, but not specified\n");
-			usage();
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				prog_name, isc_commandline_option);
+			exit(1);
 		}
 	}
 
@@ -390,12 +387,36 @@ main(int argc, char **argv) {
 		}
 	}
 
-	if (isc_commandline_index + 2 > argc)
+	if (progmode == progmode_compile) {
+		dumpzone = 1;	/* always dump */
+		if (output_filename == NULL) {
+			fprintf(stderr,
+				"output file required, but not specified\n");
+			usage();
+		}
+	}
+
+	if (output_filename != NULL)
+		dumpzone = 1;
+
+	/*
+	 * If we are outputing to stdout then send the informational
+	 * output to stderr.
+	 */
+	if (dumpzone &&
+	    (output_filename == NULL ||
+	     strcmp(output_filename, "-") == 0 ||
+	     strcmp(output_filename, "/dev/fd/1") == 0 ||
+	     strcmp(output_filename, "/dev/stdout") == 0))
+		errout = stderr;
+
+	if (isc_commandline_index + 2 != argc)
 		usage();
 
 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
 	if (!quiet)
-		RUNTIME_CHECK(setup_logging(mctx, &lctx) == ISC_R_SUCCESS);
+		RUNTIME_CHECK(setup_logging(mctx, errout, &lctx)
+			      == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_entropy_create(mctx, &ectx) == ISC_R_SUCCESS);
 	RUNTIME_CHECK(isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE)
 		      == ISC_R_SUCCESS);
@@ -409,17 +430,17 @@ main(int argc, char **argv) {
 
 	if (result == ISC_R_SUCCESS && dumpzone) {
 		if (!quiet && progmode == progmode_compile) {
-			fprintf(stdout, "dump zone to %s...", output_filename);
-			fflush(stdout);
+			fprintf(errout, "dump zone to %s...", output_filename);
+			fflush(errout);
 		}
 		result = dump_zone(origin, zone, output_filename,
 				   outputformat, outputstyle);
 		if (!quiet && progmode == progmode_compile)
-			fprintf(stdout, "done\n");
+			fprintf(errout, "done\n");
 	}
 
 	if (!quiet && result == ISC_R_SUCCESS)
-		fprintf(stdout, "OK\n");
+		fprintf(errout, "OK\n");
 	destroy();
 	if (lctx != NULL)
 		isc_log_destroy(&lctx);
diff --git a/bin/check/named-checkzone.docbook b/bin/check/named-checkzone.docbook
index 11b85ef..d863447 100644
--- a/bin/check/named-checkzone.docbook
+++ b/bin/check/named-checkzone.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named-checkzone.docbook,v 1.11.18.21 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: named-checkzone.docbook,v 1.34.334.2 2009/01/22 23:47:04 tbox Exp $ -->
 <refentry id="man.named-checkzone">
   <refentryinfo>
     <date>June 13, 2000</date>
@@ -36,6 +36,7 @@
       <year>2005</year>
       <year>2006</year>
       <year>2007</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -56,6 +57,7 @@
     <cmdsynopsis>
       <command>named-checkzone</command>
       <arg><option>-d</option></arg>
+      <arg><option>-h</option></arg>
       <arg><option>-j</option></arg>
       <arg><option>-q</option></arg>
       <arg><option>-v</option></arg>
@@ -137,6 +139,15 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Print the usage summary and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-q</term>
         <listitem>
           <para>
@@ -168,7 +179,7 @@
         <term>-c <replaceable class="parameter">class</replaceable></term>
         <listitem>
           <para>
-            Specify the class of the zone.  If not specified "IN" is assumed.
+            Specify the class of the zone.  If not specified, "IN" is assumed.
           </para>
         </listitem>
       </varlistentry>
@@ -301,6 +312,8 @@
         <listitem>
           <para>
             Write zone output to <filename>filename</filename>.
+	    If <filename>filename</filename> is <filename>-</filename> then
+	    write to standard out.
 	    This is mandatory for <command>named-compilezone</command>.
           </para>
         </listitem>
diff --git a/bin/check/named-checkzone.html b/bin/check/named-checkzone.html
index 0e1015d..71dc445 100644
--- a/bin/check/named-checkzone.html
+++ b/bin/check/named-checkzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2007, 2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named-checkzone.html,v 1.11.18.30 2007/06/20 02:26:58 marka Exp $ -->
+<!-- $Id: named-checkzone.html,v 1.42.334.1 2009/01/23 01:53:33 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,11 +29,11 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543665"></a><h2>DESCRIPTION</h2>
+<a name="id2543672"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -53,12 +53,16 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543700"></a><h2>OPTIONS</h2>
+<a name="id2543707"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
             Enable debugging.
           </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
             Quiet mode - exit code only.
@@ -74,7 +78,7 @@
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
-            Specify the class of the zone.  If not specified "IN" is assumed.
+            Specify the class of the zone.  If not specified, "IN" is assumed.
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
@@ -169,6 +173,8 @@
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
 <dd><p>
             Write zone output to <code class="filename">filename</code>.
+	    If <code class="filename">filename</code> is <code class="filename">-</code> then
+	    write to standard out.
 	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -233,14 +239,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544299"></a><h2>RETURN VALUES</h2>
+<a name="id2544328"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544311"></a><h2>SEE ALSO</h2>
+<a name="id2544340"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -248,7 +254,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544344"></a><h2>AUTHOR</h2>
+<a name="id2544373"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/dig/Makefile.in b/bin/dig/Makefile.in
index 836b7f2..bc9d34f 100644
--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.33.18.6 2005/09/09 14:11:04 marka Exp $
+# $Id: Makefile.in,v 1.41 2007/06/19 23:46:59 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/dig/dig.1 b/bin/dig/dig.1
index c9df21e..f7f4370 100644
--- a/bin/dig/dig.1
+++ b/bin/dig/dig.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dig.1,v 1.23.18.24 2008/10/14 01:30:11 tbox Exp $
+.\" $Id: dig.1,v 1.50.44.2 2009/02/03 01:52:10 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -291,7 +291,7 @@ A synonym for
 .PP
 \fB+[no]adflag\fR
 .RS 4
-Set [do not set] the AD (authentic data) bit in the query. The AD bit currently has a standard meaning only in responses, not in queries, but the ability to set the bit in the query is provided for completeness.
+Set [do not set] the AD (authentic data) bit in the query. This requests the server to return whether all of the answer and authority sections have all been validated as secure according to the security policy of the server. AD=1 indicates that all records have been validated as secure and the answer is not from a OPT\-OUT range. AD=0 indicate that some part of the answer was insecure or not validated.
 .RE
 .PP
 \fB+[no]cdflag\fR
@@ -480,7 +480,7 @@ Chase DNSSEC signature chains. Requires dig be compiled with \-DDIG_SIGCHASE.
 Specifies a file containing trusted keys to be used with
 \fB+sigchase\fR. Each DNSKEY record must be on its own line.
 .sp
-If not specified
+If not specified,
 \fBdig\fR
 will look for
 \fI/etc/trusted\-key.key\fR
@@ -495,6 +495,11 @@ Requires dig be compiled with \-DDIG_SIGCHASE.
 .RS 4
 When chasing DNSSEC signature chains perform a top\-down validation. Requires dig be compiled with \-DDIG_SIGCHASE.
 .RE
+.PP
+\fB+[no]nsid\fR
+.RS 4
+Include an EDNS name server ID request when sending a query.
+.RE
 .SH "MULTIPLE QUERIES"
 .PP
 The BIND 9 implementation of
@@ -557,7 +562,7 @@ RFC1035.
 .PP
 There are probably too many query options.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
diff --git a/bin/dig/dig.c b/bin/dig/dig.c
index 5cde9c4..f740a1d 100644
--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.c,v 1.186.18.33 2008/10/15 02:19:18 marka Exp $ */
+/* $Id: dig.c,v 1.225.26.4 2009/05/06 10:18:33 fdupont Exp $ */
 
 /*! \file */
 
@@ -111,6 +111,24 @@ static const char * const rcodetext[] = {
 	"BADVERS"
 };
 
+/*% safe rcodetext[] */
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else
+		totext.consttext = rcodetext[rcode];
+	return totext.deconsttext;
+}
+
 /*% print usage */
 static void
 print_usage(FILE *fp) {
@@ -195,6 +213,7 @@ help(void) {
 "                 +[no]identify       (ID responders in short answers)\n"
 "                 +[no]trace          (Trace delegation down from root)\n"
 "                 +[no]dnssec         (Request DNSSEC records)\n"
+"                 +[no]nsid           (Request Name Server ID)\n"
 #ifdef DIG_SIGCHASE
 "                 +[no]sigchase       (Chase DNSSEC signatures)\n"
 "                 +trusted-key=####   (Trusted Key when chasing DNSSEC sigs)\n"
@@ -468,7 +487,8 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		if (headers) {
 			printf(";; ->>HEADER<<- opcode: %s, status: %s, "
 			       "id: %u\n",
-			       opcodetext[msg->opcode], rcodetext[msg->rcode],
+			       opcodetext[msg->opcode],
+			       rcode_totext(msg->rcode),
 			       msg->id);
 			printf(";; flags:");
 			if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0)
@@ -640,9 +660,9 @@ printgreeting(int argc, char **argv, dig_lookup_t *lookup) {
 		}
 		if (first) {
 			snprintf(append, sizeof(append),
-				 ";; global options: %s %s\n",
-			       short_form ? "short_form" : "",
-			       printcmd ? "printcmd" : "");
+				 ";; global options:%s%s\n",
+				 short_form ? " +short" : "",
+				 printcmd ? " +cmd" : "");
 			first = ISC_FALSE;
 			remaining = sizeof(lookup->cmdline) -
 				    strlen(lookup->cmdline) - 1;
@@ -800,7 +820,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 		switch (cmd[1]) {
 		case 'e': /* defname */
 			FULLCHECK("defname");
-			usesearch = state;
+			if (!lookup->trace) {
+				usesearch = state;
+			}
 			break;
 		case 'n': /* dnssec */
 			FULLCHECK("dnssec");
@@ -842,7 +864,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 			lookup->identify = state;
 			break;
 		case 'g': /* ignore */
-		default: /* Inherets default for compatibility */
+		default: /* Inherits default for compatibility */
 			FULLCHECK("ignore");
 			lookup->ignore = ISC_TRUE;
 		}
@@ -861,21 +883,33 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				goto invalid_option;
 			ndots = parse_uint(value, "ndots", MAXNDOTS);
 			break;
-		case 's': /* nssearch */
-			FULLCHECK("nssearch");
-			lookup->ns_search_only = state;
-			if (state) {
-				lookup->trace_root = ISC_TRUE;
-				lookup->recurse = ISC_TRUE;
-				lookup->identify = ISC_TRUE;
-				lookup->stats = ISC_FALSE;
-				lookup->comments = ISC_FALSE;
-				lookup->section_additional = ISC_FALSE;
-				lookup->section_authority = ISC_FALSE;
-				lookup->section_question = ISC_FALSE;
-				lookup->rdtype = dns_rdatatype_ns;
-				lookup->rdtypeset = ISC_TRUE;
-				short_form = ISC_TRUE;
+		case 's':
+			switch (cmd[2]) {
+			case 'i': /* nsid */
+				FULLCHECK("nsid");
+				if (state && lookup->edns == -1)
+					lookup->edns = 0;
+				lookup->nsid = state;
+				break;
+			case 's': /* nssearch */
+				FULLCHECK("nssearch");
+				lookup->ns_search_only = state;
+				if (state) {
+					lookup->trace_root = ISC_TRUE;
+					lookup->recurse = ISC_TRUE;
+					lookup->identify = ISC_TRUE;
+					lookup->stats = ISC_FALSE;
+					lookup->comments = ISC_FALSE;
+					lookup->section_additional = ISC_FALSE;
+					lookup->section_authority = ISC_FALSE;
+					lookup->section_question = ISC_FALSE;
+					lookup->rdtype = dns_rdatatype_ns;
+					lookup->rdtypeset = ISC_TRUE;
+					short_form = ISC_TRUE;
+				}
+				break;
+			default:
+				goto invalid_option;
 			}
 			break;
 		default:
@@ -928,7 +962,9 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 		switch (cmd[1]) {
 		case 'e': /* search */
 			FULLCHECK("search");
-			usesearch = state;
+			if (!lookup->trace) {
+				usesearch = state;
+			}
 			break;
 		case 'h':
 			if (cmd[2] != 'o')
@@ -949,8 +985,10 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 				break;
 			case 'w': /* showsearch */
 				FULLCHECK("showsearch");
-				showsearch = state;
-				usesearch = state;
+				if (!lookup->trace) {
+					showsearch = state;
+					usesearch = state;
+				}
 				break;
 			default:
 				goto invalid_option;
@@ -1009,6 +1047,7 @@ plus_option(char *option, isc_boolean_t is_batchfile,
 					lookup->section_additional = ISC_FALSE;
 					lookup->section_authority = ISC_TRUE;
 					lookup->section_question = ISC_FALSE;
+					usesearch = ISC_FALSE;
 				}
 				break;
 			case 'i': /* tries */
@@ -1254,6 +1293,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 						MAXSERIAL);
 				(*lookup)->section_question = plusquest;
 				(*lookup)->comments = pluscomm;
+				(*lookup)->tcp_mode = ISC_TRUE;
 			} else {
 				(*lookup)->rdtype = rdtype;
 				(*lookup)->rdtypeset = ISC_TRUE;
@@ -1594,6 +1634,7 @@ parse_args(isc_boolean_t is_batchfile, isc_boolean_t config_only,
 						lookup->section_question =
 							plusquest;
 						lookup->comments = pluscomm;
+						lookup->tcp_mode = ISC_TRUE;
 					} else {
 						lookup->rdtype = rdtype;
 						lookup->rdtypeset = ISC_TRUE;
diff --git a/bin/dig/dig.docbook b/bin/dig/dig.docbook
index 92be180..f987465b 100644
--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dig.docbook,v 1.17.18.24 2008/10/14 00:54:40 marka Exp $ -->
+<!-- $Id: dig.docbook,v 1.42.44.3 2009/02/02 04:42:48 marka Exp $ -->
 <refentry id="man.dig">
 
   <refentryinfo>
@@ -43,6 +43,7 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -449,17 +450,19 @@
 
         <varlistentry>
           <term><option>+[no]adflag</option></term>
-          <listitem>
-            <para>
-              Set [do not set] the AD (authentic data) bit in the query.  The
-              AD bit
-              currently has a standard meaning only in responses, not in
-              queries,
-              but the ability to set the bit in the query is provided for
-              completeness.
-            </para>
-          </listitem>
-        </varlistentry>
+	  <listitem>
+	    <para>
+	      Set [do not set] the AD (authentic data) bit in the
+	      query.  This requests the server to return whether
+	      all of the answer and authority sections have all
+	      been validated as secure according to the security
+	      policy of the server.  AD=1 indicates that all records
+	      have been validated as secure and the answer is not
+	      from a OPT-OUT range.  AD=0 indicate that some part
+	      of the answer was insecure or not validated.
+	    </para>
+	  </listitem>
+	</varlistentry>
 
         <varlistentry>
           <term><option>+[no]cdflag</option></term>
@@ -816,7 +819,7 @@
 	      on its own line.
             </para>
 	    <para>
-	      If not specified <command>dig</command> will look for
+	      If not specified, <command>dig</command> will look for
 	      <filename>/etc/trusted-key.key</filename> then
 	      <filename>trusted-key.key</filename> in the current directory.
 	    </para>
@@ -837,6 +840,14 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term><option>+[no]nsid</option></term>
+          <listitem>
+            <para>
+              Include an EDNS name server ID request when sending a query.
+            </para>
+          </listitem>
+        </varlistentry>
 
 
       </variablelist>
diff --git a/bin/dig/dig.html b/bin/dig/dig.html
index a8c4594..11b55cc 100644
--- a/bin/dig/dig.html
+++ b/bin/dig/dig.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dig.html,v 1.13.18.30 2008/10/14 01:30:11 tbox Exp $ -->
+<!-- $Id: dig.html,v 1.45.44.2 2009/02/03 01:52:10 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -34,7 +34,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543515"></a><h2>DESCRIPTION</h2>
+<a name="id2543518"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -80,7 +80,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543589"></a><h2>SIMPLE USAGE</h2>
+<a name="id2543592"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -126,7 +126,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543680"></a><h2>OPTIONS</h2>
+<a name="id2543683"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -230,7 +230,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544028"></a><h2>QUERY OPTIONS</h2>
+<a name="id2544032"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -308,13 +308,15 @@
             </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
 <dd><p>
-              Set [do not set] the AD (authentic data) bit in the query.  The
-              AD bit
-              currently has a standard meaning only in responses, not in
-              queries,
-              but the ability to set the bit in the query is provided for
-              completeness.
-            </p></dd>
+	      Set [do not set] the AD (authentic data) bit in the
+	      query.  This requests the server to return whether
+	      all of the answer and authority sections have all
+	      been validated as secure according to the security
+	      policy of the server.  AD=1 indicates that all records
+	      have been validated as secure and the answer is not
+	      from a OPT-OUT range.  AD=0 indicate that some part
+	      of the answer was insecure or not validated.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
 <dd><p>
               Set [do not set] the CD (checking disabled) bit in the query.
@@ -529,7 +531,7 @@
 	      on its own line.
             </p>
 <p>
-	      If not specified <span><strong class="command">dig</strong></span> will look for
+	      If not specified, <span><strong class="command">dig</strong></span> will look for
 	      <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current directory.
 	    </p>
@@ -543,13 +545,17 @@
               validation.
               Requires dig be compiled with -DDIG_SIGCHASE.
             </p></dd>
+<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
+<dd><p>
+              Include an EDNS name server ID request when sending a query.
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545149"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2545166"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -595,7 +601,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545211"></a><h2>IDN SUPPORT</h2>
+<a name="id2545228"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -609,14 +615,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545234"></a><h2>FILES</h2>
+<a name="id2545251"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545251"></a><h2>SEE ALSO</h2>
+<a name="id2545336"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -624,7 +630,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545356"></a><h2>BUGS</h2>
+<a name="id2545373"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 8736c0c..470261c 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dighost.c,v 1.259.18.49 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: dighost.c,v 1.311.70.8 2009/02/25 02:39:21 marka Exp $ */
 
 /*! \file
  *  \note
@@ -583,6 +583,11 @@ copy_server_list(lwres_conf_t *confdata, dig_serverlist_t *dest) {
 	for (i = 0; i < confdata->nsnext; i++) {
 		af = addr2af(confdata->nameservers[i].family);
 
+		if (af == AF_INET && !have_ipv4)
+			continue;
+		if (af == AF_INET6 && !have_ipv6)
+			continue;
+
 		lwres_net_ntop(af, confdata->nameservers[i].address,
 				   tmp, sizeof(tmp));
 		newsrv = make_server(tmp, tmp);
@@ -724,6 +729,7 @@ make_empty_lookup(void) {
 	looknew->servfail_stops = ISC_TRUE;
 	looknew->besteffort = ISC_TRUE;
 	looknew->dnssec = ISC_FALSE;
+	looknew->nsid = ISC_FALSE;
 #ifdef DIG_SIGCHASE
 	looknew->sigchase = ISC_FALSE;
 #if DIG_SIGCHASE_TD
@@ -770,7 +776,7 @@ make_empty_lookup(void) {
  * the query list, since it will be regenerated by the setup_lookup()
  * function, nor does it queue up the new lookup for processing.
  * Caution: If you don't clone the servers, you MUST clone the server
- * list seperately from somewhere else, or construct it by hand.
+ * list separately from somewhere else, or construct it by hand.
  */
 dig_lookup_t *
 clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
@@ -803,6 +809,7 @@ clone_lookup(dig_lookup_t *lookold, isc_boolean_t servers) {
 	looknew->servfail_stops = lookold->servfail_stops;
 	looknew->besteffort = lookold->besteffort;
 	looknew->dnssec = lookold->dnssec;
+	looknew->nsid = lookold->nsid;
 #ifdef DIG_SIGCHASE
 	looknew->sigchase = lookold->sigchase;
 #if DIG_SIGCHASE_TD
@@ -1004,10 +1011,18 @@ void
 setup_system(void) {
 	dig_searchlist_t *domain = NULL;
 	lwres_result_t lwresult;
+	unsigned int lwresflags;
 
 	debug("setup_system()");
 
-	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
+	lwresflags = LWRES_CONTEXT_SERVERMODE;
+	if (have_ipv4)
+		lwresflags |= LWRES_CONTEXT_USEIPV4;
+	if (have_ipv6)
+		lwresflags |= LWRES_CONTEXT_USEIPV6;
+
+	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free,
+					lwresflags);
 	if (lwresult != LWRES_R_SUCCESS)
 		fatal("lwres_context_create failed");
 
@@ -1033,8 +1048,10 @@ setup_system(void) {
 		debug("ndots is %d.", ndots);
 	}
 
+	copy_server_list(lwconf, &server_list);
+
 	/* If we don't find a nameserver fall back to localhost */
-	if (lwconf->nsnext == 0) {
+	if (ISC_LIST_EMPTY(server_list)) {
 		if (have_ipv4) {
 			lwresult = add_nameserver(lwconf, "127.0.0.1", AF_INET);
 			if (lwresult != ISC_R_SUCCESS)
@@ -1045,10 +1062,9 @@ setup_system(void) {
 			if (lwresult != ISC_R_SUCCESS)
 				fatal("add_nameserver failed");
 		}
-	}
 
-	if (ISC_LIST_EMPTY(server_list))
 		copy_server_list(lwconf, &server_list);
+	}
 
 #ifdef WITH_IDN
 	initialize_idn();
@@ -1155,11 +1171,11 @@ setup_libs(void) {
 
 /*%
  * Add EDNS0 option record to a message.  Currently, the only supported
- * options are UDP buffer size and the DO bit.
+ * options are UDP buffer size, the DO bit, and NSID request.
  */
 static void
 add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
-	isc_boolean_t dnssec)
+	isc_boolean_t dnssec, isc_boolean_t nsid)
 {
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
@@ -1182,8 +1198,19 @@ add_opt(dns_message_t *msg, isc_uint16_t udpsize, isc_uint16_t edns,
 	rdatalist->ttl = edns << 16;
 	if (dnssec)
 		rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
-	rdata->data = NULL;
-	rdata->length = 0;
+	if (nsid) {
+		unsigned char data[4];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, data, sizeof(data));
+		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+		isc_buffer_putuint16(&buf, 0);
+		rdata->data = data;
+		rdata->length = sizeof(data);
+	} else {
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
 	ISC_LIST_INIT(rdatalist->rdata);
 	ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 	dns_rdatalist_tordataset(rdatalist, rdataset);
@@ -1387,7 +1414,7 @@ start_lookup(void) {
 							 key_name) == ISC_TRUE)
 					trustedkey = tk_list.key[i];
 				/*
-				 * Verifier que la temp est bien la plus basse
+				 * Verify temp is really the lowest
 				 * WARNING
 				 */
 			}
@@ -1848,7 +1875,7 @@ setup_lookup(dig_lookup_t *lookup) {
 						&lookup->name);
 			dns_message_puttempname(lookup->sendmsg,
 						&lookup->oname);
-			fatal("Origin '%s' is not in legal name syntax (%s)",
+			fatal("'%s' is not in legal name syntax (%s)",
 			      lookup->origin->origin,
 			      isc_result_totext(result));
 		}
@@ -1953,12 +1980,15 @@ setup_lookup(dig_lookup_t *lookup) {
 
 	if ((lookup->rdtype == dns_rdatatype_axfr) ||
 	    (lookup->rdtype == dns_rdatatype_ixfr)) {
-		lookup->doing_xfr = ISC_TRUE;
 		/*
-		 * Force TCP mode if we're doing an xfr.
-		 * XXX UDP ixfr's would be useful
+		 * Force TCP mode if we're doing an axfr.
 		 */
-		lookup->tcp_mode = ISC_TRUE;
+		if (lookup->rdtype == dns_rdatatype_axfr) {
+			lookup->doing_xfr = ISC_TRUE;
+			lookup->tcp_mode = ISC_TRUE;
+		} else if (lookup->tcp_mode) {
+			lookup->doing_xfr = ISC_TRUE;
+		}
 	}
 
 	add_question(lookup->sendmsg, lookup->name, lookup->rdclass,
@@ -1995,7 +2025,7 @@ setup_lookup(dig_lookup_t *lookup) {
 		if (lookup->edns < 0)
 			lookup->edns = 0;
 		add_opt(lookup->sendmsg, lookup->udpsize,
-			lookup->edns, lookup->dnssec);
+			lookup->edns, lookup->dnssec, lookup->nsid);
 	}
 
 	result = dns_message_rendersection(lookup->sendmsg,
@@ -2175,6 +2205,21 @@ bringup_timer(dig_query_t *query, unsigned int default_timeout) {
 }
 
 static void
+force_timeout(dig_lookup_t *l, dig_query_t *query) {
+	isc_event_t *event;
+
+	event = isc_event_allocate(mctx, query, ISC_TIMEREVENT_IDLE,
+				   connect_timeout, l,
+				   sizeof(isc_event_t));
+	if (event == NULL) {
+		fatal("isc_event_allocate: %s",
+		      isc_result_totext(ISC_R_NOMEMORY));
+	}
+	isc_task_send(global_task, &event);
+}
+
+
+static void
 connect_done(isc_task_t *task, isc_event_t *event);
 
 /*%
@@ -2193,7 +2238,16 @@ send_tcp_connect(dig_query_t *query) {
 	l = query->lookup;
 	query->waiting_connect = ISC_TRUE;
 	query->lookup->current_query = query;
-	get_address(query->servname, port, &query->sockaddr);
+	result = get_address(query->servname, port, &query->sockaddr);
+	if (result == ISC_R_NOTFOUND) {
+		/*
+		 * This servname doesn't have an address.  Try the next server
+		 * by triggering an immediate 'timeout' (we lie, but the effect
+		 * is the same).
+		 */
+		force_timeout(l, query);
+		return;
+	}
 
 	if (specified_source &&
 	    (isc_sockaddr_pf(&query->sockaddr) !=
@@ -2266,7 +2320,12 @@ send_udp(dig_query_t *query) {
 	if (!query->recv_made) {
 		/* XXX Check the sense of this, need assertion? */
 		query->waiting_connect = ISC_FALSE;
-		get_address(query->servname, port, &query->sockaddr);
+		result = get_address(query->servname, port, &query->sockaddr);
+		if (result == ISC_R_NOTFOUND) {
+			/* This servname doesn't have an address. */
+			force_timeout(l, query);
+			return;
+		}
 
 		result = isc_socket_create(socketmgr,
 					   isc_sockaddr_pf(&query->sockaddr),
@@ -2337,8 +2396,14 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
 		cq = query->lookup->current_query;
 		if (!l->tcp_mode)
 			send_udp(ISC_LIST_NEXT(cq, link));
-		else
+		else {
+			isc_socket_cancel(query->sock, NULL,
+					  ISC_SOCKCANCEL_ALL);
+			isc_socket_detach(&query->sock);
+			sockcount--;
+			debug("sockcount=%d", sockcount);
 			send_tcp_connect(ISC_LIST_NEXT(cq, link));
+		}
 		UNLOCK_LOOKUP;
 		return;
 	}
@@ -2892,18 +2957,8 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	if (result == ISC_R_SUCCESS && (msgflags & DNS_MESSAGEFLAG_QR) == 0)
 		printf(";; Warning: query response not set\n");
 
-	if (!match) {
-		isc_buffer_invalidate(&query->recvbuf);
-		isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
-		ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
-		result = isc_socket_recvv(query->sock, &query->recvlist, 1,
-					  global_task, recv_done, query);
-		check_result(result, "isc_socket_recvv");
-		recvcount++;
-		isc_event_free(&event);
-		UNLOCK_LOOKUP;
-		return;
-	}
+	if (!match)
+		goto udp_mismatch;
 
 	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &msg);
 	check_result(result, "dns_message_create");
@@ -2958,6 +3013,52 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 		UNLOCK_LOOKUP;
 		return;
 	}
+	if (msg->counts[DNS_SECTION_QUESTION] != 0) {
+		match = ISC_TRUE;
+		for (result = dns_message_firstname(msg, DNS_SECTION_QUESTION);
+		     result == ISC_R_SUCCESS && match;
+		     result = dns_message_nextname(msg, DNS_SECTION_QUESTION)) {
+			dns_name_t *name = NULL;
+			dns_rdataset_t *rdataset;
+
+			dns_message_currentname(msg, DNS_SECTION_QUESTION,
+						&name);
+			for (rdataset = ISC_LIST_HEAD(name->list);
+			     rdataset != NULL;
+			     rdataset = ISC_LIST_NEXT(rdataset, link)) {
+				if (l->rdtype != rdataset->type ||
+				    l->rdclass != rdataset->rdclass ||
+				    !dns_name_equal(l->name, name)) {
+					char namestr[DNS_NAME_FORMATSIZE];
+					char typebuf[DNS_RDATATYPE_FORMATSIZE];
+					char classbuf[DNS_RDATACLASS_FORMATSIZE];
+					dns_name_format(name, namestr,
+							sizeof(namestr));
+					dns_rdatatype_format(rdataset->type,
+							     typebuf,
+							     sizeof(typebuf));
+					dns_rdataclass_format(rdataset->rdclass,
+							      classbuf,
+							      sizeof(classbuf));
+					printf(";; Question section mismatch: "
+					       "got %s/%s/%s\n",
+					       namestr, typebuf, classbuf);
+					match = ISC_FALSE;
+				}
+			}
+		}
+		if (!match) {
+			dns_message_destroy(&msg);
+			if (l->tcp_mode) {
+				isc_event_free(&event);
+				clear_query(query);
+				check_next_lookup(l);
+				UNLOCK_LOOKUP;
+				return;
+			} else
+				goto udp_mismatch;
+		}
+	}
 	if ((msg->flags & DNS_MESSAGEFLAG_TC) != 0 &&
 	    !l->ignore && !l->tcp_mode) {
 		printf(";; Truncated, retrying in TCP mode.\n");
@@ -3212,6 +3313,19 @@ recv_done(isc_task_t *task, isc_event_t *event) {
 	}
 	isc_event_free(&event);
 	UNLOCK_LOOKUP;
+	return;
+
+ udp_mismatch:
+	isc_buffer_invalidate(&query->recvbuf);
+	isc_buffer_init(&query->recvbuf, query->recvspace, COMMSIZE);
+	ISC_LIST_ENQUEUE(query->recvlist, &query->recvbuf, link);
+	result = isc_socket_recvv(query->sock, &query->recvlist, 1,
+				  global_task, recv_done, query);
+	check_result(result, "isc_socket_recvv");
+	recvcount++;
+	isc_event_free(&event);
+	UNLOCK_LOOKUP;
+	return;
 }
 
 /*%
@@ -3219,7 +3333,7 @@ recv_done(isc_task_t *task, isc_event_t *event) {
  * used in looking up server names, etc... and needs to use system-supplied
  * routines, since they may be using a non-DNS system for these lookups.
  */
-void
+isc_result_t
 get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	int count;
 	isc_result_t result;
@@ -3228,9 +3342,11 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	result = bind9_getaddresses(host, port, sockaddr, 1, &count);
 	isc_app_unblock();
 	if (result != ISC_R_SUCCESS)
-		fatal("couldn't get address for '%s': %s",
-		      host, isc_result_totext(result));
+		return (result);
+
 	INSIST(count == 1);
+
+	return (ISC_R_SUCCESS);
 }
 
 /*%
@@ -3284,7 +3400,7 @@ cancel_all(void) {
 			isc_timer_detach(&current_lookup->timer);
 		q = ISC_LIST_HEAD(current_lookup->q);
 		while (q != NULL) {
-			debug("cancelling query %p, belonging to %p",
+			debug("canceling query %p, belonging to %p",
 			      q, current_lookup);
 			nq = ISC_LIST_NEXT(q, link);
 			if (q->sock != NULL) {
@@ -3600,7 +3716,7 @@ dns_rdataset_t *
 search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
 	dns_rdataset_t *rdataset;
 	dns_rdata_sig_t siginfo;
-	dns_rdata_t sigrdata;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
 	isc_result_t result;
 
 	for (rdataset = ISC_LIST_HEAD(name->list); rdataset != NULL;
@@ -3610,7 +3726,6 @@ search_type(dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers) {
 				return (rdataset);
 		} else if ((type == dns_rdatatype_rrsig) &&
 			   (rdataset->type == dns_rdatatype_rrsig)) {
-			dns_rdata_init(&sigrdata);
 			result = dns_rdataset_first(rdataset);
 			check_result(result, "empty rdataset");
 			dns_rdataset_current(rdataset, &sigrdata);
@@ -4133,7 +4248,7 @@ isc_result_t
 grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
 {
 	isc_result_t result;
-	dns_rdata_t sigrdata;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
 	dns_rdata_sig_t siginfo;
 
 	result = dns_rdataset_first(sigrdataset);
@@ -4153,6 +4268,7 @@ grandfather_pb_test(dns_name_t *zone_name, dns_rdataset_t  *sigrdataset)
 		}
 
 		dns_rdata_freestruct(&siginfo);
+		dns_rdata_reset(&sigrdata);
 
 	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
 
@@ -4239,7 +4355,7 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 		     isc_mem_t *mctx)
 {
 	isc_result_t result;
-	dns_rdata_t rdata;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dst_key_t *trustedKey = NULL;
 	dst_key_t *dnsseckey = NULL;
 	int i;
@@ -4249,7 +4365,6 @@ contains_trusted_key(dns_name_t *name, dns_rdataset_t *rdataset,
 
 	result = dns_rdataset_first(rdataset);
 	check_result(result, "empty rdataset");
-	dns_rdata_init(&rdata);
 
 	do {
 		dns_rdataset_current(rdataset, &rdata);
@@ -4299,7 +4414,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
 		    isc_mem_t *mctx)
 {
 	isc_result_t result;
-	dns_rdata_t keyrdata;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
 	dst_key_t *dnsseckey = NULL;
 
 	result = dns_rdataset_first(keyrdataset);
@@ -4322,6 +4437,7 @@ sigchase_verify_sig(dns_name_t *name, dns_rdataset_t *rdataset,
 			return (ISC_R_SUCCESS);
 		}
 		dst_key_free(&dnsseckey);
+		dns_rdata_reset(&keyrdata);
 	} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
 
 	dns_rdata_reset(&keyrdata);
@@ -4335,7 +4451,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
 			isc_mem_t *mctx)
 {
 	isc_result_t result;
-	dns_rdata_t sigrdata;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
 	dns_rdata_sig_t siginfo;
 
 	result = dns_rdataset_first(sigrdataset);
@@ -4373,6 +4489,7 @@ sigchase_verify_sig_key(dns_name_t *name, dns_rdataset_t *rdataset,
 			}
 		}
 		dns_rdata_freestruct(&siginfo);
+		dns_rdata_reset(&sigrdata);
 
 	} while (dns_rdataset_next(chase_sigkeyrdataset) == ISC_R_SUCCESS);
 
@@ -4387,25 +4504,23 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 		   dns_rdataset_t *dsrdataset, isc_mem_t *mctx)
 {
 	isc_result_t result;
-	dns_rdata_t keyrdata;
-	dns_rdata_t newdsrdata;
-	dns_rdata_t dsrdata;
+	dns_rdata_t keyrdata = DNS_RDATA_INIT;
+	dns_rdata_t newdsrdata = DNS_RDATA_INIT;
+	dns_rdata_t dsrdata = DNS_RDATA_INIT;
 	dns_rdata_ds_t dsinfo;
 	dst_key_t *dnsseckey = NULL;
 	unsigned char dsbuf[DNS_DS_BUFFERSIZE];
 
 	result = dns_rdataset_first(dsrdataset);
 	check_result(result, "empty DSset dataset");
-	dns_rdata_init(&dsrdata);
 	do {
 		dns_rdataset_current(dsrdataset, &dsrdata);
 
 		result = dns_rdata_tostruct(&dsrdata, &dsinfo, NULL);
-		check_result(result, "dns_rdata_tostruct  for DS");
+		check_result(result, "dns_rdata_tostruct for DS");
 
 		result = dns_rdataset_first(keyrdataset);
 		check_result(result, "empty KEY dataset");
-		dns_rdata_init(&keyrdata);
 
 		do {
 			dns_rdataset_current(keyrdataset, &keyrdata);
@@ -4420,7 +4535,6 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 			 * id of DNSKEY referenced by the DS
 			 */
 			if (dsinfo.key_tag == dst_key_id(dnsseckey)) {
-				dns_rdata_init(&newdsrdata);
 
 				result = dns_ds_buildrdata(name, &keyrdata,
 							   dsinfo.digest_type,
@@ -4468,14 +4582,16 @@ sigchase_verify_ds(dns_name_t *name, dns_rdataset_t *keyrdataset,
 				dns_rdata_reset(&newdsrdata);
 			}
 			dst_key_free(&dnsseckey);
+			dns_rdata_reset(&keyrdata);
 			dnsseckey = NULL;
 		} while (dns_rdataset_next(chase_keyrdataset) == ISC_R_SUCCESS);
-		dns_rdata_reset(&keyrdata);
+		dns_rdata_reset(&dsrdata);
 
 	} while (dns_rdataset_next(chase_dsrdataset) == ISC_R_SUCCESS);
-#if 0
-	dns_rdata_reset(&dsrdata); WARNING
-#endif
+
+	dns_rdata_reset(&keyrdata);
+	dns_rdata_reset(&newdsrdata);
+	dns_rdata_reset(&dsrdata);
 
 	return (ISC_R_NOTFOUND);
 }
@@ -4868,7 +4984,7 @@ getneededrr(dns_message_t *msg)
 {
 	isc_result_t result;
 	dns_name_t *name = NULL;
-	dns_rdata_t sigrdata;
+	dns_rdata_t sigrdata = DNS_RDATA_INIT;
 	dns_rdata_sig_t siginfo;
 	isc_boolean_t   true = ISC_TRUE;
 
@@ -4922,7 +5038,6 @@ getneededrr(dns_message_t *msg)
 	/* first find the DNSKEY name */
 	result = dns_rdataset_first(chase_sigrdataset);
 	check_result(result, "empty RRSIG dataset");
-	dns_rdata_init(&sigrdata);
 	dns_rdataset_current(chase_sigrdataset, &sigrdata);
 	result = dns_rdata_tostruct(&sigrdata, &siginfo, NULL);
 	check_result(result, "sigrdata tostruct siginfo");
@@ -5300,6 +5415,7 @@ prove_nx_domain(dns_message_t *msg,
 			}
 
 			dns_rdata_freestruct(&nsecstruct);
+			dns_rdata_reset(&nsec);
 		}
 	} while (dns_message_nextname(msg, DNS_SECTION_AUTHORITY)
 		 == ISC_R_SUCCESS);
@@ -5367,7 +5483,7 @@ prove_nx(dns_message_t *msg, dns_name_t *name, dns_rdataclass_t class,
 	isc_result_t ret;
 	dns_rdataset_t *nsecset = NULL;
 
-	printf("We want to prove the non-existance of a type of rdata %d"
+	printf("We want to prove the non-existence of a type of rdata %d"
 	       " or of the zone: \n", type);
 
 	if ((ret = dns_message_firstname(msg, DNS_SECTION_AUTHORITY))
diff --git a/bin/dig/host.1 b/bin/dig/host.1
index 9993c0e..eebdad8 100644
--- a/bin/dig/host.1
+++ b/bin/dig/host.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2002 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: host.1,v 1.14.18.16 2008/04/06 01:31:04 tbox Exp $
+.\" $Id: host.1,v 1.29.114.1 2009/01/23 01:53:33 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -132,7 +132,7 @@ option enables
 \fBhost\fR
 to mimic the behavior of a name server by making non\-recursive queries and expecting to receive answers to those queries that are usually referrals to other name servers.
 .PP
-By default
+By default,
 \fBhost\fR
 uses UDP when making queries. The
 \fB\-T\fR
@@ -154,7 +154,7 @@ option is used to select the query type.
 \fItype\fR
 can be any recognized query type: CNAME, NS, SOA, SIG, KEY, AXFR, etc. When no query type is specified,
 \fBhost\fR
-automatically selects an appropriate query type. By default it looks for A, AAAA, and MX records, but if the
+automatically selects an appropriate query type. By default, it looks for A, AAAA, and MX records, but if the
 \fB\-C\fR
 option was given, queries will be made for SOA records, and if
 \fIname\fR
@@ -213,7 +213,7 @@ runs.
 \fBdig\fR(1),
 \fBnamed\fR(8).
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2002 Internet Software Consortium.
 .br
diff --git a/bin/dig/host.c b/bin/dig/host.c
index 33025d5..9f30206 100644
--- a/bin/dig/host.c
+++ b/bin/dig/host.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: host.c,v 1.94.18.19 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: host.c,v 1.116.216.2 2009/05/06 23:47:18 tbox Exp $ */
 
 /*! \file */
 
@@ -124,6 +124,23 @@ struct rtype rtypes[] = {
 	{ 0, NULL }
 };
 
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else
+		totext.consttext = rcodetext[rcode];
+	return totext.deconsttext;
+}
+
 static void
 show_usage(void) {
 	fputs(
@@ -270,10 +287,10 @@ printsection(dns_message_t *msg, dns_section_t sectionid,
 			if (query->lookup->rdtype == dns_rdatatype_axfr &&
 			    !((!list_addresses &&
 			       (list_type == dns_rdatatype_any ||
-			        rdataset->type == list_type)) ||
+				rdataset->type == list_type)) ||
 			      (list_addresses &&
 			       (rdataset->type == dns_rdatatype_a ||
-			        rdataset->type == dns_rdatatype_aaaa ||
+				rdataset->type == dns_rdatatype_aaaa ||
 				rdataset->type == dns_rdatatype_ns ||
 				rdataset->type == dns_rdatatype_ptr))))
 				continue;
@@ -377,7 +394,7 @@ chase_cnamechain(dns_message_t *msg, dns_name_t *qname) {
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	unsigned int i = msg->counts[DNS_SECTION_ANSWER];
 
- 	while (i-- > 0) {
+	while (i-- > 0) {
 		rdataset = NULL;
 		result = dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
 					      dns_rdatatype_cname, 0, NULL,
@@ -429,7 +446,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 		printf("Host %s not found: %d(%s)\n",
 		       (msg->rcode != dns_rcode_nxdomain) ? namestr :
 		       query->lookup->textname, msg->rcode,
-		       rcodetext[msg->rcode]);
+		       rcode_totext(msg->rcode));
 		return (ISC_R_SUCCESS);
 	}
 
@@ -451,7 +468,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				sizeof(lookup->textname));
 			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_aaaa;
-                        lookup->rdtypeset = ISC_TRUE;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -462,7 +479,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				sizeof(lookup->textname));
 			lookup->textname[sizeof(lookup->textname)-1] = 0;
 			lookup->rdtype = dns_rdatatype_mx;
-                        lookup->rdtypeset = ISC_TRUE;
+			lookup->rdtypeset = ISC_TRUE;
 			lookup->origin = NULL;
 			lookup->retries = tries;
 			ISC_LIST_APPEND(lookup_list, lookup, link);
@@ -471,7 +488,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 
 	if (!short_form) {
 		printf(";; ->>HEADER<<- opcode: %s, status: %s, id: %u\n",
-		       opcodetext[msg->opcode], rcodetext[msg->rcode],
+		       opcodetext[msg->opcode], rcode_totext(msg->rcode),
 		       msg->id);
 		printf(";; flags: ");
 		if ((msg->flags & DNS_MESSAGEFLAG_QR) != 0) {
@@ -689,6 +706,7 @@ parse_args(isc_boolean_t is_batchfile, int argc, char **argv) {
 				lookup->tcp_mode = ISC_TRUE;
 			} else if (rdtype == dns_rdatatype_ixfr) {
 				lookup->ixfr_serial = serial;
+				lookup->tcp_mode = ISC_TRUE;
 				list_type = rdtype;
 #ifdef WITH_IDN
 			} else if (rdtype == dns_rdatatype_a ||
@@ -837,7 +855,7 @@ main(int argc, char **argv) {
 	ISC_LIST_INIT(lookup_list);
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
-	
+
 	fatalexit = 1;
 #ifdef WITH_IDN
 	idnoptions = IDN_ASCCHECK;
diff --git a/bin/dig/host.docbook b/bin/dig/host.docbook
index 2c0ad3d..3e75b05 100644
--- a/bin/dig/host.docbook
+++ b/bin/dig/host.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: host.docbook,v 1.5.18.13 2008/04/05 23:46:04 tbox Exp $ -->
+<!-- $Id: host.docbook,v 1.18.114.2 2009/01/22 23:47:05 tbox Exp $ -->
 <refentry id="man.host">
 
   <refentryinfo>
@@ -42,6 +42,7 @@
       <year>2005</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -180,7 +181,7 @@
     </para>
 
     <para>
-      By default <command>host</command> uses UDP when making
+      By default, <command>host</command> uses UDP when making
       queries.  The
       <option>-T</option> option makes it use a TCP connection when querying
       the name server.  TCP will be automatically selected for queries that
@@ -200,7 +201,7 @@
       NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
       <command>host</command> automatically selects an appropriate
       query
-      type.  By default it looks for A, AAAA, and MX records, but if the
+      type.  By default, it looks for A, AAAA, and MX records, but if the
       <option>-C</option> option was given, queries will be made for SOA
       records, and if <parameter>name</parameter> is a
       dotted-decimal IPv4
diff --git a/bin/dig/host.html b/bin/dig/host.html
index 88cd830..f210731 100644
--- a/bin/dig/host.html
+++ b/bin/dig/host.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2002 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: host.html,v 1.7.18.22 2008/04/06 01:31:04 tbox Exp $ -->
+<!-- $Id: host.html,v 1.28.114.1 2009/01/23 01:53:33 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543431"></a><h2>DESCRIPTION</h2>
+<a name="id2543434"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -130,7 +130,7 @@
       referrals to other name servers.
     </p>
 <p>
-      By default <span><strong class="command">host</strong></span> uses UDP when making
+      By default, <span><strong class="command">host</strong></span> uses UDP when making
       queries.  The
       <code class="option">-T</code> option makes it use a TCP connection when querying
       the name server.  TCP will be automatically selected for queries that
@@ -148,7 +148,7 @@
       NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
       <span><strong class="command">host</strong></span> automatically selects an appropriate
       query
-      type.  By default it looks for A, AAAA, and MX records, but if the
+      type.  By default, it looks for A, AAAA, and MX records, but if the
       <code class="option">-C</code> option was given, queries will be made for SOA
       records, and if <em class="parameter"><code>name</code></em> is a
       dotted-decimal IPv4
@@ -184,7 +184,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543797"></a><h2>IDN SUPPORT</h2>
+<a name="id2543800"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -198,12 +198,12 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543819"></a><h2>FILES</h2>
+<a name="id2543822"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543831"></a><h2>SEE ALSO</h2>
+<a name="id2543834"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
diff --git a/bin/dig/include/dig/dig.h b/bin/dig/include/dig/dig.h
index 02ae4d2..d9ee757 100644
--- a/bin/dig/include/dig/dig.h
+++ b/bin/dig/include/dig/dig.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dig.h,v 1.82.18.23 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dig.h,v 1.107.120.2 2009/01/06 23:47:26 tbox Exp $ */
 
 #ifndef DIG_H
 #define DIG_H
@@ -102,7 +102,7 @@ typedef struct dig_searchlist dig_searchlist_t;
 /*% The dig_lookup structure */
 struct dig_lookup {
 	isc_boolean_t
-	        pending, /*%< Pending a successful answer */
+		pending, /*%< Pending a successful answer */
 		waiting_connect,
 		doing_xfr,
 		ns_search_only, /*%< dig +nssearch, host -C */
@@ -129,27 +129,28 @@ struct dig_lookup {
 		need_search,
 		done_as_is,
 		besteffort,
-		dnssec;
+		dnssec,
+		nsid;   /*% Name Server ID (RFC 5001) */
 #ifdef DIG_SIGCHASE
 isc_boolean_t	sigchase;
 #if DIG_SIGCHASE_TD
- 	isc_boolean_t do_topdown,
-	        trace_root_sigchase,
-	        rdtype_sigchaseset,
-	        rdclass_sigchaseset;
+	isc_boolean_t do_topdown,
+		trace_root_sigchase,
+		rdtype_sigchaseset,
+		rdclass_sigchaseset;
 	/* Name we are going to validate RRset */
-  	char textnamesigchase[MXNAME];
+	char textnamesigchase[MXNAME];
 #endif
 #endif
-	
+
 	char textname[MXNAME]; /*% Name we're going to be looking up */
 	char cmdline[MXNAME];
 	dns_rdatatype_t rdtype;
 	dns_rdatatype_t qrdtype;
 #if DIG_SIGCHASE_TD
-        dns_rdatatype_t rdtype_sigchase;
-        dns_rdatatype_t qrdtype_sigchase;
-        dns_rdataclass_t rdclass_sigchase;
+	dns_rdatatype_t rdtype_sigchase;
+	dns_rdatatype_t qrdtype_sigchase;
+	dns_rdataclass_t rdclass_sigchase;
 #endif
 	dns_rdataclass_t rdclass;
 	isc_boolean_t rdtypeset;
@@ -231,7 +232,7 @@ struct dig_searchlist {
 };
 #ifdef DIG_SIGCHASE
 struct dig_message {
-	        dns_message_t *msg;
+		dns_message_t *msg;
 		ISC_LINK(dig_message_t) link;
 };
 #endif
@@ -249,7 +250,7 @@ extern dig_searchlistlist_t search_list;
 extern unsigned int extrabytes;
 
 extern isc_boolean_t check_ra, have_ipv4, have_ipv6, specified_source,
-        usesearch, showsearch, qr;
+	usesearch, showsearch, qr;
 extern in_port_t port;
 extern unsigned int timeout;
 extern isc_mem_t *mctx;
@@ -284,7 +285,7 @@ extern int idnoptions;
 /*
  * Routines in dighost.c.
  */
-void
+isc_result_t
 get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr);
 
 isc_result_t
diff --git a/bin/dig/nslookup.1 b/bin/dig/nslookup.1
index a453c2f..2d19534 100644
--- a/bin/dig/nslookup.1
+++ b/bin/dig/nslookup.1
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nslookup.1,v 1.1.10.14 2007/05/16 06:11:27 marka Exp $
+.\" $Id: nslookup.1,v 1.14 2007/05/16 06:12:01 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/dig/nslookup.c b/bin/dig/nslookup.c
index 3327c6e..5679626 100644
--- a/bin/dig/nslookup.c
+++ b/bin/dig/nslookup.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nslookup.c,v 1.101.18.15 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: nslookup.c,v 1.117.334.4 2009/05/06 11:41:57 fdupont Exp $ */
 
 #include <config.h>
 
@@ -26,6 +26,7 @@
 #include <isc/commandline.h>
 #include <isc/event.h>
 #include <isc/parseint.h>
+#include <isc/print.h>
 #include <isc/string.h>
 #include <isc/timer.h>
 #include <isc/util.h>
@@ -129,6 +130,23 @@ static const char *rtypetext[] = {
 static void flush_lookup_list(void);
 static void getinput(isc_task_t *task, isc_event_t *event);
 
+static char *
+rcode_totext(dns_rcode_t rcode)
+{
+	static char buf[sizeof("?65535")];
+	union {
+		const char *consttext;
+		char *deconsttext;
+	} totext;
+
+	if (rcode >= (sizeof(rcodetext)/sizeof(rcodetext[0]))) {
+		snprintf(buf, sizeof(buf), "?%u", rcode);
+		totext.deconsttext = buf;
+	} else
+		totext.consttext = rcodetext[rcode];
+	return totext.deconsttext;
+}
+
 void
 dighost_shutdown(void) {
 	isc_event_t *event = global_event;
@@ -385,14 +403,14 @@ trying(char *frm, dig_lookup_t *lookup) {
 
 isc_result_t
 printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
-	char servtext[ISC_SOCKADDR_FORMATSIZE];	
+	char servtext[ISC_SOCKADDR_FORMATSIZE];
 
 	debug("printmessage()");
 
 	isc_sockaddr_format(&query->sockaddr, servtext, sizeof(servtext));
 	printf("Server:\t\t%s\n", query->userarg);
 	printf("Address:\t%s\n", servtext);
-	
+
 	puts("");
 
 	if (!short_form) {
@@ -412,7 +430,7 @@ printmessage(dig_query_t *query, dns_message_t *msg, isc_boolean_t headers) {
 				nametext, sizeof(nametext));
 		printf("** server can't find %s: %s\n",
 		       (msg->rcode != dns_rcode_nxdomain) ? nametext :
-		       query->lookup->textname, rcodetext[msg->rcode]);
+		       query->lookup->textname, rcode_totext(msg->rcode));
 		debug("returning with rcode == 0");
 		return (ISC_R_SUCCESS);
 	}
@@ -441,13 +459,16 @@ show_settings(isc_boolean_t full, isc_boolean_t serv_only) {
 	dig_server_t *srv;
 	isc_sockaddr_t sockaddr;
 	dig_searchlist_t *listent;
+	isc_result_t result;
 
 	srv = ISC_LIST_HEAD(server_list);
 
 	while (srv != NULL) {
 		char sockstr[ISC_SOCKADDR_FORMATSIZE];
 
-		get_address(srv->servername, port, &sockaddr);
+		result = get_address(srv->servername, port, &sockaddr);
+		check_result(result, "get_address");
+
 		isc_sockaddr_format(&sockaddr, sockstr, sizeof(sockstr));
 		printf("Default server: %s\nAddress: %s\n",
 			srv->userarg, sockstr);
@@ -505,7 +526,7 @@ testclass(char *typetext) {
 	tr.base = typetext;
 	tr.length = strlen(typetext);
 	result = dns_rdataclass_fromtext(&rdclass, &tr);
-	if (result == ISC_R_SUCCESS) 
+	if (result == ISC_R_SUCCESS)
 		return (ISC_TRUE);
 	else {
 		printf("unknown query class: %s\n", typetext);
@@ -603,7 +624,7 @@ setoption(char *opt) {
 		set_timeout(&opt[8]);
 	} else if (strncasecmp(opt, "t=", 2) == 0) {
 		set_timeout(&opt[2]);
- 	} else if (strncasecmp(opt, "rec", 3) == 0) {
+	} else if (strncasecmp(opt, "rec", 3) == 0) {
 		recurse = ISC_TRUE;
 	} else if (strncasecmp(opt, "norec", 5) == 0) {
 		recurse = ISC_FALSE;
@@ -611,21 +632,21 @@ setoption(char *opt) {
 		set_tries(&opt[6]);
 	} else if (strncasecmp(opt, "ret=", 4) == 0) {
 		set_tries(&opt[4]);
- 	} else if (strncasecmp(opt, "def", 3) == 0) {
+	} else if (strncasecmp(opt, "def", 3) == 0) {
 		usesearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "nodef", 5) == 0) {
 		usesearch = ISC_FALSE;
- 	} else if (strncasecmp(opt, "vc", 3) == 0) {
+	} else if (strncasecmp(opt, "vc", 3) == 0) {
 		tcpmode = ISC_TRUE;
 	} else if (strncasecmp(opt, "novc", 5) == 0) {
 		tcpmode = ISC_FALSE;
- 	} else if (strncasecmp(opt, "deb", 3) == 0) {
+	} else if (strncasecmp(opt, "deb", 3) == 0) {
 		short_form = ISC_FALSE;
 		showsearch = ISC_TRUE;
 	} else if (strncasecmp(opt, "nodeb", 5) == 0) {
 		short_form = ISC_TRUE;
 		showsearch = ISC_FALSE;
- 	} else if (strncasecmp(opt, "d2", 2) == 0) {
+	} else if (strncasecmp(opt, "d2", 2) == 0) {
 		debugging = ISC_TRUE;
 	} else if (strncasecmp(opt, "nod2", 4) == 0) {
 		debugging = ISC_FALSE;
@@ -640,7 +661,7 @@ setoption(char *opt) {
 	} else if (strncasecmp(opt, "nofail", 3) == 0) {
 		nofail=ISC_TRUE;
 	} else {
-		printf("*** Invalid option: %s\n", opt);	
+		printf("*** Invalid option: %s\n", opt);
 	}
 }
 
diff --git a/bin/dig/nslookup.docbook b/bin/dig/nslookup.docbook
index dff5fa3..6c94809 100644
--- a/bin/dig/nslookup.docbook
+++ b/bin/dig/nslookup.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nslookup.docbook,v 1.4.2.13 2007/08/28 07:19:55 tbox Exp $ -->
+<!-- $Id: nslookup.docbook,v 1.16 2007/06/18 23:47:17 tbox Exp $ -->
 <!--
  - Copyright (c) 1985, 1989
  -    The Regents of the University of California.  All rights reserved.
diff --git a/bin/dig/nslookup.html b/bin/dig/nslookup.html
index 46ae43c..0f38176 100644
--- a/bin/dig/nslookup.html
+++ b/bin/dig/nslookup.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nslookup.html,v 1.1.10.21 2007/05/16 06:11:27 marka Exp $ -->
+<!-- $Id: nslookup.html,v 1.21 2007/05/16 06:12:01 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index b94dca7..d59a38fb 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.26.18.4 2005/05/02 00:26:11 marka Exp $
+# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -39,20 +39,32 @@ DEPLIBS =	${DNSDEPLIBS} ${ISCDEPLIBS}
 LIBS =		${DNSLIBS} ${ISCLIBS} @LIBS@
 
 # Alphabetically
-TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
+TARGETS =	dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
+		dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@
 
 OBJS =		dnssectool.@O@
 
-SRCS =		dnssec-keygen.c dnssec-signzone.c dnssectool.c
+SRCS =		dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \
+		dnssec-signzone.c dnssectool.c
 
-MANPAGES =	dnssec-keygen.8 dnssec-signzone.8
+MANPAGES =	dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \
+		dnssec-signzone.8
 
-HTMLPAGES =	dnssec-keygen.html dnssec-signzone.html
+HTMLPAGES =	dnssec-dsfromkey.html dnssec-keyfromlabel.html \
+		dnssec-keygen.html dnssec-signzone.html 
 
 MANOBJS =	${MANPAGES} ${HTMLPAGES}
 
 @BIND9_MAKE_RULES@
 
+dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-dsfromkey.@O@ ${OBJS} ${LIBS}
+
+dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
+	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
+	dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS}
+
 dnssec-keygen@EXEEXT@: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
 	${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \
 	dnssec-keygen.@O@ ${OBJS} ${LIBS}
diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8
new file mode 100644
index 0000000..4d4cbc9
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.8
@@ -0,0 +1,124 @@
+.\" Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-dsfromkey.8,v 1.5 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: dnssec\-dsfromkey
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: November 29, 2008
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-DSFROMKEY" "8" "November 29, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-dsfromkey \- DNSSEC DS RR generation tool
+.SH "SYNOPSIS"
+.HP 17
+\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
+.HP 17
+\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-dsfromkey\fR
+outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
+.SH "OPTIONS"
+.PP
+\-1
+.RS 4
+Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256).
+.RE
+.PP
+\-2
+.RS 4
+Use SHA\-256 as the digest algorithm.
+.RE
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Select the digest algorithm. The value of
+\fBalgorithm\fR
+must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-s
+.RS 4
+Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Specifies the DNS class (default is IN), useful only in the keyset mode.
+.RE
+.PP
+\-d \fIdirectory\fR
+.RS 4
+Look for
+\fIkeyset\fR
+files in
+\fBdirectory\fR
+as the directory, ignored when not in the keyset mode.
+.RE
+.SH "EXAMPLE"
+.PP
+To build the SHA\-256 DS RR from the
+\fBKexample.com.+003+26160\fR
+keyfile name, the following command would be issued:
+.PP
+\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fR
+.PP
+The command would print something like:
+.PP
+\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
+.SH "FILES"
+.PP
+The keyfile can be designed by the key identification
+\fIKnnnn.+aaa+iiiii\fR
+or the full file name
+\fIKnnnn.+aaa+iiiii.key\fR
+as generated by
+dnssec\-keygen(8).
+.PP
+The keyset file name is built from the
+\fBdirectory\fR, the string
+\fIkeyset\-\fR
+and the
+\fBdnsname\fR.
+.SH "CAVEAT"
+.PP
+A keyfile error can give a "file not found" even if the file exists.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 3658,
+RFC 4509.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c
new file mode 100644
index 0000000..653aa3e
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -0,0 +1,396 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-dsfromkey.c,v 1.2.14.3 2009/03/02 02:54:15 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/ds.h>
+#include <dns/fixedname.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatatype.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-dsfromkey";
+int verbose;
+
+static dns_rdataclass_t rdclass;
+static dns_fixedname_t  fixed;
+static dns_name_t       *name = NULL;
+static dns_db_t         *db = NULL;
+static dns_dbnode_t     *node = NULL;
+static dns_rdataset_t   keyset;
+static isc_mem_t        *mctx = NULL;
+
+static void
+loadkeys(char *dirname, char *setname)
+{
+	isc_result_t     result;
+	char             filename[1024];
+	isc_buffer_t     buf;
+
+	dns_rdataset_init(&keyset);
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+
+	isc_buffer_init(&buf, setname, strlen(setname));
+	isc_buffer_add(&buf, strlen(setname));
+	result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't convert DNS name %s", setname);
+
+	isc_buffer_init(&buf, filename, sizeof(filename));
+	if (dirname != NULL) {
+		isc_buffer_putstr(&buf, dirname);
+		if (dirname[strlen(dirname) - 1] != '/')
+			isc_buffer_putstr(&buf, "/");
+	}
+	isc_buffer_putstr(&buf, "keyset-");
+	result = dns_name_tofilenametext(name, ISC_FALSE, &buf);
+	check_result(result, "dns_name_tofilenametext()");
+	if (isc_buffer_availablelength(&buf) == 0)
+		fatal("name %s too long", setname);
+	isc_buffer_putuint8(&buf, 0);
+
+	result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone,
+			       rdclass, 0, NULL, &db);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't create database");
+
+	result = dns_db_load(db, filename);
+	if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE)
+		fatal("can't load %s: %s", filename, isc_result_totext(result));
+
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't find %s node in %s", setname, filename);
+
+	result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey,
+				     0, 0, &keyset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		fatal("no DNSKEY RR for %s in %s", setname, filename);
+	else if (result != ISC_R_SUCCESS)
+		fatal("dns_db_findrdataset");
+}
+
+static void
+loadkey(char *filename, unsigned char *key_buf, unsigned int key_buf_size,
+	dns_rdata_t *rdata)
+{
+	isc_result_t  result;
+	dst_key_t     *key = NULL;
+	isc_buffer_t  keyb;
+	isc_region_t  r;
+
+	dns_rdataset_init(&keyset);
+	dns_rdata_init(rdata);
+
+	isc_buffer_init(&keyb, key_buf, key_buf_size);
+
+	result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		fatal("invalid keyfile name %s: %s",
+		      filename, isc_result_totext(result));
+
+	if (verbose > 2) {
+		char keystr[KEY_FORMATSIZE];
+
+		key_format(key, keystr, sizeof(keystr));
+		fprintf(stderr, "%s: %s\n", program, keystr);
+	}
+
+	result = dst_key_todns(key, &keyb);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't decode key");
+
+	isc_buffer_usedregion(&keyb, &r);
+	dns_rdata_fromregion(rdata, dst_key_class(key),
+			     dns_rdatatype_dnskey, &r);
+
+	rdclass = dst_key_class(key);
+
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	result = dns_name_copy(dst_key_name(key), name, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't copy name");
+
+	dst_key_free(&key);
+}
+
+static void
+logkey(dns_rdata_t *rdata)
+{
+	isc_result_t result;
+	dst_key_t    *key = NULL;
+	isc_buffer_t buf;
+	char         keystr[KEY_FORMATSIZE];
+
+	isc_buffer_init(&buf, rdata->data, rdata->length);
+	isc_buffer_add(&buf, rdata->length);
+	result = dst_key_fromdns(name, rdclass, &buf, mctx, &key);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	key_format(key, keystr, sizeof(keystr));
+	fprintf(stderr, "%s: %s\n", program, keystr);
+
+	dst_key_free(&key);
+}
+
+static void
+emitds(unsigned int dtype, dns_rdata_t *rdata)
+{
+	isc_result_t   result;
+	unsigned char  buf[DNS_DS_BUFFERSIZE];
+	char           text_buf[DST_KEY_MAXTEXTSIZE];
+	char           class_buf[10];
+	isc_buffer_t   textb, classb;
+	isc_region_t   r;
+	dns_rdata_t    ds;
+
+	isc_buffer_init(&textb, text_buf, sizeof(text_buf));
+	isc_buffer_init(&classb, class_buf, sizeof(class_buf));
+
+	dns_rdata_init(&ds);
+
+	result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't build DS");
+
+	result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't print DS rdata");
+
+	result = dns_rdataclass_totext(rdclass, &classb);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't print DS class");
+
+	result = dns_name_print(name, stdout);
+	if (result != ISC_R_SUCCESS)
+		fatal("can't print DS name");
+
+	putchar(' ');
+
+	isc_buffer_usedregion(&classb, &r);
+	fwrite(r.base, 1, r.length, stdout);
+
+	printf(" DS ");
+
+	isc_buffer_usedregion(&textb, &r);
+	fwrite(r.base, 1, r.length, stdout);
+	putchar('\n');
+}
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr,	"    %s options keyfile\n\n", program);
+	fprintf(stderr, "    %s options [-c class] [-d dir] -s dnsname\n\n",
+		program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Options:\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -1: use SHA-1\n");
+	fprintf(stderr, "    -2: use SHA-256\n");
+	fprintf(stderr, "    -a algorithm: use algorithm\n");
+	fprintf(stderr, "Keyset options:\n");
+	fprintf(stderr, "    -s: keyset mode\n");
+	fprintf(stderr, "    -c class\n");
+	fprintf(stderr, "    -d directory\n");
+	fprintf(stderr, "Output: DS RRs\n");
+
+	exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+	char           *algname = NULL, *classname = NULL, *dirname = NULL;
+	char           *endp;
+	int            ch;
+	unsigned int   dtype = DNS_DSDIGEST_SHA1;
+	isc_boolean_t  both = ISC_TRUE;
+	isc_boolean_t  usekeyset = ISC_FALSE;
+	isc_result_t   result;
+	isc_log_t      *log = NULL;
+	isc_entropy_t  *ectx = NULL;
+	dns_rdata_t    rdata;
+
+	dns_rdata_init(&rdata);
+
+	if (argc == 1)
+		usage();
+
+	result = isc_mem_create(0, 0, &mctx);
+	if (result != ISC_R_SUCCESS)
+		fatal("out of memory");
+
+	dns_result_register();
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					   "12a:c:d:sv:h")) != -1) {
+		switch (ch) {
+		case '1':
+			dtype = DNS_DSDIGEST_SHA1;
+			both = ISC_FALSE;
+			break;
+		case '2':
+			dtype = DNS_DSDIGEST_SHA256;
+			both = ISC_FALSE;
+			break;
+		case 'a':
+			algname = isc_commandline_argument;
+			both = ISC_FALSE;
+			break;
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'd':
+			dirname = isc_commandline_argument;
+			break;
+		case 's':
+			usekeyset = ISC_TRUE;
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("-v must be followed by a number");
+			break;
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+			/* Falls into */
+		case 'h':
+			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (algname != NULL) {
+		if (strcasecmp(algname, "SHA1") == 0 ||
+		    strcasecmp(algname, "SHA-1") == 0)
+			dtype = DNS_DSDIGEST_SHA1;
+		else if (strcasecmp(algname, "SHA256") == 0 ||
+			 strcasecmp(algname, "SHA-256") == 0)
+			dtype = DNS_DSDIGEST_SHA256;
+		else
+			fatal("unknown algorithm %s", algname);
+	}
+
+	rdclass = strtoclass(classname);
+
+	if (argc < isc_commandline_index + 1)
+		fatal("the key file name was not specified");
+	if (argc > isc_commandline_index + 1)
+		fatal("extraneous arguments");
+
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
+	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize hash");
+	result = dst_lib_init(mctx, ectx,
+			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize dst");
+	isc_entropy_stopcallbacksources(ectx);
+
+	setup_logging(verbose, mctx, &log);
+
+	if (usekeyset) {
+		loadkeys(dirname, argv[isc_commandline_index]);
+
+		for (result = dns_rdataset_first(&keyset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&keyset)) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(&keyset, &rdata);
+
+			if (verbose > 2)
+				logkey(&rdata);
+
+			if (both) {
+				emitds(DNS_DSDIGEST_SHA1, &rdata);
+				emitds(DNS_DSDIGEST_SHA256, &rdata);
+			} else
+				emitds(dtype, &rdata);
+		}
+	} else {
+		unsigned char key_buf[DST_KEY_MAXSIZE];
+
+		loadkey(argv[isc_commandline_index], key_buf,
+			DST_KEY_MAXSIZE, &rdata);
+
+		if (both) {
+			emitds(DNS_DSDIGEST_SHA1, &rdata);
+			emitds(DNS_DSDIGEST_SHA256, &rdata);
+		} else
+			emitds(dtype, &rdata);
+	}
+
+	if (dns_rdataset_isassociated(&keyset))
+		dns_rdataset_disassociate(&keyset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (db != NULL)
+		dns_db_detach(&db);
+	cleanup_logging(&log);
+	dst_lib_destroy();
+	isc_hash_destroy();
+	cleanup_entropy(&ectx);
+	dns_name_destroy();
+	if (verbose > 10)
+		isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	fflush(stdout);
+	if (ferror(stdout)) {
+		fprintf(stderr, "write error\n");
+		return (1);
+	} else
+		return (0);
+}
diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook
new file mode 100644
index 0000000..c2c6b85
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -0,0 +1,214 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+               [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-dsfromkey">
+  <refentryinfo>
+    <date>November 29, 2008</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-dsfromkey</application></refname>
+    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2008</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>dnssec-dsfromkey</command>
+      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-1</option></arg>
+      <arg><option>-2</option></arg>
+      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg choice="req">keyfile</arg>
+    </cmdsynopsis>
+    <cmdsynopsis>
+      <command>dnssec-dsfromkey</command>
+      <arg choice="req">-s</arg>
+      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-1</option></arg>
+      <arg><option>-2</option></arg>
+      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
+      <arg choice="req">dnsname</arg>
+   </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>dnssec-dsfromkey</command>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>-1</term>
+        <listitem>
+          <para>
+            Use SHA-1 as the digest algorithm (the default is to use
+            both SHA-1 and SHA-256).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-2</term>
+        <listitem>
+          <para>
+            Use SHA-256 as the digest algorithm.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+        <listitem>
+          <para>
+            Select the digest algorithm. The value of
+            <option>algorithm</option> must be one of SHA-1 (SHA1) or
+            SHA-256 (SHA256). These values are case insensitive.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v <replaceable class="parameter">level</replaceable></term>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-s</term>
+        <listitem>
+          <para>
+            Keyset mode: in place of the keyfile name, the argument is
+            the DNS domain name of a keyset file. Following options make sense
+            only in this mode.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the DNS class (default is IN), useful only
+            in the keyset mode.
+          </para>
+	  </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-d <replaceable class="parameter">directory</replaceable></term>
+        <listitem>
+          <para>
+            Look for <filename>keyset</filename> files in
+            <option>directory</option> as the directory, ignored when
+            not in the keyset mode.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLE</title>
+    <para>
+      To build the SHA-256 DS RR from the
+      <userinput>Kexample.com.+003+26160</userinput>
+      keyfile name, the following command would be issued:
+    </para>
+    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
+    </para>
+    <para>
+      The command would print something like:
+    </para>
+    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+    <para>
+      The keyfile can be designed by the key identification
+      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
+      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
+      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
+    </para>
+    <para>
+      The keyset file name is built from the <option>directory</option>,
+      the string <filename>keyset-</filename> and the
+      <option>dnsname</option>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>CAVEAT</title>
+    <para>
+      A keyfile error can give a "file not found" even if the file exists.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 3658</citetitle>,
+      <citetitle>RFC 4509</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/dnssec/dnssec-dsfromkey.html b/bin/dnssec/dnssec-dsfromkey.html
new file mode 100644
index 0000000..72dfd3a
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.html
@@ -0,0 +1,133 @@
+<!--
+ - Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-dsfromkey.html,v 1.5 2008/11/08 01:11:47 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-dsfromkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543424"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543435"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-1</span></dt>
+<dd><p>
+            Use SHA-1 as the digest algorithm (the default is to use
+            both SHA-1 and SHA-256).
+          </p></dd>
+<dt><span class="term">-2</span></dt>
+<dd><p>
+            Use SHA-256 as the digest algorithm.
+          </p></dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+            Select the digest algorithm. The value of
+            <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
+            SHA-256 (SHA256). These values are case insensitive.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd><p>
+            Keyset mode: in place of the keyfile name, the argument is
+            the DNS domain name of a keyset file. Following options make sense
+            only in this mode.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class (default is IN), useful only
+            in the keyset mode.
+          </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Look for <code class="filename">keyset</code> files in
+            <code class="option">directory</code> as the directory, ignored when
+            not in the keyset mode.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543563"></a><h2>EXAMPLE</h2>
+<p>
+      To build the SHA-256 DS RR from the
+      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+      keyfile name, the following command would be issued:
+    </p>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+    </p>
+<p>
+      The command would print something like:
+    </p>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543593"></a><h2>FILES</h2>
+<p>
+      The keyfile can be designed by the key identification
+      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+      <span class="refentrytitle">dnssec-keygen</span>(8).
+    </p>
+<p>
+      The keyset file name is built from the <code class="option">directory</code>,
+      the string <code class="filename">keyset-</code> and the
+      <code class="option">dnsname</code>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543628"></a><h2>CAVEAT</h2>
+<p>
+      A keyfile error can give a "file not found" even if the file exists.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543638"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4509</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543674"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dnssec/dnssec-keyfromlabel.8 b/bin/dnssec/dnssec-keyfromlabel.8
new file mode 100644
index 0000000..6222058
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.8
@@ -0,0 +1,149 @@
+.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" 
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\" 
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-keyfromlabel.8,v 1.6 2008/11/08 01:11:47 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\"     Title: dnssec\-keyfromlabel
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: February 8, 2008
+.\"    Manual: BIND9
+.\"    Source: BIND9
+.\"
+.TH "DNSSEC\-KEYFROMLABEL" "8" "February 8, 2008" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-keyfromlabel \- DNSSEC key generation tool
+.SH "SYNOPSIS"
+.HP 20
+\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-keyfromlabel\fR
+gets keys with the given label from a crypto hardware and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). These values are case insensitive.
+.sp
+Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended.
+.sp
+Note 2: DH automatically sets the \-k flag.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Specifies the label of keys in the crypto hardware (PKCS#11 device).
+.RE
+.PP
+\-n \fInametype\fR
+.RS 4
+Specifies the owner type of the key. The value of
+\fBnametype\fR
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+.RE
+.PP
+\-c \fIclass\fR
+.RS 4
+Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
+.RE
+.PP
+\-f \fIflag\fR
+.RS 4
+Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fR.
+.RE
+.PP
+\-k
+.RS 4
+Generate KEY records rather than DNSKEY records.
+.RE
+.PP
+\-p \fIprotocol\fR
+.RS 4
+Sets the protocol value for the generated key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
+.RE
+.PP
+\-t \fItype\fR
+.RS 4
+Indicates the use of the key.
+\fBtype\fR
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.SH "GENERATED KEY FILES"
+.PP
+When
+\fBdnssec\-keyfromlabel\fR
+completes successfully, it prints a string of the form
+\fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for the key files it has generated.
+.TP 4
+\(bu
+\fInnnn\fR
+is the key name.
+.TP 4
+\(bu
+\fIaaa\fR
+is the numeric representation of the algorithm.
+.TP 4
+\(bu
+\fIiiiii\fR
+is the key identifier (or footprint).
+.PP
+\fBdnssec\-keyfromlabel\fR
+creates two files, with names based on the printed string.
+\fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR
+contains the private key.
+.PP
+The
+\fI.key\fR
+file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
+.PP
+The
+\fI.private\fR
+file contains algorithm specific fields. For obvious security reasons, this file does not have general read permission.
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 2539,
+RFC 2845,
+RFC 4033.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC")
+.br
diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c
new file mode 100644
index 0000000..e7587c3
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -0,0 +1,327 @@
+/*
+ * Copyright (C) 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-keyfromlabel.c,v 1.4 2008/09/24 02:46:21 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/mem.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+#include <dns/name.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/secalg.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+#define MAX_RSA 4096 /* should be long enough... */
+
+const char *program = "dnssec-keyfromlabel";
+int verbose;
+
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 |"
+			  " NSEC3DSA | NSEC3RSASHA1";
+
+static void
+usage(void) {
+	fprintf(stderr, "Usage:\n");
+	fprintf(stderr, "    %s -a alg -l label [options] name\n\n",
+		program);
+	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "Required options:\n");
+	fprintf(stderr, "    -a algorithm: %s\n", algs);
+	fprintf(stderr, "    -l label: label of the key\n");
+	fprintf(stderr, "    name: owner of the key\n");
+	fprintf(stderr, "Other options:\n");
+	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
+	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -f keyflag: KSK\n");
+	fprintf(stderr, "    -t <type>: "
+		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
+		"(default: AUTHCONF)\n");
+	fprintf(stderr, "    -p <protocol>: "
+	       "default: 3 [dnssec]\n");
+	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
+	fprintf(stderr, "Output:\n");
+	fprintf(stderr, "     K<name>+<alg>+<id>.key, "
+		"K<name>+<alg>+<id>.private\n");
+
+	exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+	char		*algname = NULL, *nametype = NULL, *type = NULL;
+	char		*classname = NULL;
+	char		*endp;
+	dst_key_t	*key = NULL, *oldkey;
+	dns_fixedname_t	fname;
+	dns_name_t	*name;
+	isc_uint16_t	flags = 0, ksk = 0;
+	dns_secalg_t	alg;
+	isc_boolean_t	null_key = ISC_FALSE;
+	isc_mem_t	*mctx = NULL;
+	int		ch;
+	int		protocol = -1, signatory = 0;
+	isc_result_t	ret;
+	isc_textregion_t r;
+	char		filename[255];
+	isc_buffer_t	buf;
+	isc_log_t	*log = NULL;
+	isc_entropy_t	*ectx = NULL;
+	dns_rdataclass_t rdclass;
+	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
+	char		*label = NULL;
+
+	if (argc == 1)
+		usage();
+
+	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+
+	dns_result_register();
+
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv,
+					 "a:c:f:kl:n:p:t:v:h")) != -1)
+	{
+	    switch (ch) {
+		case 'a':
+			algname = isc_commandline_argument;
+			break;
+		case 'c':
+			classname = isc_commandline_argument;
+			break;
+		case 'f':
+			if (strcasecmp(isc_commandline_argument, "KSK") == 0)
+				ksk = DNS_KEYFLAG_KSK;
+			else
+				fatal("unknown flag '%s'",
+				      isc_commandline_argument);
+			break;
+		case 'k':
+			options |= DST_TYPE_KEY;
+			break;
+		case 'l':
+			label = isc_commandline_argument;
+			break;
+		case 'n':
+			nametype = isc_commandline_argument;
+			break;
+		case 'p':
+			protocol = strtol(isc_commandline_argument, &endp, 10);
+			if (*endp != '\0' || protocol < 0 || protocol > 255)
+				fatal("-p must be followed by a number "
+				      "[0..255]");
+			break;
+		case 't':
+			type = isc_commandline_argument;
+			break;
+		case 'v':
+			verbose = strtol(isc_commandline_argument, &endp, 0);
+			if (*endp != '\0')
+				fatal("-v must be followed by a number");
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+		case 'h':
+			usage();
+
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+		}
+	}
+
+	if (ectx == NULL)
+		setup_entropy(mctx, NULL, &ectx);
+	ret = dst_lib_init(mctx, ectx,
+			   ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+	if (ret != ISC_R_SUCCESS)
+		fatal("could not initialize dst");
+
+	setup_logging(verbose, mctx, &log);
+
+	if (label == NULL)
+		fatal("the key label was not specified");
+	if (argc < isc_commandline_index + 1)
+		fatal("the key name was not specified");
+	if (argc > isc_commandline_index + 1)
+		fatal("extraneous arguments");
+
+	if (algname == NULL)
+		fatal("no algorithm was specified");
+	if (strcasecmp(algname, "RSA") == 0) {
+		fprintf(stderr, "The use of RSA (RSAMD5) is not recommended.\n"
+				"If you still wish to use RSA (RSAMD5) please "
+				"specify \"-a RSAMD5\"\n");
+		return (1);
+	} else {
+		r.base = algname;
+		r.length = strlen(algname);
+		ret = dns_secalg_fromtext(&alg, &r);
+		if (ret != ISC_R_SUCCESS)
+			fatal("unknown algorithm %s", algname);
+		if (alg == DST_ALG_DH)
+			options |= DST_TYPE_KEY;
+	}
+
+	if (type != NULL && (options & DST_TYPE_KEY) != 0) {
+		if (strcasecmp(type, "NOAUTH") == 0)
+			flags |= DNS_KEYTYPE_NOAUTH;
+		else if (strcasecmp(type, "NOCONF") == 0)
+			flags |= DNS_KEYTYPE_NOCONF;
+		else if (strcasecmp(type, "NOAUTHCONF") == 0) {
+			flags |= (DNS_KEYTYPE_NOAUTH | DNS_KEYTYPE_NOCONF);
+		}
+		else if (strcasecmp(type, "AUTHCONF") == 0)
+			/* nothing */;
+		else
+			fatal("invalid type %s", type);
+	}
+
+	if (nametype == NULL) {
+		if ((options & DST_TYPE_KEY) != 0) /* KEY */
+			fatal("no nametype specified");
+		flags |= DNS_KEYOWNER_ZONE;	/* DNSKEY */
+	} else if (strcasecmp(nametype, "zone") == 0)
+		flags |= DNS_KEYOWNER_ZONE;
+	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY */
+		if (strcasecmp(nametype, "host") == 0 ||
+			 strcasecmp(nametype, "entity") == 0)
+			flags |= DNS_KEYOWNER_ENTITY;
+		else if (strcasecmp(nametype, "user") == 0)
+			flags |= DNS_KEYOWNER_USER;
+		else
+			fatal("invalid KEY nametype %s", nametype);
+	} else if (strcasecmp(nametype, "other") != 0) /* DNSKEY */
+		fatal("invalid DNSKEY nametype %s", nametype);
+
+	rdclass = strtoclass(classname);
+
+	if ((options & DST_TYPE_KEY) != 0)  /* KEY */
+		flags |= signatory;
+	else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
+		flags |= ksk;
+
+	if (protocol == -1)
+		protocol = DNS_KEYPROTO_DNSSEC;
+	else if ((options & DST_TYPE_KEY) == 0 &&
+		 protocol != DNS_KEYPROTO_DNSSEC)
+		fatal("invalid DNSKEY protocol: %d", protocol);
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
+		if ((flags & DNS_KEYFLAG_SIGNATORYMASK) != 0)
+			fatal("specified null key with signing authority");
+	}
+
+	if ((flags & DNS_KEYFLAG_OWNERMASK) == DNS_KEYOWNER_ZONE &&
+	    alg == DNS_KEYALG_DH)
+		fatal("a key with algorithm '%s' cannot be a zone key",
+		      algname);
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	isc_buffer_init(&buf, argv[isc_commandline_index],
+			strlen(argv[isc_commandline_index]));
+	isc_buffer_add(&buf, strlen(argv[isc_commandline_index]));
+	ret = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL);
+	if (ret != ISC_R_SUCCESS)
+		fatal("invalid key name %s: %s", argv[isc_commandline_index],
+		      isc_result_totext(ret));
+
+	if ((flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
+		null_key = ISC_TRUE;
+
+	isc_buffer_init(&buf, filename, sizeof(filename) - 1);
+
+	/* associate the key */
+	ret = dst_key_fromlabel(name, alg, flags, protocol,
+				rdclass, "", label, NULL, mctx, &key);
+	isc_entropy_stopcallbacksources(ectx);
+
+	if (ret != ISC_R_SUCCESS) {
+		char namestr[DNS_NAME_FORMATSIZE];
+		char algstr[ALG_FORMATSIZE];
+		dns_name_format(name, namestr, sizeof(namestr));
+		alg_format(alg, algstr, sizeof(algstr));
+		fatal("failed to generate key %s/%s: %s\n",
+		      namestr, algstr, isc_result_totext(ret));
+		exit(-1);
+	}
+
+	/*
+	 * Try to read a key with the same name, alg and id from disk.
+	 * If there is one we must continue generating a new one
+	 * unless we were asked to generate a null key, in which
+	 * case we return failure.
+	 */
+	ret = dst_key_fromfile(name, dst_key_id(key), alg,
+			       DST_TYPE_PRIVATE, NULL, mctx, &oldkey);
+	/* do not overwrite an existing key  */
+	if (ret == ISC_R_SUCCESS) {
+		isc_buffer_clear(&buf);
+		ret = dst_key_buildfilename(key, 0, NULL, &buf);
+		fprintf(stderr, "%s: %s already exists\n",
+			program, filename);
+		dst_key_free(&key);
+		exit (1);
+	}
+
+	ret = dst_key_tofile(key, options, NULL);
+	if (ret != ISC_R_SUCCESS) {
+		char keystr[KEY_FORMATSIZE];
+		key_format(key, keystr, sizeof(keystr));
+		fatal("failed to write key %s: %s\n", keystr,
+		      isc_result_totext(ret));
+	}
+
+	isc_buffer_clear(&buf);
+	ret = dst_key_buildfilename(key, 0, NULL, &buf);
+	printf("%s\n", filename);
+	dst_key_free(&key);
+
+	cleanup_logging(&log);
+	cleanup_entropy(&ectx);
+	dst_lib_destroy();
+	dns_name_destroy();
+	if (verbose > 10)
+		isc_mem_stats(mctx, stdout);
+	isc_mem_destroy(&mctx);
+
+	return (0);
+}
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook
new file mode 100644
index 0000000..2bcf0a4
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.docbook
@@ -0,0 +1,265 @@
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+	       [<!ENTITY mdash "&#8212;">]>
+<!--
+ - Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
+<refentry id="man.dnssec-keyfromlabel">
+  <refentryinfo>
+    <date>February 8, 2008</date>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo>BIND9</refmiscinfo>
+  </refmeta>
+
+  <refnamediv>
+    <refname><application>dnssec-keyfromlabel</application></refname>
+    <refpurpose>DNSSEC key generation tool</refpurpose>
+  </refnamediv>
+
+  <docinfo>
+    <copyright>
+      <year>2008</year>
+      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+    </copyright>
+  </docinfo>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>dnssec-keyfromlabel</command>
+      <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+      <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
+      <arg><option>-k</option></arg>
+      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
+      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg choice="req">name</arg>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>DESCRIPTION</title>
+    <para><command>dnssec-keyfromlabel</command>
+      gets keys with the given label from a crypto hardware and builds
+      key files for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>OPTIONS</title>
+
+    <variablelist>
+      <varlistentry>
+        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+        <listitem>
+	  <para>
+	    Selects the cryptographic algorithm.  The value of
+	    <option>algorithm</option> must be one of RSAMD5 (RSA)
+	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	    These values are case insensitive.
+	  </para>
+          <para>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm, and DSA is recommended.
+          </para>
+          <para>
+            Note 2: DH automatically sets the -k flag.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-l <replaceable class="parameter">label</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the label of keys in the crypto hardware
+            (PKCS#11 device).
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-n <replaceable class="parameter">nametype</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the owner type of the key.  The value of
+            <option>nametype</option> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-c <replaceable class="parameter">class</replaceable></term>
+        <listitem>
+          <para>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-f <replaceable class="parameter">flag</replaceable></term>
+        <listitem>
+          <para>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-h</term>
+        <listitem>
+          <para>
+            Prints a short summary of the options and arguments to
+            <command>dnssec-keygen</command>.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-k</term>
+        <listitem>
+          <para>
+            Generate KEY records rather than DNSKEY records.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-p <replaceable class="parameter">protocol</replaceable></term>
+        <listitem>
+          <para>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-t <replaceable class="parameter">type</replaceable></term>
+        <listitem>
+          <para>
+            Indicates the use of the key.  <option>type</option> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-v <replaceable class="parameter">level</replaceable></term>
+        <listitem>
+          <para>
+            Sets the debugging level.
+          </para>
+        </listitem>
+      </varlistentry>
+
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>GENERATED KEY FILES</title>
+    <para>
+      When <command>dnssec-keyfromlabel</command> completes
+      successfully,
+      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+      to the standard output.  This is an identification string for
+      the key files it has generated.
+    </para>
+    <itemizedlist>
+      <listitem>
+        <para><filename>nnnn</filename> is the key name.
+        </para>
+      </listitem>
+      <listitem>
+        <para><filename>aaa</filename> is the numeric representation
+          of the
+          algorithm.
+        </para>
+      </listitem>
+      <listitem>
+        <para><filename>iiiii</filename> is the key identifier (or
+          footprint).
+        </para>
+      </listitem>
+    </itemizedlist>
+    <para><command>dnssec-keyfromlabel</command> 
+      creates two files, with names based
+      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
+      contains the public key, and
+      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
+      private
+      key.
+    </para>
+    <para>
+      The <filename>.key</filename> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </para>
+    <para>
+      The <filename>.private</filename> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>SEE ALSO</title>
+    <para><citerefentry>
+        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+      <citetitle>RFC 2539</citetitle>,
+      <citetitle>RFC 2845</citetitle>,
+      <citetitle>RFC 4033</citetitle>.
+    </para>
+  </refsect1>
+
+  <refsect1>
+    <title>AUTHOR</title>
+    <para><corpauthor>Internet Systems Consortium</corpauthor>
+    </para>
+  </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
diff --git a/bin/dnssec/dnssec-keyfromlabel.html b/bin/dnssec/dnssec-keyfromlabel.html
new file mode 100644
index 0000000..cbea64b
--- /dev/null
+++ b/bin/dnssec/dnssec-keyfromlabel.html
@@ -0,0 +1,171 @@
+<!--
+ - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-keyfromlabel.html,v 1.5 2008/10/15 01:11:35 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keyfromlabel</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543413"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+      gets keys with the given label from a crypto hardware and builds
+      key files for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543425"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+	    Selects the cryptographic algorithm.  The value of
+	    <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
+	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	    These values are case insensitive.
+	  </p>
+<p>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm, and DSA is recommended.
+          </p>
+<p>
+            Note 2: DH automatically sets the -k flag.
+          </p>
+</dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+            Specifies the label of keys in the crypto hardware
+            (PKCS#11 device).
+          </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+            Specifies the owner type of the key.  The value of
+            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-keygen</strong></span>.
+          </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+            Generate KEY records rather than DNSKEY records.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+            Indicates the use of the key.  <code class="option">type</code> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
+<p>
+      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key files it has generated.
+    </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+        </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+          of the
+          algorithm.
+        </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+          footprint).
+        </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span> 
+      creates two files, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
+    </p>
+<p>
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </p>
+<p>
+      The <code class="filename">.private</code> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543691"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2539</em>,
+      <em class="citetitle">RFC 2845</em>,
+      <em class="citetitle">RFC 4033</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543731"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div></body>
+</html>
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index e667ba9..13db3d9 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-keygen.8,v 1.23.18.16 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-keygen.8,v 1.40 2008/10/15 01:11:35 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -44,7 +44,7 @@ generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It
 .RS 4
 Selects the cryptographic algorithm. The value of
 \fBalgorithm\fR
-must be one of RSAMD5 (RSA) or RSASHA1, DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
+must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive.
 .sp
 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
 .sp
@@ -60,7 +60,7 @@ Specifies the number of bits in the key. The choice of key size depends on the a
 .RS 4
 Specifies the owner type of the key. The value of
 \fBnametype\fR
-must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive.
+must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
 .RE
 .PP
 \-c \fIclass\fR
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 0b57f6d..614d388 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.66.18.10 2007/08/28 07:19:55 tbox Exp $ */
+/* $Id: dnssec-keygen.c,v 1.81 2008/09/25 04:02:38 tbox Exp $ */
 
 /*! \file */
 
@@ -49,8 +62,9 @@
 const char *program = "dnssec-keygen";
 int verbose;
 
-static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5 |"
-			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | "
+static const char *algs = "RSA | RSAMD5 | DH | DSA | RSASHA1 | NSEC3DSA |"
+			  " NSEC3RSASHA1 | HMAC-MD5 |"
+			  " HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |"
 			  " HMAC-SHA384 | HMAC-SHA512";
 
 static isc_boolean_t
@@ -61,7 +75,7 @@ dsa_size_ok(int size) {
 static void
 usage(void) {
 	fprintf(stderr, "Usage:\n");
-	fprintf(stderr, "    %s -a alg -b bits -n type [options] name\n\n",
+	fprintf(stderr, "    %s -a alg -b bits [-n type] [options] name\n\n",
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Required options:\n");
@@ -69,8 +83,10 @@ usage(void) {
 	fprintf(stderr, "    -b key size, in bits:\n");
 	fprintf(stderr, "        RSAMD5:\t\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "        RSASHA1:\t\t[512..%d]\n", MAX_RSA);
+	fprintf(stderr, "        NSEC3RSASHA1:\t\t[512..%d]\n", MAX_RSA);
 	fprintf(stderr, "        DH:\t\t[128..4096]\n");
 	fprintf(stderr, "        DSA:\t\t[512..1024] and divisible by 64\n");
+	fprintf(stderr, "        NSEC3DSA:\t\t[512..1024] and divisible by 64\n");
 	fprintf(stderr, "        HMAC-MD5:\t[1..512]\n");
 	fprintf(stderr, "        HMAC-SHA1:\t[1..160]\n");
 	fprintf(stderr, "        HMAC-SHA224:\t[1..224]\n");
@@ -78,6 +94,7 @@ usage(void) {
 	fprintf(stderr, "        HMAC-SHA384:\t[1..384]\n");
 	fprintf(stderr, "        HMAC-SHA512:\t[1..512]\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
+	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
 	fprintf(stderr, "    -c <class> (default: IN)\n");
@@ -134,8 +151,10 @@ main(int argc, char **argv) {
 
 	dns_result_register();
 
+	isc_commandline_errprint = ISC_FALSE;
+
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
+					 "a:b:c:d:ef:g:kn:t:p:s:r:v:h")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -202,12 +221,17 @@ main(int argc, char **argv) {
 				fatal("-v must be followed by a number");
 			break;
 
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
 		case 'h':
 			usage();
+
 		default:
-			fprintf(stderr, "%s: invalid argument -%c\n",
-				program, ch);
-			usage();
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
@@ -282,6 +306,7 @@ main(int argc, char **argv) {
 	switch (alg) {
 	case DNS_KEYALG_RSAMD5:
 	case DNS_KEYALG_RSASHA1:
+	case DNS_KEYALG_NSEC3RSASHA1:
 		if (size != 0 && (size < 512 || size > MAX_RSA))
 			fatal("RSA key size %d out of range", size);
 		break;
@@ -290,6 +315,7 @@ main(int argc, char **argv) {
 			fatal("DH key size %d out of range", size);
 		break;
 	case DNS_KEYALG_DSA:
+	case DNS_KEYALG_NSEC3DSA:
 		if (size != 0 && !dsa_size_ok(size))
 			fatal("invalid DSS key size: %d", size);
 		break;
@@ -349,18 +375,20 @@ main(int argc, char **argv) {
 		break;
 	}
 
-	if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1) &&
-	    rsa_exp != 0)
+	if (!(alg == DNS_KEYALG_RSAMD5 || alg == DNS_KEYALG_RSASHA1 ||
+	      alg == DNS_KEYALG_NSEC3RSASHA1) && rsa_exp != 0)
 		fatal("specified RSA exponent for a non-RSA key");
 
 	if (alg != DNS_KEYALG_DH && generator != 0)
 		fatal("specified DH generator for a non-DH key");
 
-	if (nametype == NULL)
-		fatal("no nametype specified");
-	if (strcasecmp(nametype, "zone") == 0)
+	if (nametype == NULL) {
+		if ((options & DST_TYPE_KEY) != 0) /* KEY / HMAC */
+			fatal("no nametype specified");
+		flags |= DNS_KEYOWNER_ZONE;	/* DNSKEY */
+	} else if (strcasecmp(nametype, "zone") == 0)
 		flags |= DNS_KEYOWNER_ZONE;
-	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY */
+	else if ((options & DST_TYPE_KEY) != 0)	{ /* KEY / HMAC */
 		if (strcasecmp(nametype, "host") == 0 ||
 			 strcasecmp(nametype, "entity") == 0)
 			flags |= DNS_KEYOWNER_ENTITY;
@@ -373,7 +401,7 @@ main(int argc, char **argv) {
 
 	rdclass = strtoclass(classname);
 
-	if ((options & DST_TYPE_KEY) != 0)  /* KEY */
+	if ((options & DST_TYPE_KEY) != 0)  /* KEY / HMAC */
 		flags |= signatory;
 	else if ((flags & DNS_KEYOWNER_ZONE) != 0) /* DNSKEY */
 		flags |= ksk;
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index ec7b69b..c267a1b 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.7.18.13 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.22 2008/10/14 14:32:50 jreed Exp $ -->
 <refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -92,13 +92,13 @@
           <para>
             Selects the cryptographic algorithm.  The value of
             <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
-            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-            are case insensitive.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+	    These values are case insensitive.
           </para>
           <para>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm,
-            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
+	    mandatory.
           </para>
           <para>
             Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -130,8 +130,8 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.  Defaults to ZONE for DNSKEY
+	    generation.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
index e0b0bfe..696ef88 100644
--- a/bin/dnssec/dnssec-keygen.html
+++ b/bin/dnssec/dnssec-keygen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-keygen.html,v 1.9.18.22 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,13 +47,13 @@
 <p>
             Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
-            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-            are case insensitive.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+	    These values are case insensitive.
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm,
-            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
+	    mandatory.
           </p>
 <p>
             Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -76,8 +76,8 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.  Defaults to ZONE for DNSKEY
+	    generation.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 680960a..ca0ed36 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: dnssec-signzone.8,v 1.28.18.19 2008/10/16 01:29:40 tbox Exp $
+.\" $Id: dnssec-signzone.8,v 1.47 2008/10/15 01:11:35 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 dnssec\-signzone \- DNSSEC zone signing tool
 .SH "SYNOPSIS"
 .HP 16
-\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {zonefile} [key...]
+\fBdnssec\-signzone\fR [\fB\-a\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdirectory\fR\fR] [\fB\-e\ \fR\fB\fIend\-time\fR\fR] [\fB\-f\ \fR\fB\fIoutput\-file\fR\fR] [\fB\-g\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkey\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-I\ \fR\fB\fIinput\-format\fR\fR] [\fB\-j\ \fR\fB\fIjitter\fR\fR] [\fB\-N\ \fR\fB\fIsoa\-serial\-format\fR\fR] [\fB\-o\ \fR\fB\fIorigin\fR\fR] [\fB\-O\ \fR\fB\fIoutput\-format\fR\fR] [\fB\-p\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstart\-time\fR\fR] [\fB\-t\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] [\fB\-3\ \fR\fB\fIsalt\fR\fR] [\fB\-H\ \fR\fB\fIiterations\fR\fR] [\fB\-A\fR] {zonefile} [key...]
 .SH "DESCRIPTION"
 .PP
 \fBdnssec\-signzone\fR
@@ -212,6 +212,21 @@ Sets the debugging level.
 Ignore KSK flag on key when determining what to sign.
 .RE
 .PP
+\-3 \fIsalt\fR
+.RS 4
+Generate a NSEC3 chain with the given hex encoded salt. A dash (\fIsalt\fR) can be used to indicate that no salt is to be used when generating the NSEC3 chain.
+.RE
+.PP
+\-H \fIiterations\fR
+.RS 4
+When generating a NSEC3 chain use this many interations. The default is 100.
+.RE
+.PP
+\-A
+.RS 4
+When generating a NSEC3 chain set the OPTOUT flag on all NSEC3 records and do not generate NSEC3 records for insecure delegations.
+.RE
+.PP
 zonefile
 .RS 4
 The file containing the zone to be signed.
diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c
index 9b49169..1da280f 100644
--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.177.18.26 2008/06/02 23:46:01 tbox Exp $ */
+/* $Id: dnssec-signzone.c,v 1.209.12.3 2009/01/18 23:25:15 marka Exp $ */
 
 /*! \file */
 
@@ -26,11 +39,13 @@
 #include <time.h>
 
 #include <isc/app.h>
+#include <isc/base32.h>
 #include <isc/commandline.h>
 #include <isc/entropy.h>
 #include <isc/event.h>
 #include <isc/file.h>
 #include <isc/hash.h>
+#include <isc/hex.h>
 #include <isc/mem.h>
 #include <isc/mutex.h>
 #include <isc/os.h>
@@ -38,10 +53,11 @@
 #include <isc/random.h>
 #include <isc/serial.h>
 #include <isc/stdio.h>
+#include <isc/stdlib.h>
 #include <isc/string.h>
 #include <isc/task.h>
-#include <isc/util.h>
 #include <isc/time.h>
+#include <isc/util.h>
 
 #include <dns/db.h>
 #include <dns/dbiterator.h>
@@ -54,7 +70,9 @@
 #include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/rdata.h>
+#include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatasetiter.h>
@@ -71,6 +89,13 @@
 const char *program = "dnssec-signzone";
 int verbose;
 
+typedef struct hashlist hashlist_t;
+
+static int nsec_datatype = dns_rdatatype_nsec;
+
+#define IS_NSEC3	(nsec_datatype == dns_rdatatype_nsec3)
+#define OPTOUT(x)	(((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+
 #define BUFSIZE 2048
 #define MAXDSKEYS 8
 
@@ -125,6 +150,7 @@ static dns_dbversion_t *gversion;	/* The database version */
 static dns_dbiterator_t *gdbiter;	/* The database iterator */
 static dns_rdataclass_t gclass;		/* The class */
 static dns_name_t *gorigin;		/* The database origin */
+static int nsec3flags = 0;
 static isc_task_t *master = NULL;
 static unsigned int ntasks = 0;
 static isc_boolean_t shuttingdown = ISC_FALSE, finished = ISC_FALSE;
@@ -136,6 +162,8 @@ static dns_name_t *dlv = NULL;
 static dns_fixedname_t dlv_fixed;
 static dns_master_style_t *dsstyle = NULL;
 static unsigned int serialformat = SOA_SERIAL_KEEP;
+static unsigned int hash_length = 0;
+static isc_boolean_t unknownalg = ISC_FALSE;
 
 #define INCSTAT(counter)		\
 	if (printstats) {		\
@@ -147,19 +175,8 @@ static unsigned int serialformat = SOA_SERIAL_KEEP;
 static void
 sign(isc_task_t *task, isc_event_t *event);
 
-
-static inline void
-set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
-	unsigned int shift, mask;
-
-	shift = 7 - (index % 8);
-	mask = 1 << shift;
-
-	if (bit != 0)
-		array[index / 8] |= mask;
-	else
-		array[index / 8] &= (~mask & 0xFF);
-}
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node);
 
 static void
 dumpnode(dns_name_t *name, dns_dbnode_t *node) {
@@ -549,6 +566,169 @@ signset(dns_diff_t *del, dns_diff_t *add, dns_dbnode_t *node, dns_name_t *name,
 	isc_mem_put(mctx, nowsignedby, arraysize * sizeof(isc_boolean_t));
 }
 
+struct hashlist {
+	unsigned char *hashbuf;
+	size_t entries;
+	size_t size;
+	size_t length;
+};
+
+static void
+hashlist_init(hashlist_t *l, unsigned int nodes, unsigned int length) {
+
+	l->entries = 0;
+	l->length = length + 1;
+
+	if (nodes != 0) {
+		l->size = nodes;
+		l->hashbuf = malloc(l->size * l->length);
+		if (l->hashbuf == NULL)
+			l->size = 0;
+	} else {
+		l->size = 0;
+		l->hashbuf = NULL;
+	}
+}
+
+static void
+hashlist_add(hashlist_t *l, const unsigned char *hash, size_t len)
+{
+
+	REQUIRE(len <= l->length);
+
+	if (l->entries == l->size) {
+		l->size = l->size * 2 + 100;
+		l->hashbuf = realloc(l->hashbuf, l->size * l->length);
+	}
+	memset(l->hashbuf + l->entries * l->length, 0, l->length);
+	memcpy(l->hashbuf + l->entries * l->length, hash, len);
+	l->entries++;
+}
+
+static void
+hashlist_add_dns_name(hashlist_t *l, /*const*/ dns_name_t *name,
+		      unsigned int hashalg, unsigned int iterations,
+		      const unsigned char *salt, size_t salt_length,
+		      isc_boolean_t speculative)
+{
+	char nametext[DNS_NAME_FORMATSIZE];
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+	unsigned int len;
+	size_t i;
+
+	len = isc_iterated_hash(hash, hashalg, iterations, salt, salt_length,
+				name->ndata, name->length);
+	if (verbose) {
+		dns_name_format(name, nametext, sizeof nametext);
+		for (i = 0 ; i < len; i++)
+			fprintf(stderr, "%02x", hash[i]);
+		fprintf(stderr, " %s\n", nametext);
+	}
+	hash[len++] = speculative ? 1 : 0;
+	hashlist_add(l, hash, len);
+}
+
+static int
+hashlist_comp(const void *a, const void *b) {
+	return (memcmp(a, b, hash_length + 1));
+}
+
+static void
+hashlist_sort(hashlist_t *l) {
+	qsort(l->hashbuf, l->entries, l->length, hashlist_comp);
+}
+
+static isc_boolean_t
+hashlist_hasdup(hashlist_t *l) {
+	unsigned char *current;
+	unsigned char *next = l->hashbuf;
+	size_t entries = l->entries;
+
+	/*
+	 * Skip initial speculative wild card hashs.
+	 */
+	while (entries > 0U && next[l->length-1] != 0U) {
+		next += l->length;
+		entries--;
+	}
+
+	current = next;
+	while (entries-- > 1U) {
+		next += l->length;
+		if (next[l->length-1] != 0)
+			continue;
+		if (memcmp(current, next, l->length - 1) == 0)
+			return (ISC_TRUE);
+		current = next;
+	}
+	return (ISC_FALSE);
+}
+
+static const unsigned char *
+hashlist_findnext(const hashlist_t *l,
+		  const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+	unsigned int entries = l->entries;
+	const unsigned char *next = bsearch(hash, l->hashbuf, l->entries,
+					    l->length, hashlist_comp);
+	INSIST(next != NULL);
+
+	do {
+		if (next < l->hashbuf + (l->entries - 1) * l->length)
+			next += l->length;
+		else
+			next = l->hashbuf;
+		if (next[l->length - 1] == 0)
+			break;
+	} while (entries-- > 1);
+	INSIST(entries != 0);
+	return (next);
+}
+
+static isc_boolean_t
+hashlist_exists(const hashlist_t *l,
+		const unsigned char hash[NSEC3_MAX_HASH_LENGTH])
+{
+	if (bsearch(hash, l->hashbuf, l->entries, l->length, hashlist_comp))
+		return (ISC_TRUE);
+	else
+		return (ISC_FALSE);
+}
+
+static void
+addnowildcardhash(hashlist_t *l, /*const*/ dns_name_t *name,
+		  unsigned int hashalg, unsigned int iterations,
+		  const unsigned char *salt, size_t salt_length)
+{
+	dns_fixedname_t fixed;
+	dns_name_t *wild;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+	char namestr[DNS_NAME_FORMATSIZE];
+
+	dns_fixedname_init(&fixed);
+	wild = dns_fixedname_name(&fixed);
+
+	result = dns_name_concatenate(dns_wildcardname, name, wild, NULL);
+	if (result == ISC_R_NOSPACE)
+		return;
+	check_result(result,"addnowildcardhash: dns_name_concatenate()");
+
+	result = dns_db_findnode(gdb, wild, ISC_FALSE, &node);
+	if (result == ISC_R_SUCCESS) {
+		dns_db_detachnode(gdb, &node);
+		return;
+	}
+
+	if (verbose) {
+		dns_name_format(wild, namestr, sizeof(namestr));
+		fprintf(stderr, "adding no-wildcardhash for %s\n", namestr);
+	}
+
+	hashlist_add_dns_name(l, wild, hashalg, iterations, salt, salt_length,
+			      ISC_TRUE);
+}
+
 static void
 opendb(const char *prefix, dns_name_t *name, dns_rdataclass_t rdclass,
        dns_db_t **dbp)
@@ -665,91 +845,6 @@ loadds(dns_name_t *name, isc_uint32_t ttl, dns_rdataset_t *dsset) {
 }
 
 static isc_boolean_t
-nsec_setbit(dns_name_t *name, dns_rdataset_t *rdataset, dns_rdatatype_t type,
-	   unsigned int val)
-{
-	isc_result_t result;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
-	dns_rdata_nsec_t nsec;
-	unsigned int newlen;
-	unsigned char bitmap[8192 + 512];
-	unsigned char nsecdata[8192 + 512 + DNS_NAME_MAXWIRE];
-	isc_boolean_t answer = ISC_FALSE;
-	unsigned int i, len, window;
-	int octet;
-
-	result = dns_rdataset_first(rdataset);
-	check_result(result, "dns_rdataset_first()");
-	dns_rdataset_current(rdataset, &rdata);
-	result = dns_rdata_tostruct(&rdata, &nsec, NULL);
-	check_result(result, "dns_rdata_tostruct");
-
-	INSIST(nsec.len <= sizeof(bitmap));
-
-	newlen = 0;
-
-	memset(bitmap, 0, sizeof(bitmap));
-	for (i = 0; i < nsec.len; i += len) {
-		INSIST(i + 2 <= nsec.len);
-		window = nsec.typebits[i];
-		len = nsec.typebits[i+1];
-		i += 2;
-		INSIST(len > 0 && len <= 32);
-		INSIST(i + len <= nsec.len);
-		memmove(&bitmap[window * 32 + 512], &nsec.typebits[i], len);
-	}
-	set_bit(bitmap + 512, type, val);
-	for (window = 0; window < 256; window++) {
-		for (octet = 31; octet >= 0; octet--)
-			if (bitmap[window * 32 + 512 + octet] != 0)
-				break;
-		if (octet < 0)
-			continue;
-		bitmap[newlen] = window;
-		bitmap[newlen + 1] = octet + 1;
-		newlen += 2;
-		/*
-		 * Overlapping move.
-		 */
-		memmove(&bitmap[newlen], &bitmap[window * 32 + 512], octet + 1);
-		newlen += octet + 1;
-	}
-	if (newlen != nsec.len ||
-	    memcmp(nsec.typebits, bitmap, newlen) != 0) {
-		dns_rdata_t newrdata = DNS_RDATA_INIT;
-		isc_buffer_t b;
-		dns_diff_t diff;
-		dns_difftuple_t *tuple = NULL;
-
-		dns_diff_init(mctx, &diff);
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_DEL, name,
-					      rdataset->ttl, &rdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-
-		nsec.typebits = bitmap;
-		nsec.len = newlen;
-		isc_buffer_init(&b, nsecdata, sizeof(nsecdata));
-		result = dns_rdata_fromstruct(&newrdata, rdata.rdclass,
-					      dns_rdatatype_nsec, &nsec,
-					      &b);
-		check_result(result, "dns_rdata_fromstruct");
-
-		result = dns_difftuple_create(mctx, DNS_DIFFOP_ADD,
-					      name, rdataset->ttl,
-					      &newrdata, &tuple);
-		check_result(result, "dns_difftuple_create");
-		dns_diff_append(&diff, &tuple);
-		result = dns_diff_apply(&diff, gdb, gversion);
-		check_result(result, "dns_difftuple_apply");
-		dns_diff_clear(&diff);
-		answer = ISC_TRUE;
-	}
-	dns_rdata_freestruct(&nsec);
-	return (answer);
-}
-
-static isc_boolean_t
 delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 	dns_rdataset_t nsset;
 	isc_result_t result;
@@ -769,10 +864,25 @@ delegation(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t *ttlp) {
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
 
+static isc_boolean_t
+secure(dns_name_t *name, dns_dbnode_t *node) {
+	dns_rdataset_t dsset;
+	isc_result_t result;
+
+	if (dns_name_equal(name, gorigin))
+		return (ISC_FALSE);
+
+	dns_rdataset_init(&dsset);
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_ds,
+				     0, 0, &dsset, NULL);
+	if (dns_rdataset_isassociated(&dsset))
+		dns_rdataset_disassociate(&dsset);
+
+	return (ISC_TF(result == ISC_R_SUCCESS));
+}
+
 /*%
- * Signs all records at a name.  This mostly just signs each set individually,
- * but also adds the RRSIG bit to any NSECs generated earlier, deals with
- * parent/child KEY signatures, and handles other exceptional cases.
+ * Signs all records at a name.
  */
 static void
 signname(dns_dbnode_t *node, dns_name_t *name) {
@@ -780,89 +890,19 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 	dns_rdataset_t rdataset;
 	dns_rdatasetiter_t *rdsiter;
 	isc_boolean_t isdelegation = ISC_FALSE;
-	isc_boolean_t hasds = ISC_FALSE;
-	isc_boolean_t changed = ISC_FALSE;
 	dns_diff_t del, add;
 	char namestr[DNS_NAME_FORMATSIZE];
-	isc_uint32_t nsttl = 0;
 
+	dns_rdataset_init(&rdataset);
 	dns_name_format(name, namestr, sizeof(namestr));
 
 	/*
 	 * Determine if this is a delegation point.
 	 */
-	if (delegation(name, node, &nsttl))
+	if (delegation(name, node, NULL))
 		isdelegation = ISC_TRUE;
 
 	/*
-	 * If this is a delegation point, look for a DS set.
-	 */
-	if (isdelegation) {
-		dns_rdataset_t dsset;
-		dns_rdataset_t sigdsset;
-
-		dns_rdataset_init(&dsset);
-		dns_rdataset_init(&sigdsset);
-		result = dns_db_findrdataset(gdb, node, gversion,
-					     dns_rdatatype_ds,
-					     0, 0, &dsset, &sigdsset);
-		if (result == ISC_R_SUCCESS) {
-			dns_rdataset_disassociate(&dsset);
-			if (generateds) {
-				result = dns_db_deleterdataset(gdb, node,
-							       gversion,
-							       dns_rdatatype_ds,
-							       0);
-				check_result(result, "dns_db_deleterdataset");
-			} else
-				hasds = ISC_TRUE;
-		}
-		if (generateds) {
-			result = loadds(name, nsttl, &dsset);
-			if (result == ISC_R_SUCCESS) {
-				result = dns_db_addrdataset(gdb, node,
-							    gversion, 0,
-							    &dsset, 0, NULL);
-				check_result(result, "dns_db_addrdataset");
-				hasds = ISC_TRUE;
-				dns_rdataset_disassociate(&dsset);
-				if (dns_rdataset_isassociated(&sigdsset))
-					dns_rdataset_disassociate(&sigdsset);
-			} else if (dns_rdataset_isassociated(&sigdsset)) {
-				result = dns_db_deleterdataset(gdb, node,
-							    gversion,
-							    dns_rdatatype_rrsig,
-							    dns_rdatatype_ds);
-				check_result(result, "dns_db_deleterdataset");
-				dns_rdataset_disassociate(&sigdsset);
-			}
-		} else if (dns_rdataset_isassociated(&sigdsset))
-			dns_rdataset_disassociate(&sigdsset);
-	}
-
-	/*
-	 * Make sure that NSEC bits are appropriately set.
-	 */
-	dns_rdataset_init(&rdataset);
-	RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
-					  dns_rdatatype_nsec, 0, 0, &rdataset,
-					  NULL) == ISC_R_SUCCESS);
-	if (!nokeys)
-		changed = nsec_setbit(name, &rdataset, dns_rdatatype_rrsig, 1);
-	if (changed) {
-		dns_rdataset_disassociate(&rdataset);
-		RUNTIME_CHECK(dns_db_findrdataset(gdb, node, gversion,
-						  dns_rdatatype_nsec, 0, 0,
-						  &rdataset,
-						  NULL) == ISC_R_SUCCESS);
-	}
-	if (hasds)
-		(void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 1);
-	else
-		(void)nsec_setbit(name, &rdataset, dns_rdatatype_ds, 0);
-	dns_rdataset_disassociate(&rdataset);
-
-	/*
 	 * Now iterate through the rdatasets.
 	 */
 	dns_diff_init(mctx, &del);
@@ -884,7 +924,7 @@ signname(dns_dbnode_t *node, dns_name_t *name) {
 		 * isn't a DS record.
 		 */
 		if (isdelegation) {
-			if (rdataset.type != dns_rdatatype_nsec &&
+			if (rdataset.type != nsec_datatype &&
 			    rdataset.type != dns_rdatatype_ds)
 				goto skip;
 		} else if (rdataset.type == dns_rdatatype_ds) {
@@ -938,6 +978,7 @@ active_node(dns_dbnode_t *node) {
 	while (result == ISC_R_SUCCESS) {
 		dns_rdatasetiter_current(rdsiter, &rdataset);
 		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
 		    rdataset.type != dns_rdatatype_rrsig)
 			active = ISC_TRUE;
 		dns_rdataset_disassociate(&rdataset);
@@ -950,7 +991,7 @@ active_node(dns_dbnode_t *node) {
 		fatal("rdataset iteration failed: %s",
 		      isc_result_totext(result));
 
-	if (!active) {
+	if (!active && nsec_datatype == dns_rdatatype_nsec) {
 		/*%
 		 * The node is empty of everything but NSEC / RRSIG records.
 		 */
@@ -1009,6 +1050,32 @@ active_node(dns_dbnode_t *node) {
 			fatal("rdataset iteration failed: %s",
 			      isc_result_totext(result));
 		dns_rdatasetiter_destroy(&rdsiter2);
+
+#if 0
+		/*
+		 * Delete all NSEC records and RRSIG(NSEC) if we are in
+		 * NSEC3 mode and vica versa.
+		 */
+		for (result = dns_rdatasetiter_first(rdsiter2);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(rdsiter2)) {
+			dns_rdatasetiter_current(rdsiter, &rdataset);
+			type = rdataset.type;
+			covers = rdataset.covers;
+			if (type == dns_rdatatype_rrsig)
+				type = covers;
+			dns_rdataset_disassociate(&rdataset);
+			if (type == nsec_datatype ||
+			    (type != dns_rdatatype_nsec &&
+			     type != dns_rdatatype_nsec3))
+				continue;
+			if (covers != 0)
+				type = dns_rdatatype_rrsig;
+			result = dns_db_deleterdataset(gdb, node, gversion,
+						       type, covers);
+			check_result(result, "dns_db_deleterdataset()");
+		}
+#endif
 	}
 	dns_rdatasetiter_destroy(&rdsiter);
 
@@ -1169,11 +1236,8 @@ presign(void) {
 	isc_result_t result;
 
 	gdbiter = NULL;
-	result = dns_db_createiterator(gdb, ISC_FALSE, &gdbiter);
+	result = dns_db_createiterator(gdb, 0, &gdbiter);
 	check_result(result, "dns_db_createiterator()");
-
-	result = dns_dbiterator_first(gdbiter);
-	check_result(result, "dns_dbiterator_first()");
 }
 
 /*%
@@ -1186,6 +1250,8 @@ postsign(void) {
 
 /*%
  * Sign the apex of the zone.
+ * Note the origin may not be the first node if there are out of zone
+ * records.
  */
 static void
 signapex(void) {
@@ -1196,13 +1262,15 @@ signapex(void) {
 
 	dns_fixedname_init(&fixed);
 	name = dns_fixedname_name(&fixed);
+	result = dns_dbiterator_seek(gdbiter, gorigin);
+	check_result(result, "dns_dbiterator_seek()");
 	result = dns_dbiterator_current(gdbiter, &node, name);
 	check_result(result, "dns_dbiterator_current()");
 	signname(node, name);
 	dumpnode(name, node);
 	cleannode(gdb, gversion, node);
 	dns_db_detachnode(gdb, &node);
-	result = dns_dbiterator_next(gdbiter);
+	result = dns_dbiterator_first(gdbiter);
 	if (result == ISC_R_NOMORE)
 		finished = ISC_TRUE;
 	else if (result != ISC_R_SUCCESS)
@@ -1223,6 +1291,8 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 	dns_rdataset_t nsec;
 	isc_boolean_t found;
 	isc_result_t result;
+	static dns_name_t *zonecut = NULL;	/* Protected by namelock. */
+	static dns_fixedname_t fzonecut;	/* Protected by namelock. */
 	static unsigned int ended = 0;		/* Protected by namelock. */
 
 	if (shuttingdown)
@@ -1250,19 +1320,51 @@ assignwork(isc_task_t *task, isc_task_t *worker) {
 		if (result != ISC_R_SUCCESS)
 			fatal("failure iterating database: %s",
 			      isc_result_totext(result));
+		/*
+		 * The origin was handled by signapex().
+		 */
+		if (dns_name_equal(name, gorigin)) {
+			dns_db_detachnode(gdb, &node);
+			goto next;
+		}
+		/*
+		 * Sort the zone data from the glue and out-of-zone data.
+		 * For NSEC zones nodes with zone data have NSEC records.
+		 * For NSEC3 zones the NSEC3 nodes are zone data but
+		 * outside of the zone name space.  For the rest we need
+		 * to track the bottom of zone cuts.
+		 * Nodes which don't need to be signed are dumped here.
+		 */
 		dns_rdataset_init(&nsec);
 		result = dns_db_findrdataset(gdb, node, gversion,
-					     dns_rdatatype_nsec, 0, 0,
+					     nsec_datatype, 0, 0,
 					     &nsec, NULL);
-		if (result == ISC_R_SUCCESS)
-			found = ISC_TRUE;
-		else
-			dumpnode(name, node);
 		if (dns_rdataset_isassociated(&nsec))
 			dns_rdataset_disassociate(&nsec);
-		if (!found)
+		if (result == ISC_R_SUCCESS) {
+			found = ISC_TRUE;
+		} else if (nsec_datatype == dns_rdatatype_nsec3) {
+			if (dns_name_issubdomain(name, gorigin) &&
+			    (zonecut == NULL ||
+			     !dns_name_issubdomain(name, zonecut))) {
+				if (delegation(name, node, NULL)) {
+					dns_fixedname_init(&fzonecut);
+					zonecut = dns_fixedname_name(&fzonecut);
+					dns_name_copy(name, zonecut, NULL);
+					if (!OPTOUT(nsec3flags) ||
+					    secure(name, node))
+						found = ISC_TRUE;
+				} else
+					found = ISC_TRUE;
+			}
+		}
+
+		if (!found) {
+			dumpnode(name, node);
 			dns_db_detachnode(gdb, &node);
+		}
 
+ next:
 		result = dns_dbiterator_next(gdbiter);
 		if (result == ISC_R_NOMORE) {
 			finished = ISC_TRUE;
@@ -1348,6 +1450,43 @@ sign(isc_task_t *task, isc_event_t *event) {
 }
 
 /*%
+ * Update / remove the DS RRset.  Preserve RRSIG(DS) if possible.
+ */
+static void
+add_ds(dns_name_t *name, dns_dbnode_t *node, isc_uint32_t nsttl) {
+	dns_rdataset_t dsset;
+	dns_rdataset_t sigdsset;
+	isc_result_t result;
+
+	dns_rdataset_init(&dsset);
+	dns_rdataset_init(&sigdsset);
+	result = dns_db_findrdataset(gdb, node, gversion,
+				     dns_rdatatype_ds,
+				     0, 0, &dsset, &sigdsset);
+	if (result == ISC_R_SUCCESS) {
+		dns_rdataset_disassociate(&dsset);
+		result = dns_db_deleterdataset(gdb, node, gversion,
+					       dns_rdatatype_ds, 0);
+		check_result(result, "dns_db_deleterdataset");
+	}
+	result = loadds(name, nsttl, &dsset);
+	if (result == ISC_R_SUCCESS) {
+		result = dns_db_addrdataset(gdb, node, gversion, 0,
+					    &dsset, 0, NULL);
+		check_result(result, "dns_db_addrdataset");
+		dns_rdataset_disassociate(&dsset);
+		if (dns_rdataset_isassociated(&sigdsset))
+			dns_rdataset_disassociate(&sigdsset);
+	} else if (dns_rdataset_isassociated(&sigdsset)) {
+		result = dns_db_deleterdataset(gdb, node, gversion,
+					       dns_rdatatype_rrsig,
+					       dns_rdatatype_ds);
+		check_result(result, "dns_db_deleterdataset");
+		dns_rdataset_disassociate(&sigdsset);
+	}
+}
+
+/*%
  * Generate NSEC records for the zone.
  */
 static void
@@ -1358,6 +1497,7 @@ nsecify(void) {
 	dns_name_t *name, *nextname, *zonecut;
 	isc_boolean_t done = ISC_FALSE;
 	isc_result_t result;
+	isc_uint32_t nsttl = 0;
 
 	dns_fixedname_init(&fname);
 	name = dns_fixedname_name(&fname);
@@ -1366,7 +1506,7 @@ nsecify(void) {
 	dns_fixedname_init(&fzonecut);
 	zonecut = NULL;
 
-	result = dns_db_createiterator(gdb, ISC_FALSE, &dbiter);
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
 	check_result(result, "dns_db_createiterator()");
 
 	result = dns_dbiterator_first(dbiter);
@@ -1374,9 +1514,11 @@ nsecify(void) {
 
 	while (!done) {
 		dns_dbiterator_current(dbiter, &node, name);
-		if (delegation(name, node, NULL)) {
+		if (delegation(name, node, &nsttl)) {
 			zonecut = dns_fixedname_name(&fzonecut);
 			dns_name_copy(name, zonecut, NULL);
+			if (generateds)
+				add_ds(name, node, nsttl);
 		}
 		result = dns_dbiterator_next(dbiter);
 		nextnode = NULL;
@@ -1419,6 +1561,451 @@ nsecify(void) {
 }
 
 /*%
+ * Does this node only contain NSEC3 records or RRSIG records or is empty.
+ */
+static isc_boolean_t
+nsec3only(dns_dbnode_t *node) {
+	dns_rdatasetiter_t *rdsiter = NULL;
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_boolean_t answer = ISC_TRUE;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_allrdatasets(gdb, node, gversion, 0, &rdsiter);
+	check_result(result, "dns_db_allrdatasets()");
+	result = dns_rdatasetiter_first(rdsiter);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig) {
+			answer = ISC_FALSE;
+			result = ISC_R_NOMORE;
+		} else
+			result = dns_rdatasetiter_next(rdsiter);
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE)
+		fatal("rdataset iteration failed: %s",
+		      isc_result_totext(result));
+	dns_rdatasetiter_destroy(&rdsiter);
+	return (answer);
+}
+
+static void
+addnsec3param(const unsigned char *salt, size_t salt_length,
+	      unsigned int iterations)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	unsigned char nsec3parambuf[5 + 255];
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t b;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	nsec3param.common.rdclass = gclass;
+	nsec3param.common.rdtype = dns_rdatatype_nsec3param;
+	ISC_LINK_INIT(&nsec3param.common, link);
+	nsec3param.mctx = NULL;
+	nsec3param.flags = 0;
+	nsec3param.hash = unknownalg ? DNS_NSEC3_UNKNOWNALG : dns_hash_sha1;
+	nsec3param.iterations = iterations;
+	nsec3param.salt_length = salt_length;
+	DE_CONST(salt, nsec3param.salt);
+
+	isc_buffer_init(&b, nsec3parambuf, sizeof(nsec3parambuf));
+	result = dns_rdata_fromstruct(&rdata, gclass,
+				      dns_rdatatype_nsec3param,
+				      &nsec3param, &b);
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.ttl = 0;
+	ISC_LIST_INIT(rdatalist.rdata);
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+
+	result = dns_db_findnode(gdb, gorigin, ISC_TRUE, &node);
+	check_result(result, "dns_db_find(gorigin)");
+	result = dns_db_addrdataset(gdb, node, gversion, 0, &rdataset,
+				    DNS_DBADD_MERGE, NULL);
+	if (result == DNS_R_UNCHANGED)
+		result = ISC_R_SUCCESS;
+	check_result(result, "addnsec3param: dns_db_addrdataset()");
+	dns_db_detachnode(gdb, &node);
+}
+
+static void
+addnsec3(dns_name_t *name, dns_dbnode_t *node,
+	 const unsigned char *salt, size_t salt_length,
+	 unsigned int iterations, hashlist_t *hashlist,
+	 dns_ttl_t ttl)
+{
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	const unsigned char *nexthash;
+	unsigned char nsec3buffer[DNS_NSEC3_BUFFERSIZE];
+	dns_fixedname_t hashname;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	dns_dbnode_t *nsec3node = NULL;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	size_t hash_length;
+
+	dns_name_format(name, namebuf, sizeof(namebuf));
+
+	dns_fixedname_init(&hashname);
+	dns_rdataset_init(&rdataset);
+
+	dns_name_downcase(name, name, NULL);
+	result = dns_nsec3_hashname(&hashname, hash, &hash_length,
+				    name, gorigin, dns_hash_sha1, iterations,
+				    salt, salt_length);
+	check_result(result, "addnsec3: dns_nsec3_hashname()");
+	nexthash = hashlist_findnext(hashlist, hash);
+	result = dns_nsec3_buildrdata(gdb, gversion, node,
+				      unknownalg ?
+					  DNS_NSEC3_UNKNOWNALG : dns_hash_sha1,
+				      nsec3flags, iterations,
+				      salt, salt_length,
+				      nexthash, ISC_SHA1_DIGESTLENGTH,
+				      nsec3buffer, &rdata);
+	check_result(result, "addnsec3: dns_nsec3_buildrdata()");
+	rdatalist.rdclass = rdata.rdclass;
+	rdatalist.type = rdata.type;
+	rdatalist.covers = 0;
+	rdatalist.ttl = ttl;
+	ISC_LIST_INIT(rdatalist.rdata);
+	ISC_LIST_APPEND(rdatalist.rdata, &rdata, link);
+	result = dns_rdatalist_tordataset(&rdatalist, &rdataset);
+	check_result(result, "dns_rdatalist_tordataset()");
+	result = dns_db_findnsec3node(gdb, dns_fixedname_name(&hashname),
+				      ISC_TRUE, &nsec3node);
+	check_result(result, "addnsec3: dns_db_findnode()");
+	result = dns_db_addrdataset(gdb, nsec3node, gversion, 0, &rdataset,
+				    0, NULL);
+	if (result == DNS_R_UNCHANGED)
+		result = ISC_R_SUCCESS;
+	check_result(result, "addnsec3: dns_db_addrdataset()");
+	dns_db_detachnode(gdb, &nsec3node);
+}
+
+/*%
+ * Clean out NSEC3 record and RRSIG(NSEC3) that are not in the hash list.
+ *
+ * Extract the hash from the first label of 'name' then see if it
+ * is in hashlist.  If 'name' is not in the hashlist then delete the
+ * any NSEC3 records which have the same parameters as the chain we
+ * are building.
+ *
+ * XXXMPA Should we also check that it of the form <hash>.<origin>?
+ */
+static void
+nsec3clean(dns_name_t *name, dns_dbnode_t *node,
+	   unsigned int hashalg, unsigned int iterations,
+	   const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+	dns_label_t label;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata, delrdata;
+	dns_rdatalist_t rdatalist;
+	dns_rdataset_t rdataset, delrdataset;
+	isc_boolean_t delete_rrsigs = ISC_FALSE;
+	isc_buffer_t target;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH + 1];
+
+	/*
+	 * Get the first label.
+	 */
+	dns_name_getlabel(name, 0, &label);
+
+	/*
+	 * We want just the label contents.
+	 */
+	isc_region_consume(&label, 1);
+
+	/*
+	 * Decode base32hex string.
+	 */
+	isc_buffer_init(&target, hash, sizeof(hash) - 1);
+	result = isc_base32hex_decoderegion(&label, &target);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	hash[isc_buffer_usedlength(&target)] = 0;
+
+	if (hashlist_exists(hashlist, hash))
+		return;
+
+	/*
+	 * Verify that the NSEC3 parameters match the current ones
+	 * otherwise we are dealing with a different NSEC3 chain.
+	 */
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_init(&delrdataset);
+
+	result = dns_db_findrdataset(gdb, node, gversion, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	/*
+	 * Delete any matching NSEC3 records which have parameters that
+	 * match the NSEC3 chain we are building.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(&rdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		if (nsec3.hash == hashalg &&
+		    nsec3.iterations == iterations &&
+		    nsec3.salt_length == salt_length &&
+		    !memcmp(nsec3.salt, salt, salt_length))
+			break;
+		rdatalist.rdclass = rdata.rdclass;
+		rdatalist.type = rdata.type;
+		rdatalist.covers = 0;
+		rdatalist.ttl = rdataset.ttl;
+		ISC_LIST_INIT(rdatalist.rdata);
+		dns_rdata_init(&delrdata);
+		dns_rdata_clone(&rdata, &delrdata);
+		ISC_LIST_APPEND(rdatalist.rdata, &delrdata, link);
+		result = dns_rdatalist_tordataset(&rdatalist, &delrdataset);
+		check_result(result, "dns_rdatalist_tordataset()");
+		result = dns_db_subtractrdataset(gdb, node, gversion,
+						 &delrdataset, 0, NULL);
+		dns_rdataset_disassociate(&delrdataset);
+		if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+			check_result(result, "dns_db_subtractrdataset(NSEC3)");
+		delete_rrsigs = ISC_TRUE;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result != ISC_R_NOMORE)
+		check_result(result, "dns_rdataset_first/next");
+
+	if (!delete_rrsigs)
+		return;
+	/*
+	 * Delete the NSEC3 RRSIGs
+	 */
+	result = dns_db_deleterdataset(gdb, node, gversion,
+				       dns_rdatatype_rrsig,
+				       dns_rdatatype_nsec3);
+	if (result != ISC_R_SUCCESS && result != DNS_R_UNCHANGED)
+		check_result(result, "dns_db_deleterdataset(RRSIG(NSEC3))");
+}
+
+/*
+ * Generate NSEC3 records for the zone.
+ */
+static void
+nsec3ify(unsigned int hashalg, unsigned int iterations,
+	 const unsigned char *salt, size_t salt_length, hashlist_t *hashlist)
+{
+	dns_dbiterator_t *dbiter = NULL;
+	dns_dbnode_t *node = NULL, *nextnode = NULL;
+	dns_fixedname_t fname, fnextname, fzonecut;
+	dns_name_t *name, *nextname, *zonecut;
+	isc_boolean_t done = ISC_FALSE;
+	isc_result_t result;
+	isc_boolean_t active;
+	isc_uint32_t nsttl = 0;
+	unsigned int count, nlabels;
+	int order;
+
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
+	dns_fixedname_init(&fnextname);
+	nextname = dns_fixedname_name(&fnextname);
+	dns_fixedname_init(&fzonecut);
+	zonecut = NULL;
+
+	/*
+	 * Walk the zone generating the hash names.
+	 */
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			if (result != ISC_R_SUCCESS)
+				break;
+			active = active_node(nextnode);
+			if (!active) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut))) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (delegation(nextname, nextnode, &nsttl)) {
+				zonecut = dns_fixedname_name(&fzonecut);
+				dns_name_copy(nextname, zonecut, NULL);
+				if (generateds)
+					add_ds(nextname, nextnode, nsttl);
+				if (OPTOUT(nsec3flags) &&
+				    !secure(nextname, nextnode)) {
+					dns_db_detachnode(gdb, &nextnode);
+					result = dns_dbiterator_next(dbiter);
+					continue;
+				}
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_copy(gorigin, nextname, NULL);
+			done = ISC_TRUE;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		dns_name_downcase(name, name, NULL);
+		hashlist_add_dns_name(hashlist, name, hashalg, iterations,
+				      salt, salt_length, ISC_FALSE);
+		dns_db_detachnode(gdb, &node);
+		/*
+		 * Add hashs for empty nodes.  Use closest encloser logic.
+		 * The closest encloser either has data or is a empty
+		 * node for another <name,nextname> span so we don't add
+		 * it here.  Empty labels on nextname are within the span.
+		 */
+		dns_name_downcase(nextname, nextname, NULL);
+		dns_name_fullcompare(name, nextname, &order, &nlabels);
+		addnowildcardhash(hashlist, name, hashalg, iterations,
+				  salt, salt_length);
+		count = dns_name_countlabels(nextname);
+		while (count > nlabels + 1) {
+			count--;
+			dns_name_split(nextname, count, NULL, nextname);
+			hashlist_add_dns_name(hashlist, nextname, hashalg,
+					      iterations, salt, salt_length,
+					      ISC_FALSE);
+			addnowildcardhash(hashlist, nextname, hashalg,
+					  iterations, salt, salt_length);
+		}
+	}
+	dns_dbiterator_destroy(&dbiter);
+
+	/*
+	 * We have all the hashes now so we can sort them.
+	 */
+	hashlist_sort(hashlist);
+
+	/*
+	 * Check for duplicate hashes.  If found the salt needs to
+	 * be changed.
+	 */
+	if (hashlist_hasdup(hashlist))
+		fatal("Duplicate hash detected. Pick a different salt.");
+
+	/*
+	 * Generate the nsec3 records.
+	 */
+	zonecut = NULL;
+	done = ISC_FALSE;
+
+	addnsec3param(salt, salt_length, iterations);
+
+	result = dns_db_createiterator(gdb, DNS_DB_NONSEC3, &dbiter);
+	check_result(result, "dns_db_createiterator()");
+
+	result = dns_dbiterator_first(dbiter);
+	check_result(result, "dns_dbiterator_first()");
+
+	while (!done) {
+		dns_dbiterator_current(dbiter, &node, name);
+		result = dns_dbiterator_next(dbiter);
+		nextnode = NULL;
+		while (result == ISC_R_SUCCESS) {
+			result = dns_dbiterator_current(dbiter, &nextnode,
+							nextname);
+			if (result != ISC_R_SUCCESS)
+				break;
+			/*
+			 * Cleanout NSEC3 RRsets which don't exist in the
+			 * hash table.
+			 */
+			nsec3clean(nextname, nextnode, hashalg, iterations,
+				   salt, salt_length, hashlist);
+			/*
+			 * Skip NSEC3 only nodes when looking for the next
+			 * node in the zone.  Also skips now empty nodes.
+			 */
+			if (nsec3only(nextnode)) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (!dns_name_issubdomain(nextname, gorigin) ||
+			    (zonecut != NULL &&
+			     dns_name_issubdomain(nextname, zonecut))) {
+				dns_db_detachnode(gdb, &nextnode);
+				result = dns_dbiterator_next(dbiter);
+				continue;
+			}
+			if (delegation(nextname, nextnode, NULL)) {
+				zonecut = dns_fixedname_name(&fzonecut);
+				dns_name_copy(nextname, zonecut, NULL);
+				if (OPTOUT(nsec3flags) &&
+				    !secure(nextname, nextnode)) {
+					dns_db_detachnode(gdb, &nextnode);
+					result = dns_dbiterator_next(dbiter);
+					continue;
+				}
+			}
+			dns_db_detachnode(gdb, &nextnode);
+			break;
+		}
+		if (result == ISC_R_NOMORE) {
+			dns_name_copy(gorigin, nextname, NULL);
+			done = ISC_TRUE;
+		} else if (result != ISC_R_SUCCESS)
+			fatal("iterating through the database failed: %s",
+			      isc_result_totext(result));
+		/*
+		 * We need to pause here to release the lock on the database.
+		 */
+		dns_dbiterator_pause(dbiter);
+		addnsec3(name, node, salt, salt_length, iterations,
+			 hashlist, zonettl);
+		dns_db_detachnode(gdb, &node);
+		/*
+		 * Add NSEC3's for empty nodes.  Use closest encloser logic.
+		 */
+		dns_name_fullcompare(name, nextname, &order, &nlabels);
+		count = dns_name_countlabels(nextname);
+		while (count > nlabels + 1) {
+			count--;
+			dns_name_split(nextname, count, NULL, nextname);
+			addnsec3(nextname, NULL, salt, salt_length,
+				 iterations, hashlist, zonettl);
+		}
+	}
+	dns_dbiterator_destroy(&dbiter);
+}
+
+/*%
  * Load the zone file from disk
  */
 static void
@@ -1788,6 +2375,9 @@ usage(void) {
 	fprintf(stderr, "\t-n ncpus (number of cpus present)\n");
 	fprintf(stderr, "\t-k key_signing_key\n");
 	fprintf(stderr, "\t-l lookasidezone\n");
+	fprintf(stderr, "\t-3 salt (NSEC3 salt)\n");
+	fprintf(stderr, "\t-H iterations (NSEC3 iterations)\n");
+	fprintf(stderr, "\t-A (NSEC3 optout)\n");
 	fprintf(stderr, "\t-z:\t");
 	fprintf(stderr, "ignore KSK flag in DNSKEYs");
 
@@ -1852,6 +2442,36 @@ main(int argc, char *argv[]) {
 	isc_task_t **tasks = NULL;
 	isc_buffer_t b;
 	int len;
+	unsigned int iterations = 100U;
+	const unsigned char *salt = NULL;
+	size_t salt_length = 0;
+	unsigned char saltbuf[255];
+	hashlist_t hashlist;
+
+#define CMDLINE_FLAGS "3:aAc:d:e:f:ghH:i:I:j:k:l:m:n:N:o:O:pr:s:StUv:z"
+
+	/*
+	 * Process memory debugging argument first.
+	 */
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
+		switch (ch) {
+		case 'm':
+			if (strcasecmp(isc_commandline_argument, "record") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
+			if (strcasecmp(isc_commandline_argument, "trace") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGTRACE;
+			if (strcasecmp(isc_commandline_argument, "usage") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGUSAGE;
+			if (strcasecmp(isc_commandline_argument, "size") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGSIZE;
+			if (strcasecmp(isc_commandline_argument, "mctx") == 0)
+				isc_mem_debugging |= ISC_MEM_DEBUGCTX;
+			break;
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
 
 	masterstyle = &dns_master_style_explicitttl;
 
@@ -1863,10 +2483,34 @@ main(int argc, char *argv[]) {
 
 	dns_result_register();
 
-	while ((ch = isc_commandline_parse(argc, argv,
-					   "ac:d:e:f:ghi:I:j:k:l:n:N:o:O:pr:s:Stv:z"))
-	       != -1) {
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
+		case '3':
+			if (strcmp(isc_commandline_argument, "-")) {
+				isc_buffer_t target;
+				char *sarg;
+
+				sarg = isc_commandline_argument;
+				isc_buffer_init(&target, saltbuf,
+						sizeof(saltbuf));
+				result = isc_hex_decodestring(sarg, &target);
+				check_result(result,
+					     "isc_hex_decodestring(salt)");
+				salt = saltbuf;
+				salt_length = isc_buffer_usedlength(&target);
+			} else {
+				salt = saltbuf;
+				salt_length = 0;
+			}
+			nsec_datatype = dns_rdatatype_nsec3;
+			break;
+
+		case 'A':
+			nsec3flags |= DNS_NSEC3FLAG_OPTOUT;
+			break;
+
 		case 'a':
 			tryverify = ISC_TRUE;
 			break;
@@ -1891,11 +2535,19 @@ main(int argc, char *argv[]) {
 			generateds = ISC_TRUE;
 			break;
 
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
 		case 'h':
-		default:
 			usage();
 			break;
 
+		default:
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -1934,6 +2586,9 @@ main(int argc, char *argv[]) {
 			dskeyfile[ndskeys++] = isc_commandline_argument;
 			break;
 
+		case 'm':
+			break;
+
 		case 'n':
 			endp = NULL;
 			ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -1945,6 +2600,15 @@ main(int argc, char *argv[]) {
 			serialformatstr = isc_commandline_argument;
 			break;
 
+		case 'H':
+			iterations = strtoul(isc_commandline_argument,
+					     &endp, 0);
+			if (*endp != '\0')
+				fatal("iterations must be numeric");
+			if (iterations > 0xffffU)
+				fatal("iterations too big");
+			break;
+
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
@@ -1975,6 +2639,10 @@ main(int argc, char *argv[]) {
 			printstats = ISC_TRUE;
 			break;
 
+		case 'U':	/* Undocumented for testing only. */
+			unknownalg = ISC_TRUE;
+			break;
+
 		case 'v':
 			endp = NULL;
 			verbose = strtol(isc_commandline_argument, &endp, 0);
@@ -2018,7 +2686,7 @@ main(int argc, char *argv[]) {
 		cycle = (endtime - starttime) / 4;
 
 	if (ntasks == 0)
-		ntasks = isc_os_ncpus();
+		ntasks = isc_os_ncpus() * 2;
 	vbprintf(4, "using %d cpus\n", ntasks);
 
 	rdclass = strtoclass(classname);
@@ -2082,7 +2750,6 @@ main(int argc, char *argv[]) {
 					0, 24, 0, 0, 0, 8, mctx);
 	check_result(result, "dns_master_stylecreate");
 
-
 	gdb = NULL;
 	TIME_NOW(&timer_start);
 	loadzone(file, origin, rdclass, &gdb);
@@ -2090,6 +2757,18 @@ main(int argc, char *argv[]) {
 	gclass = dns_db_class(gdb);
 	zonettl = soattl();
 
+	if (IS_NSEC3) {
+		isc_boolean_t answer;
+		hash_length = dns_nsec3_hashlength(dns_hash_sha1);
+		hashlist_init(&hashlist, dns_db_nodecount(gdb) * 2,
+			      hash_length);
+		result = dns_nsec_nseconly(gdb, gversion, &answer);
+		check_result(result, "dns_nsec_nseconly");
+		if (answer)
+			fatal("NSEC3 generation requested with "
+			      "NSEC only DNSKEY");
+	}
+
 	ISC_LIST_INIT(keylist);
 
 	if (argc == 0) {
@@ -2106,6 +2785,9 @@ main(int argc, char *argv[]) {
 				fatal("cannot load dnskey %s: %s", argv[i],
 				      isc_result_totext(result));
 
+			if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+				fatal("key %s not at origin\n", argv[i]);
+
 			key = ISC_LIST_HEAD(keylist);
 			while (key != NULL) {
 				dst_key_t *dkey = key->key;
@@ -2143,6 +2825,9 @@ main(int argc, char *argv[]) {
 			fatal("cannot load dnskey %s: %s", dskeyfile[i],
 			      isc_result_totext(result));
 
+		if (!dns_name_equal(gorigin, dst_key_name(newkey)))
+			fatal("key %s not at origin\n", dskeyfile[i]);
+
 		key = ISC_LIST_HEAD(keylist);
 		while (key != NULL) {
 			dst_key_t *dkey = key->key;
@@ -2176,6 +2861,15 @@ main(int argc, char *argv[]) {
 		nokeys = ISC_TRUE;
 	}
 
+	if (IS_NSEC3) {
+		unsigned int max;
+		result = dns_nsec3_maxiterations(gdb, NULL, mctx, &max);
+		check_result(result, "dns_nsec3_maxiterations()");
+		if (iterations > max)
+			fatal("NSEC3 iterations too big for weakest DNSKEY "
+			      "strength. Maximum iterations allowed %u.", max);
+	}
+
 	warnifallksk(gdb);
 
 	gversion = NULL;
@@ -2195,7 +2889,11 @@ main(int argc, char *argv[]) {
 			break;
 	}
 
-	nsecify();
+	if (IS_NSEC3)
+		nsec3ify(dns_hash_sha1, iterations, salt, salt_length,
+			 &hashlist);
+	else
+		nsecify();
 
 	if (!nokeys) {
 		writeset("keyset-", dns_rdatatype_dnskey);
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
index 67eacc1..2f26ba4 100644
--- a/bin/dnssec/dnssec-signzone.docbook
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.10.18.19 2008/10/15 23:46:06 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.31 2008/10/14 14:28:25 jreed Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -77,6 +77,9 @@
       <arg><option>-t</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg><option>-z</option></arg>
+      <arg><option>-3 <replaceable class="parameter">salt</replaceable></option></arg>
+      <arg><option>-H <replaceable class="parameter">iterations</replaceable></option></arg>
+      <arg><option>-A</option></arg>
       <arg choice="req">zonefile</arg>
       <arg rep="repeat">key</arg>
     </cmdsynopsis>
@@ -400,6 +403,38 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-3 <replaceable class="parameter">salt</replaceable></term>
+        <listitem>
+          <para>
+            Generate a NSEC3 chain with the given hex encoded salt.
+	    A dash (<replaceable class="parameter">salt</replaceable>) can
+	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-H <replaceable class="parameter">iterations</replaceable></term>
+        <listitem>
+          <para>
+	    When generating a NSEC3 chain use this many interations.  The
+	    default is 100.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-A</term>
+        <listitem>
+          <para>
+	    When generating a NSEC3 chain set the OPTOUT flag on all
+	    NSEC3 records and do not generate NSEC3 records for insecure
+	    delegations.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>zonefile</term>
         <listitem>
           <para>
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
index 18d851d..6548d84 100644
--- a/bin/dnssec/dnssec-signzone.html
+++ b/bin/dnssec/dnssec-signzone.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: dnssec-signzone.html,v 1.8.18.25 2008/10/16 01:29:40 tbox Exp $ -->
+<!-- $Id: dnssec-signzone.html,v 1.33 2008/10/15 01:11:35 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,10 +29,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543529"></a><h2>DESCRIPTION</h2>
+<a name="id2543550"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -43,7 +43,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543544"></a><h2>OPTIONS</h2>
+<a name="id2543565"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -226,6 +226,23 @@
 <dd><p>
             Ignore KSK flag on key when determining what to sign.
           </p></dd>
+<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
+<dd><p>
+            Generate a NSEC3 chain with the given hex encoded salt.
+	    A dash (<em class="replaceable"><code>salt</code></em>) can
+	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
+          </p></dd>
+<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
+<dd><p>
+	    When generating a NSEC3 chain use this many interations.  The
+	    default is 100.
+          </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+	    When generating a NSEC3 chain set the OPTOUT flag on all
+	    NSEC3 records and do not generate NSEC3 records for insecure
+	    delegations.
+          </p></dd>
 <dt><span class="term">zonefile</span></dt>
 <dd><p>
             The file containing the zone to be signed.
@@ -241,7 +258,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544330"></a><h2>EXAMPLE</h2>
+<a name="id2544404"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -270,14 +287,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544381"></a><h2>SEE ALSO</h2>
+<a name="id2544523"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544406"></a><h2>AUTHOR</h2>
+<a name="id2544548"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c
index 4f95540..e933a06 100644
--- a/bin/dnssec/dnssectool.c
+++ b/bin/dnssec/dnssectool.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.c,v 1.40.18.3 2005/07/01 03:55:28 marka Exp $ */
+/* $Id: dnssectool.c,v 1.45 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h
index c5f3648..ee476f4 100644
--- a/bin/dnssec/dnssectool.h
+++ b/bin/dnssec/dnssectool.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssectool.h,v 1.18 2004/03/05 04:57:41 marka Exp $ */
+/* $Id: dnssectool.h,v 1.22 2008/09/25 04:02:38 tbox Exp $ */
 
 #ifndef DNSSECTOOL_H
 #define DNSSECTOOL_H 1
@@ -41,7 +41,7 @@ vbprintf(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
 
 void
 type_format(const dns_rdatatype_t type, char *cp, unsigned int size);
-#define TYPE_FORMATSIZE 10
+#define TYPE_FORMATSIZE 20
 
 void
 alg_format(const dns_secalg_t alg, char *cp, unsigned int size);
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index a809e59c..4d800a6 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2002  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.80.18.7 2005/09/05 00:18:10 marka Exp $
+# $Id: Makefile.in,v 1.101 2008/09/23 17:25:47 jinmei Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,6 +21,8 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
+@BIND9_CONFIGARGS@
+
 @BIND9_MAKE_INCLUDES@
 
 #
@@ -38,7 +40,7 @@ DLZDRIVER_SRCS =	@DLZ_DRIVER_SRCS@
 DLZDRIVER_INCLUDES =	@DLZ_DRIVER_INCLUDES@
 DLZDRIVER_LIBS =	@DLZ_DRIVER_LIBS@
 
-CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include \
+CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
@@ -75,7 +77,7 @@ TARGETS =	named@EXEEXT@ lwresd@EXEEXT@
 OBJS =		builtin.@O@ client.@O@ config.@O@ control.@O@ \
 		controlconf.@O@ interfacemgr.@O@ \
 		listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \
-		query.@O@ server.@O@ sortlist.@O@ \
+		query.@O@ server.@O@ sortlist.@O@ statschannel.@O@ \
 		tkeyconf.@O@ tsigconf.@O@ update.@O@ xfrout.@O@ \
 		zoneconf.@O@ \
 		lwaddr.@O@ lwresd.@O@ lwdclient.@O@ lwderror.@O@ lwdgabn.@O@ \
@@ -87,7 +89,7 @@ UOBJS =		unix/os.@O@
 SRCS =		builtin.c client.c config.c control.c \
 		controlconf.c interfacemgr.c \
 		listenlist.c log.c logconf.c main.c notify.c \
-		query.c server.c sortlist.c \
+		query.c server.c sortlist.c statschannel.c \
 		tkeyconf.c tsigconf.c update.c xfrout.c \
 		zoneconf.c \
 		lwaddr.c lwresd.c lwdclient.c lwderror.c lwdgabn.c \
@@ -105,6 +107,7 @@ MANOBJS =	${MANPAGES} ${HTMLPAGES}
 main.@O@: main.c
 	${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
 		-DVERSION=\"${VERSION}\" \
+		-DCONFIGARGS="\"${CONFIGARGS}\"" \
 		-DNS_LOCALSTATEDIR=\"${localstatedir}\" \
 		-DNS_SYSCONFDIR=\"${sysconfdir}\" -c ${srcdir}/main.c
 
@@ -130,6 +133,12 @@ docclean manclean maintainer-clean::
 clean distclean maintainer-clean::
 	rm -f ${TARGETS} ${OBJS}
 
+bind9.xsl.h: bind9.xsl convertxsl.pl
+	${PERL} ${srcdir}/convertxsl.pl < ${srcdir}/bind9.xsl > bind9.xsl.h
+
+depend: bind9.xsl.h
+statschannel.@O@: bind9.xsl.h
+
 installdirs:
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
 	$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man5
diff --git a/bin/named/bind9.xsl b/bin/named/bind9.xsl
new file mode 100644
index 0000000..2cadbfd
--- /dev/null
+++ b/bin/named/bind9.xsl
@@ -0,0 +1,492 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ - Copyright (C) 2006-2009  Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp $ -->
+
+<xsl:stylesheet version="1.0"
+   xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+   xmlns="http://www.w3.org/1999/xhtml">
+  <xsl:template match="isc/bind/statistics">
+    <html>
+      <head>
+        <style type="text/css">
+body {
+	font-family: sans-serif;
+	background-color: #ffffff;
+	color: #000000;
+}
+
+table {
+	border-collapse: collapse;
+}
+
+tr.rowh {
+	text-align: center;
+	border: 1px solid #000000;
+	background-color: #8080ff;
+	color: #ffffff;
+}
+
+tr.row {
+	text-align: right;
+	border: 1px solid #000000;
+	background-color: teal;
+	color: #ffffff;
+}
+
+tr.lrow {
+	text-align: left;
+	border: 1px solid #000000;
+	background-color: teal;
+	color: #ffffff;
+}
+
+td, th {
+	padding-right: 5px;
+	padding-left: 5px;
+}
+
+.header h1 {
+	background-color: teal;
+	color: #ffffff;
+	padding: 4px;
+}
+
+.content {
+	background-color: #ffffff;
+	color: #000000;
+	padding: 4px;
+}
+
+.item {
+	padding: 4px;
+	align: right;
+}
+
+.value {
+	padding: 4px;
+	font-weight: bold;
+}
+
+div.statcounter h2 {
+	text-align: center;
+	font-size: large;
+	border: 1px solid #000000;
+	background-color: #8080ff;
+	color: #ffffff;
+}
+
+div.statcounter dl {
+	float: left;
+	margin-top: 0;
+	margin-bottom: 0;
+	margin-left: 0;
+	margin-right: 0;
+}
+
+div.statcounter dt {
+	width: 200px;
+	text-align: center;
+	font-weight: bold;
+	border: 0.5px solid #000000;
+	background-color: #8080ff;
+	color: #ffffff;
+}
+
+div.statcounter dd {
+	width: 200px;
+	text-align: right;
+	border: 0.5px solid #000000;
+	background-color: teal;
+	color: #ffffff;
+	margin-left: 0;
+	margin-right: 0;
+}
+
+div.statcounter br {
+	clear: left;
+}
+        </style>
+        <title>BIND 9 Statistics</title>
+      </head>
+      <body>
+	<div class="header">
+	  <h1>Bind 9 Configuration and Statistics</h1>
+	</div>
+
+	<br/>
+
+	<table>
+	  <tr class="rowh"><th colspan="2">Times</th></tr>
+	  <tr class="lrow">
+	    <td>boot-time</td>
+	    <td><xsl:value-of select="server/boot-time"/></td>
+	  </tr>
+	  <tr class="lrow">
+	    <td>current-time</td>
+	    <td><xsl:value-of select="server/current-time"/></td>
+	  </tr>
+	</table>
+
+	<br/>
+
+	<table>
+	  <tr class="rowh"><th colspan="2">Incoming Requests</th></tr>
+	  <xsl:for-each select="server/requests/opcode">
+	    <tr class="lrow">
+	      <td><xsl:value-of select="name"/></td>
+	      <td><xsl:value-of select="counter"/></td>
+	    </tr>
+	  </xsl:for-each>
+	</table>
+
+	<br/>
+
+	<table>
+	  <tr class="rowh"><th colspan="2">Incoming Queries</th></tr>
+	  <xsl:for-each select="server/queries-in/rdtype">
+	    <tr class="lrow">
+	      <td><xsl:value-of select="name"/></td>
+	      <td><xsl:value-of select="counter"/></td>
+	    </tr>
+	  </xsl:for-each>
+	</table>
+
+	<br/>
+
+	<xsl:for-each select="views/view">
+	  <table>
+	    <tr class="rowh">
+	      <th colspan="2">Outgoing Queries from View <xsl:value-of select="name"/></th>
+	    </tr>
+	    <xsl:for-each select="rdtype">
+	      <tr class="lrow">
+		<td><xsl:value-of select="name"/></td>
+		<td><xsl:value-of select="counter"/></td>
+	      </tr>
+	    </xsl:for-each>
+	  </table>
+	  <br/>
+	</xsl:for-each>
+
+	<br/>
+
+	<div class="statcounter">
+	  <h2>Server Statistics</h2>
+	  <xsl:for-each select="server/nsstat">
+	    <dl>
+	      <dt><xsl:value-of select="name"/></dt>
+	      <dd><xsl:value-of select="counter"/></dd>
+	    </dl>
+	  </xsl:for-each>
+	  <br/>
+	</div>
+
+	<div class="statcounter">
+	  <h2>Zone Maintenance Statistics</h2>
+	  <xsl:for-each select="server/zonestat">
+	    <dl>
+	      <dt><xsl:value-of select="name"/></dt>
+	      <dd><xsl:value-of select="counter"/></dd>
+	    </dl>
+	  </xsl:for-each>
+	  <br />
+	</div>
+
+	<div class="statcounter">
+	  <h2>Resolver Statistics (Common)</h2>
+	  <xsl:for-each select="server/resstat">
+	    <dl>
+	      <dt><xsl:value-of select="name"/></dt>
+	      <dd><xsl:value-of select="counter"/></dd>
+	    </dl>
+	  </xsl:for-each>
+	  <br />
+	</div>
+
+	<xsl:for-each select="views/view">
+	  <div class="statcounter">
+	    <h2>Resolver Statistics for View <xsl:value-of select="name"/></h2>
+	    <xsl:for-each select="resstat">
+	      <dl>
+		<dt><xsl:value-of select="name"/></dt>
+		<dd><xsl:value-of select="counter"/></dd>
+	      </dl>
+	    </xsl:for-each>
+	    <br />
+	  </div>
+	</xsl:for-each>
+
+	<br />
+
+	<xsl:for-each select="views/view">
+	  <table>
+	    <tr class="rowh">
+	      <th colspan="2">Cache DB RRsets for View <xsl:value-of select="name"/></th>
+	    </tr>
+	    <xsl:for-each select="cache/rrset">
+	      <tr class="lrow">
+		<td><xsl:value-of select="name"/></td>
+		<td><xsl:value-of select="counter"/></td>
+	      </tr>
+	    </xsl:for-each>
+	  </table>
+	  <br/>
+	</xsl:for-each>
+
+	<div class="statcounter">
+	  <h2>Socket I/O Statistics</h2>
+	  <xsl:for-each select="server/sockstat">
+	    <dl>
+	      <dt><xsl:value-of select="name"/></dt>
+	      <dd><xsl:value-of select="counter"/></dd>
+	    </dl>
+	  </xsl:for-each>
+	  <br/>
+	</div>
+
+	<br/>
+
+        <xsl:for-each select="views/view">
+          <table>
+            <tr class="rowh">
+              <th colspan="10">Zones for View <xsl:value-of select="name"/></th>
+            </tr>
+            <tr class="rowh">
+              <th>Name</th>
+              <th>Class</th>
+              <th>Serial</th>
+              <th>Success</th>
+              <th>Referral</th>
+              <th>NXRRSET</th>
+              <th>NXDOMAIN</th>
+              <th>Failure</th>
+	      <th>XfrReqDone</th>
+	      <th>XfrRej</th>
+            </tr>
+            <xsl:for-each select="zones/zone">
+              <tr class="lrow">
+                <td>
+                  <xsl:value-of select="name"/>
+                </td>
+                <td>
+                  <xsl:value-of select="rdataclass"/>
+                </td>
+                <td>
+                  <xsl:value-of select="serial"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/QrySuccess"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/QryReferral"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/QryNxrrset"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/QryNXDOMAIN"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/QryFailure"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/XfrReqDone"/>
+                </td>
+                <td>
+                  <xsl:value-of select="counters/XfrRej"/>
+                </td>
+              </tr>
+            </xsl:for-each>
+          </table>
+          <br/>
+        </xsl:for-each>
+
+        <br/>
+
+        <table>
+          <tr class="rowh">
+            <th colspan="7">Network Status</th>
+          </tr>
+          <tr class="rowh">
+            <th>ID</th>
+	    <th>Name</th>
+            <th>Type</th>
+            <th>References</th>
+            <th>LocalAddress</th>
+            <th>PeerAddress</th>
+            <th>State</th>
+          </tr>
+          <xsl:for-each select="socketmgr/sockets/socket">
+            <tr class="lrow">
+              <td>
+                <xsl:value-of select="id"/>
+              </td>
+              <td>
+                <xsl:value-of select="name"/>
+              </td>
+              <td>
+                <xsl:value-of select="type"/>
+              </td>
+              <td>
+                <xsl:value-of select="references"/>
+              </td>
+              <td>
+                <xsl:value-of select="local-address"/>
+              </td>
+              <td>
+                <xsl:value-of select="peer-address"/>
+              </td>
+              <td>
+                <xsl:for-each select="states">
+                  <xsl:value-of select="."/>
+                </xsl:for-each>
+              </td>
+            </tr>
+          </xsl:for-each>
+        </table>
+        <br/>
+        <table>
+          <tr class="rowh">
+            <th colspan="2">Task Manager Configuration</th>
+          </tr>
+          <tr class="lrow">
+            <td>Thread-Model</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/type"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Worker Threads</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/worker-threads"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Default Quantum</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/default-quantum"/>
+            </td>
+          </tr>
+          <tr class="lrow">
+            <td>Tasks Running</td>
+            <td>
+              <xsl:value-of select="taskmgr/thread-model/tasks-running"/>
+            </td>
+          </tr>
+        </table>
+        <br/>
+        <table>
+          <tr class="rowh">
+            <th colspan="5">Tasks</th>
+          </tr>
+          <tr class="rowh">
+            <th>ID</th>
+            <th>Name</th>
+            <th>References</th>
+            <th>State</th>
+            <th>Quantum</th>
+          </tr>
+          <xsl:for-each select="taskmgr/tasks/task">
+            <tr class="lrow">
+              <td>
+                <xsl:value-of select="id"/>
+              </td>
+              <td>
+                <xsl:value-of select="name"/>
+              </td>
+              <td>
+                <xsl:value-of select="references"/>
+              </td>
+              <td>
+                <xsl:value-of select="state"/>
+              </td>
+              <td>
+                <xsl:value-of select="quantum"/>
+              </td>
+            </tr>
+          </xsl:for-each>
+        </table>
+	<br />
+	<table>
+          <tr class="rowh">
+            <th colspan="4">Memory Usage Summary</th>
+          </tr>
+	  <xsl:for-each select="memory/summary/*">
+	    <tr class="lrow">
+	      <td><xsl:value-of select="name()"/></td>
+	      <td><xsl:value-of select="."/></td>
+	    </tr>
+	  </xsl:for-each>
+	</table>
+	<br />
+	<table>
+          <tr class="rowh">
+            <th colspan="10">Memory Contexts</th>
+          </tr>
+	  <tr class="rowh">
+	    <th>ID</th>
+	    <th>Name</th>
+	    <th>References</th>
+	    <th>TotalUse</th>
+	    <th>InUse</th>
+	    <th>MaxUse</th>
+	    <th>BlockSize</th>
+	    <th>Pools</th>
+	    <th>HiWater</th>
+	    <th>LoWater</th>
+	  </tr>
+	  <xsl:for-each select="memory/contexts/context">
+	    <tr class="lrow">
+	      <td>
+		<xsl:value-of select="id"/>
+	      </td>
+              <td>
+                <xsl:value-of select="name"/>
+              </td>
+	      <td>
+		<xsl:value-of select="references"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="total"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="inuse"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="maxinuse"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="blocksize"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="pools"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="hiwater"/>
+	      </td>
+	      <td>
+		<xsl:value-of select="lowater"/>
+	      </td>
+	    </tr>
+	  </xsl:for-each>
+	</table>
+
+      </body>
+    </html>
+  </xsl:template>
+</xsl:stylesheet>
diff --git a/bin/named/bind9.xsl.h b/bin/named/bind9.xsl.h
new file mode 100644
index 0000000..e42fda0
--- /dev/null
+++ b/bin/named/bind9.xsl.h
@@ -0,0 +1,497 @@
+/*
+ * Generated by convertxsl.pl 1.14 2008/07/17 23:43:26 jinmei Exp  
+ * From bind9.xsl 1.19.82.2 2009/01/29 23:47:43 tbox Exp 
+ */
+static char xslmsg[] =
+	"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+	"<!--\n"
+	" - Copyright (C) 2006-2009 Internet Systems Consortium, Inc. (\"ISC\")\n"
+	" -\n"
+	" - Permission to use, copy, modify, and/or distribute this software for any\n"
+	" - purpose with or without fee is hereby granted, provided that the above\n"
+	" - copyright notice and this permission notice appear in all copies.\n"
+	" -\n"
+	" - THE SOFTWARE IS PROVIDED \"AS IS\" AND ISC DISCLAIMS ALL WARRANTIES WITH\n"
+	" - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY\n"
+	" - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,\n"
+	" - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM\n"
+	" - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE\n"
+	" - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR\n"
+	" - PERFORMANCE OF THIS SOFTWARE.\n"
+	"-->\n"
+	"\n"
+	"<!-- \045Id: bind9.xsl,v 1.19.82.2 2009/01/29 23:47:43 tbox Exp \045 -->\n"
+	"\n"
+	"<xsl:stylesheet version=\"1.0\"\n"
+	" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"\n"
+	" xmlns=\"http://www.w3.org/1999/xhtml\">\n"
+	" <xsl:template match=\"isc/bind/statistics\">\n"
+	" <html>\n"
+	" <head>\n"
+	" <style type=\"text/css\">\n"
+	"body {\n"
+	" font-family: sans-serif;\n"
+	" background-color: #ffffff;\n"
+	" color: #000000;\n"
+	"}\n"
+	"\n"
+	"table {\n"
+	" border-collapse: collapse;\n"
+	"}\n"
+	"\n"
+	"tr.rowh {\n"
+	" text-align: center;\n"
+	" border: 1px solid #000000;\n"
+	" background-color: #8080ff;\n"
+	" color: #ffffff;\n"
+	"}\n"
+	"\n"
+	"tr.row {\n"
+	" text-align: right;\n"
+	" border: 1px solid #000000;\n"
+	" background-color: teal;\n"
+	" color: #ffffff;\n"
+	"}\n"
+	"\n"
+	"tr.lrow {\n"
+	" text-align: left;\n"
+	" border: 1px solid #000000;\n"
+	" background-color: teal;\n"
+	" color: #ffffff;\n"
+	"}\n"
+	"\n"
+	"td, th {\n"
+	" padding-right: 5px;\n"
+	" padding-left: 5px;\n"
+	"}\n"
+	"\n"
+	".header h1 {\n"
+	" background-color: teal;\n"
+	" color: #ffffff;\n"
+	" padding: 4px;\n"
+	"}\n"
+	"\n"
+	".content {\n"
+	" background-color: #ffffff;\n"
+	" color: #000000;\n"
+	" padding: 4px;\n"
+	"}\n"
+	"\n"
+	".item {\n"
+	" padding: 4px;\n"
+	" align: right;\n"
+	"}\n"
+	"\n"
+	".value {\n"
+	" padding: 4px;\n"
+	" font-weight: bold;\n"
+	"}\n"
+	"\n"
+	"div.statcounter h2 {\n"
+	" text-align: center;\n"
+	" font-size: large;\n"
+	" border: 1px solid #000000;\n"
+	" background-color: #8080ff;\n"
+	" color: #ffffff;\n"
+	"}\n"
+	"\n"
+	"div.statcounter dl {\n"
+	" float: left;\n"
+	" margin-top: 0;\n"
+	" margin-bottom: 0;\n"
+	" margin-left: 0;\n"
+	" margin-right: 0;\n"
+	"}\n"
+	"\n"
+	"div.statcounter dt {\n"
+	" width: 200px;\n"
+	" text-align: center;\n"
+	" font-weight: bold;\n"
+	" border: 0.5px solid #000000;\n"
+	" background-color: #8080ff;\n"
+	" color: #ffffff;\n"
+	"}\n"
+	"\n"
+	"div.statcounter dd {\n"
+	" width: 200px;\n"
+	" text-align: right;\n"
+	" border: 0.5px solid #000000;\n"
+	" background-color: teal;\n"
+	" color: #ffffff;\n"
+	" margin-left: 0;\n"
+	" margin-right: 0;\n"
+	"}\n"
+	"\n"
+	"div.statcounter br {\n"
+	" clear: left;\n"
+	"}\n"
+	" </style>\n"
+	" <title>BIND 9 Statistics</title>\n"
+	" </head>\n"
+	" <body>\n"
+	" <div class=\"header\">\n"
+	" <h1>Bind 9 Configuration and Statistics</h1>\n"
+	" </div>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <table>\n"
+	" <tr class=\"rowh\"><th colspan=\"2\">Times</th></tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>boot-time</td>\n"
+	" <td><xsl:value-of select=\"server/boot-time\"/></td>\n"
+	" </tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>current-time</td>\n"
+	" <td><xsl:value-of select=\"server/current-time\"/></td>\n"
+	" </tr>\n"
+	" </table>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <table>\n"
+	" <tr class=\"rowh\"><th colspan=\"2\">Incoming Requests</th></tr>\n"
+	" <xsl:for-each select=\"server/requests/opcode\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td><xsl:value-of select=\"name\"/></td>\n"
+	" <td><xsl:value-of select=\"counter\"/></td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <table>\n"
+	" <tr class=\"rowh\"><th colspan=\"2\">Incoming Queries</th></tr>\n"
+	" <xsl:for-each select=\"server/queries-in/rdtype\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td><xsl:value-of select=\"name\"/></td>\n"
+	" <td><xsl:value-of select=\"counter\"/></td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"2\">Outgoing Queries from View <xsl:value-of select=\"name\"/></th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"rdtype\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td><xsl:value-of select=\"name\"/></td>\n"
+	" <td><xsl:value-of select=\"counter\"/></td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:for-each>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <div class=\"statcounter\">\n"
+	" <h2>Server Statistics</h2>\n"
+	" <xsl:for-each select=\"server/nsstat\">\n"
+	" <dl>\n"
+	" <dt><xsl:value-of select=\"name\"/></dt>\n"
+	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
+	" </dl>\n"
+	" </xsl:for-each>\n"
+	" <br/>\n"
+	" </div>\n"
+	"\n"
+	" <div class=\"statcounter\">\n"
+	" <h2>Zone Maintenance Statistics</h2>\n"
+	" <xsl:for-each select=\"server/zonestat\">\n"
+	" <dl>\n"
+	" <dt><xsl:value-of select=\"name\"/></dt>\n"
+	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
+	" </dl>\n"
+	" </xsl:for-each>\n"
+	" <br />\n"
+	" </div>\n"
+	"\n"
+	" <div class=\"statcounter\">\n"
+	" <h2>Resolver Statistics (Common)</h2>\n"
+	" <xsl:for-each select=\"server/resstat\">\n"
+	" <dl>\n"
+	" <dt><xsl:value-of select=\"name\"/></dt>\n"
+	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
+	" </dl>\n"
+	" </xsl:for-each>\n"
+	" <br />\n"
+	" </div>\n"
+	"\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <div class=\"statcounter\">\n"
+	" <h2>Resolver Statistics for View <xsl:value-of select=\"name\"/></h2>\n"
+	" <xsl:for-each select=\"resstat\">\n"
+	" <dl>\n"
+	" <dt><xsl:value-of select=\"name\"/></dt>\n"
+	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
+	" </dl>\n"
+	" </xsl:for-each>\n"
+	" <br />\n"
+	" </div>\n"
+	" </xsl:for-each>\n"
+	"\n"
+	" <br />\n"
+	"\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"2\">Cache DB RRsets for View <xsl:value-of select=\"name\"/></th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"cache/rrset\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td><xsl:value-of select=\"name\"/></td>\n"
+	" <td><xsl:value-of select=\"counter\"/></td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:for-each>\n"
+	"\n"
+	" <div class=\"statcounter\">\n"
+	" <h2>Socket I/O Statistics</h2>\n"
+	" <xsl:for-each select=\"server/sockstat\">\n"
+	" <dl>\n"
+	" <dt><xsl:value-of select=\"name\"/></dt>\n"
+	" <dd><xsl:value-of select=\"counter\"/></dd>\n"
+	" </dl>\n"
+	" </xsl:for-each>\n"
+	" <br/>\n"
+	" </div>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <xsl:for-each select=\"views/view\">\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"10\">Zones for View <xsl:value-of select=\"name\"/></th>\n"
+	" </tr>\n"
+	" <tr class=\"rowh\">\n"
+	" <th>Name</th>\n"
+	" <th>Class</th>\n"
+	" <th>Serial</th>\n"
+	" <th>Success</th>\n"
+	" <th>Referral</th>\n"
+	" <th>NXRRSET</th>\n"
+	" <th>NXDOMAIN</th>\n"
+	" <th>Failure</th>\n"
+	" <th>XfrReqDone</th>\n"
+	" <th>XfrRej</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"zones/zone\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"rdataclass\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"serial\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/QrySuccess\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/QryReferral\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/QryNxrrset\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/QryNXDOMAIN\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/QryFailure\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/XfrReqDone\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"counters/XfrRej\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" </xsl:for-each>\n"
+	"\n"
+	" <br/>\n"
+	"\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"7\">Network Status</th>\n"
+	" </tr>\n"
+	" <tr class=\"rowh\">\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>Type</th>\n"
+	" <th>References</th>\n"
+	" <th>LocalAddress</th>\n"
+	" <th>PeerAddress</th>\n"
+	" <th>State</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"socketmgr/sockets/socket\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"type\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"local-address\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"peer-address\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:for-each select=\"states\">\n"
+	" <xsl:value-of select=\".\"/>\n"
+	" </xsl:for-each>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br/>\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"2\">Task Manager Configuration</th>\n"
+	" </tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>Thread-Model</td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/type\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>Worker Threads</td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/worker-threads\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>Default Quantum</td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/default-quantum\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" <tr class=\"lrow\">\n"
+	" <td>Tasks Running</td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"taskmgr/thread-model/tasks-running\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </table>\n"
+	" <br/>\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"5\">Tasks</th>\n"
+	" </tr>\n"
+	" <tr class=\"rowh\">\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>References</th>\n"
+	" <th>State</th>\n"
+	" <th>Quantum</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"taskmgr/tasks/task\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"state\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"quantum\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br />\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"4\">Memory Usage Summary</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"memory/summary/*\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td><xsl:value-of select=\"name()\"/></td>\n"
+	" <td><xsl:value-of select=\".\"/></td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	" <br />\n"
+	" <table>\n"
+	" <tr class=\"rowh\">\n"
+	" <th colspan=\"10\">Memory Contexts</th>\n"
+	" </tr>\n"
+	" <tr class=\"rowh\">\n"
+	" <th>ID</th>\n"
+	" <th>Name</th>\n"
+	" <th>References</th>\n"
+	" <th>TotalUse</th>\n"
+	" <th>InUse</th>\n"
+	" <th>MaxUse</th>\n"
+	" <th>BlockSize</th>\n"
+	" <th>Pools</th>\n"
+	" <th>HiWater</th>\n"
+	" <th>LoWater</th>\n"
+	" </tr>\n"
+	" <xsl:for-each select=\"memory/contexts/context\">\n"
+	" <tr class=\"lrow\">\n"
+	" <td>\n"
+	" <xsl:value-of select=\"id\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"name\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"references\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"total\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"inuse\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"maxinuse\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"blocksize\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"pools\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"hiwater\"/>\n"
+	" </td>\n"
+	" <td>\n"
+	" <xsl:value-of select=\"lowater\"/>\n"
+	" </td>\n"
+	" </tr>\n"
+	" </xsl:for-each>\n"
+	" </table>\n"
+	"\n"
+	" </body>\n"
+	" </html>\n"
+	" </xsl:template>\n"
+	"</xsl:stylesheet>\n";
diff --git a/bin/named/builtin.c b/bin/named/builtin.c
index 06cbd4a..7927737 100644
--- a/bin/named/builtin.c
+++ b/bin/named/builtin.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.c,v 1.5.18.5 2005/08/23 04:12:38 marka Exp $ */
+/* $Id: builtin.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/bin/named/client.c b/bin/named/client.c
index 03cfdb6..ae5386c 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.219.18.31 2008/05/22 23:46:03 tbox Exp $ */
+/* $Id: client.c,v 1.259.12.3 2009/01/29 22:40:33 jinmei Exp $ */
 
 #include <config.h>
 
@@ -24,6 +24,7 @@
 #include <isc/once.h>
 #include <isc/platform.h>
 #include <isc/print.h>
+#include <isc/stats.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/task.h>
@@ -41,6 +42,7 @@
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
 #include <dns/resolver.h>
+#include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
@@ -48,6 +50,7 @@
 #include <named/interfacemgr.h>
 #include <named/log.h>
 #include <named/notify.h>
+#include <named/os.h>
 #include <named/server.h>
 #include <named/update.h>
 
@@ -119,9 +122,9 @@ struct ns_clientmgr {
 	isc_mutex_t			lock;
 	/* Locked by lock. */
 	isc_boolean_t			exiting;
-	client_list_t			active; 	/*%< Active clients */
-	client_list_t			recursing; 	/*%< Recursing clients */
-	client_list_t 			inactive;	/*%< To be recycled */
+	client_list_t			active;		/*%< Active clients */
+	client_list_t			recursing;	/*%< Recursing clients */
+	client_list_t			inactive;	/*%< To be recycled */
 #if NMCTXS > 0
 	/*%< mctx pool for clients. */
 	unsigned int			nextmctx;
@@ -463,6 +466,8 @@ exit_check(ns_client_t *client) {
 
 		if (client->state == client->newstate) {
 			client->newstate = NS_CLIENTSTATE_MAX;
+			if (client->needshutdown)
+				isc_task_shutdown(client->task);
 			goto unlock;
 		}
 	}
@@ -519,6 +524,14 @@ exit_check(ns_client_t *client) {
 
 		CTRACE("free");
 		client->magic = 0;
+		/*
+		 * Check that there are no other external references to
+		 * the memory context.
+		 */
+		if (ns_g_clienttest && isc_mem_references(client->mctx) != 1) {
+			isc_mem_stats(client->mctx, stderr);
+			INSIST(0);
+		}
 		isc_mem_putanddetach(&client->mctx, client, sizeof(*client));
 
 		goto unlock;
@@ -592,6 +605,7 @@ client_shutdown(isc_task_t *task, isc_event_t *event) {
 	}
 
 	client->newstate = NS_CLIENTSTATE_FREED;
+	client->needshutdown = ISC_FALSE;
 	(void)exit_check(client);
 }
 
@@ -640,11 +654,11 @@ ns_client_checkactive(ns_client_t *client) {
 		/*
 		 * This client object should normally go inactive
 		 * at this point, but if we have fewer active client
-		 * objects than  desired due to earlier quota exhaustion,
+		 * objects than desired due to earlier quota exhaustion,
 		 * keep it active to make up for the shortage.
 		 */
 		isc_boolean_t need_another_client = ISC_FALSE;
-		if (TCP_CLIENT(client)) {
+		if (TCP_CLIENT(client) && !ns_g_clienttest) {
 			LOCK(&client->interface->lock);
 			if (client->interface->ntcpcurrent <
 			    client->interface->ntcptarget)
@@ -906,6 +920,7 @@ ns_client_send(ns_client_t *client) {
 	unsigned char sendbuf[SEND_BUFFER_SIZE];
 	unsigned int dnssec_opts;
 	unsigned int preferred_glue;
+	isc_boolean_t opt_included = ISC_FALSE;
 
 	REQUIRE(NS_CLIENT_VALID(client));
 
@@ -943,11 +958,10 @@ ns_client_send(ns_client_t *client) {
 	result = dns_message_renderbegin(client->message, &cctx, &buffer);
 	if (result != ISC_R_SUCCESS)
 		goto done;
+
 	if (client->opt != NULL) {
 		result = dns_message_setopt(client->message, client->opt);
-		/*
-		 * XXXRTH dns_message_setopt() should probably do this...
-		 */
+		opt_included = ISC_TRUE;
 		client->opt = NULL;
 		if (result != ISC_R_SUCCESS)
 			goto done;
@@ -1003,6 +1017,25 @@ ns_client_send(ns_client_t *client) {
 		result = client_sendpkg(client, &tcpbuffer);
 	} else
 		result = client_sendpkg(client, &buffer);
+
+	/* update statistics (XXXJT: is it okay to access message->xxxkey?) */
+	isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_response);
+	if (opt_included) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_edns0out);
+	}
+	if (client->message->tsigkey != NULL) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_tsigout);
+	}
+	if (client->message->sig0key != NULL) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_sig0out);
+	}
+	if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0)
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_truncatedresp);
+
 	if (result == ISC_R_SUCCESS)
 		return;
 
@@ -1179,11 +1212,46 @@ client_addopt(ns_client_t *client) {
 	 */
 	rdatalist->ttl = (client->extflags & DNS_MESSAGEEXTFLAG_REPLYPRESERVE);
 
-	/*
-	 * No EDNS options in the default case.
-	 */
-	rdata->data = NULL;
-	rdata->length = 0;
+	/* Set EDNS options if applicable */
+	if (client->attributes & NS_CLIENTATTR_WANTNSID &&
+	    (ns_g_server->server_id != NULL ||
+	     ns_g_server->server_usehostname)) {
+		/*
+		 * Space required for NSID data:
+		 *   2 bytes for opt code
+		 * + 2 bytes for NSID length
+		 * + NSID itself
+		 */
+		char nsid[BUFSIZ], *nsidp;
+		isc_buffer_t *buffer = NULL;
+
+		if (ns_g_server->server_usehostname) {
+			isc_result_t result;
+			result = ns_os_gethostname(nsid, sizeof(nsid));
+			if (result != ISC_R_SUCCESS) {
+				goto no_nsid;
+			}
+			nsidp = nsid;
+		} else
+			nsidp = ns_g_server->server_id;
+
+		rdata->length = strlen(nsidp) + 4;
+		result = isc_buffer_allocate(client->mctx, &buffer,
+					     rdata->length);
+		if (result != ISC_R_SUCCESS)
+			goto no_nsid;
+
+		isc_buffer_putuint16(buffer, DNS_OPT_NSID);
+		isc_buffer_putuint16(buffer, strlen(nsidp));
+		isc_buffer_putstr(buffer, nsidp);
+		rdata->data = buffer->base;
+		dns_message_takebuffer(client->message, &buffer);
+	} else {
+no_nsid:
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
+
 	rdata->rdclass = rdatalist->rdclass;
 	rdata->type = rdatalist->type;
 	rdata->flags = 0;
@@ -1218,7 +1286,7 @@ allowed(isc_netaddr_t *addr, dns_name_t *signer, dns_acl_t *acl) {
  * delivered to 'myview'.
  *
  * We run this unlocked as both the view list and the interface list
- * are updated when the approprite task has exclusivity.
+ * are updated when the appropriate task has exclusivity.
  */
 isc_boolean_t
 ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
@@ -1253,14 +1321,14 @@ ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
 			isc_boolean_t match;
 			isc_result_t result;
 
-			tsig = &mykey->name;
-			result = dns_view_gettsig(view, tsig, &key);
+			result = dns_view_gettsig(view, &mykey->name, &key);
 			if (result != ISC_R_SUCCESS)
 				continue;
 			match = dst_key_compare(mykey->key, key->key);
 			dns_tsigkey_detach(&key);
 			if (!match)
 				continue;
+			tsig = dns_tsigkey_identity(mykey);
 		}
 
 		if (allowed(&netsrc, tsig, view->matchclients) &&
@@ -1284,13 +1352,16 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	isc_buffer_t tbuffer;
 	dns_view_t *view;
 	dns_rdataset_t *opt;
-	isc_boolean_t ra; 	/* Recursion available. */
+	dns_name_t *signame;
+	isc_boolean_t ra;	/* Recursion available. */
 	isc_netaddr_t netaddr;
 	isc_netaddr_t destaddr;
 	int match;
 	dns_messageid_t id;
 	unsigned int flags;
 	isc_boolean_t notimp;
+	dns_rdata_t rdata;
+	isc_uint16_t optcode;
 
 	REQUIRE(event != NULL);
 	client = event->ev_arg;
@@ -1440,6 +1511,20 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
+	 * Update some statistics counters.  Don't count responses.
+	 */
+	if (isc_sockaddr_pf(&client->peeraddr) == PF_INET) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_requestv4);
+	} else {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_requestv6);
+	}
+	if (TCP_CLIENT(client))
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_tcp);
+
+	/*
 	 * It's a request.  Parse it.
 	 */
 	result = dns_message_parse(client->message, buffer, 0);
@@ -1452,6 +1537,8 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	}
 
+	dns_opcodestats_increment(ns_g_server->opcodestats,
+				  client->message->opcode);
 	switch (client->message->opcode) {
 	case dns_opcode_query:
 	case dns_opcode_update:
@@ -1499,12 +1586,35 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		 */
 		client->ednsversion = (opt->ttl & 0x00FF0000) >> 16;
 		if (client->ednsversion > 0) {
+			isc_stats_increment(ns_g_server->nsstats,
+					    dns_nsstatscounter_badednsver);
 			result = client_addopt(client);
 			if (result == ISC_R_SUCCESS)
 				result = DNS_R_BADVERS;
 			ns_client_error(client, result);
 			goto cleanup;
 		}
+
+		/* Check for NSID request */
+		result = dns_rdataset_first(opt);
+		if (result == ISC_R_SUCCESS) {
+			dns_rdata_init(&rdata);
+			dns_rdataset_current(opt, &rdata);
+			if (rdata.length >= 2) {
+				isc_buffer_t nsidbuf;
+				isc_buffer_init(&nsidbuf,
+						rdata.data, rdata.length);
+				isc_buffer_add(&nsidbuf, rdata.length);
+				optcode = isc_buffer_getuint16(&nsidbuf);
+				if (optcode == DNS_OPT_NSID)
+					client->attributes |=
+						NS_CLIENTATTR_WANTNSID;
+			}
+		}
+
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_edns0in);
+
 		/*
 		 * Create an OPT for our reply.
 		 */
@@ -1591,10 +1701,11 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		    client->message->rdclass == dns_rdataclass_any)
 		{
 			dns_name_t *tsig = NULL;
+
 			sigresult = dns_message_rechecksig(client->message,
 							   view);
 			if (sigresult == ISC_R_SUCCESS)
-				tsig = client->message->tsigname;
+				tsig = dns_tsigkey_identity(client->message->tsigkey);
 
 			if (allowed(&netaddr, tsig, view->matchclients) &&
 			    allowed(&destaddr, tsig, view->matchdestinations) &&
@@ -1648,6 +1759,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	client->signer = NULL;
 	dns_name_init(&client->signername, NULL);
 	result = dns_message_signer(client->message, &client->signername);
+	if (result != ISC_R_NOTFOUND) {
+		signame = NULL;
+		if (dns_message_gettsig(client->message, &signame) != NULL) {
+			isc_stats_increment(ns_g_server->nsstats,
+					    dns_nsstatscounter_tsigin);
+		} else {
+			isc_stats_increment(ns_g_server->nsstats,
+					    dns_nsstatscounter_sig0in);
+		}
+
+	}
 	if (result == ISC_R_SUCCESS) {
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
@@ -1664,24 +1786,42 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	} else {
 		char tsigrcode[64];
 		isc_buffer_t b;
-		dns_name_t *name = NULL;
 		dns_rcode_t status;
 		isc_result_t tresult;
 
 		/* There is a signature, but it is bad. */
-		if (dns_message_gettsig(client->message, &name) != NULL) {
+		isc_stats_increment(ns_g_server->nsstats,
+				    dns_nsstatscounter_invalidsig);
+		signame = NULL;
+		if (dns_message_gettsig(client->message, &signame) != NULL) {
 			char namebuf[DNS_NAME_FORMATSIZE];
-			dns_name_format(name, namebuf, sizeof(namebuf));
+			char cnamebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(signame, namebuf, sizeof(namebuf));
 			status = client->message->tsigstatus;
 			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
 			tresult = dns_tsigrcode_totext(status, &b);
 			INSIST(tresult == ISC_R_SUCCESS);
 			tsigrcode[isc_buffer_usedlength(&b)] = '\0';
-			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_CLIENT, ISC_LOG_ERROR,
-				      "request has invalid signature: "
-				      "TSIG %s: %s (%s)", namebuf,
-				      isc_result_totext(result), tsigrcode);
+			if (client->message->tsigkey->generated) {
+				dns_name_format(client->message->tsigkey->creator,
+						cnamebuf, sizeof(cnamebuf));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_CLIENT,
+					      ISC_LOG_ERROR,
+					      "request has invalid signature: "
+					      "TSIG %s (%s): %s (%s)", namebuf,
+					      cnamebuf,
+					      isc_result_totext(result),
+					      tsigrcode);
+			} else {
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_CLIENT,
+					      ISC_LOG_ERROR,
+					      "request has invalid signature: "
+					      "TSIG %s: %s (%s)", namebuf,
+					      isc_result_totext(result),
+					      tsigrcode);
+			}
 		} else {
 			status = client->message->sig0status;
 			isc_buffer_init(&b, tsigrcode, sizeof(tsigrcode) - 1);
@@ -1715,9 +1855,17 @@ client_request(isc_task_t *task, isc_event_t *event) {
 	ra = ISC_FALSE;
 	if (client->view->resolver != NULL &&
 	    client->view->recursion == ISC_TRUE &&
-	    ns_client_checkaclsilent(client, client->view->recursionacl,
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->recursionacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, NULL,
+				     client->view->queryacl,
+				     ISC_TRUE) == ISC_R_SUCCESS &&
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->recursiononacl,
 				     ISC_TRUE) == ISC_R_SUCCESS &&
-	    ns_client_checkaclsilent(client, client->view->queryacl,
+	    ns_client_checkaclsilent(client, &client->interface->addr,
+				     client->view->queryonacl,
 				     ISC_TRUE) == ISC_R_SUCCESS)
 		ra = ISC_TRUE;
 
@@ -1804,13 +1952,17 @@ client_timeout(isc_task_t *task, isc_event_t *event) {
 static isc_result_t
 get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
 	isc_mem_t *clientmctx;
-#if NMCTXS > 0
 	isc_result_t result;
-#endif
 
 	/*
 	 * Caller must be holding the manager lock.
 	 */
+	if (ns_g_clienttest) {
+		result = isc_mem_create(0, 0, mctxp);
+		if (result == ISC_R_SUCCESS)
+			isc_mem_setname(*mctxp, "client", NULL);
+		return (result);
+	}
 #if NMCTXS > 0
 	INSIST(manager->nextmctx < NMCTXS);
 	clientmctx = manager->mctxpool[manager->nextmctx];
@@ -1818,6 +1970,7 @@ get_clientmctx(ns_clientmgr_t *manager, isc_mem_t **mctxp) {
 		result = isc_mem_create(0, 0, &clientmctx);
 		if (result != ISC_R_SUCCESS)
 			return (result);
+		isc_mem_setname(clientmctx, "client", NULL);
 
 		manager->mctxpool[manager->nextmctx] = clientmctx;
 	}
@@ -1966,6 +2119,8 @@ client_create(ns_clientmgr_t *manager, ns_client_t **clientp) {
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_query;
 
+	client->needshutdown = ns_g_clienttest;
+
 	CTRACE("create");
 
 	*clientp = client;
@@ -2056,6 +2211,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (nevent->result == ISC_R_SUCCESS) {
 		client->tcpsocket = nevent->newsocket;
+		isc_socket_setname(client->tcpsocket, "client-tcp", NULL);
 		client->state = NS_CLIENTSTATE_READING;
 		INSIST(client->recursionquota == NULL);
 
@@ -2068,7 +2224,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 	} else {
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
-		 *         it didn't work.  If we just give up, then TCP
+		 *	   it didn't work.  If we just give up, then TCP
 		 *	   service may eventually stop.
 		 *
 		 *	   For now, we just go idle.
@@ -2115,7 +2271,7 @@ client_newconn(isc_task_t *task, isc_event_t *event) {
 		 * Let a new client take our place immediately, before
 		 * we wait for a request packet.  If we don't,
 		 * telnetting to port 53 (once per CPU) will
-		 * deny service to legititmate TCP clients.
+		 * deny service to legitimate TCP clients.
 		 */
 		result = isc_quota_attach(&ns_g_server->tcpquota,
 					  &client->tcpquota);
@@ -2149,7 +2305,7 @@ client_accept(ns_client_t *client) {
 				 isc_result_totext(result));
 		/*
 		 * XXXRTH  What should we do?  We're trying to accept but
-		 *         it didn't work.  If we just give up, then TCP
+		 *	   it didn't work.  If we just give up, then TCP
 		 *	   service may eventually stop.
 		 *
 		 *	   For now, we just go idle.
@@ -2386,7 +2542,9 @@ ns_clientmgr_createclients(ns_clientmgr_t *manager, unsigned int n,
 		 * Allocate a client.  First try to get a recycled one;
 		 * if that fails, make a new one.
 		 */
-		client = ISC_LIST_HEAD(manager->inactive);
+		client = NULL;
+		if (!ns_g_clienttest)
+			client = ISC_LIST_HEAD(manager->inactive);
 		if (client != NULL) {
 			MTRACE("recycle");
 			ISC_LIST_UNLINK(manager->inactive, client, link);
@@ -2442,8 +2600,8 @@ ns_client_getsockaddr(ns_client_t *client) {
 }
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
-			 isc_boolean_t default_allow)
+ns_client_checkaclsilent(ns_client_t *client, isc_sockaddr_t *sockaddr,
+			 dns_acl_t *acl, isc_boolean_t default_allow)
 {
 	isc_result_t result;
 	int match;
@@ -2456,11 +2614,16 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 			goto deny;
 	}
 
-	isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+
+	if (sockaddr == NULL)
+		isc_netaddr_fromsockaddr(&netaddr, &client->peeraddr);
+	else
+		isc_netaddr_fromsockaddr(&netaddr, sockaddr);
 
 	result = dns_acl_match(&netaddr, client->signer, acl,
 			       &ns_g_server->aclenv,
 			       &match, NULL);
+
 	if (result != ISC_R_SUCCESS)
 		goto deny; /* Internal error, already logged. */
 	if (match > 0)
@@ -2475,12 +2638,12 @@ ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
 }
 
 isc_result_t
-ns_client_checkacl(ns_client_t *client,
+ns_client_checkacl(ns_client_t *client, isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow, int log_level)
 {
 	isc_result_t result =
-		ns_client_checkaclsilent(client, acl, default_allow);
+		ns_client_checkaclsilent(client, sockaddr, acl, default_allow);
 
 	if (result == ISC_R_SUCCESS)
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
@@ -2503,7 +2666,7 @@ ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
 
 void
 ns_client_logv(ns_client_t *client, isc_logcategory_t *category,
-	   isc_logmodule_t *module, int level, const char *fmt, va_list ap)
+	       isc_logmodule_t *module, int level, const char *fmt, va_list ap)
 {
 	char msgbuf[2048];
 	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
diff --git a/bin/named/config.c b/bin/named/config.c
index 233d9e0..8b96050 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.47.18.35 2008/09/04 08:03:07 marka Exp $ */
+/* $Id: config.c,v 1.93.14.2 2009/03/17 23:47:28 tbox Exp $ */
 
 /*! \file */
 
@@ -69,7 +69,7 @@ options {\n\
 	memstatistics-file \"named.memstats\";\n\
 	multiple-cnames no;\n\
 #	named-xfer <obsolete>;\n\
-#	pid-file \"" NS_LOCALSTATEDIR "/named.pid\"; /* or /lwresd.pid */\n\
+#	pid-file \"" NS_LOCALSTATEDIR "/run/named/named.pid\"; /* or /lwresd.pid */\n\
 	port 53;\n\
 	recursing-file \"named.recursing\";\n\
 "
@@ -99,13 +99,16 @@ options {\n\
 	use-ixfr true;\n\
 	edns-udp-size 4096;\n\
 	max-udp-size 4096;\n\
+	request-nsid false;\n\
 	reserved-sockets 512;\n\
 \n\
 	/* view */\n\
 	allow-notify {none;};\n\
 	allow-update-forwarding {none;};\n\
 	allow-query-cache { localnets; localhost; };\n\
+	allow-query-cache-on { any; };\n\
 	allow-recursion { localnets; localhost; };\n\
+	allow-recursion-on { any; };\n\
 #	allow-v6-synthesis <obsolete>;\n\
 #	sortlist <none>\n\
 #	topology <none>\n\
@@ -122,7 +125,7 @@ options {\n\
 	query-source-v6 address *;\n\
 	notify-source *;\n\
 	notify-source-v6 *;\n\
-	cleaning-interval 60;\n\
+	cleaning-interval 0;  /* now meaningless */\n\
 	min-roots 2;\n\
 	lame-ttl 600;\n\
 	max-ncache-ttl 10800; /* 3 hours */\n\
@@ -135,21 +138,24 @@ options {\n\
 	check-mx warn;\n\
 	acache-enable no;\n\
 	acache-cleaning-interval 60;\n\
-	max-acache-size 0;\n\
+	max-acache-size 16M;\n\
 	dnssec-enable yes;\n\
-	dnssec-validation no; /* Make yes for 9.5. */ \n\
+	dnssec-validation yes; \n\
 	dnssec-accept-expired no;\n\
 	clients-per-query 10;\n\
 	max-clients-per-query 100;\n\
 	zero-no-soa-ttl-cache no;\n\
+	nsec3-test-zone no;\n\
 "
 
 "	/* zone */\n\
 	allow-query {any;};\n\
+	allow-query-on {any;};\n\
 	allow-transfer {any;};\n\
 	notify yes;\n\
 #	also-notify <none>\n\
 	notify-delay 5;\n\
+	notify-to-soa no;\n\
 	dialup no;\n\
 #	forward <none>\n\
 #	forwarders <none>\n\
@@ -169,6 +175,9 @@ options {\n\
 	min-refresh-time 300;\n\
 	multi-master no;\n\
 	sig-validity-interval 30; /* days */\n\
+	sig-signing-nodes 100;\n\
+	sig-signing-signatures 10;\n\
+	sig-signing-type 65534;\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\
@@ -179,6 +188,7 @@ options {\n\
 	check-srv-cname warn;\n\
 	zero-no-soa-ttl yes;\n\
 	update-check-ksk yes;\n\
+	try-tcp-refresh yes; /* BIND 8 compat */\n\
 };\n\
 "
 
diff --git a/bin/named/control.c b/bin/named/control.c
index 3f2d52e..8bd8f6c 100644
--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.c,v 1.20.10.10 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: control.c,v 1.33 2007/09/13 04:45:18 each Exp $ */
 
 /*! \file */
 
@@ -63,6 +63,7 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 	isccc_sexpr_t *data;
 	char *command;
 	isc_result_t result;
+	int log_level;
 #ifdef HAVE_LIBSCF
 	ns_smf_want_disable = 0;
 #endif
@@ -83,14 +84,20 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		return (result);
 	}
 
+	/*
+	 * Compare the 'command' parameter against all known control commands.
+	 */
+	if (command_compare(command, NS_COMMAND_NULL) ||
+	    command_compare(command, NS_COMMAND_STATUS)) {
+		log_level = ISC_LOG_DEBUG(1);
+	} else {
+		log_level = ISC_LOG_INFO;
+	}
 	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-		      NS_LOGMODULE_CONTROL, ISC_LOG_DEBUG(1),
+		      NS_LOGMODULE_CONTROL, log_level,
 		      "received control channel command '%s'",
 		      command);
 
-	/*
-	 * Compare the 'command' parameter against all known control commands.
-	 */
 	if (command_compare(command, NS_COMMAND_RELOAD)) {
 		result = ns_server_reloadcommand(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_RECONFIG)) {
@@ -158,6 +165,10 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_flushname(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_STATUS)) {
 		result = ns_server_status(ns_g_server, text);
+	} else if (command_compare(command, NS_COMMAND_TSIGLIST)) {
+		result = ns_server_tsiglist(ns_g_server, text);
+	} else if (command_compare(command, NS_COMMAND_TSIGDELETE)) {
+		result = ns_server_tsigdelete(ns_g_server, command, text);
 	} else if (command_compare(command, NS_COMMAND_FREEZE)) {
 		result = ns_server_freeze(ns_g_server, ISC_TRUE, command);
 	} else if (command_compare(command, NS_COMMAND_UNFREEZE) ||
diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c
index e8e36f3..766f013 100644
--- a/bin/named/controlconf.c
+++ b/bin/named/controlconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: controlconf.c,v 1.40.18.14 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: controlconf.c,v 1.60 2008/07/23 23:27:54 marka Exp $ */
 
 /*! \file */
 
@@ -597,6 +597,7 @@ control_newconn(isc_task_t *task, isc_event_t *event) {
 	}
 
 	sock = nevent->newsocket;
+	isc_socket_setname(sock, "control", NULL);
 	(void)isc_socket_getpeername(sock, &peeraddr);
 	if (listener->type == isc_sockettype_tcp &&
 	    !address_ok(&peeraddr, listener->acl)) {
@@ -1007,7 +1008,7 @@ update_listener(ns_controls_t *cp, controllistener_t **listenerp,
 	if (control != NULL && type == isc_sockettype_tcp) {
 		allow = cfg_tuple_get(control, "allow");
 		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-					    aclconfctx, listener->mctx,
+					    aclconfctx, listener->mctx, 0,
 					    &new_acl);
 	} else {
 		result = dns_acl_any(listener->mctx, &new_acl);
@@ -1094,7 +1095,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		if (control != NULL && type == isc_sockettype_tcp) {
 			allow = cfg_tuple_get(control, "allow");
 			result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
-						    aclconfctx, mctx, &new_acl);
+						    aclconfctx, mctx, 0,
+						    &new_acl);
 		} else {
 			result = dns_acl_any(mctx, &new_acl);
 		}
@@ -1143,6 +1145,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp,
 		result = isc_socket_create(ns_g_socketmgr,
 					   isc_sockaddr_pf(&listener->address),
 					   type, &listener->sock);
+	if (result == ISC_R_SUCCESS)
+		isc_socket_setname(listener->sock, "control", NULL);
 
 	if (result == ISC_R_SUCCESS)
 		result = isc_socket_bind(listener->sock, &listener->address,
diff --git a/bin/named/convertxsl.pl b/bin/named/convertxsl.pl
new file mode 100755
index 0000000..87550b3
--- /dev/null
+++ b/bin/named/convertxsl.pl
@@ -0,0 +1,57 @@
+#!/usr/bin/env perl
+#
+# Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $
+
+use strict;
+use warnings;
+
+my $rev = '$Id: convertxsl.pl,v 1.14 2008/07/17 23:43:26 jinmei Exp $';
+$rev =~ s/\$//g;
+$rev =~ s/,v//g;
+$rev =~ s/Id: //;
+
+my $xsl = "unknown";
+my $lines = '';
+
+while (<>) {
+    chomp;
+    # pickout the id for comment.
+    $xsl = $_ if (/<!-- .Id:.* -->/);
+    # convert Id string to a form not recognisable by cvs.
+    $_ =~ s/<!-- .Id:(.*). -->/<!-- \\045Id: $1\\045 -->/;
+    s/[\ \t]+/ /g;
+    s/\>\ \</\>\</g;
+    s/\"/\\\"/g;
+    s/^/\t\"/;
+    s/$/\\n\"/;
+    if ($lines eq "") {
+	    $lines .= $_;
+    } else {
+	    $lines .= "\n" . $_;
+    }
+}
+
+$xsl =~ s/\$//g;
+$xsl =~ s/<!-- Id: //;
+$xsl =~ s/ -->.*//;
+$xsl =~ s/,v//;
+
+print "/*\n * Generated by $rev \n * From $xsl\n */\n";
+print 'static char xslmsg[] =',"\n";
+print $lines;
+
+print ';', "\n";
diff --git a/bin/named/include/named/builtin.h b/bin/named/include/named/builtin.h
index 37a3e76..a5185ba 100644
--- a/bin/named/include/named/builtin.h
+++ b/bin/named/include/named/builtin.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: builtin.h,v 1.2.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: builtin.h,v 1.6 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_BUILTIN_H
 #define NAMED_BUILTIN_H 1
diff --git a/bin/named/include/named/client.h b/bin/named/include/named/client.h
index 0cf7985..3ebed3f 100644
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.h,v 1.69.18.9 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: client.h,v 1.86.120.2 2009/01/18 23:47:34 tbox Exp $ */
 
 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file 
+/*! \file
  * \brief
  * This module defines two objects, ns_client_t and ns_clientmgr_t.
  *
@@ -97,6 +97,13 @@ struct ns_client {
 	int			nupdates;
 	int			nctls;
 	int			references;
+	isc_boolean_t		needshutdown; 	/*
+						 * Used by clienttest to get
+						 * the client to go from
+						 * inactive to free state
+						 * by shutting down the
+						 * client's task.
+						 */
 	unsigned int		attributes;
 	isc_task_t *		task;
 	dns_view_t *		view;
@@ -155,10 +162,11 @@ struct ns_client {
 #define NS_CLIENT_VALID(c)		ISC_MAGIC_VALID(c, NS_CLIENT_MAGIC)
 
 #define NS_CLIENTATTR_TCP		0x01
-#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recusive service */
+#define NS_CLIENTATTR_RA		0x02 /*%< Client gets recursive service */
 #define NS_CLIENTATTR_PKTINFO		0x04 /*%< pktinfo is valid */
 #define NS_CLIENTATTR_MULTICAST		0x08 /*%< recv'd from multicast */
 #define NS_CLIENTATTR_WANTDNSSEC	0x10 /*%< include dnssec records */
+#define NS_CLIENTATTR_WANTNSID          0x20 /*%< include nameserver ID */
 
 extern unsigned int ns_client_requests;
 
@@ -266,7 +274,9 @@ ns_client_getsockaddr(ns_client_t *client);
  */
 
 isc_result_t
-ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
+ns_client_checkaclsilent(ns_client_t *client,
+			 isc_sockaddr_t *sockaddr,
+			 dns_acl_t *acl,
 			 isc_boolean_t default_allow);
 
 /*%
@@ -274,6 +284,8 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
  *
  * Check the current client request against 'acl'.  If 'acl'
  * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
+ * If netaddr is NULL, check the ACL against client->peeraddr;
+ * otherwise check it against netaddr.
  *
  * Notes:
  *\li	This is appropriate for checking allow-update,
@@ -284,6 +296,7 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
  *
  * Requires:
  *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
  *\li	'acl' points to a valid ACL, or is NULL.
  *
  * Returns:
@@ -294,18 +307,19 @@ ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
 
 isc_result_t
 ns_client_checkacl(ns_client_t  *client,
+		   isc_sockaddr_t *sockaddr,
 		   const char *opname, dns_acl_t *acl,
 		   isc_boolean_t default_allow,
 		   int log_level);
 /*%
- * Like ns_client_checkacl, but also logs the outcome of the
- * check at log level 'log_level' if denied, and at debug 3
- * if approved.  Log messages will refer to the request as
- * an 'opname' request.
+ * Like ns_client_checkaclsilent, except the outcome of the check is
+ * logged at log level 'log_level' if denied, and at debug 3 if approved.
+ * Log messages will refer to the request as an 'opname' request.
  *
  * Requires:
- *\li	Those of ns_client_checkaclsilent(), and:
- *
+ *\li	'client' points to a valid client.
+ *\li	'sockaddr' points to a valid address, or is NULL.
+ *\li	'acl' points to a valid ACL, or is NULL.
  *\li	'opname' points to a null-terminated string.
  */
 
@@ -352,8 +366,8 @@ ns_client_qnamereplace(ns_client_t *client, dns_name_t *name);
 
 isc_boolean_t
 ns_client_isself(dns_view_t *myview, dns_tsigkey_t *mykey,
-                 isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
-                 dns_rdataclass_t rdclass, void *arg);
+		 isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		 dns_rdataclass_t rdclass, void *arg);
 /*%
  * Isself callback.
  */
diff --git a/bin/named/include/named/config.h b/bin/named/include/named/config.h
index e8e6038..f7ceed8 100644
--- a/bin/named/include/named/config.h
+++ b/bin/named/include/named/config.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h,v 1.6.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: config.h,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_CONFIG_H
 #define NAMED_CONFIG_H 1
diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h
index 5b7e5f4..d382ffe 100644
--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: control.h,v 1.14.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: control.h,v 1.25 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -47,6 +47,8 @@
 #define NS_COMMAND_FLUSH	"flush"
 #define NS_COMMAND_FLUSHNAME	"flushname"
 #define NS_COMMAND_STATUS	"status"
+#define NS_COMMAND_TSIGLIST	"tsig-list"
+#define NS_COMMAND_TSIGDELETE	"tsig-delete"
 #define NS_COMMAND_FREEZE	"freeze"
 #define NS_COMMAND_UNFREEZE	"unfreeze"
 #define NS_COMMAND_THAW		"thaw"
diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h
index 9c86afd..6040dc3 100644
--- a/bin/named/include/named/globals.h
+++ b/bin/named/include/named/globals.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.64.18.6 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: globals.h,v 1.80 2008/11/16 22:49:18 marka Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -42,6 +42,10 @@
 #define INIT(v)
 #endif
 
+#ifndef NS_RUN_PID_DIR
+#define NS_RUN_PID_DIR 1
+#endif
+
 EXTERN isc_mem_t *		ns_g_mctx		INIT(NULL);
 EXTERN unsigned int		ns_g_cpus		INIT(0);
 EXTERN isc_taskmgr_t *		ns_g_taskmgr		INIT(NULL);
@@ -59,6 +63,7 @@ EXTERN isc_timermgr_t *		ns_g_timermgr		INIT(NULL);
 EXTERN isc_socketmgr_t *	ns_g_socketmgr		INIT(NULL);
 EXTERN cfg_parser_t *		ns_g_parser		INIT(NULL);
 EXTERN const char *		ns_g_version		INIT(VERSION);
+EXTERN const char *		ns_g_configargs		INIT(CONFIGARGS);
 EXTERN in_port_t		ns_g_port		INIT(0);
 EXTERN in_port_t		lwresd_g_listenport	INIT(0);
 
@@ -107,13 +112,26 @@ EXTERN const char *		ns_g_chrootdir		INIT(NULL);
 EXTERN isc_boolean_t		ns_g_foreground		INIT(ISC_FALSE);
 EXTERN isc_boolean_t		ns_g_logstderr		INIT(ISC_FALSE);
 
+#if NS_RUN_PID_DIR
+EXTERN const char *		ns_g_defaultpidfile 	INIT(NS_LOCALSTATEDIR
+							     "/run/named/"
+							     "named.pid");
+EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
+							     "/run/lwresd/"
+							     "lwresd.pid");
+#else
 EXTERN const char *		ns_g_defaultpidfile 	INIT(NS_LOCALSTATEDIR
 							     "/run/named.pid");
 EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
-							    "/run/lwresd.pid");
+							     "/run/lwresd.pid");
+#endif
+
 EXTERN const char *		ns_g_username		INIT(NULL);
 
 EXTERN int			ns_g_listen		INIT(3);
+EXTERN isc_time_t		ns_g_boottime;
+EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);
+EXTERN isc_boolean_t		ns_g_clienttest		INIT(ISC_FALSE);
 
 #undef EXTERN
 #undef INIT
diff --git a/bin/named/include/named/interfacemgr.h b/bin/named/include/named/interfacemgr.h
index 42279ff..2724c39 100644
--- a/bin/named/include/named/interfacemgr.h
+++ b/bin/named/include/named/interfacemgr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.h,v 1.26.18.4 2005/04/27 05:00:35 sra Exp $ */
+/* $Id: interfacemgr.h,v 1.33 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_INTERFACEMGR_H
 #define NAMED_INTERFACEMGR_H 1
diff --git a/bin/named/include/named/listenlist.h b/bin/named/include/named/listenlist.h
index cdca026..9e65d5d 100644
--- a/bin/named/include/named/listenlist.h
+++ b/bin/named/include/named/listenlist.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.h,v 1.11.18.2 2005/04/29 00:15:34 marka Exp $ */
+/* $Id: listenlist.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_LISTENLIST_H
 #define NAMED_LISTENLIST_H 1
diff --git a/bin/named/include/named/log.h b/bin/named/include/named/log.h
index 6d6e648..444fe50 100644
--- a/bin/named/include/named/log.h
+++ b/bin/named/include/named/log.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.21.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: log.h,v 1.25.332.2 2009/01/07 23:47:16 tbox Exp $ */
 
 #ifndef NAMED_LOG_H
 #define NAMED_LOG_H 1
@@ -36,6 +36,7 @@
 #define NS_LOGCATEGORY_QUERIES		(&ns_g_categories[4])
 #define NS_LOGCATEGORY_UNMATCHED	(&ns_g_categories[5])
 #define NS_LOGCATEGORY_UPDATE_SECURITY	(&ns_g_categories[6])
+#define NS_LOGCATEGORY_QUERY_EERRORS	(&ns_g_categories[7])
 
 /*
  * Backwards compatibility.
diff --git a/bin/named/include/named/logconf.h b/bin/named/include/named/logconf.h
index 79df5c6..0354345 100644
--- a/bin/named/include/named/logconf.h
+++ b/bin/named/include/named/logconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.h,v 1.11.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.h,v 1.17 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_LOGCONF_H
 #define NAMED_LOGCONF_H 1
diff --git a/bin/named/include/named/lwaddr.h b/bin/named/include/named/lwaddr.h
index 552d1d4..962aa91 100644
--- a/bin/named/include/named/lwaddr.h
+++ b/bin/named/include/named/lwaddr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.h,v 1.4.18.2 2005/04/29 00:15:35 marka Exp $ */
+/* $Id: lwaddr.h,v 1.8 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/include/named/lwdclient.h b/bin/named/include/named/lwdclient.h
index 591b86c..f0ab057 100644
--- a/bin/named/include/named/lwdclient.h
+++ b/bin/named/include/named/lwdclient.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.h,v 1.14.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwdclient.h,v 1.18.332.2 2009/01/18 23:47:34 tbox Exp $ */
 
 #ifndef NAMED_LWDCLIENT_H
 #define NAMED_LWDCLIENT_H 1
@@ -39,7 +39,7 @@
 
 #define LWRD_SHUTDOWN		(LWRD_EVENTCLASS + 0x0001)
 
-/*% Lighweight Resolver Daemon Client */
+/*% Lightweight Resolver Daemon Client */
 struct ns_lwdclient {
 	isc_sockaddr_t		address;	/*%< where to reply */
 	struct in6_pktinfo	pktinfo;
diff --git a/bin/named/include/named/lwresd.h b/bin/named/include/named/lwresd.h
index ef93fcd..565e58d 100644
--- a/bin/named/include/named/lwresd.h
+++ b/bin/named/include/named/lwresd.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.h,v 1.13.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwresd.h,v 1.19 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_LWRESD_H
 #define NAMED_LWRESD_H 1
diff --git a/bin/named/include/named/lwsearch.h b/bin/named/include/named/lwsearch.h
index b85e401..c1b4f48 100644
--- a/bin/named/include/named/lwsearch.h
+++ b/bin/named/include/named/lwsearch.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.h,v 1.5.18.2 2005/04/29 00:15:36 marka Exp $ */
+/* $Id: lwsearch.h,v 1.9 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_LWSEARCH_H
 #define NAMED_LWSEARCH_H 1
diff --git a/bin/named/include/named/main.h b/bin/named/include/named/main.h
index dd4fe8c..e834539 100644
--- a/bin/named/include/named/main.h
+++ b/bin/named/include/named/main.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.h,v 1.11.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: main.h,v 1.15 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_MAIN_H
 #define NAMED_MAIN_H 1
diff --git a/bin/named/include/named/notify.h b/bin/named/include/named/notify.h
index 106d70c..e8df0a1 100644
--- a/bin/named/include/named/notify.h
+++ b/bin/named/include/named/notify.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.h,v 1.10.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: notify.h,v 1.14.332.2 2009/01/18 23:47:34 tbox Exp $ */
 
 #ifndef NAMED_NOTIFY_H
 #define NAMED_NOTIFY_H 1
@@ -41,7 +41,7 @@ void
 ns_notify_start(ns_client_t *client);
 
 /*%<
- *	Examines the incoming message to determine apporiate zone.
+ *	Examines the incoming message to determine appropriate zone.
  *	Returns FORMERR if there is not exactly one question.
  *	Returns REFUSED if we do not serve the listed zone.
  *	Pass the message to the zone module for processing
diff --git a/bin/named/include/named/ns_smf_globals.h b/bin/named/include/named/ns_smf_globals.h
index 06df2ba..3a35743 100644
--- a/bin/named/include/named/ns_smf_globals.h
+++ b/bin/named/include/named/ns_smf_globals.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_smf_globals.h,v 1.2.2.4 2005/05/13 01:32:46 marka Exp $ */
+/* $Id: ns_smf_globals.h,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NS_SMF_GLOBALS_H
 #define NS_SMF_GLOBALS_H 1
diff --git a/bin/named/include/named/query.h b/bin/named/include/named/query.h
index 741212f..500b577 100644
--- a/bin/named/include/named/query.h
+++ b/bin/named/include/named/query.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.h,v 1.36.18.2 2005/04/29 00:15:37 marka Exp $ */
+/* $Id: query.h,v 1.40 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_QUERY_H
 #define NAMED_QUERY_H 1
diff --git a/bin/named/include/named/server.h b/bin/named/include/named/server.h
index 54d1dae..43eccc4 100644
--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.h,v 1.73.18.8 2006/03/09 23:46:20 marka Exp $ */
+/* $Id: server.h,v 1.93.120.2 2009/01/29 23:47:44 tbox Exp $ */
 
 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -23,13 +23,14 @@
 /*! \file */
 
 #include <isc/log.h>
-#include <isc/sockaddr.h>
 #include <isc/magic.h>
-#include <isc/types.h>
 #include <isc/quota.h>
+#include <isc/sockaddr.h>
+#include <isc/types.h>
+#include <isc/xml.h>
 
-#include <dns/types.h>
 #include <dns/acl.h>
+#include <dns/types.h>
 
 #include <named/types.h>
 
@@ -62,7 +63,7 @@ struct ns_server {
 	isc_boolean_t		server_usehostname;
 	char *			server_id;	/*%< User-specified server id */
 
-        /*%
+	/*%
 	 * Current ACL environment.  This defines the
 	 * current values of the localhost and localnets
 	 * ACLs.
@@ -90,18 +91,74 @@ struct ns_server {
 	isc_boolean_t		flushonshutdown;
 	isc_boolean_t		log_queries;	/*%< For BIND 8 compatibility */
 
-	isc_uint64_t *		querystats;	/*%< Query statistics counters */
+	isc_stats_t *		nsstats;	/*%< Server statistics */
+	dns_stats_t *		rcvquerystats;	/*% Incoming query statistics */
+	dns_stats_t *		opcodestats;	/*%< Incoming message statistics */
+	isc_stats_t *		zonestats;	/*% Zone management statistics */
+	isc_stats_t *		resolverstats;	/*% Resolver statistics */
 
+	isc_stats_t *		sockstats;	/*%< Socket statistics */
 	ns_controls_t *		controls;	/*%< Control channels */
 	unsigned int		dispatchgen;
 	ns_dispatchlist_t	dispatches;
 
 	dns_acache_t		*acache;
+
+	ns_statschannellist_t	statschannels;
 };
 
 #define NS_SERVER_MAGIC			ISC_MAGIC('S','V','E','R')
 #define NS_SERVER_VALID(s)		ISC_MAGIC_VALID(s, NS_SERVER_MAGIC)
 
+/*%
+ * Server statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	dns_nsstatscounter_requestv4 = 0,
+	dns_nsstatscounter_requestv6 = 1,
+	dns_nsstatscounter_edns0in = 2,
+	dns_nsstatscounter_badednsver = 3,
+	dns_nsstatscounter_tsigin = 4,
+	dns_nsstatscounter_sig0in = 5,
+	dns_nsstatscounter_invalidsig = 6,
+	dns_nsstatscounter_tcp = 7,
+
+	dns_nsstatscounter_authrej = 8,
+	dns_nsstatscounter_recurserej = 9,
+	dns_nsstatscounter_xfrrej = 10,
+	dns_nsstatscounter_updaterej = 11,
+
+	dns_nsstatscounter_response = 12,
+	dns_nsstatscounter_truncatedresp = 13,
+	dns_nsstatscounter_edns0out = 14,
+	dns_nsstatscounter_tsigout = 15,
+	dns_nsstatscounter_sig0out = 16,
+
+	dns_nsstatscounter_success = 17,
+	dns_nsstatscounter_authans = 18,
+	dns_nsstatscounter_nonauthans = 19,
+	dns_nsstatscounter_referral = 20,
+	dns_nsstatscounter_nxrrset = 21,
+	dns_nsstatscounter_servfail = 22,
+	dns_nsstatscounter_formerr = 23,
+	dns_nsstatscounter_nxdomain = 24,
+	dns_nsstatscounter_recursion = 25,
+	dns_nsstatscounter_duplicate = 26,
+	dns_nsstatscounter_dropped = 27,
+	dns_nsstatscounter_failure = 28,
+
+	dns_nsstatscounter_xfrdone = 29,
+
+	dns_nsstatscounter_updatereqfwd = 30,
+	dns_nsstatscounter_updaterespfwd = 31,
+	dns_nsstatscounter_updatefwdfail = 32,
+	dns_nsstatscounter_updatedone = 33,
+	dns_nsstatscounter_updatefail = 34,
+	dns_nsstatscounter_updatebadprereq = 35,
+
+	dns_nsstatscounter_max = 36
+};
+
 void
 ns_server_create(isc_mem_t *mctx, ns_server_t **serverp);
 /*%<
@@ -204,6 +261,18 @@ isc_result_t
 ns_server_status(ns_server_t *server, isc_buffer_t *text);
 
 /*%
+ * Report a list of dynamic and static tsig keys, per view.
+ */
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text);
+
+/*%
+ * Delete a specific key (with optional view).
+ */
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text);
+
+/*%
  * Enable or disable updates for a zone.
  */
 isc_result_t
diff --git a/bin/named/include/named/sortlist.h b/bin/named/include/named/sortlist.h
index f849be2..b9f6076 100644
--- a/bin/named/include/named/sortlist.h
+++ b/bin/named/include/named/sortlist.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.h,v 1.5.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.h,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_SORTLIST_H
 #define NAMED_SORTLIST_H 1
diff --git a/bin/named/include/named/statschannel.h b/bin/named/include/named/statschannel.h
new file mode 100644
index 0000000..0c36d8c
--- /dev/null
+++ b/bin/named/include/named/statschannel.h
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: statschannel.h,v 1.3 2008/04/03 05:55:51 marka Exp $ */
+
+#ifndef NAMED_STATSCHANNEL_H
+#define NAMED_STATSCHANNEL_H 1
+
+/*! \file
+ * \brief
+ * The statistics channels built-in the name server.
+ */
+
+#include <isccc/types.h>
+
+#include <isccfg/aclconf.h>
+
+#include <named/types.h>
+
+#define NS_STATSCHANNEL_HTTPPORT		80
+
+isc_result_t
+ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
+			   cfg_aclconfctx_t *aclconfctx);
+/*%<
+ * [Re]configure the statistics channels.
+ *
+ * If it is no longer there but was previously configured, destroy
+ * it here.
+ *
+ * If the IP address or port has changed, destroy the old server
+ * and create a new one.
+ */
+
+
+void
+ns_statschannels_shutdown(ns_server_t *server);
+/*%<
+ * Initiate shutdown of all the statistics channel listeners.
+ */
+
+isc_result_t
+ns_stats_dump(ns_server_t *server, FILE *fp);
+/*%<
+ * Dump statistics counters managed by the server to the file fp.
+ */
+
+#endif	/* NAMED_STATSCHANNEL_H */
diff --git a/bin/named/include/named/tkeyconf.h b/bin/named/include/named/tkeyconf.h
index 946944d..02bd718 100644
--- a/bin/named/include/named/tkeyconf.h
+++ b/bin/named/include/named/tkeyconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NS_TKEYCONF_H
 #define NS_TKEYCONF_H 1
diff --git a/bin/named/include/named/tsigconf.h b/bin/named/include/named/tsigconf.h
index a18eede..49ad82a 100644
--- a/bin/named/include/named/tsigconf.h
+++ b/bin/named/include/named/tsigconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.h,v 1.10.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tsigconf.h,v 1.16 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NS_TSIGCONF_H
 #define NS_TSIGCONF_H 1
diff --git a/bin/named/include/named/types.h b/bin/named/include/named/types.h
index abc25d5..eb25520 100644
--- a/bin/named/include/named/types.h
+++ b/bin/named/include/named/types.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.21.18.2 2005/04/29 00:15:38 marka Exp $ */
+/* $Id: types.h,v 1.29 2008/01/17 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_TYPES_H
 #define NAMED_TYPES_H 1
@@ -28,6 +28,8 @@ typedef struct ns_client		ns_client_t;
 typedef struct ns_clientmgr		ns_clientmgr_t;
 typedef struct ns_query			ns_query_t;
 typedef struct ns_server 		ns_server_t;
+typedef struct ns_xmld			ns_xmld_t;
+typedef struct ns_xmldmgr		ns_xmldmgr_t;
 typedef struct ns_interface 		ns_interface_t;
 typedef struct ns_interfacemgr		ns_interfacemgr_t;
 typedef struct ns_lwresd		ns_lwresd_t;
@@ -39,5 +41,6 @@ typedef struct ns_lwsearchctx		ns_lwsearchctx_t;
 typedef struct ns_controls		ns_controls_t;
 typedef struct ns_dispatch		ns_dispatch_t;
 typedef ISC_LIST(ns_dispatch_t)		ns_dispatchlist_t;
-
+typedef struct ns_statschannel		ns_statschannel_t;
+typedef ISC_LIST(ns_statschannel_t)	ns_statschannellist_t;
 #endif /* NAMED_TYPES_H */
diff --git a/bin/named/include/named/update.h b/bin/named/include/named/update.h
index 37daa95..a34570c 100644
--- a/bin/named/include/named/update.h
+++ b/bin/named/include/named/update.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.h,v 1.9.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: update.h,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_UPDATE_H
 #define NAMED_UPDATE_H 1
diff --git a/bin/named/include/named/xfrout.h b/bin/named/include/named/xfrout.h
index 82e0e66..4bb79a3 100644
--- a/bin/named/include/named/xfrout.h
+++ b/bin/named/include/named/xfrout.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.h,v 1.8.18.2 2005/04/29 00:15:39 marka Exp $ */
+/* $Id: xfrout.h,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NAMED_XFROUT_H
 #define NAMED_XFROUT_H 1
diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h
index 61737a2..b973013 100644
--- a/bin/named/include/named/zoneconf.h
+++ b/bin/named/include/named/zoneconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.h,v 1.19.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: zoneconf.h,v 1.26 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef NS_ZONECONF_H
 #define NS_ZONECONF_H 1
diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c
index 08d33d9..46eb96e 100644
--- a/bin/named/interfacemgr.c
+++ b/bin/named/interfacemgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfacemgr.c,v 1.76.18.11 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: interfacemgr.c,v 1.93.70.2 2009/01/18 23:47:34 tbox Exp $ */
 
 /*! \file */
 
@@ -304,6 +304,7 @@ ns_interface_accepttcp(ns_interface_t *ifp) {
 				 isc_result_totext(result));
 		goto tcp_socket_failure;
 	}
+	isc_socket_setname(ifp->tcpsocket, "dispatcher", NULL);
 #ifndef ISC_ALLOW_MAPPED
 	isc_socket_ipv6only(ifp->tcpsocket, ISC_TRUE);
 #endif
@@ -483,7 +484,7 @@ static isc_result_t
 clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
 	dns_acl_t *newacl = NULL;
 	isc_result_t result;
-	result = dns_acl_create(mctx, 10, &newacl);
+	result = dns_acl_create(mctx, 0, &newacl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	dns_acl_detach(aclp);
@@ -494,36 +495,31 @@ clearacl(isc_mem_t *mctx, dns_acl_t **aclp) {
 
 static isc_boolean_t
 listenon_is_ip6_any(ns_listenelt_t *elt) {
-	if (elt->acl->length != 1)
-		return (ISC_FALSE);
-	if (elt->acl->elements[0].negative == ISC_FALSE &&
-	    elt->acl->elements[0].type == dns_aclelementtype_any)
-		return (ISC_TRUE);  /* listen-on-v6 { any; } */
-	return (ISC_FALSE); /* All others */
+	REQUIRE(elt && elt->acl);
+	return dns_acl_isany(elt->acl);
 }
 
 static isc_result_t
 setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
 	isc_result_t result;
-	dns_aclelement_t elt;
-	unsigned int family;
 	unsigned int prefixlen;
+	isc_netaddr_t *netaddr;
 
-	family = interface->address.family;
+	netaddr = &interface->address;
 
-	elt.type = dns_aclelementtype_ipprefix;
-	elt.negative = ISC_FALSE;
-	elt.u.ip_prefix.address = interface->address;
-	elt.u.ip_prefix.prefixlen = (family == AF_INET) ? 32 : 128;
-	result = dns_acl_appendelement(mgr->aclenv.localhost, &elt);
+	/* First add localhost address */
+	prefixlen = (netaddr->family == AF_INET) ? 32 : 128;
+	result = dns_iptable_addprefix(mgr->aclenv.localhost->iptable,
+				       netaddr, prefixlen, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	/* Then add localnets prefix */
 	result = isc_netaddr_masktoprefixlen(&interface->netmask,
 					     &prefixlen);
 
-	/* Non contigious netmasks not allowed by IPv6 arch. */
-	if (result != ISC_R_SUCCESS && family == AF_INET6)
+	/* Non contiguous netmasks not allowed by IPv6 arch. */
+	if (result != ISC_R_SUCCESS && netaddr->family == AF_INET6)
 		return (result);
 
 	if (result != ISC_R_SUCCESS) {
@@ -533,17 +529,14 @@ setup_locals(ns_interfacemgr_t *mgr, isc_interface_t *interface) {
 			      "localnets ACL: %s",
 			      interface->name,
 			      isc_result_totext(result));
-	} else {
-		elt.u.ip_prefix.prefixlen = prefixlen;
-		if (dns_acl_elementmatch(mgr->aclenv.localnets, &elt,
-					 NULL) == ISC_R_NOTFOUND) {
-			result = dns_acl_appendelement(mgr->aclenv.localnets,
-						       &elt);
-			if (result != ISC_R_SUCCESS)
-				return (result);
-		}
+		return (ISC_R_SUCCESS);
 	}
 
+	result = dns_iptable_addprefix(mgr->aclenv.localnets->iptable,
+				       netaddr, prefixlen, ISC_TRUE);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -803,7 +796,9 @@ do_scan(ns_interfacemgr_t *mgr, ns_listenlist_t *ext_listen,
 					(void)dns_acl_match(&listen_netaddr,
 							    NULL, ele->acl,
 							    NULL, &match, NULL);
-					if (match > 0 && ele->port == le->port)
+					if (match > 0 &&
+					    (ele->port == le->port ||
+					    ele->port == 0))
 						break;
 					else
 						match = 0;
diff --git a/bin/named/listenlist.c b/bin/named/listenlist.c
index 7e70ac9..513fe9c 100644
--- a/bin/named/listenlist.c
+++ b/bin/named/listenlist.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: listenlist.c,v 1.10.18.2 2005/04/29 00:15:22 marka Exp $ */
+/* $Id: listenlist.c,v 1.14 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/log.c b/bin/named/log.c
index af75bab..359ab9f 100644
--- a/bin/named/log.c
+++ b/bin/named/log.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.37.18.6 2006/06/09 00:54:08 marka Exp $ */
+/* $Id: log.c,v 1.46.334.3 2009/01/07 01:50:14 jinmei Exp $ */
 
 /*! \file */
 
@@ -33,7 +33,7 @@
 
 /*%
  * When adding a new category, be sure to add the appropriate
- * #define to <named/log.h> and to update the list in
+ * \#define to <named/log.h> and to update the list in
  * bin/check/check-tool.c.
  */
 static isc_logcategory_t categories[] = {
@@ -44,12 +44,13 @@ static isc_logcategory_t categories[] = {
 	{ "queries",	 		0 },
 	{ "unmatched",	 		0 },
 	{ "update-security",		0 },
+	{ "query-errors",		0 },
 	{ NULL, 			0 }
 };
 
 /*%
  * When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
  */
 static isc_logmodule_t modules[] = {
 	{ "main",	 		0 },
@@ -120,7 +121,7 @@ ns_log_setdefaultchannels(isc_logconfig_t *lcfg) {
 	/*
 	 * By default, the logging library makes "default_debug" log to
 	 * stderr.  In BIND, we want to override this and log to named.run
-	 * instead, unless the the -g option was given.
+	 * instead, unless the -g option was given.
 	 */
 	if (! ns_g_logstderr) {
 		destination.file.stream = NULL;
diff --git a/bin/named/logconf.c b/bin/named/logconf.c
index ce815f4..e324965 100644
--- a/bin/named/logconf.c
+++ b/bin/named/logconf.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: logconf.c,v 1.35.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: logconf.c,v 1.42 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwaddr.c b/bin/named/lwaddr.c
index 02e8f4d..ed7880a 100644
--- a/bin/named/lwaddr.c
+++ b/bin/named/lwaddr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwaddr.c,v 1.4.18.4 2008/01/11 23:45:59 tbox Exp $ */
+/* $Id: lwaddr.c,v 1.10 2008/01/11 23:46:56 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdclient.c b/bin/named/lwdclient.c
index 68069ed..a843134 100644
--- a/bin/named/lwdclient.c
+++ b/bin/named/lwdclient.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdclient.c,v 1.17.18.2 2005/04/29 00:15:23 marka Exp $ */
+/* $Id: lwdclient.c,v 1.22 2007/06/18 23:47:18 tbox Exp $ */
 
 /*! \file */
 
@@ -102,6 +102,7 @@ ns_lwdclientmgr_create(ns_lwreslistener_t *listener, unsigned int nclients,
 	result = isc_task_create(taskmgr, 0, &cm->task);
 	if (result != ISC_R_SUCCESS)
 		goto errout;
+	isc_task_setname(cm->task, "lwdclient", NULL);
 
 	/*
 	 * This MUST be last, since there is no way to cancel an onshutdown...
diff --git a/bin/named/lwderror.c b/bin/named/lwderror.c
index db25824..33f247a 100644
--- a/bin/named/lwderror.c
+++ b/bin/named/lwderror.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwderror.c,v 1.8.18.2 2005/04/29 00:15:24 marka Exp $ */
+/* $Id: lwderror.c,v 1.12 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdgabn.c b/bin/named/lwdgabn.c
index 454d4df..dec1e1a 100644
--- a/bin/named/lwdgabn.c
+++ b/bin/named/lwdgabn.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgabn.c,v 1.15.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: lwdgabn.c,v 1.22 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdgnba.c b/bin/named/lwdgnba.c
index a54d443..dfc2ad6 100644
--- a/bin/named/lwdgnba.c
+++ b/bin/named/lwdgnba.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgnba.c,v 1.16.18.4 2008/01/14 23:45:59 tbox Exp $ */
+/* $Id: lwdgnba.c,v 1.22 2008/01/14 23:46:56 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdgrbn.c b/bin/named/lwdgrbn.c
index c1b2b1e..b54e83d 100644
--- a/bin/named/lwdgrbn.c
+++ b/bin/named/lwdgrbn.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdgrbn.c,v 1.13.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: lwdgrbn.c,v 1.20 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwdnoop.c b/bin/named/lwdnoop.c
index 69cc957..14d8e0c 100644
--- a/bin/named/lwdnoop.c
+++ b/bin/named/lwdnoop.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwdnoop.c,v 1.7.18.4 2008/01/22 23:27:05 tbox Exp $ */
+/* $Id: lwdnoop.c,v 1.13 2008/01/22 23:28:04 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/lwresd.8 b/bin/named/lwresd.8
index 827edcd..c0862aa 100644
--- a/bin/named/lwresd.8
+++ b/bin/named/lwresd.8
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000, 2001 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwresd.8,v 1.15.18.13 2008/10/17 01:29:23 tbox Exp $
+.\" $Id: lwresd.8,v 1.29.14.1 2009/01/23 01:53:33 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -42,7 +42,7 @@ is the daemon providing name lookup services to clients that use the BIND 9 ligh
 \fBlwresd\fR
 listens for resolver queries on a UDP port on the IPv4 loopback interface, 127.0.0.1. This means that
 \fBlwresd\fR
-can only be used by processes running on the local machine. By default UDP port number 921 is used for lightweight resolver requests and responses.
+can only be used by processes running on the local machine. By default, UDP port number 921 is used for lightweight resolver requests and responses.
 .PP
 Incoming lightweight resolver requests are decoded by the server which then resolves them using the DNS protocol. When the DNS lookup completes,
 \fBlwresd\fR
@@ -125,7 +125,7 @@ Run the server in the foreground and force all logging to
 Use
 \fIpid\-file\fR
 as the PID file instead of the default,
-\fI/var/run/lwresd.pid\fR.
+\fI/var/run/lwresd/lwresd.pid\fR.
 .RE
 .PP
 \-m \fIflag\fR
@@ -217,7 +217,7 @@ The default process\-id file.
 .PP
 Internet Systems Consortium
 .SH "COPYRIGHT"
-Copyright \(co 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004, 2005, 2007\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000, 2001 Internet Software Consortium.
 .br
diff --git a/bin/named/lwresd.c b/bin/named/lwresd.c
index 8a89b1c..4e245fd 100644
--- a/bin/named/lwresd.c
+++ b/bin/named/lwresd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresd.c,v 1.46.18.10 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: lwresd.c,v 1.58 2008/07/23 23:27:54 marka Exp $ */
 
 /*! \file
  * \brief
diff --git a/bin/named/lwresd.docbook b/bin/named/lwresd.docbook
index 6dd2c40..8d9985a 100644
--- a/bin/named/lwresd.docbook
+++ b/bin/named/lwresd.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwresd.docbook,v 1.7.18.10 2008/10/16 23:46:00 tbox Exp $ -->
+<!-- $Id: lwresd.docbook,v 1.18.14.2 2009/01/22 23:47:05 tbox Exp $ -->
 <refentry>
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -41,6 +41,7 @@
       <year>2005</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -87,7 +88,7 @@
       listens for resolver queries on a
       UDP port on the IPv4 loopback interface, 127.0.0.1.  This
       means that <command>lwresd</command> can only be used by
-      processes running on the local machine.  By default UDP port
+      processes running on the local machine.  By default, UDP port
       number 921 is used for lightweight resolver requests and
       responses.
     </para>
@@ -199,7 +200,7 @@
           <para>
             Use <replaceable class="parameter">pid-file</replaceable> as the
             PID file instead of the default,
-            <filename>/var/run/lwresd.pid</filename>.
+            <filename>/var/run/lwresd/lwresd.pid</filename>.
           </para>
         </listitem>
       </varlistentry>
diff --git a/bin/named/lwresd.html b/bin/named/lwresd.html
index 463e6b0..4c2b059 100644
--- a/bin/named/lwresd.html
+++ b/bin/named/lwresd.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000, 2001 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwresd.html,v 1.5.18.19 2008/10/17 01:29:23 tbox Exp $ -->
+<!-- $Id: lwresd.html,v 1.25.14.1 2009/01/23 01:53:33 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -32,7 +32,7 @@
 <div class="cmdsynopsis"><p><code class="command">lwresd</code>  [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-C <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-i <em class="replaceable"><code>pid-file</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-P <em class="replaceable"><code>port</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-4</code>] [<code class="option">-6</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543467"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">lwresd</strong></span>
       is the daemon providing name lookup
       services to clients that use the BIND 9 lightweight resolver
@@ -44,7 +44,7 @@
       listens for resolver queries on a
       UDP port on the IPv4 loopback interface, 127.0.0.1.  This
       means that <span><strong class="command">lwresd</strong></span> can only be used by
-      processes running on the local machine.  By default UDP port
+      processes running on the local machine.  By default, UDP port
       number 921 is used for lightweight resolver requests and
       responses.
     </p>
@@ -67,7 +67,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543511"></a><h2>OPTIONS</h2>
+<a name="id2543514"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -115,7 +115,7 @@
 <dd><p>
             Use <em class="replaceable"><code>pid-file</code></em> as the
             PID file instead of the default,
-            <code class="filename">/var/run/lwresd.pid</code>.
+            <code class="filename">/var/run/lwresd/lwresd.pid</code>.
           </p></dd>
 <dt><span class="term">-m <em class="replaceable"><code>flag</code></em></span></dt>
 <dd><p>
@@ -197,7 +197,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543928"></a><h2>FILES</h2>
+<a name="id2543931"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -210,14 +210,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543968"></a><h2>SEE ALSO</h2>
+<a name="id2543971"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">lwres</span>(3)</span>,
       <span class="citerefentry"><span class="refentrytitle">resolver</span>(5)</span>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544002"></a><h2>AUTHOR</h2>
+<a name="id2544005"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/named/lwsearch.c b/bin/named/lwsearch.c
index 4a61f96..6754c98 100644
--- a/bin/named/lwsearch.c
+++ b/bin/named/lwsearch.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwsearch.c,v 1.8.18.3 2005/07/12 01:22:17 marka Exp $ */
+/* $Id: lwsearch.c,v 1.13 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/main.c b/bin/named/main.c
index d8b0a33..f97ab45 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.136.18.21 2008/10/24 01:28:08 marka Exp $ */
+/* $Id: main.c,v 1.166.34.3 2009/04/03 20:18:59 marka Exp $ */
 
 /*! \file */
 
@@ -139,7 +139,7 @@ assertion_failed(const char *file, int line, isc_assertiontype_t type,
 
 	if (ns_g_lctx != NULL) {
 		/*
-		 * Reset the assetion callback in case it is the log
+		 * Reset the assertion callback in case it is the log
 		 * routines causing the assertion.
 		 */
 		isc_assertion_setcallback(NULL);
@@ -359,7 +359,7 @@ parse_command_line(int argc, char *argv[]) {
 	isc_commandline_errprint = ISC_FALSE;
 	while ((ch = isc_commandline_parse(argc, argv,
 					   "46c:C:d:fgi:lm:n:N:p:P:"
-					   "sS:t:u:vx:")) != -1) {
+					   "sS:t:T:u:vVx:")) != -1) {
 		switch (ch) {
 		case '4':
 			if (disable4)
@@ -446,14 +446,31 @@ parse_command_line(int argc, char *argv[]) {
 			/* XXXJAB should we make a copy? */
 			ns_g_chrootdir = isc_commandline_argument;
 			break;
+		case 'T':
+			/*
+			 * clienttest: make clients single shot with their
+			 * 	       own memory context.
+			 */
+			if (strcmp(isc_commandline_argument, "clienttest") == 0)
+				ns_g_clienttest = ISC_TRUE;
+			else
+				fprintf(stderr, "unknown -T flag '%s\n",
+					isc_commandline_argument);
+			break;
 		case 'u':
 			ns_g_username = isc_commandline_argument;
 			break;
 		case 'v':
 			printf("BIND %s\n", ns_g_version);
 			exit(0);
+		case 'V':
+			printf("BIND %s built with %s\n", ns_g_version,
+				ns_g_configargs);
+			exit(0);
 		case '?':
 			usage();
+			if (isc_commandline_option == '?')
+				exit(0);
 			ns_main_earlyfatal("unknown option '-%c'",
 					   isc_commandline_option);
 		default:
@@ -661,6 +678,9 @@ setup(void) {
 		      ISC_LOG_NOTICE, "starting BIND %s%s", ns_g_version,
 		      saved_command_line);
 
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_MAIN,
+		      ISC_LOG_NOTICE, "built with %s", ns_g_configargs);
+
 	/*
 	 * Get the initial resource limits.
 	 */
@@ -705,6 +725,14 @@ setup(void) {
 		ns_g_conffile = absolute_conffile;
 	}
 
+	/*
+	 * Record the server's startup time.
+	 */
+	result = isc_time_now(&ns_g_boottime);
+	if (result != ISC_R_SUCCESS)
+		ns_main_earlyfatal("isc_time_now() failed: %s",
+				   isc_result_totext(result));
+
 	result = create_managers();
 	if (result != ISC_R_SUCCESS)
 		ns_main_earlyfatal("create_managers() failed: %s",
@@ -719,7 +747,7 @@ setup(void) {
 
 #ifdef DLZ
 	/*
-	 * Registyer any DLZ drivers.
+	 * Register any DLZ drivers.
 	 */
 	result = dlz_drivers_init();
 	if (result != ISC_R_SUCCESS)
@@ -851,10 +879,10 @@ main(int argc, char *argv[]) {
 	 * strings named.core | grep "named version:"
 	 */
 	strlcat(version,
-#ifdef __DATE__
-		"named version: BIND " VERSION " (" __DATE__ ")",
-#else
+#if defined(NO_VERSION_DATE) || !defined(__DATE__)
 		"named version: BIND " VERSION,
+#else
+		"named version: BIND " VERSION " (" __DATE__ ")",
 #endif
 		sizeof(version));
 	result = isc_file_progname(*argv, program_name, sizeof(program_name));
@@ -892,6 +920,7 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		ns_main_earlyfatal("isc_mem_create() failed: %s",
 				   isc_result_totext(result));
+	isc_mem_setname(ns_g_mctx, "main", NULL);
 
 	setup();
 
@@ -937,7 +966,8 @@ main(int argc, char *argv[]) {
 		isc_mem_stats(ns_g_mctx, stdout);
 		isc_mutex_stats(stdout);
 	}
-	if (memstats != NULL) {
+
+	if (ns_g_memstatistics && memstats != NULL) {
 		FILE *fp = NULL;
 		result = isc_stdio_open(memstats, "w", &fp);
 		if (result == ISC_R_SUCCESS) {
diff --git a/bin/named/named.8 b/bin/named/named.8
index 9487dac..3408403 100644
--- a/bin/named/named.8
+++ b/bin/named/named.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.8,v 1.20.18.16 2008/09/01 02:29:00 tbox Exp $
+.\" $Id: named.8,v 1.38 2008/11/07 01:11:19 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 named \- Internet domain name server
 .SH "SYNOPSIS"
 .HP 6
-\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
+\fBnamed\fR [\fB\-4\fR] [\fB\-6\fR] [\fB\-c\ \fR\fB\fIconfig\-file\fR\fR] [\fB\-d\ \fR\fB\fIdebug\-level\fR\fR] [\fB\-f\fR] [\fB\-g\fR] [\fB\-m\ \fR\fB\fIflag\fR\fR] [\fB\-n\ \fR\fB\fI#cpus\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-s\fR] [\fB\-S\ \fR\fB\fI#max\-socks\fR\fR] [\fB\-t\ \fR\fB\fIdirectory\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR] [\fB\-v\fR] [\fB\-V\fR] [\fB\-x\ \fR\fB\fIcache\-file\fR\fR]
 .SH "DESCRIPTION"
 .PP
 \fBnamed\fR
@@ -186,6 +186,11 @@ is run on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since previou
 Report the version number and exit.
 .RE
 .PP
+\-V
+.RS 4
+Report the version number and build options, and exit.
+.RE
+.PP
 \-x \fIcache\-file\fR
 .RS 4
 Load data from
@@ -226,7 +231,7 @@ BIND 9 Administrator Reference Manual.
 The default configuration file.
 .RE
 .PP
-\fI/var/run/named.pid\fR
+\fI/var/run/named/named.pid\fR
 .RS 4
 The default process\-id file.
 .RE
diff --git a/bin/named/named.conf.5 b/bin/named/named.conf.5
index a2ccbe0..039c795 100644
--- a/bin/named/named.conf.5
+++ b/bin/named/named.conf.5
@@ -12,7 +12,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: named.conf.5,v 1.1.2.27 2008/09/05 01:32:08 tbox Exp $
+.\" $Id: named.conf.5,v 1.36 2008/09/25 04:45:04 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -193,6 +193,7 @@ options {
 	use\-ixfr \fIboolean\fR;
 	version ( \fIquoted_string\fR | none );
 	allow\-recursion { \fIaddress_match_element\fR; ... };
+	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
 	sortlist { \fIaddress_match_element\fR; ... };
 	topology { \fIaddress_match_element\fR; ... }; // not implemented
 	auth\-nxdomain \fIboolean\fR; // default changed
@@ -209,14 +210,17 @@ options {
 	additional\-from\-cache \fIboolean\fR;
 	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	use\-queryport\-pool \fIboolean\fR;
+	queryport\-pool\-ports \fIinteger\fR;
+	queryport\-pool\-updateinterval \fIinteger\fR;
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
 	max\-ncache\-ttl \fIinteger\fR;
 	max\-cache\-ttl \fIinteger\fR;
 	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize_no_default\fR;
-	max\-acache\-size \fIsize_no_default\fR;
+	max\-cache\-size \fIsize\fR;
+	max\-acache\-size \fIsize\fR;
 	clients\-per\-query \fInumber\fR;
 	max\-clients\-per\-query \fInumber\fR;
 	check\-names ( master | slave | response )
@@ -249,7 +253,9 @@ options {
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
+	allow\-query\-on { \fIaddress_match_element\fR; ... };
 	allow\-query\-cache { \fIaddress_match_element\fR; ... };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -259,6 +265,7 @@ options {
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-delay \fIseconds\fR;
+	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -277,6 +284,10 @@ options {
 	min\-refresh\-time \fIinteger\fR;
 	multi\-master \fIboolean\fR;
 	sig\-validity\-interval \fIinteger\fR;
+	sig\-re\-signing\-interval \fIinteger\fR;
+	sig\-signing\-nodes \fIinteger\fR;
+	sig\-signing\-signatures \fIinteger\fR;
+	sig\-signing\-type \fIinteger\fR;
 	transfer\-source ( \fIipv4_address\fR | * )
 		[ port ( \fIinteger\fR | * ) ];
 	transfer\-source\-v6 ( \fIipv6_address\fR | * )
@@ -288,8 +299,10 @@ options {
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
+	nsec3\-test\-zone \fIboolean\fR;  // testing only
 	allow\-v6\-synthesis { \fIaddress_match_element\fR; ... }; // obsolete
 	deallocate\-on\-exit \fIboolean\fR; // obsolete
 	fake\-iquery \fIboolean\fR; // obsolete
@@ -327,6 +340,7 @@ view \fIstring\fR \fIoptional_class\fR {
 		\fIstring\fR \fIinteger\fR \fIinteger\fR \fIinteger\fR \fIquoted_string\fR; ...
 	};
 	allow\-recursion { \fIaddress_match_element\fR; ... };
+	allow\-recursion\-on { \fIaddress_match_element\fR; ... };
 	sortlist { \fIaddress_match_element\fR; ... };
 	topology { \fIaddress_match_element\fR; ... }; // not implemented
 	auth\-nxdomain \fIboolean\fR; // default changed
@@ -343,14 +357,17 @@ view \fIstring\fR \fIoptional_class\fR {
 	additional\-from\-cache \fIboolean\fR;
 	query\-source ( ( \fIipv4_address\fR | * ) | [ address ( \fIipv4_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
 	query\-source\-v6 ( ( \fIipv6_address\fR | * ) | [ address ( \fIipv6_address\fR | * ) ] ) [ port ( \fIinteger\fR | * ) ];
+	use\-queryport\-pool \fIboolean\fR;
+	queryport\-pool\-ports \fIinteger\fR;
+	queryport\-pool\-updateinterval \fIinteger\fR;
 	cleaning\-interval \fIinteger\fR;
 	min\-roots \fIinteger\fR; // not implemented
 	lame\-ttl \fIinteger\fR;
 	max\-ncache\-ttl \fIinteger\fR;
 	max\-cache\-ttl \fIinteger\fR;
 	transfer\-format ( many\-answers | one\-answer );
-	max\-cache\-size \fIsize_no_default\fR;
-	max\-acache\-size \fIsize_no_default\fR;
+	max\-cache\-size \fIsize\fR;
+	max\-acache\-size \fIsize\fR;
 	clients\-per\-query \fInumber\fR;
 	max\-clients\-per\-query \fInumber\fR;
 	check\-names ( master | slave | response )
@@ -383,7 +400,9 @@ view \fIstring\fR \fIoptional_class\fR {
 	dialup \fIdialuptype\fR;
 	ixfr\-from\-differences \fIixfrdiff\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
+	allow\-query\-on { \fIaddress_match_element\fR; ... };
 	allow\-query\-cache { \fIaddress_match_element\fR; ... };
+	allow\-query\-cache\-on { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
@@ -393,6 +412,7 @@ view \fIstring\fR \fIoptional_class\fR {
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-delay \fIseconds\fR;
+	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -421,6 +441,7 @@ view \fIstring\fR \fIoptional_class\fR {
 		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	zero\-no\-soa\-ttl\-cache \fIboolean\fR;
@@ -456,12 +477,15 @@ zone \fIstring\fR \fIoptional_class\fR {
 	journal \fIquoted_string\fR;
 	zero\-no\-soa\-ttl \fIboolean\fR;
 	allow\-query { \fIaddress_match_element\fR; ... };
+	allow\-query\-on { \fIaddress_match_element\fR; ... };
 	allow\-transfer { \fIaddress_match_element\fR; ... };
 	allow\-update { \fIaddress_match_element\fR; ... };
 	allow\-update\-forwarding { \fIaddress_match_element\fR; ... };
 	update\-policy {
 		( grant | deny ) \fIstring\fR
-		( name | subdomain | wildcard | self ) \fIstring\fR
+		( name | subdomain | wildcard | self | selfsub | selfwild |
+                  krb5\-self | ms\-self | krb5\-subdomain | ms\-subdomain |
+		  tcp\-self | 6to4\-self ) \fIstring\fR
 		\fIrrtypelist\fR; ...
 	};
 	update\-check\-ksk \fIboolean\fR;
@@ -470,6 +494,7 @@ zone \fIstring\fR \fIoptional_class\fR {
 	notify\-source ( \fIipv4_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-source\-v6 ( \fIipv6_address\fR | * ) [ port ( \fIinteger\fR | * ) ];
 	notify\-delay \fIseconds\fR;
+	notify\-to\-soa \fIboolean\fR;
 	also\-notify [ port \fIinteger\fR ] { ( \fIipv4_address\fR | \fIipv6_address\fR )
 		[ port \fIinteger\fR ]; ... };
 	allow\-notify { \fIaddress_match_element\fR; ... };
@@ -498,7 +523,9 @@ zone \fIstring\fR \fIoptional_class\fR {
 		[ port ( \fIinteger\fR | * ) ];
 	use\-alt\-transfer\-source \fIboolean\fR;
 	zone\-statistics \fIboolean\fR;
+	try\-tcp\-refresh \fIboolean\fR;
 	key\-directory \fIquoted_string\fR;
+	nsec3\-test\-zone \fIboolean\fR;  // testing only
 	ixfr\-base \fIquoted_string\fR; // obsolete
 	ixfr\-tmp\-file \fIquoted_string\fR; // obsolete
 	maintain\-ixfr\-base \fIboolean\fR; // obsolete
diff --git a/bin/named/named.conf.docbook b/bin/named/named.conf.docbook
index 32aa537..a4a8044 100644
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.1.2.31 2008/09/04 23:46:08 tbox Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.39 2008/09/24 02:46:21 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -221,6 +221,7 @@ options {
 	use-ixfr <replaceable>boolean</replaceable>;
 	version ( <replaceable>quoted_string</replaceable> | none );
 	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
 	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -237,14 +238,17 @@ options {
 	additional-from-cache <replaceable>boolean</replaceable>;
 	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	use-queryport-pool <replaceable>boolean</replaceable>;
+	queryport-pool-ports <replaceable>integer</replaceable>;
+	queryport-pool-updateinterval <replaceable>integer</replaceable>;
 	cleaning-interval <replaceable>integer</replaceable>;
 	min-roots <replaceable>integer</replaceable>; // not implemented
 	lame-ttl <replaceable>integer</replaceable>;
 	max-ncache-ttl <replaceable>integer</replaceable>;
 	max-cache-ttl <replaceable>integer</replaceable>;
 	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size_no_default</replaceable>;
-	max-acache-size <replaceable>size_no_default</replaceable>;
+	max-cache-size <replaceable>size</replaceable>;
+	max-acache-size <replaceable>size</replaceable>;
 	clients-per-query <replaceable>number</replaceable>;
 	max-clients-per-query <replaceable>number</replaceable>;
 	check-names ( master | slave | response )
@@ -280,7 +284,9 @@ options {
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -291,6 +297,7 @@ options {
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-delay <replaceable>seconds</replaceable>;
+	notify-to-soa <replaceable>boolean</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -310,7 +317,12 @@ options {
 	max-refresh-time <replaceable>integer</replaceable>;
 	min-refresh-time <replaceable>integer</replaceable>;
 	multi-master <replaceable>boolean</replaceable>;
+
 	sig-validity-interval <replaceable>integer</replaceable>;
+	sig-re-signing-interval <replaceable>integer</replaceable>;
+	sig-signing-nodes <replaceable>integer</replaceable>;
+	sig-signing-signatures <replaceable>integer</replaceable>;
+	sig-signing-type <replaceable>integer</replaceable>;
 
 	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
@@ -325,9 +337,12 @@ options {
 
 	zone-statistics <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
+	try-tcp-refresh <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
 
+	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only
+
 	allow-v6-synthesis { <replaceable>address_match_element</replaceable>; ... }; // obsolete
 	deallocate-on-exit <replaceable>boolean</replaceable>; // obsolete
 	fake-iquery <replaceable>boolean</replaceable>; // obsolete
@@ -370,6 +385,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	};
 
 	allow-recursion { <replaceable>address_match_element</replaceable>; ... };
+	allow-recursion-on { <replaceable>address_match_element</replaceable>; ... };
 	sortlist { <replaceable>address_match_element</replaceable>; ... };
 	topology { <replaceable>address_match_element</replaceable>; ... }; // not implemented
 	auth-nxdomain <replaceable>boolean</replaceable>; // default changed
@@ -386,14 +402,17 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	additional-from-cache <replaceable>boolean</replaceable>;
 	query-source ( ( <replaceable>ipv4_address</replaceable> | * ) | <optional> address ( <replaceable>ipv4_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	query-source-v6 ( ( <replaceable>ipv6_address</replaceable> | * ) | <optional> address ( <replaceable>ipv6_address</replaceable> | * ) </optional> ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
+	use-queryport-pool <replaceable>boolean</replaceable>;
+	queryport-pool-ports <replaceable>integer</replaceable>;
+	queryport-pool-updateinterval <replaceable>integer</replaceable>;
 	cleaning-interval <replaceable>integer</replaceable>;
 	min-roots <replaceable>integer</replaceable>; // not implemented
 	lame-ttl <replaceable>integer</replaceable>;
 	max-ncache-ttl <replaceable>integer</replaceable>;
 	max-cache-ttl <replaceable>integer</replaceable>;
 	transfer-format ( many-answers | one-answer );
-	max-cache-size <replaceable>size_no_default</replaceable>;
-	max-acache-size <replaceable>size_no_default</replaceable>;
+	max-cache-size <replaceable>size</replaceable>;
+	max-acache-size <replaceable>size</replaceable>;
 	clients-per-query <replaceable>number</replaceable>;
 	max-clients-per-query <replaceable>number</replaceable>;
 	check-names ( master | slave | response )
@@ -429,7 +448,9 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	ixfr-from-differences <replaceable>ixfrdiff</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-query-cache { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-cache-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
@@ -440,6 +461,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-delay <replaceable>seconds</replaceable>;
+	notify-to-soa <replaceable>boolean</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -473,6 +495,7 @@ view <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 
 	zone-statistics <replaceable>boolean</replaceable>;
+	try-tcp-refresh <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 	zero-no-soa-ttl-cache <replaceable>boolean</replaceable>;
@@ -512,12 +535,15 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	zero-no-soa-ttl <replaceable>boolean</replaceable>;
 
 	allow-query { <replaceable>address_match_element</replaceable>; ... };
+	allow-query-on { <replaceable>address_match_element</replaceable>; ... };
 	allow-transfer { <replaceable>address_match_element</replaceable>; ... };
 	allow-update { <replaceable>address_match_element</replaceable>; ... };
 	allow-update-forwarding { <replaceable>address_match_element</replaceable>; ... };
 	update-policy {
 		( grant | deny ) <replaceable>string</replaceable>
-		( name | subdomain | wildcard | self ) <replaceable>string</replaceable>
+		( name | subdomain | wildcard | self | selfsub | selfwild |
+                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+		  tcp-self | 6to4-self ) <replaceable>string</replaceable>
 		<replaceable>rrtypelist</replaceable>; ...
 	};
 	update-check-ksk <replaceable>boolean</replaceable>;
@@ -527,6 +553,7 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	notify-source ( <replaceable>ipv4_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) <optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
 	notify-delay <replaceable>seconds</replaceable>;
+	notify-to-soa <replaceable>boolean</replaceable>;
 	also-notify <optional> port <replaceable>integer</replaceable> </optional> { ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> )
 		<optional> port <replaceable>integer</replaceable> </optional>; ... };
 	allow-notify { <replaceable>address_match_element</replaceable>; ... };
@@ -560,8 +587,11 @@ zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable>
 	use-alt-transfer-source <replaceable>boolean</replaceable>;
 
 	zone-statistics <replaceable>boolean</replaceable>;
+	try-tcp-refresh <replaceable>boolean</replaceable>;
 	key-directory <replaceable>quoted_string</replaceable>;
 
+	nsec3-test-zone <replaceable>boolean</replaceable>;  // testing only
+
 	ixfr-base <replaceable>quoted_string</replaceable>; // obsolete
 	ixfr-tmp-file <replaceable>quoted_string</replaceable>; // obsolete
 	maintain-ixfr-base <replaceable>boolean</replaceable>; // obsolete
diff --git a/bin/named/named.conf.html b/bin/named/named.conf.html
index f729988..7bbbd0a 100644
--- a/bin/named/named.conf.html
+++ b/bin/named/named.conf.html
@@ -13,7 +13,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.conf.html,v 1.1.2.36 2008/09/05 01:32:08 tbox Exp $ -->
+<!-- $Id: named.conf.html,v 1.45 2008/09/25 04:45:04 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -191,6 +191,7 @@ options {<br>
 	use-ixfr <em class="replaceable"><code>boolean</code></em>;<br>
 	version ( <em class="replaceable"><code>quoted_string</code></em> | none );<br>
 	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -207,14 +208,17 @@ options {<br>
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
+	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
 	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	check-names ( master | slave | response )<br>
@@ -250,7 +254,9 @@ options {<br>
 	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -261,6 +267,7 @@ options {<br>
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -280,7 +287,12 @@ options {<br>
 	max-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	min-refresh-time <em class="replaceable"><code>integer</code></em>;<br>
 	multi-master <em class="replaceable"><code>boolean</code></em>;<br>
+<br>
 	sig-validity-interval <em class="replaceable"><code>integer</code></em>;<br>
+	sig-re-signing-interval <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-nodes <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-signatures <em class="replaceable"><code>integer</code></em>;<br>
+	sig-signing-type <em class="replaceable"><code>integer</code></em>;<br>
 <br>
 	transfer-source ( <em class="replaceable"><code>ipv4_address</code></em> | * )<br>
 		[<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
@@ -295,9 +307,12 @@ options {<br>
 <br>
 	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
+	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
+<br>
 	allow-v6-synthesis { <em class="replaceable"><code>address_match_element</code></em>; ... }; // obsolete<br>
 	deallocate-on-exit <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
 	fake-iquery <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -314,7 +329,7 @@ options {<br>
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544407"></a><h2>VIEW</h2>
+<a name="id2544452"></a><h2>VIEW</h2>
 <div class="literallayout"><p><br>
 view <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	match-clients { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -339,6 +354,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	};<br>
 <br>
 	allow-recursion { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-recursion-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	sortlist { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	topology { <em class="replaceable"><code>address_match_element</code></em>; ... }; // not implemented<br>
 	auth-nxdomain <em class="replaceable"><code>boolean</code></em>; // default changed<br>
@@ -355,14 +371,17 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	additional-from-cache <em class="replaceable"><code>boolean</code></em>;<br>
 	query-source ( ( <em class="replaceable"><code>ipv4_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv4_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	query-source-v6 ( ( <em class="replaceable"><code>ipv6_address</code></em> | * ) | [<span class="optional"> address ( <em class="replaceable"><code>ipv6_address</code></em> | * ) </span>] ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
+	use-queryport-pool <em class="replaceable"><code>boolean</code></em>;<br>
+	queryport-pool-ports <em class="replaceable"><code>integer</code></em>;<br>
+	queryport-pool-updateinterval <em class="replaceable"><code>integer</code></em>;<br>
 	cleaning-interval <em class="replaceable"><code>integer</code></em>;<br>
 	min-roots <em class="replaceable"><code>integer</code></em>; // not implemented<br>
 	lame-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-ncache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	max-cache-ttl <em class="replaceable"><code>integer</code></em>;<br>
 	transfer-format ( many-answers | one-answer );<br>
-	max-cache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
-	max-acache-size <em class="replaceable"><code>size_no_default</code></em>;<br>
+	max-cache-size <em class="replaceable"><code>size</code></em>;<br>
+	max-acache-size <em class="replaceable"><code>size</code></em>;<br>
 	clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	max-clients-per-query <em class="replaceable"><code>number</code></em>;<br>
 	check-names ( master | slave | response )<br>
@@ -398,7 +417,9 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	ixfr-from-differences <em class="replaceable"><code>ixfrdiff</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-query-cache { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-cache-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -409,6 +430,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -442,6 +464,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 	zero-no-soa-ttl-cache <em class="replaceable"><code>boolean</code></em>;<br>
@@ -454,7 +477,7 @@ view <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544972"></a><h2>ZONE</h2>
+<a name="id2545113"></a><h2>ZONE</h2>
 <div class="literallayout"><p><br>
 zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>optional_class</code></em> {<br>
 	type ( master | slave | stub | hint |<br>
@@ -480,12 +503,15 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	zero-no-soa-ttl <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	allow-query { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
+	allow-query-on { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-transfer { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	allow-update-forwarding { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
 	update-policy {<br>
 		( grant | deny ) <em class="replaceable"><code>string</code></em><br>
-		( name | subdomain | wildcard | self ) <em class="replaceable"><code>string</code></em><br>
+		( name | subdomain | wildcard | self | selfsub | selfwild |<br>
+                  krb5-self | ms-self | krb5-subdomain | ms-subdomain |<br>
+		  tcp-self | 6to4-self ) <em class="replaceable"><code>string</code></em><br>
 		<em class="replaceable"><code>rrtypelist</code></em>; ...<br>
 	};<br>
 	update-check-ksk <em class="replaceable"><code>boolean</code></em>;<br>
@@ -495,6 +521,7 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	notify-source ( <em class="replaceable"><code>ipv4_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-source-v6 ( <em class="replaceable"><code>ipv6_address</code></em> | * ) [<span class="optional"> port ( <em class="replaceable"><code>integer</code></em> | * ) </span>];<br>
 	notify-delay <em class="replaceable"><code>seconds</code></em>;<br>
+	notify-to-soa <em class="replaceable"><code>boolean</code></em>;<br>
 	also-notify [<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>] { ( <em class="replaceable"><code>ipv4_address</code></em> | <em class="replaceable"><code>ipv6_address</code></em> )<br>
 		[<span class="optional"> port <em class="replaceable"><code>integer</code></em> </span>]; ... };<br>
 	allow-notify { <em class="replaceable"><code>address_match_element</code></em>; ... };<br>
@@ -528,8 +555,11 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 	use-alt-transfer-source <em class="replaceable"><code>boolean</code></em>;<br>
 <br>
 	zone-statistics <em class="replaceable"><code>boolean</code></em>;<br>
+	try-tcp-refresh <em class="replaceable"><code>boolean</code></em>;<br>
 	key-directory <em class="replaceable"><code>quoted_string</code></em>;<br>
 <br>
+	nsec3-test-zone <em class="replaceable"><code>boolean</code></em>;  // testing only<br>
+<br>
 	ixfr-base <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
 	ixfr-tmp-file <em class="replaceable"><code>quoted_string</code></em>; // obsolete<br>
 	maintain-ixfr-base <em class="replaceable"><code>boolean</code></em>; // obsolete<br>
@@ -539,12 +569,12 @@ zone <em class="replaceable"><code>string</code></em> <em class="replaceable"><c
 </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545325"></a><h2>FILES</h2>
+<a name="id2545410"></a><h2>FILES</h2>
 <p><code class="filename">/etc/named.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2545337"></a><h2>SEE ALSO</h2>
+<a name="id2545421"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
diff --git a/bin/named/named.docbook b/bin/named/named.docbook
index 15d554c..f47eae1 100644
--- a/bin/named/named.docbook
+++ b/bin/named/named.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.7.18.14 2008/08/21 23:46:01 tbox Exp $ -->
+<!-- $Id: named.docbook,v 1.23 2008/11/06 05:30:24 marka Exp $ -->
 <refentry id="man.named">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -69,6 +69,7 @@
       <arg><option>-t <replaceable class="parameter">directory</replaceable></option></arg>
       <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
       <arg><option>-v</option></arg>
+      <arg><option>-V</option></arg>
       <arg><option>-x <replaceable class="parameter">cache-file</replaceable></option></arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -300,6 +301,15 @@
       </varlistentry>
 
       <varlistentry>
+        <term>-V</term>
+        <listitem>
+          <para>
+            Report the version number and build options, and exit.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
         <term>-x <replaceable class="parameter">cache-file</replaceable></term>
         <listitem>
           <para>
@@ -381,7 +391,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><filename>/var/run/named.pid</filename></term>
+        <term><filename>/var/run/named/named.pid</filename></term>
         <listitem>
           <para>
             The default process-id file.
diff --git a/bin/named/named.html b/bin/named/named.html
index ed4f16a..23c9a7c 100644
--- a/bin/named/named.html
+++ b/bin/named/named.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: named.html,v 1.6.18.22 2008/09/01 02:29:00 tbox Exp $ -->
+<!-- $Id: named.html,v 1.30 2008/11/07 01:11:19 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -29,10 +29,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543464"></a><h2>DESCRIPTION</h2>
+<a name="id2543468"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -47,7 +47,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543489"></a><h2>OPTIONS</h2>
+<a name="id2543493"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -198,6 +198,10 @@
 <dd><p>
             Report the version number and exit.
           </p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+            Report the version number and build options, and exit.
+          </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
 <p>
@@ -216,7 +220,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543911"></a><h2>SIGNALS</h2>
+<a name="id2543928"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -237,7 +241,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543959"></a><h2>CONFIGURATION</h2>
+<a name="id2543976"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -246,20 +250,20 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543976"></a><h2>FILES</h2>
+<a name="id2543993"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
             The default configuration file.
           </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
+<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
 <dd><p>
             The default process-id file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544016"></a><h2>SEE ALSO</h2>
+<a name="id2544033"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -272,7 +276,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544086"></a><h2>AUTHOR</h2>
+<a name="id2544171"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/bin/named/notify.c b/bin/named/notify.c
index db2be71..de52b8c 100644
--- a/bin/named/notify.c
+++ b/bin/named/notify.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: notify.c,v 1.30.18.3 2005/04/29 00:15:26 marka Exp $ */
+/* $Id: notify.c,v 1.37 2007/06/19 23:46:59 tbox Exp $ */
 
 #include <config.h>
 
@@ -25,6 +25,7 @@
 #include <dns/message.h>
 #include <dns/rdataset.h>
 #include <dns/result.h>
+#include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
@@ -80,7 +81,7 @@ ns_notify_start(ns_client_t *client) {
 	dns_zone_t *zone = NULL;
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char tsigbuf[DNS_NAME_FORMATSIZE + sizeof(": TSIG ''")];
-	dns_name_t *tsigname;
+	dns_tsigkey_t *tsigkey;
 
 	/*
 	 * Interpret the question section.
@@ -119,10 +120,20 @@ ns_notify_start(ns_client_t *client) {
 		goto formerr;
 	}
 
-	tsigname = NULL;
-	if (dns_message_gettsig(request, &tsigname) != NULL) {
-		dns_name_format(tsigname, namebuf, sizeof(namebuf));
-		snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'", namebuf);
+	tsigkey = dns_message_gettsigkey(request);
+	if (tsigkey != NULL) {
+		dns_name_format(&tsigkey->name, namebuf, sizeof(namebuf));
+
+		if (tsigkey->generated) {
+			char cnamebuf[DNS_NAME_FORMATSIZE];
+			dns_name_format(tsigkey->creator, cnamebuf,
+					sizeof(cnamebuf));
+			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s' (%s)",
+				 namebuf, cnamebuf);
+		} else {
+			snprintf(tsigbuf, sizeof(tsigbuf), ": TSIG '%s'",
+				 namebuf);
+		}
 	} else
 		tsigbuf[0] = '\0';
 	dns_name_format(zonename, namebuf, sizeof(namebuf));
diff --git a/bin/named/query.c b/bin/named/query.c
index 5cafbc9..ffd9b35 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: query.c,v 1.257.18.46 2008/10/15 22:33:01 marka Exp $ */
+/* $Id: query.c,v 1.313.20.7 2009/03/13 01:38:51 marka Exp $ */
 
 /*! \file */
 
@@ -23,7 +23,9 @@
 
 #include <string.h>
 
+#include <isc/hex.h>
 #include <isc/mem.h>
+#include <isc/stats.h>
 #include <isc/util.h>
 
 #include <dns/adb.h>
@@ -36,6 +38,7 @@
 #include <dns/events.h>
 #include <dns/message.h>
 #include <dns/ncache.h>
+#include <dns/nsec3.h>
 #include <dns/order.h>
 #include <dns/rdata.h>
 #include <dns/rdataclass.h>
@@ -89,6 +92,10 @@
 #define SECURE(c)		(((c)->query.attributes & \
 				  NS_QUERYATTR_SECURE) != 0)
 
+/*% No QNAME Proof? */
+#define NOQNAME(r)		(((r)->attributes & \
+				  DNS_RDATASETATTR_NOQNAME) != 0)
+
 #if 0
 #define CTRACE(m)       isc_log_write(ns_g_lctx, \
 				      NS_LOGCATEGORY_CLIENT, \
@@ -114,68 +121,96 @@ typedef struct client_additionalctx {
 	dns_rdataset_t *rdataset;
 } client_additionalctx_t;
 
-static void
+static isc_result_t
 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype);
 
 static isc_boolean_t
 validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 	 dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset);
 
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+		       dns_dbversion_t *version, ns_client_t *client,
+		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		       dns_name_t *fname, isc_boolean_t exact,
+		       dns_name_t *found);
+
+static inline void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level);
+
 /*%
  * Increment query statistics counters.
  */
 static inline void
-inc_stats(ns_client_t *client, dns_statscounter_t counter) {
+inc_stats(ns_client_t *client, isc_statscounter_t counter) {
 	dns_zone_t *zone = client->query.authzone;
 
-	REQUIRE(counter < DNS_STATS_NCOUNTERS);
-
-	ns_g_server->querystats[counter]++;
+	isc_stats_increment(ns_g_server->nsstats, counter);
 
 	if (zone != NULL) {
-		isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
 		if (zonestats != NULL)
-			zonestats[counter]++;
+			isc_stats_increment(zonestats, counter);
 	}
 }
 
 static void
 query_send(ns_client_t *client) {
-	dns_statscounter_t counter;
+	isc_statscounter_t counter;
+	if ((client->message->flags & DNS_MESSAGEFLAG_AA) == 0)
+		inc_stats(client, dns_nsstatscounter_nonauthans);
+	else
+		inc_stats(client, dns_nsstatscounter_authans);
 	if (client->message->rcode == dns_rcode_noerror) {
 		if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER])) {
 			if (client->query.isreferral) {
-				counter = dns_statscounter_referral;
+				counter = dns_nsstatscounter_referral;
 			} else {
-				counter = dns_statscounter_nxrrset;
+				counter = dns_nsstatscounter_nxrrset;
 			}
 		} else {
-			counter = dns_statscounter_success;
+			counter = dns_nsstatscounter_success;
 		}
 	} else if (client->message->rcode == dns_rcode_nxdomain) {
-		counter = dns_statscounter_nxdomain;
+		counter = dns_nsstatscounter_nxdomain;
 	} else {
 		/* We end up here in case of YXDOMAIN, and maybe others */
-		counter = dns_statscounter_failure;
+		counter = dns_nsstatscounter_failure;
 	}
 	inc_stats(client, counter);
 	ns_client_send(client);
 }
 
 static void
-query_error(ns_client_t *client, isc_result_t result) {
-	inc_stats(client, dns_statscounter_failure);
+query_error(ns_client_t *client, isc_result_t result, int line) {
+	int loglevel = ISC_LOG_DEBUG(3);
+
+	switch (result) {
+	case DNS_R_SERVFAIL:
+		loglevel = ISC_LOG_DEBUG(1);
+		inc_stats(client, dns_nsstatscounter_servfail);
+		break;
+	case DNS_R_FORMERR:
+		inc_stats(client, dns_nsstatscounter_formerr);
+		break;
+	default:
+		inc_stats(client, dns_nsstatscounter_failure);
+		break;
+	}
+
+	log_queryerror(client, result, line, loglevel);
+
 	ns_client_error(client, result);
 }
 
 static void
 query_next(ns_client_t *client, isc_result_t result) {
 	if (result == DNS_R_DUPLICATE)
-		inc_stats(client, dns_statscounter_duplicate);
+		inc_stats(client, dns_nsstatscounter_duplicate);
 	else if (result == DNS_R_DROP)
-		inc_stats(client, dns_statscounter_dropped);
+		inc_stats(client, dns_nsstatscounter_dropped);
 	else
-		inc_stats(client, dns_statscounter_failure);
+		inc_stats(client, dns_nsstatscounter_failure);
 	ns_client_next(client, result);
 }
 
@@ -640,7 +675,8 @@ query_validatezonedb(ns_client_t *client, dns_name_t *name,
 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 
-		result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+		result = ns_client_checkaclsilent(client, NULL, queryacl,
+						  ISC_TRUE);
 		if (log) {
 			char msg[NS_CLIENT_ACLMSGSIZE("query")];
 			if (result == ISC_R_SUCCESS) {
@@ -804,7 +840,7 @@ query_getcachedb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
 		char msg[NS_CLIENT_ACLMSGSIZE("query (cache)")];
 
-		result = ns_client_checkaclsilent(client,
+		result = ns_client_checkaclsilent(client, NULL,
 						  client->view->queryacl,
 						  ISC_TRUE);
 		if (result == ISC_R_SUCCESS) {
@@ -940,7 +976,7 @@ query_getdb(ns_client_t *client, dns_name_t *name, dns_rdatatype_t qtype,
 				 zonep, dbp, versionp);
 #endif
 
-	/* If successfull, Transfer ownership of zone. */
+	/* If successful, Transfer ownership of zone. */
 	if (result == ISC_R_SUCCESS) {
 #ifdef DLZ
 		*zonep = zone;
@@ -1086,8 +1122,12 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 	result = dns_db_find(db, name, version, type, client->query.dboptions,
 			     client->now, &node, fname, rdataset,
 			     sigrdataset);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		if (sigrdataset != NULL && !dns_db_issecure(db) &&
+		    dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
 		goto found;
+	}
 
 	if (dns_rdataset_isassociated(rdataset))
 		dns_rdataset_disassociate(rdataset);
@@ -1157,7 +1197,7 @@ query_addadditional(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		goto cleanup;
 
 	/*
-	 * Don't poision caches using the bailiwick protection model.
+	 * Don't poison caches using the bailiwick protection model.
 	 */
 	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
 		goto cleanup;
@@ -1631,7 +1671,7 @@ query_addadditional2(void *arg, dns_name_t *name, dns_rdatatype_t qtype) {
 		goto cleanup;
 
 	/*
-	 * Don't poision caches using the bailiwick protection model.
+	 * Don't poison caches using the bailiwick protection model.
 	 */
 	if (!dns_name_issubdomain(name, dns_db_origin(client->query.gluedb)))
 		goto cleanup;
@@ -2024,7 +2064,7 @@ query_addsoa(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version,
 		eresult = DNS_R_SERVFAIL;
 		goto cleanup;
 	}
-	if (WANTDNSSEC(client)) {
+	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
 			eresult = DNS_R_SERVFAIL;
@@ -2142,7 +2182,7 @@ query_addns(ns_client_t *client, dns_db_t *db, dns_dbversion_t *version) {
 		eresult = DNS_R_SERVFAIL;
 		goto cleanup;
 	}
-	if (WANTDNSSEC(client)) {
+	if (WANTDNSSEC(client) && dns_db_issecure(db)) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
 			CTRACE("query_addns: query_newrdataset failed");
@@ -2268,7 +2308,8 @@ query_addcnamelike(ns_client_t *client, dns_name_t *qname, dns_name_t *tname,
  */
 static void
 mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
-	    dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+	    isc_uint32_t ttl, dns_rdataset_t *rdataset,
+	    dns_rdataset_t *sigrdataset)
 {
 	isc_result_t result;
 	dns_dbnode_t *node = NULL;
@@ -2282,6 +2323,18 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 	result = dns_db_findnode(db, name, ISC_TRUE, &node);
 	if (result != ISC_R_SUCCESS)
 		return;
+	/*
+	 * Bound the validated ttls then minimise.
+	 */
+	if (sigrdataset->ttl > ttl)
+		sigrdataset->ttl = ttl;
+	if (rdataset->ttl > ttl)
+		rdataset->ttl = ttl;
+	if (rdataset->ttl > sigrdataset->ttl)
+		rdataset->ttl = sigrdataset->ttl;
+	else
+		sigrdataset->ttl = rdataset->ttl;
+
 	(void)dns_db_addrdataset(db, node, NULL, client->now, rdataset,
 				 0, NULL);
 	(void)dns_db_addrdataset(db, node, NULL, client->now, sigrdataset,
@@ -2291,7 +2344,7 @@ mark_secure(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 
 /*
  * Find the secure key that corresponds to rrsig.
- * Note: 'keyrdataset' maintains state between sucessive calls,
+ * Note: 'keyrdataset' maintains state between successive calls,
  * there may be multiple keys with the same keyid.
  * Return ISC_FALSE if we have exhausted all the possible keys.
  */
@@ -2405,8 +2458,9 @@ validate(ns_client_t *client, dns_db_t *db, dns_name_t *name,
 				   client->view->acceptexpired)) {
 				dst_key_free(&key);
 				dns_rdataset_disassociate(&keyrdataset);
-				mark_secure(client, db, name, rdataset,
-					    sigrdataset);
+				mark_secure(client, db, name,
+					    rrsig.originalttl,
+					    rdataset, sigrdataset);
 				return (ISC_TRUE);
 			}
 			dst_key_free(&key);
@@ -2592,12 +2646,36 @@ query_addbestns(ns_client_t *client) {
 }
 
 static void
+fixrdataset(ns_client_t *client, dns_rdataset_t **rdataset) {
+	if (*rdataset == NULL)
+		*rdataset = query_newrdataset(client);
+	else  if (dns_rdataset_isassociated(*rdataset))
+		dns_rdataset_disassociate(*rdataset);
+}
+
+static void
+fixfname(ns_client_t *client, dns_name_t **fname, isc_buffer_t **dbuf,
+	 isc_buffer_t *nbuf)
+{
+	if (*fname == NULL) {
+		*dbuf = query_getnamebuf(client);
+		if (*dbuf == NULL)
+			return;
+		*fname = query_newname(client, *dbuf, nbuf);
+	}
+}
+
+static void
 query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
-	    dns_dbversion_t *version)
+	    dns_dbversion_t *version, dns_name_t *name)
 {
+	dns_fixedname_t fixed;
+	dns_name_t *fname = NULL;
 	dns_name_t *rname;
 	dns_rdataset_t *rdataset, *sigrdataset;
+	isc_buffer_t *dbuf, b;
 	isc_result_t result;
+	unsigned int count;
 
 	CTRACE("query_addds");
 	rname = NULL;
@@ -2618,16 +2696,17 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
 	result = dns_db_findrdataset(db, node, version, dns_rdatatype_ds, 0,
 				     client->now, rdataset, sigrdataset);
 	/*
-	 * If we didn't find it, look for an NSEC. */
+	 * If we didn't find it, look for an NSEC.
+	 */
 	if (result == ISC_R_NOTFOUND)
 		result = dns_db_findrdataset(db, node, version,
 					     dns_rdatatype_nsec, 0, client->now,
 					     rdataset, sigrdataset);
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND)
-		goto cleanup;
+		goto addnsec3;
 	if (!dns_rdataset_isassociated(rdataset) ||
 	    !dns_rdataset_isassociated(sigrdataset))
-		goto cleanup;
+		goto addnsec3;
 
 	/*
 	 * We've already added the NS record, so if the name's not there,
@@ -2649,12 +2728,60 @@ query_addds(ns_client_t *client, dns_db_t *db, dns_dbnode_t *node,
 	ISC_LIST_APPEND(rname->list, sigrdataset, link);
 	rdataset = NULL;
 	sigrdataset = NULL;
+	return;
+
+   addnsec3:
+	if (dns_db_iscache(db))
+		goto cleanup;
+	/*
+	 * Add the NSEC3 which proves the DS does not exist.
+	 */
+	dbuf = query_getnamebuf(client);
+	if (dbuf == NULL)
+		goto cleanup;
+	fname = query_newname(client, dbuf, &b);
+	dns_fixedname_init(&fixed);
+	if (dns_rdataset_isassociated(rdataset))
+		dns_rdataset_disassociate(rdataset);
+	if (dns_rdataset_isassociated(sigrdataset))
+		dns_rdataset_disassociate(sigrdataset);
+	query_findclosestnsec3(name, db, version, client, rdataset,
+			       sigrdataset, fname, ISC_TRUE,
+			       dns_fixedname_name(&fixed));
+	if (!dns_rdataset_isassociated(rdataset))
+		goto cleanup;
+	query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
+		       DNS_SECTION_AUTHORITY);
+	/*
+	 * Did we find the closest provable encloser instead?
+	 * If so add the nearest to the closest provable encloser.
+	 */
+	if (!dns_name_equal(name, dns_fixedname_name(&fixed))) {
+		count = dns_name_countlabels(dns_fixedname_name(&fixed)) + 1;
+		dns_name_getlabelsequence(name,
+					  dns_name_countlabels(name) - count,
+					  count, dns_fixedname_name(&fixed));
+		fixfname(client, &fname, &dbuf, &b);
+		fixrdataset(client, &rdataset);
+		fixrdataset(client, &sigrdataset);
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+				goto cleanup;
+		query_findclosestnsec3(dns_fixedname_name(&fixed), db, version,
+				       client, rdataset, sigrdataset, fname,
+				       ISC_FALSE, NULL);
+		if (!dns_rdataset_isassociated(rdataset))
+			goto cleanup;
+		query_addrrset(client, &fname, &rdataset, &sigrdataset, dbuf,
+			       DNS_SECTION_AUTHORITY);
+	}
 
  cleanup:
 	if (rdataset != NULL)
 		query_putrdataset(client, &rdataset);
 	if (sigrdataset != NULL)
 		query_putrdataset(client, &sigrdataset);
+	if (fname != NULL)
+		query_releasename(client, &fname);
 }
 
 static void
@@ -2669,12 +2796,14 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	dns_name_t *wname;
 	dns_dbnode_t *node;
 	unsigned int options;
-	unsigned int olabels, nlabels;
+	unsigned int olabels, nlabels, labels;
 	isc_result_t result;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
 	dns_rdata_nsec_t nsec;
 	isc_boolean_t have_wname;
 	int order;
+	dns_fixedname_t cfixed;
+	dns_name_t *cname;
 
 	CTRACE("query_addwildcardproof");
 	fname = NULL;
@@ -2683,7 +2812,7 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 	node = NULL;
 
 	/*
-	 * Get the NOQNAME proof then if !ispositve
+	 * Get the NOQNAME proof then if !ispositive
 	 * get the NOWILDCARD proof.
 	 *
 	 * DNS_DBFIND_NOWILD finds the NSEC records that covers the
@@ -2745,7 +2874,115 @@ query_addwildcardproof(ns_client_t *client, dns_db_t *db,
 			     0, &node, fname, rdataset, sigrdataset);
 	if (node != NULL)
 		dns_db_detachnode(db, &node);
-	if (result == DNS_R_NXDOMAIN) {
+
+	if (!dns_rdataset_isassociated(rdataset)) {
+		/*
+		 * No NSEC proof available, return NSEC3 proofs instead.
+		 */
+		dns_fixedname_init(&cfixed);
+		cname = dns_fixedname_name(&cfixed);
+		/*
+		 * Find the closest encloser.
+		 */
+		dns_name_copy(name, cname, NULL);
+		while (result == DNS_R_NXDOMAIN) {
+			labels = dns_name_countlabels(cname) - 1;
+			dns_name_split(cname, labels, NULL, cname);
+			result = dns_db_find(db, cname, version,
+					     dns_rdatatype_nsec,
+					     options, 0, NULL, fname,
+					     NULL, NULL);
+		}
+		/*
+		 * Add closest (provable) encloser NSEC3.
+		 */
+		query_findclosestnsec3(cname, db, NULL, client, rdataset,
+				       sigrdataset, fname, ISC_TRUE, cname);
+		if (!dns_rdataset_isassociated(rdataset))
+			goto cleanup;
+		query_addrrset(client, &fname, &rdataset, &sigrdataset,
+			       dbuf, DNS_SECTION_AUTHORITY);
+
+		/*
+		 * Replace resources which were consumed by query_addrrset.
+		 */
+		if (fname == NULL) {
+			dbuf = query_getnamebuf(client);
+			if (dbuf == NULL)
+				goto cleanup;
+			fname = query_newname(client, dbuf, &b);
+		}
+
+		if (rdataset == NULL)
+			rdataset = query_newrdataset(client);
+		else if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+
+		if (sigrdataset == NULL)
+			sigrdataset = query_newrdataset(client);
+		else if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+			goto cleanup;
+		/*
+		 * Add no qname proof.
+		 */
+		labels = dns_name_countlabels(cname) + 1;
+		if (dns_name_countlabels(name) == labels)
+			dns_name_copy(name, wname, NULL);
+		else
+			dns_name_split(name, labels, NULL, wname);
+
+		query_findclosestnsec3(wname, db, NULL, client, rdataset,
+				       sigrdataset, fname, ISC_FALSE, NULL);
+		if (!dns_rdataset_isassociated(rdataset))
+			goto cleanup;
+		query_addrrset(client, &fname, &rdataset, &sigrdataset,
+			       dbuf, DNS_SECTION_AUTHORITY);
+
+		if (ispositive)
+			goto cleanup;
+
+		/*
+		 * Replace resources which were consumed by query_addrrset.
+		 */
+		if (fname == NULL) {
+			dbuf = query_getnamebuf(client);
+			if (dbuf == NULL)
+				goto cleanup;
+			fname = query_newname(client, dbuf, &b);
+		}
+
+		if (rdataset == NULL)
+			rdataset = query_newrdataset(client);
+		else if (dns_rdataset_isassociated(rdataset))
+			dns_rdataset_disassociate(rdataset);
+
+		if (sigrdataset == NULL)
+			sigrdataset = query_newrdataset(client);
+		else if (dns_rdataset_isassociated(sigrdataset))
+			dns_rdataset_disassociate(sigrdataset);
+
+		if (fname == NULL || rdataset == NULL || sigrdataset == NULL)
+			goto cleanup;
+		/*
+		 * Add the no wildcard proof.
+		 */
+		result = dns_name_concatenate(dns_wildcardname,
+					      cname, wname, NULL);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup;
+
+		query_findclosestnsec3(wname, db, NULL, client, rdataset,
+				       sigrdataset, fname, ISC_FALSE, NULL);
+		if (!dns_rdataset_isassociated(rdataset))
+			goto cleanup;
+		query_addrrset(client, &fname, &rdataset, &sigrdataset,
+			       dbuf, DNS_SECTION_AUTHORITY);
+
+		goto cleanup;
+	} else if (result == DNS_R_NXDOMAIN) {
 		if (!ispositive)
 			result = dns_rdataset_first(rdataset);
 		if (result == ISC_R_SUCCESS) {
@@ -2822,6 +3059,7 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
 
 	if (sigrdatasetp == NULL)
 		return;
+
 	sigrdataset = *sigrdatasetp;
 	if (sigrdataset == NULL || !dns_rdataset_isassociated(sigrdataset))
 		return;
@@ -2862,8 +3100,12 @@ query_addnxrrsetnsec(ns_client_t *client, dns_db_t *db,
 static void
 query_resume(isc_task_t *task, isc_event_t *event) {
 	dns_fetchevent_t *devent = (dns_fetchevent_t *)event;
+	dns_fetch_t *fetch;
 	ns_client_t *client;
-	isc_boolean_t fetch_cancelled, client_shuttingdown;
+	isc_boolean_t fetch_canceled, client_shuttingdown;
+	isc_result_t result;
+	isc_logcategory_t *logcategory = NS_LOGCATEGORY_QUERY_EERRORS;
+	int errorloglevel;
 
 	/*
 	 * Resume a query after recursion.
@@ -2884,30 +3126,31 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 		 */
 		INSIST(devent->fetch == client->query.fetch);
 		client->query.fetch = NULL;
-		fetch_cancelled = ISC_FALSE;
+		fetch_canceled = ISC_FALSE;
 		/*
 		 * Update client->now.
 		 */
 		isc_stdtime_get(&client->now);
 	} else {
 		/*
-		 * This is a fetch completion event for a cancelled fetch.
+		 * This is a fetch completion event for a canceled fetch.
 		 * Clean up and don't resume the find.
 		 */
-		fetch_cancelled = ISC_TRUE;
+		fetch_canceled = ISC_TRUE;
 	}
 	UNLOCK(&client->query.fetchlock);
 	INSIST(client->query.fetch == NULL);
 
 	client->query.attributes &= ~NS_QUERYATTR_RECURSING;
-	dns_resolver_destroyfetch(&devent->fetch);
+	fetch = devent->fetch;
+	devent->fetch = NULL;
 
 	/*
 	 * If this client is shutting down, or this transaction
 	 * has timed out, do not resume the find.
 	 */
 	client_shuttingdown = ns_client_shuttingdown(client);
-	if (fetch_cancelled || client_shuttingdown) {
+	if (fetch_canceled || client_shuttingdown) {
 		if (devent->node != NULL)
 			dns_db_detachnode(devent->db, &devent->node);
 		if (devent->db != NULL)
@@ -2916,8 +3159,8 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 		if (devent->sigrdataset != NULL)
 			query_putrdataset(client, &devent->sigrdataset);
 		isc_event_free(&event);
-		if (fetch_cancelled)
-			query_error(client, DNS_R_SERVFAIL);
+		if (fetch_canceled)
+			query_error(client, DNS_R_SERVFAIL, __LINE__);
 		else
 			query_next(client, ISC_R_CANCELED);
 		/*
@@ -2925,8 +3168,22 @@ query_resume(isc_task_t *task, isc_event_t *event) {
 		 */
 		ns_client_detach(&client);
 	} else {
-		query_find(client, devent, 0);
+		result = query_find(client, devent, 0);
+		if (result != ISC_R_SUCCESS) {
+			if (result == DNS_R_SERVFAIL)
+				errorloglevel = ISC_LOG_DEBUG(2);
+			else
+				errorloglevel = ISC_LOG_DEBUG(4);
+			if (isc_log_wouldlog(ns_g_lctx, errorloglevel)) {
+				dns_resolver_logfetch(fetch, ns_g_lctx,
+						      logcategory,
+						      NS_LOGMODULE_QUERY,
+						      errorloglevel, ISC_FALSE);
+			}
+		}
 	}
+
+	dns_resolver_destroyfetch(&fetch);
 }
 
 static isc_result_t
@@ -2938,7 +3195,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 	isc_sockaddr_t *peeraddr;
 
 	if (!resuming)
-		inc_stats(client, dns_statscounter_recursion);
+		inc_stats(client, dns_nsstatscounter_recursion);
 
 	/*
 	 * We are about to recurse, which means that this client will
@@ -3053,6 +3310,7 @@ query_recurse(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qdomain,
 do { \
 	eresult = r; \
 	want_restart = ISC_FALSE; \
+	line = __LINE__; \
 } while (0)
 
 /*
@@ -3144,35 +3402,60 @@ static void
 query_addnoqnameproof(ns_client_t *client, dns_rdataset_t *rdataset) {
 	isc_buffer_t *dbuf, b;
 	dns_name_t *fname;
-	dns_rdataset_t *nsec, *nsecsig;
+	dns_rdataset_t *neg, *negsig;
 	isc_result_t result = ISC_R_NOMEMORY;
 
 	CTRACE("query_addnoqnameproof");
 
 	fname = NULL;
-	nsec = NULL;
-	nsecsig = NULL;
+	neg = NULL;
+	negsig = NULL;
 
 	dbuf = query_getnamebuf(client);
 	if (dbuf == NULL)
 		goto cleanup;
 	fname = query_newname(client, dbuf, &b);
-	nsec = query_newrdataset(client);
-	nsecsig = query_newrdataset(client);
-	if (fname == NULL || nsec == NULL || nsecsig == NULL)
+	neg = query_newrdataset(client);
+	negsig = query_newrdataset(client);
+	if (fname == NULL || neg == NULL || negsig == NULL)
 		goto cleanup;
 
-	result = dns_rdataset_getnoqname(rdataset, fname, nsec, nsecsig);
+	result = dns_rdataset_getnoqname(rdataset, fname, neg, negsig);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
-	query_addrrset(client, &fname, &nsec, &nsecsig, dbuf,
+	query_addrrset(client, &fname, &neg, &negsig, dbuf,
+		       DNS_SECTION_AUTHORITY);
+
+	if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) == 0)
+		goto cleanup;
+
+	if (fname == NULL) {
+		dbuf = query_getnamebuf(client);
+		if (dbuf == NULL)
+			goto cleanup;
+		fname = query_newname(client, dbuf, &b);
+	}
+	if (neg == NULL)
+		neg = query_newrdataset(client);
+	else if (dns_rdataset_isassociated(neg))
+		dns_rdataset_disassociate(neg);
+	if (negsig == NULL)
+		negsig = query_newrdataset(client);
+	else if (dns_rdataset_isassociated(negsig))
+		dns_rdataset_disassociate(negsig);
+	if (fname == NULL || neg == NULL || negsig == NULL)
+		goto cleanup;
+	result = dns_rdataset_getclosest(rdataset, fname, neg, negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	query_addrrset(client, &fname, &neg, &negsig, dbuf,
 		       DNS_SECTION_AUTHORITY);
 
  cleanup:
-	if (nsec != NULL)
-		query_putrdataset(client, &nsec);
-	if (nsecsig != NULL)
-		query_putrdataset(client, &nsecsig);
+	if (neg != NULL)
+		query_putrdataset(client, &neg);
+	if (negsig != NULL)
+		query_putrdataset(client, &negsig);
 	if (fname != NULL)
 		query_releasename(client, &fname);
 }
@@ -3292,8 +3575,7 @@ warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			dns_rdataset_current(&found, &rdata);
 			result = dns_rdata_tostruct(&rdata, &soa, NULL);
-			if (result != ISC_R_SUCCESS)
-				return;
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
 			if (dns_name_equal(&soa.origin, &prisoner) &&
 			    dns_name_equal(&soa.contact, &hostmaster)) {
 				char buf[DNS_NAME_FORMATSIZE];
@@ -3310,12 +3592,101 @@ warn_rfc1918(ns_client_t *client, dns_name_t *fname, dns_rdataset_t *rdataset) {
 	}
 }
 
+static void
+query_findclosestnsec3(dns_name_t *qname, dns_db_t *db,
+		       dns_dbversion_t *version, ns_client_t *client,
+		       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset,
+		       dns_name_t *fname, isc_boolean_t exact,
+		       dns_name_t *found)
+{
+	unsigned char salt[256];
+	size_t salt_length = sizeof(salt);
+	isc_uint16_t iterations;
+	isc_result_t result;
+	unsigned int dboptions;
+	dns_fixedname_t fixed;
+	dns_hash_t hash;
+	dns_name_t name;
+	int order;
+	unsigned int count;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_boolean_t optout;
+
+	salt_length = sizeof(salt);
+	result = dns_db_getnsec3parameters(db, version, &hash, NULL,
+					   &iterations, salt, &salt_length);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	dns_name_init(&name, NULL);
+	dns_name_clone(qname, &name);
+
+	/*
+	 * Map unknown algorithm to known value.
+	 */
+	if (hash == DNS_NSEC3_UNKNOWNALG)
+		hash = 1;
+
+ again:
+	dns_fixedname_init(&fixed);
+	result = dns_nsec3_hashname(&fixed, NULL, NULL, &name,
+				    dns_db_origin(db), hash,
+				    iterations, salt, salt_length);
+	if (result != ISC_R_SUCCESS)
+		return;
+
+	dboptions = client->query.dboptions | DNS_DBFIND_FORCENSEC3;
+	result = dns_db_find(db, dns_fixedname_name(&fixed), version,
+			     dns_rdatatype_nsec3, dboptions, client->now,
+			     NULL, fname, rdataset, sigrdataset);
+
+	if (result == DNS_R_NXDOMAIN) {
+		if (!dns_rdataset_isassociated(rdataset)) {
+			return;
+		}
+		result = dns_rdataset_first(rdataset);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_rdataset_current(rdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		dns_rdata_reset(&rdata);
+		optout = ISC_TF((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0);
+		if (found != NULL && optout &&
+		    dns_name_fullcompare(&name, dns_db_origin(db), &order,
+					 &count) == dns_namereln_subdomain) {
+			dns_rdataset_disassociate(rdataset);
+			if (dns_rdataset_isassociated(sigrdataset))
+				dns_rdataset_disassociate(sigrdataset);
+			count = dns_name_countlabels(&name) - 1;
+			dns_name_getlabelsequence(&name, 1, count, &name);
+			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_DEBUG(3),
+				      "looking for closest provable encloser");
+			goto again;
+		}
+		if (exact)
+			ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+				      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+				      "expected a exact match NSEC3, got "
+				      "a covering record");
+
+	} else if (result != ISC_R_SUCCESS) {
+		return;
+	} else if (!exact)
+		ns_client_log(client, DNS_LOGCATEGORY_DNSSEC,
+			      NS_LOGMODULE_QUERY, ISC_LOG_WARNING,
+			      "expected covering NSEC3, got an exact match");
+	if (found != NULL)
+		dns_name_copy(&name, found, NULL);
+	return;
+}
+
 /*
  * Do the bulk of query processing for the current query of 'client'.
  * If 'event' is non-NULL, we are returning from recursion and 'qtype'
  * is ignored.  Otherwise, 'qtype' is the query type.
  */
-static void
+static isc_result_t
 query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 {
 	dns_db_t *db, *zdb;
@@ -3336,7 +3707,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	isc_result_t result, eresult;
 	dns_fixedname_t fixed;
 	dns_fixedname_t wildcardname;
-	dns_dbversion_t *version;
+	dns_dbversion_t *version, *zversion;
 	dns_zone_t *zone;
 	dns_rdata_cname_t cname;
 	dns_rdata_dname_t dname;
@@ -3344,6 +3715,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	isc_boolean_t empty_wild;
 	dns_rdataset_t *noqname;
 	isc_boolean_t resuming;
+	int line = -1;
 
 	CTRACE("query_find");
 
@@ -3361,6 +3733,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	zrdataset = NULL;
 	sigrdataset = NULL;
 	zsigrdataset = NULL;
+	zversion = NULL;
 	node = NULL;
 	db = NULL;
 	zdb = NULL;
@@ -3500,6 +3873,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 	}
 	if (result != ISC_R_SUCCESS) {
 		if (result == DNS_R_REFUSED) {
+			if (WANTRECURSION(client)) {
+				inc_stats(client,
+					  dns_nsstatscounter_recurserej);
+			} else
+				inc_stats(client, dns_nsstatscounter_authrej);
 			if (!PARTIALANSWER(client))
 				QUERY_ERROR(DNS_R_REFUSED);
 		} else
@@ -3544,7 +3922,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		QUERY_ERROR(DNS_R_SERVFAIL);
 		goto cleanup;
 	}
-	if (WANTDNSSEC(client)) {
+	if (WANTDNSSEC(client) && (!is_zone || dns_db_issecure(db))) {
 		sigrdataset = query_newrdataset(client);
 		if (sigrdataset == NULL) {
 			QUERY_ERROR(DNS_R_SERVFAIL);
@@ -3685,6 +4063,12 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * We're authoritative for an ancestor of QNAME.
 			 */
 			if (!USECACHE(client) || !RECURSIONOK(client)) {
+				dns_fixedname_t fixed;
+
+				dns_fixedname_init(&fixed);
+				dns_name_copy(fname,
+					      dns_fixedname_name(&fixed), NULL);
+
 				/*
 				 * If we don't have a cache, this is the best
 				 * answer.
@@ -3718,8 +4102,9 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 					       &rdataset, sigrdatasetp,
 					       dbuf, DNS_SECTION_AUTHORITY);
 				client->query.gluedb = NULL;
-				if (WANTDNSSEC(client) && dns_db_issecure(db))
-					query_addds(client, db, node, version);
+				if (WANTDNSSEC(client))
+					query_addds(client, db, node, version,
+						   dns_fixedname_name(&fixed));
 			} else {
 				/*
 				 * We might have a better answer or delegation
@@ -3738,6 +4123,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				zsigrdataset = sigrdataset;
 				sigrdataset = NULL;
 				dns_db_detachnode(db, &node);
+				zversion = version;
 				version = NULL;
 				db = NULL;
 				dns_db_attach(client->view->cachedb, &db);
@@ -3771,6 +4157,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				zrdataset = NULL;
 				sigrdataset = zsigrdataset;
 				zsigrdataset = NULL;
+				version = zversion;
+				zversion = NULL;
 				/*
 				 * We don't clean up zdb here because we
 				 * may still need it.  It will get cleaned
@@ -3799,6 +4187,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				else
 					QUERY_ERROR(DNS_R_SERVFAIL);
 			} else {
+				dns_fixedname_t fixed;
+
+				dns_fixedname_init(&fixed);
+				dns_name_copy(fname,
+					      dns_fixedname_name(&fixed), NULL);
 				/*
 				 * This is the best answer.
 				 */
@@ -3825,7 +4218,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				client->query.attributes &=
 					~NS_QUERYATTR_CACHEGLUEOK;
 				if (WANTDNSSEC(client))
-					query_addds(client, db, node, version);
+					query_addds(client, db, node, version,
+						   dns_fixedname_name(&fixed));
 			}
 		}
 		goto cleanup;
@@ -3834,6 +4228,80 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		/* FALLTHROUGH */
 	case DNS_R_NXRRSET:
 		INSIST(is_zone);
+		/*
+		 * Look for a NSEC3 record if we don't have a NSEC record.
+		 */
+		if (!dns_rdataset_isassociated(rdataset) &&
+		     WANTDNSSEC(client)) {
+			if ((fname->attributes & DNS_NAMEATTR_WILDCARD) == 0) {
+				dns_name_t *found;
+				dns_name_t *qname;
+
+				dns_fixedname_init(&fixed);
+				found = dns_fixedname_name(&fixed);
+				qname = client->query.qname;
+
+				query_findclosestnsec3(qname, db, version,
+						       client, rdataset,
+						       sigrdataset, fname,
+						       ISC_TRUE, found);
+				/*
+				 * Did we find the closest provable encloser
+				 * instead? If so add the nearest to the
+				 * closest provable encloser.
+				 */
+				if (found &&
+				    dns_rdataset_isassociated(rdataset) &&
+				    !dns_name_equal(qname, found))
+				{
+					unsigned int count;
+					unsigned int skip;
+
+					/*
+					 * Add the closest provable encloser.
+					 */
+					query_addrrset(client, &fname,
+						       &rdataset, &sigrdataset,
+						       dbuf,
+						       DNS_SECTION_AUTHORITY);
+
+					count = dns_name_countlabels(found)
+							 + 1;
+					skip = dns_name_countlabels(qname) -
+							 count;
+					dns_name_getlabelsequence(qname, skip,
+								  count,
+								  found);
+
+					fixfname(client, &fname, &dbuf, &b);
+					fixrdataset(client, &rdataset);
+					fixrdataset(client, &sigrdataset);
+					if (fname == NULL ||
+					    rdataset == NULL ||
+					    sigrdataset == NULL) {
+						QUERY_ERROR(DNS_R_SERVFAIL);
+						goto cleanup;
+					}
+					/*
+					 * 'nearest' doesn't exist so
+					 * 'exist' is set to ISC_FALSE.
+					 */
+					query_findclosestnsec3(found, db,
+							       version,
+							       client,
+							       rdataset,
+							       sigrdataset,
+							       fname,
+							       ISC_FALSE,
+							       NULL);
+				}
+			} else {
+				query_releasename(client, &fname);
+				query_addwildcardproof(client, db, version,
+						       client->query.qname,
+						       ISC_FALSE);
+			}
+		}
 		if (dns_rdataset_isassociated(rdataset)) {
 			/*
 			 * If we've got a NSEC record, we need to save the
@@ -3841,7 +4309,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * below, and it needs to use the name buffer.
 			 */
 			query_keepname(client, fname, dbuf);
-		} else {
+		} else if (fname != NULL) {
 			/*
 			 * We're not going to use fname, and need to release
 			 * our hold on the name buffer so query_addsoa()
@@ -3867,9 +4335,11 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 						     &sigrdataset);
 		}
 		goto cleanup;
+
 	case DNS_R_EMPTYWILD:
 		empty_wild = ISC_TRUE;
 		/* FALLTHROUGH */
+
 	case DNS_R_NXDOMAIN:
 		INSIST(is_zone);
 		if (dns_rdataset_isassociated(rdataset)) {
@@ -3879,7 +4349,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * below, and it needs to use the name buffer.
 			 */
 			query_keepname(client, fname, dbuf);
-		} else {
+		} else if (fname != NULL) {
 			/*
 			 * We're not going to use fname, and need to release
 			 * our hold on the name buffer so query_addsoa()
@@ -3905,19 +4375,19 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			QUERY_ERROR(result);
 			goto cleanup;
 		}
-		/*
-		 * Add NSEC record if we found one.
-		 */
-		if (dns_rdataset_isassociated(rdataset)) {
-			if (WANTDNSSEC(client)) {
+
+		if (WANTDNSSEC(client)) {
+			/*
+			 * Add NSEC record if we found one.
+			 */
+			if (dns_rdataset_isassociated(rdataset))
 				query_addrrset(client, &fname, &rdataset,
 					       &sigrdataset,
 					       NULL, DNS_SECTION_AUTHORITY);
-				query_addwildcardproof(client, db, version,
-						       client->query.qname,
-						       ISC_FALSE);
-			}
+			query_addwildcardproof(client, db, version,
+					       client->query.qname, ISC_FALSE);
 		}
+
 		/*
 		 * Set message rcode.
 		 */
@@ -3926,6 +4396,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		else
 			client->message->rcode = dns_rcode_nxdomain;
 		goto cleanup;
+
 	case DNS_R_NCACHENXDOMAIN:
 	case DNS_R_NCACHENXRRSET:
 		INSIST(!is_zone);
@@ -3954,6 +4425,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		fname = NULL;
 		rdataset = NULL;
 		goto cleanup;
+
 	case DNS_R_CNAME:
 		/*
 		 * Keep a copy of the rdataset.  We have to do this because
@@ -3976,8 +4448,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 				      NULL);
 			need_wildcardproof = ISC_TRUE;
 		}
-		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
-		     WANTDNSSEC(client))
+		if (NOQNAME(rdataset) && WANTDNSSEC(client))
 			noqname = rdataset;
 		else
 			noqname = NULL;
@@ -4185,17 +4656,32 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		result = dns_rdatasetiter_first(rdsiter);
 		while (result == ISC_R_SUCCESS) {
 			dns_rdatasetiter_current(rdsiter, rdataset);
-			if ((qtype == dns_rdatatype_any ||
+			if (is_zone && qtype == dns_rdatatype_any &&
+			    !dns_db_issecure(db) &&
+			    dns_rdatatype_isdnssec(rdataset->type)) {
+				/*
+				 * The zone is transitioning from insecure
+				 * to secure. Hide the dnssec records from
+				 * ANY queries.
+				 */
+				dns_rdataset_disassociate(rdataset);
+			} else if ((qtype == dns_rdatatype_any ||
 			     rdataset->type == qtype) && rdataset->type != 0) {
+				if (NOQNAME(rdataset) && WANTDNSSEC(client))
+					noqname = rdataset;
+				else
+					noqname = NULL;
 				query_addrrset(client,
 					       fname != NULL ? &fname : &tname,
 					       &rdataset, NULL,
 					       NULL, DNS_SECTION_ANSWER);
+				if (noqname != NULL)
+					query_addnoqnameproof(client, noqname);
 				n++;
 				INSIST(tname != NULL);
 				/*
-				 * rdataset is non-NULL only in certain pathological
-				 * cases involving DNAMEs.
+				 * rdataset is non-NULL only in certain
+				 * pathological cases involving DNAMEs.
 				 */
 				if (rdataset != NULL)
 					query_putrdataset(client, &rdataset);
@@ -4214,7 +4700,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		if (fname != NULL)
 			dns_message_puttempname(client->message, &fname);
 
-		if (n == 0) {
+		if (n == 0 && is_zone) {
 			/*
 			 * We didn't match any rdatasets.
 			 */
@@ -4275,8 +4761,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			sigrdatasetp = &sigrdataset;
 		else
 			sigrdatasetp = NULL;
-		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0 &&
-		     WANTDNSSEC(client))
+		if (NOQNAME(rdataset) && WANTDNSSEC(client))
 			noqname = rdataset;
 		else
 			noqname = NULL;
@@ -4388,7 +4873,8 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			 * or if the client requested recursion and thus wanted
 			 * the complete answer, send an error response.
 			 */
-			query_error(client, eresult);
+			INSIST(line >= 0);
+			query_error(client, eresult, line);
 		}
 		ns_client_detach(&client);
 	} else if (!RECURSING(client)) {
@@ -4405,7 +4891,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		 * is in the glue sort it to the start of the additional
 		 * section.
 		 */
-		if (client->message->counts[DNS_SECTION_ANSWER] == 0 &&
+		if (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) &&
 		    client->message->rcode == dns_rcode_noerror &&
 		    (qtype == dns_rdatatype_a || qtype == dns_rdatatype_aaaa))
 			answer_in_glue(client, qtype);
@@ -4414,14 +4900,26 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 		    client->view->auth_nxdomain == ISC_TRUE)
 			client->message->flags |= DNS_MESSAGEFLAG_AA;
 
+		/*
+		 * If the response is somehow unexpected for the client and this
+		 * is a result of recursion, return an error to the caller
+		 * to indicate it may need to be logged.
+		 */
+		if (resuming &&
+		    (ISC_LIST_EMPTY(client->message->sections[DNS_SECTION_ANSWER]) ||
+		     client->message->rcode != dns_rcode_noerror))
+			eresult = ISC_R_FAILURE;
+
 		query_send(client);
 		ns_client_detach(&client);
 	}
 	CTRACE("query_find: done");
+
+	return (eresult);
 }
 
 static inline void
-log_query(ns_client_t *client) {
+log_query(ns_client_t *client, unsigned int flags, unsigned int extflags) {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char typename[DNS_RDATATYPE_FORMATSIZE];
 	char classname[DNS_RDATACLASS_FORMATSIZE];
@@ -4438,10 +4936,54 @@ log_query(ns_client_t *client) {
 	dns_rdatatype_format(rdataset->type, typename, sizeof(typename));
 
 	ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
-		      level, "query: %s %s %s %s%s%s", namebuf, classname,
+		      level, "query: %s %s %s %s%s%s%s%s", namebuf, classname,
 		      typename, WANTRECURSION(client) ? "+" : "-",
 		      (client->signer != NULL) ? "S": "",
-		      (client->opt != NULL) ? "E" : "");
+		      (client->opt != NULL) ? "E" : "",
+		      ((extflags & DNS_MESSAGEEXTFLAG_DO) != 0) ? "D" : "",
+		      ((flags & DNS_MESSAGEFLAG_CD) != 0) ? "C" : "");
+}
+
+static inline void
+log_queryerror(ns_client_t *client, isc_result_t result, int line, int level) {
+	char namebuf[DNS_NAME_FORMATSIZE];
+	char typename[DNS_RDATATYPE_FORMATSIZE];
+	char classname[DNS_RDATACLASS_FORMATSIZE];
+	const char *namep, *typep, *classp, *sep1, *sep2;
+	dns_rdataset_t *rdataset;
+
+	if (!isc_log_wouldlog(ns_g_lctx, level))
+		return;
+
+	namep = typep = classp = sep1 = sep2 = "";
+
+	/*
+	 * Query errors can happen for various reasons.  In some cases we cannot
+	 * even assume the query contains a valid question section, so we should
+	 * expect exceptional cases.
+	 */
+	if (client->query.origqname != NULL) {
+		dns_name_format(client->query.origqname, namebuf,
+				sizeof(namebuf));
+		namep = namebuf;
+		sep1 = " for ";
+
+		rdataset = ISC_LIST_HEAD(client->query.origqname->list);
+		if (rdataset != NULL) {
+			dns_rdataclass_format(rdataset->rdclass, classname,
+					      sizeof(classname));
+			classp = classname;
+			dns_rdatatype_format(rdataset->type, typename,
+					     sizeof(typename));
+			typep = typename;
+			sep2 = "/";
+		}
+	}
+
+	ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY,
+		      level, "query failed (%s)%s%s%s%s%s%s at %s:%d",
+		      isc_result_totext(result), sep1, namep, sep2,
+		      classp, sep2, typep, __FILE__, line);
 }
 
 void
@@ -4451,11 +4993,19 @@ ns_query_start(ns_client_t *client) {
 	dns_rdataset_t *rdataset;
 	ns_client_t *qclient;
 	dns_rdatatype_t qtype;
+	unsigned int saved_extflags = client->extflags;
+	unsigned int saved_flags = client->message->flags;
 	isc_boolean_t want_ad;
 
 	CTRACE("ns_query_start");
 
 	/*
+	 * Test only.
+	 */
+	if (ns_g_clienttest && (client->attributes & NS_CLIENTATTR_TCP) == 0)
+		RUNTIME_CHECK(ns_client_replace(client) == ISC_R_SUCCESS);
+
+	/*
 	 * Ensure that appropriate cleanups occur.
 	 */
 	client->next = query_next_callback;
@@ -4504,7 +5054,7 @@ ns_query_start(ns_client_t *client) {
 	 */
 	result = dns_message_firstname(message, DNS_SECTION_QUESTION);
 	if (result != ISC_R_SUCCESS) {
-		query_error(client, result);
+		query_error(client, result, __LINE__);
 		return;
 	}
 	dns_message_currentname(message, DNS_SECTION_QUESTION,
@@ -4517,20 +5067,20 @@ ns_query_start(ns_client_t *client) {
 			 * There's more than one QNAME in the question
 			 * section.
 			 */
-			query_error(client, DNS_R_FORMERR);
+			query_error(client, DNS_R_FORMERR, __LINE__);
 		} else
-			query_error(client, result);
+			query_error(client, result, __LINE__);
 		return;
 	}
 
 	if (ns_g_server->log_queries)
-		log_query(client);
+		log_query(client, saved_flags, saved_extflags);
 
 	/*
 	 * Check for multiple question queries, since edns1 is dead.
 	 */
 	if (message->counts[DNS_SECTION_QUESTION] > 1) {
-		query_error(client, DNS_R_FORMERR);
+		query_error(client, DNS_R_FORMERR, __LINE__);
 		return;
 	}
 
@@ -4540,6 +5090,7 @@ ns_query_start(ns_client_t *client) {
 	rdataset = ISC_LIST_HEAD(client->query.qname->list);
 	INSIST(rdataset != NULL);
 	qtype = rdataset->type;
+	dns_rdatatypestats_increment(ns_g_server->rcvquerystats, qtype);
 	if (dns_rdatatype_ismeta(qtype)) {
 		switch (qtype) {
 		case dns_rdatatype_any:
@@ -4550,7 +5101,7 @@ ns_query_start(ns_client_t *client) {
 			return;
 		case dns_rdatatype_maila:
 		case dns_rdatatype_mailb:
-			query_error(client, DNS_R_NOTIMP);
+			query_error(client, DNS_R_NOTIMP, __LINE__);
 			return;
 		case dns_rdatatype_tkey:
 			result = dns_tkey_processquery(client->message,
@@ -4559,15 +5110,22 @@ ns_query_start(ns_client_t *client) {
 			if (result == ISC_R_SUCCESS)
 				query_send(client);
 			else
-				query_error(client, result);
+				query_error(client, result, __LINE__);
 			return;
 		default: /* TSIG, etc. */
-			query_error(client, DNS_R_FORMERR);
+			query_error(client, DNS_R_FORMERR, __LINE__);
 			return;
 		}
 	}
 
 	/*
+	 * Turn on minimal response for DNSKEY queries.
+	 */
+	if (qtype == dns_rdatatype_dnskey)
+		client->query.attributes |= (NS_QUERYATTR_NOAUTHORITY |
+					     NS_QUERYATTR_NOADDITIONAL);
+
+	/*
 	 * If the client has requested that DNSSEC checking be disabled,
 	 * allow lookups to return pending data and instruct the resolver
 	 * to return data before validation has completed.
@@ -4623,5 +5181,5 @@ ns_query_start(ns_client_t *client) {
 
 	qclient = NULL;
 	ns_client_attach(client, &qclient);
-	query_find(qclient, NULL, qtype);
+	(void)query_find(qclient, NULL, qtype);
 }
diff --git a/bin/named/server.c b/bin/named/server.c
index 784ff94..e685e18 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.419.18.68 2008/09/04 23:46:08 tbox Exp $ */
+/* $Id: server.c,v 1.520.12.7 2009/01/30 03:53:38 marka Exp $ */
 
 /*! \file */
 
@@ -30,17 +30,20 @@
 #include <isc/entropy.h>
 #include <isc/file.h>
 #include <isc/hash.h>
+#include <isc/httpd.h>
 #include <isc/lex.h>
 #include <isc/parseint.h>
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/resource.h>
 #include <isc/socket.h>
+#include <isc/stats.h>
 #include <isc/stdio.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/timer.h>
 #include <isc/util.h>
+#include <isc/xml.h>
 
 #include <isccfg/namedconf.h>
 
@@ -63,6 +66,7 @@
 #include <dns/order.h>
 #include <dns/peer.h>
 #include <dns/portlist.h>
+#include <dns/rbt.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatastruct.h>
@@ -71,6 +75,7 @@
 #include <dns/secalg.h>
 #include <dns/stats.h>
 #include <dns/tkey.h>
+#include <dns/tsig.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
@@ -88,6 +93,7 @@
 #include <named/main.h>
 #include <named/os.h>
 #include <named/server.h>
+#include <named/statschannel.h>
 #include <named/tkeyconf.h>
 #include <named/tsigconf.h>
 #include <named/zoneconf.h>
@@ -101,12 +107,12 @@
  * using it has a 'result' variable and a 'cleanup' label.
  */
 #define CHECK(op) \
-	do { result = (op); 				  	 \
-	       if (result != ISC_R_SUCCESS) goto cleanup; 	 \
+	do { result = (op);					 \
+	       if (result != ISC_R_SUCCESS) goto cleanup;	 \
 	} while (0)
 
 #define CHECKM(op, msg) \
-	do { result = (op); 				  	  \
+	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS) {			  \
 			isc_log_write(ns_g_lctx,		  \
 				      NS_LOGCATEGORY_GENERAL,	  \
@@ -119,7 +125,7 @@
 	} while (0)						  \
 
 #define CHECKMF(op, msg, file) \
-	do { result = (op); 				  	  \
+	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS) {			  \
 			isc_log_write(ns_g_lctx,		  \
 				      NS_LOGCATEGORY_GENERAL,	  \
@@ -132,7 +138,7 @@
 	} while (0)						  \
 
 #define CHECKFATAL(op, msg) \
-	do { result = (op); 				  	  \
+	do { result = (op);					  \
 	       if (result != ISC_R_SUCCESS)			  \
 			fatal(msg, result);			  \
 	} while (0)						  \
@@ -209,7 +215,7 @@ static const struct {
 	/* Local IPv6 Unicast Addresses */
 	{ "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
 	{ "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA", ISC_FALSE },
-	/* LOCALLY ASSIGNED LOCAL ADDRES S SCOPE */
+	/* LOCALLY ASSIGNED LOCAL ADDRESS SCOPE */
 	{ "D.F.IP6.ARPA", ISC_FALSE },
 	{ "8.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
 	{ "9.E.F.IP6.ARPA", ISC_FALSE },	/* LINK LOCAL */
@@ -251,9 +257,8 @@ static void
 end_reserved_dispatches(ns_server_t *server, isc_boolean_t all);
 
 /*%
- * Configure a single view ACL at '*aclp'.  Get its configuration by
- * calling 'getvcacl' (for per-view configuration) and maybe 'getscacl'
- * (for a global default).
+ * Configure a single view ACL at '*aclp'.  Get its configuration from
+ * 'vconfig' (for per-view configuration) and maybe from 'config'
  */
 static isc_result_t
 configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
@@ -280,12 +285,56 @@ configure_view_acl(const cfg_obj_t *vconfig, const cfg_obj_t *config,
 	(void)ns_config_get(maps, aclname, &aclobj);
 	if (aclobj == NULL)
 		/*
-		 * No value available.  *aclp == NULL.
+		 * No value available.	*aclp == NULL.
 		 */
 		return (ISC_R_SUCCESS);
 
 	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
-				    actx, mctx, aclp);
+				    actx, mctx, 0, aclp);
+
+	return (result);
+}
+
+
+/*%
+ * Configure a sortlist at '*aclp'.  Essentially the same as
+ * configure_view_acl() except it calls cfg_acl_fromconfig with a
+ * nest_level value of 2.
+ */
+static isc_result_t
+configure_view_sortlist(const cfg_obj_t *vconfig, const cfg_obj_t *config,
+			cfg_aclconfctx_t *actx, isc_mem_t *mctx,
+			dns_acl_t **aclp)
+{
+	isc_result_t result;
+	const cfg_obj_t *maps[3];
+	const cfg_obj_t *aclobj = NULL;
+	int i = 0;
+
+	if (*aclp != NULL)
+		dns_acl_detach(aclp);
+	if (vconfig != NULL)
+		maps[i++] = cfg_tuple_get(vconfig, "options");
+	if (config != NULL) {
+		const cfg_obj_t *options = NULL;
+		(void)cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			maps[i++] = options;
+	}
+	maps[i] = NULL;
+
+	(void)ns_config_get(maps, "sortlist", &aclobj);
+	if (aclobj == NULL)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * Use a nest level of 3 for the "top level" of the sortlist;
+	 * this means each entry in the top three levels will be stored
+	 * as lists of separate, nested ACLs, rather than merged together
+	 * into IP tables as is usually done with ACLs.
+	 */
+	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx,
+				    actx, mctx, 3, aclp);
 
 	return (result);
 }
@@ -398,7 +447,7 @@ configure_view_dnsseckey(const cfg_obj_t *vconfig, const cfg_obj_t *key,
  * the security roots.
  *
  * The per-view configuration values and the server-global defaults are read
- * from 'vconfig' and 'config'.  The variable to be configured is '*target'.
+ * from 'vconfig' and 'config'.	 The variable to be configured is '*target'.
  */
 static isc_result_t
 configure_view_dnsseckeys(const cfg_obj_t *vconfig, const cfg_obj_t *config,
@@ -694,6 +743,11 @@ configure_peer(const cfg_obj_t *cpeer, isc_mem_t *mctx, dns_peer_t **peerp) {
 		CHECK(dns_peer_setrequestixfr(peer, cfg_obj_asboolean(obj)));
 
 	obj = NULL;
+	(void)cfg_map_get(cpeer, "request-nsid", &obj);
+	if (obj != NULL)
+		CHECK(dns_peer_setrequestnsid(peer, cfg_obj_asboolean(obj)));
+
+	obj = NULL;
 	(void)cfg_map_get(cpeer, "edns", &obj);
 	if (obj != NULL)
 		CHECK(dns_peer_setsupportedns(peer, cfg_obj_asboolean(obj)));
@@ -901,6 +955,41 @@ check_dbtype(dns_zone_t **zonep, unsigned int dbtypec, const char **dbargv,
 	isc_mem_free(mctx, argv);
 }
 
+static isc_result_t
+setquerystats(dns_zone_t *zone, isc_mem_t *mctx, isc_boolean_t on) {
+	isc_result_t result;
+	isc_stats_t *zoneqrystats;
+
+	zoneqrystats = NULL;
+	if (on) {
+		result = isc_stats_create(mctx, &zoneqrystats,
+					  dns_nsstatscounter_max);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	dns_zone_setrequeststats(zone, zoneqrystats);
+	if (zoneqrystats != NULL)
+		isc_stats_detach(&zoneqrystats);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_boolean_t
+cache_reusable(dns_view_t *originview, dns_view_t *view,
+	       isc_boolean_t new_zero_no_soattl)
+{
+	if (originview->checknames != view->checknames ||
+	    dns_resolver_getzeronosoattl(originview->resolver) !=
+	    new_zero_no_soattl ||
+	    originview->acceptexpired != view->acceptexpired ||
+	    originview->enablevalidation != view->enablevalidation ||
+	    originview->maxcachettl != view->maxcachettl ||
+	    originview->maxncachettl != view->maxncachettl) {
+		return (ISC_FALSE);
+	}
+
+	return (ISC_TRUE);
+}
 
 /*
  * Configure 'view' according to 'vconfig', taking defaults from 'config'
@@ -947,7 +1036,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	const char *str;
 	dns_order_t *order = NULL;
 	isc_uint32_t udpsize;
-	unsigned int check = 0;
+	unsigned int resopts = 0;
 	dns_zone_t *zone = NULL;
 	isc_uint32_t max_clients_per_query;
 	const char *sep = ": view ";
@@ -956,6 +1045,9 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	isc_boolean_t rfc1918;
 	isc_boolean_t empty_zones_enable;
 	const cfg_obj_t *disablelist = NULL;
+	isc_stats_t *resstats = NULL;
+	dns_stats_t *resquerystats = NULL;
+	isc_boolean_t zero_no_soattl;
 
 	REQUIRE(DNS_VIEW_VALID(view));
 
@@ -1005,6 +1097,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		CHECK(isc_mem_create(0, 0, &cmctx));
 		CHECK(dns_acache_create(&view->acache, cmctx, ns_g_taskmgr,
 					ns_g_timermgr));
+		isc_mem_setname(cmctx, "acache", NULL);
 		isc_mem_detach(&cmctx);
 	}
 	if (view->acache != NULL) {
@@ -1096,17 +1189,70 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 #endif
 
 	/*
+	 * Obtain configuration parameters that affect the decision of whether
+	 * we can reuse/share an existing cache.
+	 */
+	/* Check-names. */
+	obj = NULL;
+	result = ns_checknames_get(maps, "response", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+
+	str = cfg_obj_asstring(obj);
+	if (strcasecmp(str, "fail") == 0) {
+		resopts |= DNS_RESOLVER_CHECKNAMES |
+			DNS_RESOLVER_CHECKNAMESFAIL;
+		view->checknames = ISC_TRUE;
+	} else if (strcasecmp(str, "warn") == 0) {
+		resopts |= DNS_RESOLVER_CHECKNAMES;
+		view->checknames = ISC_FALSE;
+	} else if (strcasecmp(str, "ignore") == 0) {
+		view->checknames = ISC_FALSE;
+	} else
+		INSIST(0);
+
+	obj = NULL;
+	result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	zero_no_soattl = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->acceptexpired = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "dnssec-validation", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->enablevalidation = cfg_obj_asboolean(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "max-cache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->maxcachettl = cfg_obj_asuint32(obj);
+
+	obj = NULL;
+	result = ns_config_get(maps, "max-ncache-ttl", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->maxncachettl = cfg_obj_asuint32(obj);
+	if (view->maxncachettl > 7 * 24 * 3600)
+		view->maxncachettl = 7 * 24 * 3600;
+
+	/*
 	 * Configure the view's cache.  Try to reuse an existing
 	 * cache if possible, otherwise create a new cache.
 	 * Note that the ADB is not preserved in either case.
+	 * When a matching view is found, the associated statistics are
+	 * also retrieved and reused.
 	 *
-	 * XXX Determining when it is safe to reuse a cache is
-	 * tricky.  When the view's configuration changes, the cached
-	 * data may become invalid because it reflects our old
-	 * view of the world.  As more view attributes become
-	 * configurable, we will have to add code here to check
-	 * whether they have changed in ways that could
-	 * invalidate the cache.
+	 * XXX Determining when it is safe to reuse a cache is tricky.
+	 * When the view's configuration changes, the cached data may become
+	 * invalid because it reflects our old view of the world.  We check
+	 * some of the configuration parameters that could invalidate the cache,
+	 * but there are other configuration options that should be checked.
+	 * For example, if a view uses a forwarder, changes in the forwarder
+	 * configuration may invalidate the cache.  At the moment, it's the
+	 * administrator's responsibility to ensure these configuration options
+	 * don't invalidate reusing.
 	 */
 	result = dns_viewlist_find(&ns_g_server->viewlist,
 				   view->name, view->rdclass,
@@ -1114,17 +1260,29 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	if (result != ISC_R_NOTFOUND && result != ISC_R_SUCCESS)
 		goto cleanup;
 	if (pview != NULL) {
-		INSIST(pview->cache != NULL);
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
-			      "reusing existing cache");
-		reused_cache = ISC_TRUE;
-		dns_cache_attach(pview->cache, &cache);
+		if (cache_reusable(pview, view, zero_no_soattl)) {
+			INSIST(pview->cache != NULL);
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(3),
+				      "reusing existing cache");
+			reused_cache = ISC_TRUE;
+			dns_cache_attach(pview->cache, &cache);
+		} else {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_DEBUG(1),
+				      "cache cannot be reused for view %s "
+				      "due to configuration parameter mismatch",
+				      view->name);
+		}
+		dns_view_getresstats(pview, &resstats);
+		dns_view_getresquerystats(pview, &resquerystats);
 		dns_view_detach(&pview);
-	} else {
+	}
+	if (cache == NULL) {
 		CHECK(isc_mem_create(0, 0, &cmctx));
 		CHECK(dns_cache_create(cmctx, ns_g_taskmgr, ns_g_timermgr,
 				       view->rdclass, "rbt", 0, NULL, &cache));
+		isc_mem_setname(cmctx, "cache", NULL);
 	}
 	dns_view_setcache(view, cache);
 
@@ -1170,27 +1328,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	dns_cache_detach(&cache);
 
 	/*
-	 * Check-names.
-	 */
-	obj = NULL;
-	result = ns_checknames_get(maps, "response", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-
-	str = cfg_obj_asstring(obj);
-	if (strcasecmp(str, "fail") == 0) {
-		check = DNS_RESOLVER_CHECKNAMES |
-			DNS_RESOLVER_CHECKNAMESFAIL;
-		view->checknames = ISC_TRUE;
-	} else if (strcasecmp(str, "warn") == 0) {
-		check = DNS_RESOLVER_CHECKNAMES;
-		view->checknames = ISC_FALSE;
-	} else if (strcasecmp(str, "ignore") == 0) {
-		check = 0;
-		view->checknames = ISC_FALSE;
-	} else
-		INSIST(0);
-
-	/*
 	 * Resolver.
 	 *
 	 * XXXRTH  Hardwired number of tasks.
@@ -1210,9 +1347,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	}
 	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
 				      ns_g_socketmgr, ns_g_timermgr,
-				      check, ns_g_dispatchmgr,
+				      resopts, ns_g_dispatchmgr,
 				      dispatch4, dispatch6));
 
+	if (resstats == NULL) {
+		CHECK(isc_stats_create(mctx, &resstats,
+				       dns_resstatscounter_max));
+	}
+	dns_view_setresstats(view, resstats);
+	if (resquerystats == NULL)
+		CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
+	dns_view_setresquerystats(view, resquerystats);
+
 	/*
 	 * Set the ADB cache size to 1/8th of the max-cache-size.
 	 */
@@ -1235,11 +1381,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		lame_ttl = 1800;
 	dns_resolver_setlamettl(view->resolver, lame_ttl);
 
-	obj = NULL;
-	result = ns_config_get(maps, "zero-no-soa-ttl-cache", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	dns_resolver_setzeronosoattl(view->resolver, cfg_obj_asboolean(obj));
-
 	/*
 	 * Set the resolver's EDNS UDP size.
 	 */
@@ -1460,28 +1601,26 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	}
 
 	/*
-	 * Set "allow-query-cache" and "allow-recursion" acls if
+	 * Set "allow-query-cache", "allow-query-cache-on",
+	 * "allow-recursion", and "allow-recursion-on" acls if
 	 * configured in named.conf.
 	 */
 	CHECK(configure_view_acl(vconfig, config, "allow-query-cache",
 				 actx, ns_g_mctx, &view->queryacl));
-
-	if (strcmp(view->name, "_bind") != 0)
+	CHECK(configure_view_acl(vconfig, config, "allow-query-cache-on",
+				 actx, ns_g_mctx, &view->queryonacl));
+	if (view->queryonacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-query-cache-on", actx,
+					 ns_g_mctx, &view->queryonacl));
+	if (strcmp(view->name, "_bind") != 0) {
 		CHECK(configure_view_acl(vconfig, config, "allow-recursion",
-					 actx, ns_g_mctx, &view->recursionacl));
-
-	/*
-	 * Warning if both "recursion no;" and allow-recursion are active
-	 * except for "allow-recursion { none; };".
-	 */
-	if (!view->recursion && view->recursionacl != NULL &&
-	    (view->recursionacl->length != 1 ||
-	     view->recursionacl->elements[0].type != dns_aclelementtype_any ||
-	     view->recursionacl->elements[0].negative != ISC_TRUE))
-		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-			      "both \"recursion no;\" and \"allow-recursion\" "
-			      "active%s%s", forview, viewname);
+					 actx, ns_g_mctx,
+					 &view->recursionacl));
+		CHECK(configure_view_acl(vconfig, config, "allow-recursion-on",
+					 actx, ns_g_mctx,
+					 &view->recursiononacl));
+	}
 
 	/*
 	 * "allow-query-cache" inherits from "allow-recursion" if set,
@@ -1491,25 +1630,66 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	 */
 	if (view->queryacl == NULL && view->recursionacl != NULL)
 		dns_acl_attach(view->recursionacl, &view->queryacl);
-	if (view->queryacl == NULL)
+	if (view->queryacl == NULL && view->recursion)
 		CHECK(configure_view_acl(vconfig, config, "allow-query",
 					 actx, ns_g_mctx, &view->queryacl));
-	if (view->recursionacl == NULL && view->queryacl != NULL)
+	if (view->recursion &&
+	    view->recursionacl == NULL && view->queryacl != NULL)
 		dns_acl_attach(view->queryacl, &view->recursionacl);
 
 	/*
-	 * Set default "allow-recursion" and "allow-query-cache" acls.
+	 * Set default "allow-recursion", "allow-recursion-on" and
+	 * "allow-query-cache" acls.
 	 */
 	if (view->recursionacl == NULL && view->recursion)
-		CHECK(configure_view_acl(NULL, ns_g_config, "allow-recursion",
-					 actx, ns_g_mctx, &view->recursionacl));
-	if (view->queryacl == NULL)
 		CHECK(configure_view_acl(NULL, ns_g_config,
-					 "allow-query-cache", actx,
-					 ns_g_mctx, &view->queryacl));
+					 "allow-recursion",
+					 actx, ns_g_mctx,
+					 &view->recursionacl));
+	if (view->recursiononacl == NULL && view->recursion)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-recursion-on",
+					 actx, ns_g_mctx,
+					 &view->recursiononacl));
+	if (view->queryacl == NULL) {
+		if (view->recursion)
+			CHECK(configure_view_acl(NULL, ns_g_config,
+						 "allow-query-cache", actx,
+						 ns_g_mctx, &view->queryacl));
+		else {
+			if (view->queryacl != NULL)
+				dns_acl_detach(&view->queryacl);
+			CHECK(dns_acl_none(ns_g_mctx, &view->queryacl));
+		}
+	}
+
+	/*
+	 * Configure sortlist, if set
+	 */
+	CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
+				      &view->sortlist));
 
-	CHECK(configure_view_acl(vconfig, config, "sortlist",
-				 actx, ns_g_mctx, &view->sortlist));
+	/*
+	 * Configure default allow-transfer, allow-notify, allow-update
+	 * and allow-update-forwarding ACLs, if set, so they can be
+	 * inherited by zones.
+	 */
+	if (view->notifyacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-notify", actx,
+					 ns_g_mctx, &view->notifyacl));
+	if (view->transferacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-transfer", actx,
+					 ns_g_mctx, &view->transferacl));
+	if (view->updateacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-update", actx,
+					 ns_g_mctx, &view->updateacl));
+	if (view->upfwdacl == NULL)
+		CHECK(configure_view_acl(NULL, ns_g_config,
+					 "allow-update-forwarding", actx,
+					 ns_g_mctx, &view->upfwdacl));
 
 	obj = NULL;
 	result = ns_config_get(maps, "request-ixfr", &obj);
@@ -1522,6 +1702,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	view->provideixfr = cfg_obj_asboolean(obj);
 
 	obj = NULL;
+	result = ns_config_get(maps, "request-nsid", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	view->requestnsid = cfg_obj_asboolean(obj);
+
+	obj = NULL;
 	result = ns_config_get(maps, "max-clients-per-query", &obj);
 	INSIST(result == ISC_R_SUCCESS);
 	max_clients_per_query = cfg_obj_asuint32(obj);
@@ -1539,16 +1724,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 	view->enablednssec = cfg_obj_asboolean(obj);
 
 	obj = NULL;
-	result = ns_config_get(maps, "dnssec-accept-expired", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->acceptexpired = cfg_obj_asboolean(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "dnssec-validation", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->enablevalidation = cfg_obj_asboolean(obj);
-
-	obj = NULL;
 	result = ns_config_get(maps, "dnssec-lookaside", &obj);
 	if (result == ISC_R_SUCCESS) {
 		for (element = cfg_list_first(obj);
@@ -1603,18 +1778,6 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		CHECK(mustbesecure(obj, view->resolver));
 
 	obj = NULL;
-	result = ns_config_get(maps, "max-cache-ttl", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->maxcachettl = cfg_obj_asuint32(obj);
-
-	obj = NULL;
-	result = ns_config_get(maps, "max-ncache-ttl", &obj);
-	INSIST(result == ISC_R_SUCCESS);
-	view->maxncachettl = cfg_obj_asuint32(obj);
-	if (view->maxncachettl > 7 * 24 * 3600)
-		view->maxncachettl = 7 * 24 * 3600;
-
-	obj = NULL;
 	result = ns_config_get(maps, "preferred-glue", &obj);
 	if (result == ISC_R_SUCCESS) {
 		str = cfg_obj_asstring(obj);
@@ -1690,6 +1853,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		const char *empty_dbtype[4] =
 				    { "_builtin", "empty", NULL, NULL };
 		int empty_dbtypec = 4;
+		isc_boolean_t zonestats_on;
 
 		dns_fixedname_init(&fixed);
 		name = dns_fixedname_name(&fixed);
@@ -1724,6 +1888,11 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		} else
 			empty_dbtype[3] = ".";
 
+		obj = NULL;
+		result = ns_config_get(maps, "zone-statistics", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		zonestats_on = cfg_obj_asboolean(obj);
+
 		logit = ISC_TRUE;
 		for (empty = empty_zones[empty_zone].zone;
 		     empty != NULL;
@@ -1748,6 +1917,7 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			 */
 			(void)dns_view_findzone(view, name, &zone);
 			if (zone != NULL) {
+				CHECK(setquerystats(zone, mctx, zonestats_on));
 				dns_zone_detach(&zone);
 				continue;
 			}
@@ -1798,6 +1968,8 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 				if (zone != NULL) {
 					dns_zone_setview(zone, view);
 					CHECK(dns_view_addzone(view, zone));
+					CHECK(setquerystats(zone, mctx,
+							    zonestats_on));
 					dns_zone_detach(&zone);
 					continue;
 				}
@@ -1809,14 +1981,18 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 			CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
 			dns_zone_setclass(zone, view->rdclass);
 			dns_zone_settype(zone, dns_zone_master);
+			dns_zone_setstats(zone, ns_g_server->zonestats);
 			CHECK(dns_zone_setdbtype(zone, empty_dbtypec,
 						 empty_dbtype));
 			if (view->queryacl != NULL)
 				dns_zone_setqueryacl(zone, view->queryacl);
+			if (view->queryonacl != NULL)
+				dns_zone_setqueryonacl(zone, view->queryonacl);
 			dns_zone_setdialup(zone, dns_dialuptype_no);
 			dns_zone_setnotifytype(zone, dns_notifytype_no);
 			dns_zone_setoption(zone, DNS_ZONEOPT_NOCHECKNS,
 					   ISC_TRUE);
+			CHECK(setquerystats(zone, mctx, zonestats_on));
 			CHECK(dns_view_addzone(view, zone));
 			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
@@ -1835,6 +2011,10 @@ configure_view(dns_view_t *view, const cfg_obj_t *config,
 		dns_dispatch_detach(&dispatch4);
 	if (dispatch6 != NULL)
 		dns_dispatch_detach(&dispatch6);
+	if (resstats != NULL)
+		isc_stats_detach(&resstats);
+	if (resquerystats != NULL)
+		dns_stats_detach(&resquerystats);
 	if (order != NULL)
 		dns_order_detach(&order);
 	if (cmctx != NULL)
@@ -1959,6 +2139,8 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	isc_result_t result;
 	in_port_t port;
 
+	ISC_LIST_INIT(addresses);
+
 	/*
 	 * Determine which port to send forwarded requests to.
 	 */
@@ -1984,8 +2166,6 @@ configure_forward(const cfg_obj_t *config, dns_view_t *view, dns_name_t *origin,
 	if (forwarders != NULL)
 		faddresses = cfg_tuple_get(forwarders, "addresses");
 
-	ISC_LIST_INIT(addresses);
-
 	for (element = cfg_list_first(faddresses);
 	     element != NULL;
 	     element = cfg_list_next(element))
@@ -2283,6 +2463,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 		if (view->acache != NULL)
 			dns_zone_setacache(zone, view->acache);
 		CHECK(dns_zonemgr_managezone(ns_g_server->zonemgr, zone));
+		dns_zone_setstats(zone, ns_g_server->zonestats);
 	}
 
 	/*
@@ -2398,25 +2579,23 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
 {
 	ns_listenelt_t *lelt = NULL;
 	dns_acl_t *src_acl = NULL;
-	dns_aclelement_t aelt;
 	isc_result_t result;
 	isc_sockaddr_t any_sa6;
+	isc_netaddr_t netaddr;
 
 	REQUIRE(isc_sockaddr_pf(addr) == AF_INET6);
 
 	isc_sockaddr_any6(&any_sa6);
 	if (!isc_sockaddr_equal(&any_sa6, addr) &&
 	    (wcardport_ok || isc_sockaddr_getport(addr) != 0)) {
-		aelt.type = dns_aclelementtype_ipprefix;
-		aelt.negative = ISC_FALSE;
-		aelt.u.ip_prefix.prefixlen = 128;
-		isc_netaddr_fromin6(&aelt.u.ip_prefix.address,
-				    &addr->type.sin6.sin6_addr);
+		isc_netaddr_fromin6(&netaddr, &addr->type.sin6.sin6_addr);
 
-		result = dns_acl_create(mctx, 1, &src_acl);
+		result = dns_acl_create(mctx, 0, &src_acl);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		result = dns_acl_appendelement(src_acl, &aelt);
+
+		result = dns_iptable_addprefix(src_acl->iptable,
+					       &netaddr, 128, ISC_TRUE);
 		if (result != ISC_R_SUCCESS)
 			goto clean;
 
@@ -2900,6 +3079,9 @@ load_configuration(const char *filename, ns_server_t *server,
 	INSIST(result == ISC_R_SUCCESS);
 	server->aclenv.match_mapped = cfg_obj_asboolean(obj);
 
+	CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
+	       "configuring statistics server(s)");
+
 	/*
 	 * Configure sets of UDP query source ports.
 	 */
@@ -3059,11 +3241,13 @@ load_configuration(const char *filename, ns_server_t *server,
 							  ns_g_mctx,
 							  &listenon);
 		} else if (!ns_g_lwresdonly) {
+			isc_boolean_t enable;
 			/*
 			 * Not specified, use default.
 			 */
+			enable = ISC_TF(isc_net_probeipv4() != ISC_R_SUCCESS);
 			CHECK(ns_listenlist_default(ns_g_mctx, listen_port,
-						    ISC_FALSE, &listenon));
+						    enable, &listenon));
 		}
 		if (listenon != NULL) {
 			ns_interfacemgr_setlistenon6(server->interfacemgr,
@@ -3370,8 +3554,17 @@ load_configuration(const char *filename, ns_server_t *server,
 
 	obj = NULL;
 	if (options != NULL &&
-	    cfg_map_get(options, "memstatistics-file", &obj) == ISC_R_SUCCESS)
+	    cfg_map_get(options, "memstatistics", &obj) == ISC_R_SUCCESS)
+		ns_g_memstatistics = cfg_obj_asboolean(obj);
+	else
+		ns_g_memstatistics =
+			ISC_TF((isc_mem_debugging & ISC_MEM_DEBUGRECORD) != 0);
+
+	obj = NULL;
+	if (ns_config_get(maps, "memstatistics-file", &obj) == ISC_R_SUCCESS)
 		ns_main_setmemstats(cfg_obj_asstring(obj));
+	else if (ns_g_memstatistics)
+		ns_main_setmemstats("named.memstats");
 	else
 		ns_main_setmemstats(NULL);
 
@@ -3415,8 +3608,12 @@ load_configuration(const char *filename, ns_server_t *server,
 	result = ns_config_get(maps, "server-id", &obj);
 	server->server_usehostname = ISC_FALSE;
 	if (result == ISC_R_SUCCESS && cfg_obj_isboolean(obj)) {
-		server->server_usehostname = ISC_TRUE;
+		/* The parser translates "hostname" to ISC_TRUE */
+		server->server_usehostname = cfg_obj_asboolean(obj);
+		result = setstring(server, &server->server_id, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 	} else if (result == ISC_R_SUCCESS) {
+		/* Found a quoted string */
 		CHECKM(setoptstring(server, &server->server_id, obj), "strdup");
 	} else {
 		result = setstring(server, &server->server_id, NULL);
@@ -3555,6 +3752,8 @@ run_server(isc_task_t *task, isc_event_t *event) {
 					  &ns_g_dispatchmgr),
 		   "creating dispatch manager");
 
+	dns_dispatchmgr_setstats(ns_g_dispatchmgr, server->resolverstats);
+
 	CHECKFATAL(ns_interfacemgr_create(ns_g_mctx, ns_g_taskmgr,
 					  ns_g_socketmgr, ns_g_dispatchmgr,
 					  &server->interfacemgr),
@@ -3622,6 +3821,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 		      ISC_LOG_INFO, "shutting down%s",
 		      flush ? ": flushing changes" : "");
 
+	ns_statschannels_shutdown(server);
 	ns_controls_shutdown(server->controls);
 	end_reserved_dispatches(server, ISC_TRUE);
 
@@ -3742,7 +3942,16 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->statsfile = isc_mem_strdup(server->mctx, "named.stats");
 	CHECKFATAL(server->statsfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "isc_mem_strdup");
-	server->querystats = NULL;
+	server->nsstats = NULL;
+	server->rcvquerystats = NULL;
+	server->opcodestats = NULL;
+	server->zonestats = NULL;
+	server->resolverstats = NULL;
+	server->sockstats = NULL;
+	CHECKFATAL(isc_stats_create(server->mctx, &server->sockstats,
+				    isc_sockstatscounter_max),
+		   "isc_stats_create");
+	isc_socketmgr_setstats(ns_g_socketmgr, server->sockstats);
 
 	server->dumpfile = isc_mem_strdup(server->mctx, "named_dump.db");
 	CHECKFATAL(server->dumpfile == NULL ? ISC_R_NOMEMORY : ISC_R_SUCCESS,
@@ -3759,8 +3968,24 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->server_usehostname = ISC_FALSE;
 	server->server_id = NULL;
 
-	CHECKFATAL(dns_stats_alloccounters(ns_g_mctx, &server->querystats),
-		   "dns_stats_alloccounters");
+	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->nsstats,
+				    dns_nsstatscounter_max),
+		   "dns_stats_create (server)");
+
+	CHECKFATAL(dns_rdatatypestats_create(ns_g_mctx,
+					     &server->rcvquerystats),
+		   "dns_stats_create (rcvquery)");
+
+	CHECKFATAL(dns_opcodestats_create(ns_g_mctx, &server->opcodestats),
+		   "dns_stats_create (opcode)");
+
+	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->zonestats,
+				    dns_zonestatscounter_max),
+		   "dns_stats_create (zone)");
+
+	CHECKFATAL(isc_stats_create(ns_g_mctx, &server->resolverstats,
+				    dns_resstatscounter_max),
+		   "dns_stats_create (resolver)");
 
 	server->flushonshutdown = ISC_FALSE;
 	server->log_queries = ISC_FALSE;
@@ -3771,6 +3996,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 	server->dispatchgen = 0;
 	ISC_LIST_INIT(server->dispatches);
 
+	ISC_LIST_INIT(server->statschannels);
+
 	server->magic = NS_SERVER_MAGIC;
 	*serverp = server;
 }
@@ -3782,7 +4009,12 @@ ns_server_destroy(ns_server_t **serverp) {
 
 	ns_controls_destroy(&server->controls);
 
-	dns_stats_freecounters(server->mctx, &server->querystats);
+	isc_stats_detach(&server->nsstats);
+	dns_stats_detach(&server->rcvquerystats);
+	dns_stats_detach(&server->opcodestats);
+	isc_stats_detach(&server->zonestats);
+	isc_stats_detach(&server->resolverstats);
+	isc_stats_detach(&server->sockstats);
 
 	isc_mem_free(server->mctx, server->statsfile);
 	isc_mem_free(server->mctx, server->dumpfile);
@@ -3936,13 +4168,17 @@ loadconfig(ns_server_t *server) {
 	result = load_configuration(ns_g_lwresdonly ?
 				    lwresd_g_conffile : ns_g_conffile,
 				    server, ISC_FALSE);
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
 		end_reserved_dispatches(server, ISC_FALSE);
-	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reloading configuration succeeded");
+	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "reloading configuration failed: %s",
 			      isc_result_totext(result));
+	}
 	return (result);
 }
 
@@ -3952,12 +4188,16 @@ reload(ns_server_t *server) {
 	CHECK(loadconfig(server));
 
 	result = load_zones(server, ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "reloading zones succeeded");
+	else
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "reloading zones failed: %s",
 			      isc_result_totext(result));
-	}
+
  cleanup:
 	return (result);
 }
@@ -3968,12 +4208,16 @@ reconfig(ns_server_t *server) {
 	CHECK(loadconfig(server));
 
 	result = load_new_zones(server, ISC_FALSE);
-	if (result != ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "any newly configured zones are now loaded");
+	else
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "loading new zones failed: %s",
 			      isc_result_totext(result));
-	}
+
  cleanup: ;
 }
 
@@ -3987,6 +4231,9 @@ ns_server_reload(isc_task_t *task, isc_event_t *event) {
 	INSIST(task = server->task);
 	UNUSED(task);
 
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "received SIGHUP signal to reload zones");
 	(void)reload(server);
 
 	LOCK(&server->reload_event_lock);
@@ -4068,23 +4315,28 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep) {
 		result = dns_rdataclass_fromtext(&rdclass, &r);
 		if (result != ISC_R_SUCCESS)
 			goto fail1;
-	} else {
+	} else
 		rdclass = dns_rdataclass_in;
-	}
 
-	if (viewtxt == NULL)
-		viewtxt = "_default";
-	result = dns_viewlist_find(&server->viewlist, viewtxt,
-				   rdclass, &view);
-	if (result != ISC_R_SUCCESS)
-		goto fail1;
+	if (viewtxt == NULL) {
+		result = dns_viewlist_findzone(&server->viewlist,
+					       dns_fixedname_name(&name),
+					       ISC_TF(classtxt == NULL),
+					       rdclass, zonep);
+	} else {
+		result = dns_viewlist_find(&server->viewlist, viewtxt,
+					   rdclass, &view);
+		if (result != ISC_R_SUCCESS)
+			goto fail1;
+
+		result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
+				     0, NULL, zonep);
+		dns_view_detach(&view);
+	}
 
-	result = dns_zt_find(view->zonetable, dns_fixedname_name(&name),
-			     0, NULL, zonep);
 	/* Partial match? */
 	if (result != ISC_R_SUCCESS && *zonep != NULL)
 		dns_zone_detach(zonep);
-	dns_view_detach(&view);
  fail1:
 	return (result);
 }
@@ -4313,7 +4565,8 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 		return (result);
 
 	result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"),
-				   config, ns_g_lctx, actx, mctx, &delt->acl);
+				   config, ns_g_lctx, actx, mctx, 0,
+				   &delt->acl);
 	if (result != ISC_R_SUCCESS) {
 		ns_listenelt_destroy(delt);
 		return (result);
@@ -4325,61 +4578,26 @@ ns_listenelt_fromconfig(const cfg_obj_t *listener, const cfg_obj_t *config,
 isc_result_t
 ns_server_dumpstats(ns_server_t *server) {
 	isc_result_t result;
-	dns_zone_t *zone, *next;
-	isc_stdtime_t now;
 	FILE *fp = NULL;
-	int i;
-	int ncounters;
-
-	isc_stdtime_get(&now);
 
 	CHECKMF(isc_stdio_open(server->statsfile, "a", &fp),
 		"could not open statistics dump file", server->statsfile);
 
-	ncounters = DNS_STATS_NCOUNTERS;
-	fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
-
-	for (i = 0; i < ncounters; i++)
-		fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT "u\n",
-			dns_statscounter_names[i],
-			server->querystats[i]);
-
-	zone = NULL;
-	for (result = dns_zone_first(server->zonemgr, &zone);
-	     result == ISC_R_SUCCESS;
-	     next = NULL, result = dns_zone_next(zone, &next), zone = next)
-	{
-		isc_uint64_t *zonestats = dns_zone_getstatscounters(zone);
-		if (zonestats != NULL) {
-			char zonename[DNS_NAME_FORMATSIZE];
-			dns_view_t *view;
-			char *viewname;
-
-			dns_name_format(dns_zone_getorigin(zone),
-					zonename, sizeof(zonename));
-			view = dns_zone_getview(zone);
-			viewname = view->name;
-			for (i = 0; i < ncounters; i++) {
-				fprintf(fp, "%s %" ISC_PRINT_QUADFORMAT
-					"u %s",
-					dns_statscounter_names[i],
-					zonestats[i],
-					zonename);
-				if (strcmp(viewname, "_default") != 0)
-					fprintf(fp, " %s", viewname);
-				fprintf(fp, "\n");
-			}
-		}
-	}
-	if (result == ISC_R_NOMORE)
-		result = ISC_R_SUCCESS;
+	result = ns_stats_dump(server, fp);
 	CHECK(result);
 
-	fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
-
  cleanup:
 	if (fp != NULL)
 		(void)isc_stdio_close(fp);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumpstats complete");
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumpstats failed: %s",
+			      dns_result_totext(result));
 	return (result);
 }
 
@@ -4564,7 +4782,7 @@ dumpdone(void *arg, isc_result_t result) {
  cleanup:
 	if (result != ISC_R_SUCCESS)
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
-			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
 			      "dumpdb failed: %s", dns_result_totext(result));
 	dumpcontext_destroy(dctx);
 }
@@ -4661,6 +4879,15 @@ ns_server_dumprecursing(ns_server_t *server) {
  cleanup:
 	if (fp != NULL)
 		result = isc_stdio_close(fp);
+	if (result == ISC_R_SUCCESS)
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+			      "dumprecursing complete");
+	else
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+			      "dumprecursing failed: %s",
+			      dns_result_totext(result));
 	return (result);
 }
 
@@ -4690,6 +4917,9 @@ ns_server_setdebuglevel(ns_server_t *server, char *args) {
 		ns_g_debuglevel = (unsigned int)newlevel;
 	}
 	isc_log_setdebuglevel(ns_g_lctx, ns_g_debuglevel);
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+		      "debug level is now %d", ns_g_debuglevel);
 	return (ISC_R_SUCCESS);
 }
 
@@ -4774,15 +5004,33 @@ ns_server_flushcache(ns_server_t *server, char *args) {
 			continue;
 		found = ISC_TRUE;
 		result = dns_view_flushcache(view);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			flushed = ISC_FALSE;
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing cache in view '%s' failed: %s",
+				      view->name, isc_result_totext(result));
+		}
 	}
 	if (flushed && found) {
+		if (viewname != NULL)
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing cache in view '%s' succeeded",
+				      viewname);
+		else
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing caches in all views succeeded");
 		result = ISC_R_SUCCESS;
 	} else {
-		if (!found)
+		if (!found) {
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing cache in view '%s' failed: "
+				      "view not found", viewname);
 			result = ISC_R_NOTFOUND;
-		else
+		} else
 			result = ISC_R_FAILURE;
 	}
 	isc_task_endexclusive(server->task);
@@ -4833,15 +5081,36 @@ ns_server_flushname(ns_server_t *server, char *args) {
 			continue;
 		found = ISC_TRUE;
 		result = dns_view_flushname(view, name);
-		if (result != ISC_R_SUCCESS)
+		if (result != ISC_R_SUCCESS) {
 			flushed = ISC_FALSE;
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing name '%s' in cache view '%s' "
+				      "failed: %s", target, view->name,
+				      isc_result_totext(result));
+		}
 	}
-	if (flushed && found)
+	if (flushed && found) {
+		if (viewname != NULL)
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing name '%s' in cache view '%s' "
+				      "succeeded", target, viewname);
+		else
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_INFO,
+				      "flushing name '%s' in all cache views "
+				      "succeeded", target);
 		result = ISC_R_SUCCESS;
-	else if (!found)
-		result = ISC_R_NOTFOUND;
-	else
+	} else {
+		if (!found)
+			isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+				      NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
+				      "flushing name '%s' in cache view '%s' "
+				      "failed: view not found", target,
+				      viewname);
 		result = ISC_R_FAILURE;
+	}
 	isc_task_endexclusive(server->task);
 	return (result);
 }
@@ -4850,7 +5119,16 @@ isc_result_t
 ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 	int zonecount, xferrunning, xferdeferred, soaqueries;
 	unsigned int n;
+	const char *ob = "", *cb = "", *alt = "";
 
+	if (ns_g_server->version_set) {
+		ob = " (";
+		cb = ")";
+		if (ns_g_server->version == NULL)
+			alt = "version.bind/txt/ch disabled";
+		else
+			alt = ns_g_server->version;
+	}
 	zonecount = dns_zonemgr_getcount(server->zonemgr, DNS_ZONESTATE_ANY);
 	xferrunning = dns_zonemgr_getcount(server->zonemgr,
 					   DNS_ZONESTATE_XFERRUNNING);
@@ -4858,8 +5136,14 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 					    DNS_ZONESTATE_XFERDEFERRED);
 	soaqueries = dns_zonemgr_getcount(server->zonemgr,
 					  DNS_ZONESTATE_SOAQUERY);
+
 	n = snprintf((char *)isc_buffer_used(text),
 		     isc_buffer_availablelength(text),
+		     "version: %s%s%s%s\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		     "CPUs found: %u\n"
+		     "worker threads: %u\n"
+#endif
 		     "number of zones: %u\n"
 		     "debug level: %d\n"
 		     "xfers running: %u\n"
@@ -4869,6 +5153,10 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 		     "recursive clients: %d/%d/%d\n"
 		     "tcp clients: %d/%d\n"
 		     "server is up and running",
+		     ns_g_version, ob, alt, cb,
+#ifdef ISC_PLATFORM_USETHREADS
+		     ns_g_cpus_detected, ns_g_cpus,
+#endif
 		     zonecount, ns_g_debuglevel, xferrunning, xferdeferred,
 		     soaqueries, server->log_queries ? "ON" : "OFF",
 		     server->recursionquota.used, server->recursionquota.soft,
@@ -4880,6 +5168,235 @@ ns_server_status(ns_server_t *server, isc_buffer_t *text) {
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+delete_keynames(dns_tsig_keyring_t *ring, char *target,
+		unsigned int *foundkeys)
+{
+	char namestr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+
+	dns_name_init(&foundname, NULL);
+	dns_fixedname_init(&fixedorigin);
+	origin = dns_fixedname_name(&fixedorigin);
+
+ again:
+	dns_rbtnodechain_init(&chain, ring->mctx);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+					origin);
+	if (result == ISC_R_NOTFOUND) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (result);
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+
+		if (tkey != NULL) {
+			if (!tkey->generated)
+				goto nextkey;
+
+			dns_name_format(&tkey->name, namestr, sizeof(namestr));
+			if (strcmp(namestr, target) == 0) {
+				(*foundkeys)++;
+				dns_rbtnodechain_invalidate(&chain);
+				(void)dns_rbt_deletename(ring->keys,
+							 &tkey->name,
+							 ISC_FALSE);
+				goto again;
+			}
+		}
+
+	nextkey:
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result == ISC_R_NOMORE)
+			break;
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsigdelete(ns_server_t *server, char *command, isc_buffer_t *text) {
+	isc_result_t result;
+	unsigned int n;
+	dns_view_t *view;
+	unsigned int foundkeys = 0;
+	char *target;
+	char *viewname;
+
+	(void)next_token(&command, " \t");  /* skip command name */
+	target = next_token(&command, " \t");
+	if (target == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	viewname = next_token(&command, " \t");
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (viewname == NULL || strcmp(view->name, viewname) == 0) {
+			RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_write);
+			result = delete_keynames(view->dynamickeys, target,
+						 &foundkeys);
+			RWUNLOCK(&view->dynamickeys->lock,
+				 isc_rwlocktype_write);
+			if (result != ISC_R_SUCCESS) {
+				isc_task_endexclusive(server->task);
+				return (result);
+			}
+		}
+	}
+	isc_task_endexclusive(server->task);
+
+	n = snprintf((char *)isc_buffer_used(text),
+		     isc_buffer_availablelength(text),
+		     "%d tsig keys deleted.\n", foundkeys);
+	if (n >= isc_buffer_availablelength(text)) {
+		isc_task_endexclusive(server->task);
+		return (ISC_R_NOSPACE);
+	}
+	isc_buffer_add(text, n);
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+list_keynames(dns_view_t *view, dns_tsig_keyring_t *ring, isc_buffer_t *text,
+	     unsigned int *foundkeys)
+{
+	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+	unsigned int n;
+	const char *viewname;
+
+	if (view != NULL)
+		viewname = view->name;
+	else
+		viewname = "(global)";
+
+	dns_name_init(&foundname, NULL);
+	dns_fixedname_init(&fixedorigin);
+	origin = dns_fixedname_name(&fixedorigin);
+	dns_rbtnodechain_init(&chain, ring->mctx);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+					origin);
+	if (result == ISC_R_NOTFOUND) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return (result);
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+
+		if (tkey != NULL) {
+			(*foundkeys)++;
+			dns_name_format(&tkey->name, namestr, sizeof(namestr));
+			if (tkey->generated) {
+				dns_name_format(tkey->creator, creatorstr,
+						sizeof(creatorstr));
+				n = snprintf((char *)isc_buffer_used(text),
+					     isc_buffer_availablelength(text),
+					     "view \"%s\"; type \"dynamic\"; key \"%s\"; creator \"%s\";\n",
+					     viewname, namestr, creatorstr);
+			} else {
+				n = snprintf((char *)isc_buffer_used(text),
+					     isc_buffer_availablelength(text),
+					     "view \"%s\"; type \"static\"; key \"%s\";\n",
+					     viewname, namestr);
+			}
+			if (n >= isc_buffer_availablelength(text)) {
+				dns_rbtnodechain_invalidate(&chain);
+				return (ISC_R_NOSPACE);
+			}
+			isc_buffer_add(text, n);
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname, origin);
+		if (result == ISC_R_NOMORE)
+			break;
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return (result);
+		}
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+ns_server_tsiglist(ns_server_t *server, isc_buffer_t *text) {
+	isc_result_t result;
+	unsigned int n;
+	dns_view_t *view;
+	unsigned int foundkeys = 0;
+
+	result = isc_task_beginexclusive(server->task);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		RWLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+		result = list_keynames(view, view->statickeys, text,
+				       &foundkeys);
+		RWUNLOCK(&view->statickeys->lock, isc_rwlocktype_read);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_endexclusive(server->task);
+			return (result);
+		}
+		RWLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+		result = list_keynames(view, view->dynamickeys, text,
+				       &foundkeys);
+		RWUNLOCK(&view->dynamickeys->lock, isc_rwlocktype_read);
+		if (result != ISC_R_SUCCESS) {
+			isc_task_endexclusive(server->task);
+			return (result);
+		}
+	}
+	isc_task_endexclusive(server->task);
+
+	if (foundkeys == 0) {
+		n = snprintf((char *)isc_buffer_used(text),
+			     isc_buffer_availablelength(text),
+			     "no tsig keys found.\n");
+		if (n >= isc_buffer_availablelength(text)) {
+			isc_task_endexclusive(server->task);
+			return (ISC_R_NOSPACE);
+		}
+		isc_buffer_add(text, n);
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
 /*
  * Act on a "freeze" or "thaw" command from the command channel.
  */
diff --git a/bin/named/sortlist.c b/bin/named/sortlist.c
index 28f0360..daefa07 100644
--- a/bin/named/sortlist.c
+++ b/bin/named/sortlist.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sortlist.c,v 1.9.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: sortlist.c,v 1.17 2007/09/14 01:46:05 marka Exp $ */
 
 /*! \file */
 
@@ -51,15 +51,19 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 		const dns_aclelement_t *matched_elt = NULL;
 
 		if (e->type == dns_aclelementtype_nestedacl) {
-			dns_acl_t *inner = e->u.nestedacl;
+			dns_acl_t *inner = e->nestedacl;
 
-			if (inner->length < 1 || inner->length > 2)
+			if (inner->length == 0)
+				try_elt = e;
+			else if (inner->length > 2)
 				goto dont_sort;
-			if (inner->elements[0].negative)
+			else if (inner->elements[0].negative)
 				goto dont_sort;
-			try_elt = &inner->elements[0];
-			if (inner->length == 2)
-				order_elt = &inner->elements[1];
+			else {
+				try_elt = &inner->elements[0];
+				if (inner->length == 2)
+					order_elt = &inner->elements[1];
+			}
 		} else {
 			/*
 			 * BIND 8 allows bare elements at the top level
@@ -74,7 +78,7 @@ ns_sortlist_setup(dns_acl_t *acl, isc_netaddr_t *clientaddr,
 			if (order_elt != NULL) {
 				if (order_elt->type ==
 				    dns_aclelementtype_nestedacl) {
-					*argp = order_elt->u.nestedacl;
+					*argp = order_elt->nestedacl;
 					return (NS_SORTLISTTYPE_2ELEMENT);
 				} else if (order_elt->type ==
 					   dns_aclelementtype_localhost &&
diff --git a/bin/named/statschannel.c b/bin/named/statschannel.c
new file mode 100644
index 0000000..81f40bb
--- /dev/null
+++ b/bin/named/statschannel.c
@@ -0,0 +1,1355 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: statschannel.c,v 1.14.64.6 2009/02/17 03:43:07 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/print.h>
+#include <isc/socket.h>
+#include <isc/stats.h>
+#include <isc/task.h>
+
+#include <dns/db.h>
+#include <dns/opcode.h>
+#include <dns/resolver.h>
+#include <dns/rdataclass.h>
+#include <dns/rdatatype.h>
+#include <dns/stats.h>
+#include <dns/view.h>
+#include <dns/zt.h>
+
+#include <named/log.h>
+#include <named/server.h>
+#include <named/statschannel.h>
+
+#include "bind9.xsl.h"
+
+struct ns_statschannel {
+	/* Unlocked */
+	isc_httpdmgr_t				*httpdmgr;
+	isc_sockaddr_t				address;
+	isc_mem_t				*mctx;
+
+	/*
+	 * Locked by channel lock: can be referenced and modified by both
+	 * the server task and the channel task.
+	 */
+	isc_mutex_t				lock;
+	dns_acl_t				*acl;
+
+	/* Locked by server task */
+	ISC_LINK(struct ns_statschannel)	link;
+};
+
+typedef enum { statsformat_file, statsformat_xml } statsformat_t;
+
+typedef struct
+stats_dumparg {
+	statsformat_t	type;
+	void		*arg;		/* type dependent argument */
+	int		ncounters;	/* used for general statistics */
+	int		*counterindices; /* used for general statistics */
+	isc_uint64_t	*countervalues;	 /* used for general statistics */
+} stats_dumparg_t;
+
+static isc_once_t once = ISC_ONCE_INIT;
+
+/*%
+ * Statistics descriptions.  These could be statistically initialized at
+ * compile time, but we configure them run time in the init_desc() function
+ * below so that they'll be less susceptible to counter name changes.
+ */
+static const char *nsstats_desc[dns_nsstatscounter_max];
+static const char *resstats_desc[dns_resstatscounter_max];
+static const char *zonestats_desc[dns_zonestatscounter_max];
+static const char *sockstats_desc[isc_sockstatscounter_max];
+#ifdef HAVE_LIBXML2
+static const char *nsstats_xmldesc[dns_nsstatscounter_max];
+static const char *resstats_xmldesc[dns_resstatscounter_max];
+static const char *zonestats_xmldesc[dns_zonestatscounter_max];
+static const char *sockstats_xmldesc[isc_sockstatscounter_max];
+#else
+#define nsstats_xmldesc NULL
+#define resstats_xmldesc NULL
+#define zonestats_xmldesc NULL
+#define sockstats_xmldesc NULL
+#endif	/* HAVE_LIBXML2 */
+
+/*%
+ * Mapping arrays to represent statistics counters in the order of our
+ * preference, regardless of the order of counter indices.  For example,
+ * nsstats_desc[nsstats_index[0]] will be the description that is shown first.
+ */
+static int nsstats_index[dns_nsstatscounter_max];
+static int resstats_index[dns_resstatscounter_max];
+static int zonestats_index[dns_zonestatscounter_max];
+static int sockstats_index[isc_sockstatscounter_max];
+
+static inline void
+set_desc(int counter, int maxcounter, const char *fdesc, const char **fdescs,
+	 const char *xdesc, const char **xdescs)
+{
+	REQUIRE(counter < maxcounter);
+	REQUIRE(fdescs[counter] == NULL);
+#ifdef HAVE_LIBXML2
+	REQUIRE(xdescs[counter] == NULL);
+#endif
+
+	fdescs[counter] = fdesc;
+#ifdef HAVE_LIBXML2
+	xdescs[counter] = xdesc;
+#else
+	UNUSED(xdesc);
+	UNUSED(xdescs);
+#endif
+}
+
+static void
+init_desc(void) {
+	int i;
+
+	/* Initialize name server statistics */
+	memset((void *)nsstats_desc, 0,
+	       dns_nsstatscounter_max * sizeof(nsstats_desc[0]));
+#ifdef HAVE_LIBXML2
+	memset((void *)nsstats_xmldesc, 0,
+	       dns_nsstatscounter_max * sizeof(nsstats_xmldesc[0]));
+#endif
+
+#define SET_NSSTATDESC(counterid, desc, xmldesc) \
+	do { \
+		set_desc(dns_nsstatscounter_ ## counterid, \
+			 dns_nsstatscounter_max, \
+			 desc, nsstats_desc, xmldesc, nsstats_xmldesc); \
+		nsstats_index[i++] = dns_nsstatscounter_ ## counterid; \
+	} while (0)
+
+	i = 0;
+	SET_NSSTATDESC(requestv4, "IPv4 requests received", "Requestv4");
+	SET_NSSTATDESC(requestv6, "IPv6 requests received", "Requestv6");
+	SET_NSSTATDESC(edns0in, "requests with EDNS(0) received", "ReqEdns0");
+	SET_NSSTATDESC(badednsver,
+		       "requests with unsupported EDNS version received",
+		       "ReqBadEDNSVer");
+	SET_NSSTATDESC(tsigin, "requests with TSIG received", "ReqTSIG");
+	SET_NSSTATDESC(sig0in, "requests with SIG(0) received", "ReqSIG0");
+	SET_NSSTATDESC(invalidsig, "requests with invalid signature",
+		       "ReqBadSIG");
+	SET_NSSTATDESC(tcp, "TCP requests received", "ReqTCP");
+	SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
+	SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
+	SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
+	SET_NSSTATDESC(updaterej, "update requests rejected", "UpdateRej");
+	SET_NSSTATDESC(response, "responses sent", "Response");
+	SET_NSSTATDESC(truncatedresp, "truncated responses sent",
+		       "TruncatedResp");
+	SET_NSSTATDESC(edns0out, "responses with EDNS(0) sent", "RespEDNS0");
+	SET_NSSTATDESC(tsigout, "responses with TSIG sent", "RespTSIG");
+	SET_NSSTATDESC(sig0out, "responses with SIG(0) sent", "RespSIG0");
+	SET_NSSTATDESC(success, "queries resulted in successful answer",
+		       "QrySuccess");
+	SET_NSSTATDESC(authans, "queries resulted in authoritative answer",
+		       "QryAuthAns");
+	SET_NSSTATDESC(nonauthans,
+		       "queries resulted in non authoritative answer",
+		       "QryNoauthAns");
+	SET_NSSTATDESC(referral, "queries resulted in referral answer",
+		       "QryReferral");
+	SET_NSSTATDESC(nxrrset, "queries resulted in nxrrset", "QryNxrrset");
+	SET_NSSTATDESC(servfail, "queries resulted in SERVFAIL", "QrySERVFAIL");
+	SET_NSSTATDESC(formerr, "queries resulted in FORMERR", "QryFORMERR");
+	SET_NSSTATDESC(nxdomain, "queries resulted in NXDOMAIN", "QryNXDOMAIN");
+	SET_NSSTATDESC(recursion, "queries caused recursion","QryRecursion");
+	SET_NSSTATDESC(duplicate, "duplicate queries received", "QryDuplicate");
+	SET_NSSTATDESC(dropped, "queries dropped", "QryDropped");
+	SET_NSSTATDESC(failure, "other query failures", "QryFailure");
+	SET_NSSTATDESC(xfrdone, "requested transfers completed", "XfrReqDone");
+	SET_NSSTATDESC(updatereqfwd, "update requests forwarded",
+		       "UpdateReqFwd");
+	SET_NSSTATDESC(updaterespfwd, "update responses forwarded",
+		       "UpdateRespFwd");
+	SET_NSSTATDESC(updatefwdfail, "update forward failed", "UpdateFwdFail");
+	SET_NSSTATDESC(updatedone, "updates completed", "UpdateDone");
+	SET_NSSTATDESC(updatefail, "updates failed", "UpdateFail");
+	SET_NSSTATDESC(updatebadprereq,
+		       "updates rejected due to prerequisite failure",
+		       "UpdateBadPrereq");
+	INSIST(i == dns_nsstatscounter_max);
+
+	/* Initialize resolver statistics */
+	memset((void *)resstats_desc, 0,
+	       dns_resstatscounter_max * sizeof(resstats_desc[0]));
+#ifdef  HAVE_LIBXML2
+	memset((void *)resstats_xmldesc, 0,
+	       dns_resstatscounter_max * sizeof(resstats_xmldesc[0]));
+#endif
+
+#define SET_RESSTATDESC(counterid, desc, xmldesc) \
+	do { \
+		set_desc(dns_resstatscounter_ ## counterid, \
+			 dns_resstatscounter_max, \
+			 desc, resstats_desc, xmldesc, resstats_xmldesc); \
+		resstats_index[i++] = dns_resstatscounter_ ## counterid; \
+	} while (0)
+
+	i = 0;
+	SET_RESSTATDESC(queryv4, "IPv4 queries sent", "Queryv4");
+	SET_RESSTATDESC(queryv6, "IPv6 queries sent", "Queryv6");
+	SET_RESSTATDESC(responsev4, "IPv4 responses received", "Responsev4");
+	SET_RESSTATDESC(responsev6, "IPv6 responses received", "Responsev6");
+	SET_RESSTATDESC(nxdomain, "NXDOMAIN received", "NXDOMAIN");
+	SET_RESSTATDESC(servfail, "SERVFAIL received", "SERVFAIL");
+	SET_RESSTATDESC(formerr, "FORMERR received", "FORMERR");
+	SET_RESSTATDESC(othererror, "other errors received", "OtherError");
+	SET_RESSTATDESC(edns0fail, "EDNS(0) query failures", "EDNS0Fail");
+	SET_RESSTATDESC(mismatch, "mismatch responses received", "Mismatch");
+	SET_RESSTATDESC(truncated, "truncated responses received", "Truncated");
+	SET_RESSTATDESC(lame, "lame delegations received", "Lame");
+	SET_RESSTATDESC(retry, "query retries", "Retry");
+	SET_RESSTATDESC(dispabort, "queries aborted due to quota",
+			"QueryAbort");
+	SET_RESSTATDESC(dispsockfail, "failures in opening query sockets",
+			"QuerySockFail");
+	SET_RESSTATDESC(querytimeout, "query timeouts", "QueryTimeout");
+	SET_RESSTATDESC(gluefetchv4, "IPv4 NS address fetches", "GlueFetchv4");
+	SET_RESSTATDESC(gluefetchv6, "IPv6 NS address fetches", "GlueFetchv6");
+	SET_RESSTATDESC(gluefetchv4fail, "IPv4 NS address fetch failed",
+			"GlueFetchv4Fail");
+	SET_RESSTATDESC(gluefetchv6fail, "IPv6 NS address fetch failed",
+			"GlueFetchv6Fail");
+	SET_RESSTATDESC(val, "DNSSEC validation attempted", "ValAttempt");
+	SET_RESSTATDESC(valsuccess, "DNSSEC validation succeeded", "ValOk");
+	SET_RESSTATDESC(valnegsuccess, "DNSSEC NX validation succeeded",
+			"ValNegOk");
+	SET_RESSTATDESC(valfail, "DNSSEC validation failed", "ValFail");
+	SET_RESSTATDESC(queryrtt0, "queries with RTT < "
+			DNS_RESOLVER_QRYRTTCLASS0STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS0STR);
+	SET_RESSTATDESC(queryrtt1, "queries with RTT "
+			DNS_RESOLVER_QRYRTTCLASS0STR "-"
+			DNS_RESOLVER_QRYRTTCLASS1STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS1STR);
+	SET_RESSTATDESC(queryrtt2, "queries with RTT "
+			DNS_RESOLVER_QRYRTTCLASS1STR "-"
+			DNS_RESOLVER_QRYRTTCLASS2STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS2STR);
+	SET_RESSTATDESC(queryrtt3, "queries with RTT "
+			DNS_RESOLVER_QRYRTTCLASS2STR "-"
+			DNS_RESOLVER_QRYRTTCLASS3STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS3STR);
+	SET_RESSTATDESC(queryrtt4, "queries with RTT "
+			DNS_RESOLVER_QRYRTTCLASS3STR "-"
+			DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR);
+	SET_RESSTATDESC(queryrtt5, "queries with RTT > "
+			DNS_RESOLVER_QRYRTTCLASS4STR "ms",
+			"QryRTT" DNS_RESOLVER_QRYRTTCLASS4STR "+");
+	INSIST(i == dns_resstatscounter_max);
+
+	/* Initialize zone statistics */
+	memset((void *)zonestats_desc, 0,
+	       dns_zonestatscounter_max * sizeof(zonestats_desc[0]));
+#ifdef  HAVE_LIBXML2
+	memset((void *)zonestats_xmldesc, 0,
+	       dns_zonestatscounter_max * sizeof(zonestats_xmldesc[0]));
+#endif
+
+#define SET_ZONESTATDESC(counterid, desc, xmldesc) \
+	do { \
+		set_desc(dns_zonestatscounter_ ## counterid, \
+			 dns_zonestatscounter_max, \
+			 desc, zonestats_desc, xmldesc, zonestats_xmldesc); \
+		zonestats_index[i++] = dns_zonestatscounter_ ## counterid; \
+	} while (0)
+
+	i = 0;
+	SET_ZONESTATDESC(notifyoutv4, "IPv4 notifies sent", "NotifyOutv4");
+	SET_ZONESTATDESC(notifyoutv6, "IPv6 notifies sent", "NotifyOutv6");
+	SET_ZONESTATDESC(notifyinv4, "IPv4 notifies received", "NotifyInv4");
+	SET_ZONESTATDESC(notifyinv6, "IPv6 notifies received", "NotifyInv6");
+	SET_ZONESTATDESC(notifyrej, "notifies rejected", "NotifyRej");
+	SET_ZONESTATDESC(soaoutv4, "IPv4 SOA queries sent", "SOAOutv4");
+	SET_ZONESTATDESC(soaoutv6, "IPv6 SOA queries sent", "SOAOutv6");
+	SET_ZONESTATDESC(axfrreqv4, "IPv4 AXFR requested", "AXFRReqv4");
+	SET_ZONESTATDESC(axfrreqv6, "IPv6 AXFR requested", "AXFRReqv6");
+	SET_ZONESTATDESC(ixfrreqv4, "IPv4 IXFR requested", "IXFRReqv4");
+	SET_ZONESTATDESC(ixfrreqv6, "IPv6 IXFR requested", "IXFRReqv6");
+	SET_ZONESTATDESC(xfrsuccess, "transfer requests succeeded","XfrSuccess");
+	SET_ZONESTATDESC(xfrfail, "transfer requests failed", "XfrFail");
+	INSIST(i == dns_zonestatscounter_max);
+
+	/* Initialize socket statistics */
+	memset((void *)sockstats_desc, 0,
+	       isc_sockstatscounter_max * sizeof(sockstats_desc[0]));
+#ifdef  HAVE_LIBXML2
+	memset((void *)sockstats_xmldesc, 0,
+	       isc_sockstatscounter_max * sizeof(sockstats_xmldesc[0]));
+#endif
+
+#define SET_SOCKSTATDESC(counterid, desc, xmldesc) \
+	do { \
+		set_desc(isc_sockstatscounter_ ## counterid, \
+			 isc_sockstatscounter_max, \
+			 desc, sockstats_desc, xmldesc, sockstats_xmldesc); \
+		sockstats_index[i++] = isc_sockstatscounter_ ## counterid; \
+	} while (0)
+
+	i = 0;
+	SET_SOCKSTATDESC(udp4open, "UDP/IPv4 sockets opened", "UDP4Open");
+	SET_SOCKSTATDESC(udp6open, "UDP/IPv6 sockets opened", "UDP6Open");
+	SET_SOCKSTATDESC(tcp4open, "TCP/IPv4 sockets opened", "TCP4Open");
+	SET_SOCKSTATDESC(tcp6open, "TCP/IPv6 sockets opened", "TCP6Open");
+	SET_SOCKSTATDESC(unixopen, "Unix domain sockets opened", "UnixOpen");
+	SET_SOCKSTATDESC(udp4openfail, "UDP/IPv4 socket open failures",
+			 "UDP4OpenFail");
+	SET_SOCKSTATDESC(udp6openfail, "UDP/IPv6 socket open failures",
+			 "UDP6OpenFail");
+	SET_SOCKSTATDESC(tcp4openfail, "TCP/IPv4 socket open failures",
+			 "TCP4OpenFail");
+	SET_SOCKSTATDESC(tcp6openfail, "TCP/IPv6 socket open failures",
+			 "TCP6OpenFail");
+	SET_SOCKSTATDESC(unixopenfail, "Unix domain socket open failures",
+			 "UnixOpenFail");
+	SET_SOCKSTATDESC(udp4close, "UDP/IPv4 sockets closed", "UDP4Close");
+	SET_SOCKSTATDESC(udp6close, "UDP/IPv6 sockets closed", "UDP6Close");
+	SET_SOCKSTATDESC(tcp4close, "TCP/IPv4 sockets closed", "TCP4Close");
+	SET_SOCKSTATDESC(tcp6close, "TCP/IPv6 sockets closed", "TCP6Close");
+	SET_SOCKSTATDESC(unixclose, "Unix domain sockets closed", "UnixClose");
+	SET_SOCKSTATDESC(fdwatchclose, "FDwatch sockets closed",
+			 "FDWatchClose");
+	SET_SOCKSTATDESC(udp4bindfail, "UDP/IPv4 socket bind failures",
+			 "UDP4BindFail");
+	SET_SOCKSTATDESC(udp6bindfail, "UDP/IPv6 socket bind failures",
+			 "UDP6BindFail");
+	SET_SOCKSTATDESC(tcp4bindfail, "TCP/IPv4 socket bind failures",
+			 "TCP4BindFail");
+	SET_SOCKSTATDESC(tcp6bindfail, "TCP/IPv6 socket bind failures",
+			 "TCP6BindFail");
+	SET_SOCKSTATDESC(unixbindfail, "Unix domain socket bind failures",
+			 "UnixBindFail");
+	SET_SOCKSTATDESC(fdwatchbindfail, "FDwatch socket bind failures",
+			 "FdwatchBindFail");
+	SET_SOCKSTATDESC(udp4connectfail, "UDP/IPv4 socket connect failures",
+			 "UDP4ConnFail");
+	SET_SOCKSTATDESC(udp6connectfail, "UDP/IPv6 socket connect failures",
+			 "UDP6ConnFail");
+	SET_SOCKSTATDESC(tcp4connectfail, "TCP/IPv4 socket connect failures",
+			 "TCP4ConnFail");
+	SET_SOCKSTATDESC(tcp6connectfail, "TCP/IPv6 socket connect failures",
+			 "TCP6ConnFail");
+	SET_SOCKSTATDESC(unixconnectfail, "Unix domain socket connect failures",
+			 "UnixConnFail");
+	SET_SOCKSTATDESC(fdwatchconnectfail, "FDwatch socket connect failures",
+			 "FDwatchConnFail");
+	SET_SOCKSTATDESC(udp4connect, "UDP/IPv4 connections established",
+			 "UDP4Conn");
+	SET_SOCKSTATDESC(udp6connect, "UDP/IPv6 connections established",
+			 "UDP6Conn");
+	SET_SOCKSTATDESC(tcp4connect, "TCP/IPv4 connections established",
+			 "TCP4Conn");
+	SET_SOCKSTATDESC(tcp6connect, "TCP/IPv6 connections established",
+			 "TCP6Conn");
+	SET_SOCKSTATDESC(unixconnect, "Unix domain connections established",
+			 "UnixConn");
+	SET_SOCKSTATDESC(fdwatchconnect,
+			 "FDwatch domain connections established",
+			 "FDwatchConn");
+	SET_SOCKSTATDESC(tcp4acceptfail, "TCP/IPv4 connection accept failures",
+			 "TCP4AcceptFail");
+	SET_SOCKSTATDESC(tcp6acceptfail, "TCP/IPv6 connection accept failures",
+			 "TCP6AcceptFail");
+	SET_SOCKSTATDESC(unixacceptfail,
+			 "Unix domain connection accept failures",
+			 "UnixAcceptFail");
+	SET_SOCKSTATDESC(tcp4accept, "TCP/IPv4 connections accepted",
+			 "TCP4Accept");
+	SET_SOCKSTATDESC(tcp6accept, "TCP/IPv6 connections accepted",
+			 "TCP6Accept");
+	SET_SOCKSTATDESC(unixaccept, "Unix domain connections accepted",
+			 "UnixAccept");
+	SET_SOCKSTATDESC(udp4sendfail, "UDP/IPv4 send errors", "UDP4SendErr");
+	SET_SOCKSTATDESC(udp6sendfail, "UDP/IPv6 send errors", "UDP6SendErr");
+	SET_SOCKSTATDESC(tcp4sendfail, "TCP/IPv4 send errors", "TCP4SendErr");
+	SET_SOCKSTATDESC(tcp6sendfail, "TCP/IPv6 send errors", "TCP6SendErr");
+	SET_SOCKSTATDESC(unixsendfail, "Unix domain send errors",
+			 "UnixSendErr");
+	SET_SOCKSTATDESC(fdwatchsendfail, "FDwatch send errors",
+			 "FDwatchSendErr");
+	SET_SOCKSTATDESC(udp4recvfail, "UDP/IPv4 recv errors", "UDP4RecvErr");
+	SET_SOCKSTATDESC(udp6recvfail, "UDP/IPv6 recv errors", "UDP6RecvErr");
+	SET_SOCKSTATDESC(tcp4recvfail, "TCP/IPv4 recv errors", "TCP4RecvErr");
+	SET_SOCKSTATDESC(tcp6recvfail, "TCP/IPv6 recv errors", "TCP6RecvErr");
+	SET_SOCKSTATDESC(unixrecvfail, "Unix domain recv errors",
+			 "UnixRecvErr");
+	SET_SOCKSTATDESC(fdwatchrecvfail, "FDwatch recv errors",
+			 "FDwatchRecvErr");
+	INSIST(i == isc_sockstatscounter_max);
+
+	/* Sanity check */
+	for (i = 0; i < dns_nsstatscounter_max; i++)
+		INSIST(nsstats_desc[i] != NULL);
+	for (i = 0; i < dns_resstatscounter_max; i++)
+		INSIST(resstats_desc[i] != NULL);
+	for (i = 0; i < dns_zonestatscounter_max; i++)
+		INSIST(zonestats_desc[i] != NULL);
+	for (i = 0; i < isc_sockstatscounter_max; i++)
+		INSIST(sockstats_desc[i] != NULL);
+#ifdef  HAVE_LIBXML2
+	for (i = 0; i < dns_nsstatscounter_max; i++)
+		INSIST(nsstats_xmldesc[i] != NULL);
+	for (i = 0; i < dns_resstatscounter_max; i++)
+		INSIST(resstats_xmldesc[i] != NULL);
+	for (i = 0; i < dns_zonestatscounter_max; i++)
+		INSIST(zonestats_xmldesc[i] != NULL);
+	for (i = 0; i < isc_sockstatscounter_max; i++)
+		INSIST(sockstats_xmldesc[i] != NULL);
+#endif
+}
+
+/*%
+ * Dump callback functions.
+ */
+static void
+generalstat_dump(isc_statscounter_t counter, isc_uint64_t val, void *arg) {
+	stats_dumparg_t *dumparg = arg;
+
+	REQUIRE(counter < dumparg->ncounters);
+	dumparg->countervalues[counter] = val;
+}
+
+static void
+dump_counters(isc_stats_t *stats, statsformat_t type, void *arg,
+	      const char *category, const char **desc, int ncounters,
+	      int *indices, isc_uint64_t *values, int options)
+{
+	int i, index;
+	isc_uint64_t value;
+	stats_dumparg_t dumparg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+#endif
+
+#ifndef HAVE_LIBXML2
+	UNUSED(category);
+#endif
+
+	dumparg.type = type;
+	dumparg.ncounters = ncounters;
+	dumparg.counterindices = indices;
+	dumparg.countervalues = values;
+
+	memset(values, 0, sizeof(values[0]) * ncounters);
+	isc_stats_dump(stats, generalstat_dump, &dumparg, options);
+
+	for (i = 0; i < ncounters; i++) {
+		index = indices[i];
+		value = values[index];
+
+		if (value == 0 && (options & ISC_STATSDUMP_VERBOSE) == 0)
+			continue;
+
+		switch (dumparg.type) {
+		case statsformat_file:
+			fp = arg;
+			fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n",
+				value, desc[index]);
+			break;
+		case statsformat_xml:
+#ifdef HAVE_LIBXML2
+			writer = arg;
+
+			if (category != NULL) {
+				xmlTextWriterStartElement(writer,
+							  ISC_XMLCHAR
+							  category);
+				xmlTextWriterStartElement(writer,
+							  ISC_XMLCHAR "name");
+				xmlTextWriterWriteString(writer, ISC_XMLCHAR
+							desc[index]);
+				xmlTextWriterEndElement(writer); /* name */
+
+				xmlTextWriterStartElement(writer, ISC_XMLCHAR
+							  "counter");
+			} else {
+				xmlTextWriterStartElement(writer, ISC_XMLCHAR
+							  desc[index]);
+			}
+			xmlTextWriterWriteFormatString(writer,
+						       "%" ISC_PRINT_QUADFORMAT
+						       "u", value);
+			xmlTextWriterEndElement(writer); /* counter */
+			if (category != NULL)
+				xmlTextWriterEndElement(writer); /* category */
+#endif
+			break;
+		}
+	}
+}
+
+static void
+rdtypestat_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+	char typebuf[64];
+	const char *typestr;
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+#endif
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_OTHERTYPE)
+	    == 0) {
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	} else
+		typestr = "Others";
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, typestr);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdtype");
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+		xmlTextWriterWriteString(writer, ISC_XMLCHAR typestr);
+		xmlTextWriterEndElement(writer); /* name */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+		xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       val);
+		xmlTextWriterEndElement(writer); /* counter */
+
+		xmlTextWriterEndElement(writer); /* rdtype */
+#endif
+		break;
+	}
+}
+
+static void
+rdatasetstats_dump(dns_rdatastatstype_t type, isc_uint64_t val, void *arg) {
+	stats_dumparg_t *dumparg = arg;
+	FILE *fp;
+	char typebuf[64];
+	const char *typestr;
+	isc_boolean_t nxrrset = ISC_FALSE;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+#endif
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXDOMAIN)
+	    != 0) {
+		typestr = "NXDOMAIN";
+	} else if ((DNS_RDATASTATSTYPE_ATTR(type) &
+		    DNS_RDATASTATSTYPE_ATTR_OTHERTYPE) != 0) {
+		typestr = "Others";
+	} else {
+		dns_rdatatype_format(DNS_RDATASTATSTYPE_BASE(type), typebuf,
+				     sizeof(typebuf));
+		typestr = typebuf;
+	}
+
+	if ((DNS_RDATASTATSTYPE_ATTR(type) & DNS_RDATASTATSTYPE_ATTR_NXRRSET)
+	    != 0)
+		nxrrset = ISC_TRUE;
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s%s\n", val,
+			nxrrset ? "!" : "", typestr);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "rrset");
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+		xmlTextWriterWriteFormatString(writer, "%s%s",
+					       nxrrset ? "!" : "", typestr);
+		xmlTextWriterEndElement(writer); /* name */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+		xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       val);
+		xmlTextWriterEndElement(writer); /* counter */
+
+		xmlTextWriterEndElement(writer); /* rrset */
+#endif
+		break;
+	}
+}
+
+static void
+opcodestat_dump(dns_opcode_t code, isc_uint64_t val, void *arg) {
+	FILE *fp = arg;
+	isc_buffer_t b;
+	char codebuf[64];
+	stats_dumparg_t *dumparg = arg;
+#ifdef HAVE_LIBXML2
+	xmlTextWriterPtr writer;
+#endif
+
+	isc_buffer_init(&b, codebuf, sizeof(codebuf) - 1);
+	dns_opcode_totext(code, &b);
+	codebuf[isc_buffer_usedlength(&b)] = '\0';
+
+	switch (dumparg->type) {
+	case statsformat_file:
+		fp = dumparg->arg;
+		fprintf(fp, "%20" ISC_PRINT_QUADFORMAT "u %s\n", val, codebuf);
+		break;
+	case statsformat_xml:
+#ifdef HAVE_LIBXML2
+		writer = dumparg->arg;
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "opcode");
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+		xmlTextWriterWriteString(writer, ISC_XMLCHAR codebuf);
+		xmlTextWriterEndElement(writer); /* name */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counter");
+		xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       val);
+		xmlTextWriterEndElement(writer); /* counter */
+
+		xmlTextWriterEndElement(writer); /* opcode */
+#endif
+		break;
+	}
+}
+
+#ifdef HAVE_LIBXML2
+
+/* XXXMLG below here sucks. */
+
+#define TRY(a) do { result = (a); INSIST(result == ISC_R_SUCCESS); } while(0);
+#define TRY0(a) do { xmlrc = (a); INSIST(xmlrc >= 0); } while(0);
+
+static isc_result_t
+zone_xmlrender(dns_zone_t *zone, void *arg) {
+	char buf[1024 + 32];	/* sufficiently large for zone name and class */
+	dns_rdataclass_t rdclass;
+	isc_uint32_t serial;
+	xmlTextWriterPtr writer = arg;
+	isc_stats_t *zonestats;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "zone");
+
+	dns_zone_name(zone, buf, sizeof(buf));
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
+	xmlTextWriterEndElement(writer);
+
+	rdclass = dns_zone_getclass(zone);
+	dns_rdataclass_format(rdclass, buf, sizeof(buf));
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "rdataclass");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR buf);
+	xmlTextWriterEndElement(writer);
+
+	serial = dns_zone_getserial(zone);
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "serial");
+	xmlTextWriterWriteFormatString(writer, "%u", serial);
+	xmlTextWriterEndElement(writer);
+
+	zonestats = dns_zone_getrequeststats(zone);
+	if (zonestats != NULL) {
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "counters");
+		dump_counters(zonestats, statsformat_xml, writer, NULL,
+			      nsstats_xmldesc, dns_nsstatscounter_max,
+			      nsstats_index, nsstat_values,
+			      ISC_STATSDUMP_VERBOSE);
+		xmlTextWriterEndElement(writer); /* counters */
+	}
+
+	xmlTextWriterEndElement(writer); /* zone */
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+generatexml(ns_server_t *server, int *buflen, xmlChar **buf) {
+	char boottime[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	char nowstr[sizeof "yyyy-mm-ddThh:mm:ssZ"];
+	isc_time_t now;
+	xmlTextWriterPtr writer;
+	xmlDocPtr doc;
+	int xmlrc;
+	dns_view_t *view;
+	stats_dumparg_t dumparg;
+	dns_stats_t *cachestats;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	isc_uint64_t resstat_values[dns_resstatscounter_max];
+	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+
+	isc_time_now(&now);
+	isc_time_formatISO8601(&ns_g_boottime, boottime, sizeof boottime);
+	isc_time_formatISO8601(&now, nowstr, sizeof nowstr);
+
+	writer = xmlNewTextWriterDoc(&doc, 0);
+	TRY0(xmlTextWriterStartDocument(writer, NULL, "UTF-8", NULL));
+	TRY0(xmlTextWriterWritePI(writer, ISC_XMLCHAR "xml-stylesheet",
+			ISC_XMLCHAR "type=\"text/xsl\" href=\"/bind9.xsl\""));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "isc"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+					 ISC_XMLCHAR "1.0"));
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "bind"));
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "statistics"));
+	TRY0(xmlTextWriterWriteAttribute(writer, ISC_XMLCHAR "version",
+					 ISC_XMLCHAR "2.0"));
+
+	/* Set common fields for statistics dump */
+	dumparg.type = statsformat_xml;
+	dumparg.arg = writer;
+
+	/*
+	 * Start by rendering the views we know of here.  For each view we
+	 * know of, call its rendering function.
+	 */
+	view = ISC_LIST_HEAD(server->viewlist);
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "views"));
+	while (view != NULL) {
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "view");
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+		xmlTextWriterWriteString(writer, ISC_XMLCHAR view->name);
+		xmlTextWriterEndElement(writer);
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "zones");
+		dns_zt_apply(view->zonetable, ISC_FALSE, zone_xmlrender,
+			     writer);
+		xmlTextWriterEndElement(writer);
+
+		if (view->resquerystats != NULL) {
+			dns_rdatatypestats_dump(view->resquerystats,
+						rdtypestat_dump, &dumparg, 0);
+		}
+
+		if (view->resstats != NULL) {
+			dump_counters(view->resstats, statsformat_xml, writer,
+				      "resstat", resstats_xmldesc,
+				      dns_resstatscounter_max, resstats_index,
+				      resstat_values, ISC_STATSDUMP_VERBOSE);
+		}
+
+		cachestats = dns_db_getrrsetstats(view->cachedb);
+		if (cachestats != NULL) {
+			xmlTextWriterStartElement(writer,
+						  ISC_XMLCHAR "cache");
+			dns_rdatasetstats_dump(cachestats, rdatasetstats_dump,
+					       &dumparg, 0);
+			xmlTextWriterEndElement(writer); /* cache */
+		}
+
+		xmlTextWriterEndElement(writer); /* view */
+
+		view = ISC_LIST_NEXT(view, link);
+	}
+	TRY0(xmlTextWriterEndElement(writer)); /* views */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "socketmgr"));
+	isc_socketmgr_renderxml(ns_g_socketmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* socketmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "taskmgr"));
+	isc_taskmgr_renderxml(ns_g_taskmgr, writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* taskmgr */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "server"));
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "boot-time");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR boottime);
+	xmlTextWriterEndElement(writer);
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "current-time");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR nowstr);
+	xmlTextWriterEndElement(writer);
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "requests"));
+	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg,
+			     0);
+	xmlTextWriterEndElement(writer); /* requests */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "queries-in"));
+	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+				&dumparg, 0);
+	xmlTextWriterEndElement(writer); /* queries-in */
+
+	dump_counters(server->nsstats, statsformat_xml, writer,
+		      "nsstat", nsstats_xmldesc, dns_nsstatscounter_max,
+		      nsstats_index, nsstat_values, ISC_STATSDUMP_VERBOSE);
+
+	dump_counters(server->zonestats, statsformat_xml, writer, "zonestat",
+		      zonestats_xmldesc, dns_zonestatscounter_max,
+		      zonestats_index, zonestat_values, ISC_STATSDUMP_VERBOSE);
+
+	/*
+	 * Most of the common resolver statistics entries are 0, so we don't
+	 * use the verbose dump here.
+	 */
+	dump_counters(server->resolverstats, statsformat_xml, writer, "resstat",
+		      resstats_xmldesc, dns_resstatscounter_max, resstats_index,
+		      resstat_values, 0);
+
+	dump_counters(server->sockstats, statsformat_xml, writer, "sockstat",
+		      sockstats_xmldesc, isc_sockstatscounter_max,
+		      sockstats_index, sockstat_values, ISC_STATSDUMP_VERBOSE);
+
+	xmlTextWriterEndElement(writer); /* server */
+
+	TRY0(xmlTextWriterStartElement(writer, ISC_XMLCHAR "memory"));
+	isc_mem_renderxml(writer);
+	TRY0(xmlTextWriterEndElement(writer)); /* memory */
+
+	TRY0(xmlTextWriterEndElement(writer)); /* statistics */
+	TRY0(xmlTextWriterEndElement(writer)); /* bind */
+	TRY0(xmlTextWriterEndElement(writer)); /* isc */
+
+	TRY0(xmlTextWriterEndDocument(writer));
+
+	xmlFreeTextWriter(writer);
+
+	xmlDocDumpFormatMemoryEnc(doc, buf, buflen, "UTF-8", 1);
+	xmlFreeDoc(doc);
+}
+
+static void
+wrap_xmlfree(isc_buffer_t *buffer, void *arg) {
+	UNUSED(arg);
+
+	xmlFree(isc_buffer_base(buffer));
+}
+
+static isc_result_t
+render_index(const char *url, const char *querystring, void *arg,
+	     unsigned int *retcode, const char **retmsg, const char **mimetype,
+	     isc_buffer_t *b, isc_httpdfree_t **freecb,
+	     void **freecb_args)
+{
+	unsigned char *msg;
+	int msglen;
+	ns_server_t *server = arg;
+
+	UNUSED(url);
+	UNUSED(querystring);
+
+	generatexml(server, &msglen, &msg);
+
+	*retcode = 200;
+	*retmsg = "OK";
+	*mimetype = "text/xml";
+	isc_buffer_reinit(b, msg, msglen);
+	isc_buffer_add(b, msglen);
+	*freecb = wrap_xmlfree;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+#endif	/* HAVE_LIBXML2 */
+
+static isc_result_t
+render_xsl(const char *url, const char *querystring, void *args,
+	   unsigned int *retcode, const char **retmsg, const char **mimetype,
+	   isc_buffer_t *b, isc_httpdfree_t **freecb,
+	   void **freecb_args)
+{
+	UNUSED(url);
+	UNUSED(querystring);
+	UNUSED(args);
+
+	*retcode = 200;
+	*retmsg = "OK";
+	*mimetype = "text/xslt+xml";
+	isc_buffer_reinit(b, xslmsg, strlen(xslmsg));
+	isc_buffer_add(b, strlen(xslmsg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+shutdown_listener(ns_statschannel_t *listener) {
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_format(&listener->address, socktext, sizeof(socktext));
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,NS_LOGMODULE_SERVER,
+		      ISC_LOG_NOTICE, "stopping statistics channel on %s",
+		      socktext);
+
+	isc_httpdmgr_shutdown(&listener->httpdmgr);
+}
+
+static isc_boolean_t
+client_ok(const isc_sockaddr_t *fromaddr, void *arg) {
+	ns_statschannel_t *listener = arg;
+	isc_netaddr_t netaddr;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+	int match;
+
+	REQUIRE(listener != NULL);
+
+	isc_netaddr_fromsockaddr(&netaddr, fromaddr);
+
+	LOCK(&listener->lock);
+	if (dns_acl_match(&netaddr, NULL, listener->acl, &ns_g_server->aclenv,
+			  &match, NULL) == ISC_R_SUCCESS && match > 0) {
+		UNLOCK(&listener->lock);
+		return (ISC_TRUE);
+	}
+	UNLOCK(&listener->lock);
+
+	isc_sockaddr_format(fromaddr, socktext, sizeof(socktext));
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+		      "rejected statistics connection from %s", socktext);
+
+	return (ISC_FALSE);
+}
+
+static void
+destroy_listener(void *arg) {
+	ns_statschannel_t *listener = arg;
+
+	REQUIRE(listener != NULL);
+	REQUIRE(!ISC_LINK_LINKED(listener, link));
+
+	/* We don't have to acquire the lock here since it's already unlinked */
+	dns_acl_detach(&listener->acl);
+
+	DESTROYLOCK(&listener->lock);
+	isc_mem_putanddetach(&listener->mctx, listener, sizeof(*listener));
+}
+
+static isc_result_t
+add_listener(ns_server_t *server, ns_statschannel_t **listenerp,
+	     const cfg_obj_t *listen_params, const cfg_obj_t *config,
+	     isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+	     const char *socktext)
+{
+	isc_result_t result;
+	ns_statschannel_t *listener;
+	isc_task_t *task = NULL;
+	isc_socket_t *sock = NULL;
+	const cfg_obj_t *allow;
+	dns_acl_t *new_acl = NULL;
+
+	listener = isc_mem_get(server->mctx, sizeof(*listener));
+	if (listener == NULL)
+		return (ISC_R_NOMEMORY);
+
+	listener->httpdmgr = NULL;
+	listener->address = *addr;
+	listener->acl = NULL;
+	listener->mctx = NULL;
+	ISC_LINK_INIT(listener, link);
+
+	result = isc_mutex_init(&listener->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(server->mctx, listener, sizeof(*listener));
+		return (ISC_R_FAILURE);
+	}
+
+	isc_mem_attach(server->mctx, &listener->mctx);
+
+	allow = cfg_tuple_get(listen_params, "allow");
+	if (allow != NULL && cfg_obj_islist(allow)) {
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, listener->mctx, 0,
+					    &new_acl);
+	} else
+		result = dns_acl_any(listener->mctx, &new_acl);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	dns_acl_attach(new_acl, &listener->acl);
+	dns_acl_detach(&new_acl);
+
+	result = isc_task_create(ns_g_taskmgr, 0, &task);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_task_setname(task, "statchannel", NULL);
+
+	result = isc_socket_create(ns_g_socketmgr, isc_sockaddr_pf(addr),
+				   isc_sockettype_tcp, &sock);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	isc_socket_setname(sock, "statchannel", NULL);
+
+#ifndef ISC_ALLOW_MAPPED
+	isc_socket_ipv6only(sock, ISC_TRUE);
+#endif
+
+	result = isc_socket_bind(sock, addr, ISC_SOCKET_REUSEADDRESS);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	result = isc_httpdmgr_create(server->mctx, sock, task, client_ok,
+				     destroy_listener, listener, ns_g_timermgr,
+				     &listener->httpdmgr);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+#ifdef HAVE_LIBXML2
+	isc_httpdmgr_addurl(listener->httpdmgr, "/", render_index, server);
+#endif
+	isc_httpdmgr_addurl(listener->httpdmgr, "/bind9.xsl", render_xsl,
+			    server);
+
+	*listenerp = listener;
+	isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+		      NS_LOGMODULE_SERVER, ISC_LOG_NOTICE,
+		      "statistics channel listening on %s", socktext);
+
+cleanup:
+	if (result != ISC_R_SUCCESS) {
+		if (listener->acl != NULL)
+			dns_acl_detach(&listener->acl);
+		DESTROYLOCK(&listener->lock);
+		isc_mem_putanddetach(&listener->mctx, listener,
+				     sizeof(*listener));
+	}
+	if (task != NULL)
+		isc_task_detach(&task);
+	if (sock != NULL)
+		isc_socket_detach(&sock);
+
+	return (result);
+}
+
+static void
+update_listener(ns_server_t *server, ns_statschannel_t **listenerp,
+		const cfg_obj_t *listen_params, const cfg_obj_t *config,
+		isc_sockaddr_t *addr, cfg_aclconfctx_t *aclconfctx,
+		const char *socktext)
+{
+	ns_statschannel_t *listener;
+	const cfg_obj_t *allow = NULL;
+	dns_acl_t *new_acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	for (listener = ISC_LIST_HEAD(server->statschannels);
+	     listener != NULL;
+	     listener = ISC_LIST_NEXT(listener, link))
+		if (isc_sockaddr_equal(addr, &listener->address))
+			break;
+
+	if (listener == NULL) {
+		*listenerp = NULL;
+		return;
+	}
+
+	/*
+	 * Now, keep the old access list unless a new one can be made.
+	 */
+	allow = cfg_tuple_get(listen_params, "allow");
+	if (allow != NULL && cfg_obj_islist(allow)) {
+		result = cfg_acl_fromconfig(allow, config, ns_g_lctx,
+					    aclconfctx, listener->mctx, 0,
+					    &new_acl);
+	} else
+		result = dns_acl_any(listener->mctx, &new_acl);
+
+	if (result == ISC_R_SUCCESS) {
+		LOCK(&listener->lock);
+
+		dns_acl_detach(&listener->acl);
+		dns_acl_attach(new_acl, &listener->acl);
+		dns_acl_detach(&new_acl);
+
+		UNLOCK(&listener->lock);
+	} else {
+		cfg_obj_log(listen_params, ns_g_lctx, ISC_LOG_WARNING,
+			    "couldn't install new acl for "
+			    "statistics channel %s: %s",
+			    socktext, isc_result_totext(result));
+	}
+
+	*listenerp = listener;
+}
+
+isc_result_t
+ns_statschannels_configure(ns_server_t *server, const cfg_obj_t *config,
+			 cfg_aclconfctx_t *aclconfctx)
+{
+	ns_statschannel_t *listener, *listener_next;
+	ns_statschannellist_t new_listeners;
+	const cfg_obj_t *statschannellist = NULL;
+	const cfg_listelt_t *element, *element2;
+	char socktext[ISC_SOCKADDR_FORMATSIZE];
+
+	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+	ISC_LIST_INIT(new_listeners);
+
+	/*
+	 * Get the list of named.conf 'statistics-channels' statements.
+	 */
+	(void)cfg_map_get(config, "statistics-channels", &statschannellist);
+
+	/*
+	 * Run through the new address/port list, noting sockets that are
+	 * already being listened on and moving them to the new list.
+	 *
+	 * Identifying duplicate addr/port combinations is left to either
+	 * the underlying config code, or to the bind attempt getting an
+	 * address-in-use error.
+	 */
+	if (statschannellist != NULL) {
+#ifndef HAVE_LIBXML2
+		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
+			      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
+			      "statistics-channels specified but not effective "
+			      "due to missing XML library");
+#endif
+
+		for (element = cfg_list_first(statschannellist);
+		     element != NULL;
+		     element = cfg_list_next(element)) {
+			const cfg_obj_t *statschannel;
+			const cfg_obj_t *listenercfg = NULL;
+
+			statschannel = cfg_listelt_value(element);
+			(void)cfg_map_get(statschannel, "inet",
+					  &listenercfg);
+			if (listenercfg == NULL)
+				continue;
+
+			for (element2 = cfg_list_first(listenercfg);
+			     element2 != NULL;
+			     element2 = cfg_list_next(element2)) {
+				const cfg_obj_t *listen_params;
+				const cfg_obj_t *obj;
+				isc_sockaddr_t addr;
+
+				listen_params = cfg_listelt_value(element2);
+
+				obj = cfg_tuple_get(listen_params, "address");
+				addr = *cfg_obj_assockaddr(obj);
+				if (isc_sockaddr_getport(&addr) == 0)
+					isc_sockaddr_setport(&addr, NS_STATSCHANNEL_HTTPPORT);
+
+				isc_sockaddr_format(&addr, socktext,
+						    sizeof(socktext));
+
+				isc_log_write(ns_g_lctx,
+					      NS_LOGCATEGORY_GENERAL,
+					      NS_LOGMODULE_SERVER,
+					      ISC_LOG_DEBUG(9),
+					      "processing statistics "
+					      "channel %s",
+					      socktext);
+
+				update_listener(server, &listener,
+						listen_params, config, &addr,
+						aclconfctx, socktext);
+
+				if (listener != NULL) {
+					/*
+					 * Remove the listener from the old
+					 * list, so it won't be shut down.
+					 */
+					ISC_LIST_UNLINK(server->statschannels,
+							listener, link);
+				} else {
+					/*
+					 * This is a new listener.
+					 */
+					isc_result_t r;
+
+					r = add_listener(server, &listener,
+							 listen_params, config,
+							 &addr, aclconfctx,
+							 socktext);
+					if (r != ISC_R_SUCCESS) {
+						cfg_obj_log(listen_params,
+							    ns_g_lctx,
+							    ISC_LOG_WARNING,
+							    "couldn't allocate "
+							    "statistics channel"
+							    " %s: %s",
+							    socktext,
+							    isc_result_totext(r));
+					}
+				}
+
+				if (listener != NULL)
+					ISC_LIST_APPEND(new_listeners, listener,
+							link);
+			}
+		}
+	}
+
+	for (listener = ISC_LIST_HEAD(server->statschannels);
+	     listener != NULL;
+	     listener = listener_next) {
+		listener_next = ISC_LIST_NEXT(listener, link);
+		ISC_LIST_UNLINK(server->statschannels, listener, link);
+		shutdown_listener(listener);
+	}
+
+	ISC_LIST_APPENDLIST(server->statschannels, new_listeners, link);
+	return (ISC_R_SUCCESS);
+}
+
+void
+ns_statschannels_shutdown(ns_server_t *server) {
+	ns_statschannel_t *listener;
+
+	while ((listener = ISC_LIST_HEAD(server->statschannels)) != NULL) {
+		ISC_LIST_UNLINK(server->statschannels, listener, link);
+		shutdown_listener(listener);
+	}
+}
+
+isc_result_t
+ns_stats_dump(ns_server_t *server, FILE *fp) {
+	isc_stdtime_t now;
+	isc_result_t result;
+	dns_view_t *view;
+	dns_zone_t *zone, *next;
+	stats_dumparg_t dumparg;
+	isc_uint64_t nsstat_values[dns_nsstatscounter_max];
+	isc_uint64_t resstat_values[dns_resstatscounter_max];
+	isc_uint64_t zonestat_values[dns_zonestatscounter_max];
+	isc_uint64_t sockstat_values[isc_sockstatscounter_max];
+
+	RUNTIME_CHECK(isc_once_do(&once, init_desc) == ISC_R_SUCCESS);
+
+	/* Set common fields */
+	dumparg.type = statsformat_file;
+	dumparg.arg = fp;
+
+	isc_stdtime_get(&now);
+	fprintf(fp, "+++ Statistics Dump +++ (%lu)\n", (unsigned long)now);
+
+	fprintf(fp, "++ Incoming Requests ++\n");
+	dns_opcodestats_dump(server->opcodestats, opcodestat_dump, &dumparg, 0);
+
+	fprintf(fp, "++ Incoming Queries ++\n");
+	dns_rdatatypestats_dump(server->rcvquerystats, rdtypestat_dump,
+				&dumparg, 0);
+
+	fprintf(fp, "++ Outgoing Queries ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (view->resquerystats == NULL)
+			continue;
+		if (strcmp(view->name, "_default") == 0)
+			fprintf(fp, "[View: default]\n");
+		else
+			fprintf(fp, "[View: %s]\n", view->name);
+		dns_rdatatypestats_dump(view->resquerystats, rdtypestat_dump,
+					&dumparg, 0);
+	}
+
+	fprintf(fp, "++ Name Server Statistics ++\n");
+	dump_counters(server->nsstats, statsformat_file, fp, NULL,
+		      nsstats_desc, dns_nsstatscounter_max, nsstats_index,
+		      nsstat_values, 0);
+
+	fprintf(fp, "++ Zone Maintenance Statistics ++\n");
+	dump_counters(server->zonestats, statsformat_file, fp, NULL,
+		      zonestats_desc, dns_zonestatscounter_max,
+		      zonestats_index, zonestat_values, 0);
+
+	fprintf(fp, "++ Resolver Statistics ++\n");
+	fprintf(fp, "[Common]\n");
+	dump_counters(server->resolverstats, statsformat_file, fp, NULL,
+		      resstats_desc, dns_resstatscounter_max, resstats_index,
+		      resstat_values, 0);
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (view->resstats == NULL)
+			continue;
+		if (strcmp(view->name, "_default") == 0)
+			fprintf(fp, "[View: default]\n");
+		else
+			fprintf(fp, "[View: %s]\n", view->name);
+		dump_counters(view->resstats, statsformat_file, fp, NULL,
+			      resstats_desc, dns_resstatscounter_max,
+			      resstats_index, resstat_values, 0);
+	}
+
+	fprintf(fp, "++ Cache DB RRsets ++\n");
+	for (view = ISC_LIST_HEAD(server->viewlist);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		dns_stats_t *cachestats;
+
+		cachestats = dns_db_getrrsetstats(view->cachedb);
+		if (cachestats == NULL)
+			continue;
+		if (strcmp(view->name, "_default") == 0)
+			fprintf(fp, "[View: default]\n");
+		else
+			fprintf(fp, "[View: %s]\n", view->name);
+		dns_rdatasetstats_dump(cachestats, rdatasetstats_dump, &dumparg,
+				       0);
+	}
+
+	fprintf(fp, "++ Socket I/O Statistics ++\n");
+	dump_counters(server->sockstats, statsformat_file, fp, NULL,
+		      sockstats_desc, isc_sockstatscounter_max, sockstats_index,
+		      sockstat_values, 0);
+
+	fprintf(fp, "++ Per Zone Query Statistics ++\n");
+	zone = NULL;
+	for (result = dns_zone_first(server->zonemgr, &zone);
+	     result == ISC_R_SUCCESS;
+	     next = NULL, result = dns_zone_next(zone, &next), zone = next)
+	{
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL) {
+			char zonename[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(dns_zone_getorigin(zone),
+					zonename, sizeof(zonename));
+			view = dns_zone_getview(zone);
+
+			fprintf(fp, "[%s", zonename);
+			if (strcmp(view->name, "_default") != 0)
+				fprintf(fp, " (view: %s)", view->name);
+			fprintf(fp, "]\n");
+
+			dump_counters(zonestats, statsformat_file, fp, NULL,
+				      nsstats_desc, dns_nsstatscounter_max,
+				      nsstats_index, nsstat_values, 0);
+		}
+	}
+
+	fprintf(fp, "--- Statistics Dump --- (%lu)\n", (unsigned long)now);
+
+	return (ISC_R_SUCCESS);	/* this function currently always succeeds */
+}
diff --git a/bin/named/tkeyconf.c b/bin/named/tkeyconf.c
index 3c843ac..82cf573 100644
--- a/bin/named/tkeyconf.c
+++ b/bin/named/tkeyconf.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkeyconf.c,v 1.20.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: tkeyconf.c,v 1.29 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
@@ -42,6 +42,13 @@
 		goto failure; \
 	} while (0)
 
+#include<named/log.h>
+#define LOG(msg) \
+	isc_log_write(ns_g_lctx, \
+	NS_LOGCATEGORY_GENERAL, \
+	NS_LOGMODULE_SERVER, \
+	ISC_LOG_ERROR, \
+	"%s", msg)
 
 isc_result_t
 ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
@@ -100,6 +107,7 @@ ns_tkeyctx_fromconfig(const cfg_obj_t *options, isc_mem_t *mctx,
 	result = cfg_map_get(options, "tkey-gssapi-credential", &obj);
 	if (result == ISC_R_SUCCESS) {
 		s = cfg_obj_asstring(obj);
+
 		isc_buffer_init(&b, s, strlen(s));
 		isc_buffer_add(&b, strlen(s));
 		dns_fixedname_init(&fname);
diff --git a/bin/named/tsigconf.c b/bin/named/tsigconf.c
index 7fa7fe5..b3c6e02 100644
--- a/bin/named/tsigconf.c
+++ b/bin/named/tsigconf.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsigconf.c,v 1.22.18.6 2006/02/28 03:10:47 marka Exp $ */
+/* $Id: tsigconf.c,v 1.30 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/named/unix/Makefile.in b/bin/named/unix/Makefile.in
index a18351a..5092834 100644
--- a/bin/named/unix/Makefile.in
+++ b/bin/named/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8 2004/03/05 04:58:01 marka Exp $
+# $Id: Makefile.in,v 1.10 2007/06/19 23:46:59 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/named/unix/include/named/os.h b/bin/named/unix/include/named/os.h
index 6c603dc..d03bf75 100644
--- a/bin/named/unix/include/named/os.h
+++ b/bin/named/unix/include/named/os.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.22.18.5 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: os.h,v 1.29 2008/10/24 01:44:48 tbox Exp $ */
 
 #ifndef NS_OS_H
 #define NS_OS_H 1
diff --git a/bin/named/unix/os.c b/bin/named/unix/os.c
index ad26a8e..5e6b98f 100644
--- a/bin/named/unix/os.c
+++ b/bin/named/unix/os.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.66.18.17 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: os.c,v 1.89.12.5 2009/03/02 03:03:54 marka Exp $ */
 
 /*! \file */
 
@@ -70,7 +70,7 @@ static int devnullfd = -1;
 /*
  * Linux defines:
  *	(T) HAVE_LINUXTHREADS
- *	(C) HAVE_LINUX_CAPABILITY_H
+ *	(C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H)
  *	(P) HAVE_SYS_PRCTL_H
  * The possible cases are:
  *	none:	setuid() normally
@@ -117,16 +117,9 @@ static int dfd[2] = { -1, -1 };
 static isc_boolean_t non_root = ISC_FALSE;
 static isc_boolean_t non_root_caps = ISC_FALSE;
 
-#if defined(HAVE_CAPSET)
-#undef _POSIX_SOURCE
 #ifdef HAVE_SYS_CAPABILITY_H
 #include <sys/capability.h>
 #else
-#include <linux/capability.h>
-int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
-#endif
-#include <sys/prctl.h>
-#else
 /*%
  * We define _LINUX_FS_H to prevent it from being included.  We don't need
  * anything from it, and the files it includes cause warnings with 2.2
@@ -134,9 +127,15 @@ int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
  * and <string.h>) on 2.3 kernels.
  */
 #define _LINUX_FS_H
-
-#include <sys/syscall.h>	/* Required for syscall(). */
-#include <linux/capability.h>	/* Required for _LINUX_CAPABILITY_VERSION. */
+#include <linux/capability.h>
+#include <syscall.h>
+#ifndef SYS_capset
+#ifndef __NR_capset
+#include <asm/unistd.h> /* Slackware 4.0 needs this. */
+#endif /* __NR_capset */
+#define SYS_capset __NR_capset
+#endif /* SYS_capset */
+#endif /* HAVE_SYS_CAPABILITY_H */
 
 #ifdef HAVE_SYS_PRCTL_H
 #include <sys/prctl.h>		/* Required for prctl(). */
@@ -153,23 +152,24 @@ int capset(cap_user_header_t hdrp, const cap_user_data_t datap);
 
 #endif /* HAVE_SYS_PRCTL_H */
 
-#ifndef SYS_capset
-#ifndef __NR_capset
-#include <asm/unistd.h> /* Slackware 4.0 needs this. */
-#endif
-#define SYS_capset __NR_capset
-#endif
-#endif
+#ifdef HAVE_LIBCAP
+#define SETCAPS_FUNC "cap_set_proc "
+#else
+typedef unsigned int cap_t;
+#define SETCAPS_FUNC "syscall(capset) "
+#endif /* HAVE_LIBCAP */
 
 static void
-linux_setcaps(unsigned int caps) {
+linux_setcaps(cap_t caps) {
+#ifndef HAVE_LIBCAP
 	struct __user_cap_header_struct caphead;
 	struct __user_cap_data_struct cap;
+#endif
 	char strbuf[ISC_STRERRORSIZE];
 
 	if ((getuid() != 0 && !non_root_caps) || non_root)
 		return;
-
+#ifndef HAVE_LIBCAP
 	memset(&caphead, 0, sizeof(caphead));
 	caphead.version = _LINUX_CAPABILITY_VERSION;
 	caphead.pid = 0;
@@ -177,46 +177,89 @@ linux_setcaps(unsigned int caps) {
 	cap.effective = caps;
 	cap.permitted = caps;
 	cap.inheritable = 0;
-#ifdef HAVE_CAPSET
-	if (capset(&caphead, &cap) < 0 ) {
-		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("capset failed: %s:"
-				   " please ensure that the capset kernel"
-				   " module is loaded.  see insmod(8)",
-				   strbuf);
-	}
+#endif
+#ifdef HAVE_LIBCAP
+	if (cap_set_proc(caps) < 0) {
 #else
 	if (syscall(SYS_capset, &caphead, &cap) < 0) {
+#endif
 		isc__strerror(errno, strbuf, sizeof(strbuf));
-		ns_main_earlyfatal("syscall(capset) failed: %s:"
+		ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:"
 				   " please ensure that the capset kernel"
 				   " module is loaded.  see insmod(8)",
 				   strbuf);
 	}
-#endif
 }
 
+#ifdef HAVE_LIBCAP
+#define SET_CAP(flag) \
+	do { \
+		capval = (flag); \
+		cap_flag_value_t curval; \
+		err = cap_get_flag(curcaps, capval, CAP_PERMITTED, &curval); \
+		if (err != -1 && curval) { \
+			err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \
+			if (err == -1) { \
+				isc__strerror(errno, strbuf, sizeof(strbuf)); \
+				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+			} \
+			\
+			err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \
+			if (err == -1) { \
+				isc__strerror(errno, strbuf, sizeof(strbuf)); \
+				ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \
+			} \
+		} \
+	} while (0)
+#define INIT_CAP \
+	do { \
+		caps = cap_init(); \
+		if (caps == NULL) { \
+			isc__strerror(errno, strbuf, sizeof(strbuf)); \
+			ns_main_earlyfatal("cap_init failed: %s", strbuf); \
+		} \
+		curcaps = cap_get_proc(); \
+		if (curcaps == NULL) { \
+			isc__strerror(errno, strbuf, sizeof(strbuf)); \
+			ns_main_earlyfatal("cap_get_proc failed: %s", strbuf); \
+		} \
+	} while (0)
+#define FREE_CAP \
+	{ \
+		cap_free(caps); \
+		cap_free(curcaps); \
+	} while (0)
+#else
+#define SET_CAP(flag) do { caps |= (1 << (flag)); } while (0)
+#define INIT_CAP do { caps = 0; } while (0)
+#endif /* HAVE_LIBCAP */
+
 static void
 linux_initialprivs(void) {
-	unsigned int caps;
+	cap_t caps;
+#ifdef HAVE_LIBCAP
+	cap_t curcaps;
+	cap_value_t capval;
+	char strbuf[ISC_STRERRORSIZE];
+	int err;
+#endif
 
 	/*%
 	 * We don't need most privileges, so we drop them right away.
 	 * Later on linux_minprivs() will be called, which will drop our
 	 * capabilities to the minimum needed to run the server.
 	 */
-
-	caps = 0;
+	INIT_CAP;
 
 	/*
 	 * We need to be able to bind() to privileged ports, notably port 53!
 	 */
-	caps |= (1 << CAP_NET_BIND_SERVICE);
+	SET_CAP(CAP_NET_BIND_SERVICE);
 
 	/*
 	 * We need chroot() initially too.
 	 */
-	caps |= (1 << CAP_SYS_CHROOT);
+	SET_CAP(CAP_SYS_CHROOT);
 
 #if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS)
 	/*
@@ -225,19 +268,19 @@ linux_initialprivs(void) {
 	 * tried) or we're not using threads.  If either of these is
 	 * true, we want the setuid capability.
 	 */
-	caps |= (1 << CAP_SETUID);
+	SET_CAP(CAP_SETUID);
 #endif
 
 	/*
 	 * Since we call initgroups, we need this.
 	 */
-	caps |= (1 << CAP_SETGID);
+	SET_CAP(CAP_SETGID);
 
 	/*
 	 * Without this, we run into problems reading a configuration file
 	 * owned by a non-root user and non-world-readable on startup.
 	 */
-	caps |= (1 << CAP_DAC_READ_SEARCH);
+	SET_CAP(CAP_DAC_READ_SEARCH);
 
 	/*
 	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
@@ -246,15 +289,26 @@ linux_initialprivs(void) {
 	 * of files, the stack size, data size, and core dump size to
 	 * support named.conf options, this is now being added to test.
 	 */
-	caps |= (1 << CAP_SYS_RESOURCE);
+	SET_CAP(CAP_SYS_RESOURCE);
 
 	linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+	FREE_CAP;
+#endif
 }
 
 static void
 linux_minprivs(void) {
-	unsigned int caps;
+	cap_t caps;
+#ifdef HAVE_LIBCAP
+	cap_t curcaps;
+	cap_value_t capval;
+	char strbuf[ISC_STRERRORSIZE];
+	int err;
+#endif
 
+	INIT_CAP;
 	/*%
 	 * Drop all privileges except the ability to bind() to privileged
 	 * ports.
@@ -263,8 +317,7 @@ linux_minprivs(void) {
 	 * chroot() could be used to escape from the chrooted area.
 	 */
 
-	caps = 0;
-	caps |= (1 << CAP_NET_BIND_SERVICE);
+	SET_CAP(CAP_NET_BIND_SERVICE);
 
 	/*
 	 * XXX  We might want to add CAP_SYS_RESOURCE, though it's not
@@ -273,9 +326,13 @@ linux_minprivs(void) {
 	 * of files, the stack size, data size, and core dump size to
 	 * support named.conf options, this is now being added to test.
 	 */
-	caps |= (1 << CAP_SYS_RESOURCE);
+	SET_CAP(CAP_SYS_RESOURCE);
 
 	linux_setcaps(caps);
+
+#ifdef HAVE_LIBCAP
+	FREE_CAP;
+#endif
 }
 
 #ifdef HAVE_SYS_PRCTL_H
@@ -405,10 +462,12 @@ ns_os_started(void) {
 	char buf = 0;
 
 	/*
-	 * Signal to the parent that we stated successfully.
+	 * Signal to the parent that we started successfully.
 	 */
 	if (dfd[0] != -1 && dfd[1] != -1) {
-		write(dfd[1], &buf, 1);
+		if (write(dfd[1], &buf, 1) != 1)
+			ns_main_earlyfatal("unable to signal parent that we "
+					   "otherwise started successfully.");
 		close(dfd[1]);
 		dfd[0] = dfd[1] = -1;
 	}
@@ -448,10 +507,14 @@ ns_os_chroot(const char *root) {
 	ns_smf_chroot = 0;
 #endif
 	if (root != NULL) {
+#ifdef HAVE_CHROOT
 		if (chroot(root) < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			ns_main_earlyfatal("chroot(): %s", strbuf);
 		}
+#else
+		ns_main_earlyfatal("chroot(): disabled");
+#endif
 		if (chdir("/") < 0) {
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			ns_main_earlyfatal("chdir(/): %s", strbuf);
@@ -584,7 +647,8 @@ safe_open(const char *filename, isc_boolean_t append) {
 		fd = open(filename, O_WRONLY|O_CREAT|O_APPEND,
 			  S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 	else {
-		(void)unlink(filename);
+		if (unlink(filename) < 0 && errno != ENOENT)
+			return (-1);
 		fd = open(filename, O_WRONLY|O_CREAT|O_EXCL,
 			  S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH);
 	}
@@ -593,13 +657,54 @@ safe_open(const char *filename, isc_boolean_t append) {
 
 static void
 cleanup_pidfile(void) {
+	int n;
 	if (pidfile != NULL) {
-		(void)unlink(pidfile);
+		n = unlink(pidfile);
+		if (n == -1 && errno != ENOENT)
+			ns_main_earlywarning("unlink '%s': failed", pidfile);
 		free(pidfile);
 	}
 	pidfile = NULL;
 }
 
+static int
+mkdirpath(char *filename, void (*report)(const char *, ...)) {
+	char *slash = strrchr(filename, '/');
+	char strbuf[ISC_STRERRORSIZE];
+	unsigned int mode;
+
+	if (slash != NULL && slash != filename) {
+		struct stat sb;
+		*slash = '\0';
+
+		if (stat(filename, &sb) == -1) {
+			if (errno != ENOENT) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't stat '%s': %s", filename,
+					  strbuf);
+				goto error;
+			}
+			if (mkdirpath(filename, report) == -1)
+				goto error;
+			mode = S_IRUSR | S_IWUSR | S_IXUSR;	/* u=rwx */
+			mode |= S_IRGRP | S_IXGRP;		/* g=rx */
+			mode |= S_IROTH | S_IXOTH;		/* o=rx */
+			if (mkdir(filename, mode) == -1) {
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				(*report)("couldn't mkdir '%s': %s", filename,
+					  strbuf);
+				goto error;
+			}
+		}
+		*slash = '/';
+	}
+	return (0);
+
+ error:
+	*slash = '/';
+	return (-1);
+}
+
 void
 ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 	int fd;
@@ -627,9 +732,19 @@ ns_os_writepidfile(const char *filename, isc_boolean_t first_time) {
 		(*report)("couldn't malloc '%s': %s", filename, strbuf);
 		return;
 	}
+
 	/* This is safe. */
 	strcpy(pidfile, filename);
 
+	/*
+	 * Make the containing directory if it doesn't exist.
+	 */
+	if (mkdirpath(pidfile, report) == -1) {
+		free(pidfile);
+		pidfile = NULL;
+		return;
+	}
+
 	fd = safe_open(filename, ISC_FALSE);
 	if (fd < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
diff --git a/bin/named/update.c b/bin/named/update.c
index fb6dec2..ff07311 100644
--- a/bin/named/update.c
+++ b/bin/named/update.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,11 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.109.18.27 2008/02/07 03:16:08 marka Exp $ */
+/* $Id: update.c,v 1.151.12.5 2009/04/30 07:03:37 marka Exp $ */
 
 #include <config.h>
 
+#include <isc/netaddr.h>
 #include <isc/print.h>
+#include <isc/serial.h>
+#include <isc/stats.h>
 #include <isc/string.h>
 #include <isc/taskpool.h>
 #include <isc/util.h>
@@ -34,6 +37,7 @@
 #include <dns/keyvalues.h>
 #include <dns/message.h>
 #include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/rdataclass.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
@@ -47,6 +51,7 @@
 
 #include <named/client.h>
 #include <named/log.h>
+#include <named/server.h>
 #include <named/update.h>
 
 /*! \file
@@ -55,9 +60,9 @@
  */
 
 /*
-  XXX TODO:
-  - document strict minimality
-*/
+ *  XXX TODO:
+ * - document strict minimality
+ */
 
 /**************************************************************************/
 
@@ -69,7 +74,7 @@
 /*%
  * Log level for low-level debug tracing.
  */
-#define LOGLEVEL_DEBUG 		ISC_LOG_DEBUG(8)
+#define LOGLEVEL_DEBUG		ISC_LOG_DEBUG(8)
 
 /*%
  * Check an operation for failure.  These macros all assume that
@@ -77,8 +82,8 @@
  * label.
  */
 #define CHECK(op) \
-	do { result = (op); 				  	 \
-	       if (result != ISC_R_SUCCESS) goto failure; 	 \
+	do { result = (op); \
+		if (result != ISC_R_SUCCESS) goto failure; \
 	} while (0)
 
 /*%
@@ -112,11 +117,16 @@
 		case DNS_R_NXRRSET:				\
 			_what = "unsuccessful";			\
 		}						\
-		update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
-			      "update %s: %s (%s)", _what,	\
-			      msg, isc_result_totext(result));	\
+		update_log(client, zone, LOGLEVEL_PROTOCOL,	\
+			   "update %s: %s (%s)", _what,		\
+			   msg, isc_result_totext(result));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
+#define PREREQFAILC(code, msg) \
+	do {							\
+		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+		FAILC(code, msg);				\
+	} while (0)
 
 #define FAILN(code, name, msg) \
 	do {								\
@@ -132,12 +142,17 @@
 		if (isc_log_wouldlog(ns_g_lctx, LOGLEVEL_PROTOCOL)) {	\
 			char _nbuf[DNS_NAME_FORMATSIZE];		\
 			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
-			update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
+			update_log(client, zone, LOGLEVEL_PROTOCOL,	\
 				   "update %s: %s: %s (%s)", _what, _nbuf, \
 				   msg, isc_result_totext(result));	\
 		}							\
 		if (result != ISC_R_SUCCESS) goto failure;		\
 	} while (0)
+#define PREREQFAILN(code, name, msg) \
+	do {								\
+		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+		FAILN(code, name, msg);					\
+	} while (0)
 
 #define FAILNT(code, name, type, msg) \
 	do {								\
@@ -155,13 +170,19 @@
 			char _tbuf[DNS_RDATATYPE_FORMATSIZE];		\
 			dns_name_format(name, _nbuf, sizeof(_nbuf));	\
 			dns_rdatatype_format(type, _tbuf, sizeof(_tbuf)); \
-			update_log(client, zone, LOGLEVEL_PROTOCOL,   	\
+			update_log(client, zone, LOGLEVEL_PROTOCOL,	\
 				   "update %s: %s/%s: %s (%s)",		\
 				   _what, _nbuf, _tbuf, msg,		\
 				   isc_result_totext(result));		\
 		}							\
 		if (result != ISC_R_SUCCESS) goto failure;		\
 	} while (0)
+#define PREREQFAILNT(code, name, type, msg)				\
+	do {								\
+		inc_stats(zone, dns_nsstatscounter_updatebadprereq); \
+		FAILNT(code, name, type, msg);				\
+	} while (0)
+
 /*%
  * Fail unconditionally and log as a server error.
  * The test against ISC_R_SUCCESS is there to keep the Solaris compiler
@@ -171,26 +192,31 @@
 	do {							\
 		result = (code);				\
 		update_log(client, zone, LOGLEVEL_PROTOCOL,	\
-			      "error: %s: %s", 			\
-			      msg, isc_result_totext(result));	\
+			   "error: %s: %s",			\
+			   msg, isc_result_totext(result));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
+/*
+ * Return TRUE if NS_CLIENTATTR_TCP is set in the attributes other FALSE.
+ */
+#define TCPCLIENT(client) (((client)->attributes & NS_CLIENTATTR_TCP) != 0)
+
 /**************************************************************************/
 
 typedef struct rr rr_t;
 
 struct rr {
 	/* dns_name_t name; */
-	isc_uint32_t 		ttl;
-	dns_rdata_t 		rdata;
+	isc_uint32_t		ttl;
+	dns_rdata_t		rdata;
 };
 
 typedef struct update_event update_event_t;
 
 struct update_event {
 	ISC_EVENT_COMMON(update_event_t);
-	dns_zone_t 		*zone;
+	dns_zone_t		*zone;
 	isc_result_t		result;
 	dns_message_t		*answer;
 };
@@ -240,9 +266,38 @@ update_log(ns_client_t *client, dns_zone_t *zone,
 		      namebuf, classbuf, message);
 }
 
+/*%
+ * Increment updated-related statistics counters.
+ */
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+	isc_stats_increment(ns_g_server->nsstats, counter);
+
+	if (zone != NULL) {
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL)
+			isc_stats_increment(zonestats, counter);
+	}
+}
+
+/*%
+ * Override the default acl logging when checking whether a client
+ * can update the zone or whether we can forward the request to the
+ * master based on IP address.
+ *
+ * 'message' contains the type of operation that is being attempted.
+ * 'slave' indicates if this is a slave zone.  If 'acl' is NULL then
+ * log at debug=3.
+ * If the zone has no access controls configured ('acl' == NULL &&
+ * 'has_ssutable == ISC_FALS) log the attempt at info, otherwise
+ * at error.
+ *
+ * If the request was signed log that we received it.
+ */
 static isc_result_t
 checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
-	       dns_name_t *zonename, isc_boolean_t slave)
+	       dns_name_t *zonename, isc_boolean_t slave,
+	       isc_boolean_t has_ssutable)
 {
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char classbuf[DNS_RDATACLASS_FORMATSIZE];
@@ -254,12 +309,21 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
 		result = DNS_R_NOTIMP;
 		level = ISC_LOG_DEBUG(3);
 		msg = "disabled";
-	} else
-		result = ns_client_checkaclsilent(client, acl, ISC_FALSE);
+	} else {
+		result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+		if (result == ISC_R_SUCCESS) {
+			level = ISC_LOG_DEBUG(3);
+			msg = "approved";
+		} else if (acl == NULL && !has_ssutable) {
+			level = ISC_LOG_INFO;
+		}
+	}
 
-	if (result == ISC_R_SUCCESS) {
-		level = ISC_LOG_DEBUG(3);
-		msg = "approved";
+	if (client->signer != NULL) {
+		dns_name_format(client->signer, namebuf, sizeof(namebuf));
+		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
+			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
+			      "signer \"%s\" %s", namebuf, msg);
 	}
 
 	dns_name_format(zonename, namebuf, sizeof(namebuf));
@@ -267,8 +331,8 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
 			      sizeof(classbuf));
 
 	ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
-			      NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
-			      message, namebuf, classbuf, msg);
+		      NS_LOGMODULE_UPDATE, level, "%s '%s/%s' %s",
+		      message, namebuf, classbuf, msg);
 	return (result);
 }
 
@@ -277,12 +341,11 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
  * update in 'diff'.
  *
  * Ensures:
- * \li  '*tuple' == NULL.  Either the tuple is freed, or its
- *         ownership has been transferred to the diff.
+ * \li	'*tuple' == NULL.  Either the tuple is freed, or its
+ *	ownership has been transferred to the diff.
  */
 static isc_result_t
-do_one_tuple(dns_difftuple_t **tuple,
-	     dns_db_t *db, dns_dbversion_t *ver,
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 	     dns_diff_t *diff)
 {
 	dns_diff_t temp_diff;
@@ -292,6 +355,7 @@ do_one_tuple(dns_difftuple_t **tuple,
 	 * Create a singleton diff.
 	 */
 	dns_diff_init(diff->mctx, &temp_diff);
+	temp_diff.resign = diff->resign;
 	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 
 	/*
@@ -320,7 +384,7 @@ do_one_tuple(dns_difftuple_t **tuple,
  * update in 'diff'.
  *
  * Ensures:
- * \li  'updates' is empty.
+ * \li	'updates' is empty.
  */
 static isc_result_t
 do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
@@ -341,8 +405,8 @@ do_diff(dns_diff_t *updates, dns_db_t *db, dns_dbversion_t *ver,
 
 static isc_result_t
 update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
-	      dns_diffop_t op, dns_name_t *name,
-	      dns_ttl_t ttl, dns_rdata_t *rdata)
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata)
 {
 	dns_difftuple_t *tuple = NULL;
 	isc_result_t result;
@@ -423,11 +487,8 @@ foreach_node_rr_action(void *data, dns_rdataset_t *rdataset) {
  * If 'action' returns an error, abort iteration and return the error.
  */
 static isc_result_t
-foreach_rrset(dns_db_t *db,
-	      dns_dbversion_t *ver,
-	      dns_name_t *name,
-	      rrset_func *action,
-	      void *action_data)
+foreach_rrset(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      rrset_func *action, void *action_data)
 {
 	isc_result_t result;
 	dns_dbnode_t *node;
@@ -482,11 +543,8 @@ foreach_rrset(dns_db_t *db,
  * and return the error.
  */
 static isc_result_t
-foreach_node_rr(dns_db_t *db,
-	    dns_dbversion_t *ver,
-	    dns_name_t *name,
-	    rr_func *rr_action,
-	    void *rr_action_data)
+foreach_node_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+		rr_func *rr_action, void *rr_action_data)
 {
 	foreach_node_rr_ctx_t ctx;
 	ctx.rr_action = rr_action;
@@ -506,12 +564,8 @@ foreach_node_rr(dns_db_t *db,
  * If 'action' returns an error, abort iteration and return the error.
  */
 static isc_result_t
-foreach_rr(dns_db_t *db,
-	   dns_dbversion_t *ver,
-	   dns_name_t *name,
-	   dns_rdatatype_t type,
-	   dns_rdatatype_t covers,
-	   rr_func *rr_action,
+foreach_rr(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	   dns_rdatatype_t type, dns_rdatatype_t covers, rr_func *rr_action,
 	   void *rr_action_data)
 {
 
@@ -524,7 +578,11 @@ foreach_rr(dns_db_t *db,
 					rr_action, rr_action_data));
 
 	node = NULL;
-	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (type == dns_rdatatype_nsec3 ||
+	    (type == dns_rdatatype_rrsig && covers == dns_rdatatype_nsec3))
+		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
+	else
+		result = dns_db_findnode(db, name, ISC_FALSE, &node);
 	if (result == ISC_R_NOTFOUND)
 		return (ISC_R_SUCCESS);
 	if (result != ISC_R_SUCCESS)
@@ -597,9 +655,9 @@ rrset_exists_action(void *data, rr_t *rr) {
  * This would be more readable as "do { if ... } while(0)",
  * but that form generates tons of warnings on Solaris 2.6.
  */
-#define RETURN_EXISTENCE_FLAG 				\
-	return ((result == ISC_R_EXISTS) ? 		\
-		(*exists = ISC_TRUE, ISC_R_SUCCESS) : 	\
+#define RETURN_EXISTENCE_FLAG				\
+	return ((result == ISC_R_EXISTS) ?		\
+		(*exists = ISC_TRUE, ISC_R_SUCCESS) :	\
 		((result == ISC_R_SUCCESS) ?		\
 		 (*exists = ISC_FALSE, ISC_R_SUCCESS) :	\
 		 result))
@@ -609,8 +667,8 @@ rrset_exists_action(void *data, rr_t *rr) {
  * to false otherwise.
  */
 static isc_result_t
-rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
-	     dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+rrset_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	     dns_rdatatype_t type, dns_rdatatype_t covers,
 	     isc_boolean_t *exists)
 {
 	isc_result_t result;
@@ -620,6 +678,45 @@ rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 }
 
 /*%
+ * Set '*visible' to true if the RRset exists and is part of the
+ * visible zone.  Otherwise '*visible' is set to false unless a
+ * error occurs.
+ */
+static isc_result_t
+rrset_visible(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	      dns_rdatatype_t type, isc_boolean_t *visible)
+{
+	isc_result_t result;
+	dns_fixedname_t fixed;
+
+	dns_fixedname_init(&fixed);
+	result = dns_db_find(db, name, ver, type, DNS_DBFIND_NOWILD,
+			     (isc_stdtime_t) 0, NULL,
+			     dns_fixedname_name(&fixed), NULL, NULL);
+	switch (result) {
+	case ISC_R_SUCCESS:
+		*visible = ISC_TRUE;
+		break;
+	/*
+	 * Glue, obscured, deleted or replaced records.
+	 */
+	case DNS_R_DELEGATION:
+	case DNS_R_DNAME:
+	case DNS_R_CNAME:
+	case DNS_R_NXDOMAIN:
+	case DNS_R_NXRRSET:
+	case DNS_R_EMPTYNAME:
+	case DNS_R_COVERINGNSEC:
+		*visible = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+		break;
+	default:
+		break;
+	}
+	return (result);
+}
+
+/*%
  * Helper function for cname_incompatible_rrset_exists.
  */
 static isc_result_t
@@ -695,8 +792,22 @@ name_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	RETURN_EXISTENCE_FLAG;
 }
 
+/*
+ *	'ssu_check_t' is used to pass the arguments to
+ *	dns_ssutable_checkrules() to the callback function
+ *	ssu_checkrule().
+ */
 typedef struct {
-	dns_name_t *name, *signer;
+	/* The ownername of the record to be updated. */
+	dns_name_t *name;
+
+	/* The signature's name if the request was signed. */
+	dns_name_t *signer;
+
+	/* The address of the client if the request was received via TCP. */
+	isc_netaddr_t *tcpaddr;
+
+	/* The ssu table to check against. */
 	dns_ssutable_t *table;
 } ssu_check_t;
 
@@ -713,13 +824,15 @@ ssu_checkrule(void *data, dns_rdataset_t *rrset) {
 	    rrset->type == dns_rdatatype_nsec)
 		return (ISC_R_SUCCESS);
 	result = dns_ssutable_checkrules(ssuinfo->table, ssuinfo->signer,
-					 ssuinfo->name, rrset->type);
+					 ssuinfo->name, ssuinfo->tcpaddr,
+					 rrset->type);
 	return (result == ISC_TRUE ? ISC_R_SUCCESS : ISC_R_FAILURE);
 }
 
 static isc_boolean_t
 ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	     dns_ssutable_t *ssutable, dns_name_t *signer)
+	     dns_ssutable_t *ssutable, dns_name_t *signer,
+	     isc_netaddr_t *tcpaddr)
 {
 	isc_result_t result;
 	ssu_check_t ssuinfo;
@@ -727,6 +840,7 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	ssuinfo.name = name;
 	ssuinfo.table = ssutable;
 	ssuinfo.signer = signer;
+	ssuinfo.tcpaddr = tcpaddr;
 	result = foreach_rrset(db, ver, name, ssu_checkrule, &ssuinfo);
 	return (ISC_TF(result == ISC_R_SUCCESS));
 }
@@ -738,8 +852,8 @@ ssu_checkall(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
  * In the RFC2136 section 3.2.5, this is the pseudocode involving
  * a variable called "temp", a mapping of <name, type> tuples to rrsets.
  *
- * Here, we represent the "temp" data structure as (non-minimial) "dns_diff_t"
- * where each typle has op==DNS_DIFFOP_EXISTS.
+ * Here, we represent the "temp" data structure as (non-minimal) "dns_diff_t"
+ * where each tuple has op==DNS_DIFFOP_EXISTS.
  */
 
 
@@ -754,7 +868,7 @@ temp_append(dns_diff_t *diff, dns_name_t *name, dns_rdata_t *rdata) {
 
 	REQUIRE(DNS_DIFF_VALID(diff));
 	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_EXISTS,
-				      name, 0, rdata, &tuple));
+				   name, 0, rdata, &tuple));
 	ISC_LIST_APPEND(diff->tuples, tuple, link);
  failure:
 	return (result);
@@ -974,13 +1088,14 @@ typedef struct {
 
 /*%
  * Return true iff 'db_rr' is neither a SOA nor an NS RR nor
- * an RRSIG nor a NSEC.
+ * an RRSIG nor an NSEC3PARAM nor a NSEC.
  */
 static isc_boolean_t
 type_not_soa_nor_ns_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 	UNUSED(update_rr);
 	return ((db_rr->type != dns_rdatatype_soa &&
 		 db_rr->type != dns_rdatatype_ns &&
+		 db_rr->type != dns_rdatatype_nsec3param &&
 		 db_rr->type != dns_rdatatype_rrsig &&
 		 db_rr->type != dns_rdatatype_nsec) ?
 		ISC_TRUE : ISC_FALSE);
@@ -1008,6 +1123,16 @@ true_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 }
 
 /*%
+ * Return true if the record is a RRSIG.
+ */
+static isc_boolean_t
+rrsig_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	UNUSED(update_rr);
+	return ((db_rr->type == dns_rdatatype_rrsig) ?
+		ISC_TRUE : ISC_FALSE);
+}
+
+/*%
  * Return true iff the two RRs have identical rdata.
  */
 static isc_boolean_t
@@ -1027,9 +1152,17 @@ rr_equal_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
  *
  * RFC2136 does not mention NSEC or DNAME, but multiple NSECs or DNAMEs
  * make little sense, so we replace those, too.
+ *
+ * Additionally replace RRSIG that have been generated by the same key
+ * for the same type.  This simplifies refreshing a offline KSK by not
+ * requiring that the old RRSIG be deleted.  It also simplifies key
+ * rollover by only requiring that the new RRSIG be added.
  */
 static isc_boolean_t
 replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
+	dns_rdata_rrsig_t updatesig, dbsig;
+	isc_result_t result;
+
 	if (db_rr->type != update_rr->type)
 		return (ISC_FALSE);
 	if (db_rr->type == dns_rdatatype_cname)
@@ -1040,18 +1173,46 @@ replaces_p(dns_rdata_t *update_rr, dns_rdata_t *db_rr) {
 		return (ISC_TRUE);
 	if (db_rr->type == dns_rdatatype_nsec)
 		return (ISC_TRUE);
+	if (db_rr->type == dns_rdatatype_rrsig) {
+		/*
+		 * Replace existing RRSIG with the same keyid,
+		 * covered and algorithm.
+		 */
+		result = dns_rdata_tostruct(db_rr, &dbsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		result = dns_rdata_tostruct(update_rr, &updatesig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if (dbsig.keyid == updatesig.keyid &&
+		    dbsig.covered == updatesig.covered &&
+		    dbsig.algorithm == updatesig.algorithm)
+			return (ISC_TRUE);
+	}
 	if (db_rr->type == dns_rdatatype_wks) {
 		/*
 		 * Compare the address and protocol fields only.  These
 		 * form the first five bytes of the RR data.  Do a
 		 * raw binary comparison; unpacking the WKS RRs using
-		 * dns_rdata_tostruct() might be cleaner in some ways,
-		 * but it would require us to pass around an mctx.
+		 * dns_rdata_tostruct() might be cleaner in some ways.
 		 */
 		INSIST(db_rr->length >= 5 && update_rr->length >= 5);
 		return (memcmp(db_rr->data, update_rr->data, 5) == 0 ?
 			ISC_TRUE : ISC_FALSE);
 	}
+
+	if (db_rr->type == dns_rdatatype_nsec3param) {
+		if (db_rr->length != update_rr->length)
+			return (ISC_FALSE);
+		INSIST(db_rr->length >= 4 && update_rr->length >= 4);
+		/*
+		 * Replace records added in this UPDATE request.
+		 */
+		if (db_rr->data[0] == update_rr->data[0] &&
+		    db_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+		    update_rr->data[1] & DNS_NSEC3FLAG_UPDATE &&
+		    memcmp(db_rr->data+2, update_rr->data+2,
+			   update_rr->length - 2) == 0)
+			return (ISC_TRUE);
+	}
 	return (ISC_FALSE);
 }
 
@@ -1080,14 +1241,9 @@ delete_if_action(void *data, rr_t *rr) {
  * deletions in 'diff'.
  */
 static isc_result_t
-delete_if(rr_predicate *predicate,
-	  dns_db_t *db,
-	  dns_dbversion_t *ver,
-	  dns_name_t *name,
-	  dns_rdatatype_t type,
-	  dns_rdatatype_t covers,
-	  dns_rdata_t *update_rr,
-	  dns_diff_t *diff)
+delete_if(rr_predicate *predicate, dns_db_t *db, dns_dbversion_t *ver,
+	  dns_name_t *name, dns_rdatatype_t type, dns_rdatatype_t covers,
+	  dns_rdata_t *update_rr, dns_diff_t *diff)
 {
 	conditional_delete_ctx_t ctx;
 	ctx.predicate = predicate;
@@ -1144,10 +1300,8 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 	 * be deleted before the update RR is added.
 	 */
 	if (replaces_p(ctx->update_rr, &rr->rdata)) {
-		CHECK(dns_difftuple_create(ctx->del_diff.mctx,
-					   DNS_DIFFOP_DEL, ctx->name,
-					   rr->ttl,
-					   &rr->rdata,
+		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+					   ctx->name, rr->ttl, &rr->rdata,
 					   &tuple));
 		dns_diff_append(&ctx->del_diff, &tuple);
 		return (ISC_R_SUCCESS);
@@ -1158,18 +1312,15 @@ add_rr_prepare_action(void *data, rr_t *rr) {
 	 * its TTL must be adjusted.
 	 */
 	if (rr->ttl != ctx->update_rr_ttl) {
-		CHECK(dns_difftuple_create(ctx->del_diff.mctx,
-					   DNS_DIFFOP_DEL, ctx->name,
-					   rr->ttl,
-					   &rr->rdata,
+		CHECK(dns_difftuple_create(ctx->del_diff.mctx, DNS_DIFFOP_DEL,
+					   ctx->name, rr->ttl, &rr->rdata,
 					   &tuple));
 		dns_diff_append(&ctx->del_diff, &tuple);
 		if (!equal) {
 			CHECK(dns_difftuple_create(ctx->add_diff.mctx,
 						   DNS_DIFFOP_ADD, ctx->name,
 						   ctx->update_rr_ttl,
-						   &rr->rdata,
-						   &tuple));
+						   &rr->rdata, &tuple));
 			dns_diff_append(&ctx->add_diff, &tuple);
 		}
 	}
@@ -1191,10 +1342,9 @@ add_rr_prepare_action(void *data, rr_t *rr) {
  */
 static void
 get_current_rr(dns_message_t *msg, dns_section_t section,
-	       dns_rdataclass_t zoneclass,
-	       dns_name_t **name, dns_rdata_t *rdata, dns_rdatatype_t *covers,
-	       dns_ttl_t *ttl,
-	       dns_rdataclass_t *update_class)
+	       dns_rdataclass_t zoneclass, dns_name_t **name,
+	       dns_rdata_t *rdata, dns_rdatatype_t *covers,
+	       dns_ttl_t *ttl, dns_rdataclass_t *update_class)
 {
 	dns_rdataset_t *rdataset;
 	isc_result_t result;
@@ -1279,8 +1429,7 @@ increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
  */
 static isc_result_t
 check_soa_increment(dns_db_t *db, dns_dbversion_t *ver,
-		    dns_rdata_t *update_rdata,
-		    isc_boolean_t *ok)
+		    dns_rdata_t *update_rdata, isc_boolean_t *ok)
 {
 	isc_uint32_t db_serial;
 	isc_uint32_t update_serial;
@@ -1337,7 +1486,7 @@ namelist_append_subdomain(dns_db_t *db, dns_name_t *name, dns_diff_t *affected)
 	dns_fixedname_init(&fixedname);
 	child = dns_fixedname_name(&fixedname);
 
-	CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
 
 	for (result = dns_dbiterator_seek(dbit, name);
 	     result == ISC_R_SUCCESS;
@@ -1367,8 +1516,10 @@ static isc_result_t
 is_non_nsec_action(void *data, dns_rdataset_t *rrset) {
 	UNUSED(data);
 	if (!(rrset->type == dns_rdatatype_nsec ||
+	      rrset->type == dns_rdatatype_nsec3 ||
 	      (rrset->type == dns_rdatatype_rrsig &&
-	       rrset->covers == dns_rdatatype_nsec)))
+	       (rrset->covers == dns_rdatatype_nsec ||
+		rrset->covers == dns_rdatatype_nsec3))))
 		return (ISC_R_EXISTS);
 	return (ISC_R_SUCCESS);
 }
@@ -1386,8 +1537,7 @@ non_nsec_rrset_exists(dns_db_t *db, dns_dbversion_t *ver,
 		     dns_name_t *name, isc_boolean_t *exists)
 {
 	isc_result_t result;
-	result = foreach_rrset(db, ver, name,
-			       is_non_nsec_action, NULL);
+	result = foreach_rrset(db, ver, name, is_non_nsec_action, NULL);
 	RETURN_EXISTENCE_FLAG;
 }
 
@@ -1425,10 +1575,9 @@ uniqify_name_list(dns_diff_t *list) {
 	return (result);
 }
 
-
 static isc_result_t
-is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-	isc_boolean_t *flag)
+is_active(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  isc_boolean_t *flag, isc_boolean_t *cut, isc_boolean_t *unsecure)
 {
 	isc_result_t result;
 	dns_fixedname_t foundname;
@@ -1438,20 +1587,44 @@ is_glue(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 			     (isc_stdtime_t) 0, NULL,
 			     dns_fixedname_name(&foundname),
 			     NULL, NULL);
-	if (result == ISC_R_SUCCESS) {
-		*flag = ISC_FALSE;
+	if (result == ISC_R_SUCCESS || result == DNS_R_EMPTYNAME) {
+		*flag = ISC_TRUE;
+		*cut = ISC_FALSE;
+		if (unsecure != NULL)
+			*unsecure = ISC_FALSE;
 		return (ISC_R_SUCCESS);
 	} else if (result == DNS_R_ZONECUT) {
-		/*
-		 * We are at the zonecut.  The name will have an NSEC, but
-		 * non-delegation will be omitted from the type bit map.
-		 */
-		*flag = ISC_FALSE;
-		return (ISC_R_SUCCESS);
-	} else if (result == DNS_R_GLUE || result == DNS_R_DNAME) {
 		*flag = ISC_TRUE;
+		*cut = ISC_TRUE;
+		if (unsecure != NULL) {
+			/*
+			 * We are at the zonecut.  Check to see if there
+			 * is a DS RRset.
+			 */
+			if (dns_db_find(db, name, ver, dns_rdatatype_ds, 0,
+					(isc_stdtime_t) 0, NULL,
+					dns_fixedname_name(&foundname),
+					NULL, NULL) == DNS_R_NXRRSET)
+				*unsecure = ISC_TRUE;
+			else
+				*unsecure = ISC_FALSE;
+		}
+		return (ISC_R_SUCCESS);
+	} else if (result == DNS_R_GLUE || result == DNS_R_DNAME ||
+		   result == DNS_R_DELEGATION || result == DNS_R_NXDOMAIN) {
+		*flag = ISC_FALSE;
+		*cut = ISC_FALSE;
+		if (unsecure != NULL)
+			*unsecure = ISC_FALSE;
 		return (ISC_R_SUCCESS);
 	} else {
+		/*
+		 * Silence compiler.
+		 */
+		*flag = ISC_FALSE;
+		*cut = ISC_FALSE;
+		if (unsecure != NULL)
+			*unsecure = ISC_FALSE;
 		return (result);
 	}
 }
@@ -1471,8 +1644,9 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_dbiterator_t *dbit = NULL;
 	isc_boolean_t has_nsec;
 	unsigned int wraps = 0;
+	isc_boolean_t secure = dns_db_issecure(db);
 
-	CHECK(dns_db_createiterator(db, ISC_FALSE, &dbit));
+	CHECK(dns_db_createiterator(db, 0, &dbit));
 
 	CHECK(dns_dbiterator_seek(dbit, oldname));
 	do {
@@ -1508,9 +1682,29 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		 * we must pause the iterator first.
 		 */
 		CHECK(dns_dbiterator_pause(dbit));
-		CHECK(rrset_exists(db, ver, newname,
-				   dns_rdatatype_nsec, 0, &has_nsec));
-
+		if (secure) {
+			CHECK(rrset_exists(db, ver, newname,
+					   dns_rdatatype_nsec, 0, &has_nsec));
+		} else {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			dns_fixedname_init(&ffound);
+			found = dns_fixedname_name(&ffound);
+			result = dns_db_find(db, newname, ver,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if (result == ISC_R_SUCCESS ||
+			    result == DNS_R_EMPTYNAME ||
+			    result == DNS_R_NXRRSET ||
+			    result == DNS_R_CNAME ||
+			    (result == DNS_R_DELEGATION &&
+			     dns_name_equal(newname, found))) {
+				has_nsec = ISC_TRUE;
+				result = ISC_R_SUCCESS;
+			} else if (result != DNS_R_NXDOMAIN)
+				break;
+		}
 	} while (! has_nsec);
  failure:
 	if (dbit != NULL)
@@ -1519,6 +1713,35 @@ next_active(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
+static isc_boolean_t
+has_opt_bit(dns_db_t *db, dns_dbversion_t *version, dns_dbnode_t *node) {
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_boolean_t has_bit = ISC_FALSE;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
+				  dns_rdatatype_none, 0, &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	dns_rdataset_current(&rdataset, &rdata);
+	has_bit = dns_nsec_typepresent(&rdata, dns_rdatatype_opt);
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (has_bit);
+}
+
+static void
+set_bit(unsigned char *array, unsigned int index) {
+	unsigned int shift, bit;
+
+	shift = 7 - (index % 8);
+	bit = 1 << shift;
+
+	array[index / 8] |= bit;
+}
+
 /*%
  * Add a NSEC record for "name", recording the change in "diff".
  * The existing NSEC is removed.
@@ -1550,6 +1773,24 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
 	dns_rdata_init(&rdata);
 	CHECK(dns_nsec_buildrdata(db, ver, node, target, buffer, &rdata));
+	/*
+	 * Preserve the status of the OPT bit in the origin's NSEC record.
+	 */
+	if (dns_name_equal(dns_db_origin(db), name) &&
+	    has_opt_bit(db, ver, node))
+	{
+			isc_region_t region;
+			dns_name_t next;
+
+			dns_name_init(&next, NULL);
+			dns_rdata_toregion(&rdata, &region);
+			dns_name_fromregion(&next, &region);
+			isc_region_consume(&region, next.length);
+			INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
+			       region.base[0] == 0 &&
+			       region.base[1] > dns_rdatatype_opt / 8);
+			set_bit(region.base + 2, dns_rdatatype_opt);
+	}
 	dns_db_detachnode(db, &node);
 
 	/*
@@ -1576,7 +1817,8 @@ add_nsec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
  */
 static isc_result_t
 add_placeholder_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
-		    dns_diff_t *diff) {
+		     dns_diff_t *diff)
+{
 	isc_result_t result;
 	dns_difftuple_t *tuple = NULL;
 	isc_region_t r;
@@ -1655,7 +1897,7 @@ static isc_result_t
 add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	 dns_dbversion_t *ver, dns_name_t *name, dns_rdatatype_t type,
 	 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
-	 isc_mem_t *mctx, isc_stdtime_t inception, isc_stdtime_t expire,
+	 isc_stdtime_t inception, isc_stdtime_t expire,
 	 isc_boolean_t check_ksk)
 {
 	isc_result_t result;
@@ -1666,15 +1908,18 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	unsigned char data[1024]; /* XXX */
 	unsigned int i;
 	isc_boolean_t added_sig = ISC_FALSE;
+	isc_mem_t *mctx = client->mctx;
 
 	dns_rdataset_init(&rdataset);
 	isc_buffer_init(&buffer, data, sizeof(data));
 
 	/* Get the rdataset to sign. */
-	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+	if (type == dns_rdatatype_nsec3)
+		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+	else
+		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
 	CHECK(dns_db_findrdataset(db, node, ver, type, 0,
-				  (isc_stdtime_t) 0,
-				  &rdataset, NULL));
+				  (isc_stdtime_t) 0, &rdataset, NULL));
 	dns_db_detachnode(db, &node);
 
 	for (i = 0; i < nkeys; i++) {
@@ -1693,7 +1938,7 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 
 		/* Update the database and journal with the RRSIG. */
 		/* XXX inefficient - will cause dataset merging */
-		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name,
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name,
 				    rdataset.ttl, &sig_rdata));
 		dns_rdata_reset(&sig_rdata);
 		added_sig = ISC_TRUE;
@@ -1713,13 +1958,156 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	return (result);
 }
 
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also zone.c:del_sigs().
+ */
+static isc_result_t
+del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	    dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	isc_boolean_t found;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig,
+				     dns_rdatatype_dnskey, (isc_stdtime_t) 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		found = ISC_FALSE;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.keyid == dst_key_id(keys[i])) {
+				found = ISC_TRUE;
+				if (!dst_key_isprivate(keys[i])) {
+					/*
+					 * The re-signing code in zone.c
+					 * will mark this as offline.
+					 * Just skip the record for now.
+					 */
+					break;
+				}
+				result = update_one_rr(db, ver, diff,
+						       DNS_DIFFOP_DEL, name,
+						       rdataset.ttl, &rdata);
+				break;
+			}
+		}
+		/*
+		 * If there is not a matching DNSKEY then delete the RRSIG.
+		 */
+		if (!found)
+			result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+					       name, rdataset.ttl, &rdata);
+		dns_rdata_reset(&rdata);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+add_exposed_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+		 dns_dbversion_t *ver, dns_name_t *name, isc_boolean_t cut,
+		 dns_diff_t *diff, dst_key_t **keys, unsigned int nkeys,
+		 isc_stdtime_t inception, isc_stdtime_t expire,
+		 isc_boolean_t check_ksk)
+{
+	isc_result_t result;
+	dns_dbnode_t *node;
+	dns_rdatasetiter_t *iter;
+
+	node = NULL;
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	iter = NULL;
+	result = dns_db_allrdatasets(db, node, ver,
+				     (isc_stdtime_t) 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdatasetiter_first(iter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iter))
+	{
+		dns_rdataset_t rdataset;
+		dns_rdatatype_t type;
+		isc_boolean_t flag;
+
+		dns_rdataset_init(&rdataset);
+		dns_rdatasetiter_current(iter, &rdataset);
+		type = rdataset.type;
+		dns_rdataset_disassociate(&rdataset);
+
+		/*
+		 * We don't need to sign unsigned NSEC records at the cut
+		 * as they are handled elsewhere.
+		 */
+		if ((type == dns_rdatatype_rrsig) ||
+		    (cut && type != dns_rdatatype_ds))
+			continue;
+		result = rrset_exists(db, ver, name, dns_rdatatype_rrsig,
+				      type, &flag);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iterator;
+		if (flag)
+			continue;;
+		result = add_sigs(client, zone, db, ver, name, type, diff,
+				  keys, nkeys, inception, expire, check_ksk);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_iterator;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ cleanup_iterator:
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
 /*%
- * Update RRSIG and NSEC records affected by an update.  The original
- * update, including the SOA serial update but exluding the RRSIG & NSEC
+ * Update RRSIG, NSEC and NSEC3 records affected by an update.  The original
+ * update, including the SOA serial update but excluding the RRSIG & NSEC
  * changes, is in "diff" and has already been applied to "newver" of "db".
  * The database version prior to the update is "oldver".
  *
- * The necessary RRSIG and NSEC changes will be applied to "newver"
+ * The necessary RRSIG, NSEC and NSEC3 changes will be applied to "newver"
  * and added (as a minimal diff) to "diff".
  *
  * The RRSIGs generated will be valid for 'sigvalidityinterval' seconds.
@@ -1727,7 +2115,8 @@ add_sigs(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 static isc_result_t
 update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		  dns_dbversion_t *oldver, dns_dbversion_t *newver,
-		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval)
+		  dns_diff_t *diff, isc_uint32_t sigvalidityinterval,
+		  isc_boolean_t *deleted_zsk)
 {
 	isc_result_t result;
 	dns_difftuple_t *t;
@@ -1747,11 +2136,14 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_rdataset_t rdataset;
 	dns_dbnode_t *node = NULL;
 	isc_boolean_t check_ksk;
+	isc_boolean_t unsecure;
+	isc_boolean_t cut;
 
 	dns_diff_init(client->mctx, &diffnames);
 	dns_diff_init(client->mctx, &affected);
 
 	dns_diff_init(client->mctx, &sig_diff);
+	sig_diff.resign = dns_zone_getsigresigninginterval(zone);
 	dns_diff_init(client->mctx, &nsec_diff);
 	dns_diff_init(client->mctx, &nsec_mindiff);
 
@@ -1770,16 +2162,35 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	/*
 	 * Do we look at the KSK flag on the DNSKEY to determining which
 	 * keys sign which RRsets?  First check the zone option then
-	 * check the keys flags to make sure atleast one has a ksk set
+	 * check the keys flags to make sure at least one has a ksk set
 	 * and one doesn't.
 	 */
 	check_ksk = ISC_TF((dns_zone_getoptions(zone) &
 			    DNS_ZONEOPT_UPDATECHECKKSK) != 0);
-	if (check_ksk)
+	/*
+	 * If we are not checking the ZSK flag then all DNSKEY's are
+	 * already signing all RRsets so we don't need to trigger special
+	 * changes.
+	 */
+	if (*deleted_zsk && (!check_ksk || !ksk_sanity(db, oldver)))
+		*deleted_zsk = ISC_FALSE;
+
+	if (check_ksk) {
 		check_ksk = ksk_sanity(db, newver);
+		if (!check_ksk && ksk_sanity(db, oldver))
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "disabling update-check-ksk");
+	}
 
 	/*
-	 * Get the NSEC's TTL from the SOA MINIMUM field.
+	 * If we have deleted a ZSK and we we still have some ZSK's
+	 * we don't need to convert the KSK's to a ZSK's.
+	 */
+	if (*deleted_zsk && check_ksk)
+		*deleted_zsk = ISC_FALSE;
+
+	/*
+	 * Get the NSEC/NSEC3 TTL from the SOA MINIMUM field.
 	 */
 	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
 	dns_rdataset_init(&rdataset);
@@ -1823,21 +2234,27 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 * Delete all old RRSIGs covering this type, since they
 			 * are all invalid when the signed RRset has changed.
 			 * We may not be able to recreate all of them - tough.
+			 * Special case changes to the zone's DNSKEY records
+			 * to support offline KSKs.
 			 */
-			CHECK(delete_if(true_p, db, newver, name,
-					dns_rdatatype_rrsig, type,
-					NULL, &sig_diff));
+			if (type == dns_rdatatype_dnskey)
+				del_keysigs(db, newver, name, &sig_diff,
+					    zone_keys, nkeys);
+			else
+				CHECK(delete_if(true_p, db, newver, name,
+						dns_rdatatype_rrsig, type,
+						NULL, &sig_diff));
 
 			/*
-			 * If this RRset still exists after the update,
+			 * If this RRset is still visible after the update,
 			 * add a new signature for it.
 			 */
-			CHECK(rrset_exists(db, newver, name, type, 0, &flag));
+			CHECK(rrset_visible(db, newver, name, type, &flag));
 			if (flag) {
 				CHECK(add_sigs(client, zone, db, newver, name,
 					       type, &sig_diff, zone_keys,
-					       nkeys, client->mctx, inception,
-					       expire, check_ksk));
+					       nkeys, inception, expire,
+					       check_ksk));
 			}
 		skip:
 			/* Skip any other updates to the same RRset. */
@@ -1849,6 +2266,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			}
 		}
 	}
+	update_log(client, zone, ISC_LOG_DEBUG(3), "updated data signatures");
 
 	/* Remove orphaned NSECs and RRSIG NSECs. */
 	for (t = ISC_LIST_HEAD(diffnames.tuples);
@@ -1862,6 +2280,19 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 					NULL, &sig_diff));
 		}
 	}
+	update_log(client, zone, ISC_LOG_DEBUG(3),
+		   "removed any orphaned NSEC records");
+
+	/*
+	 * If we don't have a NSEC record at the origin then we need to
+	 * update the NSEC3 records.
+	 */
+	CHECK(rrset_exists(db, newver, dns_db_origin(db), dns_rdatatype_nsec,
+			   0, &flag));
+	if (!flag)
+		goto update_nsec3;
+
+	update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC chain");
 
 	/*
 	 * When a name is created or deleted, its predecessor needs to
@@ -1944,27 +2375,34 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	     t = ISC_LIST_NEXT(t, link))
 	{
 		isc_boolean_t exists;
-		CHECK(name_exists(db, newver, &t->name, &exists));
+		dns_name_t *name = &t->name;
+
+		CHECK(name_exists(db, newver, name, &exists));
 		if (! exists)
 			continue;
-		CHECK(is_glue(db, newver, &t->name, &flag));
-		if (flag) {
+		CHECK(is_active(db, newver, name, &flag, &cut, NULL));
+		if (!flag) {
 			/*
 			 * This name is obscured.  Delete any
 			 * existing NSEC record.
 			 */
-			CHECK(delete_if(true_p, db, newver, &t->name,
+			CHECK(delete_if(true_p, db, newver, name,
 					dns_rdatatype_nsec, 0,
 					NULL, &nsec_diff));
+			CHECK(delete_if(rrsig_p, db, newver, name,
+					dns_rdatatype_any, 0, NULL, diff));
 		} else {
 			/*
 			 * This name is not obscured.  It should have a NSEC.
 			 */
-			CHECK(rrset_exists(db, newver, &t->name,
+			CHECK(rrset_exists(db, newver, name,
 					   dns_rdatatype_nsec, 0, &flag));
 			if (! flag)
-				CHECK(add_placeholder_nsec(db, newver, &t->name,
-							  diff));
+				CHECK(add_placeholder_nsec(db, newver, name,
+							   diff));
+			CHECK(add_exposed_sigs(client, zone, db, newver, name,
+					       cut, diff, zone_keys, nkeys,
+					       inception, expire, check_ksk));
 		}
 	}
 
@@ -2010,6 +2448,9 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		dns_diff_appendminimal(&nsec_mindiff, &t);
 	}
 
+	update_log(client, zone, ISC_LOG_DEBUG(3),
+		   "signing rebuilt NSEC chain");
+
 	/* Update RRSIG NSECs. */
 	for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
 	     t != NULL;
@@ -2022,7 +2463,139 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 		} else if (t->op == DNS_DIFFOP_ADD) {
 			CHECK(add_sigs(client, zone, db, newver, &t->name,
 				       dns_rdatatype_nsec, &sig_diff,
-				       zone_keys, nkeys, client->mctx,
+				       zone_keys, nkeys, inception, expire,
+				       check_ksk));
+		} else {
+			INSIST(0);
+		}
+	}
+
+ update_nsec3:
+
+	/* Record our changes for the journal. */
+	while ((t = ISC_LIST_HEAD(sig_diff.tuples)) != NULL) {
+		ISC_LIST_UNLINK(sig_diff.tuples, t, link);
+		dns_diff_appendminimal(diff, &t);
+	}
+	while ((t = ISC_LIST_HEAD(nsec_mindiff.tuples)) != NULL) {
+		ISC_LIST_UNLINK(nsec_mindiff.tuples, t, link);
+		dns_diff_appendminimal(diff, &t);
+	}
+
+	INSIST(ISC_LIST_EMPTY(sig_diff.tuples));
+	INSIST(ISC_LIST_EMPTY(nsec_diff.tuples));
+	INSIST(ISC_LIST_EMPTY(nsec_mindiff.tuples));
+
+	/*
+	 * Check if we have any active NSEC3 chains by looking for a
+	 * NSEC3PARAM RRset.
+	 */
+	CHECK(rrset_exists(db, newver, dns_db_origin(db),
+			   dns_rdatatype_nsec3param, 0, &flag));
+	if (!flag) {
+		update_log(client, zone, ISC_LOG_DEBUG(3),
+			   "no NSEC3 chains to rebuild");
+		goto failure;
+	}
+
+	update_log(client, zone, ISC_LOG_DEBUG(3), "rebuilding NSEC3 chains");
+
+	dns_diff_clear(&diffnames);
+	dns_diff_clear(&affected);
+
+	CHECK(dns_diff_sort(diff, temp_order));
+
+	/*
+	 * Find names potentially affected by delegation changes
+	 * (obscured by adding an NS or DNAME, or unobscured by
+	 * removing one).
+	 */
+	t = ISC_LIST_HEAD(diff->tuples);
+	while (t != NULL) {
+		dns_name_t *name = &t->name;
+
+		isc_boolean_t ns_existed, dname_existed;
+		isc_boolean_t ns_exists, dname_exists;
+
+		if (t->rdata.type == dns_rdatatype_nsec ||
+		    t->rdata.type == dns_rdatatype_rrsig) {
+			t = ISC_LIST_NEXT(t, link);
+			continue;
+		}
+
+		CHECK(namelist_append_name(&affected, name));
+
+		CHECK(rrset_exists(db, oldver, name, dns_rdatatype_ns, 0,
+				   &ns_existed));
+		CHECK(rrset_exists(db, oldver, name, dns_rdatatype_dname, 0,
+				   &dname_existed));
+		CHECK(rrset_exists(db, newver, name, dns_rdatatype_ns, 0,
+				   &ns_exists));
+		CHECK(rrset_exists(db, newver, name, dns_rdatatype_dname, 0,
+				   &dname_exists));
+
+		if ((ns_exists || dname_exists) == (ns_existed || dname_existed))
+			goto nextname;
+		/*
+		 * There was a delegation change.  Mark all subdomains
+		 * of t->name as potentially needing a NSEC3 update.
+		 */
+		CHECK(namelist_append_subdomain(db, name, &affected));
+
+	nextname:
+		while (t != NULL && dns_name_equal(&t->name, name))
+			t = ISC_LIST_NEXT(t, link);
+	}
+
+	for (t = ISC_LIST_HEAD(affected.tuples);
+	     t != NULL;
+	     t = ISC_LIST_NEXT(t, link)) {
+		dns_name_t *name = &t->name;
+
+		unsecure = ISC_FALSE;	/* Silence compiler warning. */
+		CHECK(is_active(db, newver, name, &flag, &cut, &unsecure));
+
+		if (!flag) {
+			CHECK(delete_if(rrsig_p, db, newver, name,
+					dns_rdatatype_any, 0, NULL, diff));
+			CHECK(dns_nsec3_delnsec3s(db, newver, name,
+						  &nsec_diff));
+		} else {
+			CHECK(add_exposed_sigs(client, zone, db, newver, name,
+					       cut, diff, zone_keys, nkeys,
+					       inception, expire, check_ksk));
+			CHECK(dns_nsec3_addnsec3s(db, newver, name, nsecttl,
+						  unsecure, &nsec_diff));
+		}
+	}
+
+	/*
+	 * Minimize the set of NSEC3 updates so that we don't
+	 * have to regenerate the RRSIG NSEC3s for NSEC3s that were
+	 * replaced with identical ones.
+	 */
+	while ((t = ISC_LIST_HEAD(nsec_diff.tuples)) != NULL) {
+		ISC_LIST_UNLINK(nsec_diff.tuples, t, link);
+		dns_diff_appendminimal(&nsec_mindiff, &t);
+	}
+
+	update_log(client, zone, ISC_LOG_DEBUG(3),
+		   "signing rebuilt NSEC3 chain");
+
+	/* Update RRSIG NSEC3s. */
+	for (t = ISC_LIST_HEAD(nsec_mindiff.tuples);
+	     t != NULL;
+	     t = ISC_LIST_NEXT(t, link))
+	{
+		if (t->op == DNS_DIFFOP_DEL) {
+			CHECK(delete_if(true_p, db, newver, &t->name,
+					dns_rdatatype_rrsig,
+					dns_rdatatype_nsec3,
+					NULL, &sig_diff));
+		} else if (t->op == DNS_DIFFOP_ADD) {
+			CHECK(add_sigs(client, zone, db, newver, &t->name,
+				       dns_rdatatype_nsec3,
+				       &sig_diff, zone_keys, nkeys,
 				       inception, expire, check_ksk));
 		} else {
 			INSIST(0);
@@ -2127,8 +2700,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 	 */
 	result = dns_message_firstname(request, DNS_SECTION_ZONE);
 	if (result != ISC_R_SUCCESS)
-		FAILC(DNS_R_FORMERR,
-		      "update zone section empty");
+		FAILC(DNS_R_FORMERR, "update zone section empty");
 
 	/*
 	 * The zone section must contain exactly one "question", and
@@ -2153,8 +2725,7 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 	result = dns_zt_find(client->view->zonetable, zonename, 0, NULL,
 			     &zone);
 	if (result != ISC_R_SUCCESS)
-		FAILC(DNS_R_NOTAUTH,
-		      "not authoritative for update zone");
+		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
 
 	switch(dns_zone_gettype(zone)) {
 	case dns_zone_master:
@@ -2168,16 +2739,20 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 		break;
 	case dns_zone_slave:
 		CHECK(checkupdateacl(client, dns_zone_getforwardacl(zone),
-				     "update forwarding", zonename, ISC_TRUE));
+				     "update forwarding", zonename, ISC_TRUE,
+				     ISC_FALSE));
 		CHECK(send_forward_event(client, zone));
 		break;
 	default:
-		FAILC(DNS_R_NOTAUTH,
-		      "not authoritative for update zone");
+		FAILC(DNS_R_NOTAUTH, "not authoritative for update zone");
 	}
 	return;
 
  failure:
+	if (result == DNS_R_REFUSED) {
+		INSIST(dns_zone_gettype(zone) == dns_zone_slave);
+		inc_stats(zone, dns_nsstatscounter_updaterej);
+	}
 	/*
 	 * We failed without having sent an update event to the zone.
 	 * We are still in the client task context, so we can
@@ -2190,36 +2765,44 @@ ns_update_start(ns_client_t *client, isc_result_t sigresult) {
 
 /*%
  * DS records are not allowed to exist without corresponding NS records,
- * draft-ietf-dnsext-delegation-signer-11.txt, 2.2 Protocol Change,
+ * RFC 3658, 2.2 Protocol Change,
  * "DS RRsets MUST NOT appear at non-delegation points or at a zone's apex".
  */
 
 static isc_result_t
 remove_orphaned_ds(dns_db_t *db, dns_dbversion_t *newver, dns_diff_t *diff) {
 	isc_result_t result;
-	isc_boolean_t ns_exists, ds_exists;
-	dns_difftuple_t *t;
+	isc_boolean_t ns_exists;
+	dns_difftuple_t *tupple;
+	dns_diff_t temp_diff;
 
-	for (t = ISC_LIST_HEAD(diff->tuples);
-	     t != NULL;
-	     t = ISC_LIST_NEXT(t, link)) {
-		if (t->op != DNS_DIFFOP_ADD ||
-		    t->rdata.type != dns_rdatatype_ns)
-			continue;
-		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ns, 0,
-				   &ns_exists));
-		if (ns_exists)
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	for (tupple = ISC_LIST_HEAD(diff->tuples);
+	     tupple != NULL;
+	     tupple = ISC_LIST_NEXT(tupple, link)) {
+		if (!((tupple->op == DNS_DIFFOP_DEL &&
+		       tupple->rdata.type == dns_rdatatype_ns) ||
+		      (tupple->op == DNS_DIFFOP_ADD &&
+		       tupple->rdata.type == dns_rdatatype_ds)))
 			continue;
-		CHECK(rrset_exists(db, newver, &t->name, dns_rdatatype_ds, 0,
-				   &ds_exists));
-		if (!ds_exists)
+		CHECK(rrset_exists(db, newver, &tupple->name,
+				   dns_rdatatype_ns, 0, &ns_exists));
+		if (ns_exists &&
+		    !dns_name_equal(&tupple->name, dns_db_origin(db)))
 			continue;
-		CHECK(delete_if(true_p, db, newver, &t->name,
-				dns_rdatatype_ds, 0, NULL, diff));
+		CHECK(delete_if(true_p, db, newver, &tupple->name,
+				dns_rdatatype_ds, 0, NULL, &temp_diff));
 	}
-	return (ISC_R_SUCCESS);
+	result = ISC_R_SUCCESS;
 
  failure:
+	for (tupple = ISC_LIST_HEAD(temp_diff.tuples);
+	     tupple != NULL;
+	     tupple = ISC_LIST_HEAD(temp_diff.tuples)) {
+		ISC_LIST_UNLINK(temp_diff.tuples, tupple, link);
+		dns_diff_appendminimal(diff, &tupple);
+	}
 	return (result);
 }
 
@@ -2329,6 +2912,463 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
 	return (ok ? ISC_R_SUCCESS : DNS_R_REFUSED);
 }
 
+static isc_result_t
+rr_exists(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	  const dns_rdata_t *rdata, isc_boolean_t *flag)
+{
+	dns_rdataset_t rdataset;
+	dns_dbnode_t *node = NULL;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	if (rdata->type == dns_rdatatype_nsec3)
+		CHECK(dns_db_findnsec3node(db, name, ISC_FALSE, &node));
+	else
+		CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+	result = dns_db_findrdataset(db, node, ver, rdata->type, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*flag = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t myrdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &myrdata);
+		if (!dns_rdata_compare(&myrdata, rdata))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS) {
+		*flag = ISC_TRUE;
+	} else if (result == ISC_R_NOMORE) {
+		*flag = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+get_iterations(dns_db_t *db, dns_dbversion_t *ver, unsigned int *iterationsp) {
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	unsigned int iterations = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (nsec3param.iterations > iterations)
+			iterations = nsec3param.iterations;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+ success:
+	*iterationsp = iterations;
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+/*
+ * Prevent the zone entering a inconsistent state where
+ * NSEC only DNSKEYs are present with NSEC3 chains.
+ */
+static isc_result_t
+check_dnssec(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+	     dns_dbversion_t *ver, dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	isc_boolean_t flag;
+	isc_result_t result;
+	unsigned int iterations = 0, max;
+
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	CHECK(dns_nsec_nseconly(db, ver, &flag));
+
+	if (flag)
+		CHECK(dns_nsec3_active(db, ver, ISC_FALSE, &flag));
+	if (flag) {
+		update_log(client, zone, ISC_LOG_WARNING,
+			   "NSEC only DNSKEYs and NSEC3 chains not allowed");
+	} else {
+		CHECK(get_iterations(db, ver, &iterations));
+		CHECK(dns_nsec3_maxiterations(db, ver, client->mctx, &max));
+		if (iterations > max) {
+			flag = ISC_TRUE;
+			update_log(client, zone, ISC_LOG_WARNING,
+				   "too many NSEC3 iterations (%u) for "
+				   "weakest DNSKEY (%u)", iterations, max);
+		}
+	}
+	if (flag) {
+		for (tuple = ISC_LIST_HEAD(diff->tuples);
+		     tuple != NULL;
+		     tuple = next) {
+			next = ISC_LIST_NEXT(tuple, link);
+			if (tuple->rdata.type != dns_rdatatype_dnskey &&
+			    tuple->rdata.type != dns_rdatatype_nsec3param)
+				continue;
+			op = (tuple->op == DNS_DIFFOP_DEL) ?
+			     DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+			CHECK(dns_difftuple_create(temp_diff.mctx, op,
+						   &tuple->name, tuple->ttl,
+						   &tuple->rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, &temp_diff));
+			INSIST(newtuple == NULL);
+		}
+		for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+		     tuple != NULL;
+		     tuple = ISC_LIST_HEAD(temp_diff.tuples)) {
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			dns_diff_appendminimal(diff, &tuple);
+		}
+	}
+
+
+ failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+/*
+ * Delay NSEC3PARAM changes as they need to be applied to the whole zone.
+ */
+static isc_result_t
+add_nsec3param_records(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
+		       dns_name_t *name, dns_dbversion_t *ver, dns_diff_t *diff)
+{
+	isc_result_t result = ISC_R_SUCCESS;
+	dns_difftuple_t *tuple, *newtuple = NULL, *next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+	dns_diff_t temp_diff;
+	dns_diffop_t op;
+	isc_boolean_t flag;
+
+	update_log(client, zone, ISC_LOG_DEBUG(3),
+		    "checking for NSEC3PARAM changes");
+
+	dns_diff_init(diff->mctx, &temp_diff);
+
+	/*
+	 * Extract NSEC3PARAM tuples from list.
+	 */
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = next) {
+
+		next = ISC_LIST_NEXT(tuple, link);
+
+		if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+		    !dns_name_equal(name, &tuple->name))
+			continue;
+		ISC_LIST_UNLINK(diff->tuples, tuple, link);
+		ISC_LIST_APPEND(temp_diff.tuples, tuple, link);
+	}
+
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+	     tuple != NULL; tuple = next) {
+
+		if (tuple->op == DNS_DIFFOP_ADD) {
+			next = ISC_LIST_NEXT(tuple, link);
+			while (next != NULL) {
+				unsigned char *next_data = next->rdata.data;
+				unsigned char *tuple_data = tuple->rdata.data;
+				if (next_data[0] != tuple_data[0] ||
+					/* Ignore flags. */
+				    next_data[2] != tuple_data[2] ||
+				    next_data[3] != tuple_data[3] ||
+				    next_data[4] != tuple_data[4] ||
+				    !memcmp(&next_data[5], &tuple_data[5],
+					    tuple_data[4])) {
+					next = ISC_LIST_NEXT(next, link);
+					continue;
+				}
+				op = (next->op == DNS_DIFFOP_DEL) ?
+				     DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+				CHECK(dns_difftuple_create(diff->mctx, op,
+							   name, next->ttl,
+							   &next->rdata,
+							   &newtuple));
+				CHECK(do_one_tuple(&newtuple, db, ver, diff));
+				ISC_LIST_UNLINK(temp_diff.tuples, next, link);
+				dns_diff_appendminimal(diff, &next);
+				next = ISC_LIST_NEXT(tuple, link);
+			}
+
+			INSIST(tuple->rdata.data[1] & DNS_NSEC3FLAG_UPDATE);
+
+			/*
+			 * See if we already have a CREATE request in progress.
+			 */
+			dns_rdata_clone(&tuple->rdata, &rdata);
+			INSIST(rdata.length <= sizeof(buf));
+			memcpy(buf, rdata.data, rdata.length);
+			buf[1] |= DNS_NSEC3FLAG_CREATE;
+			buf[1] &= ~DNS_NSEC3FLAG_UPDATE;
+			rdata.data = buf;
+
+			CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+			if (!flag) {
+				CHECK(dns_difftuple_create(diff->mctx,
+							   DNS_DIFFOP_ADD,
+							   name, tuple->ttl,
+							   &rdata,
+							   &newtuple));
+				CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			}
+			/*
+			 * Remove the temporary add record.
+			 */
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, tuple->ttl,
+						   &tuple->rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			next = ISC_LIST_NEXT(tuple, link);
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			dns_diff_appendminimal(diff, &tuple);
+			dns_rdata_reset(&rdata);
+		} else
+			next = ISC_LIST_NEXT(tuple, link);
+	}
+
+	/*
+	 * Reverse any pending changes.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+	     tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+		if ((tuple->rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+			op = (tuple->op == DNS_DIFFOP_DEL) ?
+			     DNS_DIFFOP_ADD : DNS_DIFFOP_DEL;
+			CHECK(dns_difftuple_create(diff->mctx, op, name,
+						   tuple->ttl, &tuple->rdata,
+						   &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+			dns_diff_appendminimal(diff, &tuple);
+		}
+	}
+
+	/*
+	 * Convert deletions into delayed deletions.
+	 */
+	for (tuple = ISC_LIST_HEAD(temp_diff.tuples);
+	     tuple != NULL; tuple = next) {
+		next = ISC_LIST_NEXT(tuple, link);
+		/*
+		 * See if we already have a REMOVE request in progress.
+		 */
+		dns_rdata_clone(&tuple->rdata, &rdata);
+		INSIST(rdata.length <= sizeof(buf));
+		memcpy(buf, rdata.data, rdata.length);
+		buf[1] |= DNS_NSEC3FLAG_REMOVE;
+		rdata.data = buf;
+
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   name, tuple->ttl, &rdata,
+						   &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		}
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
+					   tuple->ttl, &tuple->rdata,
+					   &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		ISC_LIST_UNLINK(temp_diff.tuples, tuple, link);
+		dns_diff_appendminimal(diff, &tuple);
+		dns_rdata_reset(&rdata);
+	}
+
+	result = ISC_R_SUCCESS;
+ failure:
+	dns_diff_clear(&temp_diff);
+	return (result);
+}
+#endif
+
+/*
+ * Add records to cause the delayed signing of the zone by added DNSKEY
+ * to remove the RRSIG records generated by a deleted DNSKEY.
+ */
+static isc_result_t
+add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
+		    dns_rdatatype_t privatetype, dns_diff_t *diff)
+{
+	dns_difftuple_t *tuple, *newtuple = NULL;
+	dns_rdata_dnskey_t dnskey;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_boolean_t flag;
+	isc_region_t r;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_uint16_t keyid;
+	unsigned char buf[5];
+
+	for (tuple = ISC_LIST_HEAD(diff->tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_NEXT(tuple, link)) {
+		if (tuple->rdata.type != dns_rdatatype_dnskey)
+			continue;
+
+		dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+		if ((dnskey.flags &
+		     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+			 != DNS_KEYOWNER_ZONE)
+			continue;
+
+		dns_rdata_toregion(&tuple->rdata, &r);
+		keyid = dst_region_computeid(&r, dnskey.algorithm);
+
+		buf[0] = dnskey.algorithm;
+		buf[1] = (keyid & 0xff00) >> 8;
+		buf[2] = (keyid & 0xff);
+		buf[3] = (tuple->op == DNS_DIFFOP_ADD) ? 0 : 1;
+		buf[4] = 0;
+		rdata.data = buf;
+		rdata.length = sizeof(buf);
+		rdata.type = privatetype;
+		rdata.rdclass = tuple->rdata.rdclass;
+
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag)
+			continue;
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+					   name, 0, &rdata, &newtuple));
+		CHECK(do_one_tuple(&newtuple, db, ver, diff));
+		INSIST(newtuple == NULL);
+		/*
+		 * Remove any record which says this operation has already
+		 * completed.
+		 */
+		buf[4] = 1;
+		CHECK(rr_exists(db, ver, name, &rdata, &flag));
+		if (flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+						   name, 0, &rdata, &newtuple));
+			CHECK(do_one_tuple(&newtuple, db, ver, diff));
+			INSIST(newtuple == NULL);
+		}
+	}
+ failure:
+	return (result);
+}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+/*
+ * Mark all NSEC3 chains for deletion without creating a NSEC chain as
+ * a side effect of deleting the last chain.
+ */
+static isc_result_t
+delete_chains(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *origin,
+	      dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_name_t next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_boolean_t flag;
+	isc_result_t result = ISC_R_SUCCESS;
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+
+	dns_name_init(&next, NULL);
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Cause all NSEC3 chains to be deleted.
+	 */
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		INSIST(rdata.length <= sizeof(buf));
+		memcpy(buf, rdata.data, rdata.length);
+
+		if (buf[1] == (DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL,
+					   origin, 0, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, ver, diff));
+		INSIST(tuple == NULL);
+
+		buf[1] = DNS_NSEC3FLAG_REMOVE | DNS_NSEC3FLAG_NONSEC;
+		rdata.data = buf;
+
+		CHECK(rr_exists(db, ver, origin, &rdata, &flag));
+
+		if (!flag) {
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   origin, 0, &rdata, &tuple));
+			CHECK(do_one_tuple(&tuple, db, ver, diff));
+			INSIST(tuple == NULL);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+ success:
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+#endif
+
 static void
 update_action(isc_task_t *task, isc_event_t *event) {
 	update_event_t *uev = (update_event_t *) event;
@@ -2339,8 +3379,8 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_db_t *db = NULL;
 	dns_dbversion_t *oldver = NULL;
 	dns_dbversion_t *ver = NULL;
-	dns_diff_t diff; 	/* Pending updates. */
-	dns_diff_t temp; 	/* Pending RR existence assertions. */
+	dns_diff_t diff;	/* Pending updates. */
+	dns_diff_t temp;	/* Pending RR existence assertions. */
 	isc_boolean_t soa_serial_changed = ISC_FALSE;
 	isc_mem_t *mctx = client->mctx;
 	dns_rdatatype_t covers;
@@ -2351,6 +3391,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	dns_fixedname_t tmpnamefixed;
 	dns_name_t *tmpname = NULL;
 	unsigned int options;
+	isc_boolean_t deleted_zsk;
+	dns_difftuple_t *tuple;
+	dns_rdata_dnskey_t dnskey;
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+	unsigned char buf[DNS_NSEC3PARAM_BUFFERSIZE];
+#endif
+#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
+	isc_boolean_t had_dnskey;
+#endif
 
 	INSIST(event->ev_type == DNS_EVENT_UPDATE);
 
@@ -2382,54 +3431,59 @@ update_action(isc_task_t *task, isc_event_t *event) {
 			       &name, &rdata, &covers, &ttl, &update_class);
 
 		if (ttl != 0)
-			FAILC(DNS_R_FORMERR, "prerequisite TTL is not zero");
+			PREREQFAILC(DNS_R_FORMERR,
+				    "prerequisite TTL is not zero");
 
 		if (! dns_name_issubdomain(name, zonename))
-			FAILN(DNS_R_NOTZONE, name,
-				"prerequisite name is out of zone");
+			PREREQFAILN(DNS_R_NOTZONE, name,
+				    "prerequisite name is out of zone");
 
 		if (update_class == dns_rdataclass_any) {
 			if (rdata.length != 0)
-				FAILC(DNS_R_FORMERR,
+				PREREQFAILC(DNS_R_FORMERR,
 				      "class ANY prerequisite "
 				      "RDATA is not empty");
 			if (rdata.type == dns_rdatatype_any) {
 				CHECK(name_exists(db, ver, name, &flag));
 				if (! flag) {
-					FAILN(DNS_R_NXDOMAIN, name,
-					      "'name in use' prerequisite "
-					      "not satisfied");
+					PREREQFAILN(DNS_R_NXDOMAIN, name,
+						    "'name in use' "
+						    "prerequisite not "
+						    "satisfied");
 				}
 			} else {
 				CHECK(rrset_exists(db, ver, name,
 						   rdata.type, covers, &flag));
 				if (! flag) {
 					/* RRset does not exist. */
-					FAILNT(DNS_R_NXRRSET, name, rdata.type,
+					PREREQFAILNT(DNS_R_NXRRSET, name, rdata.type,
 					"'rrset exists (value independent)' "
 					"prerequisite not satisfied");
 				}
 			}
 		} else if (update_class == dns_rdataclass_none) {
 			if (rdata.length != 0)
-				FAILC(DNS_R_FORMERR,
-				      "class NONE prerequisite "
-				      "RDATA is not empty");
+				PREREQFAILC(DNS_R_FORMERR,
+					    "class NONE prerequisite "
+					    "RDATA is not empty");
 			if (rdata.type == dns_rdatatype_any) {
 				CHECK(name_exists(db, ver, name, &flag));
 				if (flag) {
-					FAILN(DNS_R_YXDOMAIN, name,
-					      "'name not in use' prerequisite "
-					      "not satisfied");
+					PREREQFAILN(DNS_R_YXDOMAIN, name,
+						    "'name not in use' "
+						    "prerequisite not "
+						    "satisfied");
 				}
 			} else {
 				CHECK(rrset_exists(db, ver, name,
 						   rdata.type, covers, &flag));
 				if (flag) {
 					/* RRset exists. */
-					FAILNT(DNS_R_YXRRSET, name, rdata.type,
-					       "'rrset does not exist' "
-					       "prerequisite not satisfied");
+					PREREQFAILNT(DNS_R_YXRRSET, name,
+						     rdata.type,
+						     "'rrset does not exist' "
+						     "prerequisite not "
+						     "satisfied");
 				}
 			}
 		} else if (update_class == zoneclass) {
@@ -2442,7 +3496,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				FAIL(ISC_R_UNEXPECTED);
 			}
 		} else {
-			FAILC(DNS_R_FORMERR, "malformed prerequisite");
+			PREREQFAILC(DNS_R_FORMERR, "malformed prerequisite");
 		}
 	}
 	if (result != ISC_R_NOMORE)
@@ -2484,13 +3538,15 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	result = ISC_R_SUCCESS;
 	if (ssutable == NULL)
 		CHECK(checkupdateacl(client, dns_zone_getupdateacl(zone),
-				     "update", zonename, ISC_FALSE));
-	else if (client->signer == NULL)
+				     "update", zonename, ISC_FALSE, ISC_FALSE));
+	else if (client->signer == NULL && !TCPCLIENT(client))
 		CHECK(checkupdateacl(client, NULL, "update", zonename,
-				     ISC_FALSE));
+				     ISC_FALSE, ISC_TRUE));
 
 	if (dns_zone_getupdatedisabled(zone))
-		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled");
+		FAILC(DNS_R_REFUSED, "dynamic update temporarily disabled "
+				     "because the zone is frozen.  Use "
+				     "'rndc thaw' to re-enable updates.");
 
 	/*
 	 * Perform the Update Section Prescan.
@@ -2546,29 +3602,47 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		 * is forbidden from updating NSEC records."
 		 */
 		if (dns_db_issecure(db)) {
-			if (rdata.type == dns_rdatatype_nsec) {
+			if (rdata.type == dns_rdatatype_nsec3) {
+				FAILC(DNS_R_REFUSED,
+				      "explicit NSEC3 updates are not allowed "
+				      "in secure zones");
+			} else if (rdata.type == dns_rdatatype_nsec) {
 				FAILC(DNS_R_REFUSED,
 				      "explicit NSEC updates are not allowed "
 				      "in secure zones");
-			}
-			else if (rdata.type == dns_rdatatype_rrsig) {
+			} else if (rdata.type == dns_rdatatype_rrsig &&
+				   !dns_name_equal(name, zonename)) {
 				FAILC(DNS_R_REFUSED,
-				      "explicit RRSIG updates are currently not "
-				      "supported in secure zones");
+				      "explicit RRSIG updates are currently "
+				      "not supported in secure zones except "
+				      "at the apex");
 			}
 		}
 
-		if (ssutable != NULL && client->signer != NULL) {
+		if (ssutable != NULL) {
+			isc_netaddr_t *tcpaddr, netaddr;
+			/*
+			 * If this is a TCP connection then pass the
+			 * address of the client through for tcp-self
+			 * and 6to4-self otherwise pass NULL.  This
+			 * provides weak address based authentication.
+			 */
+			if (TCPCLIENT(client)) {
+				isc_netaddr_fromsockaddr(&netaddr,
+							 &client->peeraddr);
+				tcpaddr = &netaddr;
+			} else
+				tcpaddr = NULL;
 			if (rdata.type != dns_rdatatype_any) {
 				if (!dns_ssutable_checkrules(ssutable,
 							     client->signer,
-							     name, rdata.type))
+							     name, tcpaddr,
+							     rdata.type))
 					FAILC(DNS_R_REFUSED,
 					      "rejected by secure update");
-			}
-			else {
+			} else {
 				if (!ssu_checkall(db, ver, name, ssutable,
-						  client->signer))
+						  client->signer, tcpaddr))
 					FAILC(DNS_R_REFUSED,
 					      "rejected by secure update");
 			}
@@ -2613,12 +3687,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					   typebuf);
 				continue;
 			}
-			if (rdata.type == dns_rdatatype_ns &&
+			if ((rdata.type == dns_rdatatype_ns ||
+			     rdata.type == dns_rdatatype_dname) &&
 			    dns_name_iswildcard(name)) {
+				char typebuf[DNS_RDATATYPE_FORMATSIZE];
+
+				dns_rdatatype_format(rdata.type, typebuf,
+						     sizeof(typebuf));
 				update_log(client, zone,
 					   LOGLEVEL_PROTOCOL,
-					   "attempt to add wildcard NS record"
-					   "ignored");
+					   "attempt to add wildcard %s record "
+					   "ignored", typebuf);
 				continue;
 			}
 			if (rdata.type == dns_rdatatype_cname) {
@@ -2671,6 +3750,43 @@ update_action(isc_task_t *task, isc_event_t *event) {
 				}
 				soa_serial_changed = ISC_TRUE;
 			}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+			if (rdata.type == dns_rdatatype_nsec3param) {
+				/*
+				 * Ignore attempts to add NSEC3PARAM records
+				 * with any flags other than OPTOUT.
+				 */
+				if ((rdata.data[1] & ~DNS_NSEC3FLAG_OPTOUT) != 0) {
+					update_log(client, zone,
+						   LOGLEVEL_PROTOCOL,
+						   "attempt to add NSEC3PARAM "
+						   "record with non OPTOUT "
+						   "flag");
+					continue;
+				}
+
+				/*
+				 * Set the NSEC3CHAIN creation flag.
+				 */
+				INSIST(rdata.length <= sizeof(buf));
+				memcpy(buf, rdata.data, rdata.length);
+				buf[1] |= DNS_NSEC3FLAG_UPDATE;
+				rdata.data = buf;
+				/*
+				 * Force the TTL to zero for NSEC3PARAM records.
+				 */
+				ttl = 0;
+			}
+#else
+			if (rdata.type == dns_rdatatype_nsec3param) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to add NSEC3PARAM "
+					   "record ignored");
+				continue;
+			};
+#endif
+
 			if ((options & DNS_ZONEOPT_CHECKWILDCARD) != 0 &&
 			    dns_name_internalwildcard(name)) {
 				char namestr[DNS_NAME_FORMATSIZE];
@@ -2688,8 +3804,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 						sizeof(namestr));
 				dns_rdatatype_format(rdata.type, typestr,
 						     sizeof(typestr));
-				update_log(client, zone,
-					   LOGLEVEL_PROTOCOL,
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
 					   "adding an RR at '%s' %s",
 					   namestr, typestr);
 			}
@@ -2714,8 +3829,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
 					dns_diff_clear(&ctx.del_diff);
 					dns_diff_clear(&ctx.add_diff);
 				} else {
-					CHECK(do_diff(&ctx.del_diff, db, ver, &diff));
-					CHECK(do_diff(&ctx.add_diff, db, ver, &diff));
+					CHECK(do_diff(&ctx.del_diff, db, ver,
+						      &diff));
+					CHECK(do_diff(&ctx.add_diff, db, ver,
+						      &diff));
 					CHECK(update_one_rr(db, ver, &diff,
 							    DNS_DIFFOP_ADD,
 							    name, ttl, &rdata));
@@ -2745,11 +3862,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
 							dns_rdatatype_any, 0,
 							&rdata, &diff));
 				}
+#ifndef ALLOW_NSEC3PARAM_UPDATE
+			} else if (rdata.type == dns_rdatatype_nsec3param) {
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
+					   "attempt to delete a NSEC3PARAM "
+					   "records ignored");
+				continue;
+#endif
 			} else if (dns_name_equal(name, zonename) &&
 				   (rdata.type == dns_rdatatype_soa ||
 				    rdata.type == dns_rdatatype_ns)) {
-				update_log(client, zone,
-					   LOGLEVEL_PROTOCOL,
+				update_log(client, zone, LOGLEVEL_PROTOCOL,
 					   "attempt to delete all SOA "
 					   "or NS records ignored");
 				continue;
@@ -2812,6 +3935,14 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		FAIL(result);
 
 	/*
+	 * Check that any changes to DNSKEY/NSEC3PARAM records make sense.
+	 * If they don't then back out all changes to DNSKEY/NSEC3PARAM
+	 * records.
+	 */
+	if (! ISC_LIST_EMPTY(diff.tuples))
+		CHECK(check_dnssec(client, zone, db, ver, &diff));
+
+	/*
 	 * If any changes were made, increment the SOA serial number,
 	 * update RRSIGs and NSECs (if zone is secure), and write the update
 	 * to the journal.
@@ -2819,6 +3950,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (! ISC_LIST_EMPTY(diff.tuples)) {
 		char *journalfile;
 		dns_journal_t *journal;
+		isc_boolean_t has_dnskey;
 
 		/*
 		 * Increment the SOA serial, but only if it was not
@@ -2832,14 +3964,61 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 		CHECK(remove_orphaned_ds(db, ver, &diff));
 
-		if (dns_db_issecure(db)) {
+		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
+				   0, &has_dnskey));
+
+#if !defined(ALLOW_SECURE_TO_INSECURE) || !defined(ALLOW_INSECURE_TO_SECURE)
+		CHECK(rrset_exists(db, oldver, zonename, dns_rdatatype_dnskey,
+				   0, &had_dnskey));
+
+#ifndef ALLOW_SECURE_TO_INSECURE
+		if (had_dnskey && !has_dnskey) {
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "update rejected: all DNSKEY records "
+				   "removed");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+#endif
+#ifndef ALLOW_INSECURE_TO_SECURE
+		if (!had_dnskey && has_dnskey) {
+			update_log(client, zone, LOGLEVEL_PROTOCOL,
+				   "update rejected: DNSKEY record added");
+			result = DNS_R_REFUSED;
+			goto failure;
+		}
+#endif
+#endif
+
+		CHECK(add_signing_records(db, zonename, ver,
+					  dns_zone_getprivatetype(zone),
+					  &diff));
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+		CHECK(add_nsec3param_records(client, zone, db, zonename,
+					     ver, &diff));
+#endif
+
+		if (!has_dnskey) {
+			/*
+			 * We are transitioning from secure to insecure.
+			 * Cause all NSEC3 chains to be deleted.  When the
+			 * the last signature for the DNSKEY records are
+			 * remove any NSEC chain present will also be removed.
+			 */
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+			 CHECK(delete_chains(db, ver, zonename, &diff));
+#endif
+		} else if (has_dnskey && dns_db_isdnssec(db)) {
+			isc_uint32_t interval;
+			interval = dns_zone_getsigvalidityinterval(zone);
 			result = update_signatures(client, zone, db, oldver,
-						   ver, &diff,
-					 dns_zone_getsigvalidityinterval(zone));
+						   ver, &diff, interval,
+						   &deleted_zsk);
 			if (result != ISC_R_SUCCESS) {
 				update_log(client, zone,
 					   ISC_LOG_ERROR,
-					   "RRSIG/NSEC update failed: %s",
+					   "RRSIG/NSEC/NSEC3 update failed: %s",
 					   isc_result_totext(result));
 				goto failure;
 			}
@@ -2872,6 +4051,7 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		 */
 		update_log(client, zone, LOGLEVEL_DEBUG,
 			   "committing update transaction");
+
 		dns_db_closeversion(db, &ver, ISC_TRUE);
 
 		/*
@@ -2883,6 +4063,71 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		 * Notify slaves of the change we just made.
 		 */
 		dns_zone_notify(zone);
+
+		/*
+		 * Cause the zone to be signed with the key that we
+		 * have just added or have the corresponding signatures
+		 * deleted.
+		 *
+		 * Note: we are already committed to this course of action.
+		 */
+		for (tuple = ISC_LIST_HEAD(diff.tuples);
+		     tuple != NULL;
+		     tuple = ISC_LIST_NEXT(tuple, link)) {
+			isc_region_t r;
+			dns_secalg_t algorithm;
+			isc_uint16_t keyid;
+
+			if (tuple->rdata.type != dns_rdatatype_dnskey)
+				continue;
+
+			dns_rdata_tostruct(&tuple->rdata, &dnskey, NULL);
+			if ((dnskey.flags &
+			     (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+				 != DNS_KEYOWNER_ZONE)
+				continue;
+
+			dns_rdata_toregion(&tuple->rdata, &r);
+			algorithm = dnskey.algorithm;
+			keyid = dst_region_computeid(&r, algorithm);
+
+			result = dns_zone_signwithkey(zone, algorithm, keyid,
+					ISC_TF(tuple->op == DNS_DIFFOP_DEL));
+			if (result != ISC_R_SUCCESS) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "dns_zone_signwithkey failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+
+#ifdef ALLOW_NSEC3PARAM_UPDATE
+		/*
+		 * Cause the zone to add/delete NSEC3 chains for the
+		 * deferred NSEC3PARAM changes.
+		 *
+		 * Note: we are already committed to this course of action.
+		 */
+		for (tuple = ISC_LIST_HEAD(diff.tuples);
+		     tuple != NULL;
+		     tuple = ISC_LIST_NEXT(tuple, link)) {
+			dns_rdata_nsec3param_t nsec3param;
+
+			if (tuple->rdata.type != dns_rdatatype_nsec3param ||
+			    tuple->op != DNS_DIFFOP_ADD)
+				continue;
+
+			dns_rdata_tostruct(&tuple->rdata, &nsec3param, NULL);
+			if (nsec3param.flags == 0)
+				continue;
+
+			result = dns_zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				update_log(client, zone, ISC_LOG_ERROR,
+					   "dns_zone_addnsec3chain failed: %s",
+					   dns_result_totext(result));
+			}
+		}
+#endif
 	} else {
 		update_log(client, zone, LOGLEVEL_DEBUG, "redundant request");
 		dns_db_closeversion(db, &ver, ISC_TRUE);
@@ -2891,6 +4136,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	goto common;
 
  failure:
+	if (result == DNS_R_REFUSED)
+		inc_stats(zone, dns_nsstatscounter_updaterej);
+
 	/*
 	 * The reason for failure should have been logged at this point.
 	 */
@@ -2913,11 +4161,10 @@ update_action(isc_task_t *task, isc_event_t *event) {
 	if (ssutable != NULL)
 		dns_ssutable_detach(&ssutable);
 
-	if (zone != NULL)
-		dns_zone_detach(&zone);
-
 	isc_task_detach(&task);
 	uev->result = result;
+	if (zone != NULL)
+		INSIST(uev->zone == zone); /* we use this later */
 	uev->ev_type = DNS_EVENT_UPDATEDONE;
 	uev->ev_action = updatedone_action;
 	isc_task_send(client->task, &event);
@@ -2935,6 +4182,19 @@ updatedone_action(isc_task_t *task, isc_event_t *event) {
 	INSIST(task == client->task);
 
 	INSIST(client->nupdates > 0);
+	switch (uev->result) {
+	case ISC_R_SUCCESS:
+		inc_stats(uev->zone, dns_nsstatscounter_updatedone);
+		break;
+	case DNS_R_REFUSED:
+		inc_stats(uev->zone, dns_nsstatscounter_updaterej);
+		break;
+	default:
+		inc_stats(uev->zone, dns_nsstatscounter_updatefail);
+		break;
+	}
+	if (uev->zone != NULL)
+		dns_zone_detach(&uev->zone);
 	client->nupdates--;
 	respond(client, uev->result);
 	isc_event_free(&event);
@@ -2963,17 +4223,21 @@ static void
 forward_callback(void *arg, isc_result_t result, dns_message_t *answer) {
 	update_event_t *uev = arg;
 	ns_client_t *client = uev->ev_arg;
+	dns_zone_t *zone = uev->zone;
 
 	if (result != ISC_R_SUCCESS) {
 		INSIST(answer == NULL);
 		uev->ev_type = DNS_EVENT_UPDATEDONE;
 		uev->ev_action = forward_fail;
+		inc_stats(zone, dns_nsstatscounter_updatefwdfail);
 	} else {
 		uev->ev_type = DNS_EVENT_UPDATEDONE;
 		uev->ev_action = forward_done;
 		uev->answer = answer;
+		inc_stats(zone, dns_nsstatscounter_updaterespfwd);
 	}
 	isc_task_send(client->task, ISC_EVENT_PTR(&uev));
+	dns_zone_detach(&zone);
 }
 
 static void
@@ -3004,8 +4268,10 @@ forward_action(isc_task_t *task, isc_event_t *event) {
 		uev->ev_type = DNS_EVENT_UPDATEDONE;
 		uev->ev_action = forward_fail;
 		isc_task_send(client->task, &event);
-	}
-	dns_zone_detach(&zone);
+		inc_stats(zone, dns_nsstatscounter_updatefwdfail);
+		dns_zone_detach(&zone);
+	} else
+		inc_stats(zone, dns_nsstatscounter_updatereqfwd);
 	isc_task_detach(&task);
 }
 
diff --git a/bin/named/xfrout.c b/bin/named/xfrout.c
index 9fe90a2..0aa6f79 100644
--- a/bin/named/xfrout.c
+++ b/bin/named/xfrout.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrout.c,v 1.115.18.8 2006/03/05 23:58:51 marka Exp $ */
+/* $Id: xfrout.c,v 1.131.26.4 2009/01/29 22:40:34 jinmei Exp $ */
 
 #include <config.h>
 
@@ -23,6 +23,7 @@
 #include <isc/mem.h>
 #include <isc/timer.h>
 #include <isc/print.h>
+#include <isc/stats.h>
 #include <isc/util.h>
 
 #include <dns/db.h>
@@ -40,6 +41,7 @@
 #include <dns/rdatasetiter.h>
 #include <dns/result.h>
 #include <dns/soa.h>
+#include <dns/stats.h>
 #include <dns/timer.h>
 #include <dns/tsig.h>
 #include <dns/view.h>
@@ -51,7 +53,7 @@
 #include <named/server.h>
 #include <named/xfrout.h>
 
-/*! \file 
+/*! \file
  * \brief
  * Outgoing AXFR and IXFR.
  */
@@ -86,7 +88,7 @@
 		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
 			   NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
 			   "bad zone transfer request: %s (%s)", \
-		      	   msg, isc_result_totext(code));	\
+			   msg, isc_result_totext(code));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
@@ -100,12 +102,12 @@
 		ns_client_log(client, DNS_LOGCATEGORY_XFER_OUT, \
 			   NS_LOGMODULE_XFER_OUT, ISC_LOG_INFO, \
 			   "bad zone transfer request: '%s/%s': %s (%s)", \
-		      	   _buf1, _buf2, msg, isc_result_totext(code));	\
+			   _buf1, _buf2, msg, isc_result_totext(code));	\
 		if (result != ISC_R_SUCCESS) goto failure;	\
 	} while (0)
 
 #define CHECK(op) \
-     	do { result = (op); 					\
+	do { result = (op); 					\
 		if (result != ISC_R_SUCCESS) goto failure; 	\
 	} while (0)
 
@@ -121,12 +123,12 @@ typedef struct db_rr_iterator db_rr_iterator_t;
 struct db_rr_iterator {
 	isc_result_t		result;
 	dns_db_t		*db;
-    	dns_dbiterator_t 	*dbit;
+	dns_dbiterator_t 	*dbit;
 	dns_dbversion_t 	*ver;
 	isc_stdtime_t		now;
 	dns_dbnode_t		*node;
 	dns_fixedname_t		fixedname;
-    	dns_rdatasetiter_t 	*rdatasetit;
+	dns_rdatasetiter_t 	*rdatasetit;
 	dns_rdataset_t 		rdataset;
 	dns_rdata_t		rdata;
 };
@@ -148,6 +150,16 @@ db_rr_iterator_current(db_rr_iterator_t *it, dns_name_t **name,
 static void
 db_rr_iterator_destroy(db_rr_iterator_t *it);
 
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+	isc_stats_increment(ns_g_server->nsstats, counter);
+	if (zone != NULL) {
+		isc_stats_t *zonestats = dns_zone_getrequeststats(zone);
+		if (zonestats != NULL)
+			isc_stats_increment(zonestats, counter);
+	}
+}
+
 static isc_result_t
 db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
 		    isc_stdtime_t now)
@@ -158,7 +170,7 @@ db_rr_iterator_init(db_rr_iterator_t *it, dns_db_t *db, dns_dbversion_t *ver,
 	it->ver = ver;
 	it->now = now;
 	it->node = NULL;
-	result = dns_db_createiterator(it->db, ISC_FALSE, &it->dbit);
+	result = dns_db_createiterator(it->db, 0, &it->dbit);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	it->rdatasetit = NULL;
@@ -303,6 +315,11 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
 	rdl.type = rdata->type;
 	rdl.rdclass = rdata->rdclass;
 	rdl.ttl = ttl;
+	if (rdata->type == dns_rdatatype_sig ||
+	    rdata->type == dns_rdatatype_rrsig)
+		rdl.covers = dns_rdata_covers(rdata);
+	else
+		rdl.covers = dns_rdatatype_none;
 	ISC_LIST_INIT(rdl.rdata);
 	ISC_LINK_INIT(&rdl, link);
 	dns_rdataset_init(&rds);
@@ -326,7 +343,7 @@ log_rr(dns_name_t *name, dns_rdata_t *rdata, isc_uint32_t ttl) {
 		INSIST(buf.used >= 1 &&
 		       ((char *) buf.base)[buf.used - 1] == '\n');
 		buf.used--;
-		
+
 		isc_log_write(XFROUT_RR_LOGARGS, "%.*s",
 			      (int)isc_buffer_usedlength(&buf),
 			      (char *)isc_buffer_base(&buf));
@@ -818,6 +835,7 @@ typedef struct {
 	dns_name_t		*qname;		/* Question name of request */
 	dns_rdatatype_t		qtype;		/* dns_rdatatype_{a,i}xfr */
 	dns_rdataclass_t	qclass;
+	dns_zone_t 		*zone;		/* (necessary for stats) */
 	dns_db_t 		*db;
 	dns_dbversion_t 	*ver;
 	isc_quota_t		*quota;
@@ -841,7 +859,7 @@ typedef struct {
 static isc_result_t
 xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client,
 		  unsigned int id, dns_name_t *qname, dns_rdatatype_t qtype,
-		  dns_rdataclass_t qclass,
+		  dns_rdataclass_t qclass, dns_zone_t *zone,
 		  dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
 		  rrstream_t *stream, dns_tsigkey_t *tsigkey,
 		  isc_buffer_t *lasttsig,
@@ -969,7 +987,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 		/*
 		 * Normal zone table does not have a match.  Try the DLZ database
 		 */
-	    	if (client->view->dlzdatabase != NULL) {
+		if (client->view->dlzdatabase != NULL) {
 			result = dns_dlzallowzonexfr(client->view,
 						     question_name, &client->peeraddr,
 						     &db);
@@ -1006,7 +1024,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 
 		} else {
 			/*
-		 	 * not DLZ and not in normal zone table, we are
+			 * not DLZ and not in normal zone table, we are
 			 * not authoritative
 			 */
 			FAILQ(DNS_R_NOTAUTH, "non-authoritative zone",
@@ -1090,9 +1108,9 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 #endif
 		ns_client_aclmsg("zone transfer", question_name, reqtype,
 				 client->view->rdclass, msg, sizeof(msg));
-		CHECK(ns_client_checkacl(client, msg,
-					 dns_zone_getxfracl(zone), ISC_TRUE,
-					 ISC_LOG_ERROR));
+		CHECK(ns_client_checkacl(client, NULL, msg,
+					 dns_zone_getxfracl(zone),
+					 ISC_TRUE, ISC_LOG_ERROR));
 #ifdef DLZ
 	}
 #endif
@@ -1191,7 +1209,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	}
 
 	/*
-	 * Bracket the the data stream with SOAs.
+	 * Bracket the data stream with SOAs.
 	 */
 	CHECK(soa_rrstream_create(mctx, db, ver, &soa_stream));
 	CHECK(compound_rrstream_create(mctx, &soa_stream, &data_stream,
@@ -1210,26 +1228,28 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 
 #ifdef DLZ
 	if (is_dlz)
- 		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- 					reqtype, question_class, db, ver, quota,
- 					stream, dns_message_gettsigkey(request),
- 					tsigbuf,
- 					3600,
- 					3600,
- 					(format == dns_many_answers) ?
-  					ISC_TRUE : ISC_FALSE,
- 					&xfr));
- 	else
+		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+					reqtype, question_class, zone, db, ver,
+					quota, stream,
+					dns_message_gettsigkey(request),
+					tsigbuf,
+					3600,
+					3600,
+					(format == dns_many_answers) ?
+					ISC_TRUE : ISC_FALSE,
+					&xfr));
+	else
 #endif
- 		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
- 					reqtype, question_class, db, ver, quota,
- 					stream, dns_message_gettsigkey(request),
- 					tsigbuf,
- 					dns_zone_getmaxxfrout(zone),
- 					dns_zone_getidleout(zone),
- 					(format == dns_many_answers) ?
- 					ISC_TRUE : ISC_FALSE,
- 					&xfr));
+		CHECK(xfrout_ctx_create(mctx, client, request->id, question_name,
+					reqtype, question_class, zone, db, ver,
+					quota, stream,
+					dns_message_gettsigkey(request),
+					tsigbuf,
+					dns_zone_getmaxxfrout(zone),
+					dns_zone_getidleout(zone),
+					(format == dns_many_answers) ?
+					ISC_TRUE : ISC_FALSE,
+					&xfr));
 
 	xfr->mnemonic = mnemonic;
 	stream = NULL;
@@ -1261,6 +1281,8 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 	result = ISC_R_SUCCESS;
 
  failure:
+	if (result == DNS_R_REFUSED)
+		inc_stats(zone, dns_nsstatscounter_xfrrej);
 	if (quota != NULL)
 		isc_quota_detach(&quota);
 	if (current_soa_tuple != NULL)
@@ -1291,7 +1313,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 static isc_result_t
 xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 		  dns_name_t *qname, dns_rdatatype_t qtype,
-		  dns_rdataclass_t qclass,
+		  dns_rdataclass_t qclass, dns_zone_t *zone,
 		  dns_db_t *db, dns_dbversion_t *ver, isc_quota_t *quota,
 		  rrstream_t *stream, dns_tsigkey_t *tsigkey,
 		  isc_buffer_t *lasttsig, unsigned int maxtime,
@@ -1314,8 +1336,11 @@ xfrout_ctx_create(isc_mem_t *mctx, ns_client_t *client, unsigned int id,
 	xfr->qname = qname;
 	xfr->qtype = qtype;
 	xfr->qclass = qclass;
+	xfr->zone = NULL;
 	xfr->db = NULL;
 	xfr->ver = NULL;
+	if (zone != NULL)	/* zone will be NULL if it's DLZ */
+		dns_zone_attach(zone, &xfr->zone);
 	dns_db_attach(db, &xfr->db);
 	dns_db_attachversion(db, ver, &xfr->ver);
 	xfr->end_of_stream = ISC_FALSE;
@@ -1399,7 +1424,7 @@ failure:
  *
  * Requires:
  *	The stream iterator is initialized and points at an RR,
- *      or possiby at the end of the stream (that is, the
+ *      or possibly at the end of the stream (that is, the
  *      _first method of the iterator has been called).
  */
 static void
@@ -1573,6 +1598,11 @@ sendstream(xfrout_ctx_t *xfr) {
 		msgrdl->type = rdata->type;
 		msgrdl->rdclass = rdata->rdclass;
 		msgrdl->ttl = ttl;
+		if (rdata->type == dns_rdatatype_sig ||
+		    rdata->type == dns_rdatatype_rrsig)
+			msgrdl->covers = dns_rdata_covers(rdata);
+		else
+			msgrdl->covers = dns_rdatatype_none;
 		ISC_LINK_INIT(msgrdl, link);
 		ISC_LIST_INIT(msgrdl->rdata);
 		ISC_LIST_APPEND(msgrdl->rdata, msgrdata, link);
@@ -1663,7 +1693,7 @@ sendstream(xfrout_ctx_t *xfr) {
 	 * iterators before returning from the event handler.
 	 */
 	xfr->stream->methods->pause(xfr->stream);
-	
+
 	if (result == ISC_R_SUCCESS)
 		return;
 
@@ -1691,6 +1721,8 @@ xfrout_ctx_destroy(xfrout_ctx_t **xfrp) {
 		isc_quota_detach(&xfr->quota);
 	if (xfr->ver != NULL)
 		dns_db_closeversion(xfr->db, &xfr->ver, ISC_FALSE);
+	if (xfr->zone != NULL)
+		dns_zone_detach(&xfr->zone);
 	if (xfr->db != NULL)
 		dns_db_detach(&xfr->db);
 
@@ -1724,6 +1756,7 @@ xfrout_senddone(isc_task_t *task, isc_event_t *event) {
 		sendstream(xfr);
 	} else {
 		/* End of zone transfer stream. */
+		inc_stats(xfr->zone, dns_nsstatscounter_xfrdone);
 		xfrout_log(xfr, ISC_LOG_INFO, "%s ended", xfr->mnemonic);
 		ns_client_next(xfr->client, ISC_R_SUCCESS);
 		xfrout_ctx_destroy(&xfr);
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index a0c1bab..641831d 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.110.18.23 2006/05/16 03:39:57 marka Exp $ */
+/* $Id: zoneconf.c,v 1.147.50.2 2009/01/29 23:47:44 tbox Exp $ */
 
 /*% */
 
@@ -25,6 +25,7 @@
 #include <isc/file.h>
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/stats.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
 
@@ -34,6 +35,7 @@
 #include <dns/name.h>
 #include <dns/rdatatype.h>
 #include <dns/ssu.h>
+#include <dns/stats.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 
@@ -44,6 +46,15 @@
 #include <named/server.h>
 #include <named/zoneconf.h>
 
+/* ACLs associated with zone */
+typedef enum {
+	allow_notify,
+	allow_query,
+	allow_transfer,
+	allow_update,
+	allow_update_forwarding
+} acl_type_t;
+
 /*%
  * These are BIND9 server defaults, not necessarily identical to the
  * library defaults defined in zone.c.
@@ -59,19 +70,69 @@
  */
 static isc_result_t
 configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
-		   const cfg_obj_t *config, const char *aclname,
-		   cfg_aclconfctx_t *actx, dns_zone_t *zone, 
+		   const cfg_obj_t *config, acl_type_t acltype,
+		   cfg_aclconfctx_t *actx, dns_zone_t *zone,
 		   void (*setzacl)(dns_zone_t *, dns_acl_t *),
 		   void (*clearzacl)(dns_zone_t *))
 {
 	isc_result_t result;
-	const cfg_obj_t *maps[5];
+	const cfg_obj_t *maps[5] = {NULL, NULL, NULL, NULL, NULL};
 	const cfg_obj_t *aclobj = NULL;
 	int i = 0;
-	dns_acl_t *dacl = NULL;
+	dns_acl_t **aclp = NULL, *acl = NULL;
+	const char *aclname;
+	dns_view_t *view;
+
+	view = dns_zone_getview(zone);
+
+	switch (acltype) {
+	    case allow_notify:
+		if (view != NULL)
+			aclp = &view->notifyacl;
+		aclname = "allow-notify";
+		break;
+	    case allow_query:
+		if (view != NULL)
+			aclp = &view->queryacl;
+		aclname = "allow-query";
+		break;
+	    case allow_transfer:
+		if (view != NULL)
+			aclp = &view->transferacl;
+		aclname = "allow-transfer";
+		break;
+	    case allow_update:
+		if (view != NULL)
+			aclp = &view->updateacl;
+		aclname = "allow-update";
+		break;
+	    case allow_update_forwarding:
+		if (view != NULL)
+			aclp = &view->upfwdacl;
+		aclname = "allow-update-forwarding";
+		break;
+	    default:
+		INSIST(0);
+		return (ISC_R_FAILURE);
+	}
 
-	if (zconfig != NULL)
-		maps[i++] = cfg_tuple_get(zconfig, "options");
+	/* First check to see if ACL is defined within the zone */
+	if (zconfig != NULL) {
+		maps[0] = cfg_tuple_get(zconfig, "options");
+		ns_config_get(maps, aclname, &aclobj);
+		if (aclobj != NULL) {
+			aclp = NULL;
+			goto parse_acl;
+		}
+	}
+
+	/* Failing that, see if there's a default ACL already in the view */
+	if (aclp != NULL && *aclp != NULL) {
+		(*setzacl)(zone, *aclp);
+		return (ISC_R_SUCCESS);
+	}
+
+	/* Check for default ACLs that haven't been parsed yet */
 	if (vconfig != NULL)
 		maps[i++] = cfg_tuple_get(vconfig, "options");
 	if (config != NULL) {
@@ -89,12 +150,18 @@ configure_zone_acl(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
 		return (ISC_R_SUCCESS);
 	}
 
+parse_acl:
 	result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx,
-				    dns_zone_getmctx(zone), &dacl);
+				    dns_zone_getmctx(zone), 0, &acl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	(*setzacl)(zone, dacl);
-	dns_acl_detach(&dacl);
+	(*setzacl)(zone, acl);
+
+	/* Set the view default now */
+	if (aclp != NULL)
+		dns_acl_attach(acl, aclp);
+
+	dns_acl_detach(&acl);
 	return (ISC_R_SUCCESS);
 }
 
@@ -158,6 +225,18 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone) {
 			mtype = DNS_SSUMATCHTYPE_SELFSUB;
 		else if (strcasecmp(str, "selfwild") == 0)
 			mtype = DNS_SSUMATCHTYPE_SELFWILD;
+		else if (strcasecmp(str, "ms-self") == 0)
+			mtype = DNS_SSUMATCHTYPE_SELFMS;
+		else if (strcasecmp(str, "krb5-self") == 0)
+			mtype = DNS_SSUMATCHTYPE_SELFKRB5;
+		else if (strcasecmp(str, "ms-subdomain") == 0)
+			mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
+		else if (strcasecmp(str, "krb5-subdomain") == 0)
+			mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
+		else if (strcasecmp(str, "tcp-self") == 0)
+			mtype = DNS_SSUMATCHTYPE_TCPSELF;
+		else if (strcasecmp(str, "6to4-self") == 0)
+			mtype = DNS_SSUMATCHTYPE_6TO4SELF;
 		else
 			INSIST(0);
 
@@ -264,11 +343,11 @@ strtoargvsub(isc_mem_t *mctx, char *s, unsigned int *argcp,
 	     char ***argvp, unsigned int n)
 {
 	isc_result_t result;
-	
+
 	/* Discard leading whitespace. */
 	while (*s == ' ' || *s == '\t')
 		s++;
-	
+
 	if (*s == '\0') {
 		/* We have reached the end of the string. */
 		*argcp = n;
@@ -353,6 +432,9 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
 	isc_boolean_t ixfrdiff;
 	dns_masterformat_t masterformat;
+	isc_stats_t *zoneqrystats;
+	isc_boolean_t zonestats_on;
+	int seconds;
 
 	i = 0;
 	if (zconfig != NULL) {
@@ -443,14 +525,14 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 
 	if (ztype == dns_zone_slave)
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-notify", ac, zone,
+					  allow_notify, ac, zone,
 					  dns_zone_setnotifyacl,
 					  dns_zone_clearnotifyacl));
 	/*
 	 * XXXAG This probably does not make sense for stubs.
 	 */
 	RETERR(configure_zone_acl(zconfig, vconfig, config,
-				  "allow-query", ac, zone,
+				  allow_query, ac, zone,
 				  dns_zone_setqueryacl,
 				  dns_zone_clearqueryacl));
 
@@ -480,7 +562,15 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	obj = NULL;
 	result = ns_config_get(maps, "zone-statistics", &obj);
 	INSIST(result == ISC_R_SUCCESS);
-	RETERR(dns_zone_setstatistics(zone, cfg_obj_asboolean(obj)));
+	zonestats_on = cfg_obj_asboolean(obj);
+	zoneqrystats = NULL;
+	if (zonestats_on) {
+		RETERR(isc_stats_create(mctx, &zoneqrystats,
+					dns_nsstatscounter_max));
+	}
+	dns_zone_setrequeststats(zone, zoneqrystats);
+	if (zoneqrystats != NULL)
+		isc_stats_detach(&zoneqrystats);
 
 	/*
 	 * Configure master functionality.  This applies
@@ -536,10 +626,16 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		RETERR(dns_zone_setnotifysrc6(zone, cfg_obj_assockaddr(obj)));
 		ns_add_reserved_dispatch(ns_g_server, cfg_obj_assockaddr(obj));
 
+		obj = NULL;
+		result = ns_config_get(maps, "notify-to-soa", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_NOTIFYTOSOA,
+				   cfg_obj_asboolean(obj));
+
 		dns_zone_setisself(zone, ns_client_isself, NULL);
 
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-transfer", ac, zone,
+					  allow_transfer, ac, zone,
 					  dns_zone_setxfracl,
 					  dns_zone_clearxfracl));
 
@@ -614,13 +710,19 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "check-sibling", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING, 
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKSIBLING,
 				   cfg_obj_asboolean(obj));
 
 		obj = NULL;
 		result = ns_config_get(maps, "zero-no-soa-ttl", &obj);
 		INSIST(result == ISC_R_SUCCESS);
 		dns_zone_setzeronosoattl(zone, cfg_obj_asboolean(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "nsec3-test-zone", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_NSEC3TESTZONE,
+				   cfg_obj_asboolean(obj));
 	}
 
 	/*
@@ -630,10 +732,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	if (ztype == dns_zone_master) {
 		dns_acl_t *updateacl;
 		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update", ac, zone,
+					  allow_update, ac, zone,
 					  dns_zone_setupdateacl,
 					  dns_zone_clearupdateacl));
-		
+
 		updateacl = dns_zone_getupdateacl(zone);
 		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
 			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
@@ -641,14 +743,32 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 				      "zone '%s' allows updates by IP "
 				      "address, which is insecure",
 				      zname);
-		
+
 		RETERR(configure_zone_ssutable(zoptions, zone));
 
 		obj = NULL;
 		result = ns_config_get(maps, "sig-validity-interval", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setsigvalidityinterval(zone,
-						cfg_obj_asuint32(obj) * 86400);
+		{
+			const cfg_obj_t *validity, *resign;
+
+			validity = cfg_tuple_get(obj, "validity");
+			seconds = cfg_obj_asuint32(validity) * 86400;
+			dns_zone_setsigvalidityinterval(zone, seconds);
+
+			resign = cfg_tuple_get(obj, "re-sign");
+			if (cfg_obj_isvoid(resign)) {
+				seconds /= 4;
+			} else {
+				if (seconds > 7 * 86400)
+					seconds = cfg_obj_asuint32(resign) *
+							86400;
+				else
+					seconds = cfg_obj_asuint32(resign) *
+							3600;
+			}
+			dns_zone_setsigresigninginterval(zone, seconds);
+		}
 
 		obj = NULL;
 		result = ns_config_get(maps, "key-directory", &obj);
@@ -664,6 +784,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		}
 
 		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-signatures", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-nodes", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-type", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "update-check-ksk", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
+				   cfg_obj_asboolean(obj));
+
+	} else if (ztype == dns_zone_slave) {
+		RETERR(configure_zone_acl(zconfig, vconfig, config,
+					  allow_update_forwarding, ac, zone,
+					  dns_zone_setforwardacl,
+					  dns_zone_clearforwardacl));
+	}
+
+
+	/*%
+	 * Primary master functionality.
+	 */
+	if (ztype == dns_zone_master) {
+		obj = NULL;
 		result = ns_config_get(maps, "check-wildcard", &obj);
 		if (result == ISC_R_SUCCESS)
 			check = cfg_obj_asboolean(obj);
@@ -689,7 +842,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "check-integrity", &obj);
 		INSIST(obj != NULL);
-		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY, 
+		dns_zone_setoption(zone, DNS_ZONEOPT_CHECKINTEGRITY,
 				   cfg_obj_asboolean(obj));
 
 		obj = NULL;
@@ -721,59 +874,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
-
-		obj = NULL;
-		result = ns_config_get(maps, "update-check-ksk", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, 
-				   cfg_obj_asboolean(obj));
-	}
-
-	/*
-	 * Configure update-related options.  These apply to
-	 * primary masters only.
-	 */
-	if (ztype == dns_zone_master) {
-		dns_acl_t *updateacl;
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update", ac, zone,
-					  dns_zone_setupdateacl,
-					  dns_zone_clearupdateacl));
-		
-		updateacl = dns_zone_getupdateacl(zone);
-		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
-			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "zone '%s' allows updates by IP "
-				      "address, which is insecure",
-				      zname);
-		
-		RETERR(configure_zone_ssutable(zoptions, zone));
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-validity-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setsigvalidityinterval(zone,
-						cfg_obj_asuint32(obj) * 86400);
-
-		obj = NULL;
-		result = ns_config_get(maps, "key-directory", &obj);
-		if (result == ISC_R_SUCCESS) {
-			filename = cfg_obj_asstring(obj);
-			if (!isc_file_isabsolute(filename)) {
-				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-					    "key-directory '%s' "
-					    "is not absolute", filename);
-				return (ISC_R_FAILURE);
-			}
-			RETERR(dns_zone_setkeydirectory(zone, filename));
-		}
-
-	} else if (ztype == dns_zone_slave) {
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update-forwarding", ac, zone,
-					  dns_zone_setforwardacl,
-					  dns_zone_clearforwardacl));
 	}
 
 	/*
@@ -876,6 +976,10 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			alt = cfg_obj_asboolean(obj);
 		dns_zone_setoption(zone, DNS_ZONEOPT_USEALTXFRSRC, alt);
 
+		obj = NULL;
+		(void)ns_config_get(maps, "try-tcp-refresh", &obj);
+		dns_zone_setoption(zone, DNS_ZONEOPT_TRYTCPREFRESH,
+				   cfg_obj_asboolean(obj));
 		break;
 
 	default:
diff --git a/bin/nsupdate/Makefile.in b/bin/nsupdate/Makefile.in
index 713ec30..6d65697 100644
--- a/bin/nsupdate/Makefile.in
+++ b/bin/nsupdate/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004, 2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2006-2008  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000-2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.22.18.3 2008/08/29 23:46:16 tbox Exp $
+# $Id: Makefile.in,v 1.29 2008/08/29 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -24,9 +24,9 @@ top_srcdir =	@top_srcdir@
 @BIND9_MAKE_INCLUDES@
 
 CINCLUDES =	${LWRES_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
-		${ISC_INCLUDES}
+		${ISC_INCLUDES} @DST_GSSAPI_INC@
 
-CDEFINES =
+CDEFINES =	@USE_GSSAPI@
 CWARNINGS =
 
 LWRESLIBS =	../../lib/lwres/liblwres.@A@
diff --git a/bin/nsupdate/nsupdate.1 b/bin/nsupdate/nsupdate.1
index 454f505..b0688a3 100644
--- a/bin/nsupdate/nsupdate.1
+++ b/bin/nsupdate/nsupdate.1
@@ -1,4 +1,4 @@
-.\" Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 .\" Copyright (C) 2000-2003 Internet Software Consortium.
 .\" 
 .\" Permission to use, copy, modify, and distribute this software for any
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: nsupdate.1,v 1.1.4.2 2008/09/01 02:29:00 tbox Exp $
+.\" $Id: nsupdate.1,v 1.3.48.2 2009/03/10 01:54:11 tbox Exp $
 .\"
 .hy 0
 .ad l
@@ -33,7 +33,7 @@
 nsupdate \- Dynamic DNS update utility
 .SH "SYNOPSIS"
 .HP 9
-\fBnsupdate\fR [\fB\-d\fR] [[\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-v\fR] [filename]
+\fBnsupdate\fR [\fB\-d\fR] [\fB\-D\fR] [[\fB\-g\fR] | [\fB\-o\fR] | [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIkeyname:secret\fR\fR] | [\fB\-k\ \fR\fB\fIkeyfile\fR\fR]] [\fB\-t\ \fR\fB\fItimeout\fR\fR] [\fB\-u\ \fR\fB\fIudptimeout\fR\fR] [\fB\-r\ \fR\fB\fIudpretries\fR\fR] [\fB\-R\ \fR\fB\fIrandomdev\fR\fR] [\fB\-v\fR] [filename]
 .SH "DESCRIPTION"
 .PP
 \fBnsupdate\fR
@@ -53,7 +53,14 @@ option makes
 \fBnsupdate\fR
 operate in debug mode. This provides tracing information about the update requests that are made and the replies received from the name server.
 .PP
-Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931. TSIG relies on a shared secret that should only be known to
+The
+\fB\-D\fR
+option makes
+\fBnsupdate\fR
+report additional debugging information to
+\fB\-d\fR.
+.PP
+Transaction signatures can be used to authenticate the Dynamic DNS updates. These use the TSIG resource record type described in RFC2845 or the SIG(0) record described in RFC3535 and RFC2931 or GSS\-TSIG as described in RFC3645. TSIG relies on a shared secret that should only be known to
 \fBnsupdate\fR
 and the name server. Currently, the only supported encryption algorithm for TSIG is HMAC\-MD5, which is defined in RFC 2104. Once other algorithms are defined for TSIG, applications will need to ensure they select the appropriate algorithm as well as the key when authenticating each other. For instance, suitable
 \fBkey\fR
@@ -64,7 +71,7 @@ statements would be added to
 so that the name server can associate the appropriate secret key and algorithm with the IP address of the client application that will be using TSIG authentication. SIG(0) uses public key cryptography. To use a SIG(0) key, the public key must be stored in a KEY record in a zone served by the name server.
 \fBnsupdate\fR
 does not read
-\fI/etc/named.conf\fR.
+\fI/etc/named.conf\fR. GSS\-TSIG uses Kerberos credentials.
 .PP
 \fBnsupdate\fR
 uses the
@@ -96,7 +103,15 @@ The
 \fB\-k\fR
 may also be used to specify a SIG(0) key used to authenticate Dynamic DNS update requests. In this case, the key specified is not an HMAC\-MD5 key.
 .PP
-By default
+The
+\fB\-g\fR
+and
+\fB\-o\fR
+specify that GSS\-TSIG is to be used. The
+\fB\-o\fR
+should only be used with old Microsoft Windows 2000 servers.
+.PP
+By default,
 \fBnsupdate\fR
 uses UDP to send update requests to the name server unless they are too large to fit in a UDP request in which case TCP will be used. The
 \fB\-v\fR
@@ -115,6 +130,16 @@ option sets the UDP retry interval. The default is 3 seconds. If zero, the inter
 The
 \fB\-r\fR
 option sets the number of UDP retries. The default is 3. If zero, only one update request will be made.
+.PP
+The
+\fB\-R \fR\fB\fIrandomdev\fR\fR
+option specifies a source of randomness. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used. This option may be specified multiple times.
 .SH "INPUT FORMAT"
 .PP
 \fBnsupdate\fR
@@ -168,6 +193,13 @@ is specified, the default class is
 \fIIN\fR.
 .RE
 .PP
+\fBttl\fR {seconds}
+.RS 4
+Specify the default time to live for records to be added. The value
+\fInone\fR
+will clear the default ttl.
+.RE
+.PP
 \fBkey\fR {name} {secret}
 .RS 4
 Specifies that all updates are to be TSIG\-signed using the
@@ -271,6 +303,11 @@ Sends the current message. This is equivalent to entering a blank line.
 Displays the answer.
 .RE
 .PP
+\fBdebug\fR
+.RS 4
+Turn on debugging.
+.RE
+.PP
 Lines beginning with a semicolon are comments and are ignored.
 .SH "EXAMPLES"
 .PP
@@ -342,7 +379,7 @@ base\-64 encoding of HMAC\-MD5 key created by
 .PP
 The TSIG key is redundantly stored in two separate files. This is a consequence of nsupdate using the DST library for its cryptographic operations, and may change in future releases.
 .SH "COPYRIGHT"
-Copyright \(co 2004\-2008 Internet Systems Consortium, Inc. ("ISC")
+Copyright \(co 2004\-2009 Internet Systems Consortium, Inc. ("ISC")
 .br
 Copyright \(co 2000\-2003 Internet Software Consortium.
 .br
diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
index 88749e6..6cf4cf4 100644
--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.130.18.22 2008/01/17 23:45:58 tbox Exp $ */
+/* $Id: nsupdate.c,v 1.163.48.3 2009/04/30 07:12:49 marka Exp $ */
 
 /*! \file */
 
@@ -35,8 +35,10 @@
 #include <isc/event.h>
 #include <isc/hash.h>
 #include <isc/lex.h>
+#include <isc/log.h>
 #include <isc/mem.h>
 #include <isc/parseint.h>
+#include <isc/random.h>
 #include <isc/region.h>
 #include <isc/sockaddr.h>
 #include <isc/socket.h>
@@ -52,6 +54,7 @@
 #include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/fixedname.h>
+#include <dns/log.h>
 #include <dns/masterdump.h>
 #include <dns/message.h>
 #include <dns/name.h>
@@ -64,6 +67,7 @@
 #include <dns/rdatatype.h>
 #include <dns/request.h>
 #include <dns/result.h>
+#include <dns/tkey.h>
 #include <dns/tsig.h>
 
 #include <dst/dst.h>
@@ -71,8 +75,12 @@
 #include <lwres/lwres.h>
 #include <lwres/net.h>
 
+#ifdef GSSAPI
+#include <dst/gssapi.h>
+#endif
 #include <bind9/getaddresses.h>
 
+
 #ifdef HAVE_ADDRINFO
 #ifdef HAVE_GETADDRINFO
 #ifdef HAVE_GAISTRERROR
@@ -107,9 +115,13 @@ static isc_boolean_t have_ipv4 = ISC_FALSE;
 static isc_boolean_t have_ipv6 = ISC_FALSE;
 static isc_boolean_t is_dst_up = ISC_FALSE;
 static isc_boolean_t usevc = ISC_FALSE;
+static isc_boolean_t usegsstsig = ISC_FALSE;
+static isc_boolean_t use_win2k_gsstsig = ISC_FALSE;
+static isc_boolean_t tried_other_gsstsig = ISC_FALSE;
 static isc_taskmgr_t *taskmgr = NULL;
 static isc_task_t *global_task = NULL;
 static isc_event_t *global_event = NULL;
+static isc_log_t *lctx = NULL;
 static isc_mem_t *mctx = NULL;
 static dns_dispatchmgr_t *dispatchmgr = NULL;
 static dns_requestmgr_t *requestmgr = NULL;
@@ -120,6 +132,10 @@ static dns_dispatch_t *dispatchv6 = NULL;
 static dns_message_t *updatemsg = NULL;
 static dns_fixedname_t fuserzone;
 static dns_name_t *userzone = NULL;
+static dns_name_t *zonename = NULL;
+static dns_name_t tmpzonename;
+static dns_name_t restart_master;
+static dns_tsig_keyring_t *gssring = NULL;
 static dns_tsigkey_t *tsigkey = NULL;
 static dst_key_t *sig0key;
 static lwres_context_t *lwctx = NULL;
@@ -129,20 +145,25 @@ static int ns_inuse = 0;
 static int ns_total = 0;
 static isc_sockaddr_t *userserver = NULL;
 static isc_sockaddr_t *localaddr = NULL;
+static isc_sockaddr_t *serveraddr = NULL;
+static isc_sockaddr_t tempaddr;
 static char *keystr = NULL, *keyfile = NULL;
-static isc_entropy_t *entp = NULL;
+static isc_entropy_t *entropy = NULL;
 static isc_boolean_t shuttingdown = ISC_FALSE;
 static FILE *input;
 static isc_boolean_t interactive = ISC_TRUE;
 static isc_boolean_t seenerror = ISC_FALSE;
 static const dns_master_style_t *style;
 static int requests = 0;
+static unsigned int logdebuglevel = 0;
 static unsigned int timeout = 300;
 static unsigned int udp_timeout = 3;
 static unsigned int udp_retries = 3;
 static dns_rdataclass_t defaultclass = dns_rdataclass_in;
 static dns_rdataclass_t zoneclass = dns_rdataclass_none;
 static dns_message_t *answer = NULL;
+static isc_uint32_t default_ttl = 0;
+static isc_boolean_t default_ttl_set = ISC_FALSE;
 
 typedef struct nsu_requestinfo {
 	dns_message_t *msg;
@@ -161,6 +182,27 @@ debug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 static void
 ddebug(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
+#ifdef GSSAPI
+static dns_fixedname_t fkname;
+static isc_sockaddr_t *kserver = NULL;
+static char servicename[DNS_NAME_FORMATSIZE];
+static dns_name_t *keyname;
+typedef struct nsu_gssinfo {
+	dns_message_t *msg;
+	isc_sockaddr_t *addr;
+	gss_ctx_id_t context;
+} nsu_gssinfo_t;
+
+static void
+start_gssrequest(dns_name_t *master);
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		dns_message_t *msg, dns_request_t **request,
+		gss_ctx_id_t context);
+static void
+recvgss(isc_task_t *task, isc_event_t *event);
+#endif /* GSSAPI */
+
 static void
 error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 
@@ -169,6 +211,69 @@ error(const char *format, ...) ISC_FORMAT_PRINTF(1, 2);
 #define STATUS_QUIT	(isc_uint16_t)2
 #define STATUS_SYNTAX	(isc_uint16_t)3
 
+typedef struct entropysource entropysource_t;
+
+struct entropysource {
+	isc_entropysource_t *source;
+	isc_mem_t *mctx;
+	ISC_LINK(entropysource_t) link;
+};
+
+static ISC_LIST(entropysource_t) sources;
+
+static void
+setup_entropy(isc_mem_t *mctx, const char *randomfile, isc_entropy_t **ectx)
+{
+	isc_result_t result;
+	isc_entropysource_t *source = NULL;
+	entropysource_t *elt;
+	int usekeyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+
+	REQUIRE(ectx != NULL);
+
+	if (*ectx == NULL) {
+		result = isc_entropy_create(mctx, ectx);
+		if (result != ISC_R_SUCCESS)
+			fatal("could not create entropy object");
+		ISC_LIST_INIT(sources);
+	}
+
+	if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+		usekeyboard = ISC_ENTROPY_KEYBOARDYES;
+		randomfile = NULL;
+	}
+
+	result = isc_entropy_usebestsource(*ectx, &source, randomfile,
+					   usekeyboard);
+
+	if (result != ISC_R_SUCCESS)
+		fatal("could not initialize entropy source: %s",
+		      isc_result_totext(result));
+
+	if (source != NULL) {
+		elt = isc_mem_get(mctx, sizeof(*elt));
+		if (elt == NULL)
+			fatal("out of memory");
+		elt->source = source;
+		elt->mctx = mctx;
+		ISC_LINK_INIT(elt, link);
+		ISC_LIST_APPEND(sources, elt, link);
+	}
+}
+
+static void
+cleanup_entropy(isc_entropy_t **ectx) {
+	entropysource_t *source;
+	while (!ISC_LIST_EMPTY(sources)) {
+		source = ISC_LIST_HEAD(sources);
+		ISC_LIST_UNLINK(sources, source, link);
+		isc_entropy_destroysource(&source->source);
+		isc_mem_put(source->mctx, source, sizeof(*source));
+	}
+	isc_entropy_detach(ectx);
+}
+
+
 static dns_rdataclass_t
 getzoneclass(void) {
 	if (zoneclass == dns_rdataclass_none)
@@ -295,6 +400,13 @@ reset_system(void) {
 		check_result(result, "dns_message_create");
 	}
 	updatemsg->opcode = dns_opcode_update;
+	if (usegsstsig) {
+		if (tsigkey != NULL)
+			dns_tsigkey_detach(&tsigkey);
+		if (gssring != NULL)
+			dns_tsigkeyring_destroy(&gssring);
+		tried_other_gsstsig = ISC_FALSE;
+	}
 }
 
 static isc_uint16_t
@@ -518,10 +630,7 @@ doshutdown(void) {
 		is_dst_up = ISC_FALSE;
 	}
 
-	if (entp != NULL) {
-		ddebug("Detach from entropy");
-		isc_entropy_detach(&entp);
-	}
+	cleanup_entropy(&entropy);
 
 	lwres_conf_clear(lwctx);
 	lwres_context_destroy(&lwctx);
@@ -572,6 +681,7 @@ setup_system(void) {
 	lwres_result_t lwresult;
 	unsigned int attrs, attrmask;
 	int i;
+	isc_logconfig_t *logconfig = NULL;
 
 	ddebug("setup_system()");
 
@@ -588,8 +698,17 @@ setup_system(void) {
 	if (!have_ipv4 && !have_ipv6)
 		fatal("could not find either IPv4 or IPv6");
 
-	result = isc_mem_create(0, 0, &mctx);
-	check_result(result, "isc_mem_create");
+	result = isc_log_create(mctx, &lctx, &logconfig);
+	check_result(result, "isc_log_create");
+
+	isc_log_setcontext(lctx);
+	dns_log_init(lctx);
+	dns_log_setcontext(lctx);
+
+	result = isc_log_usechannel(logconfig, "default_debug", NULL, NULL);
+	check_result(result, "isc_log_usechannel");
+
+	isc_log_setdebuglevel(lctx, logdebuglevel);
 
 	lwresult = lwres_context_create(&lwctx, mctx, mem_alloc, mem_free, 1);
 	if (lwresult != LWRES_R_SUCCESS)
@@ -626,14 +745,13 @@ setup_system(void) {
 		}
 	}
 
-	result = isc_entropy_create(mctx, &entp);
-	check_result(result, "isc_entropy_create");
+	setup_entropy(mctx, NULL, &entropy);
 
-	result = isc_hash_create(mctx, entp, DNS_NAME_MAXWIRE);
+	result = isc_hash_create(mctx, entropy, DNS_NAME_MAXWIRE);
 	check_result(result, "isc_hash_create");
 	isc_hash_init();
 
-	result = dns_dispatchmgr_create(mctx, entp, &dispatchmgr);
+	result = dns_dispatchmgr_create(mctx, entropy, &dispatchmgr);
 	check_result(result, "dns_dispatchmgr_create");
 
 	result = isc_socketmgr_create(mctx, &socketmgr);
@@ -651,7 +769,7 @@ setup_system(void) {
 	result = isc_task_onshutdown(global_task, shutdown_program, NULL);
 	check_result(result, "isc_task_onshutdown");
 
-	result = dst_lib_init(mctx, entp, 0);
+	result = dst_lib_init(mctx, entropy, 0);
 	check_result(result, "dst_lib_init");
 	is_dst_up = ISC_TRUE;
 
@@ -707,14 +825,47 @@ get_address(char *host, in_port_t port, isc_sockaddr_t *sockaddr) {
 	INSIST(count == 1);
 }
 
+#define PARSE_ARGS_FMT "dDMl:y:govk:rR::t:u:"
+
+static void
+pre_parse_args(int argc, char **argv) {
+	int ch;
+
+	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
+		switch (ch) {
+		case 'M': /* was -dm */
+			debugging = ISC_TRUE;
+			ddebugging = ISC_TRUE;
+			memdebugging = ISC_TRUE;
+			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
+					    ISC_MEM_DEBUGRECORD;
+			break;
+
+		case '?':
+			if (isc_commandline_option != '?')
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					argv[0], isc_commandline_option);
+			fprintf(stderr, "usage: nsupdate [-d] "
+				"[-g | -o | -y keyname:secret | -k keyfile] "
+				"[-v] [filename]\n");
+			exit(1);
+
+		default:
+			break;
+		}
+	}
+	isc_commandline_reset = ISC_TRUE;
+	isc_commandline_index = 1;
+}
+
 static void
-parse_args(int argc, char **argv) {
+parse_args(int argc, char **argv, isc_mem_t *mctx, isc_entropy_t **ectx) {
 	int ch;
+	isc_uint32_t i;
 	isc_result_t result;
 
 	debug("parse_args");
-	while ((ch = isc_commandline_parse(argc, argv, "dDMy:vk:r:t:u:")) != -1)
-	{
+	while ((ch = isc_commandline_parse(argc, argv, PARSE_ARGS_FMT)) != -1) {
 		switch (ch) {
 		case 'd':
 			debugging = ISC_TRUE;
@@ -723,12 +874,17 @@ parse_args(int argc, char **argv) {
 			debugging = ISC_TRUE;
 			ddebugging = ISC_TRUE;
 			break;
-		case 'M': /* was -dm */
-			debugging = ISC_TRUE;
-			ddebugging = ISC_TRUE;
-			memdebugging = ISC_TRUE;
-			isc_mem_debugging = ISC_MEM_DEBUGTRACE |
-					    ISC_MEM_DEBUGRECORD;
+		case 'M':
+			break;
+		case 'l':
+			result = isc_parse_uint32(&i, isc_commandline_argument,
+						  10);
+			if (result != ISC_R_SUCCESS) {
+				fprintf(stderr, "bad library debug value "
+					"'%s'\n", isc_commandline_argument);
+				exit(1);
+			}
+			logdebuglevel = i;
 			break;
 		case 'y':
 			keystr = isc_commandline_argument;
@@ -739,6 +895,14 @@ parse_args(int argc, char **argv) {
 		case 'k':
 			keyfile = isc_commandline_argument;
 			break;
+		case 'g':
+			usegsstsig = ISC_TRUE;
+			use_win2k_gsstsig = ISC_FALSE;
+			break;
+		case 'o':
+			usegsstsig = ISC_TRUE;
+			use_win2k_gsstsig = ISC_TRUE;
+			break;
 		case 't':
 			result = isc_parse_uint32(&timeout,
 						  isc_commandline_argument, 10);
@@ -767,12 +931,14 @@ parse_args(int argc, char **argv) {
 				exit(1);
 			}
 			break;
+
+		case 'R':
+			setup_entropy(mctx, isc_commandline_argument, ectx);
+			break;
+
 		default:
-			fprintf(stderr, "%s: invalid argument -%c\n",
-				argv[0], ch);
-			fprintf(stderr, "usage: nsupdate [-d] "
-				"[-y keyname:secret | -k keyfile] [-v] "
-				"[filename]\n");
+			fprintf(stderr, "%s: unhandled option: %c\n",
+				argv[0], isc_commandline_option);
 			exit(1);
 		}
 	}
@@ -782,6 +948,21 @@ parse_args(int argc, char **argv) {
 		exit(1);
 	}
 
+#ifdef GSSAPI
+	if (usegsstsig && (keyfile != NULL || keystr != NULL)) {
+		fprintf(stderr, "%s: cannot specify -g with -k or -y\n",
+			argv[0]);
+		exit(1);
+	}
+#else
+	if (usegsstsig) {
+		fprintf(stderr, "%s: cannot specify -g  or -o, " \
+			"program not linked with GSS API Library\n",
+			argv[0]);
+		exit(1);
+	}
+#endif
+
 	if (argv[isc_commandline_index] != NULL) {
 		if (strcmp(argv[isc_commandline_index], "-") == 0) {
 			input = stdin;
@@ -853,7 +1034,7 @@ parse_rdata(char **cmdlinep, dns_rdataclass_t rdataclass,
 		check_result(result, "isc_lex_openbuffer");
 		result = isc_buffer_allocate(mctx, &buf, MAXWIRE);
 		check_result(result, "isc_buffer_allocate");
-		result = dns_rdata_fromtext(rdata, rdataclass, rdatatype, lex,
+		result = dns_rdata_fromtext(NULL, rdataclass, rdatatype, lex,
 					    dns_rootname, 0, mctx, buf,
 					    &callbacks);
 		isc_lex_destroy(&lex);
@@ -947,8 +1128,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
 	result = dns_message_gettemprdata(updatemsg, &rdata);
 	check_result(result, "dns_message_gettemprdata");
 
-	rdata->data = NULL;
-	rdata->length = 0;
+	dns_rdata_init(rdata);
 
 	if (isrrset && ispositive) {
 		retval = parse_rdata(&cmdline, rdataclass, rdatatype,
@@ -1209,6 +1389,39 @@ evaluate_zone(char *cmdline) {
 }
 
 static isc_uint16_t
+evaluate_ttl(char *cmdline) {
+	char *word;
+	isc_result_t result;
+	isc_uint32_t ttl;
+
+	word = nsu_strsep(&cmdline, " \t\r\n");
+	if (*word == 0) {
+		fprintf(stderr, "could not ttl\n");
+		return (STATUS_SYNTAX);
+	}
+
+	if (!strcasecmp(word, "none")) {
+		default_ttl = 0;
+		default_ttl_set = ISC_FALSE;
+		return (STATUS_MORE);
+	}
+
+	result = isc_parse_uint32(&ttl, word, 10);
+	if (result != ISC_R_SUCCESS)
+		return (STATUS_SYNTAX);
+
+	if (ttl > TTL_MAX) {
+		fprintf(stderr, "ttl '%s' is out of range (0 to %u)\n",
+			word, TTL_MAX);
+		return (STATUS_SYNTAX);
+	}
+	default_ttl = ttl;
+	default_ttl_set = ISC_TRUE;
+
+	return (STATUS_MORE);
+}
+
+static isc_uint16_t
 evaluate_class(char *cmdline) {
 	char *word;
 	isc_textregion_t r;
@@ -1267,10 +1480,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	result = dns_message_gettemprdata(updatemsg, &rdata);
 	check_result(result, "dns_message_gettemprdata");
 
-	rdata->rdclass = 0;
-	rdata->type = 0;
-	rdata->data = NULL;
-	rdata->length = 0;
+	dns_rdata_init(rdata);
 
 	/*
 	 * If this is an add, read the TTL and verify that it's in range.
@@ -1295,6 +1505,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 		if (isdelete) {
 			ttl = 0;
 			goto parseclass;
+		} else if (default_ttl_set) {
+			ttl = default_ttl;
+			goto parseclass;
 		} else {
 			fprintf(stderr, "ttl '%s': %s\n", word,
 				isc_result_totext(result));
@@ -1328,8 +1541,9 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	}
 	region.base = word;
 	region.length = strlen(word);
+	rdataclass = dns_rdataclass_any;
 	result = dns_rdataclass_fromtext(&rdataclass, &region);
-	if (result == ISC_R_SUCCESS) {
+	if (result == ISC_R_SUCCESS && rdataclass != dns_rdataclass_any) {
 		if (!setzoneclass(rdataclass)) {
 			fprintf(stderr, "class mismatch: %s\n", word);
 			goto failure;
@@ -1469,7 +1683,7 @@ setzone(dns_name_t *zonename) {
 }
 
 static void
-show_message(dns_message_t *msg) {
+show_message(FILE *stream, dns_message_t *msg, const char *description) {
 	isc_result_t result;
 	isc_buffer_t *buf = NULL;
 	int bufsz;
@@ -1497,9 +1711,8 @@ show_message(dns_message_t *msg) {
 		isc_buffer_free(&buf);
 		return;
 	}
-	printf("Outgoing update query:\n%.*s",
-	       (int)isc_buffer_usedlength(buf),
-	       (char*)isc_buffer_base(buf));
+	fprintf(stream, "%s\n%.*s", description,
+	       (int)isc_buffer_usedlength(buf), (char*)isc_buffer_base(buf));
 	isc_buffer_free(&buf);
 }
 
@@ -1544,17 +1757,68 @@ get_next_command(void) {
 		return (evaluate_class(cmdline));
 	if (strcasecmp(word, "send") == 0)
 		return (STATUS_SEND);
+	if (strcasecmp(word, "debug") == 0) {
+		if (debugging)
+			ddebugging = ISC_TRUE;
+		else
+			debugging = ISC_TRUE;
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "ttl") == 0)
+		return (evaluate_ttl(cmdline));
 	if (strcasecmp(word, "show") == 0) {
-		show_message(updatemsg);
+		show_message(stdout, updatemsg, "Outgoing update query:");
 		return (STATUS_MORE);
 	}
 	if (strcasecmp(word, "answer") == 0) {
 		if (answer != NULL)
-			show_message(answer);
+			show_message(stdout, answer, "Answer:");
 		return (STATUS_MORE);
 	}
-	if (strcasecmp(word, "key") == 0)
+	if (strcasecmp(word, "key") == 0) {
+		usegsstsig = ISC_FALSE;
 		return (evaluate_key(cmdline));
+	}
+	if (strcasecmp(word, "gsstsig") == 0) {
+#ifdef GSSAPI
+		usegsstsig = ISC_TRUE;
+		use_win2k_gsstsig = ISC_FALSE;
+#else
+		fprintf(stderr, "gsstsig not supported\n");
+#endif
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "oldgsstsig") == 0) {
+#ifdef GSSAPI
+		usegsstsig = ISC_TRUE;
+		use_win2k_gsstsig = ISC_TRUE;
+#else
+		fprintf(stderr, "gsstsig not supported\n");
+#endif
+		return (STATUS_MORE);
+	}
+	if (strcasecmp(word, "help") == 0) {
+		fprintf(stdout,
+"local address [port]      (set local resolver)\n"
+"server address [port]     (set master server for zone)\n"
+"send                      (send the update request)\n"
+"show                      (show the update request)\n"
+"answer	                   (show the answer to the last request)\n"
+"quit                      (quit, any pending update is not sent\n"
+"help			   (display this message_\n"
+"key [hmac:]keyname secret (use TSIG to sign the request)\n"
+"gsstsig                   (use GSS_TSIG to sign the request)\n"
+"oldgsstsig                (use Microsoft's GSS_TSIG to sign the request)\n"
+"zone name                 (set the zone to be updated)\n"
+"class CLASS               (set the zone's DNS class, e.g. IN (default), CH)\n"
+"prereq nxdomain name      (does this name not exist)\n"
+"prereq yxdomain name      (does this name exist)\n"
+"prereq nxrrset ....       (does this RRset exist)\n"
+"prereq yxrrset ....       (does this RRset not exist)\n"
+"update add ....           (add the given record to the zone)\n"
+"update delete ....        (remove the given record(s) from the zone)\n");
+		return (STATUS_MORE);
+	}
 	fprintf(stderr, "incorrect section name: %s\n", word);
 	return (STATUS_SYNTAX);
 }
@@ -1641,12 +1905,23 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 					 DNS_MESSAGEPARSE_PRESERVEORDER);
 	switch (result) {
 	case ISC_R_SUCCESS:
+		if (answer->verify_attempted)
+			ddebug("tsig verification successful");
 		break;
 	case DNS_R_CLOCKSKEW:
 	case DNS_R_EXPECTEDTSIG:
 	case DNS_R_TSIGERRORSET:
 	case DNS_R_TSIGVERIFYFAILURE:
 	case DNS_R_UNEXPECTEDTSIG:
+	case ISC_R_FAILURE:
+#if 0
+		if (usegsstsig && answer->rcode == dns_rcode_noerror) {
+			/*
+			 * For MS DNS that violates RFC 2845, section 4.2
+			 */
+			break;
+		}
+#endif
 		fprintf(stderr, "; TSIG error with server: %s\n",
 			isc_result_totext(result));
 		seenerror = ISC_TRUE;
@@ -1672,32 +1947,15 @@ update_completed(isc_task_t *task, isc_event_t *event) {
 				(int)isc_buffer_usedlength(&b), buf);
 		}
 	}
-	if (debugging) {
-		isc_buffer_t *buf = NULL;
-		int bufsz;
-
-		bufsz = INITTEXT;
-		do {
-			if (bufsz > MAXTEXT) {
-				fprintf(stderr, "could not allocate large "
-					"enough buffer to display message\n");
-				exit(1);
-			}
-			if (buf != NULL)
-				isc_buffer_free(&buf);
-			result = isc_buffer_allocate(mctx, &buf, bufsz);
-			check_result(result, "isc_buffer_allocate");
-			result = dns_message_totext(answer, style, 0, buf);
-			bufsz *= 2;
-		} while (result == ISC_R_NOSPACE);
-		check_result(result, "dns_message_totext");
-		fprintf(stderr, "\nReply from update query:\n%.*s\n",
-			(int)isc_buffer_usedlength(buf),
-			(char*)isc_buffer_base(buf));
-		isc_buffer_free(&buf);
-	}
+	if (debugging)
+		show_message(stderr, answer, "\nReply from update query:");
+
  done:
 	dns_request_destroy(&request);
+	if (usegsstsig) {
+		dns_name_free(&tmpzonename, mctx);
+		dns_name_free(&restart_master, mctx);
+	}
 	isc_event_free(&event);
 	done_update();
 }
@@ -1726,6 +1984,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
 		isc_sockaddr_format(master, addrbuf, sizeof(addrbuf));
 		fprintf(stderr, "Sending update to %s\n", addrbuf);
 	}
+
 	result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
 					master, options, tsigkey, timeout,
 					udp_timeout, udp_retries, global_task,
@@ -1733,7 +1992,7 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
 	check_result(result, "dns_request_createvia3");
 
 	if (debugging)
-		show_message(updatemsg);
+		show_message(stdout, updatemsg, "Outgoing update query:");
 
 	requests++;
 }
@@ -1751,8 +2010,6 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	dns_rdata_t soarr = DNS_RDATA_INIT;
 	int pass = 0;
 	dns_name_t master;
-	isc_sockaddr_t *serveraddr, tempaddr;
-	dns_name_t *zonename;
 	nsu_requestinfo_t *reqinfo;
 	dns_message_t *soaquery = NULL;
 	isc_sockaddr_t *addr;
@@ -1788,7 +2045,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 
 		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
 		fprintf(stderr, "; Communication with %s failed: %s\n",
-		       addrbuf, isc_result_totext(eresult));
+			addrbuf, isc_result_totext(eresult));
 		if (userserver != NULL)
 			fatal("could not talk to specified name server");
 		else if (++ns_inuse >= lwconf->nsnext)
@@ -1837,28 +2094,8 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	}
 	check_result(result, "dns_request_getresponse");
 	section = DNS_SECTION_ANSWER;
-	if (debugging) {
-		isc_buffer_t *buf = NULL;
-		int bufsz;
-		bufsz = INITTEXT;
-		do {
-			if (buf != NULL)
-				isc_buffer_free(&buf);
-			if (bufsz > MAXTEXT) {
-				fprintf(stderr, "could not allocate enough "
-					 "space for debugging message\n");
-				exit(1);
-			}
-			result = isc_buffer_allocate(mctx, &buf, bufsz);
-			check_result(result, "isc_buffer_allocate");
-			result = dns_message_totext(rcvmsg, style, 0, buf);
-		} while (result == ISC_R_NOSPACE);
-		check_result(result, "dns_message_totext");
-		fprintf(stderr, "Reply from SOA query:\n%.*s\n",
-			(int)isc_buffer_usedlength(buf),
-			(char*)isc_buffer_base(buf));
-		isc_buffer_free(&buf);
-	}
+	if (debugging)
+		show_message(stderr, rcvmsg, "Reply from SOA query:");
 
 	if (rcvmsg->rcode != dns_rcode_noerror &&
 	    rcvmsg->rcode != dns_rcode_nxdomain)
@@ -1901,12 +2138,9 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 		if (section == DNS_SECTION_ANSWER) {
 			dns_rdataset_t *tset = NULL;
 			if (dns_message_findtype(name, dns_rdatatype_cname, 0,
-						 &tset) == ISC_R_SUCCESS
-			    ||
+						 &tset) == ISC_R_SUCCESS ||
 			    dns_message_findtype(name, dns_rdatatype_dname, 0,
-						 &tset) == ISC_R_SUCCESS
-			    )
-			{
+						 &tset) == ISC_R_SUCCESS ) {
 				seencname = ISC_TRUE;
 				break;
 			}
@@ -1966,8 +2200,21 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	}
 	dns_rdata_freestruct(&soa);
 
+#ifdef GSSAPI
+	if (usegsstsig) {
+		dns_name_init(&tmpzonename, NULL);
+		dns_name_dup(zonename, mctx, &tmpzonename);
+		dns_name_init(&restart_master, NULL);
+		dns_name_dup(&master, mctx, &restart_master);
+		start_gssrequest(&master);
+	} else {
+		send_update(zonename, serveraddr, localaddr);
+		setzoneclass(dns_rdataclass_none);
+	}
+#else
 	send_update(zonename, serveraddr, localaddr);
 	setzoneclass(dns_rdataclass_none);
+#endif
 
 	dns_message_destroy(&soaquery);
 	dns_request_destroy(&request);
@@ -1994,8 +2241,7 @@ recvsoa(isc_task_t *task, isc_event_t *event) {
 	if (userserver != NULL)
 		sendrequest(localaddr, userserver, soaquery, &request);
 	else
-		sendrequest(localaddr, &servers[ns_inuse], soaquery,
-			    &request);
+		sendrequest(localaddr, &servers[ns_inuse], soaquery, &request);
 	goto out;
 }
 
@@ -2019,6 +2265,286 @@ sendrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
 	requests++;
 }
 
+#ifdef GSSAPI
+static void
+start_gssrequest(dns_name_t *master)
+{
+	gss_ctx_id_t context;
+	isc_buffer_t buf;
+	isc_result_t result;
+	isc_uint32_t val = 0;
+	dns_message_t *rmsg;
+	dns_request_t *request = NULL;
+	dns_name_t *servname;
+	dns_fixedname_t fname;
+	char namestr[DNS_NAME_FORMATSIZE];
+	char keystr[DNS_NAME_FORMATSIZE];
+
+	debug("start_gssrequest");
+	usevc = ISC_TRUE;
+
+	if (gssring != NULL)
+		dns_tsigkeyring_destroy(&gssring);
+	gssring = NULL;
+	result = dns_tsigkeyring_create(mctx, &gssring);
+
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_tsigkeyring_create failed: %s",
+		      isc_result_totext(result));
+
+	dns_name_format(master, namestr, sizeof(namestr));
+	if (kserver == NULL) {
+		kserver = isc_mem_get(mctx, sizeof(isc_sockaddr_t));
+		if (kserver == NULL)
+			fatal("out of memory");
+	}
+	if (userserver == NULL)
+		get_address(namestr, DNSDEFAULTPORT, kserver);
+	else
+		(void)memcpy(kserver, userserver, sizeof(isc_sockaddr_t));
+
+	dns_fixedname_init(&fname);
+	servname = dns_fixedname_name(&fname);
+
+	result = isc_string_printf(servicename, sizeof(servicename),
+				   "DNS/%s", namestr);
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_string_printf(servicename) failed: %s",
+		      isc_result_totext(result));
+	isc_buffer_init(&buf, servicename, strlen(servicename));
+	isc_buffer_add(&buf, strlen(servicename));
+	result = dns_name_fromtext(servname, &buf, dns_rootname,
+				   ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_name_fromtext(servname) failed: %s",
+		      isc_result_totext(result));
+
+	dns_fixedname_init(&fkname);
+	keyname = dns_fixedname_name(&fkname);
+
+	isc_random_get(&val);
+	result = isc_string_printf(keystr, sizeof(keystr), "%u.sig-%s",
+				   val, namestr);
+	if (result != ISC_R_SUCCESS)
+		fatal("isc_string_printf(keystr) failed: %s",
+		      isc_result_totext(result));
+	isc_buffer_init(&buf, keystr, strlen(keystr));
+	isc_buffer_add(&buf, strlen(keystr));
+
+	result = dns_name_fromtext(keyname, &buf, dns_rootname,
+				   ISC_FALSE, NULL);
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_name_fromtext(keyname) failed: %s",
+		      isc_result_totext(result));
+
+	/* Windows doesn't recognize name compression in the key name. */
+	keyname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+
+	rmsg = NULL;
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTRENDER, &rmsg);
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_message_create failed: %s",
+		      isc_result_totext(result));
+
+	/* Build first request. */
+
+	context = GSS_C_NO_CONTEXT;
+	result = dns_tkey_buildgssquery(rmsg, keyname, servname, NULL, 0,
+					&context, use_win2k_gsstsig);
+	if (result == ISC_R_FAILURE)
+		fatal("Check your Kerberos ticket, it may have expired.");
+	if (result != ISC_R_SUCCESS)
+		fatal("dns_tkey_buildgssquery failed: %s",
+		      isc_result_totext(result));
+
+	send_gssrequest(localaddr, kserver, rmsg, &request, context);
+}
+
+static void
+send_gssrequest(isc_sockaddr_t *srcaddr, isc_sockaddr_t *destaddr,
+		dns_message_t *msg, dns_request_t **request,
+		gss_ctx_id_t context)
+{
+	isc_result_t result;
+	nsu_gssinfo_t *reqinfo;
+	unsigned int options = 0;
+
+	debug("send_gssrequest");
+	reqinfo = isc_mem_get(mctx, sizeof(nsu_gssinfo_t));
+	if (reqinfo == NULL)
+		fatal("out of memory");
+	reqinfo->msg = msg;
+	reqinfo->addr = destaddr;
+	reqinfo->context = context;
+
+	options |= DNS_REQUESTOPT_TCP;
+	result = dns_request_createvia3(requestmgr, msg, srcaddr, destaddr,
+					options, tsigkey, FIND_TIMEOUT * 20,
+					FIND_TIMEOUT, 3, global_task, recvgss,
+					reqinfo, request);
+	check_result(result, "dns_request_createvia3");
+	if (debugging)
+		show_message(stdout, msg, "Outgoing update query:");
+	requests++;
+}
+
+static void
+recvgss(isc_task_t *task, isc_event_t *event) {
+	dns_requestevent_t *reqev = NULL;
+	dns_request_t *request = NULL;
+	isc_result_t result, eresult;
+	dns_message_t *rcvmsg = NULL;
+	nsu_gssinfo_t *reqinfo;
+	dns_message_t *tsigquery = NULL;
+	isc_sockaddr_t *addr;
+	gss_ctx_id_t context;
+	isc_buffer_t buf;
+	dns_name_t *servname;
+	dns_fixedname_t fname;
+
+	UNUSED(task);
+
+	ddebug("recvgss()");
+
+	requests--;
+
+	REQUIRE(event->ev_type == DNS_EVENT_REQUESTDONE);
+	reqev = (dns_requestevent_t *)event;
+	request = reqev->request;
+	eresult = reqev->result;
+	reqinfo = reqev->ev_arg;
+	tsigquery = reqinfo->msg;
+	context = reqinfo->context;
+	addr = reqinfo->addr;
+
+	if (shuttingdown) {
+		dns_request_destroy(&request);
+		dns_message_destroy(&tsigquery);
+		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+		isc_event_free(&event);
+		maybeshutdown();
+		return;
+	}
+
+	if (eresult != ISC_R_SUCCESS) {
+		char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+
+		isc_sockaddr_format(addr, addrbuf, sizeof(addrbuf));
+		fprintf(stderr, "; Communication with %s failed: %s\n",
+			addrbuf, isc_result_totext(eresult));
+		if (userserver != NULL)
+			fatal("could not talk to specified name server");
+		else if (++ns_inuse >= lwconf->nsnext)
+			fatal("could not talk to any default name server");
+		ddebug("Destroying request [%p]", request);
+		dns_request_destroy(&request);
+		dns_message_renderreset(tsigquery);
+		sendrequest(localaddr, &servers[ns_inuse], tsigquery,
+			    &request);
+		isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+		isc_event_free(&event);
+		return;
+	}
+	isc_mem_put(mctx, reqinfo, sizeof(nsu_gssinfo_t));
+
+	isc_event_free(&event);
+	reqev = NULL;
+
+	ddebug("recvgss creating rcvmsg");
+	result = dns_message_create(mctx, DNS_MESSAGE_INTENTPARSE, &rcvmsg);
+	check_result(result, "dns_message_create");
+
+	result = dns_request_getresponse(request, rcvmsg,
+					 DNS_MESSAGEPARSE_PRESERVEORDER);
+	check_result(result, "dns_request_getresponse");
+
+	if (debugging)
+		show_message(stderr, rcvmsg,
+			     "recvmsg reply from GSS-TSIG query");
+
+	if (rcvmsg->rcode == dns_rcode_formerr && !tried_other_gsstsig) {
+		ddebug("recvgss trying %s GSS-TSIG",
+		       use_win2k_gsstsig ? "Standard" : "Win2k");
+		if (use_win2k_gsstsig)
+			use_win2k_gsstsig = ISC_FALSE;
+		else
+			use_win2k_gsstsig = ISC_TRUE;
+		tried_other_gsstsig = ISC_TRUE;
+		start_gssrequest(&restart_master);
+		goto done;
+	}
+
+	if (rcvmsg->rcode != dns_rcode_noerror &&
+	    rcvmsg->rcode != dns_rcode_nxdomain)
+		fatal("response to GSS-TSIG query was unsuccessful");
+
+
+	dns_fixedname_init(&fname);
+	servname = dns_fixedname_name(&fname);
+	isc_buffer_init(&buf, servicename, strlen(servicename));
+	isc_buffer_add(&buf, strlen(servicename));
+	result = dns_name_fromtext(servname, &buf, dns_rootname,
+				   ISC_FALSE, NULL);
+	check_result(result, "dns_name_fromtext");
+
+	tsigkey = NULL;
+	result = dns_tkey_gssnegotiate(tsigquery, rcvmsg, servname,
+				       &context, &tsigkey, gssring,
+				       use_win2k_gsstsig);
+	switch (result) {
+
+	case DNS_R_CONTINUE:
+		send_gssrequest(localaddr, kserver, tsigquery, &request,
+				context);
+		break;
+
+	case ISC_R_SUCCESS:
+		/*
+		 * XXXSRA Waaay too much fun here.  There's no good
+		 * reason why we need a TSIG here (the people who put
+		 * it into the spec admitted at the time that it was
+		 * not a security issue), and Windows clients don't
+		 * seem to work if named complies with the spec and
+		 * includes the gratuitous TSIG.  So we're in the
+		 * bizarre situation of having to choose between
+		 * complying with a useless requirement in the spec
+		 * and interoperating.  This is nuts.  If we can
+		 * confirm this behavior, we should ask the WG to
+		 * consider removing the requirement for the
+		 * gratuitous TSIG here.  For the moment, we ignore
+		 * the TSIG -- this too is a spec violation, but it's
+		 * the least insane thing to do.
+		 */
+#if 0
+		/*
+		 * Verify the signature.
+		 */
+		rcvmsg->state = DNS_SECTION_ANY;
+		dns_message_setquerytsig(rcvmsg, NULL);
+		result = dns_message_settsigkey(rcvmsg, tsigkey);
+		check_result(result, "dns_message_settsigkey");
+		result = dns_message_checksig(rcvmsg, NULL);
+		ddebug("tsig verification: %s", dns_result_totext(result));
+		check_result(result, "dns_message_checksig");
+#endif /* 0 */
+
+		send_update(&tmpzonename, serveraddr, localaddr);
+		setzoneclass(dns_rdataclass_none);
+		break;
+
+	default:
+		fatal("dns_tkey_negotiategss: %s", isc_result_totext(result));
+	}
+
+ done:
+	dns_request_destroy(&request);
+	dns_message_destroy(&tsigquery);
+
+	dns_message_destroy(&rcvmsg);
+	ddebug("Out of recvgss");
+}
+#endif
+
 static void
 start_update(void) {
 	isc_result_t result;
@@ -2034,7 +2560,7 @@ start_update(void) {
 	if (answer != NULL)
 		dns_message_destroy(&answer);
 
-	if (userzone != NULL && userserver != NULL) {
+	if (userzone != NULL && userserver != NULL && ! usegsstsig) {
 		send_update(userzone, userserver, localaddr);
 		setzoneclass(dns_rdataclass_none);
 		return;
@@ -2096,6 +2622,22 @@ cleanup(void) {
 
 	if (answer != NULL)
 		dns_message_destroy(&answer);
+
+#ifdef GSSAPI
+	if (tsigkey != NULL) {
+		ddebug("detach tsigkey x%p", tsigkey);
+		dns_tsigkey_detach(&tsigkey);
+	}
+	if (gssring != NULL) {
+		ddebug("Destroying GSS-TSIG keyring");
+		dns_tsigkeyring_destroy(&gssring);
+	}
+	if (kserver != NULL) {
+		isc_mem_put(mctx, kserver, sizeof(isc_sockaddr_t));
+		kserver = NULL;
+	}
+#endif
+
 	ddebug("Shutting down task manager");
 	isc_taskmgr_destroy(&taskmgr);
 
@@ -2114,6 +2656,9 @@ cleanup(void) {
 	ddebug("Destroying name state");
 	dns_name_destroy();
 
+	ddebug("Removing log context");
+	isc_log_destroy(&lctx);
+
 	ddebug("Destroying memory context");
 	if (memdebugging)
 		isc_mem_stats(mctx, stderr);
@@ -2155,7 +2700,12 @@ main(int argc, char **argv) {
 
 	isc_app_start();
 
-	parse_args(argc, argv);
+	pre_parse_args(argc, argv);
+
+	result = isc_mem_create(0, 0, &mctx);
+	check_result(result, "isc_mem_create");
+
+	parse_args(argc, argv, mctx, &entropy);
 
 	setup_system();
 
diff --git a/bin/nsupdate/nsupdate.docbook b/bin/nsupdate/nsupdate.docbook
index 43fe69a..c42a053 100644
--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -2,7 +2,7 @@
                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,18 +18,18 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: nsupdate.docbook,v 1.18.18.12 2008/08/29 23:46:16 tbox Exp $ -->
-<refentry>
+<!-- $Id: nsupdate.docbook,v 1.34.48.3 2009/03/09 04:21:56 marka Exp $ -->
+<refentry id="man.nsupdate">
   <refentryinfo>
     <date>Jun 30, 2000</date>
   </refentryinfo>
   <refmeta>
-    <refentrytitle>nsupdate</refentrytitle>
+    <refentrytitle><application>nsupdate</application></refentrytitle>
     <manvolnum>1</manvolnum>
     <refmiscinfo>BIND9</refmiscinfo>
   </refmeta>
   <refnamediv>
-    <refname>nsupdate</refname>
+    <refname><application>nsupdate</application></refname>
     <refpurpose>Dynamic DNS update utility</refpurpose>
   </refnamediv>
 
@@ -40,6 +40,7 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -55,13 +56,17 @@
     <cmdsynopsis>
       <command>nsupdate</command>
       <arg><option>-d</option></arg>
+      <arg><option>-D</option></arg>
       <group>
+	<arg><option>-g</option></arg>
+	<arg><option>-o</option></arg>
         <arg><option>-y <replaceable class="parameter"><optional>hmac:</optional>keyname:secret</replaceable></option></arg>
         <arg><option>-k <replaceable class="parameter">keyfile</replaceable></option></arg>
       </group>
       <arg><option>-t <replaceable class="parameter">timeout</replaceable></option></arg>
       <arg><option>-u <replaceable class="parameter">udptimeout</replaceable></option></arg>
       <arg><option>-r <replaceable class="parameter">udpretries</replaceable></option></arg>
+      <arg><option>-R <replaceable class="parameter">randomdev</replaceable></option></arg>
       <arg><option>-v</option></arg>
       <arg>filename</arg>
     </cmdsynopsis>
@@ -102,31 +107,31 @@
       made and the replies received from the name server.
     </para>
     <para>
-      Transaction signatures can be used to authenticate the Dynamic DNS
-      updates.
-      These use the TSIG resource record type described in RFC2845 or the
-      SIG(0) record described in RFC3535 and RFC2931.
-      TSIG relies on a shared secret that should only be known to
-      <command>nsupdate</command> and the name server.
-      Currently, the only supported encryption algorithm for TSIG is
-      HMAC-MD5, which is defined in RFC 2104.
-      Once other algorithms are defined for TSIG, applications will need to
-      ensure they select the appropriate algorithm as well as the key when
-      authenticating each other.
-      For instance, suitable
-      <type>key</type>
-      and
-      <type>server</type>
-      statements would be added to
-      <filename>/etc/named.conf</filename>
-      so that the name server can associate the appropriate secret key
-      and algorithm with the IP address of the
-      client application that will be using TSIG authentication.
-      SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
-      key must be stored in a KEY record in a zone served by the name server.
-      <command>nsupdate</command>
-      does not read
+      The <option>-D</option> option makes <command>nsupdate</command>
+      report additional debugging information to <option>-d</option>.
+    </para>
+    <para>
+      Transaction signatures can be used to authenticate the Dynamic
+      DNS updates.  These use the TSIG resource record type described
+      in RFC2845 or the SIG(0) record described in RFC3535 and
+      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      a shared secret that should only be known to
+      <command>nsupdate</command> and the name server.  Currently,
+      the only supported encryption algorithm for TSIG is HMAC-MD5,
+      which is defined in RFC 2104.  Once other algorithms are
+      defined for TSIG, applications will need to ensure they select
+      the appropriate algorithm as well as the key when authenticating
+      each other.  For instance, suitable <type>key</type> and
+      <type>server</type> statements would be added to
+      <filename>/etc/named.conf</filename> so that the name server
+      can associate the appropriate secret key and algorithm with
+      the IP address of the client application that will be using
+      TSIG authentication.  SIG(0) uses public key cryptography.
+      To use a SIG(0) key, the public key must be stored in a KEY
+      record in a zone served by the name server.
+      <command>nsupdate</command> does not read
       <filename>/etc/named.conf</filename>.
+      GSS-TSIG uses Kerberos credentials.
     </para>
     <para><command>nsupdate</command>
       uses the <option>-y</option> or <option>-k</option> option
@@ -159,7 +164,12 @@
       specified is not an HMAC-MD5 key.
     </para>
     <para>
-      By default
+      The <option>-g</option> and <option>-o</option> specify that
+      GSS-TSIG is to be used.  The <option>-o</option> should only
+      be used with old Microsoft Windows 2000 servers.
+    </para>
+    <para>
+      By default,
       <command>nsupdate</command>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
@@ -189,6 +199,18 @@
       default is
       3.  If zero, only one update request will be made.
     </para>
+    <para>
+      The <option>-R <replaceable
+      class="parameter">randomdev</replaceable></option> option
+      specifies a source of randomness.  If the operating system
+      does not provide a <filename>/dev/random</filename> or
+      equivalent device, the default source of randomness is keyboard
+      input.  <filename>randomdev</filename> specifies the name of
+      a character device or file containing random data to be used
+      instead of the default.  The special value
+      <filename>keyboard</filename> indicates that keyboard input
+      should be used.  This option may be specified multiple times.
+    </para>
   </refsect1>
 
   <refsect1>
@@ -307,6 +329,20 @@
 
         <varlistentry>
           <term>
+              <command>ttl</command>
+              <arg choice="req">seconds</arg>
+            </term>
+          <listitem>
+            <para>
+              Specify the default time to live for records to be added.
+	      The value <parameter>none</parameter> will clear the default
+	      ttl.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
               <command>key</command>
               <arg choice="req">name</arg>
               <arg choice="req">secret</arg>
@@ -510,6 +546,17 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>
+              <command>debug</command>
+            </term>
+          <listitem>
+            <para>
+              Turn on debugging.
+            </para>
+          </listitem>
+        </varlistentry>
+
       </variablelist>
     </para>
 
diff --git a/bin/nsupdate/nsupdate.html b/bin/nsupdate/nsupdate.html
index 1fe0f9c..dab7f90 100644
--- a/bin/nsupdate/nsupdate.html
+++ b/bin/nsupdate/nsupdate.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: nsupdate.html,v 1.14.18.23 2008/09/01 02:29:00 tbox Exp $ -->
+<!-- $Id: nsupdate.html,v 1.40.48.2 2009/03/10 01:54:11 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,17 +22,17 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
-<a name="id2476275"></a><div class="titlepage"></div>
+<a name="man.nsupdate"></a><div class="titlepage"></div>
 <div class="refnamediv">
 <h2>Name</h2>
-<p>nsupdate &#8212; Dynamic DNS update utility</p>
+<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [[<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543420"></a><h2>DESCRIPTION</h2>
+<a name="id2543449"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       is used to submit Dynamic DNS Update requests as defined in RFC2136
       to a name server.
@@ -66,31 +66,31 @@
       made and the replies received from the name server.
     </p>
 <p>
-      Transaction signatures can be used to authenticate the Dynamic DNS
-      updates.
-      These use the TSIG resource record type described in RFC2845 or the
-      SIG(0) record described in RFC3535 and RFC2931.
-      TSIG relies on a shared secret that should only be known to
-      <span><strong class="command">nsupdate</strong></span> and the name server.
-      Currently, the only supported encryption algorithm for TSIG is
-      HMAC-MD5, which is defined in RFC 2104.
-      Once other algorithms are defined for TSIG, applications will need to
-      ensure they select the appropriate algorithm as well as the key when
-      authenticating each other.
-      For instance, suitable
-      <span class="type">key</span>
-      and
-      <span class="type">server</span>
-      statements would be added to
-      <code class="filename">/etc/named.conf</code>
-      so that the name server can associate the appropriate secret key
-      and algorithm with the IP address of the
-      client application that will be using TSIG authentication.
-      SIG(0) uses public key cryptography.  To use a SIG(0) key, the public
-      key must be stored in a KEY record in a zone served by the name server.
-      <span><strong class="command">nsupdate</strong></span>
-      does not read
+      The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
+      report additional debugging information to <code class="option">-d</code>.
+    </p>
+<p>
+      Transaction signatures can be used to authenticate the Dynamic
+      DNS updates.  These use the TSIG resource record type described
+      in RFC2845 or the SIG(0) record described in RFC3535 and
+      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      a shared secret that should only be known to
+      <span><strong class="command">nsupdate</strong></span> and the name server.  Currently,
+      the only supported encryption algorithm for TSIG is HMAC-MD5,
+      which is defined in RFC 2104.  Once other algorithms are
+      defined for TSIG, applications will need to ensure they select
+      the appropriate algorithm as well as the key when authenticating
+      each other.  For instance, suitable <span class="type">key</span> and
+      <span class="type">server</span> statements would be added to
+      <code class="filename">/etc/named.conf</code> so that the name server
+      can associate the appropriate secret key and algorithm with
+      the IP address of the client application that will be using
+      TSIG authentication.  SIG(0) uses public key cryptography.
+      To use a SIG(0) key, the public key must be stored in a KEY
+      record in a zone served by the name server.
+      <span><strong class="command">nsupdate</strong></span> does not read
       <code class="filename">/etc/named.conf</code>.
+      GSS-TSIG uses Kerberos credentials.
     </p>
 <p><span><strong class="command">nsupdate</strong></span>
       uses the <code class="option">-y</code> or <code class="option">-k</code> option
@@ -121,7 +121,12 @@
       specified is not an HMAC-MD5 key.
     </p>
 <p>
-      By default
+      The <code class="option">-g</code> and <code class="option">-o</code> specify that
+      GSS-TSIG is to be used.  The <code class="option">-o</code> should only
+      be used with old Microsoft Windows 2000 servers.
+    </p>
+<p>
+      By default,
       <span><strong class="command">nsupdate</strong></span>
       uses UDP to send update requests to the name server unless they are too
       large to fit in a UDP request in which case TCP will be used.
@@ -151,9 +156,20 @@
       default is
       3.  If zero, only one update request will be made.
     </p>
+<p>
+      The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
+      specifies a source of randomness.  If the operating system
+      does not provide a <code class="filename">/dev/random</code> or
+      equivalent device, the default source of randomness is keyboard
+      input.  <code class="filename">randomdev</code> specifies the name of
+      a character device or file containing random data to be used
+      instead of the default.  The special value
+      <code class="filename">keyboard</code> indicates that keyboard input
+      should be used.  This option may be specified multiple times.
+    </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2543649"></a><h2>INPUT FORMAT</h2>
+<a name="id2543726"></a><h2>INPUT FORMAT</h2>
 <p><span><strong class="command">nsupdate</strong></span>
       reads input from
       <em class="parameter"><code>filename</code></em>
@@ -247,6 +263,15 @@
               <em class="parameter"><code>IN</code></em>.
             </p></dd>
 <dt><span class="term">
+              <span><strong class="command">ttl</strong></span>
+               {seconds}
+            </span></dt>
+<dd><p>
+              Specify the default time to live for records to be added.
+	      The value <em class="parameter"><code>none</code></em> will clear the default
+	      ttl.
+            </p></dd>
+<dt><span class="term">
               <span><strong class="command">key</strong></span>
                {name}
                {secret}
@@ -394,6 +419,12 @@
 <dd><p>
               Displays the answer.
             </p></dd>
+<dt><span class="term">
+              <span><strong class="command">debug</strong></span>
+            </span></dt>
+<dd><p>
+              Turn on debugging.
+            </p></dd>
 </dl></div>
 <p>
     </p>
@@ -402,7 +433,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544446"></a><h2>EXAMPLES</h2>
+<a name="id2544567"></a><h2>EXAMPLES</h2>
 <p>
       The examples below show how
       <span><strong class="command">nsupdate</strong></span>
@@ -456,7 +487,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544490"></a><h2>FILES</h2>
+<a name="id2544611"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
 <dd><p>
@@ -475,7 +506,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2544560"></a><h2>SEE ALSO</h2>
+<a name="id2544680"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
       <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
@@ -488,7 +519,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2542172"></a><h2>BUGS</h2>
+<a name="id2542156"></a><h2>BUGS</h2>
 <p>
       The TSIG key is redundantly stored in two separate files.
       This is a consequence of nsupdate using the DST library
diff --git a/bin/rndc/Makefile.in b/bin/rndc/Makefile.in
index 3bc72b1..9b0e20d 100644
--- a/bin/rndc/Makefile.in
+++ b/bin/rndc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.40.18.4 2007/08/28 07:20:01 tbox Exp $
+# $Id: Makefile.in,v 1.44 2007/06/18 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/rndc/include/rndc/os.h b/bin/rndc/include/rndc/os.h
index b5c1d24..253dcba 100644
--- a/bin/rndc/include/rndc/os.h
+++ b/bin/rndc/include/rndc/os.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.5.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -35,7 +35,7 @@ FILE *safe_create(const char *filename);
 
 int set_user(FILE *fd, const char *user);
 /*%<
- * Set the owner of the file refernced by 'fd' to 'user'.
+ * Set the owner of the file referenced by 'fd' to 'user'.
  * Returns:
  *   0 		success
  *   -1 	insufficient permissions, or 'user' does not exist.
diff --git a/bin/rndc/rndc-confgen.8 b/bin/rndc/rndc-confgen.8
index fe25a7b..440870a 100644
--- a/bin/rndc/rndc-confgen.8
+++ b/bin/rndc/rndc-confgen.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc-confgen.8,v 1.9.18.11 2007/01/30 00:23:44 marka Exp $
+.\" $Id: rndc-confgen.8,v 1.20 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/rndc/rndc-confgen.c b/bin/rndc/rndc-confgen.c
index bb7ba81..221135e 100644
--- a/bin/rndc/rndc-confgen.c
+++ b/bin/rndc/rndc-confgen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc-confgen.c,v 1.18.18.5 2008/10/15 23:46:06 tbox Exp $ */
+/* $Id: rndc-confgen.c,v 1.26 2008/10/15 23:47:31 tbox Exp $ */
 
 /*! \file */
 
@@ -160,6 +160,8 @@ main(int argc, char **argv) {
 	serveraddr = DEFAULT_SERVER;
 	port = DEFAULT_PORT;
 
+	isc_commandline_errprint = ISC_FALSE;
+
 	while ((ch = isc_commandline_parse(argc, argv,
 					   "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
 		switch (ch) {
@@ -214,12 +216,17 @@ main(int argc, char **argv) {
 			verbose = ISC_TRUE;
 			break;
 		case '?':
-			usage(1);
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			} else
+				usage(0);
 			break;
 		default:
-			fatal("unexpected error parsing command arguments: "
-			      "got %c\n", ch);
-			break;
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
diff --git a/bin/rndc/rndc-confgen.docbook b/bin/rndc/rndc-confgen.docbook
index c694f4b..4c51da5 100644
--- a/bin/rndc/rndc-confgen.docbook
+++ b/bin/rndc/rndc-confgen.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc-confgen.docbook,v 1.6.18.7 2007/08/28 07:20:01 tbox Exp $ -->
+<!-- $Id: rndc-confgen.docbook,v 1.13 2007/06/18 23:47:25 tbox Exp $ -->
 <refentry id="man.rndc-confgen">
   <refentryinfo>
     <date>Aug 27, 2001</date>
diff --git a/bin/rndc/rndc-confgen.html b/bin/rndc/rndc-confgen.html
index fd40a81..4be87af 100644
--- a/bin/rndc/rndc-confgen.html
+++ b/bin/rndc/rndc-confgen.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc-confgen.html,v 1.8.18.17 2007/01/30 00:23:44 marka Exp $ -->
+<!-- $Id: rndc-confgen.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/rndc.8 b/bin/rndc/rndc.8
index 6858ed7..7f0dea1 100644
--- a/bin/rndc/rndc.8
+++ b/bin/rndc/rndc.8
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.8,v 1.26.18.16 2007/12/14 22:37:16 marka Exp $
+.\" $Id: rndc.8,v 1.42 2007/12/14 22:37:22 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/rndc/rndc.c b/bin/rndc/rndc.c
index 772cc29..c3d4cb7 100644
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.c,v 1.96.18.21 2008/10/15 03:07:19 marka Exp $ */
+/* $Id: rndc.c,v 1.122.44.2 2009/01/18 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -200,7 +200,7 @@ rndc_recvdone(isc_task_t *task, isc_event_t *event) {
 		      "* the remote server is using an older version of"
 		      " the command protocol,\n"
 		      "* this host is not authorized to connect,\n"
-		      "* the clocks are not syncronized, or\n"
+		      "* the clocks are not synchronized, or\n"
 		      "* the key is invalid.");
 
 	if (ccmsg.result != ISC_R_SUCCESS)
@@ -263,7 +263,7 @@ rndc_recvnonce(isc_task_t *task, isc_event_t *event) {
 		      "* the remote server is using an older version of"
 		      " the command protocol,\n"
 		      "* this host is not authorized to connect,\n"
-		      "* the clocks are not syncronized, or\n"
+		      "* the clocks are not synchronized, or\n"
 		      "* the key is invalid.");
 
 	if (ccmsg.result != ISC_R_SUCCESS)
@@ -369,7 +369,7 @@ rndc_connected(isc_task_t *task, isc_event_t *event) {
 	r.base = databuf;
 
 	isccc_ccmsg_init(mctx, sock, &ccmsg);
-	isccc_ccmsg_setmaxsize(&ccmsg, 1024);
+	isccc_ccmsg_setmaxsize(&ccmsg, 1024 * 1024);
 
 	DO("schedule recv", isccc_ccmsg_readmessage(&ccmsg, task,
 						    rndc_recvnonce, NULL));
@@ -690,7 +690,9 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("isc_app_start() failed: %s", isc_result_totext(result));
 
-	while ((ch = isc_commandline_parse(argc, argv, "b:c:k:Mmp:s:Vy:"))
+	isc_commandline_errprint = ISC_FALSE;
+
+	while ((ch = isc_commandline_parse(argc, argv, "b:c:hk:Mmp:s:Vy:"))
 	       != -1) {
 		switch (ch) {
 		case 'b':
@@ -741,13 +743,18 @@ main(int argc, char **argv) {
 			break;
 
 		case '?':
+			if (isc_commandline_option != '?') {
+				fprintf(stderr, "%s: invalid argument -%c\n",
+					program, isc_commandline_option);
+				usage(1);
+			}
+		case 'h':
 			usage(0);
 			break;
-
 		default:
-			fatal("unexpected error parsing command arguments: "
-			      "got %c\n", ch);
-			break;
+			fprintf(stderr, "%s: unhandled option -%c\n",
+				program, isc_commandline_option);
+			exit(1);
 		}
 	}
 
diff --git a/bin/rndc/rndc.conf b/bin/rndc/rndc.conf
index e303535..67542b9 100644
--- a/bin/rndc/rndc.conf
+++ b/bin/rndc/rndc.conf
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rndc.conf,v 1.8.18.1 2004/06/18 04:39:39 marka Exp $ */
+/* $Id: rndc.conf,v 1.11 2007/06/19 23:46:59 tbox Exp $ */
 
 /*
  * Sample rndc configuration file.
diff --git a/bin/rndc/rndc.conf.5 b/bin/rndc/rndc.conf.5
index dbeb707..9e9bad4 100644
--- a/bin/rndc/rndc.conf.5
+++ b/bin/rndc/rndc.conf.5
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: rndc.conf.5,v 1.23.18.15 2007/05/09 13:35:47 marka Exp $
+.\" $Id: rndc.conf.5,v 1.38 2007/05/09 13:35:57 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/bin/rndc/rndc.conf.docbook b/bin/rndc/rndc.conf.docbook
index ebea7af..9de19954 100644
--- a/bin/rndc/rndc.conf.docbook
+++ b/bin/rndc/rndc.conf.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.conf.docbook,v 1.5.18.12 2007/08/28 07:20:01 tbox Exp $ -->
+<!-- $Id: rndc.conf.docbook,v 1.17 2007/06/18 23:47:25 tbox Exp $ -->
 <refentry id="man.rndc.conf">
   <refentryinfo>
     <date>June 30, 2000</date>
diff --git a/bin/rndc/rndc.conf.html b/bin/rndc/rndc.conf.html
index d11f9df..144cd1c 100644
--- a/bin/rndc/rndc.conf.html
+++ b/bin/rndc/rndc.conf.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.conf.html,v 1.6.18.23 2007/05/09 13:35:47 marka Exp $ -->
+<!-- $Id: rndc.conf.html,v 1.29 2007/05/09 13:35:57 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/rndc.docbook b/bin/rndc/rndc.docbook
index f2f0a0d..d407f2b 100644
--- a/bin/rndc/rndc.docbook
+++ b/bin/rndc/rndc.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: rndc.docbook,v 1.8.18.13 2007/12/14 20:53:58 marka Exp $ -->
+<!-- $Id: rndc.docbook,v 1.21 2007/12/14 20:39:14 marka Exp $ -->
 <refentry id="man.rndc">
   <refentryinfo>
     <date>June 30, 2000</date>
diff --git a/bin/rndc/rndc.html b/bin/rndc/rndc.html
index c460225..a8d11c4 100644
--- a/bin/rndc/rndc.html
+++ b/bin/rndc/rndc.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: rndc.html,v 1.8.18.23 2007/12/14 22:37:16 marka Exp $ -->
+<!-- $Id: rndc.html,v 1.31 2007/12/14 22:37:22 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/bin/rndc/unix/Makefile.in b/bin/rndc/unix/Makefile.in
index 6696c23..31a0532 100644
--- a/bin/rndc/unix/Makefile.in
+++ b/bin/rndc/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2004/03/05 04:58:29 marka Exp $
+# $Id: Makefile.in,v 1.5 2007/06/19 23:46:59 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/bin/rndc/unix/os.c b/bin/rndc/unix/os.c
index f5f6a91..ddf8259 100644
--- a/bin/rndc/unix/os.c
+++ b/bin/rndc/unix/os.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: os.c,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/rndc/util.c b/bin/rndc/util.c
index c64add72..c654462 100644
--- a/bin/rndc/util.c
+++ b/bin/rndc/util.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.c,v 1.3.18.2 2005/04/29 00:15:40 marka Exp $ */
+/* $Id: util.c,v 1.7 2007/06/19 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/bin/rndc/util.h b/bin/rndc/util.h
index 6414861..7adcaa5 100644
--- a/bin/rndc/util.h
+++ b/bin/rndc/util.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.6.18.2 2005/04/29 00:15:41 marka Exp $ */
+/* $Id: util.h,v 1.10 2007/06/19 23:46:59 tbox Exp $ */
 
 #ifndef RNDC_UTIL_H
 #define RNDC_UTIL_H 1
diff --git a/config.guess b/config.guess
index 7d0185e..c79aebc 100644
--- a/config.guess
+++ b/config.guess
@@ -141,7 +141,7 @@ UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
 case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
     *:NetBSD:*:*)
 	# NetBSD (nbsd) targets should (where applicable) match one or
-	# more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+	# more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*,
 	# *-*-netbsdecoff* and *-*-netbsd*.  For targets that recently
 	# switched to ELF, *-*-netbsd* would select the old
 	# object file format.  This provides both forward
diff --git a/config.h.in b/config.h.in
index 210a079..97b13c4 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1,9 +1,9 @@
 /* config.h.in.  Generated from configure.in by autoheader.  */
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +16,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.h.in,v 1.60.18.34 2008/10/21 02:47:25 marka Exp $ */
+/* $Id: config.h.in,v 1.106.40.6 2009/03/13 05:35:43 marka Exp $ */
 
 /*! \file */
 
@@ -25,9 +25,6 @@
  *** it does not get installed.
  ***/
 
-/** define to `int' if <sys/types.h> doesn't define.  */
-#undef ssize_t
-
 /** define on DEC OSF to enable 4.4BSD style sa_len support */
 #undef _SOCKADDR_LEN
 
@@ -61,9 +58,6 @@
 /** define if you have the NET_RT_IFLIST sysctl variable and sys/sysctl.h */
 #undef HAVE_IFLIST_SYSCTL
 
-/** define if chroot() is available */
-#undef HAVE_CHROOT
-
 /** define if tzset() is available */
 #undef HAVE_TZSET
 
@@ -115,7 +109,7 @@ int sigwait(const unsigned int *set, int *sig);
  * The silly continuation line is to keep configure from
  * commenting out the #undef.
  */
- 
+
 #undef \
 	va_start
 #define	va_start(ap, last) \
@@ -157,11 +151,14 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if you cannot bind() before connect() for TCP sockets. */
 #undef BROKEN_TCP_BIND_BEFORE_CONNECT
 
+/* Define to enable "rrset-order fixed" syntax. */
+#undef DNS_RDATASET_FIXED
+
 /* Solaris hack to get select_large_fdset. */
 #undef FD_SETSIZE
 
-/* Define to 1 if you have the `capset' function. */
-#undef HAVE_CAPSET
+/* Define to 1 if you have the `chroot' function. */
+#undef HAVE_CHROOT
 
 /* Define to 1 if you have the <dlfcn.h> header file. */
 #undef HAVE_DLFCN_H
@@ -169,12 +166,21 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <fcntl.h> header file. */
 #undef HAVE_FCNTL_H
 
+/* Define to 1 if you have the <gssapi/gssapi.h> header file. */
+#undef HAVE_GSSAPI_GSSAPI_H
+
+/* Define to 1 if you have the <gssapi.h> header file. */
+#undef HAVE_GSSAPI_H
+
 /* Define to 1 if you have the <inttypes.h> header file. */
 #undef HAVE_INTTYPES_H
 
 /* Define to 1 if you have the `c' library (-lc). */
 #undef HAVE_LIBC
 
+/* Define to 1 if you have the `cap' library (-lcap). */
+#undef HAVE_LIBCAP
+
 /* Define to 1 if you have the `c_r' library (-lc_r). */
 #undef HAVE_LIBC_R
 
@@ -193,6 +199,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the `thr' library (-lthr). */
 #undef HAVE_LIBTHR
 
+/* Define if libxml2 was found */
+#undef HAVE_LIBXML2
+
 /* Define to 1 if you have the <linux/capability.h> header file. */
 #undef HAVE_LINUX_CAPABILITY_H
 
@@ -202,6 +211,9 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the `nanosleep' function. */
+#undef HAVE_NANOSLEEP
+
 /* Define to 1 if you have the <net/if6.h> header file. */
 #undef HAVE_NET_IF6_H
 
@@ -301,9 +313,13 @@ int sigwait(const unsigned int *set, int *sig);
 /* define if idnkit support is to be included. */
 #undef WITH_IDN
 
-/* Define to 1 if your processor stores words with the most significant byte
-   first (like Motorola and SPARC, unlike Intel and VAX). */
-#undef WORDS_BIGENDIAN
+/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
+   significant byte first (like Motorola and SPARC, unlike Intel and VAX). */
+#if defined __BIG_ENDIAN__
+# define WORDS_BIGENDIAN 1
+#elif ! defined __LITTLE_ENDIAN__
+# undef WORDS_BIGENDIAN
+#endif
 
 /* Define to empty if `const' does not conform to ANSI C. */
 #undef const
diff --git a/configure.in b/configure.in
index 6320b6a..6ebdfdd 100644
--- a/configure.in
+++ b/configure.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -18,18 +18,17 @@ AC_DIVERT_PUSH(1)dnl
 esyscmd([sed "s/^/# /" COPYRIGHT])dnl
 AC_DIVERT_POP()dnl
 
-AC_REVISION($Revision: 1.355.18.85 $)
+AC_REVISION($Revision: 1.457.26.9 $)
 
 AC_INIT(lib/dns/name.c)
 AC_PREREQ(2.59)
 
 AC_CONFIG_HEADER(config.h)
-AC_CONFIG_SUBDIRS(lib/bind)
 
 AC_CANONICAL_HOST
 
 AC_PROG_MAKE_SET
-AC_PROG_RANLIB
+AC_PROG_LIBTOOL
 AC_PROG_INSTALL
 AC_PROG_LN_S
 
@@ -38,10 +37,23 @@ AC_SUBST(STD_CDEFINES)
 AC_SUBST(STD_CWARNINGS)
 AC_SUBST(CCOPT)
 
+# Warn if the user specified libbind, which is now deprecated
+AC_ARG_ENABLE(libbind, [  --enable-libbind	  deprecated])
+
+case "$enable_libbind" in
+	yes)
+		AC_MSG_ERROR(['libbind' is no longer part of the BIND 9 distribution.
+It is available from http://www.isc.org as a separate download.])
+		;;
+	no|'')
+		;;
+esac
+
+
 #
 # Make very sure that these are the first files processed by
 # config.status, since we use the processed output as the input for
-# AC_SUBST_FILE() subsitutions in other files.
+# AC_SUBST_FILE() substitutions in other files.
 #
 AC_CONFIG_FILES([make/rules make/includes])
 
@@ -112,18 +124,18 @@ AC_SUBST(PERL)
 # ./configure --prefix=/usr/local
 #
 case "$prefix" in
-        NONE)
-                case "$sysconfdir" in
-                        '${prefix}/etc')
-                                sysconfdir=/etc
-                                ;;
-                esac
-                case "$localstatedir" in
-                        '${prefix}/var')
-                                localstatedir=/var
-                                ;;
-                esac
-                ;;
+	NONE)
+		case "$sysconfdir" in
+			'${prefix}/etc')
+				sysconfdir=/etc
+				;;
+		esac
+		case "$localstatedir" in
+			'${prefix}/var')
+				localstatedir=/var
+				;;
+		esac
+		;;
 esac
 
 #
@@ -136,20 +148,20 @@ esac
 #
 case "$INSTALL" in
 	/*)
-                ;;
-        *)
-                #
-                # Not all systems have dirname.
-                #
-                changequote({, })
-                ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
-                changequote([, ])
-
-                ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
-                test "$ac_dir" = "$ac_prog" && ac_dir=.
-                test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
-                INSTALL="$ac_dir/$ac_prog"
-                ;;
+		;;
+	*)
+		#
+		# Not all systems have dirname.
+		#
+		changequote({, })
+		ac_dir="`echo $INSTALL | sed 's%/[^/]*$%%'`"
+		changequote([, ])
+
+		ac_prog="`echo $INSTALL | sed 's%.*/%%'`"
+		test "$ac_dir" = "$ac_prog" && ac_dir=.
+		test -d "$ac_dir" && ac_dir="`(cd \"$ac_dir\" && pwd)`"
+		INSTALL="$ac_dir/$ac_prog"
+		;;
 esac
 
 #
@@ -166,12 +178,12 @@ if test "X$CC" = "X" ; then
 			CC="cc"
 			;;
 		*-solaris*)
-                        # Use Sun's cc if it is available, but watch
-                        # out for /usr/ucb/cc; it will never be the right
-                        # compiler to use.
-                        #
-                        # If setting CC here fails, the AC_PROG_CC done
-                        # below might still find gcc.
+			# Use Sun's cc if it is available, but watch
+			# out for /usr/ucb/cc; it will never be the right
+			# compiler to use.
+			#
+			# If setting CC here fails, the AC_PROG_CC done
+			# below might still find gcc.
 			IFS="${IFS=	}"; ac_save_ifs="$IFS"; IFS=":"
 			for ac_dir in $PATH; do
 				test -z "$ac_dir" && ac_dir=.
@@ -215,7 +227,7 @@ fi
 # OS dependent CC flags
 #
 case "$host" in
-	# OSF 5.0: recv/send are only avaliable with -D_POSIX_PII_SOCKET or
+	# OSF 5.0: recv/send are only available with -D_POSIX_PII_SOCKET or
 	# -D_XOPEN_SOURCE_EXTENDED.
 	*-dec-osf*)
 		STD_CDEFINES="$STD_CDEFINES -D_POSIX_PII_SOCKET"
@@ -275,7 +287,7 @@ AC_TRY_COMPILE(, [
 	],
 	[AC_MSG_RESULT(no)],
 	[AC_MSG_RESULT(yes)
-         AC_DEFINE(inline, )])
+	 AC_DEFINE(inline, )])
 
 AC_TYPE_SIZE_T
 AC_CHECK_TYPE(ssize_t, int)
@@ -355,10 +367,10 @@ AC_SUBST(ISC_PLATFORM_HAVEKQUEUE)
 # so we need to try running the code, not just test its existence.
 #
 AC_ARG_ENABLE(epoll,
-	[  --enable-epoll          use Linux epoll when available [[default=yes]]],
-	      want_epoll="$enableval",  want_epoll="yes")
+[  --enable-epoll          use Linux epoll when available [[default=auto]]],
+	      want_epoll="$enableval",  want_epoll="auto")
 case $want_epoll in
-yes)
+auto)
 	AC_MSG_CHECKING(epoll support)
 	AC_TRY_RUN([
 #include <sys/epoll.h>
@@ -373,6 +385,9 @@ int main() {
 	[AC_MSG_RESULT(no)
 	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"])
 	;;
+yes)
+	ISC_PLATFORM_HAVEEPOLL="#define ISC_PLATFORM_HAVEEPOLL 1"
+	;;
 *)
 	ISC_PLATFORM_HAVEEPOLL="#undef ISC_PLATFORM_HAVEEPOLL"
 	;;
@@ -415,7 +430,7 @@ AC_TRY_COMPILE([
 	[AC_MSG_RESULT(no)
 	case $ac_cv_header_sys_select_h in
 	yes)
-         ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+	 ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
 	 LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
 		;;
 	no)
@@ -427,7 +442,7 @@ AC_TRY_COMPILE([
 no)
 	case $ac_cv_header_sys_select_h in
 	yes)
-             ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
+	     ISC_PLATFORM_NEEDSYSSELECTH="#define ISC_PLATFORM_NEEDSYSSELECTH 1"
 	     LWRES_PLATFORM_NEEDSYSSELECTH="#define LWRES_PLATFORM_NEEDSYSSELECTH 1"
 		;;
 	no)
@@ -452,7 +467,7 @@ OPENSSL_WARNING=
 AC_MSG_CHECKING(for OpenSSL library)
 AC_ARG_WITH(openssl,
 [  --with-openssl[=PATH]   Build with OpenSSL [yes|no|path].
-                          (Required for DNSSEC)],
+			  (Required for DNSSEC)],
     use_openssl="$withval", use_openssl="auto")
 
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
@@ -481,21 +496,24 @@ case "$use_openssl" in
 	*)
 		if test "$use_openssl" = "yes"
 		then
-		    	# User did not specify a path - guess it
+			# User did not specify a path - guess it
 			for d in $openssldirs
 			do
 				if test -f $d/include/openssl/opensslv.h
 				then
-				 	use_openssl=$d
+					use_openssl=$d
 					break
 				fi
 			done
 			if test "$use_openssl" = "yes"
 			then
-			    	AC_MSG_RESULT(not found)
+				AC_MSG_RESULT(not found)
 				AC_MSG_ERROR(
 [OpenSSL was not found in any of $openssldirs; use --with-openssl=/path])
 			fi
+		elif ! test -f "$use_openssl"/include/openssl/opensslv.h
+		then
+			AC_MSG_ERROR(["$use_openssl/include/openssl/opensslv.h" not found])
 		fi
 		USE_OPENSSL='-DOPENSSL'
 		if test "$use_openssl" = "/usr"
@@ -531,7 +549,7 @@ case "$use_openssl" in
 				;;
 			esac
 		fi
-		AC_MSG_RESULT(using openssl from $use_openssl/lib and $use_openssl/include)
+		AC_MSG_RESULT(using OpenSSL from $use_openssl/lib and $use_openssl/include)
 
 		saved_cflags="$CFLAGS"
 		saved_libs="$LIBS"
@@ -545,7 +563,7 @@ int main() {
 	return (0);
 }
 ],
-	        [AC_MSG_RESULT(yes)],
+		[AC_MSG_RESULT(yes)],
 		[AC_MSG_RESULT(no)
 		 AC_MSG_ERROR(Could not run test program using OpenSSL from
 $use_openssl/lib and $use_openssl/include.
@@ -574,7 +592,7 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
 		 
 AC_ARG_ENABLE(openssl-version-check,
 [AC_HELP_STRING([--enable-openssl-version-check],
-        [Check OpenSSL Version @<:@default=yes@:>@])])
+	[Check OpenSSL Version @<:@default=yes@:>@])])
 case "$enable_openssl_version_check" in
 yes|'')
 		AC_MSG_CHECKING(OpenSSL library version)
@@ -582,20 +600,20 @@ yes|'')
 #include <stdio.h>
 #include <openssl/opensslv.h>
 int main() {
-        if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
+	if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
 	     OPENSSL_VERSION_NUMBER < 0x00908000L) ||
 	     OPENSSL_VERSION_NUMBER >= 0x0090804fL)
-                return (0);
+		return (0);
 	printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
 		OPENSSL_VERSION_NUMBER);
 	printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
 	       "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
-        return (1);
+	return (1);
 }
 		],
-	        [AC_MSG_RESULT(ok)],
+		[AC_MSG_RESULT(ok)],
 		[AC_MSG_RESULT(not compatible)
-                 OPENSSL_WARNING=yes
+		 OPENSSL_WARNING=yes
 		],
 		[AC_MSG_RESULT(assuming target platform has compatible version)])
 ;;
@@ -627,38 +645,173 @@ AC_SUBST(DST_OPENSSL_INC)
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"
 
 #
-# was --with-gssapi specified?
-#
-#AC_MSG_CHECKING(for GSSAPI library)
-#AC_ARG_WITH(gssapi,
-#[  --with-gssapi=PATH   Specify path for system-supplied GSSAPI],
-#    use_gssapi="$withval", use_gssapi="no")
-#
-#case "$use_gssapi" in
-#	no)
-#		USE_GSSAPI=''
-#		DST_GSSAPI_INC=''
-#		DNS_GSSAPI_LIBS=''
-#		AC_MSG_RESULT(not specified)
-#		;;
-#	yes)
-#		AC_MSG_ERROR([--with-gssapi must specify a path])
-#		;;
-#	*)
-#		USE_GSSAPI='-DGSSAPI'
-#		DST_GSSAPI_INC="-I$use_gssapi/include"
-#		DNS_GSSAPI_LIBS="-L$use_gssapi/lib -lgssapi_krb5"
-#		AC_MSG_RESULT(using gssapi from $use_gssapi/lib and $use_gssapi/include)
-#		;;
-#esac
-
-USE_GSSAPI=''
-DST_GSSAPI_INC=''
-DNS_GSSAPI_LIBS=''
+# PKCS11 (aka crypto hardware) support
+#
+# This works only with the right OpenSSL with PKCS11 engine!
+#
+
+AC_MSG_CHECKING(for PKCS11 support)
+AC_ARG_WITH(pkcs11,
+[  --with-pkcs11     Build with PKCS11 support],
+   use_pkcs11="yes", use_pkcs11="no")
+
+case "$use_pkcs11" in
+	no)
+		AC_MSG_RESULT(disabled)
+		USE_PKCS11=""
+		;;
+	yes)
+		AC_MSG_RESULT(using OpenSSL with PKCS11 support)
+		USE_PKCS11='-DUSE_PKCS11'
+		;;
+esac
+
+AC_SUBST(USE_PKCS11)
+
+AC_MSG_CHECKING(for GSSAPI library)
+AC_ARG_WITH(gssapi,
+[  --with-gssapi=PATH   Specify path for system-supplied GSSAPI],
+    use_gssapi="$withval", use_gssapi="no")
+
+gssapidirs="/usr/local /usr/pkg /usr/kerberos /usr"
+if test "$use_gssapi" = "yes"
+then
+	for d in $gssapidirs
+	do
+		if test -f $d/include/gssapi/gssapi.h -o -f $d/include/gssapi.h
+		then
+			use_gssapi=$d
+			break
+		fi
+	done
+fi
+
+case "$use_gssapi" in
+	no)
+		AC_MSG_RESULT(disabled)
+		USE_GSSAPI=''
+		;;
+	yes)
+		AC_MSG_ERROR([--with-gssapi must specify a path])
+		;;
+	*)
+		AC_MSG_RESULT(looking in $use_gssapi/lib)
+		USE_GSSAPI='-DGSSAPI'
+		saved_cppflags="$CPPFLAGS"
+		CPPFLAGS="-I$use_gssapi/include $CPPFLAGS"
+		AC_CHECK_HEADERS(gssapi.h gssapi/gssapi.h,
+		    [ISC_PLATFORM_GSSAPIHEADER="#define ISC_PLATFORM_GSSAPIHEADER <$ac_header>"])
+
+		if test "$ISC_PLATFORM_GSSAPIHEADER" = ""; then
+		    AC_MSG_ERROR([gssapi.h not found])
+		fi
+
+		CPPFLAGS="$saved_cppflags"
+
+		#
+		# XXXDCL This probably doesn't work right on all systems.
+		# It will need to be worked on as problems become evident.
+		#
+		# Essentially the problems here relate to two different
+		# areas.  The first area is building with either KTH
+		# or MIT Kerberos, particularly when both are present on
+		# the machine.  The other is static versus dynamic linking.
+		#
+		# On the KTH vs MIT issue, Both have libkrb5 that can mess
+		# up the works if one implementation ends up trying to
+		# use the other's krb.  This is unfortunately a situation
+		# that very easily arises.
+		#
+		# Dynamic linking when the dependency information is built
+		# into MIT's libgssapi_krb5 or KTH's libgssapi magically makes
+		# all such problems go away, but when that setup is not
+		# present, because either the dynamic libraries lack
+		# dependencies or static linking is being done, then the
+		# problems start to show up.
+		saved_libs="$LIBS"
+		for TRY_LIBS in \
+		    "-lgssapi_krb5" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err" \
+		    "-lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err -lresolv" \
+		    "-lgssapi" \
+		    "-lgssapi -lkrb5 -ldes -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgssapi -lkrb5 -lcrypto -lcrypt -lasn1 -lroken -lcom_err" \
+		    "-lgss"
+		do
+		    # Note that this does not include $saved_libs, because
+		    # on FreeBSD machines this configure script has added
+		    # -L/usr/local/lib to LIBS, which can make the
+		    # -lgssapi_krb5 test succeed with shared libraries even
+		    # when you are trying to build with KTH in /usr/lib.
+		    LIBS="-L$use_gssapi/lib $TRY_LIBS"
+		    AC_MSG_CHECKING(linking as $TRY_LIBS)
+		    AC_TRY_LINK( , [gss_acquire_cred();],
+				gssapi_linked=yes, gssapi_linked=no)
+		    case $gssapi_linked in
+		    yes) AC_MSG_RESULT(yes); break ;;
+		    no)  AC_MSG_RESULT(no) ;;
+		    esac
+		done
+
+		case $gssapi_linked in
+		no) AC_MSG_ERROR(could not determine proper GSSAPI linkage) ;;
+		esac
+
+		#
+		# XXXDCL Major kludge.  Tries to cope with KTH in /usr/lib
+		# but MIT in /usr/local/lib and trying to build with KTH.
+		# /usr/local/lib can end up earlier on the link lines.
+		# Like most kludges, this one is not only inelegant it
+		# is also likely to be the wrong thing to do at least as
+		# many times as it is the right thing.  Something better
+		# needs to be done.
+		#
+		if test "$use_gssapi" = "/usr" -a \
+			-f /usr/local/lib/libkrb5.a; then
+		    FIX_KTH_VS_MIT=yes
+		fi
+
+		case "$FIX_KTH_VS_MIT" in
+		yes)
+		    case "$enable_static_linking" in
+		    yes) gssapi_lib_suffix=".a"  ;;
+		    *)   gssapi_lib_suffix=".so" ;;
+		    esac
+
+		    for lib in $LIBS; do
+			case $lib in
+			-L*)
+			    ;;
+			-l*)
+			    new_lib=`echo $lib |
+				     sed -e s%^-l%$use_gssapi/lib/lib% \
+					 -e s%$%$gssapi_lib_suffix%`
+			    NEW_LIBS="$NEW_LIBS $new_lib"
+			    ;;
+			*)
+			   AC_MSG_ERROR([KTH vs MIT Kerberos confusion!])
+			    ;;
+			esac
+		    done
+		    LIBS="$NEW_LIBS"
+		    ;;
+		esac
+
+		DST_GSSAPI_INC="-I$use_gssapi/include"
+		DNS_GSSAPI_LIBS="$LIBS"
+
+		AC_MSG_RESULT(using GSSAPI from $use_gssapi/lib and $use_gssapi/include)
+		LIBS="$saved_libs"
+		;;
+esac
+
+AC_SUBST(ISC_PLATFORM_HAVEGSSAPI)
+AC_SUBST(ISC_PLATFORM_GSSAPIHEADER)
 
 AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
-DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_GSSAPI_LIBS"
+AC_SUBST(DNS_GSSAPI_LIBS)
+DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
 
 #
 # Applications linking with libdns also need to link with these libraries.
@@ -764,7 +917,7 @@ then
 		      AC_CHECK_LIB(pthread, sigwait,
 				   AC_DEFINE(HAVE_SIGWAIT),
 				   AC_CHECK_LIB(pthread, _Psigwait,
-					        AC_DEFINE(HAVE_SIGWAIT),))))
+						AC_DEFINE(HAVE_SIGWAIT),))))
 
 	AC_CHECK_FUNC(pthread_attr_getstacksize,
 		      AC_DEFINE(HAVE_PTHREAD_ATTR_GETSTACKSIZE),)
@@ -840,6 +993,48 @@ ISC_THREAD_DIR=$thread_dir
 AC_SUBST(ISC_THREAD_DIR)
 
 #
+# was --with-libxml2 specified?
+#
+AC_MSG_CHECKING(for libxml2 library)
+AC_ARG_WITH(libxml2,
+[  --with-libxml2[=PATH]   Build with libxml2 library [yes|no|path]],
+    use_libxml2="$withval", use_libxml2="auto")
+
+case "$use_libxml2" in
+	no)
+		DST_LIBXML2_INC=""
+		;;
+	auto|yes)
+		case X`(xml2-config --version) 2>/dev/null` in
+		X2.[[67]].*)
+			libxml2_libs=`xml2-config --libs`
+			libxml2_cflags=`xml2-config --cflags`
+			;;
+		*)
+			libxml2_libs=
+			libxml2_cflags=
+			;;
+		esac
+		;;
+	*)
+		if test -f "$use_libxml2/bin/xml2-config" ; then
+			libxml2_libs=`$use_libxml2/bin/xml2-config --libs`
+			libxml2_cflags=`$use_libxml2/bin/xml2-config --cflags`
+		fi
+		;;
+esac
+
+if test "X$libxml2_libs" != "X"
+then
+	AC_MSG_RESULT(yes)
+	CFLAGS="$CFLAGS $libxml2_cflags"
+	LIBS="$LIBS $libxml2_libs"
+	AC_DEFINE(HAVE_LIBXML2, 1, [Define if libxml2 was found])
+else
+	AC_MSG_RESULT(no)
+fi
+
+#
 # In solaris 10, SMF can manage named service
 #
 AC_CHECK_LIB(scf, smf_enable_instance)
@@ -914,9 +1109,9 @@ else
 	*-hp-hpux*)
 		CC="$CC -Ae -z"
 		# The version of the C compiler that constantly warns about
-                # 'const' as well as alignment issues is unfortunately not
-                # able to be discerned via the version of the operating
-                # system, nor does cc have a version flag.
+		# 'const' as well as alignment issues is unfortunately not
+		# able to be discerned via the version of the operating
+		# system, nor does cc have a version flag.
 		case "`$CC +W 123 2>&1`" in
 		*Unknown?option*)
 			STD_CWARNINGS="+w1"
@@ -945,7 +1140,7 @@ else
 		MKDEPCFLAGS="-xM"
 		;;
 	*-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-                # UnixWare
+		# UnixWare
 		CC="$CC -w"
 		;;
 	esac
@@ -966,7 +1161,6 @@ AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
 #
 # AC_CHECK_LIB(xnet, socket, ,
 #    AC_CHECK_LIB(socket, socket)
-#    AC_CHECK_LIB(nsl, inet_ntoa)
 # )
 #
 # Use this for now, instead:
@@ -974,9 +1168,11 @@ AC_CHECK_FUNC(catgets, AC_DEFINE(HAVE_CATGETS),)
 case "$host" in
 	mips-sgi-irix*)
 		;;
+	*-linux*)
+		;;
 	*)
 		AC_CHECK_LIB(socket, socket)
-		AC_CHECK_LIB(nsl, inet_ntoa)
+		AC_CHECK_LIB(nsl, inet_addr)
 		;;
 esac
 
@@ -1095,24 +1291,8 @@ AC_SUBST(LIBTOOL_ALLOW_UNDEFINED)
 AC_SUBST(LIBTOOL_IN_MAIN)
 
 #
-# build libbind?
-#
-AC_ARG_ENABLE(libbind,
-	[  --enable-libbind		build libbind [default=no]])
-
-case "$enable_libbind" in
-	yes)
-		LIBBIND=lib/bind
-		AC_SUBST(LIBBIND)
-		;;
-	no|'')
-		;;
-esac
-
-
-#
 # Here begins a very long section to determine the system's networking
-# capabilities.  The order of the tests is signficant.
+# capabilities.  The order of the tests is significant.
 #
 
 #
@@ -1211,16 +1391,16 @@ changequote([, ])
 #
 case "$host" in
 *-sco-sysv*uw*|*-*-sysv*UnixWare*|*-*-sysv*OpenUNIX*)
-        # UnixWare
+	# UnixWare
 	ISC_PLATFORM_NEEDNETINETIN6H="#define ISC_PLATFORM_NEEDNETINETIN6H 1"
 	LWRES_PLATFORM_NEEDNETINETIN6H="#define LWRES_PLATFORM_NEEDNETINETIN6H 1"
-        ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
+	ISC_PLATFORM_FIXIN6ISADDR="#define ISC_PLATFORM_FIXIN6ISADDR 1"
 	isc_netinetin6_hack="#include <netinet/in6.h>"
 	;;
 *)
 	ISC_PLATFORM_NEEDNETINETIN6H="#undef ISC_PLATFORM_NEEDNETINETIN6H"
 	LWRES_PLATFORM_NEEDNETINETIN6H="#undef LWRES_PLATFORM_NEEDNETINETIN6H"
-        ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
+	ISC_PLATFORM_FIXIN6ISADDR="#undef ISC_PLATFORM_FIXIN6ISADDR"
 	isc_netinetin6_hack=""
 	;;
 esac
@@ -1389,17 +1569,17 @@ AC_TRY_RUN([
 #include <arpa/inet.h>
 main() {
 char a[16],b[64]; return(inet_ntop(AF_INET6, a, b, sizeof(b)) == (char*)0);}],
-        [AC_MSG_RESULT(yes)
-        ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
+	[AC_MSG_RESULT(yes)
+	ISC_PLATFORM_NEEDNTOP="#undef ISC_PLATFORM_NEEDNTOP"],
 
-        [AC_MSG_RESULT(no)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
-        [AC_MSG_RESULT(assuming inet_ntop needed)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
-        ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
+	[AC_MSG_RESULT(no)
+	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+	ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"],
+	[AC_MSG_RESULT(assuming inet_ntop needed)
+	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_ntop.$O"
+	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_ntop.c"
+	ISC_PLATFORM_NEEDNTOP="#define ISC_PLATFORM_NEEDNTOP 1"])
 
 
 # On NetBSD 1.4.2 and maybe others, inet_pton() incorrectly accepts
@@ -1415,38 +1595,23 @@ AC_TRY_RUN([
 main() { char a[16]; return (inet_pton(AF_INET, "1.2.3", a) == 1 ? 1 :
 			     inet_pton(AF_INET, "1.2.3.04", a) == 1 ? 1 : 
 			     (inet_pton(AF_INET6, "::1.2.3.4", a) != 1)); }],
-        [AC_MSG_RESULT(yes)
-        ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-        [AC_MSG_RESULT(no)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-        ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
+	[AC_MSG_RESULT(yes)
+	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
+	[AC_MSG_RESULT(no)
+	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+	ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
 	[AC_MSG_RESULT(assuming target platform has working inet_pton)
 	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"],
-        [AC_MSG_RESULT(assuming inet_pton needed)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
-        ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
-        [AC_MSG_RESULT(assuming target platform has working inet_pton)
-        ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
-
-AC_MSG_CHECKING([for inet_aton])
-AC_TRY_LINK([
-#include <sys/types.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>],
-        [struct in_addr in; inet_aton(0, &in); return (0);],
-        [AC_MSG_RESULT(yes)
-        ISC_PLATFORM_NEEDATON="#undef ISC_PLATFORM_NEEDATON"],
-
-        [AC_MSG_RESULT(no)
-        ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_aton.$O"
-        ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_aton.c"
-        ISC_PLATFORM_NEEDATON="#define ISC_PLATFORM_NEEDATON 1"])
+	[AC_MSG_RESULT(assuming inet_pton needed)
+	ISC_EXTRA_OBJS="$ISC_EXTRA_OBJS inet_pton.$O"
+	ISC_EXTRA_SRCS="$ISC_EXTRA_SRCS inet_pton.c"
+	ISC_PLATFORM_NEEDPTON="#define ISC_PLATFORM_NEEDPTON 1"],
+	[AC_MSG_RESULT(assuming target platform has working inet_pton)
+	ISC_PLATFORM_NEEDPTON="#undef ISC_PLATFORM_NEEDPTON"])
 
 AC_SUBST(ISC_PLATFORM_NEEDNTOP)
 AC_SUBST(ISC_PLATFORM_NEEDPTON)
-AC_SUBST(ISC_PLATFORM_NEEDATON)
 
 #
 # Look for a 4.4BSD-style sa_len member in struct sockaddr.
@@ -1496,7 +1661,7 @@ AC_TRY_COMPILE([
 [in_port_t port = 25; return (0);],
 	[AC_MSG_RESULT(yes)
 	ISC_PLATFORM_NEEDPORTT="#undef ISC_PLATFORM_NEEDPORTT"],
-        [AC_MSG_RESULT(no)
+	[AC_MSG_RESULT(no)
 	ISC_PLATFORM_NEEDPORTT="#define ISC_PLATFORM_NEEDPORTT 1"])
 AC_SUBST(ISC_PLATFORM_NEEDPORTT)
 
@@ -1600,53 +1765,36 @@ AC_TRY_COMPILE([
 AC_SUBST(ISC_LWRES_NEEDHERRNO)
 
 AC_CHECK_FUNC(getipnodebyname,
-        [ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
-        [ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
+	[ISC_LWRES_GETIPNODEPROTO="#undef ISC_LWRES_GETIPNODEPROTO"],
+	[ISC_LWRES_GETIPNODEPROTO="#define ISC_LWRES_GETIPNODEPROTO 1"])
 AC_CHECK_FUNC(getnameinfo,
-        [ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
-        [ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
+	[ISC_LWRES_GETNAMEINFOPROTO="#undef ISC_LWRES_GETNAMEINFOPROTO"],
+	[ISC_LWRES_GETNAMEINFOPROTO="#define ISC_LWRES_GETNAMEINFOPROTO 1"])
 AC_CHECK_FUNC(getaddrinfo,
-        [ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
+	[ISC_LWRES_GETADDRINFOPROTO="#undef ISC_LWRES_GETADDRINFOPROTO"
 	AC_DEFINE(HAVE_GETADDRINFO)],
-        [ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
+	[ISC_LWRES_GETADDRINFOPROTO="#define ISC_LWRES_GETADDRINFOPROTO 1"])
 AC_CHECK_FUNC(gai_strerror, AC_DEFINE(HAVE_GAISTRERROR))
 AC_SUBST(ISC_LWRES_GETIPNODEPROTO)
 AC_SUBST(ISC_LWRES_GETADDRINFOPROTO)
 AC_SUBST(ISC_LWRES_GETNAMEINFOPROTO)
 
 AC_ARG_ENABLE(getifaddrs,
-[  --enable-getifaddrs    Enable the use of getifaddrs() [[yes|no|glibc]].
-             glibc: Use getifaddrs() in glibc if you know it supports IPv6.],
+[  --enable-getifaddrs    Enable the use of getifaddrs() [[yes|no]].],
     want_getifaddrs="$enableval",  want_getifaddrs="yes")
 
-case $want_getifaddrs in
-yes|glibc)
-#
-# Do we have getifaddrs() ?
 #
-case $host in
-*-linux*)
-	# Some recent versions of glibc support getifaddrs() which does not
-	# provide AF_INET6 addresses while the function provided by the USAGI
-	# project handles the AF_INET6 case correctly.  We need to avoid
-	# using the former but prefer the latter unless overridden by
-	# --enable-getifaddrs=glibc.
-	if test $want_getifaddrs = glibc
-	then
-		AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
-	else
-		save_LIBS="$LIBS"
-		LIBS="-L/usr/local/v6/lib $LIBS"
-		AC_CHECK_LIB(inet6, getifaddrs,
-			LIBS="$LIBS -linet6"
-			AC_DEFINE(HAVE_GETIFADDRS),
-			LIBS=${save_LIBS})
-	fi
-	;;
-*)
-	AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
-	;;
-esac
+# This interface iteration code for getifaddrs() will fall back to using
+# /proc/net/if_inet6 if getifaddrs() in glibc doesn't return any IPv6
+# addresses.
+# 
+case $want_getifaddrs in
+glibc)
+AC_MSG_WARN("--enable-getifaddrs=glibc is no longer required")
+AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
+;;
+yes)
+AC_CHECK_FUNC(getifaddrs, AC_DEFINE(HAVE_GETIFADDRS))
 ;;
 no)
 ;;
@@ -1750,11 +1898,37 @@ AC_CHECK_FUNC(strerror, AC_DEFINE(HAVE_STRERROR))
 AC_SUBST(ISC_EXTRA_OBJS)
 AC_SUBST(ISC_EXTRA_SRCS)
 
+#
+# Use our own SPNEGO implementation?
+#
+AC_ARG_ENABLE(isc-spnego,
+	[  --disable-isc-spnego		use SPNEGO from GSSAPI library])
+
+if test -n "$USE_GSSAPI"
+then
+	case "$enable_isc_spnego" in
+		yes|'')
+			USE_ISC_SPNEGO='-DUSE_ISC_SPNEGO'
+			DST_EXTRA_OBJS="$DST_EXTRA_OBJS spnego.$O"
+			DST_EXTRA_SRCS="$DST_EXTRA_SRCS spnego.c"
+			AC_MSG_RESULT(using SPNEGO from lib/dns)
+			;;
+		no)
+			AC_MSG_RESULT(using SPNEGO from GSSAPI library)
+			;;
+	esac
+fi
+
+AC_SUBST(USE_ISC_SPNEGO)
+
+AC_SUBST(DST_EXTRA_OBJS)
+AC_SUBST(DST_EXTRA_SRCS)
+
 # Determine the printf format characters to use when printing
 # values of type isc_int64_t. This will normally be "ll", but where
 # the compiler treats "long long" as a alias for "long" and printf
 # doesn't know about "long long" use "l".  Hopefully the sprintf
-# will produce a inconsistant result in the later case.  If the compiler
+# will produce a inconsistent result in the later case.  If the compiler
 # fails due to seeing "%lld" we fall back to "l".
 #
 # Digital Unix 4.0 (gcc?) (long long) is 64 bits as is its long. It uses
@@ -1790,13 +1964,23 @@ AC_SUBST(LWRES_PLATFORM_QUADFORMAT)
 #
 # Security Stuff
 #
-AC_CHECK_FUNC(chroot, AC_DEFINE(HAVE_CHROOT))
+# Note it is very recommended to *not* disable chroot(),
+# this is only because chroot() was made obsolete by Posix.
+AC_ARG_ENABLE(chroot,
+	[  --disable-chroot disable chroot])
+case "$enable_chroot" in
+	yes|'')
+		AC_CHECK_FUNCS(chroot)
+		;;
+	no)
+		;;
+esac
 AC_ARG_ENABLE(linux-caps,
 	[  --disable-linux-caps	disable linux capabilities])
 case "$enable_linux_caps" in
 	yes|'')
 		AC_CHECK_HEADERS(linux/capability.h sys/capability.h)
-		AC_CHECK_FUNCS(capset)
+		AC_CHECK_LIB(cap, cap_set_proc)
 		;;
 	no)
 		;;
@@ -1826,7 +2010,7 @@ esac
 #
 AC_CHECK_FUNC(tzset, AC_DEFINE(HAVE_TZSET))
 
-AC_MSG_CHECKING(for optarg decarartion)
+AC_MSG_CHECKING(for optarg declaration)
 AC_TRY_COMPILE([
 #include <unistd.h>
 ],
@@ -1953,7 +2137,7 @@ case "$host" in
 		hack_shutup_pthreadonceinit=yes
 		;;
 	*-solaris2.1[[0-9]])
-		hack_shutup_pthreadonceinit=yes
+		AC_TRY_COMPILE([ #include <pthread.h> ], [ static pthread_once_t once_test = { PTHREAD_ONCE_INIT }; ], [hack_shutup_pthreadonceinit=yes], )
 		;;
 esac
 
@@ -2008,11 +2192,11 @@ AC_CHECK_FUNC(if_nametoindex, ac_cv_have_if_nametoindex=yes,
 case $ac_cv_have_if_nametoindex in
 no)
 	case "$host" in
-  	*-hp-hpux*)
-  		AC_CHECK_LIB(ipv6, if_nametoindex,
+	*-hp-hpux*)
+		AC_CHECK_LIB(ipv6, if_nametoindex,
 				ac_cv_have_if_nametoindex=yes
 				LIBS="-lipv6 $LIBS",)
-  	;;
+	;;
 	esac
 esac
 case $ac_cv_have_if_nametoindex in
@@ -2025,12 +2209,14 @@ yes)
 esac
 AC_SUBST(ISC_PLATFORM_HAVEIFNAMETOINDEX)
 
+AC_CHECK_FUNCS(nanosleep)
+
 #
 # Machine architecture dependent features
 #
 AC_ARG_ENABLE(atomic,
 	[  --enable-atomic	enable machine specific atomic operations
-                        [[default=autodetect]]],
+			[[default=autodetect]]],
 			enable_atomic="$enableval",
 			enable_atomic="autodetect")
 case "$enable_atomic" in
@@ -2056,11 +2242,13 @@ main() {
 	exit((sizeof(void *) == 8) ? 0 : 1);
 }
 ],
-		[arch=x86_64],
+		[arch=x86_64
+		have_xaddq=yes],
 		[arch=x86_32],
-	        [arch=x86_32])
+		[arch=x86_32])
 	;;
-	x86_64-*)
+	x86_64-*|amd64-*)
+		have_xaddq=yes
 		arch=x86_64
 	;;
 	alpha*-*)
@@ -2165,7 +2353,14 @@ else
 	ISC_PLATFORM_HAVEATOMICSTORE="#undef ISC_PLATFORM_HAVEATOMICSTORE"
 fi
 
+if test "$have_xaddq" = "yes"; then
+        ISC_PLATFORM_HAVEXADDQ="#define ISC_PLATFORM_HAVEXADDQ 1"
+else
+        ISC_PLATFORM_HAVEXADDQ="#undef ISC_PLATFORM_HAVEXADDQ"
+fi
+
 AC_SUBST(ISC_PLATFORM_HAVEXADD)
+AC_SUBST(ISC_PLATFORM_HAVEXADDQ)
 AC_SUBST(ISC_PLATFORM_HAVECMPXCHG)
 AC_SUBST(ISC_PLATFORM_HAVEATOMICSTORE)
 
@@ -2178,6 +2373,25 @@ ISC_ARCH_DIR=$arch
 AC_SUBST(ISC_ARCH_DIR)
 
 #
+# Activate "rrset-order fixed" or not?
+#
+AC_ARG_ENABLE(fixed-rrset,
+	[  --enable-fixed-rrset        enable fixed rrset ordering
+			[[default=no]]],
+			enable_fixed="$enableval",
+			enable_fixed="no")
+case "$enable_fixed" in
+	yes)
+		AC_DEFINE(DNS_RDATASET_FIXED, 1,
+                          [Define to enable "rrset-order fixed" syntax.])
+		;;
+	no)
+		;;
+	*)
+		;;
+esac
+
+#
 #  The following sets up how non-blocking i/o is established.
 #  Sunos, cygwin and solaris 2.x (x<5) require special handling.
 #
@@ -2241,6 +2455,13 @@ AC_PATH_PROG(XMLLINT, xmllint, xmllint)
 AC_SUBST(XMLLINT)
 
 #
+# Look for Doxygen
+#
+
+AC_PATH_PROG(DOXYGEN, doxygen, doxygen)
+AC_SUBST(DOXYGEN)
+
+#
 # Subroutine for searching for an ordinary file (e.g., a stylesheet)
 # in a number of directories:
 #
@@ -2460,6 +2681,18 @@ BIND9_MAKE_RULES=$BIND9_TOP_BUILDDIR/make/rules
 BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}.${PATCHVER}${RELEASETYPE}${RELEASEVER}"
 AC_SUBST(BIND9_VERSION)
 
+if test -z "$ac_configure_args"; then
+	BIND9_CONFIGARGS="defaults"
+else
+	for a in $ac_configure_args
+	do
+		BIND9_CONFIGARGS="$BIND9_CONFIGARGS $a"
+	done
+fi
+BIND9_CONFIGARGS="`echo $BIND9_CONFIGARGS | sed 's/^ //'`"
+BIND9_CONFIGARGS="CONFIGARGS=${BIND9_CONFIGARGS}"
+AC_SUBST(BIND9_CONFIGARGS)
+
 AC_SUBST_FILE(LIBISC_API)
 LIBISC_API=$srcdir/lib/isc/api
 
@@ -2533,6 +2766,93 @@ else
 	BUILD_LIBS="$LIBS"
 fi
 
+NEWFLAGS=""
+for e in $BUILD_LDFLAGS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+BUILD_LDFLAGS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_GSSAPI_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_GSSAPI_LIBS="$NEWFLAGS"
+
+NEWFLAGS=""
+for e in $DNS_CRYPTO_LIBS ; do
+    case $e in
+	-L*)
+	    case $host_os in
+		netbsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		freebsd*)
+		    ee=`echo $e | sed -e 's%^-L%-Wl,-rpath,%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		solaris*)
+		    ee=`echo $e | sed -e 's%^-L%-R%'`
+		    NEWFLAGS="$NEWFLAGS $e $ee"
+		    ;;
+		*)
+		    NEWFLAGS="$NEWFLAGS $e"
+		    ;;
+		esac
+	    ;;
+	*)
+	    NEWFLAGS="$NEWFLAGS $e"
+	    ;;
+    esac
+done
+DNS_CRYPTO_LIBS="$NEWFLAGS"
+
 AC_SUBST(BUILD_CC)
 AC_SUBST(BUILD_CFLAGS)
 AC_SUBST(BUILD_CPPFLAGS)
@@ -2547,7 +2867,7 @@ AC_SUBST(BUILD_LIBS)
 
 AC_CONFIG_COMMANDS(
 	[chmod],
-	[chmod a+x isc-config.sh])
+	[chmod a+x isc-config.sh doc/doxygen/doxygen-input-filter])
 
 #
 # Files to configure.  These are listed here because we used to
@@ -2633,6 +2953,9 @@ AC_CONFIG_FILES([
 	doc/xsl/isc-docbook-html.xsl
 	doc/xsl/isc-docbook-latex.xsl
 	doc/xsl/isc-manpage.xsl
+	doc/doxygen/Doxyfile
+	doc/doxygen/Makefile
+	doc/doxygen/doxygen-input-filter
 ])
 
 #
diff --git a/doc/Makefile.in b/doc/Makefile.in
index f307f41..14d35bc 100644
--- a/doc/Makefile.in
+++ b/doc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5.18.2 2005/07/23 04:35:12 marka Exp $
+# $Id: Makefile.in,v 1.11 2007/06/19 23:47:13 tbox Exp $
 
 # This Makefile is a placeholder.  It exists merely to make
 # sure that its directory gets created in the object directory
@@ -23,7 +23,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS = arm misc xsl
+SUBDIRS = arm misc xsl doxygen
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index cdcb9d8..f3bfe0d 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -1,8 +1,8 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
-               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+              "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 	       [<!ENTITY mdash "&#8212;">]>
 <!--
- - Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003  Internet Software Consortium.
  -
  - Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.241.18.97 2008/10/17 19:37:35 jreed Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.380.14.14 2009/04/02 15:30:12 jreed Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -29,6 +29,7 @@
       <year>2006</year>
       <year>2007</year>
       <year>2008</year>
+      <year>2009</year>
       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
     </copyright>
     <copyright>
@@ -67,30 +68,30 @@
       </para>
 
       <para>
-        This version of the manual corresponds to BIND version 9.4.
+        This version of the manual corresponds to BIND version 9.6.
       </para>
 
     </sect1>
     <sect1>
       <title>Organization of This Document</title>
       <para>
-        In this document, <emphasis>Section 1</emphasis> introduces
-        the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Section 2</emphasis>
+        In this document, <emphasis>Chapter 1</emphasis> introduces
+        the basic <acronym>DNS</acronym> and <acronym>BIND</acronym> concepts. <emphasis>Chapter 2</emphasis>
         describes resource requirements for running <acronym>BIND</acronym> in various
-        environments. Information in <emphasis>Section 3</emphasis> is
+        environments. Information in <emphasis>Chapter 3</emphasis> is
         <emphasis>task-oriented</emphasis> in its presentation and is
         organized functionally, to aid in the process of installing the
         <acronym>BIND</acronym> 9 software. The task-oriented
         section is followed by
-        <emphasis>Section 4</emphasis>, which contains more advanced
+        <emphasis>Chapter 4</emphasis>, which contains more advanced
         concepts that the system administrator may need for implementing
-        certain options. <emphasis>Section 5</emphasis>
+        certain options. <emphasis>Chapter 5</emphasis>
         describes the <acronym>BIND</acronym> 9 lightweight
-        resolver.  The contents of <emphasis>Section 6</emphasis> are
+        resolver.  The contents of <emphasis>Chapter 6</emphasis> are
         organized as in a reference manual to aid in the ongoing
-        maintenance of the software. <emphasis>Section 7</emphasis> addresses
+        maintenance of the software. <emphasis>Chapter 7</emphasis> addresses
         security considerations, and
-        <emphasis>Section 8</emphasis> contains troubleshooting help. The
+        <emphasis>Chapter 8</emphasis> contains troubleshooting help. The
         main body of the document is followed by several
         <emphasis>appendices</emphasis> which contain useful reference
         information, such as a <emphasis>bibliography</emphasis> and
@@ -253,8 +254,10 @@
           more <emphasis>name servers</emphasis> and interprets the responses.
           The <acronym>BIND</acronym> 9 software distribution
           contains a
-          name server, <command>named</command>, and two resolver
-          libraries, <command>liblwres</command> and <command>libbind</command>.
+          name server, <command>named</command>, and a resolver
+          library, <command>liblwres</command>.  The older
+          <command>libbind</command> resolver library is also available
+          from ISC as a separate download.
         </para>
 
         </sect2><sect2>
@@ -639,11 +642,13 @@
       <title>Supported Operating Systems</title>
       <para>
         ISC <acronym>BIND</acronym> 9 compiles and runs on a large
-        number of Unix-like operating systems, and on some versions of
-        Microsoft Windows including Windows XP, Windows 2003, and
-        Windows 2008.  For an up-to-date list of supported systems,
-        see the README file in the top level directory of the BIND 9
-        source distribution.
+        number
+        of Unix-like operating systems and on NT-derived versions of
+        Microsoft Windows such as Windows 2000 and Windows XP.  For an
+        up-to-date
+        list of supported systems, see the README file in the top level
+        directory
+        of the BIND 9 source distribution.
       </para>
     </sect1>
   </chapter>
@@ -651,7 +656,7 @@
   <chapter id="Bv9ARM.ch03">
     <title>Name Server Configuration</title>
     <para>
-      In this section we provide some suggested configurations along
+      In this chapter we provide some suggested configurations along
       with guidelines for their use.  We suggest reasonable values for
       certain option settings.
     </para>
@@ -928,7 +933,7 @@ zone "eng.example.com" {
                   <arg>%<replaceable>comment</replaceable></arg>
                 </cmdsynopsis>
                 <para>
-                  The usual simple use of dig will take the form
+                  The usual simple use of <command>dig</command> will take the form
                 </para>
                 <simpara>
                   <command>dig @server domain query-type query-class</command>
@@ -1068,7 +1073,7 @@ zone "eng.example.com" {
                 </cmdsynopsis>
               </listitem>
             </varlistentry>
-	    <varlistentry id="named-compilezone" xreflabel="Zone Compilation aplication">
+	    <varlistentry id="named-compilezone" xreflabel="Zone Compilation application">
 	      <term><command>named-compilezone</command></term>
 	      <listitem>
 		<para>
@@ -1271,8 +1276,8 @@ zone "eng.example.com" {
                         Stop the server, making sure any recent changes
                         made through dynamic update or IXFR are first saved to
                         the master files of the updated zones.
-			If -p is specified named's process id is returned.
-			This allows an external process to determine when named
+			If <option>-p</option> is specified <command>named</command>'s process id is returned.
+			This allows an external process to determine when <command>named</command>
 			had completed stopping.
                       </para>
                     </listitem>
@@ -1286,8 +1291,8 @@ zone "eng.example.com" {
                         made through dynamic update or IXFR are not saved to
                         the master files, but will be rolled forward from the
 			journal files when the server is restarted.
-			If -p is specified named's process id is returned.
-			This allows an external process to determine when named
+			If <option>-p</option> is specified <command>named</command>'s process id is returned.
+			This allows an external process to determine when <command>named</command>
 			had completed halting.
                       </para>
                     </listitem>
@@ -1356,12 +1361,27 @@ zone "eng.example.com" {
                     <term><userinput>recursing</userinput></term>
                     <listitem>
                       <para>
-                        Dump the list of queries named is currently recursing
+                        Dump the list of queries <command>named</command> is currently recursing
                         on.
                       </para>
                     </listitem>
                   </varlistentry>
 
+                  <varlistentry>
+                    <term><userinput>validation
+                        <optional>on|off</optional>
+                        <optional><replaceable>view ...</replaceable></optional>
+                    </userinput></term>
+                    <listitem>
+                      <para>
+                        Enable or disable DNSSEC validation.
+                        Note <command>dnssec-enable</command> also needs to be
+                        set to <userinput>yes</userinput> to be effective.
+                        It defaults to enabled.
+                      </para>
+                    </listitem>
+                  </varlistentry>
+
                 </variablelist>
 
                 <para>
@@ -1426,7 +1446,7 @@ zone "eng.example.com" {
                   with
                   <command>named</command>.  Its syntax is
                   identical to the
-                  <command>key</command> statement in named.conf.
+                  <command>key</command> statement in <filename>named.conf</filename>.
                   The keyword <userinput>key</userinput> is
                   followed by a key name, which must be a valid
                   domain name, though it need not actually be hierarchical;
@@ -1599,10 +1619,10 @@ controls {
       </para>
 
       <note>
-	As a slave zone can also be a master to other slaves, named,
+	As a slave zone can also be a master to other slaves, <command>named</command>,
         by default, sends <command>NOTIFY</command> messages for every zone
 	it loads.  Specifying <command>notify master-only;</command> will
-	cause named to only send <command>NOTIFY</command> for master
+	cause <command>named</command> to only send <command>NOTIFY</command> for master
 	zones that it loads.
       </note>
 
@@ -1619,18 +1639,23 @@ controls {
       </para>
 
       <para>
-        Dynamic update is enabled by
-        including an <command>allow-update</command> or
-        <command>update-policy</command> clause in the
-        <command>zone</command> statement.
+	Dynamic update is enabled by including an
+	<command>allow-update</command> or <command>update-policy</command>
+	clause in the <command>zone</command> statement.  The
+	<command>tkey-gssapi-credential</command> and
+	<command>tkey-domain</command> clauses in the
+	<command>options</command>        statement enable the
+	server to negotiate keys that can be matched against those
+	in <command>update-policy</command> or
+	<command>allow-update</command>.
       </para>
 
       <para>
-        Updating of secure zones (zones using DNSSEC) follows
-        RFC 3007: RRSIG and NSEC records affected by updates are automatically
-            regenerated by the server using an online zone key.
-        Update authorization is based
-        on transaction signatures and an explicit server policy.
+	Updating of secure zones (zones using DNSSEC) follows RFC
+	3007: RRSIG, NSEC and NSEC3 records affected by updates are
+	automatically regenerated by the server using an online
+	zone key.  Update authorization is based on transaction
+	signatures and an explicit server policy.
       </para>
 
       <sect2 id="journal">
@@ -2086,7 +2111,7 @@ key host1-host2. {
 </programlisting>
 
         <para>
-          The algorithm, hmac-md5, is the only one supported by <acronym>BIND</acronym>.
+          The algorithm, <literal>hmac-md5</literal>, is the only one supported by <acronym>BIND</acronym>.
           The secret is the one generated above. Since this is a secret, it
           is recommended that either <filename>named.conf</filename> be non-world
           readable, or the key directive be added to a non-world readable
@@ -2146,22 +2171,23 @@ server 10.1.2.3 {
           be denoted <command>key host1-host2.</command>
         </para>
         <para>
-          An example of an allow-update directive would be:
+          An example of an <command>allow-update</command> directive would be:
         </para>
 
 <programlisting>
 allow-update { key host1-host2. ;};
 </programlisting>
 
-        <para>
-          This allows dynamic updates to succeed only if the request
-          was signed by a key named
-          "<command>host1-host2.</command>".
-        </para>
 	<para>
-          You may want to read about the more
-          powerful <command>update-policy</command> statement in <xref linkend="dynamic_update_policies"/>.
-        </para>
+	  This allows dynamic updates to succeed only if the request
+	  was signed by a key named "<command>host1-host2.</command>".
+	</para>
+
+	<para>
+	  You may want to read about the more powerful
+	  <command>update-policy</command> statement in
+	  <xref linkend="dynamic_update_policies"/>.
+	</para>
 
       </sect2>
       <sect2>
@@ -2235,7 +2261,7 @@ allow-update { key host1-host2. ;};
 
       <para>
         <acronym>BIND</acronym> 9 partially supports DNSSEC SIG(0)
-            transaction signatures as specified in RFC 2535 and RFC2931.
+            transaction signatures as specified in RFC 2535 and RFC 2931.
         SIG(0)
         uses public/private keys to authenticate messages.  Access control
         is performed in the same manner as TSIG keys; privileges can be
@@ -2351,6 +2377,12 @@ allow-update { key host1-host2. ;};
         </para>
 
         <para>
+          The <command>dnssec-keyfromlabel</command> program is used
+          to get a key pair from a crypto hardware and build the key
+          files. Its usage is similar to <command>dnssec-keygen</command>.
+        </para>
+
+        <para>
           The public keys should be inserted into the zone file by
           including the <filename>.key</filename> files using
           <command>$INCLUDE</command> statements.
@@ -2360,23 +2392,21 @@ allow-update { key host1-host2. ;};
       <sect2>
         <title>Signing the Zone</title>
 
-        <para>
-          The <command>dnssec-signzone</command> program is used
-          to
-          sign a zone.
-        </para>
+	<para>
+	  The <command>dnssec-signzone</command> program is used
+	  to sign a zone.
+	</para>
 
-        <para>
-          Any <filename>keyset</filename> files corresponding
-          to secure subzones should be present.  The zone signer will
-          generate <literal>NSEC</literal> and <literal>RRSIG</literal>
-          records for the zone, as well as <literal>DS</literal>
-          for
-          the child zones if <literal>'-d'</literal> is specified.
-                If <literal>'-d'</literal> is not specified, then
-          DS RRsets for
-          the secure child zones need to be added manually.
-        </para>
+	<para>
+	  Any <filename>keyset</filename> files corresponding to
+	  secure subzones should be present.  The zone signer will
+	  generate <literal>NSEC</literal>, <literal>NSEC3</literal>
+	  and <literal>RRSIG</literal> records for the zone, as
+	  well as <literal>DS</literal> for the child zones if
+	  <literal>'-g'</literal> is specified.  If <literal>'-g'</literal>
+	  is not specified, then DS RRsets for the secure child
+	  zones need to be added manually.
+	</para>
 
         <para>
           The following command signs the zone, assuming it is in a
@@ -2452,7 +2482,7 @@ allow-update { key host1-host2. ;};
 	  more public keys for the root.  This allows answers from
 	  outside the organization to be validated.  It will also
 	  have several keys for parts of the namespace the organization
-	  controls.  These are here to ensure that named is immune
+	  controls.  These are here to ensure that <command>named</command> is immune
 	  to compromises in the DNSSEC components of the security
 	  of parent zones.
 	</para>
@@ -2791,33 +2821,29 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
                   <varname>ip6_addr</varname>
                 </para>
               </entry>
-              <entry colname="2">
-                <para>
-                  An IPv6 address, such as <command>2001:db8::1234</command>.
-                  IPv6 scoped addresses that have ambiguity on their scope
-                  zones must be
-                  disambiguated by an appropriate zone ID with the percent
-                  character
-                  (`%') as delimiter.
-                  It is strongly recommended to use string zone names rather
-                  than
-                  numeric identifiers, in order to be robust against system
-                  configuration changes.
-                  However, since there is no standard mapping for such names
-                  and
-                  identifier values, currently only interface names as link
-                  identifiers
-                  are supported, assuming one-to-one mapping between
-                  interfaces and links.
-                  For example, a link-local address <command>fe80::1</command> on the
-                  link attached to the interface <command>ne0</command>
-                  can be specified as <command>fe80::1%ne0</command>.
-                  Note that on most systems link-local addresses always have
-                  the
-                  ambiguity, and need to be disambiguated.
-                </para>
-              </entry>
-            </row>
+	      <entry colname="2">
+		<para>
+		  An IPv6 address, such as <command>2001:db8::1234</command>.
+		  IPv6 scoped addresses that have ambiguity on their
+		  scope zones must be disambiguated by an appropriate
+		  zone ID with the percent character (`%') as
+		  delimiter.  It is strongly recommended to use
+		  string zone names rather than numeric identifiers,
+		  in order to be robust against system configuration
+		  changes.  However, since there is no standard
+		  mapping for such names and identifier values,
+		  currently only interface names as link identifiers
+		  are supported, assuming one-to-one mapping between
+		  interfaces and links.  For example, a link-local
+		  address <command>fe80::1</command> on the link
+		  attached to the interface <command>ne0</command>
+		  can be specified as <command>fe80::1%ne0</command>.
+		  Note that on most systems link-local addresses
+		  always have the ambiguity, and need to be
+		  disambiguated.
+		</para>
+	      </entry>
+	    </row>
             <row rowsep="0">
               <entry colname="1">
                 <para>
@@ -2867,6 +2893,11 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
                   netmask <command>255.0.0.0</command> and <command>1.2.3.0/28</command> is
                   network <command>1.2.3.0</command> with netmask <command>255.255.255.240</command>.
                 </para>
+                <para>
+		  When specifying a prefix involving a IPv6 scoped address
+		  the scope may be omitted.  In that case the prefix will
+		  match packets from any scope.
+                </para>
               </entry>
             </row>
             <row rowsep="0">
@@ -3042,9 +3073,8 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
             the <command>listen-on</command> and <command>sortlist</command>
-            statements. The elements
-            which constitute an address match list can be any of the
-            following:
+            statements. The elements which constitute an address match
+            list can be any of the following:
           </para>
           <itemizedlist>
             <listitem>
@@ -3072,28 +3102,30 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
           <para>
             Elements can be negated with a leading exclamation mark (`!'),
             and the match list names "any", "none", "localhost", and
-            "localnets"
-            are predefined. More information on those names can be found in
-            the description of the acl statement.
+            "localnets" are predefined. More information on those names
+            can be found in the description of the acl statement.
           </para>
 
           <para>
             The addition of the key clause made the name of this syntactic
             element something of a misnomer, since security keys can be used
             to validate access without regard to a host or network address.
-            Nonetheless,
-            the term "address match list" is still used throughout the
-            documentation.
+            Nonetheless, the term "address match list" is still used
+            throughout the documentation.
           </para>
 
           <para>
             When a given IP address or prefix is compared to an address
-            match list, the list is traversed in order until an element
-            matches.
+            match list, the comparison takes place in approximately O(1)
+            time.  However, key comparisons require that the list of keys
+            be traversed until a matching key is found, and therefore may
+            be somewhat slower.
+          </para>
+
+          <para>
             The interpretation of a match depends on whether the list is being
-            used
-            for access control, defining listen-on ports, or in a sortlist,
-            and whether the element was negated.
+            used for access control, defining <command>listen-on</command> ports, or in a
+            <command>sortlist</command>, and whether the element was negated.
           </para>
 
 	  <para>
@@ -3101,30 +3133,36 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	    allows access and a negated match denies access. If
 	    there is no match, access is denied. The clauses
 	    <command>allow-notify</command>,
+	    <command>allow-recursion</command>,
+	    <command>allow-recursion-on</command>,
 	    <command>allow-query</command>,
+	    <command>allow-query-on</command>,
 	    <command>allow-query-cache</command>,
+	    <command>allow-query-cache-on</command>,
 	    <command>allow-transfer</command>,
 	    <command>allow-update</command>,
 	    <command>allow-update-forwarding</command>, and
 	    <command>blackhole</command> all use address match
-	    lists.  Similarly, the listen-on option will cause the
-	    server to not accept queries on any of the machine's
+	    lists.  Similarly, the <command>listen-on</command> option will cause the
+	    server to refuse queries on any of the machine's
 	    addresses which do not match the list.
 	  </para>
 
           <para>
-            Because of the first-match aspect of the algorithm, an element
-            that defines a subset of another element in the list should come
-            before the broader element, regardless of whether either is
-            negated. For
-            example, in
-            <command>1.2.3/24; ! 1.2.3.13;</command> the 1.2.3.13
-            element is
-            completely useless because the algorithm will match any lookup for
-            1.2.3.13 to the 1.2.3/24 element.
-            Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
-            that problem by having 1.2.3.13 blocked by the negation but all
-            other 1.2.3.* hosts fall through.
+            Order of insertion is significant.  If more than one element
+            in an ACL is found to match a given IP address or prefix,
+            preference will be given to the one that came
+            <emphasis>first</emphasis> in the ACL definition.
+            Because of this first-match behavior, an element that
+            defines a subset of another element in the list should
+            come before the broader element, regardless of whether
+            either is negated. For example, in
+            <command>1.2.3/24; ! 1.2.3.13;</command>
+            the 1.2.3.13 element is completely useless because the
+            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+            element.  Using <command>! 1.2.3.13; 1.2.3/24</command> fixes
+            that problem by having 1.2.3.13 blocked by the negation, but
+            all other 1.2.3.* hosts fall through.
           </para>
         </sect3>
       </sect2>
@@ -3180,8 +3218,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             slash) and continue to the end of the physical line. They cannot
             be continued across multiple physical lines; to have one logical
             comment span multiple lines, each line must use the // pair.
-          </para>
-          <para>
             For example:
           </para>
           <para>
@@ -3197,8 +3233,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             with the character <literal>#</literal> (number sign)
             and continue to the end of the
             physical line, as in C++ comments.
-          </para>
-          <para>
             For example:
           </para>
 
@@ -3344,6 +3378,17 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
             </row>
             <row rowsep="0">
               <entry colname="1">
+                <para><command>statistics-channels</command></para>
+              </entry>
+              <entry colname="2">
+                <para>
+		  declares communication channels to get access to
+		  <command>named</command> statistics.
+                </para>
+              </entry>
+            </row>
+            <row rowsep="0">
+              <entry colname="1">
                 <para><command>trusted-keys</command></para>
               </entry>
               <entry colname="2">
@@ -3405,8 +3450,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
         <para>
           Note that an address match list's name must be defined
           with <command>acl</command> before it can be used
-          elsewhere; no
-          forward references are allowed.
+          elsewhere; no forward references are allowed.
         </para>
 
         <para>
@@ -3688,7 +3732,7 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 
 <programlisting><command>logging</command> {
    [ <command>channel</command> <replaceable>channel_name</replaceable> {
-     ( <command>file</command> <replaceable>path name</replaceable>
+     ( <command>file</command> <replaceable>path_name</replaceable>
          [ <command>versions</command> ( <replaceable>number</replaceable> | <command>unlimited</command> ) ]
          [ <command>size</command> <replaceable>size spec</replaceable> ]
        | <command>syslog</command> <replaceable>syslog_facility</replaceable>
@@ -3922,7 +3966,7 @@ notrace</command>. All debugging messages in the server have a debug
             the date and time will be logged. <command>print-time</command> may
             be specified for a <command>syslog</command> channel,
             but is usually
-            pointless since <command>syslog</command> also prints
+            pointless since <command>syslog</command> also logs
             the date and
             time. If <command>print-category</command> is
             requested, then the
@@ -4168,7 +4212,7 @@ category notify { null; };
                   </entry>
                   <entry colname="2">
                     <para>
-                      Messages that named was unable to determine the
+                      Messages that <command>named</command> was unable to determine the
                       class of or for which there was no matching <command>view</command>.
                       A one line summary is also logged to the <command>client</command> category.
                       This category is best sent to a file or stderr, by
@@ -4220,15 +4264,18 @@ category notify { null; };
                       enable query logging unless <command>querylog</command> option has been
                       specified.
                     </para>
-                    <para>
-                      The query log entry reports the client's IP address and
-                      port number, and the
-                      query name, class and type.  It also reports whether the
-                      Recursion Desired
-                      flag was set (+ if set, - if not set), EDNS was in use
-                      (E) or if the
-                      query was signed (S).
-                    </para>
+
+		    <para>
+		      The query log entry reports the client's IP
+		      address and port number, and the query name,
+		      class and type.  It also reports whether the
+		      Recursion Desired flag was set (+ if set, -
+		      if not set), if the query was signed (S),
+		      EDNS was in use (E), if DO (DNSSEC Ok) was
+		      set (D), or if CD (Checking Disabled) was set
+		      (C).
+		    </para>
+
                     <para>
                       <computeroutput>client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</computeroutput>
                     </para>
@@ -4239,6 +4286,17 @@ category notify { null; };
                 </row>
                 <row rowsep="0">
                   <entry colname="1">
+                    <para><command>query-errors</command></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+                      Information about queries that resulted in some
+                      failure.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
                     <para><command>dispatch</command></para>
                   </entry>
                   <entry colname="2">
@@ -4277,7 +4335,7 @@ category notify { null; };
                   </entry>
                   <entry colname="2">
                     <para>
-                      Delegation only.  Logs queries that have have
+                      Delegation only.  Logs queries that have
                       been forced to NXDOMAIN as the result of a
                       delegation-only zone or
                       a <command>delegation-only</command> in a
@@ -4285,10 +4343,264 @@ category notify { null; };
                     </para>
                   </entry>
                 </row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-        </sect3>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><command>edns-disabled</command></para>
+                  </entry>
+		  <entry colname="2">
+		    <para>
+		      Log queries that have been forced to use plain
+		      DNS due to timeouts.  This is often due to
+		      the remote servers not being RFC 1034 compliant
+		      (not always returning FORMERR or similar to
+		      EDNS queries and other extensions to the DNS
+		      when they are not understood).  In other words, this is
+		      targeted at servers that fail to respond to
+		      DNS queries that they don't understand.
+		    </para>
+		    <para>
+		      Note: the log message can also be due to
+		      packet loss.  Before reporting servers for
+		      non-RFC 1034 compliance they should be re-tested
+		      to determine the nature of the non-compliance.
+		      This testing should prevent or reduce the
+		      number of false-positive reports.
+		    </para>
+		    <para>
+		      Note: eventually <command>named</command> will have to stop
+		      treating such timeouts as due to RFC 1034 non
+		      compliance and start treating it as plain
+		      packet loss.  Falsely classifying packet
+		      loss as due to RFC 1034 non compliance impacts
+		      on DNSSEC validation which requires EDNS for
+		      the DNSSEC records to be returned.
+		    </para>
+		  </entry>
+		</row>
+	      </tbody>
+	    </tgroup>
+	  </informaltable>
+	</sect3>
+	<sect3>
+	  <title>The <command>query-errors</command> Category</title>
+	  <para>
+	    The <command>query-errors</command> category is
+	    specifically intended for debugging purposes: To identify
+	    why and how specific queries result in responses which
+	    indicate an error.
+	    Messages of this category are therefore only logged
+	    with <command>debug</command> levels.
+	  </para>
+
+	  <para>
+	    At the debug levels of 1 or higher, each response with the
+	    rcode of SERVFAIL is logged as follows:
+	  </para>
+	  <para>
+	    <computeroutput>client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</computeroutput>
+	  </para>
+	  <para>
+	    This means an error resulting in SERVFAIL was
+	    detected at line 3880 of source file
+	    <filename>query.c</filename>.
+	    Log messages of this level will particularly
+	    help identify the cause of SERVFAIL for an
+	    authoritative server.
+	  </para>
+	  <para>
+	    At the debug levels of 2 or higher, detailed context
+	    information of recursive resolutions that resulted in
+	    SERVFAIL is logged.
+	    The log message will look like as follows:
+	  </para>
+	  <para>
+	    <computeroutput>fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</computeroutput>
+	  </para>
+	  <para>
+	    The first part before the colon shows that a recursive
+	    resolution for AAAA records of www.example.com completed
+	    in 30.000183 seconds and the final result that led to the
+	    SERVFAIL was determined at line 2970 of source file
+	    <filename>resolver.c</filename>.
+	  </para>
+	  <para>
+	    The following part shows the detected final result and the
+	    latest result of DNSSEC validation.
+	    The latter is always success when no validation attempt
+	    is made.
+	    In this example, this query resulted in SERVFAIL probably
+	    because all name servers are down or unreachable, leading
+	    to a timeout in 30 seconds.
+	    DNSSEC validation was probably not attempted.
+	  </para>
+	  <para>
+	    The last part enclosed in square brackets shows statistics
+	    information collected for this particular resolution
+	    attempt.
+	    The <varname>domain</varname> field shows the deepest zone
+	    that the resolver reached;
+	    it is the zone where the error was finally detected.
+	    The meaning of the other fields is summarized in the
+	    following table.
+	  </para>
+
+          <informaltable colsep="0" rowsep="0">
+            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+              <colspec colname="1" colnum="1" colsep="0" />
+              <colspec colname="2" colnum="2" colsep="0" />
+              <tbody>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>referral</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of referrals the resolver received
+		      throughout the resolution process.
+		      In the above example this is 2, which are most
+		      likely com and example.com.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>restart</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of cycles that the resolver tried
+		      remote servers at the <varname>domain</varname>
+		      zone.
+		      In each cycle the resolver sends one query
+		      (possibly resending it, depending on the response)
+		      to each known name server of
+		      the <varname>domain</varname> zone.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>qrysent</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of queries the resolver sent at the
+		      <varname>domain</varname> zone.
+                    </para>
+                  </entry>
+                </row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>timeout</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of timeouts since the resolver
+		      received the last response.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>lame</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of lame servers the resolver detected
+		      at the <varname>domain</varname> zone.
+		      A server is detected to be lame either by an
+		      invalid response or as a result of lookup in
+		      BIND9's address database (ADB), where lame
+		      servers are cached.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>neterr</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of erroneous results that the
+		      resolver encountered in sending queries
+		      at the <varname>domain</varname> zone.
+		      One common case is the remote server is
+		      unreachable and the resolver receives an ICMP
+		      unreachable error message.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>badresp</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      The number of unexpected responses (other than
+		      <varname>lame</varname>) to queries sent by the
+		      resolver at the <varname>domain</varname> zone.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>adberr</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      Failures in finding remote server addresses
+		      of the <varname>domain</varname> zone in the ADB.
+		      One common case of this is that the remote
+		      server's name does not have any address records.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>findfail</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      Failures of resolving remote server addresses.
+		      This is a total number of failures throughout
+		      the resolution process.
+		    </para>
+		  </entry>
+		</row>
+                <row rowsep="0">
+                  <entry colname="1">
+                    <para><varname>valfail</varname></para>
+                  </entry>
+                  <entry colname="2">
+                    <para>
+		      Failures of DNSSEC validation.
+		      Validation failures are counted throughout
+		      the resolution process (not limited to
+		      the <varname>domain</varname> zone), but should
+		      only happen in <varname>domain</varname>.
+		    </para>
+		  </entry>
+		</row>
+	      </tbody>
+	    </tgroup>
+	  </informaltable>
+	  <para>
+	    At the debug levels of 3 or higher, the same messages
+	    as those at the debug 1 level are logged for other errors
+	    than SERVFAIL.
+	    Note that negative responses such as NXDOMAIN are not
+	    regarded as errors here.
+	  </para>
+	  <para>
+	    At the debug levels of 4 or higher, the same messages
+	    as those at the debug 2 level are logged for other errors
+	    than SERVFAIL.
+	    Unlike the above case of level 3, messages are logged for
+	    negative responses.
+	    This is because any unexpected results can be difficult to
+	    debug in the recursion case.
+	  </para>
+	</sect3>
       </sect2>
 
       <sect2>
@@ -4396,10 +4708,12 @@ category notify { null; };
     <optional> directory <replaceable>path_name</replaceable>; </optional>
     <optional> key-directory <replaceable>path_name</replaceable>; </optional>
     <optional> named-xfer <replaceable>path_name</replaceable>; </optional>
+    <optional> tkey-gssapi-credential <replaceable>principal</replaceable>; </optional>
     <optional> tkey-domain <replaceable>domainname</replaceable>; </optional>
     <optional> tkey-dhkey <replaceable>key_name</replaceable> <replaceable>key_tag</replaceable>; </optional>
     <optional> cache-file <replaceable>path_name</replaceable>; </optional>
     <optional> dump-file <replaceable>path_name</replaceable>; </optional>
+    <optional> memstatistics <replaceable>yes_or_no</replaceable>; </optional>
     <optional> memstatistics-file <replaceable>path_name</replaceable>; </optional>
     <optional> pid-file <replaceable>path_name</replaceable>; </optional>
     <optional> recursing-file <replaceable>path_name</replaceable>; </optional>
@@ -4421,6 +4735,7 @@ category notify { null; };
     <optional> rfc2308-type1 <replaceable>yes_or_no</replaceable>; </optional>
     <optional> use-id-pool <replaceable>yes_or_no</replaceable>; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> ixfr-from-differences (<replaceable>yes_or_no</replaceable> | <constant>master</constant> | <constant>slave</constant>); </optional>
     <optional> dnssec-enable <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-validation <replaceable>yes_or_no</replaceable>; </optional>
     <optional> dnssec-lookaside <replaceable>domain</replaceable> trust-anchor <replaceable>domain</replaceable>; </optional>
@@ -4442,12 +4757,16 @@ category notify { null; };
     <optional> check-sibling <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query-cache { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-cache-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-recursion { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-recursion-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> allow-v6-synthesis { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> blackhole { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> use-v4-udp-ports { <replaceable>port_list</replaceable> }; </optional>
@@ -4464,6 +4783,9 @@ category notify { null; };
 	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> | 
 	<optional> address ( <replaceable>ip6_addr</replaceable> | <replaceable>*</replaceable> ) </optional> 
 	<optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional> ) ; </optional>
+    <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+    <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
     <optional> max-transfer-time-in <replaceable>number</replaceable>; </optional>
     <optional> max-transfer-time-out <replaceable>number</replaceable>; </optional>
     <optional> max-transfer-idle-in <replaceable>number</replaceable>; </optional>
@@ -4486,6 +4808,7 @@ category notify { null; };
     <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
+    <optional> notify-to-soa <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable>; </optional>
     <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
@@ -4504,6 +4827,9 @@ category notify { null; };
     <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
     <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
     <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
     <optional> min-roots <replaceable>number</replaceable>; </optional>
     <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
@@ -4594,39 +4920,57 @@ category notify { null; };
 
           <varlistentry>
             <term><command>named-xfer</command></term>
-            <listitem>
-              <para>
-                <emphasis>This option is obsolete.</emphasis>
-                It was used in <acronym>BIND</acronym> 8 to
-                specify the pathname to the <command>named-xfer</command> program.
-                In <acronym>BIND</acronym> 9, no separate <command>named-xfer</command> program is
-                needed; its functionality is built into the name server.
-              </para>
+	    <listitem>
+	      <para>
+		<emphasis>This option is obsolete.</emphasis> It
+		was used in <acronym>BIND</acronym> 8 to specify
+		the pathname to the <command>named-xfer</command>
+		program.  In <acronym>BIND</acronym> 9, no separate
+		<command>named-xfer</command> program is needed;
+		its functionality is built into the name server.
+	      </para>
+	    </listitem>
+	  </varlistentry>
 
-            </listitem>
-          </varlistentry>
+	  <varlistentry>
+	    <term><command>tkey-gssapi-credential</command></term>
+	    <listitem>
+	      <para>
+		The security credential with which the server should
+		authenticate keys requested by the GSS-TSIG protocol.
+		Currently only Kerberos 5 authentication is available
+		and the credential is a Kerberos principal which
+		the server can acquire through the default system
+		key file, normally <filename>/etc/krb5.keytab</filename>.
+		Normally this principal is of the form
+		"<userinput>dns/</userinput><varname>server.domain</varname>".
+		To use GSS-TSIG, <command>tkey-domain</command>
+		must also be set.
+	      </para>
+	    </listitem>
+	  </varlistentry>
 
           <varlistentry>
             <term><command>tkey-domain</command></term>
-            <listitem>
-              <para>
-                The domain appended to the names of all
-                shared keys generated with
-                <command>TKEY</command>. When a client
-                requests a <command>TKEY</command> exchange, it
-                may or may not specify
-                the desired name for the key. If present, the name of the
-                shared
-                key will be "<varname>client specified part</varname>" +
-                "<varname>tkey-domain</varname>".
-                Otherwise, the name of the shared key will be "<varname>random hex
-digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
-                the <command>domainname</command> should be the
-                server's domain
-                name.
-              </para>
-            </listitem>
-          </varlistentry>
+	    <listitem>
+	      <para>
+		The domain appended to the names of all shared keys
+		generated with <command>TKEY</command>.  When a
+		client requests a <command>TKEY</command> exchange,
+		it may or may not specify the desired name for the
+		key. If present, the name of the shared key will
+		be <varname>client specified part</varname> +
+		<varname>tkey-domain</varname>.  Otherwise, the
+		name of the shared key will be <varname>random hex
+		digits</varname> + <varname>tkey-domain</varname>.
+		In most cases, the <command>domainname</command>
+		should be the server's domain name, or an otherwise
+		non-existent subdomain like
+		"_tkey.<varname>domainname</varname>".  If you are
+		using GSS-TSIG, this variable must be defined.
+	      </para>
+	    </listitem>
+	  </varlistentry>
 
           <varlistentry>
             <term><command>tkey-dhkey</command></term>
@@ -4670,26 +5014,20 @@ digits</varname>" + "<varname>tkey-domain</varname>". In most cases,
             <listitem>
               <para>
                 The pathname of the file the server writes memory
-                usage statistics to on exit.  If specified the
-		statistics will be written to the file on exit.
+                usage statistics to on exit. If not specified,
+                the default is <filename>named.memstats</filename>.
               </para>
-	      <para>
-		In <acronym>BIND</acronym> 9.5 and later this will
-		default to <filename>named.memstats</filename>.
-		<acronym>BIND</acronym> 9.5 will also introduce
-		<command>memstatistics</command> to control the
-		writing.
-	      </para>
-	    </listitem>
-	  </varlistentry>
+            </listitem>
+          </varlistentry>
 
           <varlistentry>
             <term><command>pid-file</command></term>
             <listitem>
               <para>
                 The pathname of the file the server writes its process ID
-                in. If not specified, the default is <filename>/var/run/named.pid</filename>.
-                The pid-file is used by programs that want to send signals to
+                in. If not specified, the default is
+		<filename>/var/run/named/named.pid</filename>.
+                The PID file is used by programs that want to send signals to
                 the running
                 name server. Specifying <command>pid-file none</command> disables the
                 use of a PID file &mdash; no file will be written and any
@@ -4824,7 +5162,7 @@ options {
                 top of a zone.  When a DNSKEY is at or below a domain
                 specified by the
                 deepest <command>dnssec-lookaside</command>, and
-                the normal dnssec validation
+                the normal DNSSEC validation
                 has left the key untrusted, the trust-anchor will be append to
                 the key
                 name and a DLV record will be looked up to see if it can
@@ -4842,10 +5180,10 @@ options {
               <para>
                 Specify hierarchies which must be or may not be secure (signed and
                 validated).
-                If <userinput>yes</userinput>, then named will only accept
+                If <userinput>yes</userinput>, then <command>named</command> will only accept
                 answers if they
                 are secure.
-                If <userinput>no</userinput>, then normal dnssec validation
+                If <userinput>no</userinput>, then normal DNSSEC validation
                 applies
                 allowing for insecure answers to be accepted.
                 The specified domain must be under a <command>trusted-key</command> or
@@ -4891,6 +5229,19 @@ options {
             </varlistentry>
 
             <varlistentry>
+              <term><command>memstatistics</command></term>
+              <listitem>
+                <para>
+		  Write memory statistics to the file specified by
+		  <command>memstatistics-file</command> at exit.
+		  The default is <userinput>no</userinput> unless
+		  '-m record' is specified on the command line in
+		  which case it is <userinput>yes</userinput>.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
               <term><command>dialup</command></term>
               <listitem>
                 <para>
@@ -5259,6 +5610,22 @@ options {
             </varlistentry>
 
             <varlistentry>
+              <term><command>notify-to-soa</command></term>
+              <listitem>
+                <para>
+		  If <userinput>yes</userinput> do not check the nameservers
+		  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
+		  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
+		  supposed to contain the name of the ultimate master.
+		  Sometimes, however, a slave is listed as the SOA MNAME in
+		  hidden master configurations and in that case you would
+		  want the ultimate master to still send NOTIFY messages to
+		  all the nameservers listed in the NS RRset.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
               <term><command>recursion</command></term>
               <listitem>
                 <para>
@@ -5518,9 +5885,10 @@ options {
 		  also accepts <command>master</command> and
                   <command>slave</command> at the view and options
                   levels which causes
-                  <command>ixfr-from-differences</command> to apply to
+                  <command>ixfr-from-differences</command> to be enabled for
                   all <command>master</command> or
                   <command>slave</command> zones respectively.
+                  It is off by default.
                 </para>
               </listitem>
             </varlistentry>
@@ -5531,9 +5899,9 @@ options {
                 <para>
                   This should be set when you have multiple masters for a zone
                   and the
-                  addresses refer to different machines.  If <userinput>yes</userinput>, named will
+                  addresses refer to different machines.  If <userinput>yes</userinput>, <command>named</command> will
                   not log
-                  when the serial number on the master is less than what named
+                  when the serial number on the master is less than what <command>named</command>
                   currently
                   has.  The default is <userinput>no</userinput>.
                 </para>
@@ -5544,8 +5912,8 @@ options {
               <term><command>dnssec-enable</command></term>
               <listitem>
                 <para>
-                  Enable DNSSEC support in named.  Unless set to <userinput>yes</userinput>,
-                  named behaves as if it does not support DNSSEC.
+                  Enable DNSSEC support in <command>named</command>.  Unless set to <userinput>yes</userinput>,
+                  <command>named</command> behaves as if it does not support DNSSEC.
                   The default is <userinput>yes</userinput>.
                 </para>
               </listitem>
@@ -5555,10 +5923,10 @@ options {
               <term><command>dnssec-validation</command></term>
               <listitem>
                 <para>
-                  Enable DNSSEC validation in named.
+                  Enable DNSSEC validation in <command>named</command>.
 		  Note <command>dnssec-enable</command> also needs to be
 		  set to <userinput>yes</userinput> to be effective.
-                  The default is <userinput>no</userinput>.
+                  The default is <userinput>yes</userinput>.
                 </para>
               </listitem>
             </varlistentry>
@@ -5569,7 +5937,7 @@ options {
                 <para>
 		  Accept expired signatures when verifying DNSSEC signatures.
                   The default is <userinput>no</userinput>.
-		  Setting this option to "yes" leaves named vulnerable to replay attacks.
+		  Setting this option to "yes" leaves <command>named</command> vulnerable to replay attacks.
                 </para>
               </listitem>
             </varlistentry>
@@ -5578,7 +5946,7 @@ options {
               <term><command>querylog</command></term>
               <listitem>
                 <para>
-                  Specify whether query logging should be started when named
+                  Specify whether query logging should be started when <command>named</command>
                   starts.
                   If <command>querylog</command> is not specified,
                   then the query logging
@@ -5608,9 +5976,9 @@ options {
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 </para>
                 <para><command>check-names</command>
-		  applies to the owner names of A, AAA and MX records.
-		  It also applies to the domain names in the RDATA of NS, SOA
-		  and MX records.
+		  applies to the owner names of A, AAAA and MX records.
+		  It also applies to the domain names in the RDATA of NS, SOA,
+		  MX, and SRV records.
 		  It also applies to the RDATA of PTR records where the owner
 		  name indicated that it is a reverse lookup of a hostname
 		  (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
@@ -5701,7 +6069,7 @@ options {
 	      <listitem>
 	        <para>
 		  When returning authoritative negative responses to
-		  SOA queries set the TTL of the SOA recored returned in
+		  SOA queries set the TTL of the SOA record returned in
 		  the authority section to zero.
 		  The default is <command>yes</command>.
 	        </para>
@@ -5734,6 +6102,17 @@ options {
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>try-tcp-refresh</command></term>
+	      <listitem>
+	        <para>
+		  Try to refresh the zone using TCP if UDP queries fail.
+		  For BIND 8 compatibility, the default is
+		  <command>yes</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
           </variablelist>
 
         </sect3>
@@ -5874,6 +6253,35 @@ options {
 	    </varlistentry>
 
 	    <varlistentry>
+	      <term><command>allow-query-on</command></term>
+	      <listitem>
+		<para>
+		  Specifies which local addresses can accept ordinary
+		  DNS questions. This makes it possible, for instance,
+		  to allow queries on internal-facing interfaces but
+		  disallow them on external-facing ones, without
+		  necessarily knowing the internal network's addresses.
+		</para>
+		<para>
+		  <command>allow-query-on</command> may
+		  also be specified in the <command>zone</command>
+		  statement, in which case it overrides the
+		  <command>options allow-query-on</command> statement.
+		</para>
+		<para>
+		  If not specified, the default is to allow queries
+		  on all addresses.
+		</para>
+		<note>
+		  <para>
+		    <command>allow-query-cache</command> is
+		    used to specify access to the cache.
+		  </para>
+		</note>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
 	      <term><command>allow-query-cache</command></term>
 	      <listitem>
 		<para>
@@ -5881,13 +6289,27 @@ options {
 		  from the cache.  If <command>allow-query-cache</command>
 		  is not set then <command>allow-recursion</command>
 		  is used if set, otherwise <command>allow-query</command>
-		  is used if set, otherwise the default
-		  (<command>localnets;</command>
+		  is used if set unless <command>recursion no;</command> is
+		  set in which case <command>none;</command> is used,
+		  otherwise the default (<command>localnets;</command>
 		  <command>localhost;</command>) is used.
 		</para>
 	      </listitem>
 	    </varlistentry>
 
+	    <varlistentry>
+	      <term><command>allow-query-cache-on</command></term>
+	      <listitem>
+		<para>
+		  Specifies which local addresses can give answers
+		  from the cache.  If not specified, the default is
+		  to allow cache queries on any address,
+		  <command>localnets</command> and
+		  <command>localhost</command>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
             <varlistentry>
               <term><command>allow-recursion</command></term>
               <listitem>
@@ -5905,6 +6327,17 @@ options {
             </varlistentry>
 
             <varlistentry>
+              <term><command>allow-recursion-on</command></term>
+              <listitem>
+                <para>
+		  Specifies which local addresses can accept recursive
+		  queries.  If not specified, the default is to allow
+		  recursive queries on all addresses.
+                </para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
               <term><command>allow-update</command></term>
               <listitem>
                 <para>
@@ -6001,7 +6434,7 @@ options {
           <para>
             The interfaces and ports that the server will answer queries
             from may be specified using the <command>listen-on</command> option. <command>listen-on</command> takes
-            an optional port, and an <varname>address_match_list</varname>.
+            an optional port and an <varname>address_match_list</varname>.
             The server will listen on all interfaces allowed by the address
             match list. If a port is not specified, port 53 will be used.
           </para>
@@ -6023,7 +6456,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
 
           <para>
             If no <command>listen-on</command> is specified, the
-            server will listen on port 53 on all interfaces.
+            server will listen on port 53 on all IPv4 interfaces.
           </para>
 
           <para>
@@ -6081,8 +6514,10 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 
           <para>
             If no <command>listen-on-v6</command> option is
-            specified,
-            the server will not listen on any IPv6 address.
+            specified, the server will not listen on any IPv6 address
+	    unless <command>-6</command> is specified when <command>named</command> is
+	    invoked.  If <command>-6</command> is specified then
+	    <command>named</command> will listen on port 53 on all IPv6 interfaces by default.
           </para>
         </sect3>
 
@@ -6176,20 +6611,52 @@ avoid-v6-udp-ports {};
 </programlisting>
 
 	  <para>
-	    Note: it is generally strongly discouraged to
+	    Note: BIND 9.5.0 introduced
+	    the <command>use-queryport-pool</command> 
+	    option to support a pool of such random ports, but this
+	    option is now obsolete because reusing the same ports in
+	    the pool may not be sufficiently secure.
+	    For the same reason, it is generally strongly discouraged to
             specify a particular port for the
 	    <command>query-source</command> or
 	    <command>query-source-v6</command> options;
-	    it implicitly disables the use of randomized port numbers
-	    and can be insecure.
+	    it implicitly disables the use of randomized port numbers.
           </para>
 
+          <variablelist>
+            <varlistentry>
+              <term><command>use-queryport-pool</command></term>
+              <listitem>
+                <para>
+		  This option is obsolete.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+            <varlistentry>
+              <term><command>queryport-pool-ports</command></term>
+              <listitem>
+                <para>
+		  This option is obsolete.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+            <varlistentry>
+              <term><command>queryport-pool-updateinterval</command></term>
+              <listitem>
+                <para>
+		  This option is obsolete.
+		</para>
+	      </listitem>
+	    </varlistentry>
+	    
+          </variablelist>
           <note>
             <para>
               The address specified in the <command>query-source</command> option
               is used for both UDP and TCP queries, but the port applies only
-              to
-              UDP queries.  TCP queries always use a random
+              to UDP queries.  TCP queries always use a random
               unprivileged port.
             </para>
           </note>
@@ -6228,7 +6695,12 @@ avoid-v6-udp-ports {};
                   zone is loaded, in addition to the servers listed in the
                   zone's NS records.
                   This helps to ensure that copies of the zones will
-                  quickly converge on stealth servers. If an <command>also-notify</command> list
+                  quickly converge on stealth servers.
+                  Optionally, a port may be specified with each
+                  <command>also-notify</command> address to send
+                  the notify messages to a port other than the
+                  default of 53.
+                  If an <command>also-notify</command> list
                   is given in a <command>zone</command> statement,
                   it will override
                   the <command>options also-notify</command>
@@ -6457,7 +6929,7 @@ avoid-v6-udp-ports {};
 		  to be used, you should set
 		  <command>use-alt-transfer-source</command>
 		  appropriately and you should not depend upon
-		  getting a answer back to the first refresh
+		  getting an answer back to the first refresh
 		  query.
 		</note>
               </listitem>
@@ -6657,7 +7129,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
         </sect3>
 
-        <sect3>
+        <sect3 id="server_resource_limits">
           <title>Server  Resource Limits</title>
 
           <para>
@@ -6691,6 +7163,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   journal
                   will be automatically removed.  The default is
                   <literal>unlimited</literal>.
+                  This may also be set on a per-zone basis.
                 </para>
               </listitem>
             </varlistentry>
@@ -6741,7 +7214,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                 <para>
 		  The number of file descriptors reserved for TCP, stdio,
 		  etc.  This needs to be big enough to cover the number of
-		  interfaces named listens on, tcp-clients as well as
+		  interfaces <command>named</command> listens on, <command>tcp-clients</command> as well as
 		  to provide room for outgoing TCP queries and incoming zone
 		  transfers.  The default is <literal>512</literal>.
 		  The minimum value is <literal>128</literal> and the
@@ -6762,7 +7235,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   server's cache, in bytes.
                   When the amount of data in the cache
                   reaches this limit, the server will cause records to expire
-                  prematurely so that the limit is not exceeded.
+                  prematurely based on an LRU based strategy so that
+                  the limit is not exceeded.
                   A value of 0 is special, meaning that
                   records are purged from the cache only when their
                   TTLs expire.
@@ -6809,11 +7283,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               <term><command>cleaning-interval</command></term>
               <listitem>
                 <para>
-                  The server will remove expired resource records
+		  This interval is effectively obsolete.  Previously,
+		  the server would remove expired resource records
                   from the cache every <command>cleaning-interval</command> minutes.
-                  The default is 60 minutes.  The maximum value is 28 days
-                  (40320 minutes).
-                  If set to 0, no periodic cleaning will occur.
+		  <acronym>BIND</acronym> 9 now manages cache
+		  memory in a more sophisticated manner and does not
+		  rely on the periodic cleaning any more.
+		  Specifying this option therefore has no effect on
+		  the server's behavior.
                 </para>
               </listitem>
             </varlistentry>
@@ -7095,8 +7572,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   </entry>
                   <entry colname="2">
                     <para>
-                      Records are returned in a round-robin
-                      order.
+                      Records are returned in a cyclic round-robin order.
+                    </para>
+                    <para>
+                      If <acronym>BIND</acronym> is configured with the
+                      "--enable-fixed-rrset" option at compile time, then
+                      the initial ordering of the RRset will match the
+                      one specified in the zone file.
                     </para>
                   </entry>
                 </row>
@@ -7127,9 +7609,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 
           <note>
             <simpara>
-              The <command>rrset-order</command> statement
-              is not yet fully implemented in <acronym>BIND</acronym> 9.
-              BIND 9 currently does not fully support "fixed" ordering.
+              In this release of <acronym>BIND</acronym> 9, the
+              <command>rrset-order</command> statement does not support
+              "fixed" ordering by default.  Fixed ordering can be enabled
+              at compile time by specifying "--enable-fixed-rrset" on
+              the "configure" command line.
             </simpara>
           </note>
         </sect3>
@@ -7203,22 +7687,76 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><command>sig-validity-interval</command></term>
-              <listitem>
-                <para>
-                  Specifies the number of days into the
-                  future when DNSSEC signatures automatically generated as a
-                  result
-                  of dynamic updates (<xref linkend="dynamic_update"/>)
-                  will expire. The default is <literal>30</literal> days.
-                  The maximum value is 10 years (3660 days). The signature
-                  inception time is unconditionally set to one hour before the
-                  current time
-                  to allow for a limited amount of clock skew.
-                </para>
-              </listitem>
-            </varlistentry>
+	    <varlistentry>
+	      <term><command>sig-validity-interval</command></term>
+	      <listitem>
+		<para>
+		  Specifies the number of days into the future when
+		  DNSSEC signatures automatically generated as a
+		  result of dynamic updates (<xref
+		  linkend="dynamic_update"/>) will expire.  There
+		  is a optional second field which specifies how
+		  long before expiry that the signatures will be
+		  regenerated.  If not specified, the signatures will
+		  be regenerated at 1/4 of base interval.  The second
+		  field is specified in days if the base interval is
+		  greater than 7 days otherwise it is specified in hours.
+		  The default base interval is <literal>30</literal> days
+		  giving a re-signing interval of 7 1/2 days.  The maximum
+		  values are 10 years (3660 days).
+		</para>
+		<para>
+		  The signature inception time is unconditionally
+		  set to one hour before the current time to allow
+		  for a limited amount of clock skew.
+		</para>
+		<para>
+		  The <command>sig-validity-interval</command>
+		  should be, at least, several multiples of the SOA
+		  expire interval to allow for reasonable interaction
+		  between the various timer and expiry dates.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-nodes</command></term>
+	      <listitem>
+		<para>
+		  Specify the maximum number of nodes to be
+		  examined in each quantum when signing a zone with
+		  a new DNSKEY. The default is
+		  <literal>100</literal>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-signatures</command></term>
+	      <listitem>
+		<para>
+		  Specify a threshold number of signatures that
+		  will terminate processing a quantum when signing
+		  a zone with a new DNSKEY.  The default is
+		  <literal>10</literal>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-type</command></term>
+	      <listitem>
+		<para>
+		  Specify a private RDATA type to be used when generating
+		  key signing records.  The default is
+		  <literal>65535</literal>.
+		</para>
+		<para>
+		  It is expected that this parameter may be removed
+		  in a future version once there is a standard type.
+		</para>
+	      </listitem>
+	    </varlistentry>
 
             <varlistentry>
               <term><command>min-refresh-time</command></term>
@@ -7252,14 +7790,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               <term><command>edns-udp-size</command></term>
               <listitem>
                 <para>
-		  Sets the advertised EDNS UDP buffer size in bytes.  Valid
-                  values are 512 to 4096 (values outside this range
-                  will be silently adjusted).  The default value is
-                  4096.  The usual reason for setting edns-udp-size to
-                  a non-default value is to get UDP answers to pass
-                  through broken firewalls that block fragmented
-                  packets and/or block UDP packets that are greater
-                  than 512 bytes.
+		  Sets the advertised EDNS UDP buffer size in bytes
+                  to control the size of packets received.
+                  Valid values are 512 to 4096 (values outside this range
+		  will be silently adjusted).  The default value
+		  is 4096.  The usual reason for setting
+		  <command>edns-udp-size</command> to a non-default
+		  value is to get UDP answers to pass through broken
+		  firewalls that block fragmented packets and/or
+		  block UDP packets that are greater than 512 bytes.
                 </para>
               </listitem>
             </varlistentry>
@@ -7268,11 +7807,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               <term><command>max-udp-size</command></term>
               <listitem>
                 <para>
-		  Sets the maximum EDNS UDP message size named will
+		  Sets the maximum EDNS UDP message size <command>named</command> will
 		  send in bytes.  Valid values are 512 to 4096 (values outside
 		  this range will be silently adjusted).  The default
 		  value is 4096.  The usual reason for setting
-		  max-udp-size to a non-default value is to get UDP
+		  <command>max-udp-size</command> to a non-default value is to get UDP
 		  answers to pass through broken firewalls that
 		  block fragmented packets and/or block UDP packets
 		  that are greater than 512 bytes.
@@ -7312,22 +7851,22 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      </listitem>
 	    </varlistentry>
 
-	    <varlistentry>
+	    <varlistentry id="clients-per-query">
 	      <term><command>clients-per-query</command></term>
 	      <term><command>max-clients-per-query</command></term>
               <listitem>
 		<para>These set the
 		  initial value (minimum) and maximum number of recursive
-		  simultanious clients for any given query
+		  simultaneous clients for any given query
 		  (&lt;qname,qtype,qclass&gt;) that the server will accept
-		  before dropping additional clients.  named will attempt to
+		  before dropping additional clients.  <command>named</command> will attempt to
 		  self tune this value and changes will be logged.  The
 		  default values are 10 and 100.
 		</para>
 		<para>
 	          This value should reflect how many queries come in for
 		  a given name in the time it takes to resolve that name.
-		  If the number of queries exceed this value, named will
+		  If the number of queries exceed this value, <command>named</command> will
 		  assume that it is dealing with a non-responsive zone
 		  and will drop additional queries.  If it gets a response
 		  after dropping queries, it will raise the estimate.  The
@@ -7422,14 +7961,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
               <term><command>server-id</command></term>
               <listitem>
                 <para>
-                  The ID of the server should report via a query of
-                  the name <filename>ID.SERVER</filename>
-                  with type <command>TXT</command>, class <command>CHAOS</command>.
+                  The ID the server should report when receiving a Name
+                  Server Identifier (NSID) query, or a query of the name
+                  <filename>ID.SERVER</filename> with type
+                  <command>TXT</command>, class <command>CHAOS</command>.
                   The primary purpose of such queries is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying <command>server-id none;</command>
                   disables processing of the queries.
-                  Specifying <command>server-id hostname;</command> will cause named to
+                  Specifying <command>server-id hostname;</command> will cause <command>named</command> to
                   use the hostname as found by the gethostname() function.
                   The default <command>server-id</command> is <command>none</command>.
                 </para>
@@ -7451,12 +7991,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	    these cover the reverse namespace for addresses from RFC 1918 and
 	    RFC 3330.  They also include the reverse namespace for IPv6 local
 	    address (locally assigned), IPv6 link local addresses, the IPv6
-	    loopback address and the IPv6 unknown addresss.
+	    loopback address and the IPv6 unknown address.
 	  </para>
 	  <para>
-	    Named will attempt to determine if a built in zone already exists
+	    Named will attempt to determine if a built-in zone already exists
 	    or is active (covered by a forward-only forwarding declaration)
-	    and will not not create a empty zone in that case.
+	    and will not create a empty zone in that case.
 	  </para>
 	  <para>
 	    The current list of empty zones is:
@@ -7517,7 +8057,7 @@ XXX: end of RFC1918 addresses #defined out -->
 	  <note>
 	    The real parent servers for these zones should disable all
 	    empty zone under the parent zone they serve.  For the real
-	    root servers, this is all built in empty zones.  This will
+	    root servers, this is all built-in empty zones.  This will
 	    enable them to return referrals to deeper in the tree.
 	  </note>
           <variablelist>
@@ -7547,7 +8087,7 @@ XXX: end of RFC1918 addresses #defined out -->
 	      <term><command>empty-zones-enable</command></term>
 	      <listitem>
 	        <para>
-		  Enable or disable all empty zones.  By default they
+		  Enable or disable all empty zones.  By default, they
 		  are enabled.
 	        </para>
 	      </listitem>
@@ -7557,171 +8097,13 @@ XXX: end of RFC1918 addresses #defined out -->
 	    <term><command>disable-empty-zone</command></term>
 	      <listitem>
 	        <para>
-		  Disable individual empty zones.  By default none are
+		  Disable individual empty zones.  By default, none are
 		  disabled.  This option can be specified multiple times.
 	        </para>
 	      </listitem>
 	    </varlistentry>
           </variablelist>
         </sect3>
-  
-        <sect3 id="statsfile">
-          <title>The Statistics File</title>
-
-          <para>
-            The statistics file generated by <acronym>BIND</acronym> 9
-            is similar, but not identical, to that
-            generated by <acronym>BIND</acronym> 8.
-          </para>
-          <para>
-            The statistics dump begins with a line, like:
-	  </para>
-          <para>
-	    <command>+++ Statistics Dump +++ (973798949)</command>
-	  </para>
-	  <para>
-	    The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
-            Following
-            that line are a series of lines containing a counter type, the
-            value of the
-            counter, optionally a zone name, and optionally a view name.
-            The lines without view and zone listed are global statistics for
-            the entire server.
-            Lines with a zone and view name for the given view and zone (the
-            view name is
-            omitted for the default view).
-	  </para>
-	  <para>
-	    The statistics dump ends with the line where the
-            number is identical to the number in the beginning line; for example:
-          </para>
-          <para>
-	    <command>--- Statistics Dump --- (973798949)</command>
-          </para>
-          <para>
-            The following statistics counters are maintained:
-          </para>
-          <informaltable colsep="0" rowsep="0">
-            <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
-              <colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
-              <colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
-              <tbody>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>success</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of
-                      successful queries made to the server or zone.  A
-                      successful query
-                      is defined as query which returns a NOERROR response
-                      with at least
-                      one answer RR.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>referral</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of queries which resulted
-                      in referral responses.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>nxrrset</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of queries which resulted in
-                      NOERROR responses with no data.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>nxdomain</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number
-                      of queries which resulted in NXDOMAIN responses.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>failure</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of queries which resulted in a
-                      failure response other than those above.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>recursion</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of queries which caused the server
-                      to perform recursion in order to find the final answer.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>duplicate</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-                      The number of queries which the server attempted to
-		      recurse but discover a existing query with the same
-		      IP address, port, query id, name, type and class
-		      already being processed.
-                    </para>
-                  </entry>
-                </row>
-                <row rowsep="0">
-                  <entry colname="1">
-                    <para><command>dropped</command></para>
-                  </entry>
-                  <entry colname="2">
-                    <para>
-		      The number of queries for which the server
-		      discovered a excessive number of existing
-		      recursive queries for the same name, type and
-		      class and were subsequently dropped.
-		    </para>
-		  </entry>
-		</row>
-              </tbody>
-            </tgroup>
-          </informaltable>
-
-          <para>
-            Each query received by the server will cause exactly one of
-            <command>success</command>,
-            <command>referral</command>,
-            <command>nxrrset</command>,
-            <command>nxdomain</command>,
-            <command>failure</command>,
-            <command>duplicate</command>, or
-            <command>dropped</command>
-            to be incremented, and may additionally cause the
-            <command>recursion</command> counter to be
-            incremented.
-          </para>
-
-        </sect3>
 
         <sect3 id="acache">
           <title>Additional Section Caching</title>
@@ -7829,10 +8211,7 @@ XXX: end of RFC1918 addresses #defined out -->
                   In a server with multiple views, the limit applies
                   separately to the
                   acache of each view.
-                  The default is <literal>unlimited</literal>,
-                  meaning that
-                  entries are purged from the acache only at the
-                  periodic cleaning time.
+                  The default is <literal>16M</literal>.
                 </para>
               </listitem>
             </varlistentry>
@@ -7862,6 +8241,9 @@ XXX: end of RFC1918 addresses #defined out -->
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> query-source <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
     <optional> query-source-v6 <optional> address ( <replaceable>ip_addr</replaceable> | <replaceable>*</replaceable> ) </optional> <optional> port ( <replaceable>ip_port</replaceable> | <replaceable>*</replaceable> ) </optional>; </optional>
+    <optional> use-queryport-pool <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> queryport-pool-ports <replaceable>number</replaceable>; </optional>
+    <optional> queryport-pool-interval <replaceable>number</replaceable>; </optional>
 };
 </programlisting>
 
@@ -7953,7 +8335,7 @@ XXX: end of RFC1918 addresses #defined out -->
 
           <para>
             The <command>edns-udp-size</command> option sets the EDNS UDP size
-	    that is advertised by named when querying the remote server.
+	    that is advertised by <command>named</command> when querying the remote server.
 	    Valid values are 512 to 4096 bytes (values outside this range will be
 	    silently adjusted).  This option is useful when you wish to
 	    advertises a different value to this server than the value you
@@ -7963,11 +8345,11 @@ XXX: end of RFC1918 addresses #defined out -->
 
           <para>
 	    The <command>max-udp-size</command> option sets the
-	    maximum EDNS UDP message size named will send.  Valid
+	    maximum EDNS UDP message size <command>named</command> will send.  Valid
 	    values are 512 to 4096 bytes (values outside this range will
 	    be silently adjusted).  This option is useful when you
 	    know that there is a firewall that is blocking large
-	    replies from named.
+	    replies from <command>named</command>.
 	  </para>
 
           <para>
@@ -8052,6 +8434,74 @@ XXX: end of RFC1918 addresses #defined out -->
 
         </sect2>
 
+      <sect2 id="statschannels">
+        <title><command>statistics-channels</command> Statement Grammar</title>
+
+<programlisting><command>statistics-channels</command> {
+   [ inet ( ip_addr | * ) [ port ip_port ] [allow { <replaceable> address_match_list </replaceable> } ]; ]
+   [ inet ...; ]
+};
+</programlisting>
+      </sect2>
+
+      <sect2>
+          <title><command>statistics-channels</command> Statement Definition and
+            Usage</title>
+
+        <para>
+          The <command>statistics-channels</command> statement
+	  declares communication channels to be used by system
+	  administrators to get access to statistics information of
+	  the name server.
+        </para>
+
+        <para>
+	  This statement intends to be flexible to support multiple
+	  communication protocols in the future, but currently only
+	  HTTP access is supported.
+	  It requires that BIND 9 be compiled with libxml2;
+	  the <command>statistics-channels</command> statement is
+	  still accepted even if it is built without the library,
+	  but any HTTP access will fail with an error.
+        </para>
+
+        <para>
+          An <command>inet</command> control channel is a TCP socket
+	  listening at the specified <command>ip_port</command> on the
+	  specified <command>ip_addr</command>, which can be an IPv4 or IPv6
+	  address.  An <command>ip_addr</command> of <literal>*</literal> (asterisk) is
+	  interpreted as the IPv4 wildcard address; connections will be
+	  accepted on any of the system's IPv4 addresses.
+	  To listen on the IPv6 wildcard address,
+          use an <command>ip_addr</command> of <literal>::</literal>.
+        </para>
+
+        <para>
+          If no port is specified, port 80 is used for HTTP channels.
+	  The asterisk "<literal>*</literal>" cannot be used for
+	  <command>ip_port</command>.
+        </para>
+
+        <para>
+          The attempt of opening a statistics channel is
+          restricted by the optional <command>allow</command> clause.
+	  Connections to the statistics channel are permitted based on the
+          <command>address_match_list</command>.
+	  If no <command>allow</command> clause is present,
+	  <command>named</command> accepts connection
+	  attempts from any address; since the statistics may
+	  contain sensitive internal information, it is highly
+	  recommended to restrict the source of connection requests
+	  appropriately.
+        </para>
+
+        <para>
+          If no <command>statistics-channels</command> statement is present,
+          <command>named</command> will not open any communication channels.
+        </para>
+
+      </sect2>
+
         <sect2>
           <title><command>trusted-keys</command> Statement Grammar</title>
 
@@ -8090,6 +8540,9 @@ XXX: end of RFC1918 addresses #defined out -->
 	    multiple key entries, each consisting of the key's
 	    domain name, flags, protocol, algorithm, and the Base-64
 	    representation of the key data.
+	    Spaces, tabs, newlines and carriage returns are ignored
+	    in the key data, so the configuration may be split up into
+	    multiple lines.
 	  </para>
 	</sect2>
 
@@ -8240,6 +8693,7 @@ view "external" {
 <programlisting><command>zone</command> <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type master;
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-policy { <replaceable>update_policy_rule</replaceable> <optional>...</optional> }; </optional>
@@ -8252,9 +8706,11 @@ view "external" {
     <optional> file <replaceable>string</replaceable> ; </optional>
     <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
     <optional> journal <replaceable>string</replaceable> ; </optional>
+    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
+    <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
     <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> max-ixfr-log-size <replaceable>number</replaceable> ; </optional>
@@ -8262,11 +8718,15 @@ view "external" {
     <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
     <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
     <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
+    <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> notify-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
     <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@@ -8280,18 +8740,22 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     type slave;
     <optional> allow-notify { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-transfer { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> allow-update-forwarding { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> update-check-ksk <replaceable>yes_or_no</replaceable>; </optional>
+    <optional> try-tcp-refresh <replaceable>yes_or_no</replaceable>; </optional>
     <optional> also-notify { <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> file <replaceable>string</replaceable> ; </optional>
     <optional> masterfile-format (<constant>text</constant>|<constant>raw</constant>) ; </optional>
     <optional> journal <replaceable>string</replaceable> ; </optional>
+    <optional> max-journal-size <replaceable>size_spec</replaceable>; </optional>
     <optional> forward (<constant>only</constant>|<constant>first</constant>) ; </optional>
     <optional> forwarders { <optional> <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> ; ... </optional> }; </optional>
     <optional> ixfr-base <replaceable>string</replaceable> ; </optional>
+    <optional> ixfr-from-differences <replaceable>yes_or_no</replaceable>; </optional>
     <optional> ixfr-tmp-file <replaceable>string</replaceable> ; </optional>
     <optional> maintain-ixfr-base <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> masters <optional>port <replaceable>ip_port</replaceable></optional> { ( <replaceable>masters_list</replaceable> | <replaceable>ip_addr</replaceable> <optional>port <replaceable>ip_port</replaceable></optional> <optional>key <replaceable>key</replaceable></optional> ) ; <optional>...</optional> }; </optional>
@@ -8301,6 +8765,8 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
     <optional> max-transfer-time-in <replaceable>number</replaceable> ; </optional>
     <optional> max-transfer-time-out <replaceable>number</replaceable> ; </optional>
     <optional> notify <replaceable>yes_or_no</replaceable> | <replaceable>explicit</replaceable> | <replaceable>master-only</replaceable> ; </optional>
+    <optional> notify-delay <replaceable>seconds</replaceable> ; </optional>
+    <optional> notify-to-soa <replaceable>yes_or_no</replaceable>; </optional>
     <optional> pubkey <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>number</replaceable> <replaceable>string</replaceable> ; </optional>
     <optional> transfer-source (<replaceable>ip4_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> transfer-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
@@ -8329,6 +8795,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replaceable></optional> {
     type stub;
     <optional> allow-query { <replaceable>address_match_list</replaceable> }; </optional>
+    <optional> allow-query-on { <replaceable>address_match_list</replaceable> }; </optional>
     <optional> check-names (<constant>warn</constant>|<constant>fail</constant>|<constant>ignore</constant>) ; </optional>
     <optional> dialup <replaceable>dialup_option</replaceable> ; </optional>
     <optional> delegation-only <replaceable>yes_or_no</replaceable> ; </optional>
@@ -8435,7 +8902,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                         <filename>ex/example.com</filename> where <filename>ex/</filename> is
                         just the first two letters of the zone name. (Most
                         operating systems
-                        behave very slowly if you put 100 000 files into
+                        behave very slowly if you put 100000 files into
                         a single directory.)
                       </para>
                     </entry>
@@ -8629,6 +9096,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
               <varlistentry>
+                <term><command>allow-query-on</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>allow-query-on</command> in <xref linkend="access_control"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
                 <term><command>allow-transfer</command></term>
                 <listitem>
                   <para>
@@ -8767,6 +9244,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                 </listitem>
               </varlistentry>
 
+	      <varlistentry>
+	        <term><command>try-tcp-refresh</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>try-tcp-refresh</command> in <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
               <varlistentry>
                 <term><command>database</command></term>
                 <listitem>
@@ -8882,6 +9369,16 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
               <varlistentry>
+                <term><command>max-journal-size</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>max-journal-size</command> in <xref linkend="server_resource_limits"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
                 <term><command>max-transfer-time-in</command></term>
                 <listitem>
                   <para>
@@ -8942,6 +9439,17 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
               <varlistentry>
+                <term><command>notify-to-soa</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>notify-to-soa</command> in
+		    <xref linkend="boolean_options"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
                 <term><command>pubkey</command></term>
                 <listitem>
                   <para>
@@ -8979,6 +9487,36 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               </varlistentry>
 
               <varlistentry>
+                <term><command>sig-signing-nodes</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-signing-signatures</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-signing-type</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-type</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
                 <term><command>transfer-source</command></term>
                 <listitem>
                   <para>
@@ -9067,6 +9605,10 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                   <para>
                     See the description of
                     <command>ixfr-from-differences</command> in <xref linkend="boolean_options"/>.
+		    (Note that the <command>ixfr-from-differences</command>
+		    <userinput>master</userinput> and
+		    <userinput>slave</userinput> choices are not
+		    available at the zone level.)
                   </para>
                 </listitem>
               </varlistentry>
@@ -9106,45 +9648,41 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
           </sect3>
           <sect3 id="dynamic_update_policies">
             <title>Dynamic Update Policies</title>
-            <para>
-              <acronym>BIND</acronym> 9 supports two alternative
-              methods of granting clients
-              the right to perform dynamic updates to a zone,
-              configured by the <command>allow-update</command>
-              and
-              <command>update-policy</command> option,
-              respectively.
-            </para>
-            <para>
-              The <command>allow-update</command> clause works the
-              same
-              way as in previous versions of <acronym>BIND</acronym>. It grants given clients the
-              permission to update any record of any name in the zone.
-            </para>
-            <para>
-              The <command>update-policy</command> clause is new
-              in <acronym>BIND</acronym>
-              9 and allows more fine-grained control over what updates are
-              allowed.
-              A set of rules is specified, where each rule either grants or
-              denies
-              permissions for one or more names to be updated by one or more
-              identities.
-              If the dynamic update request message is signed (that is, it
-              includes
-              either a TSIG or SIG(0) record), the identity of the signer can
-              be determined.
-            </para>
-            <para>
-              Rules are specified in the <command>update-policy</command> zone
-              option, and are only meaningful for master zones.  When the <command>update-policy</command> statement
-              is present, it is a configuration error for the <command>allow-update</command> statement
-              to be present.  The <command>update-policy</command>
-              statement only
-              examines the signer of a message; the source address is not
-              relevant.
-            </para>
-            <para>
+	    <para><acronym>BIND</acronym> 9 supports two alternative
+	      methods of granting clients the right to perform
+	      dynamic updates to a zone, configured by the
+	      <command>allow-update</command> and
+	      <command>update-policy</command> option, respectively.
+	    </para>
+	    <para>
+	      The <command>allow-update</command> clause works the
+	      same way as in previous versions of <acronym>BIND</acronym>.
+	      It grants given clients the permission to update any
+	      record of any name in the zone.
+	    </para>
+	    <para>
+	      The <command>update-policy</command> clause is new
+	      in <acronym>BIND</acronym> 9 and allows more fine-grained
+	      control over what updates are allowed.  A set of rules
+	      is specified, where each rule either grants or denies
+	      permissions for one or more names to be updated by
+	      one or more identities.  If the dynamic update request
+	      message is signed (that is, it includes either a TSIG
+	      or SIG(0) record), the identity of the signer can be
+	      determined.
+	    </para>
+	    <para>
+	      Rules are specified in the <command>update-policy</command>
+	      zone option, and are only meaningful for master zones.
+	      When the <command>update-policy</command> statement
+	      is present, it is a configuration error for the
+	      <command>allow-update</command> statement to be
+	      present.  The <command>update-policy</command> statement
+	      only examines the signer of a message; the source
+	      address is not relevant.
+	    </para>
+
+	    <para>
               This is how a rule definition looks:
             </para>
 
@@ -9162,29 +9700,40 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               matches
               the types specified in the type field.
             </para>
-
             <para>
-              The identity field specifies a name or a wildcard name.
-              Normally, this
-              is the name of the TSIG or SIG(0) key used to sign the update
-              request.  When a
-              TKEY exchange has been used to create a shared secret, the
-              identity of the
-              shared secret is the same as the identity of the key used to
-              authenticate the
-              TKEY exchange.  When the <replaceable>identity</replaceable> field specifies a
-              wildcard name, it is subject to DNS wildcard expansion, so the
-              rule will apply
-              to multiple identities.  The <replaceable>identity</replaceable> field must
-              contain a fully-qualified domain name.
-            </para>
+	      No signer is required for <replaceable>tcp-self</replaceable>
+	      or <replaceable>6to4-self</replaceable> however the standard
+	      reverse mapping / prefix conversion must match the identity
+	      field.
+	    </para>
+	    <para>
+	      The identity field specifies a name or a wildcard
+	      name.  Normally, this is the name of the TSIG or
+	      SIG(0) key used to sign the update request.  When a
+	      TKEY exchange has been used to create a shared secret,
+	      the identity of the shared secret is the same as the
+	      identity of the key used to authenticate the TKEY
+	      exchange.  TKEY is also the negotiation method used
+	      by GSS-TSIG, which establishes an identity that is
+	      the Kerberos principal of the client, such as
+	      <userinput>"user@host.domain"</userinput>.  When the
+	      <replaceable>identity</replaceable> field specifies
+	      a wildcard name, it is subject to DNS wildcard
+	      expansion, so the rule will apply to multiple identities.
+	      The <replaceable>identity</replaceable> field must
+	      contain a fully-qualified domain name.
+	    </para>
 
             <para>
-              The <replaceable>nametype</replaceable> field has 6
+              The <replaceable>nametype</replaceable> field has 12
               values:
               <varname>name</varname>, <varname>subdomain</varname>,
               <varname>wildcard</varname>, <varname>self</varname>,
-	       <varname>selfsub</varname>, and <varname>selfwild</varname>.
+	      <varname>selfsub</varname>, <varname>selfwild</varname>,
+	      <varname>krb5-self</varname>, <varname>ms-self</varname>,
+	      <varname>krb5-subdomain</varname>,
+	      <varname>ms-subdomain</varname>,
+	      <varname>tcp-self</varname> and <varname>6to4-self</varname>.
             </para>
             <informaltable>
               <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
@@ -9283,6 +9832,43 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
 		      </para>
 		    </entry>
 		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>tcp-self</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			Allow updates that have been sent via TCP and
+			for which the standard mapping from the initiating
+			IP address into the IN-ADDR.ARPA and IP6.ARPA
+			namespaces match the name to be updated.
+		      </para>
+		      <note>
+			It is theoretically possible to spoof these TCP
+			sessions.
+		      </note>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para>
+			<varname>6to4-self</varname>
+		      </para>
+		    </entry> <entry colname="2">
+		      <para>
+			Allow the 6to4 prefix to be update by any TCP
+			conection from the 6to4 network or from the
+			corresponding IPv4 address.  This is intended
+			to allow NS or DNAME RRsets to be added to the
+			reverse tree.
+		      </para>
+		      <note>
+			It is theoretically possible to spoof these TCP
+			sessions.
+		      </note>
+		    </entry>
+		  </row>
                 </tbody>
               </tgroup>
             </informaltable>
@@ -9293,16 +9879,15 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
               specify a fully-qualified domain name.
             </para>
 
-            <para>
-              If no types are explicitly specified, this rule matches all
-              types except
-              RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
-              "ANY" (ANY matches all types except NSEC, which can never be
-              updated).
-              Note that when an attempt is made to delete all records
-              associated with a
-              name, the rules are checked for each existing record type.
-            </para>
+	    <para>
+	      If no types are explicitly specified, this rule matches
+	      all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+	      may be specified by name, including "ANY" (ANY matches
+	      all types except NSEC and NSEC3, which can never be
+	      updated).  Note that when an attempt is made to delete
+	      all records associated with a name, the rules are
+	      checked for each existing record type.
+	    </para>
           </sect3>
         </sect2>
       </sect1>
@@ -9514,6 +10099,19 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                   <row rowsep="0">
                     <entry colname="1">
                       <para>
+                        DHCID
+                      </para>
+                    </entry>
+                    <entry colname="2">
+                      <para>
+			Is used for identifying which DHCP client is
+			associated with this name.  Described in RFC 4701.
+                      </para>
+                    </entry>
+                  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
                         DNAME
                       </para>
                     </entry>
@@ -9720,6 +10318,40 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                   <row rowsep="0">
                     <entry colname="1">
                       <para>
+                        NSEC3
+                      </para>
+                    </entry>
+		    <entry colname="2">
+		      <para>
+			Used in DNSSECbis to securely indicate that
+			RRs with an owner name in a certain name
+			interval do not exist in a zone and indicate
+			what RR types are present for an existing
+			name.  NSEC3 differs from NSEC in that it
+			prevents zone enumeration but is more
+			computationally expensive on both the server
+			and the client than NSEC.  Described in RFC
+			5155.
+		      </para>
+		    </entry>
+		  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
+                        NSEC3PARAM
+                      </para>
+                    </entry>
+		    <entry colname="2">
+		      <para>
+			Used in DNSSECbis to tell the authoritative
+			server which NSEC3 chains are available to use.
+			Described in RFC 5155.
+		      </para>
+		    </entry>
+		  </row>
+                  <row rowsep="0">
+                    <entry colname="1">
+                      <para>
                         NXT
                       </para>
                     </entry>
@@ -9865,7 +10497,7 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                     </entry>
                     <entry colname="2">
                       <para>
-			Provides a way to securly publish a secure shell key's
+			Provides a way to securely publish a secure shell key's
 			fingerprint.  Described in RFC 4255.
                       </para>
                     </entry>
@@ -10250,8 +10882,6 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
             the mail will be delivered to the server specified in the MX
             record
             pointed to by the CNAME.
-          </para>
-	  <para>
             For example:
           </para>
           <informaltable colsep="0" rowsep="0">
@@ -10690,7 +11320,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 		      describes the owner name of the resource records
                       to be created.  Any single <command>$</command>
                       (dollar sign)
-                      symbols within the <command>lhs</command> side
+                      symbols within the <command>lhs</command> string
                       are replaced by the iterator value.
 
                       To get a $ in the output, you need to escape the
@@ -10734,7 +11364,7 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
                     <para>
 		      Specifies the time-to-live of the generated records. If
                       not specified this will be inherited using the
-                      normal ttl inheritance rules.
+                      normal TTL inheritance rules.
                     </para>
                     <para><command>class</command>
 		      and <command>ttl</command> can be
@@ -10834,15 +11464,1526 @@ $GENERATE 1-127 $ CNAME $.0</programlisting>
 	  </para>
 	</sect2>
       </sect1>
+
+      <sect1 id="statistics">
+        <title>BIND9 Statistics</title>
+        <para>
+	  <acronym>BIND</acronym> 9 maintains lots of statistics
+	  information and provides several interfaces for users to
+	  get access to the statistics.
+	  The available statistics include all statistics counters
+	  that were available in <acronym>BIND</acronym> 8 and
+	  are meaningful in <acronym>BIND</acronym> 9,
+	  and other information that is considered useful.
+        </para>
+
+        <para>
+	  The statistics information is categorized into the following
+	  sections.
+        </para>
+
+	<informaltable frame="all">
+          <tgroup cols="2">
+            <colspec colname="1" colnum="1" colsep="0" colwidth="3.300in"/>
+            <colspec colname="2" colnum="2" colsep="0" colwidth="2.625in"/>
+            <tbody>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Incoming Requests</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    The number of incoming DNS requests for each OPCODE.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Incoming Queries</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+		    The number of incoming queries for each RR type.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Outgoing Queries</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    The number of outgoing queries for each RR
+                    type sent from the internal resolver.
+		    Maintained per view.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Name Server Statistics</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Statistics counters about incoming request processing.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Zone Maintenance Statistics</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Statistics counters regarding zone maintenance
+                    operations such as zone transfers.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Resolver Statistics</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Statistics counters about name resolution
+                    performed in the internal resolver.
+		    Maintained per view.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Cache DB RRsets</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    The number of RRsets per RR type (positive
+                    or negative) and nonexistent names stored in the
+                    cache database.
+		    Maintained per view.
+                  </para>
+                </entry>
+	      </row>
+
+	      <row rowsep="0">
+                <entry colname="1">
+                  <para>Socket I/O Statistics</para>
+                </entry>
+                <entry colname="2">
+                  <para>
+                    Statistics counters about network related events.
+                  </para>
+                </entry>
+	      </row>
+
+	    </tbody>
+	  </tgroup>
+	</informaltable>
+
+	<para>
+	  A subset of Name Server Statistics is collected and shown
+	  per zone for which the server has the authority when
+	  <command>zone-statistics</command> is set to
+	  <userinput>yes</userinput>.
+	  These statistics counters are shown with their zone and view
+	  names.
+	  In some cases the view names are omitted for the default view.
+	</para>
+
+	<para>
+	  There are currently two user interfaces to get access to the
+	  statistics.
+	  One is in the plain text format dumped to the file specified
+	  by the <command>statistics-file</command> configuration option.
+	  The other is remotely accessible via a statistics channel
+	  when the <command>statistics-channels</command> statement
+	  is specified in the configuration file
+	  (see <xref linkend="statschannels"/>.)
+	</para>
+
+        <sect3 id="statsfile">
+          <title>The Statistics File</title>
+          <para>
+            The text format statistics dump begins with a line, like:
+	  </para>
+          <para>
+	    <command>+++ Statistics Dump +++ (973798949)</command>
+	  </para>
+	  <para>
+	    The number in parentheses is a standard
+            Unix-style timestamp, measured as seconds since January 1, 1970.
+
+            Following
+            that line is a set of statistics information, which is categorized
+            as described above.
+	    Each section begins with a line, like:
+	  </para>
+
+	  <para>
+	    <command>++ Name Server Statistics ++</command>
+	  </para>
+
+	  <para>
+	    Each section consists of lines, each containing the statistics
+	    counter value followed by its textual description.
+	    See below for available counters.
+	    For brevity, counters that have a value of 0 are not shown
+	    in the statistics file.
+	  </para>
+
+	  <para>
+	    The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          </para>
+          <para>
+	    <command>--- Statistics Dump --- (973798949)</command>
+          </para>
+	</sect3>
+
+        <sect2 id="statistics_counters">
+	  <title>Statistics Counters</title>
+	  <para>
+	    The following tables summarize statistics counters that
+	    <acronym>BIND</acronym> 9 provides.
+	    For each row of the tables, the leftmost column is the
+	    abbreviated symbol name of that counter.
+	    These symbols are shown in the statistics information
+	    accessed via an HTTP statistics channel.
+	    The rightmost column gives the description of the counter,
+	    which is also shown in the statistics file
+	    (but, in this document, possibly with slight modification
+	    for better readability).
+	    Additional notes may also be provided in this column.
+	    When a middle column exists between these two columns,
+	    it gives the corresponding counter name of the
+	    <acronym>BIND</acronym> 8 statistics, if applicable.
+	  </para>
+
+	  <sect3>
+            <title>Name Server Statistics Counters</title>
+
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+		<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+		<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
+		<tbody>
+		  <row>
+		    <entry colname="1">
+                      <para>
+			<emphasis>Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="2">
+                      <para>
+			<emphasis>BIND8 Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="3">
+                      <para>
+			<emphasis>Description</emphasis>
+                      </para>
+		    </entry>
+		  </row>
+
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Requestv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv4 requests received.
+			Note: this also counts non query requests.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Requestv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv6 requests received.
+			Note: this also counts non query requests.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqEdns0</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requests with EDNS(0) received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqBadEDNSVer</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requests with unsupported EDNS version received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqTSIG</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requests with TSIG received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqSIG0</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requests with SIG(0) received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqBadSIG</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requests with invalid (TSIG or SIG(0)) signature.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ReqTCP</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RTCP</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			TCP requests received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>AuthQryRej</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RUQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Authoritative (non recursive) queries rejected.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>RecQryRej</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RURQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Recursive queries rejected.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>XfrRej</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RUXFR</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Zone transfer requests rejected.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateRej</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RUUpd</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Dynamic update requests rejected.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Response</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SAns</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Responses sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>RespTruncated</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Truncated responses sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>RespEDNS0</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Responses with EDNS(0) sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>RespTSIG</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Responses with TSIG sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>RespSIG0</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Responses with SIG(0) sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QrySuccess</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in a successful answer.
+			This means the query which returns a NOERROR response
+			with at least one answer RR.
+			This corresponds to the
+			<command>success</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryAuthAns</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in authoritative answer.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryNoauthAns</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SNaAns</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in non authoritative answer.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryReferral</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in referral answer.
+			This corresponds to the
+			<command>referral</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryNxrrset</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in NOERROR responses with no data.
+			This corresponds to the
+			<command>nxrrset</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QrySERVFAIL</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SFail</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in SERVFAIL.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryFORMERR</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SFErr</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in FORMERR.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryNXDOMAIN</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SNXD</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries resulted in NXDOMAIN.
+			This corresponds to the
+			<command>nxdomain</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryRecursion</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RFwdQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries which caused the server
+			to perform recursion in order to find the final answer.
+			This corresponds to the
+			<command>recursion</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryDuplicate</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RDupQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries which the server attempted to
+			recurse but discovered an existing query with the same
+			IP address, port, query ID, name, type and class
+			already being processed.
+			This corresponds to the
+			<command>duplicate</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryDropped</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Recursive queries for which the server
+			discovered an excessive number of existing
+			recursive queries for the same name, type and
+			class and were subsequently dropped.
+			This is the number of dropped queries due to
+			the reason explained with the
+			<command>clients-per-query</command>
+			and
+			<command>max-clients-per-query</command>
+			options
+			(see the description about
+			<xref linkend="clients-per-query"/>.)
+			This corresponds to the
+			<command>dropped</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryFailure</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Other query failures.
+			This corresponds to the
+			<command>failure</command> counter
+			of previous versions of
+			<acronym>BIND</acronym> 9.
+			Note: this counter is provided mainly for
+			backward compatibility with the previous versions.
+			Normally a more fine-grained counters such as
+			<command>AuthQryRej</command> and
+			<command>RecQryRej</command>
+			that would also fall into this counter are provided,
+			and so this counter would not be of much
+			interest in practice.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>XfrReqDone</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Requested zone transfers completed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateReqFwd</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Update requests forwarded.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateRespFwd</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Update responses forwarded.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateFwdFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Dynamic update forward failed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateDone</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Dynamic updates completed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Dynamic updates failed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>UpdateBadPrereq</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Dynamic updates rejected due to prerequisite failure.
+		      </para>
+		    </entry>
+		  </row>
+		</tbody>
+              </tgroup>
+            </informaltable>
+          </sect3>
+
+	  <sect3>
+            <title>Zone Maintenance Statistics Counters</title>
+
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+		<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+		<tbody>
+		  <row>
+		    <entry colname="1">
+                      <para>
+			<emphasis>Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="2">
+                      <para>
+			<emphasis>Description</emphasis>
+                      </para>
+		    </entry>
+		  </row>
+
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NotifyOutv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv4 notifies sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NotifyOutv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv6 notifies sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NotifyInv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv4 notifies received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NotifyInv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv6 notifies received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NotifyRej</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Incoming notifies rejected.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>SOAOutv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv4 SOA queries sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>SOAOutv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv6 SOA queries sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>AXFRReqv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv4 AXFR requested.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>AXFRReqv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv6 AXFR requested.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>IXFRReqv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv4 IXFR requested.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>IXFRReqv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			IPv6 IXFR requested.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>XfrSuccess</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Zone transfer requests succeeded.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>XfrFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Zone transfer requests failed.
+		      </para>
+		    </entry>
+		  </row>
+		</tbody>
+              </tgroup>
+            </informaltable>
+	  </sect3>
+
+	  <sect3>
+            <title>Resolver Statistics Counters</title>
+
+            <informaltable colsep="0" rowsep="0">
+              <tgroup cols="3" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+		<colspec colname="2" colnum="2" colsep="0" colwidth="1.150in"/>
+		<colspec colname="3" colnum="3" colsep="0" colwidth="3.350in"/>
+		<tbody>
+		  <row>
+		    <entry colname="1">
+                      <para>
+			<emphasis>Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="2">
+                      <para>
+			<emphasis>BIND8 Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="3">
+                      <para>
+			<emphasis>Description</emphasis>
+                      </para>
+		    </entry>
+		  </row>
+
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Queryv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SFwdQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv4 queries sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Queryv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SFwdQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv6 queries sent.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Responsev4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RR</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv4 responses received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Responsev6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RR</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv6 responses received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>NXDOMAIN</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RNXD</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			NXDOMAIN received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>SERVFAIL</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RFail</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			SERVFAIL received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>FORMERR</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RFErr</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			FORMERR received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>OtherError</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RErr</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Other errors received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>EDNS0Fail</command></para>
+						 </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			EDNS(0) query failures.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Mismatch</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RDupR</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Mismatch responses received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Truncated</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Truncated responses received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Lame</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>RLame</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Lame delegations received.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>Retry</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SDupQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Query retries performed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QueryAbort</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Queries aborted due to quota control.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QuerySockFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Failures in opening query sockets.
+			One common reason for such failures is a
+			failure of opening a new socket due to a
+			limitation on file descriptors.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QueryTimeout</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Query timeouts.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>GlueFetchv4</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SSysQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv4 NS address fetches invoked.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>GlueFetchv6</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command>SSysQ</command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv6 NS address fetches invoked.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>GlueFetchv4Fail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv4 NS address fetch failed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>GlueFetchv6Fail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			IPv6 NS address fetch failed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ValAttempt</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			DNSSEC validation attempted.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ValOk</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			DNSSEC validation succeeded.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ValNegOk</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			DNSSEC validation on negative information succeeded.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>ValFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			DNSSEC validation failed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>QryRTTnn</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para><command></command></para>
+		    </entry>
+		    <entry colname="3">
+		      <para>
+			Frequency table on round trip times (RTTs) of
+			queries.
+			Each <command>nn</command> specifies the corresponding
+			frequency.
+			In the sequence of
+			<command>nn_1</command>,
+			<command>nn_2</command>,
+			...,
+			<command>nn_m</command>,
+			the value of <command>nn_i</command> is the
+			number of queries whose RTTs are between
+			<command>nn_(i-1)</command> (inclusive) and
+			<command>nn_i</command> (exclusive) milliseconds.
+			For the sake of convenience we define
+			<command>nn_0</command> to be 0.
+			The last entry should be represented as
+			<command>nn_m+</command>, which means the
+			number of queries whose RTTs are equal to or over
+			<command>nn_m</command> milliseconds.
+		      </para>
+		    </entry>
+		  </row>
+		</tbody>
+              </tgroup>
+            </informaltable>
+
+	  </sect3>
+
+	  <sect3>
+            <title>Socket I/O Statistics Counters</title>
+
+	    <para>
+	      Socket I/O statistics counters are defined per socket
+	      types, which are
+	      <command>UDP4</command> (UDP/IPv4),
+	      <command>UDP6</command> (UDP/IPv6),
+	      <command>TCP4</command> (TCP/IPv4),
+	      <command>TCP6</command> (TCP/IPv6),
+	      <command>Unix</command> (Unix Domain), and
+	      <command>FDwatch</command> (sockets opened outside the
+	      socket module).
+	      In the following table <command>&lt;TYPE&gt;</command>
+	      represents a socket type.
+	      Not all counters are available for all socket types;
+	      exceptions are noted in the description field.
+	    </para>
+
+	    <informaltable colsep="0" rowsep="0">
+              <tgroup cols="2" colsep="0" rowsep="0" tgroupstyle="4Level-table">
+		<colspec colname="1" colnum="1" colsep="0" colwidth="1.150in"/>
+		<colspec colname="2" colnum="2" colsep="0" colwidth="3.350in"/>
+		<tbody>
+		  <row>
+		    <entry colname="1">
+                      <para>
+			<emphasis>Symbol</emphasis>
+                      </para>
+		    </entry>
+		    <entry colname="2">
+                      <para>
+			<emphasis>Description</emphasis>
+                      </para>
+		    </entry>
+		  </row>
+
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;Open</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Sockets opened successfully.
+			This counter is not applicable to the
+			<command>FDwatch</command> type.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;OpenFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Failures of opening sockets.
+			This counter is not applicable to the
+			<command>FDwatch</command> type.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;Close</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Sockets closed.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;BindFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Failures of binding sockets.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;ConnFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Failures of connecting sockets.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;Conn</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Connections established successfully.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;AcceptFail</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Failures of accepting incoming connection requests.
+			This counter is not applicable to the
+			<command>UDP</command> and
+			<command>FDwatch</command> types.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;Accept</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Incoming connections successfully accepted.
+			This counter is not applicable to the
+			<command>UDP</command> and
+			<command>FDwatch</command> types.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;SendErr</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Errors in socket send operations.
+			This counter corresponds
+			to <command>SErr</command> counter of
+			<command>BIND</command> 8.
+		      </para>
+		    </entry>
+		  </row>
+		  <row rowsep="0">
+		    <entry colname="1">
+		      <para><command>&lt;TYPE&gt;RecvErr</command></para>
+		    </entry>
+		    <entry colname="2">
+		      <para>
+			Errors in socket receive operations.
+			This includes errors of send operations on a
+			connected UDP socket notified by an ICMP error
+			message.
+		      </para>
+		    </entry>
+		  </row>
+		</tbody>
+              </tgroup>
+	    </informaltable>
+	  </sect3>
+	  <sect3>
+            <title>Compatibility with <emphasis>BIND</emphasis> 8 Counters</title>
+	    <para>
+	      Most statistics counters that were available
+	      in <command>BIND</command> 8 are also supported in
+	      <command>BIND</command> 9 as shown in the above tables.
+	      Here are notes about other counters that do not appear
+	      in these tables.
+	    </para>
+
+            <variablelist>
+              <varlistentry>
+		<term><command>RFwdR,SFwdR</command></term>
+		<listitem>
+		  <para>
+		    These counters are not supported
+		    because <command>BIND</command> 9 does not adopt
+		    the notion of <emphasis>forwarding</emphasis>
+		    as <command>BIND</command> 8 did.
+		  </para>
+		</listitem>
+	      </varlistentry>
+
+              <varlistentry>
+		<term><command>RAXFR</command></term>
+		<listitem>
+		  <para>
+		    This counter is accessible in the Incoming Queries section.
+		  </para>
+		</listitem>
+	      </varlistentry>
+
+              <varlistentry>
+		<term><command>RIQ</command></term>
+		<listitem>
+		  <para>
+		    This counter is accessible in the Incoming Requests section.
+		  </para>
+		</listitem>
+	      </varlistentry>
+
+              <varlistentry>
+		<term><command>ROpts</command></term>
+		<listitem>
+		  <para>
+		    This counter is not supported
+		    because <command>BIND</command> 9 does not care
+		    about IP options in the first place.
+		  </para>
+		</listitem>
+	      </varlistentry>
+	    </variablelist>
+	  </sect3>
+        </sect2>
+      </sect1>
+
     </chapter>
     <chapter id="Bv9ARM.ch07">
       <title><acronym>BIND</acronym> 9 Security Considerations</title>
       <sect1 id="Access_Control_Lists">
         <title>Access Control Lists</title>
         <para>
-          Access Control Lists (ACLs), are address match lists that
+          Access Control Lists (ACLs) are address match lists that
           you can set up and nickname for future use in <command>allow-notify</command>,
-          <command>allow-query</command>, <command>allow-recursion</command>,
+          <command>allow-query</command>, <command>allow-query-on</command>,
+	  <command>allow-recursion</command>, <command>allow-recursion-on</command>,
           <command>blackhole</command>, <command>allow-transfer</command>,
           etc.
         </para>
@@ -10904,11 +13045,13 @@ zone "example.com" {
       <sect1>
         <title><command>Chroot</command> and <command>Setuid</command></title>
         <para>
-          On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
-          (using the <command>chroot()</command> function) by specifying the "<option>-t</option>"
-          option. This can help improve system security by placing <acronym>BIND</acronym> in
-          a "sandbox", which will limit the damage done if a server is
-          compromised.
+	  On UNIX servers, it is possible to run <acronym>BIND</acronym>
+	  in a <emphasis>chrooted</emphasis> environment (using
+	  the <command>chroot()</command> function) by specifying
+	  the "<option>-t</option>" option for <command>named</command>.
+	  This can help improve system security by placing
+	  <acronym>BIND</acronym> in a "sandbox", which will limit
+	  the damage done if a server is compromised.
         </para>
         <para>
           Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
@@ -10921,7 +13064,7 @@ zone "example.com" {
           user 202:
         </para>
         <para>
-          <userinput>/usr/local/bin/named -u 202 -t /var/named</userinput>
+          <userinput>/usr/local/sbin/named -u 202 -t /var/named</userinput>
         </para>
 
         <sect2>
@@ -11187,11 +13330,9 @@ zone "example.com" {
 	    BIND architecture.
           </para>
           <para>
-	    BIND version 4 is officially deprecated and BIND version
-	    8 development is considered maintenance-only in favor
-	    of BIND version 9. No additional development is done
-	    on BIND version 4 or BIND version 8 other than for
-	    security-related patches.
+	    BIND versions 4 and 8 are officially deprecated.
+	    No additional development is done
+	    on BIND version 4 or BIND version 8.
           </para>
           <para>
             <acronym>BIND</acronym> development work is made
@@ -11554,7 +13695,7 @@ zone "example.com" {
 		<pubdate>March 2005</pubdate>
 	      </biblioentry>
 	      <biblioentry>
-	        <abbrev>RFC4044</abbrev>
+	        <abbrev>RFC4034</abbrev>
 	 	<authorgroup>
 		  <author>
 		    <firstname>R.</firstname>
@@ -12518,13 +14659,15 @@ zone "example.com" {
       <title>Manual pages</title>
       <xi:include href="../../bin/dig/dig.docbook"/>
       <xi:include href="../../bin/dig/host.docbook"/>
+      <xi:include href="../../bin/dnssec/dnssec-dsfromkey.docbook"/>
+      <xi:include href="../../bin/dnssec/dnssec-keyfromlabel.docbook"/>
       <xi:include href="../../bin/dnssec/dnssec-keygen.docbook"/>
       <xi:include href="../../bin/dnssec/dnssec-signzone.docbook"/>
       <xi:include href="../../bin/check/named-checkconf.docbook"/>
       <xi:include href="../../bin/check/named-checkzone.docbook"/>
       <xi:include href="../../bin/named/named.docbook"/>
       <!-- named.conf.docbook and others? -->
-      <!-- nsupdate gives db2latex indigestion, markup problems? -->
+      <xi:include href="../../bin/nsupdate/nsupdate.docbook"/>
       <xi:include href="../../bin/rndc/rndc.docbook"/>
       <xi:include href="../../bin/rndc/rndc.conf.docbook"/>
       <xi:include href="../../bin/rndc/rndc-confgen.docbook"/>
diff --git a/doc/arm/Bv9ARM.ch01.html b/doc/arm/Bv9ARM.ch01.html
index 76a4bb7..320a867 100644
--- a/doc/arm/Bv9ARM.ch01.html
+++ b/doc/arm/Bv9ARM.ch01.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch01.html,v 1.16.18.26 2008/05/24 01:31:10 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch01.html,v 1.43.48.2 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,17 +45,17 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563405">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564385">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564524">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564637">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564659">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564693">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564845">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567243">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567416">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567546">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -71,7 +71,7 @@
     </p>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2563405"></a>Scope of Document</h2></div></div></div>
+<a name="id2563409"></a>Scope of Document</h2></div></div></div>
 <p>
         The Berkeley Internet Name Domain
         (<acronym class="acronym">BIND</acronym>) implements a
@@ -82,30 +82,30 @@
         system administrators.
       </p>
 <p>
-        This version of the manual corresponds to BIND version 9.4.
+        This version of the manual corresponds to BIND version 9.6.
       </p>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564385"></a>Organization of This Document</h2></div></div></div>
+<a name="id2564388"></a>Organization of This Document</h2></div></div></div>
 <p>
-        In this document, <span class="emphasis"><em>Section 1</em></span> introduces
-        the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Section 2</em></span>
+        In this document, <span class="emphasis"><em>Chapter 1</em></span> introduces
+        the basic <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym> concepts. <span class="emphasis"><em>Chapter 2</em></span>
         describes resource requirements for running <acronym class="acronym">BIND</acronym> in various
-        environments. Information in <span class="emphasis"><em>Section 3</em></span> is
+        environments. Information in <span class="emphasis"><em>Chapter 3</em></span> is
         <span class="emphasis"><em>task-oriented</em></span> in its presentation and is
         organized functionally, to aid in the process of installing the
         <acronym class="acronym">BIND</acronym> 9 software. The task-oriented
         section is followed by
-        <span class="emphasis"><em>Section 4</em></span>, which contains more advanced
+        <span class="emphasis"><em>Chapter 4</em></span>, which contains more advanced
         concepts that the system administrator may need for implementing
-        certain options. <span class="emphasis"><em>Section 5</em></span>
+        certain options. <span class="emphasis"><em>Chapter 5</em></span>
         describes the <acronym class="acronym">BIND</acronym> 9 lightweight
-        resolver.  The contents of <span class="emphasis"><em>Section 6</em></span> are
+        resolver.  The contents of <span class="emphasis"><em>Chapter 6</em></span> are
         organized as in a reference manual to aid in the ongoing
-        maintenance of the software. <span class="emphasis"><em>Section 7</em></span> addresses
+        maintenance of the software. <span class="emphasis"><em>Chapter 7</em></span> addresses
         security considerations, and
-        <span class="emphasis"><em>Section 8</em></span> contains troubleshooting help. The
+        <span class="emphasis"><em>Chapter 8</em></span> contains troubleshooting help. The
         main body of the document is followed by several
         <span class="emphasis"><em>appendices</em></span> which contain useful reference
         information, such as a <span class="emphasis"><em>bibliography</em></span> and
@@ -116,7 +116,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564524"></a>Conventions Used in This Document</h2></div></div></div>
+<a name="id2564528"></a>Conventions Used in This Document</h2></div></div></div>
 <p>
         In this document, we use the following general typographic
         conventions:
@@ -243,7 +243,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2564637"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
+<a name="id2564641"></a>The Domain Name System (<acronym class="acronym">DNS</acronym>)</h2></div></div></div>
 <p>
         The purpose of this document is to explain the installation
         and upkeep of the <acronym class="acronym">BIND</acronym> (Berkeley Internet
@@ -253,7 +253,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2564659"></a>DNS Fundamentals</h3></div></div></div>
+<a name="id2564662"></a>DNS Fundamentals</h3></div></div></div>
 <p>
           The Domain Name System (DNS) is a hierarchical, distributed
           database.  It stores information for mapping Internet host names to
@@ -267,13 +267,15 @@
           more <span class="emphasis"><em>name servers</em></span> and interprets the responses.
           The <acronym class="acronym">BIND</acronym> 9 software distribution
           contains a
-          name server, <span><strong class="command">named</strong></span>, and two resolver
-          libraries, <span><strong class="command">liblwres</strong></span> and <span><strong class="command">libbind</strong></span>.
+          name server, <span><strong class="command">named</strong></span>, and a resolver
+          library, <span><strong class="command">liblwres</strong></span>.  The older
+          <span><strong class="command">libbind</strong></span> resolver library is also available
+          from ISC as a separate download.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2564693"></a>Domains and Domain Names</h3></div></div></div>
+<a name="id2564696"></a>Domains and Domain Names</h3></div></div></div>
 <p>
           The data stored in the DNS is identified by <span class="emphasis"><em>domain names</em></span> that are organized as a tree according to
           organizational or administrative boundaries. Each node of the tree,
@@ -319,7 +321,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2564845"></a>Zones</h3></div></div></div>
+<a name="id2567170"></a>Zones</h3></div></div></div>
 <p>
           To properly operate a name server, it is important to understand
           the difference between a <span class="emphasis"><em>zone</em></span>
@@ -372,7 +374,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2567243"></a>Authoritative Name Servers</h3></div></div></div>
+<a name="id2567246"></a>Authoritative Name Servers</h3></div></div></div>
 <p>
           Each zone is served by at least
           one <span class="emphasis"><em>authoritative name server</em></span>,
@@ -389,7 +391,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2567267"></a>The Primary Master</h4></div></div></div>
+<a name="id2567270"></a>The Primary Master</h4></div></div></div>
 <p>
             The authoritative server where the master copy of the zone
             data is maintained is called the
@@ -409,7 +411,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2567297"></a>Slave Servers</h4></div></div></div>
+<a name="id2567300"></a>Slave Servers</h4></div></div></div>
 <p>
             The other authoritative servers, the <span class="emphasis"><em>slave</em></span>
             servers (also known as <span class="emphasis"><em>secondary</em></span> servers)
@@ -425,7 +427,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2567386"></a>Stealth Servers</h4></div></div></div>
+<a name="id2567389"></a>Stealth Servers</h4></div></div></div>
 <p>
             Usually all of the zone's authoritative servers are listed in
             NS records in the parent zone.  These NS records constitute
@@ -460,7 +462,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2567416"></a>Caching Name Servers</h3></div></div></div>
+<a name="id2567419"></a>Caching Name Servers</h3></div></div></div>
 <p>
           The resolver libraries provided by most operating systems are
           <span class="emphasis"><em>stub resolvers</em></span>, meaning that they are not
@@ -487,7 +489,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2567520"></a>Forwarding</h4></div></div></div>
+<a name="id2567523"></a>Forwarding</h4></div></div></div>
 <p>
             Even a caching name server does not necessarily perform
             the complete recursive lookup itself.  Instead, it can
@@ -514,7 +516,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2567546"></a>Name Servers in Multiple Roles</h3></div></div></div>
+<a name="id2567549"></a>Name Servers in Multiple Roles</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> name server can
           simultaneously act as
diff --git a/doc/arm/Bv9ARM.ch02.html b/doc/arm/Bv9ARM.ch02.html
index f2abce4..831e7a1 100644
--- a/doc/arm/Bv9ARM.ch02.html
+++ b/doc/arm/Bv9ARM.ch02.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch02.html,v 1.13.18.28 2008/09/12 01:32:08 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch02.html,v 1.38.56.1 2009/01/08 01:50:59 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,16 +45,16 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567580">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567607">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567851">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567862">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567580"></a>Hardware requirements</h2></div></div></div>
+<a name="id2567584"></a>Hardware requirements</h2></div></div></div>
 <p>
         <acronym class="acronym">DNS</acronym> hardware requirements have
         traditionally been quite modest.
@@ -73,7 +73,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567607"></a>CPU Requirements</h2></div></div></div>
+<a name="id2567610"></a>CPU Requirements</h2></div></div></div>
 <p>
         CPU requirements for <acronym class="acronym">BIND</acronym> 9 range from
         i486-class machines
@@ -84,7 +84,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567620"></a>Memory Requirements</h2></div></div></div>
+<a name="id2567623"></a>Memory Requirements</h2></div></div></div>
 <p>
         The memory of the server has to be large enough to fit the
         cache and zones loaded off disk.  The <span><strong class="command">max-cache-size</strong></span>
@@ -107,7 +107,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567851"></a>Name Server Intensive Environment Issues</h2></div></div></div>
+<a name="id2567854"></a>Name Server Intensive Environment Issues</h2></div></div></div>
 <p>
         For name server intensive environments, there are two alternative
         configurations that may be used. The first is where clients and
@@ -124,14 +124,16 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2567862"></a>Supported Operating Systems</h2></div></div></div>
+<a name="id2567865"></a>Supported Operating Systems</h2></div></div></div>
 <p>
         ISC <acronym class="acronym">BIND</acronym> 9 compiles and runs on a large
-        number of Unix-like operating systems, and on some versions of
-        Microsoft Windows including Windows XP, Windows 2003, and
-        Windows 2008.  For an up-to-date list of supported systems,
-        see the README file in the top level directory of the BIND 9
-        source distribution.
+        number
+        of Unix-like operating systems and on NT-derived versions of
+        Microsoft Windows such as Windows 2000 and Windows XP.  For an
+        up-to-date
+        list of supported systems, see the README file in the top level
+        directory
+        of the BIND 9 source distribution.
       </p>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.ch03.html b/doc/arm/Bv9ARM.ch03.html
index 4d39c51..9964823 100644
--- a/doc/arm/Bv9ARM.ch03.html
+++ b/doc/arm/Bv9ARM.ch03.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch03.html,v 1.35.18.36 2008/05/24 01:31:10 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch03.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,19 +47,19 @@
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567894">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567910">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568001">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568423">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568428">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570142">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <p>
-      In this section we provide some suggested configurations along
+      In this chapter we provide some suggested configurations along
       with guidelines for their use.  We suggest reasonable values for
       certain option settings.
     </p>
@@ -68,7 +68,7 @@
 <a name="sample_configuration"></a>Sample Configurations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2567894"></a>A Caching-only Name Server</h3></div></div></div>
+<a name="id2567897"></a>A Caching-only Name Server</h3></div></div></div>
 <p>
           The following sample configuration is appropriate for a caching-only
           name server for use by clients internal to a corporation.  All
@@ -95,7 +95,7 @@ zone "0.0.127.in-addr.arpa" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2567910"></a>An Authoritative-only Name Server</h3></div></div></div>
+<a name="id2567913"></a>An Authoritative-only Name Server</h3></div></div></div>
 <p>
           This sample configuration is for an authoritative-only server
           that is the master server for "<code class="filename">example.com</code>"
@@ -137,7 +137,7 @@ zone "eng.example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568001"></a>Load Balancing</h2></div></div></div>
+<a name="id2568004"></a>Load Balancing</h2></div></div></div>
 <p>
         A primitive form of load balancing can be achieved in
         the <acronym class="acronym">DNS</acronym> by using multiple records
@@ -280,10 +280,10 @@ zone "eng.example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2568423"></a>Name Server Operations</h2></div></div></div>
+<a name="id2568358"></a>Name Server Operations</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2568428"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
+<a name="id2568363"></a>Tools for Use With the Name Server Daemon</h3></div></div></div>
 <p>
           This section describes several indispensable diagnostic,
           administrative and monitoring tools available to the system
@@ -315,7 +315,7 @@ zone "eng.example.com" {
                 </p>
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [@<em class="replaceable"><code>server</code></em>]  <em class="replaceable"><code>domain</code></em>  [<em class="replaceable"><code>query-type</code></em>] [<em class="replaceable"><code>query-class</code></em>] [+<em class="replaceable"><code>query-option</code></em>] [-<em class="replaceable"><code>dig-option</code></em>] [%<em class="replaceable"><code>comment</code></em>]</p></div>
 <p>
-                  The usual simple use of dig will take the form
+                  The usual simple use of <span><strong class="command">dig</strong></span> will take the form
                 </p>
 <p>
                   <span><strong class="command">dig @server domain query-type query-class</strong></span>
@@ -541,8 +541,8 @@ zone "eng.example.com" {
                         Stop the server, making sure any recent changes
                         made through dynamic update or IXFR are first saved to
                         the master files of the updated zones.
-                        If -p is specified named's process id is returned.
-                        This allows an external process to determine when named
+                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+                        This allows an external process to determine when <span><strong class="command">named</strong></span>
                         had completed stopping.
                       </p></dd>
 <dt><span class="term"><strong class="userinput"><code>halt [<span class="optional">-p</span>]</code></strong></span></dt>
@@ -551,8 +551,8 @@ zone "eng.example.com" {
                         made through dynamic update or IXFR are not saved to
                         the master files, but will be rolled forward from the
                         journal files when the server is restarted.
-                        If -p is specified named's process id is returned.
-                        This allows an external process to determine when named
+                        If <code class="option">-p</code> is specified <span><strong class="command">named</strong></span>'s process id is returned.
+                        This allows an external process to determine when <span><strong class="command">named</strong></span>
                         had completed halting.
                       </p></dd>
 <dt><span class="term"><strong class="userinput"><code>trace</code></strong></span></dt>
@@ -586,9 +586,19 @@ zone "eng.example.com" {
                       </p></dd>
 <dt><span class="term"><strong class="userinput"><code>recursing</code></strong></span></dt>
 <dd><p>
-                        Dump the list of queries named is currently recursing
+                        Dump the list of queries <span><strong class="command">named</strong></span> is currently recursing
                         on.
                       </p></dd>
+<dt><span class="term"><strong class="userinput"><code>validation
+                        [<span class="optional">on|off</span>]
+                        [<span class="optional"><em class="replaceable"><code>view ...</code></em></span>]
+                    </code></strong></span></dt>
+<dd><p>
+                        Enable or disable DNSSEC validation.
+                        Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
+                        set to <strong class="userinput"><code>yes</code></strong> to be effective.
+                        It defaults to enabled.
+                      </p></dd>
 </dl></div>
 <p>
                   A configuration file is required, since all
@@ -651,7 +661,7 @@ zone "eng.example.com" {
                   with
                   <span><strong class="command">named</strong></span>.  Its syntax is
                   identical to the
-                  <span><strong class="command">key</strong></span> statement in named.conf.
+                  <span><strong class="command">key</strong></span> statement in <code class="filename">named.conf</code>.
                   The keyword <strong class="userinput"><code>key</code></strong> is
                   followed by a key name, which must be a valid
                   domain name, though it need not actually be hierarchical;
@@ -739,7 +749,7 @@ controls {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570142"></a>Signals</h3></div></div></div>
+<a name="id2570071"></a>Signals</h3></div></div></div>
 <p>
           Certain UNIX signals cause the name server to take specific
           actions, as described in the following table.  These signals can
diff --git a/doc/arm/Bv9ARM.ch04.html b/doc/arm/Bv9ARM.ch04.html
index e31d85d..123098e 100644
--- a/doc/arm/Bv9ARM.ch04.html
+++ b/doc/arm/Bv9ARM.ch04.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch04.html,v 1.40.18.46 2008/05/24 01:31:11 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch04.html,v 1.87.48.2 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -49,29 +49,29 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570600">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570618">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570985">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571127">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571138">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571177">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571416">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571430">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571547">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571684">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571753">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571832">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571975">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572173">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572195">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl>
 </div>
@@ -95,10 +95,10 @@
       </p>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
-        As a slave zone can also be a master to other slaves, named,
+        As a slave zone can also be a master to other slaves, <span><strong class="command">named</strong></span>,
         by default, sends <span><strong class="command">NOTIFY</strong></span> messages for every zone
         it loads.  Specifying <span><strong class="command">notify master-only;</strong></span> will
-        cause named to only send <span><strong class="command">NOTIFY</strong></span> for master
+        cause <span><strong class="command">named</strong></span> to only send <span><strong class="command">NOTIFY</strong></span> for master
         zones that it loads.
       </div>
 </div>
@@ -112,17 +112,22 @@
         in RFC 2136.
       </p>
 <p>
-        Dynamic update is enabled by
-        including an <span><strong class="command">allow-update</strong></span> or
-        <span><strong class="command">update-policy</strong></span> clause in the
-        <span><strong class="command">zone</strong></span> statement.
+        Dynamic update is enabled by including an
+        <span><strong class="command">allow-update</strong></span> or <span><strong class="command">update-policy</strong></span>
+        clause in the <span><strong class="command">zone</strong></span> statement.  The
+        <span><strong class="command">tkey-gssapi-credential</strong></span> and
+        <span><strong class="command">tkey-domain</strong></span> clauses in the
+        <span><strong class="command">options</strong></span>        statement enable the
+        server to negotiate keys that can be matched against those
+        in <span><strong class="command">update-policy</strong></span> or
+        <span><strong class="command">allow-update</strong></span>.
       </p>
 <p>
-        Updating of secure zones (zones using DNSSEC) follows
-        RFC 3007: RRSIG and NSEC records affected by updates are automatically
-            regenerated by the server using an online zone key.
-        Update authorization is based
-        on transaction signatures and an explicit server policy.
+        Updating of secure zones (zones using DNSSEC) follows RFC
+        3007: RRSIG, NSEC and NSEC3 records affected by updates are
+        automatically regenerated by the server using an online
+        zone key.  Update authorization is based on transaction
+        signatures and an explicit server policy.
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
@@ -205,7 +210,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2570600"></a>Split DNS</h2></div></div></div>
+<a name="id2564066"></a>Split DNS</h2></div></div></div>
 <p>
         Setting up different views, or visibility, of the DNS space to
         internal and external resolvers is usually referred to as a
@@ -235,7 +240,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570618"></a>Example split DNS setup</h3></div></div></div>
+<a name="id2564084"></a>Example split DNS setup</h3></div></div></div>
 <p>
         Let's say a company named <span class="emphasis"><em>Example, Inc.</em></span>
         (<code class="literal">example.com</code>)
@@ -481,7 +486,7 @@ nameserver 172.16.72.4
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2570985"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
+<a name="id2571141"></a>Generate Shared Keys for Each Pair of Hosts</h3></div></div></div>
 <p>
           A shared secret is generated to be shared between <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host2</em></span>.
           An arbitrary key name is chosen: "host1-host2.". The key name must
@@ -489,7 +494,7 @@ nameserver 172.16.72.4
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571070"></a>Automatic Generation</h4></div></div></div>
+<a name="id2571158"></a>Automatic Generation</h4></div></div></div>
 <p>
             The following command will generate a 128-bit (16 byte) HMAC-MD5
             key as described above. Longer keys are better, but shorter keys
@@ -514,7 +519,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2571109"></a>Manual Generation</h4></div></div></div>
+<a name="id2571196"></a>Manual Generation</h4></div></div></div>
 <p>
             The shared secret is simply a random sequence of bits, encoded
             in base-64. Most ASCII strings are valid base-64 strings (assuming
@@ -529,7 +534,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571127"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
+<a name="id2571214"></a>Copying the Shared Secret to Both Machines</h3></div></div></div>
 <p>
           This is beyond the scope of DNS. A secure transport mechanism
           should be used. This could be secure FTP, ssh, telephone, etc.
@@ -537,7 +542,7 @@ nameserver 172.16.72.4
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571138"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
+<a name="id2571225"></a>Informing the Servers of the Key's Existence</h3></div></div></div>
 <p>
           Imagine <span class="emphasis"><em>host1</em></span> and <span class="emphasis"><em>host 2</em></span>
           are
@@ -550,7 +555,7 @@ key host1-host2. {
 };
 </pre>
 <p>
-          The algorithm, hmac-md5, is the only one supported by <acronym class="acronym">BIND</acronym>.
+          The algorithm, <code class="literal">hmac-md5</code>, is the only one supported by <acronym class="acronym">BIND</acronym>.
           The secret is the one generated above. Since this is a secret, it
           is recommended that either <code class="filename">named.conf</code> be non-world
           readable, or the key directive be added to a non-world readable
@@ -566,7 +571,7 @@ key host1-host2. {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571177"></a>Instructing the Server to Use the Key</h3></div></div></div>
+<a name="id2571268"></a>Instructing the Server to Use the Key</h3></div></div></div>
 <p>
           Since keys are shared between two hosts only, the server must
           be told when keys are to be used. The following is added to the <code class="filename">named.conf</code> file
@@ -598,7 +603,7 @@ server 10.1.2.3 {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571303"></a>TSIG Key Based Access Control</h3></div></div></div>
+<a name="id2571325"></a>TSIG Key Based Access Control</h3></div></div></div>
 <p>
           <acronym class="acronym">BIND</acronym> allows IP addresses and ranges
           to be specified in ACL
@@ -609,24 +614,24 @@ server 10.1.2.3 {
           be denoted <span><strong class="command">key host1-host2.</strong></span>
         </p>
 <p>
-          An example of an allow-update directive would be:
+          An example of an <span><strong class="command">allow-update</strong></span> directive would be:
         </p>
 <pre class="programlisting">
 allow-update { key host1-host2. ;};
 </pre>
 <p>
           This allows dynamic updates to succeed only if the request
-          was signed by a key named
-          "<span><strong class="command">host1-host2.</strong></span>".
+          was signed by a key named "<span><strong class="command">host1-host2.</strong></span>".
         </p>
 <p>
-          You may want to read about the more
-          powerful <span><strong class="command">update-policy</strong></span> statement in <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
+          You may want to read about the more powerful
+          <span><strong class="command">update-policy</strong></span> statement in
+          <a href="Bv9ARM.ch06.html#dynamic_update_policies" title="Dynamic Update Policies">the section called &#8220;Dynamic Update Policies&#8221;</a>.
         </p>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571416"></a>Errors</h3></div></div></div>
+<a name="id2571510"></a>Errors</h3></div></div></div>
 <p>
           The processing of TSIG signed messages can result in
           several errors. If a signed message is sent to a non-TSIG aware
@@ -652,7 +657,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571430"></a>TKEY</h2></div></div></div>
+<a name="id2571524"></a>TKEY</h2></div></div></div>
 <p><span><strong class="command">TKEY</strong></span>
         is a mechanism for automatically generating a shared secret
         between two hosts.  There are several "modes" of
@@ -688,10 +693,10 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571547"></a>SIG(0)</h2></div></div></div>
+<a name="id2571709"></a>SIG(0)</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 partially supports DNSSEC SIG(0)
-            transaction signatures as specified in RFC 2535 and RFC2931.
+            transaction signatures as specified in RFC 2535 and RFC 2931.
         SIG(0)
         uses public/private keys to authenticate messages.  Access control
         is performed in the same manner as TSIG keys; privileges can be
@@ -749,7 +754,7 @@ allow-update { key host1-host2. ;};
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571684"></a>Generating Keys</h3></div></div></div>
+<a name="id2571778"></a>Generating Keys</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-keygen</strong></span> program is used to
           generate keys.
@@ -793,6 +798,11 @@ allow-update { key host1-host2. ;};
           a different key tag), repeat the above command.
         </p>
 <p>
+          The <span><strong class="command">dnssec-keyfromlabel</strong></span> program is used
+          to get a key pair from a crypto hardware and build the key
+          files. Its usage is similar to <span><strong class="command">dnssec-keygen</strong></span>.
+        </p>
+<p>
           The public keys should be inserted into the zone file by
           including the <code class="filename">.key</code> files using
           <span><strong class="command">$INCLUDE</strong></span> statements.
@@ -800,22 +810,20 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571753"></a>Signing the Zone</h3></div></div></div>
+<a name="id2571925"></a>Signing the Zone</h3></div></div></div>
 <p>
           The <span><strong class="command">dnssec-signzone</strong></span> program is used
-          to
-          sign a zone.
+          to sign a zone.
         </p>
 <p>
-          Any <code class="filename">keyset</code> files corresponding
-          to secure subzones should be present.  The zone signer will
-          generate <code class="literal">NSEC</code> and <code class="literal">RRSIG</code>
-          records for the zone, as well as <code class="literal">DS</code>
-          for
-          the child zones if <code class="literal">'-d'</code> is specified.
-                If <code class="literal">'-d'</code> is not specified, then
-          DS RRsets for
-          the secure child zones need to be added manually.
+          Any <code class="filename">keyset</code> files corresponding to
+          secure subzones should be present.  The zone signer will
+          generate <code class="literal">NSEC</code>, <code class="literal">NSEC3</code>
+          and <code class="literal">RRSIG</code> records for the zone, as
+          well as <code class="literal">DS</code> for the child zones if
+          <code class="literal">'-g'</code> is specified.  If <code class="literal">'-g'</code>
+          is not specified, then DS RRsets for the secure child
+          zones need to be added manually.
         </p>
 <p>
           The following command signs the zone, assuming it is in a
@@ -844,7 +852,7 @@ allow-update { key host1-host2. ;};
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2571832"></a>Configuring Servers</h3></div></div></div>
+<a name="id2572006"></a>Configuring Servers</h3></div></div></div>
 <p>
           To enable <span><strong class="command">named</strong></span> to respond appropriately
           to DNS requests from DNSSEC aware clients,
@@ -881,7 +889,7 @@ allow-update { key host1-host2. ;};
           more public keys for the root.  This allows answers from
           outside the organization to be validated.  It will also
           have several keys for parts of the namespace the organization
-          controls.  These are here to ensure that named is immune
+          controls.  These are here to ensure that <span><strong class="command">named</strong></span> is immune
           to compromises in the DNSSEC components of the security
           of parent zones.
         </p>
@@ -932,7 +940,7 @@ options {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2571975"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
+<a name="id2572220"></a>IPv6 Support in <acronym class="acronym">BIND</acronym> 9</h2></div></div></div>
 <p>
         <acronym class="acronym">BIND</acronym> 9 fully supports all currently
         defined forms of IPv6
@@ -971,7 +979,7 @@ options {
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572173"></a>Address Lookups Using AAAA Records</h3></div></div></div>
+<a name="id2572282"></a>Address Lookups Using AAAA Records</h3></div></div></div>
 <p>
           The IPv6 AAAA record is a parallel to the IPv4 A record,
           and, unlike the deprecated A6 record, specifies the entire
@@ -990,7 +998,7 @@ host            3600    IN      AAAA    2001:db8::1
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2572195"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
+<a name="id2572304"></a>Address to Name Lookups Using Nibble Format</h3></div></div></div>
 <p>
           When looking up an address in nibble format, the address
           components are simply reversed, just as in IPv4, and
diff --git a/doc/arm/Bv9ARM.ch05.html b/doc/arm/Bv9ARM.ch05.html
index 33d1d0d..addc97a 100644
--- a/doc/arm/Bv9ARM.ch05.html
+++ b/doc/arm/Bv9ARM.ch05.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch05.html,v 1.33.18.38 2008/05/24 01:31:11 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch05.html,v 1.71.48.2 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,13 +45,13 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572228">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2572228"></a>The Lightweight Resolver Library</h2></div></div></div>
+<a name="id2572337"></a>The Lightweight Resolver Library</h2></div></div></div>
 <p>
         Traditionally applications have been linked with a stub resolver
         library that sends recursive DNS queries to a local caching name
diff --git a/doc/arm/Bv9ARM.ch06.html b/doc/arm/Bv9ARM.ch06.html
index e292906..10b7fd5 100644
--- a/doc/arm/Bv9ARM.ch06.html
+++ b/doc/arm/Bv9ARM.ch06.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch06.html,v 1.82.18.88 2008/10/18 01:29:58 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch06.html,v 1.201.14.8 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,54 +48,59 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573436">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574117"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574307"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574736"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574958"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575084"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576435"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576508"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576572"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576616"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576631"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585614"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585666"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585748"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587042"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587332"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588510"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589477">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591109">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591500">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592188">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592384">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592572"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 </dl>
 </div>
 <p>
@@ -221,27 +226,23 @@
 <td>
                 <p>
                   An IPv6 address, such as <span><strong class="command">2001:db8::1234</strong></span>.
-                  IPv6 scoped addresses that have ambiguity on their scope
-                  zones must be
-                  disambiguated by an appropriate zone ID with the percent
-                  character
-                  (`%') as delimiter.
-                  It is strongly recommended to use string zone names rather
-                  than
-                  numeric identifiers, in order to be robust against system
-                  configuration changes.
-                  However, since there is no standard mapping for such names
-                  and
-                  identifier values, currently only interface names as link
-                  identifiers
+                  IPv6 scoped addresses that have ambiguity on their
+                  scope zones must be disambiguated by an appropriate
+                  zone ID with the percent character (`%') as
+                  delimiter.  It is strongly recommended to use
+                  string zone names rather than numeric identifiers,
+                  in order to be robust against system configuration
+                  changes.  However, since there is no standard
+                  mapping for such names and identifier values,
+                  currently only interface names as link identifiers
                   are supported, assuming one-to-one mapping between
-                  interfaces and links.
-                  For example, a link-local address <span><strong class="command">fe80::1</strong></span> on the
-                  link attached to the interface <span><strong class="command">ne0</strong></span>
+                  interfaces and links.  For example, a link-local
+                  address <span><strong class="command">fe80::1</strong></span> on the link
+                  attached to the interface <span><strong class="command">ne0</strong></span>
                   can be specified as <span><strong class="command">fe80::1%ne0</strong></span>.
-                  Note that on most systems link-local addresses always have
-                  the
-                  ambiguity, and need to be disambiguated.
+                  Note that on most systems link-local addresses
+                  always have the ambiguity, and need to be
+                  disambiguated.
                 </p>
               </td>
 </tr>
@@ -294,6 +295,11 @@
                   netmask <span><strong class="command">255.0.0.0</strong></span> and <span><strong class="command">1.2.3.0/28</strong></span> is
                   network <span><strong class="command">1.2.3.0</strong></span> with netmask <span><strong class="command">255.255.255.240</strong></span>.
                 </p>
+                <p>
+                  When specifying a prefix involving a IPv6 scoped address
+                  the scope may be omitted.  In that case the prefix will
+                  match packets from any scope.
+                </p>
               </td>
 </tr>
 <tr>
@@ -455,7 +461,7 @@
 <a name="address_match_lists"></a>Address Match Lists</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573302"></a>Syntax</h4></div></div></div>
+<a name="id2573414"></a>Syntax</h4></div></div></div>
 <pre class="programlisting"><code class="varname">address_match_list</code> = address_match_list_element ;
   [<span class="optional"> address_match_list_element; ... </span>]
 <code class="varname">address_match_list_element</code> = [<span class="optional"> ! </span>] (ip_address [<span class="optional">/length</span>] |
@@ -464,14 +470,13 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573330"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573442"></a>Definition and Usage</h4></div></div></div>
 <p>
             Address match lists are primarily used to determine access
             control for various server operations. They are also used in
             the <span><strong class="command">listen-on</strong></span> and <span><strong class="command">sortlist</strong></span>
-            statements. The elements
-            which constitute an address match list can be any of the
-            following:
+            statements. The elements which constitute an address match
+            list can be any of the following:
           </p>
 <div class="itemizedlist"><ul type="disc">
 <li>an IP address (IPv4 or IPv6)</li>
@@ -488,61 +493,68 @@
 <p>
             Elements can be negated with a leading exclamation mark (`!'),
             and the match list names "any", "none", "localhost", and
-            "localnets"
-            are predefined. More information on those names can be found in
-            the description of the acl statement.
+            "localnets" are predefined. More information on those names
+            can be found in the description of the acl statement.
           </p>
 <p>
             The addition of the key clause made the name of this syntactic
             element something of a misnomer, since security keys can be used
             to validate access without regard to a host or network address.
-            Nonetheless,
-            the term "address match list" is still used throughout the
-            documentation.
+            Nonetheless, the term "address match list" is still used
+            throughout the documentation.
           </p>
 <p>
             When a given IP address or prefix is compared to an address
-            match list, the list is traversed in order until an element
-            matches.
+            match list, the comparison takes place in approximately O(1)
+            time.  However, key comparisons require that the list of keys
+            be traversed until a matching key is found, and therefore may
+            be somewhat slower.
+          </p>
+<p>
             The interpretation of a match depends on whether the list is being
-            used
-            for access control, defining listen-on ports, or in a sortlist,
-            and whether the element was negated.
+            used for access control, defining <span><strong class="command">listen-on</strong></span> ports, or in a
+            <span><strong class="command">sortlist</strong></span>, and whether the element was negated.
           </p>
 <p>
             When used as an access control list, a non-negated match
             allows access and a negated match denies access. If
             there is no match, access is denied. The clauses
             <span><strong class="command">allow-notify</strong></span>,
+            <span><strong class="command">allow-recursion</strong></span>,
+            <span><strong class="command">allow-recursion-on</strong></span>,
             <span><strong class="command">allow-query</strong></span>,
+            <span><strong class="command">allow-query-on</strong></span>,
             <span><strong class="command">allow-query-cache</strong></span>,
+            <span><strong class="command">allow-query-cache-on</strong></span>,
             <span><strong class="command">allow-transfer</strong></span>,
             <span><strong class="command">allow-update</strong></span>,
             <span><strong class="command">allow-update-forwarding</strong></span>, and
             <span><strong class="command">blackhole</strong></span> all use address match
-            lists.  Similarly, the listen-on option will cause the
-            server to not accept queries on any of the machine's
+            lists.  Similarly, the <span><strong class="command">listen-on</strong></span> option will cause the
+            server to refuse queries on any of the machine's
             addresses which do not match the list.
           </p>
 <p>
-            Because of the first-match aspect of the algorithm, an element
-            that defines a subset of another element in the list should come
-            before the broader element, regardless of whether either is
-            negated. For
-            example, in
-            <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span> the 1.2.3.13
-            element is
-            completely useless because the algorithm will match any lookup for
-            1.2.3.13 to the 1.2.3/24 element.
-            Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
-            that problem by having 1.2.3.13 blocked by the negation but all
-            other 1.2.3.* hosts fall through.
+            Order of insertion is significant.  If more than one element
+            in an ACL is found to match a given IP address or prefix,
+            preference will be given to the one that came
+            <span class="emphasis"><em>first</em></span> in the ACL definition.
+            Because of this first-match behavior, an element that
+            defines a subset of another element in the list should
+            come before the broader element, regardless of whether
+            either is negated. For example, in
+            <span><strong class="command">1.2.3/24; ! 1.2.3.13;</strong></span>
+            the 1.2.3.13 element is completely useless because the
+            algorithm will match any lookup for 1.2.3.13 to the 1.2.3/24
+            element.  Using <span><strong class="command">! 1.2.3.13; 1.2.3/24</strong></span> fixes
+            that problem by having 1.2.3.13 blocked by the negation, but
+            all other 1.2.3.* hosts fall through.
           </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2573436"></a>Comment Syntax</h3></div></div></div>
+<a name="id2573716"></a>Comment Syntax</h3></div></div></div>
 <p>
           The <acronym class="acronym">BIND</acronym> 9 comment syntax allows for
           comments to appear
@@ -552,7 +564,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573588"></a>Syntax</h4></div></div></div>
+<a name="id2573731"></a>Syntax</h4></div></div></div>
 <p>
             </p>
 <pre class="programlisting">/* This is a <acronym class="acronym">BIND</acronym> comment as in C */</pre>
@@ -567,7 +579,7 @@
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2573618"></a>Definition and Usage</h4></div></div></div>
+<a name="id2573761"></a>Definition and Usage</h4></div></div></div>
 <p>
             Comments may appear anywhere that whitespace may appear in
             a <acronym class="acronym">BIND</acronym> configuration file.
@@ -598,8 +610,6 @@
             slash) and continue to the end of the physical line. They cannot
             be continued across multiple physical lines; to have one logical
             comment span multiple lines, each line must use the // pair.
-          </p>
-<p>
             For example:
           </p>
 <p>
@@ -617,8 +627,6 @@
             with the character <code class="literal">#</code> (number sign)
             and continue to the end of the
             physical line, as in C++ comments.
-          </p>
-<p>
             For example:
           </p>
 <p>
@@ -763,6 +771,17 @@
 </tr>
 <tr>
 <td>
+                <p><span><strong class="command">statistics-channels</strong></span></p>
+              </td>
+<td>
+                <p>
+                  declares communication channels to get access to
+                  <span><strong class="command">named</strong></span> statistics.
+                </p>
+              </td>
+</tr>
+<tr>
+<td>
                 <p><span><strong class="command">trusted-keys</strong></span></p>
               </td>
 <td>
@@ -801,7 +820,7 @@
       </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574117"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574346"></a><span><strong class="command">acl</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">acl</strong></span> acl-name {
     address_match_list
 };
@@ -819,8 +838,7 @@
 <p>
           Note that an address match list's name must be defined
           with <span><strong class="command">acl</strong></span> before it can be used
-          elsewhere; no
-          forward references are allowed.
+          elsewhere; no forward references are allowed.
         </p>
 <p>
           The following ACLs are built-in:
@@ -884,7 +902,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574307"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574536"></a><span><strong class="command">controls</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">controls</strong></span> {
    [ inet ( ip_addr | * ) [ port ip_port ] allow { <em class="replaceable"><code> address_match_list </code></em> }
                 keys { <em class="replaceable"><code>key_list</code></em> }; ]
@@ -1006,12 +1024,12 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574736"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2574965"></a><span><strong class="command">include</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">include</strong></span> <em class="replaceable"><code>filename</code></em>;</pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574753"></a><span><strong class="command">include</strong></span> Statement Definition and
+<a name="id2574982"></a><span><strong class="command">include</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">include</strong></span> statement inserts the
@@ -1026,7 +1044,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574776"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575005"></a><span><strong class="command">key</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">key</strong></span> <em class="replaceable"><code>key_id</code></em> {
     algorithm <em class="replaceable"><code>string</code></em>;
     secret <em class="replaceable"><code>string</code></em>;
@@ -1035,7 +1053,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574800"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2575029"></a><span><strong class="command">key</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">key</strong></span> statement defines a shared
           secret key for use with TSIG (see <a href="Bv9ARM.ch04.html#tsig" title="TSIG">the section called &#8220;TSIG&#8221;</a>)
@@ -1082,10 +1100,10 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2574958"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2575120"></a><span><strong class="command">logging</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">logging</strong></span> {
    [ <span><strong class="command">channel</strong></span> <em class="replaceable"><code>channel_name</code></em> {
-     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path name</code></em>
+     ( <span><strong class="command">file</strong></span> <em class="replaceable"><code>path_name</code></em>
          [ <span><strong class="command">versions</strong></span> ( <em class="replaceable"><code>number</code></em> | <span><strong class="command">unlimited</strong></span> ) ]
          [ <span><strong class="command">size</strong></span> <em class="replaceable"><code>size spec</code></em> ]
        | <span><strong class="command">syslog</strong></span> <em class="replaceable"><code>syslog_facility</code></em>
@@ -1106,7 +1124,7 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2575084"></a><span><strong class="command">logging</strong></span> Statement Definition and
+<a name="id2575245"></a><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">logging</strong></span> statement configures a
@@ -1140,7 +1158,7 @@
         </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2575137"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
+<a name="id2575298"></a>The <span><strong class="command">channel</strong></span> Phrase</h4></div></div></div>
 <p>
             All log output goes to one or more <span class="emphasis"><em>channels</em></span>;
             you can make as many of them as you want.
@@ -1302,7 +1320,7 @@ notrace</strong></span>. All debugging messages in the server have a debug
             the date and time will be logged. <span><strong class="command">print-time</strong></span> may
             be specified for a <span><strong class="command">syslog</strong></span> channel,
             but is usually
-            pointless since <span><strong class="command">syslog</strong></span> also prints
+            pointless since <span><strong class="command">syslog</strong></span> also logs
             the date and
             time. If <span><strong class="command">print-category</strong></span> is
             requested, then the
@@ -1536,7 +1554,7 @@ category notify { null; };
                   </td>
 <td>
                     <p>
-                      Messages that named was unable to determine the
+                      Messages that <span><strong class="command">named</strong></span> was unable to determine the
                       class of or for which there was no matching <span><strong class="command">view</strong></span>.
                       A one line summary is also logged to the <span><strong class="command">client</strong></span> category.
                       This category is best sent to a file or stderr, by
@@ -1588,15 +1606,18 @@ category notify { null; };
                       enable query logging unless <span><strong class="command">querylog</strong></span> option has been
                       specified.
                     </p>
+
                     <p>
-                      The query log entry reports the client's IP address and
-                      port number, and the
-                      query name, class and type.  It also reports whether the
-                      Recursion Desired
-                      flag was set (+ if set, - if not set), EDNS was in use
-                      (E) or if the
-                      query was signed (S).
+                      The query log entry reports the client's IP
+                      address and port number, and the query name,
+                      class and type.  It also reports whether the
+                      Recursion Desired flag was set (+ if set, -
+                      if not set), if the query was signed (S),
+                      EDNS was in use (E), if DO (DNSSEC Ok) was
+                      set (D), or if CD (Checking Disabled) was set
+                      (C).
                     </p>
+
                     <p>
                       <code class="computeroutput">client 127.0.0.1#62536: query: www.example.com IN AAAA +SE</code>
                     </p>
@@ -1607,6 +1628,17 @@ category notify { null; };
 </tr>
 <tr>
 <td>
+                    <p><span><strong class="command">query-errors</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Information about queries that resulted in some
+                      failure.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
                     <p><span><strong class="command">dispatch</strong></span></p>
                   </td>
 <td>
@@ -1645,7 +1677,7 @@ category notify { null; };
                   </td>
 <td>
                     <p>
-                      Delegation only.  Logs queries that have have
+                      Delegation only.  Logs queries that have
                       been forced to NXDOMAIN as the result of a
                       delegation-only zone or
                       a <span><strong class="command">delegation-only</strong></span> in a
@@ -1653,13 +1685,266 @@ category notify { null; };
                     </p>
                   </td>
 </tr>
+<tr>
+<td>
+                    <p><span><strong class="command">edns-disabled</strong></span></p>
+                  </td>
+<td>
+                    <p>
+                      Log queries that have been forced to use plain
+                      DNS due to timeouts.  This is often due to
+                      the remote servers not being RFC 1034 compliant
+                      (not always returning FORMERR or similar to
+                      EDNS queries and other extensions to the DNS
+                      when they are not understood).  In other words, this is
+                      targeted at servers that fail to respond to
+                      DNS queries that they don't understand.
+                    </p>
+                    <p>
+                      Note: the log message can also be due to
+                      packet loss.  Before reporting servers for
+                      non-RFC 1034 compliance they should be re-tested
+                      to determine the nature of the non-compliance.
+                      This testing should prevent or reduce the
+                      number of false-positive reports.
+                    </p>
+                    <p>
+                      Note: eventually <span><strong class="command">named</strong></span> will have to stop
+                      treating such timeouts as due to RFC 1034 non
+                      compliance and start treating it as plain
+                      packet loss.  Falsely classifying packet
+                      loss as due to RFC 1034 non compliance impacts
+                      on DNSSEC validation which requires EDNS for
+                      the DNSSEC records to be returned.
+                    </p>
+                  </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2576793"></a>The <span><strong class="command">query-errors</strong></span> Category</h4></div></div></div>
+<p>
+            The <span><strong class="command">query-errors</strong></span> category is
+            specifically intended for debugging purposes: To identify
+            why and how specific queries result in responses which
+            indicate an error.
+            Messages of this category are therefore only logged
+            with <span><strong class="command">debug</strong></span> levels.
+          </p>
+<p>
+            At the debug levels of 1 or higher, each response with the
+            rcode of SERVFAIL is logged as follows:
+          </p>
+<p>
+            <code class="computeroutput">client 127.0.0.1#61502: query failed (SERVFAIL) for www.example.com/IN/AAAA at query.c:3880</code>
+          </p>
+<p>
+            This means an error resulting in SERVFAIL was
+            detected at line 3880 of source file
+            <code class="filename">query.c</code>.
+            Log messages of this level will particularly
+            help identify the cause of SERVFAIL for an
+            authoritative server.
+          </p>
+<p>
+            At the debug levels of 2 or higher, detailed context
+            information of recursive resolutions that resulted in
+            SERVFAIL is logged.
+            The log message will look like as follows:
+          </p>
+<p>
+            <code class="computeroutput">fetch completed at resolver.c:2970 for www.example.com/A in 30.000183: timed out/success [domain:example.com,referral:2,restart:7,qrysent:8,timeout:5,lame:0,neterr:0,badresp:1,adberr:0,findfail:0,valfail:0]</code>
+          </p>
+<p>
+            The first part before the colon shows that a recursive
+            resolution for AAAA records of www.example.com completed
+            in 30.000183 seconds and the final result that led to the
+            SERVFAIL was determined at line 2970 of source file
+            <code class="filename">resolver.c</code>.
+          </p>
+<p>
+            The following part shows the detected final result and the
+            latest result of DNSSEC validation.
+            The latter is always success when no validation attempt
+            is made.
+            In this example, this query resulted in SERVFAIL probably
+            because all name servers are down or unreachable, leading
+            to a timeout in 30 seconds.
+            DNSSEC validation was probably not attempted.
+          </p>
+<p>
+            The last part enclosed in square brackets shows statistics
+            information collected for this particular resolution
+            attempt.
+            The <code class="varname">domain</code> field shows the deepest zone
+            that the resolver reached;
+            it is the zone where the error was finally detected.
+            The meaning of the other fields is summarized in the
+            following table.
+          </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                    <p><code class="varname">referral</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of referrals the resolver received
+                      throughout the resolution process.
+                      In the above example this is 2, which are most
+                      likely com and example.com.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">restart</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of cycles that the resolver tried
+                      remote servers at the <code class="varname">domain</code>
+                      zone.
+                      In each cycle the resolver sends one query
+                      (possibly resending it, depending on the response)
+                      to each known name server of
+                      the <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">qrysent</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of queries the resolver sent at the
+                      <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">timeout</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of timeouts since the resolver
+                      received the last response.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">lame</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of lame servers the resolver detected
+                      at the <code class="varname">domain</code> zone.
+                      A server is detected to be lame either by an
+                      invalid response or as a result of lookup in
+                      BIND9's address database (ADB), where lame
+                      servers are cached.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">neterr</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of erroneous results that the
+                      resolver encountered in sending queries
+                      at the <code class="varname">domain</code> zone.
+                      One common case is the remote server is
+                      unreachable and the resolver receives an ICMP
+                      unreachable error message.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">badresp</code></p>
+                  </td>
+<td>
+                    <p>
+                      The number of unexpected responses (other than
+                      <code class="varname">lame</code>) to queries sent by the
+                      resolver at the <code class="varname">domain</code> zone.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">adberr</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures in finding remote server addresses
+                      of the <code class="varname">domain</code> zone in the ADB.
+                      One common case of this is that the remote
+                      server's name does not have any address records.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">findfail</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures of resolving remote server addresses.
+                      This is a total number of failures throughout
+                      the resolution process.
+                    </p>
+                  </td>
+</tr>
+<tr>
+<td>
+                    <p><code class="varname">valfail</code></p>
+                  </td>
+<td>
+                    <p>
+                      Failures of DNSSEC validation.
+                      Validation failures are counted throughout
+                      the resolution process (not limited to
+                      the <code class="varname">domain</code> zone), but should
+                      only happen in <code class="varname">domain</code>.
+                    </p>
+                  </td>
+</tr>
 </tbody>
 </table></div>
+<p>
+            At the debug levels of 3 or higher, the same messages
+            as those at the debug 1 level are logged for other errors
+            than SERVFAIL.
+            Note that negative responses such as NXDOMAIN are not
+            regarded as errors here.
+          </p>
+<p>
+            At the debug levels of 4 or higher, the same messages
+            as those at the debug 2 level are logged for other errors
+            than SERVFAIL.
+            Unlike the above case of level 3, messages are logged for
+            negative responses.
+            This is because any unexpected results can be difficult to
+            debug in the recursion case.
+          </p>
 </div>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576435"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577306"></a><span><strong class="command">lwres</strong></span> Statement Grammar</h3></div></div></div>
 <p>
            This is the grammar of the <span><strong class="command">lwres</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -1674,7 +1959,7 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576508"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2577448"></a><span><strong class="command">lwres</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
           The <span><strong class="command">lwres</strong></span> statement configures the
           name
@@ -1725,14 +2010,14 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576572"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577512"></a><span><strong class="command">masters</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting">
 <span><strong class="command">masters</strong></span> <em class="replaceable"><code>name</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] };
 </pre>
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576616"></a><span><strong class="command">masters</strong></span> Statement Definition and
+<a name="id2577556"></a><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</h3></div></div></div>
 <p><span><strong class="command">masters</strong></span>
           lists allow for a common set of masters to be easily used by
@@ -1741,7 +2026,7 @@ category notify { null; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2576631"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
+<a name="id2577571"></a><span><strong class="command">options</strong></span> Statement Grammar</h3></div></div></div>
 <p>
           This is the grammar of the <span><strong class="command">options</strong></span>
           statement in the <code class="filename">named.conf</code> file:
@@ -1753,10 +2038,12 @@ category notify { null; };
     [<span class="optional"> directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> key-directory <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> named-xfer <em class="replaceable"><code>path_name</code></em>; </span>]
+    [<span class="optional"> tkey-gssapi-credential <em class="replaceable"><code>principal</code></em>; </span>]
     [<span class="optional"> tkey-domain <em class="replaceable"><code>domainname</code></em>; </span>]
     [<span class="optional"> tkey-dhkey <em class="replaceable"><code>key_name</code></em> <em class="replaceable"><code>key_tag</code></em>; </span>]
     [<span class="optional"> cache-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> dump-file <em class="replaceable"><code>path_name</code></em>; </span>]
+    [<span class="optional"> memstatistics <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> memstatistics-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> pid-file <em class="replaceable"><code>path_name</code></em>; </span>]
     [<span class="optional"> recursing-file <em class="replaceable"><code>path_name</code></em>; </span>]
@@ -1778,6 +2065,7 @@ category notify { null; };
     [<span class="optional"> rfc2308-type1 <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> use-id-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> ixfr-from-differences (<em class="replaceable"><code>yes_or_no</code></em> | <code class="constant">master</code> | <code class="constant">slave</code>); </span>]
     [<span class="optional"> dnssec-enable <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-validation <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> dnssec-lookaside <em class="replaceable"><code>domain</code></em> trust-anchor <em class="replaceable"><code>domain</code></em>; </span>]
@@ -1799,12 +2087,16 @@ category notify { null; };
     [<span class="optional"> check-sibling <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query-cache { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-cache-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-recursion { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-recursion-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> allow-v6-synthesis { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> blackhole { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> use-v4-udp-ports { <em class="replaceable"><code>port_list</code></em> }; </span>]
@@ -1821,6 +2113,9 @@ category notify { null; };
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] | 
         [<span class="optional"> address ( <em class="replaceable"><code>ip6_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] 
         [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] ) ; </span>]
+    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+    [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-transfer-idle-in <em class="replaceable"><code>number</code></em>; </span>]
@@ -1843,6 +2138,7 @@ category notify { null; };
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
+    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
@@ -1861,6 +2157,9 @@ category notify { null; };
     [<span class="optional"> max-ncache-ttl <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> max-cache-ttl <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> min-roots <em class="replaceable"><code>number</code></em>; </span>]
     [<span class="optional"> use-ixfr <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> provide-ixfr <em class="replaceable"><code>yes_or_no</code></em>; </span>]
@@ -1937,28 +2236,42 @@ category notify { null; };
               </p></dd>
 <dt><span class="term"><span><strong class="command">named-xfer</strong></span></span></dt>
 <dd><p>
-                <span class="emphasis"><em>This option is obsolete.</em></span>
-                It was used in <acronym class="acronym">BIND</acronym> 8 to
-                specify the pathname to the <span><strong class="command">named-xfer</strong></span> program.
-                In <acronym class="acronym">BIND</acronym> 9, no separate <span><strong class="command">named-xfer</strong></span> program is
-                needed; its functionality is built into the name server.
+                <span class="emphasis"><em>This option is obsolete.</em></span> It
+                was used in <acronym class="acronym">BIND</acronym> 8 to specify
+                the pathname to the <span><strong class="command">named-xfer</strong></span>
+                program.  In <acronym class="acronym">BIND</acronym> 9, no separate
+                <span><strong class="command">named-xfer</strong></span> program is needed;
+                its functionality is built into the name server.
+              </p></dd>
+<dt><span class="term"><span><strong class="command">tkey-gssapi-credential</strong></span></span></dt>
+<dd><p>
+                The security credential with which the server should
+                authenticate keys requested by the GSS-TSIG protocol.
+                Currently only Kerberos 5 authentication is available
+                and the credential is a Kerberos principal which
+                the server can acquire through the default system
+                key file, normally <code class="filename">/etc/krb5.keytab</code>.
+                Normally this principal is of the form
+                "<strong class="userinput"><code>dns/</code></strong><code class="varname">server.domain</code>".
+                To use GSS-TSIG, <span><strong class="command">tkey-domain</strong></span>
+                must also be set.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-domain</strong></span></span></dt>
 <dd><p>
-                The domain appended to the names of all
-                shared keys generated with
-                <span><strong class="command">TKEY</strong></span>. When a client
-                requests a <span><strong class="command">TKEY</strong></span> exchange, it
-                may or may not specify
-                the desired name for the key. If present, the name of the
-                shared
-                key will be "<code class="varname">client specified part</code>" +
-                "<code class="varname">tkey-domain</code>".
-                Otherwise, the name of the shared key will be "<code class="varname">random hex
-digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
-                the <span><strong class="command">domainname</strong></span> should be the
-                server's domain
-                name.
+                The domain appended to the names of all shared keys
+                generated with <span><strong class="command">TKEY</strong></span>.  When a
+                client requests a <span><strong class="command">TKEY</strong></span> exchange,
+                it may or may not specify the desired name for the
+                key. If present, the name of the shared key will
+                be <code class="varname">client specified part</code> +
+                <code class="varname">tkey-domain</code>.  Otherwise, the
+                name of the shared key will be <code class="varname">random hex
+                digits</code> + <code class="varname">tkey-domain</code>.
+                In most cases, the <span><strong class="command">domainname</strong></span>
+                should be the server's domain name, or an otherwise
+                non-existent subdomain like
+                "_tkey.<code class="varname">domainname</code>".  If you are
+                using GSS-TSIG, this variable must be defined.
               </p></dd>
 <dt><span class="term"><span><strong class="command">tkey-dhkey</strong></span></span></dt>
 <dd><p>
@@ -1983,25 +2296,17 @@ digits</code>" + "<code class="varname">tkey-domain</code>". In most cases,
                 If not specified, the default is <code class="filename">named_dump.db</code>.
               </p></dd>
 <dt><span class="term"><span><strong class="command">memstatistics-file</strong></span></span></dt>
-<dd>
-<p>
+<dd><p>
                 The pathname of the file the server writes memory
-                usage statistics to on exit.  If specified the
-                statistics will be written to the file on exit.
-              </p>
-<p>
-                In <acronym class="acronym">BIND</acronym> 9.5 and later this will
-                default to <code class="filename">named.memstats</code>.
-                <acronym class="acronym">BIND</acronym> 9.5 will also introduce
-                <span><strong class="command">memstatistics</strong></span> to control the
-                writing.
-              </p>
-</dd>
+                usage statistics to on exit. If not specified,
+                the default is <code class="filename">named.memstats</code>.
+              </p></dd>
 <dt><span class="term"><span><strong class="command">pid-file</strong></span></span></dt>
 <dd><p>
                 The pathname of the file the server writes its process ID
-                in. If not specified, the default is <code class="filename">/var/run/named.pid</code>.
-                The pid-file is used by programs that want to send signals to
+                in. If not specified, the default is
+                <code class="filename">/var/run/named/named.pid</code>.
+                The PID file is used by programs that want to send signals to
                 the running
                 name server. Specifying <span><strong class="command">pid-file none</strong></span> disables the
                 use of a PID file &#8212; no file will be written and any
@@ -2096,7 +2401,7 @@ options {
                 top of a zone.  When a DNSKEY is at or below a domain
                 specified by the
                 deepest <span><strong class="command">dnssec-lookaside</strong></span>, and
-                the normal dnssec validation
+                the normal DNSSEC validation
                 has left the key untrusted, the trust-anchor will be append to
                 the key
                 name and a DLV record will be looked up to see if it can
@@ -2109,10 +2414,10 @@ options {
 <dd><p>
                 Specify hierarchies which must be or may not be secure (signed and
                 validated).
-                If <strong class="userinput"><code>yes</code></strong>, then named will only accept
+                If <strong class="userinput"><code>yes</code></strong>, then <span><strong class="command">named</strong></span> will only accept
                 answers if they
                 are secure.
-                If <strong class="userinput"><code>no</code></strong>, then normal dnssec validation
+                If <strong class="userinput"><code>no</code></strong>, then normal DNSSEC validation
                 applies
                 allowing for insecure answers to be accepted.
                 The specified domain must be under a <span><strong class="command">trusted-key</strong></span> or
@@ -2142,6 +2447,14 @@ options {
                   for memory leaks on exit. <acronym class="acronym">BIND</acronym> 9 ignores the option and always performs
                   the checks.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">memstatistics</strong></span></span></dt>
+<dd><p>
+                  Write memory statistics to the file specified by
+                  <span><strong class="command">memstatistics-file</strong></span> at exit.
+                  The default is <strong class="userinput"><code>no</code></strong> unless
+                  '-m record' is specified on the command line in
+                  which case it is <strong class="userinput"><code>yes</code></strong>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">dialup</strong></span></span></dt>
 <dd>
 <p>
@@ -2461,6 +2774,17 @@ options {
                   to crash.
                 </p>
 </dd>
+<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
+<dd><p>
+                  If <strong class="userinput"><code>yes</code></strong> do not check the nameservers
+                  in the NS RRset against the SOA MNAME.  Normally a NOTIFY
+                  message is not sent to the SOA MNAME (SOA ORIGIN) as it is
+                  supposed to contain the name of the ultimate master.
+                  Sometimes, however, a slave is listed as the SOA MNAME in
+                  hidden master configurations and in that case you would
+                  want the ultimate master to still send NOTIFY messages to
+                  all the nameservers listed in the NS RRset.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">recursion</strong></span></span></dt>
 <dd><p>
                   If <strong class="userinput"><code>yes</code></strong>, and a
@@ -2675,43 +2999,44 @@ options {
                   also accepts <span><strong class="command">master</strong></span> and
                   <span><strong class="command">slave</strong></span> at the view and options
                   levels which causes
-                  <span><strong class="command">ixfr-from-differences</strong></span> to apply to
+                  <span><strong class="command">ixfr-from-differences</strong></span> to be enabled for
                   all <span><strong class="command">master</strong></span> or
                   <span><strong class="command">slave</strong></span> zones respectively.
+                  It is off by default.
                 </p>
 </dd>
 <dt><span class="term"><span><strong class="command">multi-master</strong></span></span></dt>
 <dd><p>
                   This should be set when you have multiple masters for a zone
                   and the
-                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, named will
+                  addresses refer to different machines.  If <strong class="userinput"><code>yes</code></strong>, <span><strong class="command">named</strong></span> will
                   not log
-                  when the serial number on the master is less than what named
+                  when the serial number on the master is less than what <span><strong class="command">named</strong></span>
                   currently
                   has.  The default is <strong class="userinput"><code>no</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-enable</strong></span></span></dt>
 <dd><p>
-                  Enable DNSSEC support in named.  Unless set to <strong class="userinput"><code>yes</code></strong>,
-                  named behaves as if it does not support DNSSEC.
+                  Enable DNSSEC support in <span><strong class="command">named</strong></span>.  Unless set to <strong class="userinput"><code>yes</code></strong>,
+                  <span><strong class="command">named</strong></span> behaves as if it does not support DNSSEC.
                   The default is <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-validation</strong></span></span></dt>
 <dd><p>
-                  Enable DNSSEC validation in named.
+                  Enable DNSSEC validation in <span><strong class="command">named</strong></span>.
                   Note <span><strong class="command">dnssec-enable</strong></span> also needs to be
                   set to <strong class="userinput"><code>yes</code></strong> to be effective.
-                  The default is <strong class="userinput"><code>no</code></strong>.
+                  The default is <strong class="userinput"><code>yes</code></strong>.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">dnssec-accept-expired</strong></span></span></dt>
 <dd><p>
                   Accept expired signatures when verifying DNSSEC signatures.
                   The default is <strong class="userinput"><code>no</code></strong>.
-                  Setting this option to "yes" leaves named vulnerable to replay attacks.
+                  Setting this option to "yes" leaves <span><strong class="command">named</strong></span> vulnerable to replay attacks.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">querylog</strong></span></span></dt>
 <dd><p>
-                  Specify whether query logging should be started when named
+                  Specify whether query logging should be started when <span><strong class="command">named</strong></span>
                   starts.
                   If <span><strong class="command">querylog</strong></span> is not specified,
                   then the query logging
@@ -2737,9 +3062,9 @@ options {
                   from RFC 952 and RFC 821 as modified by RFC 1123.
                 </p>
 <p><span><strong class="command">check-names</strong></span>
-                  applies to the owner names of A, AAA and MX records.
-                  It also applies to the domain names in the RDATA of NS, SOA
-                  and MX records.
+                  applies to the owner names of A, AAAA and MX records.
+                  It also applies to the domain names in the RDATA of NS, SOA,
+                  MX, and SRV records.
                   It also applies to the RDATA of PTR records where the owner
                   name indicated that it is a reverse lookup of a hostname
                   (the owner name ends in IN-ADDR.ARPA, IP6.ARPA, or IP6.INT).
@@ -2796,7 +3121,7 @@ options {
 <dt><span class="term"><span><strong class="command">zero-no-soa-ttl</strong></span></span></dt>
 <dd><p>
                   When returning authoritative negative responses to
-                  SOA queries set the TTL of the SOA recored returned in
+                  SOA queries set the TTL of the SOA record returned in
                   the authority section to zero.
                   The default is <span><strong class="command">yes</strong></span>.
                 </p></dd>
@@ -2816,11 +3141,17 @@ options {
                   a KSK.
                   The default is <span><strong class="command">yes</strong></span>.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+                  Try to refresh the zone using TCP if UDP queries fail.
+                  For BIND 8 compatibility, the default is
+                  <span><strong class="command">yes</strong></span>.
+                </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2580525"></a>Forwarding</h4></div></div></div>
+<a name="id2581667"></a>Forwarding</h4></div></div></div>
 <p>
             The forwarding facility can be used to create a large site-wide
             cache on a few servers, reducing traffic over links to external
@@ -2864,7 +3195,7 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2580721"></a>Dual-stack Servers</h4></div></div></div>
+<a name="id2581725"></a>Dual-stack Servers</h4></div></div></div>
 <p>
             Dual-stack servers are used as servers of last resort to work
             around
@@ -2929,16 +3260,52 @@ options {
                   </p>
 </div>
 </dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd>
+<p>
+                  Specifies which local addresses can accept ordinary
+                  DNS questions. This makes it possible, for instance,
+                  to allow queries on internal-facing interfaces but
+                  disallow them on external-facing ones, without
+                  necessarily knowing the internal network's addresses.
+                </p>
+<p>
+                  <span><strong class="command">allow-query-on</strong></span> may
+                  also be specified in the <span><strong class="command">zone</strong></span>
+                  statement, in which case it overrides the
+                  <span><strong class="command">options allow-query-on</strong></span> statement.
+                </p>
+<p>
+                  If not specified, the default is to allow queries
+                  on all addresses.
+                </p>
+<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+<p>
+                    <span><strong class="command">allow-query-cache</strong></span> is
+                    used to specify access to the cache.
+                  </p>
+</div>
+</dd>
 <dt><span class="term"><span><strong class="command">allow-query-cache</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to get answers
                   from the cache.  If <span><strong class="command">allow-query-cache</strong></span>
                   is not set then <span><strong class="command">allow-recursion</strong></span>
                   is used if set, otherwise <span><strong class="command">allow-query</strong></span>
-                  is used if set, otherwise the default
-                  (<span><strong class="command">localnets;</strong></span>
+                  is used if set unless <span><strong class="command">recursion no;</strong></span> is
+                  set in which case <span><strong class="command">none;</strong></span> is used,
+                  otherwise the default (<span><strong class="command">localnets;</strong></span>
                   <span><strong class="command">localhost;</strong></span>) is used.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">allow-query-cache-on</strong></span></span></dt>
+<dd><p>
+                  Specifies which local addresses can give answers
+                  from the cache.  If not specified, the default is
+                  to allow cache queries on any address,
+                  <span><strong class="command">localnets</strong></span> and
+                  <span><strong class="command">localhost</strong></span>.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">allow-recursion</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to make recursive
@@ -2950,6 +3317,12 @@ options {
                   (<span><strong class="command">localnets;</strong></span>
                   <span><strong class="command">localhost;</strong></span>) is used.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">allow-recursion-on</strong></span></span></dt>
+<dd><p>
+                  Specifies which local addresses can accept recursive
+                  queries.  If not specified, the default is to allow
+                  recursive queries on all addresses.
+                </p></dd>
 <dt><span class="term"><span><strong class="command">allow-update</strong></span></span></dt>
 <dd><p>
                   Specifies which hosts are allowed to
@@ -3019,11 +3392,11 @@ options {
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2581142"></a>Interfaces</h4></div></div></div>
+<a name="id2582231"></a>Interfaces</h4></div></div></div>
 <p>
             The interfaces and ports that the server will answer queries
             from may be specified using the <span><strong class="command">listen-on</strong></span> option. <span><strong class="command">listen-on</strong></span> takes
-            an optional port, and an <code class="varname">address_match_list</code>.
+            an optional port and an <code class="varname">address_match_list</code>.
             The server will listen on all interfaces allowed by the address
             match list. If a port is not specified, port 53 will be used.
           </p>
@@ -3042,7 +3415,7 @@ listen-on port 1234 { !1.2.3.4; 1.2/16; };
           </p>
 <p>
             If no <span><strong class="command">listen-on</strong></span> is specified, the
-            server will listen on port 53 on all interfaces.
+            server will listen on port 53 on all IPv4 interfaces.
           </p>
 <p>
             The <span><strong class="command">listen-on-v6</strong></span> option is used to
@@ -3093,8 +3466,10 @@ listen-on-v6 port 1234 { !2001:db8::/32; any; };
 </pre>
 <p>
             If no <span><strong class="command">listen-on-v6</strong></span> option is
-            specified,
-            the server will not listen on any IPv6 address.
+            specified, the server will not listen on any IPv6 address
+            unless <span><strong class="command">-6</strong></span> is specified when <span><strong class="command">named</strong></span> is
+            invoked.  If <span><strong class="command">-6</strong></span> is specified then
+            <span><strong class="command">named</strong></span> will listen on port 53 on all IPv6 interfaces by default.
           </p>
 </div>
 <div class="sect3" lang="en">
@@ -3178,20 +3553,37 @@ use-v6-udp-ports { range 1024 65535; };
 avoid-v6-udp-ports {};
 </pre>
 <p>
-            Note: it is generally strongly discouraged to
+            Note: BIND 9.5.0 introduced
+            the <span><strong class="command">use-queryport-pool</strong></span> 
+            option to support a pool of such random ports, but this
+            option is now obsolete because reusing the same ports in
+            the pool may not be sufficiently secure.
+            For the same reason, it is generally strongly discouraged to
             specify a particular port for the
             <span><strong class="command">query-source</strong></span> or
             <span><strong class="command">query-source-v6</strong></span> options;
-            it implicitly disables the use of randomized port numbers
-            and can be insecure.
+            it implicitly disables the use of randomized port numbers.
           </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">use-queryport-pool</strong></span></span></dt>
+<dd><p>
+                  This option is obsolete.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-ports</strong></span></span></dt>
+<dd><p>
+                  This option is obsolete.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">queryport-pool-updateinterval</strong></span></span></dt>
+<dd><p>
+                  This option is obsolete.
+                </p></dd>
+</dl></div>
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
               The address specified in the <span><strong class="command">query-source</strong></span> option
               is used for both UDP and TCP queries, but the port applies only
-              to
-              UDP queries.  TCP queries always use a random
+              to UDP queries.  TCP queries always use a random
               unprivileged port.
             </p>
 </div>
@@ -3228,7 +3620,12 @@ avoid-v6-udp-ports {};
                   zone is loaded, in addition to the servers listed in the
                   zone's NS records.
                   This helps to ensure that copies of the zones will
-                  quickly converge on stealth servers. If an <span><strong class="command">also-notify</strong></span> list
+                  quickly converge on stealth servers.
+                  Optionally, a port may be specified with each
+                  <span><strong class="command">also-notify</strong></span> address to send
+                  the notify messages to a port other than the
+                  default of 53.
+                  If an <span><strong class="command">also-notify</strong></span> list
                   is given in a <span><strong class="command">zone</strong></span> statement,
                   it will override
                   the <span><strong class="command">options also-notify</strong></span>
@@ -3395,7 +3792,7 @@ avoid-v6-udp-ports {};
                   to be used, you should set
                   <span><strong class="command">use-alt-transfer-source</strong></span>
                   appropriately and you should not depend upon
-                  getting a answer back to the first refresh
+                  getting an answer back to the first refresh
                   query.
                 </div>
 </dd>
@@ -3447,7 +3844,7 @@ avoid-v6-udp-ports {};
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582140"></a>UDP Port Lists</h4></div></div></div>
+<a name="id2583571"></a>UDP Port Lists</h4></div></div></div>
 <p>
             <span><strong class="command">use-v4-udp-ports</strong></span>,
             <span><strong class="command">avoid-v4-udp-ports</strong></span>,
@@ -3489,7 +3886,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582200"></a>Operating System Resource Limits</h4></div></div></div>
+<a name="id2583699"></a>Operating System Resource Limits</h4></div></div></div>
 <p>
             The server's usage of many system resources can be limited.
             Scaled values are allowed when specifying resource limits.  For
@@ -3548,7 +3945,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582452"></a>Server  Resource Limits</h4></div></div></div>
+<a name="server_resource_limits"></a>Server  Resource Limits</h4></div></div></div>
 <p>
             The following options set limits on the server's
             resource consumption that are enforced internally by the
@@ -3571,6 +3968,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   journal
                   will be automatically removed.  The default is
                   <code class="literal">unlimited</code>.
+                  This may also be set on a per-zone basis.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">host-statistics-max</strong></span></span></dt>
 <dd><p>
@@ -3602,7 +4000,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <p>
                   The number of file descriptors reserved for TCP, stdio,
                   etc.  This needs to be big enough to cover the number of
-                  interfaces named listens on, tcp-clients as well as
+                  interfaces <span><strong class="command">named</strong></span> listens on, <span><strong class="command">tcp-clients</strong></span> as well as
                   to provide room for outgoing TCP queries and incoming zone
                   transfers.  The default is <code class="literal">512</code>.
                   The minimum value is <code class="literal">128</code> and the
@@ -3619,7 +4017,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   server's cache, in bytes.
                   When the amount of data in the cache
                   reaches this limit, the server will cause records to expire
-                  prematurely so that the limit is not exceeded.
+                  prematurely based on an LRU based strategy so that
+                  the limit is not exceeded.
                   A value of 0 is special, meaning that
                   records are purged from the cache only when their
                   TTLs expire.
@@ -3649,15 +4048,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2582682"></a>Periodic Task Intervals</h4></div></div></div>
+<a name="id2583985"></a>Periodic Task Intervals</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">cleaning-interval</strong></span></span></dt>
 <dd><p>
-                  The server will remove expired resource records
+                  This interval is effectively obsolete.  Previously,
+                  the server would remove expired resource records
                   from the cache every <span><strong class="command">cleaning-interval</strong></span> minutes.
-                  The default is 60 minutes.  The maximum value is 28 days
-                  (40320 minutes).
-                  If set to 0, no periodic cleaning will occur.
+                  <acronym class="acronym">BIND</acronym> 9 now manages cache
+                  memory in a more sophisticated manner and does not
+                  rely on the periodic cleaning any more.
+                  Specifying this option therefore has no effect on
+                  the server's behavior.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">heartbeat-interval</strong></span></span></dt>
 <dd><p>
@@ -3914,8 +4316,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   </td>
 <td>
                     <p>
-                      Records are returned in a round-robin
-                      order.
+                      Records are returned in a cyclic round-robin order.
+                    </p>
+                    <p>
+                      If <acronym class="acronym">BIND</acronym> is configured with the
+                      "--enable-fixed-rrset" option at compile time, then
+                      the initial ordering of the RRset will match the
+                      one specified in the zone file.
                     </p>
                   </td>
 </tr>
@@ -3943,9 +4350,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 <h3 class="title">Note</h3>
 <p>
-              The <span><strong class="command">rrset-order</strong></span> statement
-              is not yet fully implemented in <acronym class="acronym">BIND</acronym> 9.
-              BIND 9 currently does not fully support "fixed" ordering.
+              In this release of <acronym class="acronym">BIND</acronym> 9, the
+              <span><strong class="command">rrset-order</strong></span> statement does not support
+              "fixed" ordering by default.  Fixed ordering can be enabled
+              at compile time by specifying "--enable-fixed-rrset" on
+              the "configure" command line.
             </p>
 </div>
 </div>
@@ -4000,17 +4409,59 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 </dd>
 <dt><span class="term"><span><strong class="command">sig-validity-interval</strong></span></span></dt>
+<dd>
+<p>
+                  Specifies the number of days into the future when
+                  DNSSEC signatures automatically generated as a
+                  result of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>) will expire.  There
+                  is a optional second field which specifies how
+                  long before expiry that the signatures will be
+                  regenerated.  If not specified, the signatures will
+                  be regenerated at 1/4 of base interval.  The second
+                  field is specified in days if the base interval is
+                  greater than 7 days otherwise it is specified in hours.
+                  The default base interval is <code class="literal">30</code> days
+                  giving a re-signing interval of 7 1/2 days.  The maximum
+                  values are 10 years (3660 days).
+                </p>
+<p>
+                  The signature inception time is unconditionally
+                  set to one hour before the current time to allow
+                  for a limited amount of clock skew.
+                </p>
+<p>
+                  The <span><strong class="command">sig-validity-interval</strong></span>
+                  should be, at least, several multiples of the SOA
+                  expire interval to allow for reasonable interaction
+                  between the various timer and expiry dates.
+                </p>
+</dd>
+<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
+<dd><p>
+                  Specify the maximum number of nodes to be
+                  examined in each quantum when signing a zone with
+                  a new DNSKEY. The default is
+                  <code class="literal">100</code>.
+                </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
 <dd><p>
-                  Specifies the number of days into the
-                  future when DNSSEC signatures automatically generated as a
-                  result
-                  of dynamic updates (<a href="Bv9ARM.ch04.html#dynamic_update" title="Dynamic Update">the section called &#8220;Dynamic Update&#8221;</a>)
-                  will expire. The default is <code class="literal">30</code> days.
-                  The maximum value is 10 years (3660 days). The signature
-                  inception time is unconditionally set to one hour before the
-                  current time
-                  to allow for a limited amount of clock skew.
+                  Specify a threshold number of signatures that
+                  will terminate processing a quantum when signing
+                  a zone with a new DNSKEY.  The default is
+                  <code class="literal">10</code>.
                 </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
+<dd>
+<p>
+                  Specify a private RDATA type to be used when generating
+                  key signing records.  The default is
+                  <code class="literal">65535</code>.
+                </p>
+<p>
+                  It is expected that this parameter may be removed
+                  in a future version once there is a standard type.
+                </p>
+</dd>
 <dt>
 <span class="term"><span><strong class="command">min-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">max-refresh-time</strong></span>, </span><span class="term"><span><strong class="command">min-retry-time</strong></span>, </span><span class="term"><span><strong class="command">max-retry-time</strong></span></span>
 </dt>
@@ -4037,22 +4488,23 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </dd>
 <dt><span class="term"><span><strong class="command">edns-udp-size</strong></span></span></dt>
 <dd><p>
-                  Sets the advertised EDNS UDP buffer size in bytes.  Valid
-                  values are 512 to 4096 (values outside this range
-                  will be silently adjusted).  The default value is
-                  4096.  The usual reason for setting edns-udp-size to
-                  a non-default value is to get UDP answers to pass
-                  through broken firewalls that block fragmented
-                  packets and/or block UDP packets that are greater
-                  than 512 bytes.
+                  Sets the advertised EDNS UDP buffer size in bytes
+                  to control the size of packets received.
+                  Valid values are 512 to 4096 (values outside this range
+                  will be silently adjusted).  The default value
+                  is 4096.  The usual reason for setting
+                  <span><strong class="command">edns-udp-size</strong></span> to a non-default
+                  value is to get UDP answers to pass through broken
+                  firewalls that block fragmented packets and/or
+                  block UDP packets that are greater than 512 bytes.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">max-udp-size</strong></span></span></dt>
 <dd><p>
-                  Sets the maximum EDNS UDP message size named will
+                  Sets the maximum EDNS UDP message size <span><strong class="command">named</strong></span> will
                   send in bytes.  Valid values are 512 to 4096 (values outside
                   this range will be silently adjusted).  The default
                   value is 4096.  The usual reason for setting
-                  max-udp-size to a non-default value is to get UDP
+                  <span><strong class="command">max-udp-size</strong></span> to a non-default value is to get UDP
                   answers to pass through broken firewalls that
                   block fragmented packets and/or block UDP packets
                   that are greater than 512 bytes.
@@ -4085,21 +4537,21 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   file.
                 </p></dd>
 <dt>
-<span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
+<a name="clients-per-query"></a><span class="term"><span><strong class="command">clients-per-query</strong></span>, </span><span class="term"><span><strong class="command">max-clients-per-query</strong></span></span>
 </dt>
 <dd>
 <p>These set the
                   initial value (minimum) and maximum number of recursive
-                  simultanious clients for any given query
+                  simultaneous clients for any given query
                   (&lt;qname,qtype,qclass&gt;) that the server will accept
-                  before dropping additional clients.  named will attempt to
+                  before dropping additional clients.  <span><strong class="command">named</strong></span> will attempt to
                   self tune this value and changes will be logged.  The
                   default values are 10 and 100.
                 </p>
 <p>
                   This value should reflect how many queries come in for
                   a given name in the time it takes to resolve that name.
-                  If the number of queries exceed this value, named will
+                  If the number of queries exceed this value, <span><strong class="command">named</strong></span> will
                   assume that it is dealing with a non-responsive zone
                   and will drop additional queries.  If it gets a response
                   after dropping queries, it will raise the estimate.  The
@@ -4172,14 +4624,15 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                 </p></dd>
 <dt><span class="term"><span><strong class="command">server-id</strong></span></span></dt>
 <dd><p>
-                  The ID of the server should report via a query of
-                  the name <code class="filename">ID.SERVER</code>
-                  with type <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
+                  The ID the server should report when receiving a Name
+                  Server Identifier (NSID) query, or a query of the name
+                  <code class="filename">ID.SERVER</code> with type
+                  <span><strong class="command">TXT</strong></span>, class <span><strong class="command">CHAOS</strong></span>.
                   The primary purpose of such queries is to
                   identify which of a group of anycast servers is actually
                   answering your queries.  Specifying <span><strong class="command">server-id none;</strong></span>
                   disables processing of the queries.
-                  Specifying <span><strong class="command">server-id hostname;</strong></span> will cause named to
+                  Specifying <span><strong class="command">server-id hostname;</strong></span> will cause <span><strong class="command">named</strong></span> to
                   use the hostname as found by the gethostname() function.
                   The default <span><strong class="command">server-id</strong></span> is <span><strong class="command">none</strong></span>.
                 </p></dd>
@@ -4197,12 +4650,12 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             these cover the reverse namespace for addresses from RFC 1918 and
             RFC 3330.  They also include the reverse namespace for IPv6 local
             address (locally assigned), IPv6 link local addresses, the IPv6
-            loopback address and the IPv6 unknown addresss.
+            loopback address and the IPv6 unknown address.
           </p>
 <p>
-            Named will attempt to determine if a built in zone already exists
+            Named will attempt to determine if a built-in zone already exists
             or is active (covered by a forward-only forwarding declaration)
-            and will not not create a empty zone in that case.
+            and will not create a empty zone in that case.
           </p>
 <p>
             The current list of empty zones is:
@@ -4248,7 +4701,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 <h3 class="title">Note</h3>
             The real parent servers for these zones should disable all
             empty zone under the parent zone they serve.  For the real
-            root servers, this is all built in empty zones.  This will
+            root servers, this is all built-in empty zones.  This will
             enable them to return referrals to deeper in the tree.
           </div>
 <div class="variablelist"><dl>
@@ -4266,173 +4719,18 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                 </p></dd>
 <dt><span class="term"><span><strong class="command">empty-zones-enable</strong></span></span></dt>
 <dd><p>
-                  Enable or disable all empty zones.  By default they
+                  Enable or disable all empty zones.  By default, they
                   are enabled.
                 </p></dd>
 <dt><span class="term"><span><strong class="command">disable-empty-zone</strong></span></span></dt>
 <dd><p>
-                  Disable individual empty zones.  By default none are
+                  Disable individual empty zones.  By default, none are
                   disabled.  This option can be specified multiple times.
                 </p></dd>
 </dl></div>
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="statsfile"></a>The Statistics File</h4></div></div></div>
-<p>
-            The statistics file generated by <acronym class="acronym">BIND</acronym> 9
-            is similar, but not identical, to that
-            generated by <acronym class="acronym">BIND</acronym> 8.
-          </p>
-<p>
-            The statistics dump begins with a line, like:
-          </p>
-<p>
-            <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
-          </p>
-<p>
-            The number in parentheses is a standard
-            Unix-style timestamp, measured as seconds since January 1, 1970.
-            Following
-            that line are a series of lines containing a counter type, the
-            value of the
-            counter, optionally a zone name, and optionally a view name.
-            The lines without view and zone listed are global statistics for
-            the entire server.
-            Lines with a zone and view name for the given view and zone (the
-            view name is
-            omitted for the default view).
-          </p>
-<p>
-            The statistics dump ends with the line where the
-            number is identical to the number in the beginning line; for example:
-          </p>
-<p>
-            <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
-          </p>
-<p>
-            The following statistics counters are maintained:
-          </p>
-<div class="informaltable"><table border="1">
-<colgroup>
-<col>
-<col>
-</colgroup>
-<tbody>
-<tr>
-<td>
-                    <p><span><strong class="command">success</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of
-                      successful queries made to the server or zone.  A
-                      successful query
-                      is defined as query which returns a NOERROR response
-                      with at least
-                      one answer RR.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">referral</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries which resulted
-                      in referral responses.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">nxrrset</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries which resulted in
-                      NOERROR responses with no data.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">nxdomain</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number
-                      of queries which resulted in NXDOMAIN responses.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">failure</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries which resulted in a
-                      failure response other than those above.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">recursion</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries which caused the server
-                      to perform recursion in order to find the final answer.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">duplicate</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries which the server attempted to
-                      recurse but discover a existing query with the same
-                      IP address, port, query id, name, type and class
-                      already being processed.
-                    </p>
-                  </td>
-</tr>
-<tr>
-<td>
-                    <p><span><strong class="command">dropped</strong></span></p>
-                  </td>
-<td>
-                    <p>
-                      The number of queries for which the server
-                      discovered a excessive number of existing
-                      recursive queries for the same name, type and
-                      class and were subsequently dropped.
-                    </p>
-                  </td>
-</tr>
-</tbody>
-</table></div>
-<p>
-            Each query received by the server will cause exactly one of
-            <span><strong class="command">success</strong></span>,
-            <span><strong class="command">referral</strong></span>,
-            <span><strong class="command">nxrrset</strong></span>,
-            <span><strong class="command">nxdomain</strong></span>,
-            <span><strong class="command">failure</strong></span>,
-            <span><strong class="command">duplicate</strong></span>, or
-            <span><strong class="command">dropped</strong></span>
-            to be incremented, and may additionally cause the
-            <span><strong class="command">recursion</strong></span> counter to be
-            incremented.
-          </p>
-</div>
-<div class="sect3" lang="en">
-<div class="titlepage"><div><div><h4 class="title">
 <a name="acache"></a>Additional Section Caching</h4></div></div></div>
 <p>
             The additional section cache, also called <span><strong class="command">acache</strong></span>,
@@ -4518,10 +4816,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
                   In a server with multiple views, the limit applies
                   separately to the
                   acache of each view.
-                  The default is <code class="literal">unlimited</code>,
-                  meaning that
-                  entries are purged from the acache only at the
-                  periodic cleaning time.
+                  The default is <code class="literal">16M</code>.
                 </p></dd>
 </dl></div>
 </div>
@@ -4545,6 +4840,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> query-source [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
     [<span class="optional"> query-source-v6 [<span class="optional"> address ( <em class="replaceable"><code>ip_addr</code></em> | <em class="replaceable"><code>*</code></em> ) </span>] [<span class="optional"> port ( <em class="replaceable"><code>ip_port</code></em> | <em class="replaceable"><code>*</code></em> ) </span>]; </span>]
+    [<span class="optional"> use-queryport-pool <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> queryport-pool-ports <em class="replaceable"><code>number</code></em>; </span>]
+    [<span class="optional"> queryport-pool-interval <em class="replaceable"><code>number</code></em>; </span>]
 };
 </pre>
 </div>
@@ -4628,7 +4926,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
           </p>
 <p>
             The <span><strong class="command">edns-udp-size</strong></span> option sets the EDNS UDP size
-            that is advertised by named when querying the remote server.
+            that is advertised by <span><strong class="command">named</strong></span> when querying the remote server.
             Valid values are 512 to 4096 bytes (values outside this range will be
             silently adjusted).  This option is useful when you wish to
             advertises a different value to this server than the value you
@@ -4637,11 +4935,11 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
           </p>
 <p>
             The <span><strong class="command">max-udp-size</strong></span> option sets the
-            maximum EDNS UDP message size named will send.  Valid
+            maximum EDNS UDP message size <span><strong class="command">named</strong></span> will send.  Valid
             values are 512 to 4096 bytes (values outside this range will
             be silently adjusted).  This option is useful when you
             know that there is a firewall that is blocking large
-            replies from named.
+            replies from <span><strong class="command">named</strong></span>.
           </p>
 <p>
             The server supports two zone transfer methods. The first, <span><strong class="command">one-answer</strong></span>,
@@ -4719,7 +5017,67 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2585614"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
+<a name="statschannels"></a><span><strong class="command">statistics-channels</strong></span> Statement Grammar</h3></div></div></div>
+<pre class="programlisting"><span><strong class="command">statistics-channels</strong></span> {
+   [ inet ( ip_addr | * ) [ port ip_port ] [allow { <em class="replaceable"><code> address_match_list </code></em> } ]; ]
+   [ inet ...; ]
+};
+</pre>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2586754"></a><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+            Usage</h3></div></div></div>
+<p>
+          The <span><strong class="command">statistics-channels</strong></span> statement
+          declares communication channels to be used by system
+          administrators to get access to statistics information of
+          the name server.
+        </p>
+<p>
+          This statement intends to be flexible to support multiple
+          communication protocols in the future, but currently only
+          HTTP access is supported.
+          It requires that BIND 9 be compiled with libxml2;
+          the <span><strong class="command">statistics-channels</strong></span> statement is
+          still accepted even if it is built without the library,
+          but any HTTP access will fail with an error.
+        </p>
+<p>
+          An <span><strong class="command">inet</strong></span> control channel is a TCP socket
+          listening at the specified <span><strong class="command">ip_port</strong></span> on the
+          specified <span><strong class="command">ip_addr</strong></span>, which can be an IPv4 or IPv6
+          address.  An <span><strong class="command">ip_addr</strong></span> of <code class="literal">*</code> (asterisk) is
+          interpreted as the IPv4 wildcard address; connections will be
+          accepted on any of the system's IPv4 addresses.
+          To listen on the IPv6 wildcard address,
+          use an <span><strong class="command">ip_addr</strong></span> of <code class="literal">::</code>.
+        </p>
+<p>
+          If no port is specified, port 80 is used for HTTP channels.
+          The asterisk "<code class="literal">*</code>" cannot be used for
+          <span><strong class="command">ip_port</strong></span>.
+        </p>
+<p>
+          The attempt of opening a statistics channel is
+          restricted by the optional <span><strong class="command">allow</strong></span> clause.
+          Connections to the statistics channel are permitted based on the
+          <span><strong class="command">address_match_list</strong></span>.
+          If no <span><strong class="command">allow</strong></span> clause is present,
+          <span><strong class="command">named</strong></span> accepts connection
+          attempts from any address; since the statistics may
+          contain sensitive internal information, it is highly
+          recommended to restrict the source of connection requests
+          appropriately.
+        </p>
+<p>
+          If no <span><strong class="command">statistics-channels</strong></span> statement is present,
+          <span><strong class="command">named</strong></span> will not open any communication channels.
+        </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="id2586908"></a><span><strong class="command">trusted-keys</strong></span> Statement Grammar</h3></div></div></div>
 <pre class="programlisting"><span><strong class="command">trusted-keys</strong></span> {
     <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ;
     [<span class="optional"> <em class="replaceable"><code>string</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; [<span class="optional">...</span>]</span>]
@@ -4728,7 +5086,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2585666"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<a name="id2586960"></a><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">trusted-keys</strong></span> statement defines
@@ -4754,6 +5112,9 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
             multiple key entries, each consisting of the key's
             domain name, flags, protocol, algorithm, and the Base-64
             representation of the key data.
+            Spaces, tabs, newlines and carriage returns are ignored
+            in the key data, so the configuration may be split up into
+            multiple lines.
           </p>
 </div>
 <div class="sect2" lang="en">
@@ -4771,7 +5132,7 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2585748"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2587042"></a><span><strong class="command">view</strong></span> Statement Definition and Usage</h3></div></div></div>
 <p>
             The <span><strong class="command">view</strong></span> statement is a powerful
             feature
@@ -4894,6 +5255,7 @@ view "external" {
 <pre class="programlisting"><span><strong class="command">zone</strong></span> <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type master;
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-policy { <em class="replaceable"><code>update_policy_rule</code></em> [<span class="optional">...</span>] }; </span>]
@@ -4906,9 +5268,11 @@ view "external" {
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> max-ixfr-log-size <em class="replaceable"><code>number</code></em> ; </span>]
@@ -4916,11 +5280,15 @@ view "external" {
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
     [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
+    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> notify-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> notify-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> zone-statistics <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> sig-validity-interval <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-nodes <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-signatures <em class="replaceable"><code>number</code></em> ; </span>]
+    [<span class="optional"> sig-signing-type <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> database <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> min-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-refresh-time <em class="replaceable"><code>number</code></em> ; </span>]
@@ -4934,18 +5302,22 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     type slave;
     [<span class="optional"> allow-notify { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-transfer { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> allow-update-forwarding { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> update-check-ksk <em class="replaceable"><code>yes_or_no</code></em>; </span>]
+    [<span class="optional"> try-tcp-refresh <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> also-notify { <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> masterfile-format (<code class="constant">text</code>|<code class="constant">raw</code>) ; </span>]
     [<span class="optional"> journal <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> max-journal-size <em class="replaceable"><code>size_spec</code></em>; </span>]
     [<span class="optional"> forward (<code class="constant">only</code>|<code class="constant">first</code>) ; </span>]
     [<span class="optional"> forwarders { [<span class="optional"> <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; ... </span>] }; </span>]
     [<span class="optional"> ixfr-base <em class="replaceable"><code>string</code></em> ; </span>]
+    [<span class="optional"> ixfr-from-differences <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> ixfr-tmp-file <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> maintain-ixfr-base <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
     [<span class="optional"> masters [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] { ( <em class="replaceable"><code>masters_list</code></em> | <em class="replaceable"><code>ip_addr</code></em> [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] [<span class="optional">key <em class="replaceable"><code>key</code></em></span>] ) ; [<span class="optional">...</span>] }; </span>]
@@ -4955,6 +5327,8 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
     [<span class="optional"> max-transfer-time-in <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> max-transfer-time-out <em class="replaceable"><code>number</code></em> ; </span>]
     [<span class="optional"> notify <em class="replaceable"><code>yes_or_no</code></em> | <em class="replaceable"><code>explicit</code></em> | <em class="replaceable"><code>master-only</code></em> ; </span>]
+    [<span class="optional"> notify-delay <em class="replaceable"><code>seconds</code></em> ; </span>]
+    [<span class="optional"> notify-to-soa <em class="replaceable"><code>yes_or_no</code></em>; </span>]
     [<span class="optional"> pubkey <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>number</code></em> <em class="replaceable"><code>string</code></em> ; </span>]
     [<span class="optional"> transfer-source (<em class="replaceable"><code>ip4_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
     [<span class="optional"> transfer-source-v6 (<em class="replaceable"><code>ip6_addr</code></em> | <code class="constant">*</code>) [<span class="optional">port <em class="replaceable"><code>ip_port</code></em></span>] ; </span>]
@@ -4983,6 +5357,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"><em class="replaceable"><code>class</code></em></span>] {
     type stub;
     [<span class="optional"> allow-query { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
+    [<span class="optional"> allow-query-on { <em class="replaceable"><code>address_match_list</code></em> }; </span>]
     [<span class="optional"> check-names (<code class="constant">warn</code>|<code class="constant">fail</code>|<code class="constant">ignore</code>) ; </span>]
     [<span class="optional"> dialup <em class="replaceable"><code>dialup_option</code></em> ; </span>]
     [<span class="optional"> delegation-only <em class="replaceable"><code>yes_or_no</code></em> ; </span>]
@@ -5023,10 +5398,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2587332"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
+<a name="id2588510"></a><span><strong class="command">zone</strong></span> Statement Definition and Usage</h3></div></div></div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587339"></a>Zone Types</h4></div></div></div>
+<a name="id2588518"></a>Zone Types</h4></div></div></div>
 <div class="informaltable"><table border="1">
 <colgroup>
 <col>
@@ -5089,7 +5464,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                         <code class="filename">ex/example.com</code> where <code class="filename">ex/</code> is
                         just the first two letters of the zone name. (Most
                         operating systems
-                        behave very slowly if you put 100 000 files into
+                        behave very slowly if you put 100000 files into
                         a single directory.)
                       </p>
                     </td>
@@ -5235,7 +5610,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587690"></a>Class</h4></div></div></div>
+<a name="id2588937"></a>Class</h4></div></div></div>
 <p>
               The zone's name may optionally be followed by a class. If
               a class is not specified, class <code class="literal">IN</code> (for <code class="varname">Internet</code>),
@@ -5257,7 +5632,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2587723"></a>Zone Options</h4></div></div></div>
+<a name="id2588970"></a>Zone Options</h4></div></div></div>
 <div class="variablelist"><dl>
 <dt><span class="term"><span><strong class="command">allow-notify</strong></span></span></dt>
 <dd><p>
@@ -5269,6 +5644,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See the description of
                     <span><strong class="command">allow-query</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
                   </p></dd>
+<dt><span class="term"><span><strong class="command">allow-query-on</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">allow-query-on</strong></span> in <a href="Bv9ARM.ch06.html#access_control" title="Access Control">the section called &#8220;Access Control&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">allow-transfer</strong></span></span></dt>
 <dd><p>
                     See the description of <span><strong class="command">allow-transfer</strong></span>
@@ -5348,6 +5728,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See the description of
                     <span><strong class="command">update-check-ksk</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
                   </p></dd>
+<dt><span class="term"><span><strong class="command">try-tcp-refresh</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">try-tcp-refresh</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">database</strong></span></span></dt>
 <dd>
 <p>
@@ -5424,6 +5809,11 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     The default is the zone's filename with "<code class="filename">.jnl</code>" appended.
                     This is applicable to <span><strong class="command">master</strong></span> and <span><strong class="command">slave</strong></span> zones.
                   </p></dd>
+<dt><span class="term"><span><strong class="command">max-journal-size</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">max-journal-size</strong></span> in <a href="Bv9ARM.ch06.html#server_resource_limits" title="Server  Resource Limits">the section called &#8220;Server  Resource Limits&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">max-transfer-time-in</strong></span></span></dt>
 <dd><p>
                     See the description of
@@ -5454,6 +5844,12 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See the description of
                     <span><strong class="command">notify-delay</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
+<dt><span class="term"><span><strong class="command">notify-to-soa</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">notify-to-soa</strong></span> in
+                    <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">pubkey</strong></span></span></dt>
 <dd><p>
                     In <acronym class="acronym">BIND</acronym> 8, this option was
@@ -5476,6 +5872,21 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     See the description of
                     <span><strong class="command">sig-validity-interval</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
                   </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-nodes</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">sig-signing-nodes</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-signatures</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">sig-signing-signatures</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">sig-signing-type</strong></span></span></dt>
+<dd><p>
+                    See the description of
+                    <span><strong class="command">sig-signing-type</strong></span> in <a href="Bv9ARM.ch06.html#tuning" title="Tuning">the section called &#8220;Tuning&#8221;</a>.
+                  </p></dd>
 <dt><span class="term"><span><strong class="command">transfer-source</strong></span></span></dt>
 <dd><p>
                     See the description of
@@ -5521,6 +5932,10 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 <dd><p>
                     See the description of
                     <span><strong class="command">ixfr-from-differences</strong></span> in <a href="Bv9ARM.ch06.html#boolean_options" title="Boolean Options">the section called &#8220;Boolean Options&#8221;</a>.
+                    (Note that the <span><strong class="command">ixfr-from-differences</strong></span>
+                    <strong class="userinput"><code>master</code></strong> and
+                    <strong class="userinput"><code>slave</code></strong> choices are not
+                    available at the zone level.)
                   </p></dd>
 <dt><span class="term"><span><strong class="command">key-directory</strong></span></span></dt>
 <dd><p>
@@ -5544,43 +5959,38 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
 <a name="dynamic_update_policies"></a>Dynamic Update Policies</h4></div></div></div>
-<p>
-              <acronym class="acronym">BIND</acronym> 9 supports two alternative
-              methods of granting clients
-              the right to perform dynamic updates to a zone,
-              configured by the <span><strong class="command">allow-update</strong></span>
-              and
-              <span><strong class="command">update-policy</strong></span> option,
-              respectively.
+<p><acronym class="acronym">BIND</acronym> 9 supports two alternative
+              methods of granting clients the right to perform
+              dynamic updates to a zone, configured by the
+              <span><strong class="command">allow-update</strong></span> and
+              <span><strong class="command">update-policy</strong></span> option, respectively.
             </p>
 <p>
               The <span><strong class="command">allow-update</strong></span> clause works the
-              same
-              way as in previous versions of <acronym class="acronym">BIND</acronym>. It grants given clients the
-              permission to update any record of any name in the zone.
+              same way as in previous versions of <acronym class="acronym">BIND</acronym>.
+              It grants given clients the permission to update any
+              record of any name in the zone.
             </p>
 <p>
               The <span><strong class="command">update-policy</strong></span> clause is new
-              in <acronym class="acronym">BIND</acronym>
-              9 and allows more fine-grained control over what updates are
-              allowed.
-              A set of rules is specified, where each rule either grants or
-              denies
-              permissions for one or more names to be updated by one or more
-              identities.
-              If the dynamic update request message is signed (that is, it
-              includes
-              either a TSIG or SIG(0) record), the identity of the signer can
-              be determined.
+              in <acronym class="acronym">BIND</acronym> 9 and allows more fine-grained
+              control over what updates are allowed.  A set of rules
+              is specified, where each rule either grants or denies
+              permissions for one or more names to be updated by
+              one or more identities.  If the dynamic update request
+              message is signed (that is, it includes either a TSIG
+              or SIG(0) record), the identity of the signer can be
+              determined.
             </p>
 <p>
-              Rules are specified in the <span><strong class="command">update-policy</strong></span> zone
-              option, and are only meaningful for master zones.  When the <span><strong class="command">update-policy</strong></span> statement
-              is present, it is a configuration error for the <span><strong class="command">allow-update</strong></span> statement
-              to be present.  The <span><strong class="command">update-policy</strong></span>
-              statement only
-              examines the signer of a message; the source address is not
-              relevant.
+              Rules are specified in the <span><strong class="command">update-policy</strong></span>
+              zone option, and are only meaningful for master zones.
+              When the <span><strong class="command">update-policy</strong></span> statement
+              is present, it is a configuration error for the
+              <span><strong class="command">allow-update</strong></span> statement to be
+              present.  The <span><strong class="command">update-policy</strong></span> statement
+              only examines the signer of a message; the source
+              address is not relevant.
             </p>
 <p>
               This is how a rule definition looks:
@@ -5599,26 +6009,38 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
               the types specified in the type field.
             </p>
 <p>
-              The identity field specifies a name or a wildcard name.
-              Normally, this
-              is the name of the TSIG or SIG(0) key used to sign the update
-              request.  When a
-              TKEY exchange has been used to create a shared secret, the
-              identity of the
-              shared secret is the same as the identity of the key used to
-              authenticate the
-              TKEY exchange.  When the <em class="replaceable"><code>identity</code></em> field specifies a
-              wildcard name, it is subject to DNS wildcard expansion, so the
-              rule will apply
-              to multiple identities.  The <em class="replaceable"><code>identity</code></em> field must
+              No signer is required for <em class="replaceable"><code>tcp-self</code></em>
+              or <em class="replaceable"><code>6to4-self</code></em> however the standard
+              reverse mapping / prefix conversion must match the identity
+              field.
+            </p>
+<p>
+              The identity field specifies a name or a wildcard
+              name.  Normally, this is the name of the TSIG or
+              SIG(0) key used to sign the update request.  When a
+              TKEY exchange has been used to create a shared secret,
+              the identity of the shared secret is the same as the
+              identity of the key used to authenticate the TKEY
+              exchange.  TKEY is also the negotiation method used
+              by GSS-TSIG, which establishes an identity that is
+              the Kerberos principal of the client, such as
+              <strong class="userinput"><code>"user@host.domain"</code></strong>.  When the
+              <em class="replaceable"><code>identity</code></em> field specifies
+              a wildcard name, it is subject to DNS wildcard
+              expansion, so the rule will apply to multiple identities.
+              The <em class="replaceable"><code>identity</code></em> field must
               contain a fully-qualified domain name.
             </p>
 <p>
-              The <em class="replaceable"><code>nametype</code></em> field has 6
+              The <em class="replaceable"><code>nametype</code></em> field has 12
               values:
               <code class="varname">name</code>, <code class="varname">subdomain</code>,
               <code class="varname">wildcard</code>, <code class="varname">self</code>,
-               <code class="varname">selfsub</code>, and <code class="varname">selfwild</code>.
+              <code class="varname">selfsub</code>, <code class="varname">selfwild</code>,
+              <code class="varname">krb5-self</code>, <code class="varname">ms-self</code>,
+              <code class="varname">krb5-subdomain</code>,
+              <code class="varname">ms-subdomain</code>,
+              <code class="varname">tcp-self</code> and <code class="varname">6to4-self</code>.
             </p>
 <div class="informaltable"><table border="1">
 <colgroup>
@@ -5723,6 +6145,47 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                       </p>
                     </td>
 </tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">tcp-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Allow updates that have been sent via TCP and
+                        for which the standard mapping from the initiating
+                        IP address into the IN-ADDR.ARPA and IP6.ARPA
+                        namespaces match the name to be updated.
+                      </p>
+                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                        It is theoretically possible to spoof these TCP
+                        sessions.
+                      </div>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        <code class="varname">6to4-self</code>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Allow the 6to4 prefix to be update by any TCP
+                        conection from the 6to4 network or from the
+                        corresponding IPv4 address.  This is intended
+                        to allow NS or DNAME RRsets to be added to the
+                        reverse tree.
+                      </p>
+                      <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
+<h3 class="title">Note</h3>
+                        It is theoretically possible to spoof these TCP
+                        sessions.
+                      </div>
+                    </td>
+</tr>
 </tbody>
 </table></div>
 <p>
@@ -5731,21 +6194,20 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
               specify a fully-qualified domain name.
             </p>
 <p>
-              If no types are explicitly specified, this rule matches all
-              types except
-              RRSIG, NS, SOA, and NSEC. Types may be specified by name, including
-              "ANY" (ANY matches all types except NSEC, which can never be
-              updated).
-              Note that when an attempt is made to delete all records
-              associated with a
-              name, the rules are checked for each existing record type.
+              If no types are explicitly specified, this rule matches
+              all types except RRSIG, NS, SOA, NSEC and NSEC3. Types
+              may be specified by name, including "ANY" (ANY matches
+              all types except NSEC and NSEC3, which can never be
+              updated).  Note that when an attempt is made to delete
+              all records associated with a name, the rules are
+              checked for each existing record type.
             </p>
 </div>
 </div>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2589477"></a>Zone File</h2></div></div></div>
+<a name="id2591109"></a>Zone File</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="types_of_resource_records_and_when_to_use_them"></a>Types of Resource Records and When to Use Them</h3></div></div></div>
@@ -5758,7 +6220,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2589495"></a>Resource Records</h4></div></div></div>
+<a name="id2591127"></a>Resource Records</h4></div></div></div>
 <p>
               A domain name identifies a node.  Each node has a set of
               resource information, which may be empty.  The set of resource
@@ -5953,6 +6415,19 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 <tr>
 <td>
                       <p>
+                        DHCID
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Is used for identifying which DHCP client is
+                        associated with this name.  Described in RFC 4701.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
                         DNAME
                       </p>
                     </td>
@@ -6159,6 +6634,40 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 <tr>
 <td>
                       <p>
+                        NSEC3
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to securely indicate that
+                        RRs with an owner name in a certain name
+                        interval do not exist in a zone and indicate
+                        what RR types are present for an existing
+                        name.  NSEC3 differs from NSEC in that it
+                        prevents zone enumeration but is more
+                        computationally expensive on both the server
+                        and the client than NSEC.  Described in RFC
+                        5155.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
+                        NSEC3PARAM
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        Used in DNSSECbis to tell the authoritative
+                        server which NSEC3 chains are available to use.
+                        Described in RFC 5155.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p>
                         NXT
                       </p>
                     </td>
@@ -6304,7 +6813,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
                     </td>
 <td>
                       <p>
-                        Provides a way to securly publish a secure shell key's
+                        Provides a way to securely publish a secure shell key's
                         fingerprint.  Described in RFC 4255.
                       </p>
                     </td>
@@ -6448,7 +6957,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2590912"></a>Textual expression of RRs</h4></div></div></div>
+<a name="id2592682"></a>Textual expression of RRs</h4></div></div></div>
 <p>
               RRs are represented in binary form in the packets of the DNS
               protocol, and are usually represented in highly encoded form
@@ -6651,7 +7160,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2591500"></a>Discussion of MX Records</h3></div></div></div>
+<a name="id2593203"></a>Discussion of MX Records</h3></div></div></div>
 <p>
             As described above, domain servers store information as a
             series of resource records, each of which contains a particular
@@ -6685,8 +7194,6 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
             the mail will be delivered to the server specified in the MX
             record
             pointed to by the CNAME.
-          </p>
-<p>
             For example:
           </p>
 <div class="informaltable"><table border="1">
@@ -6909,7 +7416,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592188"></a>Inverse Mapping in IPv4</h3></div></div></div>
+<a name="id2593886"></a>Inverse Mapping in IPv4</h3></div></div></div>
 <p>
             Reverse name resolution (that is, translation from IP address
             to name) is achieved by means of the <span class="emphasis"><em>in-addr.arpa</em></span> domain
@@ -6970,7 +7477,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592384"></a>Other Zone File Directives</h3></div></div></div>
+<a name="id2594013"></a>Other Zone File Directives</h3></div></div></div>
 <p>
             The Master File Format was initially defined in RFC 1035 and
             has subsequently been extended. While the Master File Format
@@ -6985,7 +7492,7 @@ zone <em class="replaceable"><code>zone_name</code></em> [<span class="optional"
           </p>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2592406"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
+<a name="id2594036"></a>The <span><strong class="command">$ORIGIN</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$ORIGIN</strong></span>
               <em class="replaceable"><code>domain-name</code></em>
@@ -7013,7 +7520,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2592467"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
+<a name="id2594097"></a>The <span><strong class="command">$INCLUDE</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$INCLUDE</strong></span>
               <em class="replaceable"><code>filename</code></em>
@@ -7049,7 +7556,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect3" lang="en">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2592536"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
+<a name="id2594234"></a>The <span><strong class="command">$TTL</strong></span> Directive</h4></div></div></div>
 <p>
               Syntax: <span><strong class="command">$TTL</strong></span>
               <em class="replaceable"><code>default-ttl</code></em>
@@ -7068,7 +7575,7 @@ WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2592572"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
+<a name="id2594270"></a><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</h3></div></div></div>
 <p>
             Syntax: <span><strong class="command">$GENERATE</strong></span>
             <em class="replaceable"><code>range</code></em>
@@ -7128,7 +7635,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                       describes the owner name of the resource records
                       to be created.  Any single <span><strong class="command">$</strong></span>
                       (dollar sign)
-                      symbols within the <span><strong class="command">lhs</strong></span> side
+                      symbols within the <span><strong class="command">lhs</strong></span> string
                       are replaced by the iterator value.
 
                       To get a $ in the output, you need to escape the
@@ -7172,7 +7679,7 @@ $GENERATE 1-127 $ CNAME $.0</pre>
                     <p>
                       Specifies the time-to-live of the generated records. If
                       not specified this will be inherited using the
-                      normal ttl inheritance rules.
+                      normal TTL inheritance rules.
                     </p>
                     <p><span><strong class="command">class</strong></span>
                       and <span><strong class="command">ttl</strong></span> can be
@@ -7271,6 +7778,1470 @@ $GENERATE 1-127 $ CNAME $.0</pre>
           </p>
 </div>
 </div>
+<div class="sect1" lang="en">
+<div class="titlepage"><div><div><h2 class="title" style="clear: both">
+<a name="statistics"></a>BIND9 Statistics</h2></div></div></div>
+<p>
+          <acronym class="acronym">BIND</acronym> 9 maintains lots of statistics
+          information and provides several interfaces for users to
+          get access to the statistics.
+          The available statistics include all statistics counters
+          that were available in <acronym class="acronym">BIND</acronym> 8 and
+          are meaningful in <acronym class="acronym">BIND</acronym> 9,
+          and other information that is considered useful.
+        </p>
+<p>
+          The statistics information is categorized into the following
+          sections.
+        </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                  <p>Incoming Requests</p>
+                </td>
+<td>
+                  <p>
+                    The number of incoming DNS requests for each OPCODE.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Incoming Queries</p>
+                </td>
+<td>
+                  <p>
+                    The number of incoming queries for each RR type.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Outgoing Queries</p>
+                </td>
+<td>
+                  <p>
+                    The number of outgoing queries for each RR
+                    type sent from the internal resolver.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Name Server Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about incoming request processing.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Zone Maintenance Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters regarding zone maintenance
+                    operations such as zone transfers.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Resolver Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about name resolution
+                    performed in the internal resolver.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Cache DB RRsets</p>
+                </td>
+<td>
+                  <p>
+                    The number of RRsets per RR type (positive
+                    or negative) and nonexistent names stored in the
+                    cache database.
+                    Maintained per view.
+                  </p>
+                </td>
+</tr>
+<tr>
+<td>
+                  <p>Socket I/O Statistics</p>
+                </td>
+<td>
+                  <p>
+                    Statistics counters about network related events.
+                  </p>
+                </td>
+</tr>
+</tbody>
+</table></div>
+<p>
+          A subset of Name Server Statistics is collected and shown
+          per zone for which the server has the authority when
+          <span><strong class="command">zone-statistics</strong></span> is set to
+          <strong class="userinput"><code>yes</code></strong>.
+          These statistics counters are shown with their zone and view
+          names.
+          In some cases the view names are omitted for the default view.
+        </p>
+<p>
+          There are currently two user interfaces to get access to the
+          statistics.
+          One is in the plain text format dumped to the file specified
+          by the <span><strong class="command">statistics-file</strong></span> configuration option.
+          The other is remotely accessible via a statistics channel
+          when the <span><strong class="command">statistics-channels</strong></span> statement
+          is specified in the configuration file
+          (see <a href="Bv9ARM.ch06.html#statschannels" title="statistics-channels Statement Grammar">the section called &#8220;<span><strong class="command">statistics-channels</strong></span> Statement Grammar&#8221;</a>.)
+        </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="statsfile"></a>The Statistics File</h4></div></div></div>
+<p>
+            The text format statistics dump begins with a line, like:
+          </p>
+<p>
+            <span><strong class="command">+++ Statistics Dump +++ (973798949)</strong></span>
+          </p>
+<p>
+            The number in parentheses is a standard
+            Unix-style timestamp, measured as seconds since January 1, 1970.
+
+            Following
+            that line is a set of statistics information, which is categorized
+            as described above.
+            Each section begins with a line, like:
+          </p>
+<p>
+            <span><strong class="command">++ Name Server Statistics ++</strong></span>
+          </p>
+<p>
+            Each section consists of lines, each containing the statistics
+            counter value followed by its textual description.
+            See below for available counters.
+            For brevity, counters that have a value of 0 are not shown
+            in the statistics file.
+          </p>
+<p>
+            The statistics dump ends with the line where the
+            number is identical to the number in the beginning line; for example:
+          </p>
+<p>
+            <span><strong class="command">--- Statistics Dump --- (973798949)</strong></span>
+          </p>
+</div>
+<div class="sect2" lang="en">
+<div class="titlepage"><div><div><h3 class="title">
+<a name="statistics_counters"></a>Statistics Counters</h3></div></div></div>
+<p>
+            The following tables summarize statistics counters that
+            <acronym class="acronym">BIND</acronym> 9 provides.
+            For each row of the tables, the leftmost column is the
+            abbreviated symbol name of that counter.
+            These symbols are shown in the statistics information
+            accessed via an HTTP statistics channel.
+            The rightmost column gives the description of the counter,
+            which is also shown in the statistics file
+            (but, in this document, possibly with slight modification
+            for better readability).
+            Additional notes may also be provided in this column.
+            When a middle column exists between these two columns,
+            it gives the corresponding counter name of the
+            <acronym class="acronym">BIND</acronym> 8 statistics, if applicable.
+          </p>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2595267"></a>Name Server Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Requestv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 requests received.
+                        Note: this also counts non query requests.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Requestv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 requests received.
+                        Note: this also counts non query requests.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqEdns0</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with EDNS(0) received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqBadEDNSVer</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with unsupported EDNS version received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqTSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with TSIG received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqSIG0</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with SIG(0) received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqBadSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requests with invalid (TSIG or SIG(0)) signature.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ReqTCP</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RTCP</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        TCP requests received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">AuthQryRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RUQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Authoritative (non recursive) queries rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">RecQryRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RURQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Recursive queries rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">XfrRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RUXFR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateRej</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RUUpd</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic update requests rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Response</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SAns</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">RespTruncated</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Truncated responses sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">RespEDNS0</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with EDNS(0) sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">RespTSIG</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with TSIG sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">RespSIG0</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Responses with SIG(0) sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QrySuccess</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in a successful answer.
+                        This means the query which returns a NOERROR response
+                        with at least one answer RR.
+                        This corresponds to the
+                        <span><strong class="command">success</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryAuthAns</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in authoritative answer.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryNoauthAns</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SNaAns</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in non authoritative answer.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryReferral</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in referral answer.
+                        This corresponds to the
+                        <span><strong class="command">referral</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryNxrrset</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NOERROR responses with no data.
+                        This corresponds to the
+                        <span><strong class="command">nxrrset</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QrySERVFAIL</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in SERVFAIL.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryFORMERR</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SFErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in FORMERR.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryNXDOMAIN</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SNXD</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries resulted in NXDOMAIN.
+                        This corresponds to the
+                        <span><strong class="command">nxdomain</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryRecursion</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries which caused the server
+                        to perform recursion in order to find the final answer.
+                        This corresponds to the
+                        <span><strong class="command">recursion</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryDuplicate</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RDupQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries which the server attempted to
+                        recurse but discovered an existing query with the same
+                        IP address, port, query ID, name, type and class
+                        already being processed.
+                        This corresponds to the
+                        <span><strong class="command">duplicate</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryDropped</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Recursive queries for which the server
+                        discovered an excessive number of existing
+                        recursive queries for the same name, type and
+                        class and were subsequently dropped.
+                        This is the number of dropped queries due to
+                        the reason explained with the
+                        <span><strong class="command">clients-per-query</strong></span>
+                        and
+                        <span><strong class="command">max-clients-per-query</strong></span>
+                        options
+                        (see the description about
+                        <a href="Bv9ARM.ch06.html#clients-per-query"><span><strong class="command">clients-per-query</strong></span></a>.)
+                        This corresponds to the
+                        <span><strong class="command">dropped</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryFailure</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Other query failures.
+                        This corresponds to the
+                        <span><strong class="command">failure</strong></span> counter
+                        of previous versions of
+                        <acronym class="acronym">BIND</acronym> 9.
+                        Note: this counter is provided mainly for
+                        backward compatibility with the previous versions.
+                        Normally a more fine-grained counters such as
+                        <span><strong class="command">AuthQryRej</strong></span> and
+                        <span><strong class="command">RecQryRej</strong></span>
+                        that would also fall into this counter are provided,
+                        and so this counter would not be of much
+                        interest in practice.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">XfrReqDone</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Requested zone transfers completed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateReqFwd</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Update requests forwarded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateRespFwd</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Update responses forwarded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateFwdFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic update forward failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateDone</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates completed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">UpdateBadPrereq</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Dynamic updates rejected due to prerequisite failure.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2596808"></a>Zone Maintenance Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NotifyOutv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 notifies sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NotifyOutv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 notifies sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NotifyInv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 notifies received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NotifyInv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 notifies received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NotifyRej</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Incoming notifies rejected.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">SOAOutv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 SOA queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">SOAOutv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 SOA queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">AXFRReqv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 AXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">AXFRReqv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 AXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">IXFRReqv4</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 IXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">IXFRReqv6</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 IXFR requested.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">XfrSuccess</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">XfrFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Zone transfer requests failed.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2597191"></a>Resolver Statistics Counters</h4></div></div></div>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>BIND8 Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Queryv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Queryv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SFwdQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 queries sent.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Responsev4</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Responsev6</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">NXDOMAIN</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RNXD</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        NXDOMAIN received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">SERVFAIL</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        SERVFAIL received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">FORMERR</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RFErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        FORMERR received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">OtherError</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Other errors received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">EDNS0Fail</strong></span></p>
+                                                 </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        EDNS(0) query failures.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Mismatch</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RDupR</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Mismatch responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Truncated</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Truncated responses received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Lame</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">RLame</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Lame delegations received.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">Retry</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SDupQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Query retries performed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QueryAbort</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Queries aborted due to quota control.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QuerySockFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures in opening query sockets.
+                        One common reason for such failures is a
+                        failure of opening a new socket due to a
+                        limitation on file descriptors.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QueryTimeout</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Query timeouts.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">GlueFetchv4</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SSysQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 NS address fetches invoked.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">GlueFetchv6</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command">SSysQ</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 NS address fetches invoked.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">GlueFetchv4Fail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv4 NS address fetch failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">GlueFetchv6Fail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        IPv6 NS address fetch failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ValAttempt</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation attempted.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ValOk</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ValNegOk</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation on negative information succeeded.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">ValFail</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        DNSSEC validation failed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">QryRTTnn</strong></span></p>
+                    </td>
+<td>
+                      <p><span><strong class="command"></strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Frequency table on round trip times (RTTs) of
+                        queries.
+                        Each <span><strong class="command">nn</strong></span> specifies the corresponding
+                        frequency.
+                        In the sequence of
+                        <span><strong class="command">nn_1</strong></span>,
+                        <span><strong class="command">nn_2</strong></span>,
+                        ...,
+                        <span><strong class="command">nn_m</strong></span>,
+                        the value of <span><strong class="command">nn_i</strong></span> is the
+                        number of queries whose RTTs are between
+                        <span><strong class="command">nn_(i-1)</strong></span> (inclusive) and
+                        <span><strong class="command">nn_i</strong></span> (exclusive) milliseconds.
+                        For the sake of convenience we define
+                        <span><strong class="command">nn_0</strong></span> to be 0.
+                        The last entry should be represented as
+                        <span><strong class="command">nn_m+</strong></span>, which means the
+                        number of queries whose RTTs are equal to or over
+                        <span><strong class="command">nn_m</strong></span> milliseconds.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2598210"></a>Socket I/O Statistics Counters</h4></div></div></div>
+<p>
+              Socket I/O statistics counters are defined per socket
+              types, which are
+              <span><strong class="command">UDP4</strong></span> (UDP/IPv4),
+              <span><strong class="command">UDP6</strong></span> (UDP/IPv6),
+              <span><strong class="command">TCP4</strong></span> (TCP/IPv4),
+              <span><strong class="command">TCP6</strong></span> (TCP/IPv6),
+              <span><strong class="command">Unix</strong></span> (Unix Domain), and
+              <span><strong class="command">FDwatch</strong></span> (sockets opened outside the
+              socket module).
+              In the following table <span><strong class="command">&lt;TYPE&gt;</strong></span>
+              represents a socket type.
+              Not all counters are available for all socket types;
+              exceptions are noted in the description field.
+            </p>
+<div class="informaltable"><table border="1">
+<colgroup>
+<col>
+<col>
+</colgroup>
+<tbody>
+<tr>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Symbol</em></span>
+                      </p>
+                    </td>
+<td>
+                      <p>
+                        <span class="emphasis"><em>Description</em></span>
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;Open</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Sockets opened successfully.
+                        This counter is not applicable to the
+                        <span><strong class="command">FDwatch</strong></span> type.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;OpenFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of opening sockets.
+                        This counter is not applicable to the
+                        <span><strong class="command">FDwatch</strong></span> type.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;Close</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Sockets closed.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;BindFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of binding sockets.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;ConnFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of connecting sockets.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;Conn</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Connections established successfully.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;AcceptFail</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Failures of accepting incoming connection requests.
+                        This counter is not applicable to the
+                        <span><strong class="command">UDP</strong></span> and
+                        <span><strong class="command">FDwatch</strong></span> types.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;Accept</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Incoming connections successfully accepted.
+                        This counter is not applicable to the
+                        <span><strong class="command">UDP</strong></span> and
+                        <span><strong class="command">FDwatch</strong></span> types.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;SendErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Errors in socket send operations.
+                        This counter corresponds
+                        to <span><strong class="command">SErr</strong></span> counter of
+                        <span><strong class="command">BIND</strong></span> 8.
+                      </p>
+                    </td>
+</tr>
+<tr>
+<td>
+                      <p><span><strong class="command">&lt;TYPE&gt;RecvErr</strong></span></p>
+                    </td>
+<td>
+                      <p>
+                        Errors in socket receive operations.
+                        This includes errors of send operations on a
+                        connected UDP socket notified by an ICMP error
+                        message.
+                      </p>
+                    </td>
+</tr>
+</tbody>
+</table></div>
+</div>
+<div class="sect3" lang="en">
+<div class="titlepage"><div><div><h4 class="title">
+<a name="id2598651"></a>Compatibility with <span class="emphasis"><em>BIND</em></span> 8 Counters</h4></div></div></div>
+<p>
+              Most statistics counters that were available
+              in <span><strong class="command">BIND</strong></span> 8 are also supported in
+              <span><strong class="command">BIND</strong></span> 9 as shown in the above tables.
+              Here are notes about other counters that do not appear
+              in these tables.
+            </p>
+<div class="variablelist"><dl>
+<dt><span class="term"><span><strong class="command">RFwdR,SFwdR</strong></span></span></dt>
+<dd><p>
+                    These counters are not supported
+                    because <span><strong class="command">BIND</strong></span> 9 does not adopt
+                    the notion of <span class="emphasis"><em>forwarding</em></span>
+                    as <span><strong class="command">BIND</strong></span> 8 did.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">RAXFR</strong></span></span></dt>
+<dd><p>
+                    This counter is accessible in the Incoming Queries section.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">RIQ</strong></span></span></dt>
+<dd><p>
+                    This counter is accessible in the Incoming Requests section.
+                  </p></dd>
+<dt><span class="term"><span><strong class="command">ROpts</strong></span></span></dt>
+<dd><p>
+                    This counter is not supported
+                    because <span><strong class="command">BIND</strong></span> 9 does not care
+                    about IP options in the first place.
+                  </p></dd>
+</dl></div>
+</div>
+</div>
+</div>
 </div>
 <div class="navfooter">
 <hr>
diff --git a/doc/arm/Bv9ARM.ch07.html b/doc/arm/Bv9ARM.ch07.html
index 4ddbced..80ba6e3 100644
--- a/doc/arm/Bv9ARM.ch07.html
+++ b/doc/arm/Bv9ARM.ch07.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.76 2008/10/16 01:29:41 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch07.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -46,10 +46,10 @@
 <p><b>Table of Contents</b></p>
 <dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593181"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593326">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593386">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl>
@@ -58,9 +58,10 @@
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
 <p>
-          Access Control Lists (ACLs), are address match lists that
+          Access Control Lists (ACLs) are address match lists that
           you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
-          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
+          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
+          <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
           <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
           etc.
         </p>
@@ -118,14 +119,16 @@ zone "example.com" {
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593181"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
+<a name="id2598893"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 </h2></div></div></div>
 <p>
-          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
-          (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
-          option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
-          a "sandbox", which will limit the damage done if a server is
-          compromised.
+          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
+          in a <span class="emphasis"><em>chrooted</em></span> environment (using
+          the <span><strong class="command">chroot()</strong></span> function) by specifying
+          the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
+          This can help improve system security by placing
+          <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
+          the damage done if a server is compromised.
         </p>
 <p>
           Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
@@ -138,11 +141,11 @@ zone "example.com" {
           user 202:
         </p>
 <p>
-          <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
+          <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
         </p>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2593326"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
+<a name="id2598974"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 <p>
             In order for a <span><strong class="command">chroot</strong></span> environment
             to
@@ -170,7 +173,7 @@ zone "example.com" {
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2593386"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
+<a name="id2599034"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 <p>
             Prior to running the <span><strong class="command">named</strong></span> daemon,
             use
diff --git a/doc/arm/Bv9ARM.ch08.html b/doc/arm/Bv9ARM.ch08.html
index 65f8cec..65ca623 100644
--- a/doc/arm/Bv9ARM.ch08.html
+++ b/doc/arm/Bv9ARM.ch08.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch08.html,v 1.75.18.77 2008/10/16 01:29:41 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch08.html,v 1.178.14.5 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,18 +45,18 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593466">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593472">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593483">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593500">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593466"></a>Common Problems</h2></div></div></div>
+<a name="id2599251"></a>Common Problems</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2593472"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
+<a name="id2599324"></a>It's not working; how can I figure out what's wrong?</h3></div></div></div>
 <p>
             The best solution to solving installation and
             configuration issues is to take preventative measures by setting
@@ -68,7 +68,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593483"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
+<a name="id2599336"></a>Incrementing and Changing the Serial Number</h2></div></div></div>
 <p>
           Zone serial numbers are just numbers &#8212; they aren't
           date related.  A lot of people set them to a number that
@@ -95,7 +95,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593500"></a>Where Can I Get Help?</h2></div></div></div>
+<a name="id2599353"></a>Where Can I Get Help?</h2></div></div></div>
 <p>
           The Internet Systems Consortium
           (<acronym class="acronym">ISC</acronym>) offers a wide range
diff --git a/doc/arm/Bv9ARM.ch09.html b/doc/arm/Bv9ARM.ch09.html
index 71ea617..3664b99 100644
--- a/doc/arm/Bv9ARM.ch09.html
+++ b/doc/arm/Bv9ARM.ch09.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch09.html,v 1.75.18.80 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch09.html,v 1.180.16.5 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -45,21 +45,21 @@
 <div class="toc">
 <p><b>Table of Contents</b></p>
 <dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593630">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593802">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597082">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl>
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593630"></a>Acknowledgments</h2></div></div></div>
+<a name="id2599415"></a>Acknowledgments</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="historical_dns_information"></a>A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym>
@@ -148,11 +148,9 @@
             BIND architecture.
           </p>
 <p>
-            BIND version 4 is officially deprecated and BIND version
-            8 development is considered maintenance-only in favor
-            of BIND version 9. No additional development is done
-            on BIND version 4 or BIND version 8 other than for
-            security-related patches.
+            BIND versions 4 and 8 are officially deprecated.
+            No additional development is done
+            on BIND version 4 or BIND version 8.
           </p>
 <p>
             <acronym class="acronym">BIND</acronym> development work is made
@@ -164,7 +162,7 @@
 </div>
 <div class="sect1" lang="en">
 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
-<a name="id2593802"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
+<a name="id2599587"></a>General <acronym class="acronym">DNS</acronym> Reference Information</h2></div></div></div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
 <a name="ipv6addresses"></a>IPv6 addresses (AAAA)</h3></div></div></div>
@@ -252,17 +250,17 @@
           </p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2593990"></a>Bibliography</h4></div></div></div>
+<a name="id2599843"></a>Bibliography</h4></div></div></div>
 <div class="bibliodiv">
 <h3 class="title">Standards</h3>
 <div class="biblioentry">
-<a name="id2594001"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
+<a name="id2599853"></a><p>[<abbr class="abbrev">RFC974</abbr>] <span class="author"><span class="firstname">C.</span> <span class="surname">Partridge</span>. </span><span class="title"><i>Mail Routing and the Domain System</i>. </span><span class="pubdate">January 1986. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594024"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2599877"></a><p>[<abbr class="abbrev">RFC1034</abbr>] <span class="author"><span class="firstname">P.V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Concepts and Facilities</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594048"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
+<a name="id2599900"></a><p>[<abbr class="abbrev">RFC1035</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>Domain Names &#8212; Implementation and
                   Specification</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 </div>
@@ -270,42 +268,42 @@
 <h3 class="title">
 <a name="proposed_standards"></a>Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2594084"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
+<a name="id2599937"></a><p>[<abbr class="abbrev">RFC2181</abbr>] <span class="author"><span class="firstname">R., R. Bush</span> <span class="surname">Elz</span>. </span><span class="title"><i>Clarifications to the <acronym class="acronym">DNS</acronym>
                   Specification</i>. </span><span class="pubdate">July 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594110"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
+<a name="id2599963"></a><p>[<abbr class="abbrev">RFC2308</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Andrews</span>. </span><span class="title"><i>Negative Caching of <acronym class="acronym">DNS</acronym>
                   Queries</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594136"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2599989"></a><p>[<abbr class="abbrev">RFC1995</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Ohta</span>. </span><span class="title"><i>Incremental Zone Transfer in <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594161"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600013"></a><p>[<abbr class="abbrev">RFC1996</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A Mechanism for Prompt Notification of Zone Changes</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594184"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2600037"></a><p>[<abbr class="abbrev">RFC2136</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">Y.</span> <span class="surname">Rekhter</span>, and <span class="firstname">J.</span> <span class="surname">Bound</span>. </span><span class="title"><i>Dynamic Updates in the Domain Name System</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594240"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
+<a name="id2600092"></a><p>[<abbr class="abbrev">RFC2671</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Extension Mechanisms for DNS (EDNS0)</i>. </span><span class="pubdate">August 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594266"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2600119"></a><p>[<abbr class="abbrev">RFC2672</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Non-Terminal DNS Name Redirection</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594293"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2600146"></a><p>[<abbr class="abbrev">RFC2845</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>, <span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, and <span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secret Key Transaction Authentication for <acronym class="acronym">DNS</acronym> (TSIG)</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594423"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600208"></a><p>[<abbr class="abbrev">RFC2930</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secret Key Establishment for DNS (TKEY RR)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594453"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2600237"></a><p>[<abbr class="abbrev">RFC2931</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DNS Request and Transaction Signatures (SIG(0)s)</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594483"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
+<a name="id2600267"></a><p>[<abbr class="abbrev">RFC3007</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Secure Domain Name System (DNS) Dynamic Update</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594509"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
+<a name="id2600294"></a><p>[<abbr class="abbrev">RFC3645</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Kwan</span>, <span class="firstname">P.</span> <span class="surname">Garg</span>, <span class="firstname">J.</span> <span class="surname">Gilroy</span>, <span class="firstname">L.</span> <span class="surname">Esibov</span>, <span class="firstname">J.</span> <span class="surname">Westhead</span>, and <span class="firstname">R.</span> <span class="surname">Hall</span>. </span><span class="title"><i>Generic Security Service Algorithm for Secret
                        Key Transaction Authentication for DNS
                        (GSS-TSIG)</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
@@ -314,19 +312,19 @@
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Security Proposed Standards</h3>
 <div class="biblioentry">
-<a name="id2594592"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
+<a name="id2600376"></a><p>[<abbr class="abbrev">RFC3225</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Conrad</span>. </span><span class="title"><i>Indicating Resolver Support of DNSSEC</i>. </span><span class="pubdate">December 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594618"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2600403"></a><p>[<abbr class="abbrev">RFC3833</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Atkins</span> and <span class="firstname">R.</span> <span class="surname">Austein</span>. </span><span class="title"><i>Threat Analysis of the Domain Name System (DNS)</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594654"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600439"></a><p>[<abbr class="abbrev">RFC4033</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>DNS Security Introduction and Requirements</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594720"></a><p>[<abbr class="abbrev">RFC4044</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
+<a name="id2600504"></a><p>[<abbr class="abbrev">RFC4034</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Resource Records for the DNS Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594785"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
+<a name="id2600569"></a><p>[<abbr class="abbrev">RFC4035</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Arends</span>, <span class="firstname">R.</span> <span class="surname">Austein</span>, <span class="firstname">M.</span> <span class="surname">Larson</span>, <span class="firstname">D.</span> <span class="surname">Massey</span>, and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Protocol Modifications for the DNS
                        Security Extensions</i>. </span><span class="pubdate">March 2005. </span></p>
 </div>
 </div>
@@ -334,146 +332,146 @@
 <h3 class="title">Other Important RFCs About <acronym class="acronym">DNS</acronym>
                 Implementation</h3>
 <div class="biblioentry">
-<a name="id2594858"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
+<a name="id2600643"></a><p>[<abbr class="abbrev">RFC1535</abbr>] <span class="author"><span class="firstname">E.</span> <span class="surname">Gavron</span>. </span><span class="title"><i>A Security Problem and Proposed Correction With Widely
                   Deployed <acronym class="acronym">DNS</acronym> Software.</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594884"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
+<a name="id2600668"></a><p>[<abbr class="abbrev">RFC1536</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Kumar</span>, <span class="firstname">J.</span> <span class="surname">Postel</span>, <span class="firstname">C.</span> <span class="surname">Neuman</span>, <span class="firstname">P.</span> <span class="surname">Danzig</span>, and <span class="firstname">S.</span> <span class="surname">Miller</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Implementation
                   Errors and Suggested Fixes</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594952"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
+<a name="id2600737"></a><p>[<abbr class="abbrev">RFC1982</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Elz</span> and <span class="firstname">R.</span> <span class="surname">Bush</span>. </span><span class="title"><i>Serial Number Arithmetic</i>. </span><span class="pubdate">August 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2594987"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
+<a name="id2600772"></a><p>[<abbr class="abbrev">RFC4074</abbr>] <span class="authorgroup"><span class="firstname">Y.</span> <span class="surname">Morishita</span> and <span class="firstname">T.</span> <span class="surname">Jinmei</span>. </span><span class="title"><i>Common Misbehaviour Against <acronym class="acronym">DNS</acronym>
                 Queries for IPv6 Addresses</i>. </span><span class="pubdate">May 2005. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Resource Record Types</h3>
 <div class="biblioentry">
-<a name="id2595033"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
+<a name="id2600818"></a><p>[<abbr class="abbrev">RFC1183</abbr>] <span class="authorgroup"><span class="firstname">C.F.</span> <span class="surname">Everhart</span>, <span class="firstname">L. A.</span> <span class="surname">Mamakos</span>, <span class="firstname">R.</span> <span class="surname">Ullmann</span>, and <span class="firstname">P.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i>New <acronym class="acronym">DNS</acronym> RR Definitions</i>. </span><span class="pubdate">October 1990. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595091"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
+<a name="id2600875"></a><p>[<abbr class="abbrev">RFC1706</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">R.</span> <span class="surname">Colella</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> NSAP Resource Records</i>. </span><span class="pubdate">October 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595128"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
+<a name="id2600913"></a><p>[<abbr class="abbrev">RFC2168</abbr>] <span class="authorgroup"><span class="firstname">R.</span> <span class="surname">Daniel</span> and <span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="title"><i>Resolution of Uniform Resource Identifiers using
                   the Domain Name System</i>. </span><span class="pubdate">June 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595163"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
+<a name="id2600948"></a><p>[<abbr class="abbrev">RFC1876</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Davis</span>, <span class="firstname">P.</span> <span class="surname">Vixie</span>, <span class="firstname">T.</span>, and <span class="firstname">I.</span> <span class="surname">Dickinson</span>. </span><span class="title"><i>A Means for Expressing Location Information in the
                   Domain
                   Name System</i>. </span><span class="pubdate">January 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595218"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
+<a name="id2601002"></a><p>[<abbr class="abbrev">RFC2052</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>A <acronym class="acronym">DNS</acronym> RR for Specifying the
                   Location of
                   Services.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595256"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
+<a name="id2601041"></a><p>[<abbr class="abbrev">RFC2163</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Allocchio</span>. </span><span class="title"><i>Using the Internet <acronym class="acronym">DNS</acronym> to
                   Distribute MIXER
                   Conformant Global Address Mapping</i>. </span><span class="pubdate">January 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595282"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
+<a name="id2601066"></a><p>[<abbr class="abbrev">RFC2230</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Atkinson</span>. </span><span class="title"><i>Key Exchange Delegation Record for the <acronym class="acronym">DNS</acronym></i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595307"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601092"></a><p>[<abbr class="abbrev">RFC2536</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>DSA KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595334"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601118"></a><p>[<abbr class="abbrev">RFC2537</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/MD5 KEYs and SIGs in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595361"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601145"></a><p>[<abbr class="abbrev">RFC2538</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Storing Certificates in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595400"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601185"></a><p>[<abbr class="abbrev">RFC2539</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Storage of Diffie-Hellman Keys in the Domain Name System (DNS)</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595430"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2601214"></a><p>[<abbr class="abbrev">RFC2540</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Detached Domain Name System (DNS) Information</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595460"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
+<a name="id2601244"></a><p>[<abbr class="abbrev">RFC2782</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gulbrandsen</span>. </span><span class="author"><span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="author"><span class="firstname">L.</span> <span class="surname">Esibov</span>. </span><span class="title"><i>A DNS RR for specifying the location of services (DNS SRV)</i>. </span><span class="pubdate">February 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595502"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601287"></a><p>[<abbr class="abbrev">RFC2915</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Mealling</span>. </span><span class="author"><span class="firstname">R.</span> <span class="surname">Daniel</span>. </span><span class="title"><i>The Naming Authority Pointer (NAPTR) DNS Resource Record</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595536"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
+<a name="id2601320"></a><p>[<abbr class="abbrev">RFC3110</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>RSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)</i>. </span><span class="pubdate">May 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595562"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
+<a name="id2601347"></a><p>[<abbr class="abbrev">RFC3123</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Koch</span>. </span><span class="title"><i>A DNS RR Type for Lists of Address Prefixes (APL RR)</i>. </span><span class="pubdate">June 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595586"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
+<a name="id2601370"></a><p>[<abbr class="abbrev">RFC3596</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Thomson</span>, <span class="firstname">C.</span> <span class="surname">Huitema</span>, <span class="firstname">V.</span> <span class="surname">Ksinant</span>, and <span class="firstname">M.</span> <span class="surname">Souissi</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Extensions to support IP
                   version 6</i>. </span><span class="pubdate">October 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595643"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
+<a name="id2601428"></a><p>[<abbr class="abbrev">RFC3597</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Gustafsson</span>. </span><span class="title"><i>Handling of Unknown DNS Resource Record (RR) Types</i>. </span><span class="pubdate">September 2003. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> and the Internet</h3>
 <div class="biblioentry">
-<a name="id2595675"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
+<a name="id2601460"></a><p>[<abbr class="abbrev">RFC1101</abbr>] <span class="author"><span class="firstname">P. V.</span> <span class="surname">Mockapetris</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Network Names
                   and Other Types</i>. </span><span class="pubdate">April 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595701"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
+<a name="id2601485"></a><p>[<abbr class="abbrev">RFC1123</abbr>] <span class="author"><span class="surname">Braden</span>. </span><span class="title"><i>Requirements for Internet Hosts - Application and
                   Support</i>. </span><span class="pubdate">October 1989. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595723"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
+<a name="id2601576"></a><p>[<abbr class="abbrev">RFC1591</abbr>] <span class="author"><span class="firstname">J.</span> <span class="surname">Postel</span>. </span><span class="title"><i>Domain Name System Structure and Delegation</i>. </span><span class="pubdate">March 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595747"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
+<a name="id2601600"></a><p>[<abbr class="abbrev">RFC2317</abbr>] <span class="authorgroup"><span class="firstname">H.</span> <span class="surname">Eidnes</span>, <span class="firstname">G.</span> <span class="surname">de Groot</span>, and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Classless IN-ADDR.ARPA Delegation</i>. </span><span class="pubdate">March 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595793"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
+<a name="id2601645"></a><p>[<abbr class="abbrev">RFC2826</abbr>] <span class="authorgroup"><span class="surname">Internet Architecture Board</span>. </span><span class="title"><i>IAB Technical Comment on the Unique DNS Root</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595816"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
+<a name="id2601669"></a><p>[<abbr class="abbrev">RFC2929</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>, <span class="firstname">E.</span> <span class="surname">Brunner-Williams</span>, and <span class="firstname">B.</span> <span class="surname">Manning</span>. </span><span class="title"><i>Domain Name System (DNS) IANA Considerations</i>. </span><span class="pubdate">September 2000. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">
 <acronym class="acronym">DNS</acronym> Operations</h3>
 <div class="biblioentry">
-<a name="id2595874"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
+<a name="id2601726"></a><p>[<abbr class="abbrev">RFC1033</abbr>] <span class="author"><span class="firstname">M.</span> <span class="surname">Lottor</span>. </span><span class="title"><i>Domain administrators operations guide.</i>. </span><span class="pubdate">November 1987. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595897"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
+<a name="id2601750"></a><p>[<abbr class="abbrev">RFC1537</abbr>] <span class="author"><span class="firstname">P.</span> <span class="surname">Beertema</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Data File
                   Configuration Errors</i>. </span><span class="pubdate">October 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595924"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
+<a name="id2601777"></a><p>[<abbr class="abbrev">RFC1912</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Barr</span>. </span><span class="title"><i>Common <acronym class="acronym">DNS</acronym> Operational and
                   Configuration Errors</i>. </span><span class="pubdate">February 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595950"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
+<a name="id2601803"></a><p>[<abbr class="abbrev">RFC2010</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Manning</span> and <span class="firstname">P.</span> <span class="surname">Vixie</span>. </span><span class="title"><i>Operational Criteria for Root Name Servers.</i>. </span><span class="pubdate">October 1996. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2595987"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
+<a name="id2601840"></a><p>[<abbr class="abbrev">RFC2219</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Hamilton</span> and <span class="firstname">R.</span> <span class="surname">Wright</span>. </span><span class="title"><i>Use of <acronym class="acronym">DNS</acronym> Aliases for
                   Network Services.</i>. </span><span class="pubdate">October 1997. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Internationalized Domain Names</h3>
 <div class="biblioentry">
-<a name="id2596033"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
+<a name="id2601885"></a><p>[<abbr class="abbrev">RFC2825</abbr>] <span class="authorgroup"><span class="surname">IAB</span> and <span class="firstname">R.</span> <span class="surname">Daigle</span>. </span><span class="title"><i>A Tangled Web: Issues of I18N, Domain Names,
                        and the Other Internet protocols</i>. </span><span class="pubdate">May 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596065"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601917"></a><p>[<abbr class="abbrev">RFC3490</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Faltstrom</span>, <span class="firstname">P.</span> <span class="surname">Hoffman</span>, and <span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Internationalizing Domain Names in Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596110"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
+<a name="id2601963"></a><p>[<abbr class="abbrev">RFC3491</abbr>] <span class="authorgroup"><span class="firstname">P.</span> <span class="surname">Hoffman</span> and <span class="firstname">M.</span> <span class="surname">Blanchet</span>. </span><span class="title"><i>Nameprep: A Stringprep Profile for Internationalized Domain Names</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596146"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
+<a name="id2601998"></a><p>[<abbr class="abbrev">RFC3492</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Costello</span>. </span><span class="title"><i>Punycode: A Bootstring encoding of Unicode
                        for Internationalized Domain Names in
                        Applications (IDNA)</i>. </span><span class="pubdate">March 2003. </span></p>
 </div>
@@ -489,47 +487,47 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2596190"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
+<a name="id2602043"></a><p>[<abbr class="abbrev">RFC1464</abbr>] <span class="author"><span class="firstname">R.</span> <span class="surname">Rosenbaum</span>. </span><span class="title"><i>Using the Domain Name System To Store Arbitrary String
                   Attributes</i>. </span><span class="pubdate">May 1993. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596213"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
+<a name="id2602066"></a><p>[<abbr class="abbrev">RFC1713</abbr>] <span class="author"><span class="firstname">A.</span> <span class="surname">Romao</span>. </span><span class="title"><i>Tools for <acronym class="acronym">DNS</acronym> Debugging</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596238"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
+<a name="id2602091"></a><p>[<abbr class="abbrev">RFC1794</abbr>] <span class="author"><span class="firstname">T.</span> <span class="surname">Brisco</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Support for Load
                   Balancing</i>. </span><span class="pubdate">April 1995. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596332"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
+<a name="id2602117"></a><p>[<abbr class="abbrev">RFC2240</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Legal Basis for Domain Name Allocation</i>. </span><span class="pubdate">November 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596356"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602140"></a><p>[<abbr class="abbrev">RFC2345</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>, <span class="firstname">T.</span> <span class="surname">Wolf</span>, and <span class="firstname">G.</span> <span class="surname">Oglesby</span>. </span><span class="title"><i>Domain Names and Company Name Retrieval</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596402"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
+<a name="id2602186"></a><p>[<abbr class="abbrev">RFC2352</abbr>] <span class="author"><span class="firstname">O.</span> <span class="surname">Vaughan</span>. </span><span class="title"><i>A Convention For Using Legal Names as Domain Names</i>. </span><span class="pubdate">May 1998. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596425"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
+<a name="id2602210"></a><p>[<abbr class="abbrev">RFC3071</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Klensin</span>. </span><span class="title"><i>Reflections on the DNS, RFC 1591, and Categories of Domains</i>. </span><span class="pubdate">February 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596452"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
+<a name="id2602236"></a><p>[<abbr class="abbrev">RFC3258</abbr>] <span class="authorgroup"><span class="firstname">T.</span> <span class="surname">Hardie</span>. </span><span class="title"><i>Distributing Authoritative Name Servers via
                        Shared Unicast Addresses</i>. </span><span class="pubdate">April 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596477"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
+<a name="id2602262"></a><p>[<abbr class="abbrev">RFC3901</abbr>] <span class="authorgroup"><span class="firstname">A.</span> <span class="surname">Durand</span> and <span class="firstname">J.</span> <span class="surname">Ihren</span>. </span><span class="title"><i>DNS IPv6 Transport Operational Guidelines</i>. </span><span class="pubdate">September 2004. </span></p>
 </div>
 </div>
 <div class="bibliodiv">
 <h3 class="title">Obsolete and Unimplemented Experimental RFC</h3>
 <div class="biblioentry">
-<a name="id2596521"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
+<a name="id2602306"></a><p>[<abbr class="abbrev">RFC1712</abbr>] <span class="authorgroup"><span class="firstname">C.</span> <span class="surname">Farrell</span>, <span class="firstname">M.</span> <span class="surname">Schulze</span>, <span class="firstname">S.</span> <span class="surname">Pleitner</span>, and <span class="firstname">D.</span> <span class="surname">Baldoni</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> Encoding of Geographical
                   Location</i>. </span><span class="pubdate">November 1994. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596579"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
+<a name="id2602363"></a><p>[<abbr class="abbrev">RFC2673</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span>. </span><span class="title"><i>Binary Labels in the Domain Name System</i>. </span><span class="pubdate">August 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596605"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
+<a name="id2602390"></a><p>[<abbr class="abbrev">RFC2874</abbr>] <span class="authorgroup"><span class="firstname">M.</span> <span class="surname">Crawford</span> and <span class="firstname">C.</span> <span class="surname">Huitema</span>. </span><span class="title"><i>DNS Extensions to Support IPv6 Address Aggregation
                        and Renumbering</i>. </span><span class="pubdate">July 2000. </span></p>
 </div>
 </div>
@@ -543,39 +541,39 @@
                 </p>
 </div>
 <div class="biblioentry">
-<a name="id2596653"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
+<a name="id2602438"></a><p>[<abbr class="abbrev">RFC2065</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span> and <span class="firstname">C.</span> <span class="surname">Kaufman</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">January 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596693"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
+<a name="id2602477"></a><p>[<abbr class="abbrev">RFC2137</abbr>] <span class="author"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Secure Domain Name System Dynamic Update</i>. </span><span class="pubdate">April 1997. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596720"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
+<a name="id2602504"></a><p>[<abbr class="abbrev">RFC2535</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Eastlake</span>, <span class="lineage">3rd</span>. </span><span class="title"><i>Domain Name System Security Extensions</i>. </span><span class="pubdate">March 1999. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596818"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
+<a name="id2602534"></a><p>[<abbr class="abbrev">RFC3008</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span>. </span><span class="title"><i>Domain Name System Security (DNSSEC)
                        Signing Authority</i>. </span><span class="pubdate">November 2000. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596843"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
+<a name="id2602560"></a><p>[<abbr class="abbrev">RFC3090</abbr>] <span class="authorgroup"><span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>DNS Security Extension Clarification on Zone Status</i>. </span><span class="pubdate">March 2001. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596870"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
+<a name="id2602586"></a><p>[<abbr class="abbrev">RFC3445</abbr>] <span class="authorgroup"><span class="firstname">D.</span> <span class="surname">Massey</span> and <span class="firstname">S.</span> <span class="surname">Rose</span>. </span><span class="title"><i>Limiting the Scope of the KEY Resource Record (RR)</i>. </span><span class="pubdate">December 2002. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596906"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
+<a name="id2602691"></a><p>[<abbr class="abbrev">RFC3655</abbr>] <span class="authorgroup"><span class="firstname">B.</span> <span class="surname">Wellington</span> and <span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Redefinition of DNS Authenticated Data (AD) bit</i>. </span><span class="pubdate">November 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596942"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
+<a name="id2602727"></a><p>[<abbr class="abbrev">RFC3658</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Gudmundsson</span>. </span><span class="title"><i>Delegation Signer (DS) Resource Record (RR)</i>. </span><span class="pubdate">December 2003. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596969"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
+<a name="id2602754"></a><p>[<abbr class="abbrev">RFC3755</abbr>] <span class="authorgroup"><span class="firstname">S.</span> <span class="surname">Weiler</span>. </span><span class="title"><i>Legacy Resolver Compatibility for Delegation Signer (DS)</i>. </span><span class="pubdate">May 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2596996"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
+<a name="id2602780"></a><p>[<abbr class="abbrev">RFC3757</abbr>] <span class="authorgroup"><span class="firstname">O.</span> <span class="surname">Kolkman</span>, <span class="firstname">J.</span> <span class="surname">Schlyter</span>, and <span class="firstname">E.</span> <span class="surname">Lewis</span>. </span><span class="title"><i>Domain Name System KEY (DNSKEY) Resource Record
                       (RR) Secure Entry Point (SEP) Flag</i>. </span><span class="pubdate">April 2004. </span></p>
 </div>
 <div class="biblioentry">
-<a name="id2597041"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
+<a name="id2602825"></a><p>[<abbr class="abbrev">RFC3845</abbr>] <span class="authorgroup"><span class="firstname">J.</span> <span class="surname">Schlyter</span>. </span><span class="title"><i>DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format</i>. </span><span class="pubdate">August 2004. </span></p>
 </div>
 </div>
 </div>
@@ -596,14 +594,14 @@
 </div>
 <div class="sect2" lang="en">
 <div class="titlepage"><div><div><h3 class="title">
-<a name="id2597082"></a>Other Documents About <acronym class="acronym">BIND</acronym>
+<a name="id2602867"></a>Other Documents About <acronym class="acronym">BIND</acronym>
 </h3></div></div></div>
 <p></p>
 <div class="bibliography">
 <div class="titlepage"><div><div><h4 class="title">
-<a name="id2597092"></a>Bibliography</h4></div></div></div>
+<a name="id2602876"></a>Bibliography</h4></div></div></div>
 <div class="biblioentry">
-<a name="id2597094"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
+<a name="id2602878"></a><p><span class="authorgroup"><span class="firstname">Paul</span> <span class="surname">Albitz</span> and <span class="firstname">Cricket</span> <span class="surname">Liu</span>. </span><span class="title"><i><acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></i>. </span><span class="copyright">Copyright © 1998 Sebastopol, CA: O'Reilly and Associates. </span></p>
 </div>
 </div>
 </div>
diff --git a/doc/arm/Bv9ARM.ch10.html b/doc/arm/Bv9ARM.ch10.html
index 892ab16..5fbeb3d 100644
--- a/doc/arm/Bv9ARM.ch10.html
+++ b/doc/arm/Bv9ARM.ch10.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.ch10.html,v 1.2.2.9 2008/05/24 01:31:12 tbox Exp $ -->
+<!-- $Id: Bv9ARM.ch10.html,v 1.11.14.1 2009/01/08 01:51:00 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -55,6 +55,12 @@
 <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
 <span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
@@ -70,6 +76,9 @@
 <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
+</dt>
+<dt>
 <span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 <dt>
diff --git a/doc/arm/Bv9ARM.html b/doc/arm/Bv9ARM.html
index 6de42bc..2349940 100644
--- a/doc/arm/Bv9ARM.html
+++ b/doc/arm/Bv9ARM.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: Bv9ARM.html,v 1.85.18.82 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: Bv9ARM.html,v 1.193.14.5 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -41,7 +41,7 @@
 <div>
 <div><h1 class="title">
 <a name="id2563174"></a>BIND 9 Administrator Reference Manual</h1></div>
-<div><p class="copyright">Copyright © 2004-2008 Internet Systems Consortium, Inc. ("ISC")</p></div>
+<div><p class="copyright">Copyright © 2004-2009 Internet Systems Consortium, Inc. ("ISC")</p></div>
 <div><p class="copyright">Copyright © 2000-2003 Internet Software Consortium.</p></div>
 </div>
 <hr>
@@ -51,39 +51,39 @@
 <dl>
 <dt><span class="chapter"><a href="Bv9ARM.ch01.html">1. Introduction</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563405">Scope of Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564385">Organization of This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564524">Conventions Used in This Document</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564637">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2563409">Scope of Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564388">Organization of This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564528">Conventions Used in This Document</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch01.html#id2564641">The Domain Name System (<acronym class="acronym">DNS</acronym>)</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564659">DNS Fundamentals</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564693">Domains and Domain Names</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564845">Zones</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567243">Authoritative Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567416">Caching Name Servers</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567546">Name Servers in Multiple Roles</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564662">DNS Fundamentals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2564696">Domains and Domain Names</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567170">Zones</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567246">Authoritative Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567419">Caching Name Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch01.html#id2567549">Name Servers in Multiple Roles</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch02.html">2. <acronym class="acronym">BIND</acronym> Resource Requirements</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567580">Hardware requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567607">CPU Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567620">Memory Requirements</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567851">Name Server Intensive Environment Issues</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567862">Supported Operating Systems</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567584">Hardware requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567610">CPU Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567623">Memory Requirements</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567854">Name Server Intensive Environment Issues</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch02.html#id2567865">Supported Operating Systems</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch03.html">3. Name Server Configuration</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch03.html#sample_configuration">Sample Configurations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567894">A Caching-only Name Server</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567910">An Authoritative-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567897">A Caching-only Name Server</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2567913">An Authoritative-only Name Server</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568001">Load Balancing</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568423">Name Server Operations</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568004">Load Balancing</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch03.html#id2568358">Name Server Operations</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568428">Tools for Use With the Name Server Daemon</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570142">Signals</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2568363">Tools for Use With the Name Server Daemon</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch03.html#id2570071">Signals</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch04.html">4. Advanced DNS Features</a></span></dt>
@@ -92,34 +92,34 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#dynamic_update">Dynamic Update</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#journal">The journal file</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#incremental_zone_transfers">Incremental Zone Transfers (IXFR)</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2570600">Split DNS</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570618">Example split DNS setup</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2564066">Split DNS</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2564084">Example split DNS setup</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#tsig">TSIG</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2570985">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571127">Copying the Shared Secret to Both Machines</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571138">Informing the Servers of the Key's Existence</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571177">Instructing the Server to Use the Key</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571303">TSIG Key Based Access Control</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571416">Errors</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571141">Generate Shared Keys for Each Pair of Hosts</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571214">Copying the Shared Secret to Both Machines</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571225">Informing the Servers of the Key's Existence</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571268">Instructing the Server to Use the Key</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571325">TSIG Key Based Access Control</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571510">Errors</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571430">TKEY</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571547">SIG(0)</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571524">TKEY</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571709">SIG(0)</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch04.html#DNSSEC">DNSSEC</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571684">Generating Keys</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571753">Signing the Zone</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571832">Configuring Servers</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571778">Generating Keys</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2571925">Signing the Zone</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572006">Configuring Servers</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2571975">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch04.html#id2572220">IPv6 Support in <acronym class="acronym">BIND</acronym> 9</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572173">Address Lookups Using AAAA Records</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572195">Address to Name Lookups Using Nibble Format</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572282">Address Lookups Using AAAA Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch04.html#id2572304">Address to Name Lookups Using Nibble Format</a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch05.html">5. The <acronym class="acronym">BIND</acronym> 9 Lightweight Resolver</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572228">The Lightweight Resolver Library</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch05.html#id2572337">The Lightweight Resolver Library</a></span></dt>
 <dt><span class="sect1"><a href="Bv9ARM.ch05.html#lwresd">Running a Resolver Daemon</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch06.html">6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference</a></span></dt>
@@ -127,83 +127,88 @@
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#configuration_file_elements">Configuration File Elements</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#address_match_lists">Address Match Lists</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573436">Comment Syntax</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2573716">Comment Syntax</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch06.html#Configuration_File_Grammar">Configuration File Grammar</a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574117"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574346"><span><strong class="command">acl</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#acl"><span><strong class="command">acl</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574307"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574536"><span><strong class="command">controls</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#controls_statement_definition_and_usage"><span><strong class="command">controls</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574736"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574753"><span><strong class="command">include</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574965"><span><strong class="command">include</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574982"><span><strong class="command">include</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574776"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574800"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2574958"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575084"><span><strong class="command">logging</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575005"><span><strong class="command">key</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575029"><span><strong class="command">key</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575120"><span><strong class="command">logging</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2575245"><span><strong class="command">logging</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576435"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576508"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576572"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576616"><span><strong class="command">masters</strong></span> Statement Definition and
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577306"><span><strong class="command">lwres</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577448"><span><strong class="command">lwres</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577512"><span><strong class="command">masters</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577556"><span><strong class="command">masters</strong></span> Statement Definition and
           Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2576631"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2577571"><span><strong class="command">options</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#options"><span><strong class="command">options</strong></span> Statement Definition and
           Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_grammar"><span><strong class="command">server</strong></span> Statement Grammar</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#server_statement_definition_and_usage"><span><strong class="command">server</strong></span> Statement Definition and
             Usage</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585614"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585666"><span><strong class="command">trusted-keys</strong></span> Statement Definition
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#statschannels"><span><strong class="command">statistics-channels</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586754"><span><strong class="command">statistics-channels</strong></span> Statement Definition and
+            Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586908"><span><strong class="command">trusted-keys</strong></span> Statement Grammar</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2586960"><span><strong class="command">trusted-keys</strong></span> Statement Definition
             and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#view_statement_grammar"><span><strong class="command">view</strong></span> Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2585748"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587042"><span><strong class="command">view</strong></span> Statement Definition and Usage</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zone_statement_grammar"><span><strong class="command">zone</strong></span>
             Statement Grammar</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2587332"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2588510"><span><strong class="command">zone</strong></span> Statement Definition and Usage</a></span></dt>
 </dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2589477">Zone File</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#id2591109">Zone File</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#types_of_resource_records_and_when_to_use_them">Types of Resource Records and When to Use Them</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2591500">Discussion of MX Records</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593203">Discussion of MX Records</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#Setting_TTLs">Setting TTLs</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592188">Inverse Mapping in IPv4</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592384">Other Zone File Directives</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2592572"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2593886">Inverse Mapping in IPv4</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594013">Other Zone File Directives</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch06.html#id2594270"><acronym class="acronym">BIND</acronym> Master File Extension: the  <span><strong class="command">$GENERATE</strong></span> Directive</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch06.html#zonefile_format">Additional File Formats</a></span></dt>
 </dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch06.html#statistics">BIND9 Statistics</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch06.html#statistics_counters">Statistics Counters</a></span></dt></dl></dd>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch07.html">7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</a></span></dt>
 <dd><dl>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593181"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2598893"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
 <dd><dl>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593326">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593386">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2598974">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599034">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 </dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
 </dl></dd>
 <dt><span class="chapter"><a href="Bv9ARM.ch08.html">8. Troubleshooting</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593466">Common Problems</a></span></dt>
-<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2593472">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593483">Incrementing and Changing the Serial Number</a></span></dt>
-<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2593500">Where Can I Get Help?</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599251">Common Problems</a></span></dt>
+<dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch08.html#id2599324">It's not working; how can I figure out what's wrong?</a></span></dt></dl></dd>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599336">Incrementing and Changing the Serial Number</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch08.html#id2599353">Where Can I Get Help?</a></span></dt>
 </dl></dd>
 <dt><span class="appendix"><a href="Bv9ARM.ch09.html">A. Appendices</a></span></dt>
 <dd><dl>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593630">Acknowledgments</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599415">Acknowledgments</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#historical_dns_information">A Brief History of the <acronym class="acronym">DNS</acronym> and <acronym class="acronym">BIND</acronym></a></span></dt></dl></dd>
-<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2593802">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
+<dt><span class="sect1"><a href="Bv9ARM.ch09.html#id2599587">General <acronym class="acronym">DNS</acronym> Reference Information</a></span></dt>
 <dd><dl><dt><span class="sect2"><a href="Bv9ARM.ch09.html#ipv6addresses">IPv6 addresses (AAAA)</a></span></dt></dl></dd>
 <dt><span class="sect1"><a href="Bv9ARM.ch09.html#bibliography">Bibliography (and Suggested Reading)</a></span></dt>
 <dd><dl>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#rfcs">Request for Comments (RFCs)</a></span></dt>
 <dt><span class="sect2"><a href="Bv9ARM.ch09.html#internet_drafts">Internet Drafts</a></span></dt>
-<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2597082">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
+<dt><span class="sect2"><a href="Bv9ARM.ch09.html#id2602867">Other Documents About <acronym class="acronym">BIND</acronym></a></span></dt>
 </dl></dd>
 </dl></dd>
 <dt><span class="reference"><a href="Bv9ARM.ch10.html">I. Manual pages</a></span></dt>
@@ -215,6 +220,12 @@
 <span class="refentrytitle"><a href="man.host.html">host</a></span><span class="refpurpose"> &#8212; DNS lookup utility</span>
 </dt>
 <dt>
+<span class="refentrytitle"><a href="man.dnssec-dsfromkey.html"><span class="application">dnssec-dsfromkey</span></a></span><span class="refpurpose"> &#8212; DNSSEC DS RR generation tool</span>
+</dt>
+<dt>
+<span class="refentrytitle"><a href="man.dnssec-keyfromlabel.html"><span class="application">dnssec-keyfromlabel</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
+</dt>
+<dt>
 <span class="refentrytitle"><a href="man.dnssec-keygen.html"><span class="application">dnssec-keygen</span></a></span><span class="refpurpose"> &#8212; DNSSEC key generation tool</span>
 </dt>
 <dt>
@@ -230,6 +241,9 @@
 <span class="refentrytitle"><a href="man.named.html"><span class="application">named</span></a></span><span class="refpurpose"> &#8212; Internet domain name server</span>
 </dt>
 <dt>
+<span class="refentrytitle"><a href="man.nsupdate.html"><span class="application">nsupdate</span></a></span><span class="refpurpose"> &#8212; Dynamic DNS update utility</span>
+</dt>
+<dt>
 <span class="refentrytitle"><a href="man.rndc.html"><span class="application">rndc</span></a></span><span class="refpurpose"> &#8212; name server control utility</span>
 </dt>
 <dt>
diff --git a/doc/arm/Bv9ARM.pdf b/doc/arm/Bv9ARM.pdf
index 2963745..b56a05d 100644
--- a/doc/arm/Bv9ARM.pdf
+++ b/doc/arm/Bv9ARM.pdf
@@ -621,389 +621,455 @@ endobj
 << /S /GoTo /D (subsubsection.6.2.16.18) >>
 endobj
 420 0 obj
-(6.2.16.18 The Statistics File)
+(6.2.16.18 Additional Section Caching)
 endobj
 421 0 obj
-<< /S /GoTo /D (subsubsection.6.2.16.19) >>
+<< /S /GoTo /D (subsection.6.2.17) >>
 endobj
 424 0 obj
-(6.2.16.19 Additional Section Caching)
+(6.2.17 statistics-channels Statement Grammar)
 endobj
 425 0 obj
-<< /S /GoTo /D (subsection.6.2.17) >>
+<< /S /GoTo /D (subsection.6.2.18) >>
 endobj
 428 0 obj
-(6.2.17 server Statement Grammar)
+(6.2.18 statistics-channels Statement Definition and Usage)
 endobj
 429 0 obj
-<< /S /GoTo /D (subsection.6.2.18) >>
+<< /S /GoTo /D (subsection.6.2.19) >>
 endobj
 432 0 obj
-(6.2.18 server Statement Definition and Usage)
+(6.2.19 server Statement Grammar)
 endobj
 433 0 obj
-<< /S /GoTo /D (subsection.6.2.19) >>
+<< /S /GoTo /D (subsection.6.2.20) >>
 endobj
 436 0 obj
-(6.2.19 trusted-keys Statement Grammar)
+(6.2.20 server Statement Definition and Usage)
 endobj
 437 0 obj
-<< /S /GoTo /D (subsection.6.2.20) >>
+<< /S /GoTo /D (subsection.6.2.21) >>
 endobj
 440 0 obj
-(6.2.20 trusted-keys Statement Definition and Usage)
+(6.2.21 trusted-keys Statement Grammar)
 endobj
 441 0 obj
-<< /S /GoTo /D (subsection.6.2.21) >>
+<< /S /GoTo /D (subsection.6.2.22) >>
 endobj
 444 0 obj
-(6.2.21 view Statement Grammar)
+(6.2.22 trusted-keys Statement Definition and Usage)
 endobj
 445 0 obj
-<< /S /GoTo /D (subsection.6.2.22) >>
+<< /S /GoTo /D (subsection.6.2.23) >>
 endobj
 448 0 obj
-(6.2.22 view Statement Definition and Usage)
+(6.2.23 view Statement Grammar)
 endobj
 449 0 obj
-<< /S /GoTo /D (subsection.6.2.23) >>
+<< /S /GoTo /D (subsection.6.2.24) >>
 endobj
 452 0 obj
-(6.2.23 zone Statement Grammar)
+(6.2.24 view Statement Definition and Usage)
 endobj
 453 0 obj
-<< /S /GoTo /D (subsection.6.2.24) >>
+<< /S /GoTo /D (subsection.6.2.25) >>
 endobj
 456 0 obj
-(6.2.24 zone Statement Definition and Usage)
+(6.2.25 zone Statement Grammar)
 endobj
 457 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.1) >>
+<< /S /GoTo /D (subsection.6.2.26) >>
 endobj
 460 0 obj
-(6.2.24.1 Zone Types)
+(6.2.26 zone Statement Definition and Usage)
 endobj
 461 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.2) >>
+<< /S /GoTo /D (subsubsection.6.2.26.1) >>
 endobj
 464 0 obj
-(6.2.24.2 Class)
+(6.2.26.1 Zone Types)
 endobj
 465 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.3) >>
+<< /S /GoTo /D (subsubsection.6.2.26.2) >>
 endobj
 468 0 obj
-(6.2.24.3 Zone Options)
+(6.2.26.2 Class)
 endobj
 469 0 obj
-<< /S /GoTo /D (subsubsection.6.2.24.4) >>
+<< /S /GoTo /D (subsubsection.6.2.26.3) >>
 endobj
 472 0 obj
-(6.2.24.4 Dynamic Update Policies)
+(6.2.26.3 Zone Options)
 endobj
 473 0 obj
-<< /S /GoTo /D (section.6.3) >>
+<< /S /GoTo /D (subsubsection.6.2.26.4) >>
 endobj
 476 0 obj
-(6.3 Zone File)
+(6.2.26.4 Dynamic Update Policies)
 endobj
 477 0 obj
-<< /S /GoTo /D (subsection.6.3.1) >>
+<< /S /GoTo /D (section.6.3) >>
 endobj
 480 0 obj
-(6.3.1 Types of Resource Records and When to Use Them)
+(6.3 Zone File)
 endobj
 481 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.1) >>
+<< /S /GoTo /D (subsection.6.3.1) >>
 endobj
 484 0 obj
-(6.3.1.1 Resource Records)
+(6.3.1 Types of Resource Records and When to Use Them)
 endobj
 485 0 obj
-<< /S /GoTo /D (subsubsection.6.3.1.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.1) >>
 endobj
 488 0 obj
-(6.3.1.2 Textual expression of RRs)
+(6.3.1.1 Resource Records)
 endobj
 489 0 obj
-<< /S /GoTo /D (subsection.6.3.2) >>
+<< /S /GoTo /D (subsubsection.6.3.1.2) >>
 endobj
 492 0 obj
-(6.3.2 Discussion of MX Records)
+(6.3.1.2 Textual expression of RRs)
 endobj
 493 0 obj
-<< /S /GoTo /D (subsection.6.3.3) >>
+<< /S /GoTo /D (subsection.6.3.2) >>
 endobj
 496 0 obj
-(6.3.3 Setting TTLs)
+(6.3.2 Discussion of MX Records)
 endobj
 497 0 obj
-<< /S /GoTo /D (subsection.6.3.4) >>
+<< /S /GoTo /D (subsection.6.3.3) >>
 endobj
 500 0 obj
-(6.3.4 Inverse Mapping in IPv4)
+(6.3.3 Setting TTLs)
 endobj
 501 0 obj
-<< /S /GoTo /D (subsection.6.3.5) >>
+<< /S /GoTo /D (subsection.6.3.4) >>
 endobj
 504 0 obj
-(6.3.5 Other Zone File Directives)
+(6.3.4 Inverse Mapping in IPv4)
 endobj
 505 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.1) >>
+<< /S /GoTo /D (subsection.6.3.5) >>
 endobj
 508 0 obj
-(6.3.5.1 The \044ORIGIN Directive)
+(6.3.5 Other Zone File Directives)
 endobj
 509 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.2) >>
+<< /S /GoTo /D (subsubsection.6.3.5.1) >>
 endobj
 512 0 obj
-(6.3.5.2 The \044INCLUDE Directive)
+(6.3.5.1 The \044ORIGIN Directive)
 endobj
 513 0 obj
-<< /S /GoTo /D (subsubsection.6.3.5.3) >>
+<< /S /GoTo /D (subsubsection.6.3.5.2) >>
 endobj
 516 0 obj
-(6.3.5.3 The \044TTL Directive)
+(6.3.5.2 The \044INCLUDE Directive)
 endobj
 517 0 obj
-<< /S /GoTo /D (subsection.6.3.6) >>
+<< /S /GoTo /D (subsubsection.6.3.5.3) >>
 endobj
 520 0 obj
-(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
+(6.3.5.3 The \044TTL Directive)
 endobj
 521 0 obj
-<< /S /GoTo /D (subsection.6.3.7) >>
+<< /S /GoTo /D (subsection.6.3.6) >>
 endobj
 524 0 obj
-(6.3.7 Additional File Formats)
+(6.3.6 BIND Master File Extension: the \044GENERATE Directive)
 endobj
 525 0 obj
-<< /S /GoTo /D (chapter.7) >>
+<< /S /GoTo /D (subsection.6.3.7) >>
 endobj
 528 0 obj
-(7 BIND 9 Security Considerations)
+(6.3.7 Additional File Formats)
 endobj
 529 0 obj
-<< /S /GoTo /D (section.7.1) >>
+<< /S /GoTo /D (section.6.4) >>
 endobj
 532 0 obj
-(7.1 Access Control Lists)
+(6.4 BIND9 Statistics)
 endobj
 533 0 obj
-<< /S /GoTo /D (section.7.2) >>
+<< /S /GoTo /D (subsubsection.6.4.0.1) >>
 endobj
 536 0 obj
-(7.2 Chroot and Setuid)
+(6.4.0.1 The Statistics File)
 endobj
 537 0 obj
-<< /S /GoTo /D (subsection.7.2.1) >>
+<< /S /GoTo /D (subsection.6.4.1) >>
 endobj
 540 0 obj
-(7.2.1 The chroot Environment)
+(6.4.1 Statistics Counters)
 endobj
 541 0 obj
-<< /S /GoTo /D (subsection.7.2.2) >>
+<< /S /GoTo /D (subsubsection.6.4.1.1) >>
 endobj
 544 0 obj
-(7.2.2 Using the setuid Function)
+(6.4.1.1 Name Server Statistics Counters)
 endobj
 545 0 obj
-<< /S /GoTo /D (section.7.3) >>
+<< /S /GoTo /D (subsubsection.6.4.1.2) >>
 endobj
 548 0 obj
-(7.3 Dynamic Update Security)
+(6.4.1.2 Zone Maintenance Statistics Counters)
 endobj
 549 0 obj
-<< /S /GoTo /D (chapter.8) >>
+<< /S /GoTo /D (subsubsection.6.4.1.3) >>
 endobj
 552 0 obj
-(8 Troubleshooting)
+(6.4.1.3 Resolver Statistics Counters)
 endobj
 553 0 obj
-<< /S /GoTo /D (section.8.1) >>
+<< /S /GoTo /D (subsubsection.6.4.1.4) >>
 endobj
 556 0 obj
-(8.1 Common Problems)
+(6.4.1.4 Compatibility with BIND 8 Counters)
 endobj
 557 0 obj
-<< /S /GoTo /D (subsection.8.1.1) >>
+<< /S /GoTo /D (chapter.7) >>
 endobj
 560 0 obj
-(8.1.1 It's not working; how can I figure out what's wrong?)
+(7 BIND 9 Security Considerations)
 endobj
 561 0 obj
-<< /S /GoTo /D (section.8.2) >>
+<< /S /GoTo /D (section.7.1) >>
 endobj
 564 0 obj
-(8.2 Incrementing and Changing the Serial Number)
+(7.1 Access Control Lists)
 endobj
 565 0 obj
-<< /S /GoTo /D (section.8.3) >>
+<< /S /GoTo /D (section.7.2) >>
 endobj
 568 0 obj
-(8.3 Where Can I Get Help?)
+(7.2 Chroot and Setuid)
 endobj
 569 0 obj
-<< /S /GoTo /D (appendix.A) >>
+<< /S /GoTo /D (subsection.7.2.1) >>
 endobj
 572 0 obj
-(A Appendices)
+(7.2.1 The chroot Environment)
 endobj
 573 0 obj
-<< /S /GoTo /D (section.A.1) >>
+<< /S /GoTo /D (subsection.7.2.2) >>
 endobj
 576 0 obj
-(A.1 Acknowledgments)
+(7.2.2 Using the setuid Function)
 endobj
 577 0 obj
-<< /S /GoTo /D (subsection.A.1.1) >>
+<< /S /GoTo /D (section.7.3) >>
 endobj
 580 0 obj
-(A.1.1 A Brief History of the DNS and BIND)
+(7.3 Dynamic Update Security)
 endobj
 581 0 obj
-<< /S /GoTo /D (section.A.2) >>
+<< /S /GoTo /D (chapter.8) >>
 endobj
 584 0 obj
-(A.2 General DNS Reference Information)
+(8 Troubleshooting)
 endobj
 585 0 obj
-<< /S /GoTo /D (subsection.A.2.1) >>
+<< /S /GoTo /D (section.8.1) >>
 endobj
 588 0 obj
-(A.2.1 IPv6 addresses \(AAAA\))
+(8.1 Common Problems)
 endobj
 589 0 obj
-<< /S /GoTo /D (section.A.3) >>
+<< /S /GoTo /D (subsection.8.1.1) >>
 endobj
 592 0 obj
-(A.3 Bibliography \(and Suggested Reading\))
+(8.1.1 It's not working; how can I figure out what's wrong?)
 endobj
 593 0 obj
-<< /S /GoTo /D (subsection.A.3.1) >>
+<< /S /GoTo /D (section.8.2) >>
 endobj
 596 0 obj
-(A.3.1 Request for Comments \(RFCs\))
+(8.2 Incrementing and Changing the Serial Number)
 endobj
 597 0 obj
-<< /S /GoTo /D (subsection.A.3.2) >>
+<< /S /GoTo /D (section.8.3) >>
 endobj
 600 0 obj
-(A.3.2 Internet Drafts)
+(8.3 Where Can I Get Help?)
 endobj
 601 0 obj
-<< /S /GoTo /D (subsection.A.3.3) >>
+<< /S /GoTo /D (appendix.A) >>
 endobj
 604 0 obj
-(A.3.3 Other Documents About BIND)
+(A Appendices)
 endobj
 605 0 obj
-<< /S /GoTo /D (appendix.B) >>
+<< /S /GoTo /D (section.A.1) >>
 endobj
 608 0 obj
-(B Manual pages)
+(A.1 Acknowledgments)
 endobj
 609 0 obj
-<< /S /GoTo /D (section.B.1) >>
+<< /S /GoTo /D (subsection.A.1.1) >>
 endobj
 612 0 obj
-(B.1 dig)
+(A.1.1 A Brief History of the DNS and BIND)
 endobj
 613 0 obj
-<< /S /GoTo /D (section.B.2) >>
+<< /S /GoTo /D (section.A.2) >>
 endobj
 616 0 obj
-(B.2 host)
+(A.2 General DNS Reference Information)
 endobj
 617 0 obj
-<< /S /GoTo /D (section.B.3) >>
+<< /S /GoTo /D (subsection.A.2.1) >>
 endobj
 620 0 obj
-(B.3 dnssec-keygen)
+(A.2.1 IPv6 addresses \(AAAA\))
 endobj
 621 0 obj
-<< /S /GoTo /D (section.B.4) >>
+<< /S /GoTo /D (section.A.3) >>
 endobj
 624 0 obj
-(B.4 dnssec-signzone)
+(A.3 Bibliography \(and Suggested Reading\))
 endobj
 625 0 obj
-<< /S /GoTo /D (section.B.5) >>
+<< /S /GoTo /D (subsection.A.3.1) >>
 endobj
 628 0 obj
-(B.5 named-checkconf)
+(A.3.1 Request for Comments \(RFCs\))
 endobj
 629 0 obj
-<< /S /GoTo /D (section.B.6) >>
+<< /S /GoTo /D (subsection.A.3.2) >>
 endobj
 632 0 obj
-(B.6 named-checkzone)
+(A.3.2 Internet Drafts)
 endobj
 633 0 obj
-<< /S /GoTo /D (section.B.7) >>
+<< /S /GoTo /D (subsection.A.3.3) >>
 endobj
 636 0 obj
-(B.7 named)
+(A.3.3 Other Documents About BIND)
 endobj
 637 0 obj
-<< /S /GoTo /D (section.B.8) >>
+<< /S /GoTo /D (appendix.B) >>
 endobj
 640 0 obj
-(B.8 rndc)
+(B Manual pages)
 endobj
 641 0 obj
-<< /S /GoTo /D (section.B.9) >>
+<< /S /GoTo /D (section.B.1) >>
 endobj
 644 0 obj
-(B.9 rndc.conf)
+(B.1 dig)
 endobj
 645 0 obj
-<< /S /GoTo /D (section.B.10) >>
+<< /S /GoTo /D (section.B.2) >>
 endobj
 648 0 obj
-(B.10 rndc-confgen)
+(B.2 host)
 endobj
 649 0 obj
-<< /S /GoTo /D [650 0 R  /FitH ] >>
+<< /S /GoTo /D (section.B.3) >>
+endobj
+652 0 obj
+(B.3 dnssec-dsfromkey)
+endobj
+653 0 obj
+<< /S /GoTo /D (section.B.4) >>
+endobj
+656 0 obj
+(B.4 dnssec-keyfromlabel)
+endobj
+657 0 obj
+<< /S /GoTo /D (section.B.5) >>
+endobj
+660 0 obj
+(B.5 dnssec-keygen)
+endobj
+661 0 obj
+<< /S /GoTo /D (section.B.6) >>
+endobj
+664 0 obj
+(B.6 dnssec-signzone)
+endobj
+665 0 obj
+<< /S /GoTo /D (section.B.7) >>
+endobj
+668 0 obj
+(B.7 named-checkconf)
+endobj
+669 0 obj
+<< /S /GoTo /D (section.B.8) >>
+endobj
+672 0 obj
+(B.8 named-checkzone)
+endobj
+673 0 obj
+<< /S /GoTo /D (section.B.9) >>
+endobj
+676 0 obj
+(B.9 named)
 endobj
-653 0 obj <<
+677 0 obj
+<< /S /GoTo /D (section.B.10) >>
+endobj
+680 0 obj
+(B.10 nsupdate)
+endobj
+681 0 obj
+<< /S /GoTo /D (section.B.11) >>
+endobj
+684 0 obj
+(B.11 rndc)
+endobj
+685 0 obj
+<< /S /GoTo /D (section.B.12) >>
+endobj
+688 0 obj
+(B.12 rndc.conf)
+endobj
+689 0 obj
+<< /S /GoTo /D (section.B.13) >>
+endobj
+692 0 obj
+(B.13 rndc-confgen)
+endobj
+693 0 obj
+<< /S /GoTo /D [694 0 R  /FitH ] >>
+endobj
+697 0 obj <<
 /Length 236       
 /Filter /FlateDecode
 >>
 stream
 xÚ��ÁJA†ïó9¶‡M'™d2s´T¥‚Beoâai·Rp·t­ïïÔÕ*êArÉÿ‘ü	�/A�}È–ՓºsžŠvíèƒ
¨B)þP+!ÃlQ¡bJÕÂwìNì1úÈP©)&>áóÚÍ®˜€-A½bEM¦pæêÍÃd¾¼[L+V?ÉcºØt»~÷ršã~[÷í¶Ú~ÝNë a¤(±ø˘’å÷9·MÿÚ<Ÿ
 endobj
-650 0 obj <<
+694 0 obj <<
 /Type /Page
-/Contents 653 0 R
-/Resources 652 0 R
+/Contents 697 0 R
+/Resources 696 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+/Parent 703 0 R
 >> endobj
-651 0 obj <<
+695 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (./isc-logo.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 660 0 R 
+/PTEX.InfoDict 704 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 255.00000000 149.00000000]
 /Resources <<
 /ProcSet [ /PDF /Text ]
 /ColorSpace <<
-/R15 661 0 R
-/R9 662 0 R
-/R11 663 0 R
-/R13 664 0 R
+/R15 705 0 R
+/R9 706 0 R
+/R11 707 0 R
+/R13 708 0 R
 >>/ExtGState <<
-/R17 665 0 R
-/R8 666 0 R
->>/Font << /R19 667 0 R >>
+/R17 709 0 R
+/R8 710 0 R
+>>/Font << /R19 711 0 R >>
 >>
-/Length 668 0 R
+/Length 712 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -1019,7 +1085,7 @@ xœu˜;“d9…ýû+®Ùe´�R©—�
lG`XËkz#†10gwÙ~6ßÉ[53}+ˆ}tI%åóäÉT½ßs*{Ö?·¿××í'¿�ûŸ?
 FÑÞIca­Ç0Ú)	¹A¿+�ÇÀº
�¸|-Tuùa>‚s:½¯•~K
“ÒÞV�׋„OÒAŠI…
�ɪÁr2Q“°Ø¨Á>.z
 ÏÆ狼eÇNdæÌdï"gK2cëÉ—GoOá8GëÏϦ:B
Àht[
 endobj
-660 0 obj
+704 0 obj
 <<
 /Producer (AFPL Ghostscript 8.51)
 /CreationDate (D:20050606145621)
@@ -1029,46 +1095,46 @@ endobj
 /Author (Douglas E. Appelt)
 >>
 endobj
-661 0 obj
-[/Separation/PANTONE#201805#20C/DeviceCMYK 669 0 R]
+705 0 obj
+[/Separation/PANTONE#201805#20C/DeviceCMYK 713 0 R]
 endobj
-662 0 obj
-[/Separation/PANTONE#207506#20C/DeviceCMYK 670 0 R]
+706 0 obj
+[/Separation/PANTONE#207506#20C/DeviceCMYK 714 0 R]
 endobj
-663 0 obj
-[/Separation/PANTONE#20301#20C/DeviceCMYK 671 0 R]
+707 0 obj
+[/Separation/PANTONE#20301#20C/DeviceCMYK 715 0 R]
 endobj
-664 0 obj
-[/Separation/PANTONE#20871#20C/DeviceCMYK 672 0 R]
+708 0 obj
+[/Separation/PANTONE#20871#20C/DeviceCMYK 716 0 R]
 endobj
-665 0 obj
+709 0 obj
 <<
 /Type /ExtGState
 /SA true
 >>
 endobj
-666 0 obj
+710 0 obj
 <<
 /Type /ExtGState
 /OPM 1
 >>
 endobj
-667 0 obj
+711 0 obj
 <<
 /BaseFont /NVXWCK#2BTrajanPro-Bold
-/FontDescriptor 673 0 R
+/FontDescriptor 717 0 R
 /Type /Font
 /FirstChar 67
 /LastChar 136
 /Widths [ 800 0 0 0 0 0 452 0 0 0 0 0 0 0 0 0 582 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 841 633 576 686 590 540 923 827 407 760]
-/Encoding 674 0 R
+/Encoding 718 0 R
 /Subtype /Type1
 >>
 endobj
-668 0 obj
+712 0 obj
 2362
 endobj
-669 0 obj
+713 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1079,7 +1145,7 @@ endobj
 stream
 xœ«N)-P0PÈ-ÍQH­HÎP
 endobj
-670 0 obj
+714 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1090,7 +1156,7 @@ endobj
 stream
 xœ«N)-P0PÈ-ÍQH­HÎP
 endobj
-671 0 obj
+715 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1101,7 +1167,7 @@ endobj
 stream
 xœ«N)-P0TÈ-ÍQH­HÎP
 endobj
-672 0 obj
+716 0 obj
 <<
 /Filter /FlateDecode
 /FunctionType 4
@@ -1112,7 +1178,7 @@ endobj
 stream
 xœ«N)-P0Ð365³TÈ-ÍQH­HÎP€Š™X ‹™›#Äô-,ŒÀüZ
 endobj
-673 0 obj
+717 0 obj
 <<
 /Type /FontDescriptor
 /FontName /NVXWCK#2BTrajanPro-Bold
@@ -1125,17 +1191,17 @@ endobj
 /StemV 138
 /MissingWidth 500
 /CharSet (/Msmall/C/Ysmall/Nsmall/Osmall/Esmall/Rsmall/S/Ssmall/I/Tsmall/Ismall/Usmall)
-/FontFile3 675 0 R
+/FontFile3 719 0 R
 >>
 endobj
-674 0 obj
+718 0 obj
 <<
 /Type /Encoding
 /BaseEncoding /WinAnsiEncoding
 /Differences [ 127/Nsmall/Tsmall/Esmall/Rsmall/Ysmall/Ssmall/Msmall/Osmall/Ismall/Usmall]
 >>
 endobj
-675 0 obj
+719 0 obj
 <<
 /Filter /FlateDecode
 /Subtype /Type1C
@@ -1158,18 +1224,18 @@ x¸
\3§gA34–ITž-‹R8õ-ǵÛö2ªWuÉ~Á!"(0Š*FÂ͢ùĨ¸SˆˆoÊQPˆ0¦šåiFäݸVN^_!Ô‚–b
 ȼLçÇ<;—*X³«¥×ÛGâ_Y1ET�ïƒ4ˆ
Ò-U…_>´üØ¢�æ}õï÷v¼
§ádù�#¹rÛŸå¥@ÔÁ\5l…hð<8Ús·
 »O·Øèv61Bá5*È<6ÞÍ,‡bh‘˜¶ž\Î]Çé#¹#ØÔÍ1Oúñ°Ï¤5oÂ]цÆß4}h˜î0$å,6ü¼”A,¯?/å;Rôcy6Ò½UJ¿§Y½X^é¶�ÙÉŸ‡‹º–�2¸K|o½Ø”/�Ȩ�/ƒ(Â2Ð#žNMKðrˆ
rœÛf9ËyZ¸Ú}$«Ö	õ–©) h`iÎGàAç÷´€H+Šˆ…Õ&*áX$žèìVŽhª”—›¾÷‡A1Ý£¤œÏ0‰÷—Hi éƒw~I(Áö2;à]¸L ™x4[¡OÜ,¾®ÆûÂQQ°”FdQ“ƒ¢�¬„%\î¢Åâ:Ó;ÈÑ”ÌEb1ž�’�¡ˆÿ§=$¸¥?Iš¿CÐõ�3¾C=VÐ'>·¯ôÌÒ+Ü~8	ç#;úÁ_£×á*qň+ô	8®‚ãÆpêŒ_YR”¾d%a	ç¡H\eÄõãDf£Ñ¨­ŽR[�kφG¸ù/WT®ò•A5”H¥ÛVoo8h�nû)¼ÞÃDn…ñ�ëqÌzfåhý&þcQbµXÇß‚çLŽúõ;{²Ðñðué¿ÊÛÙ†-©[SÄ-Û¼ÔyubÜ�ñhüm´œ4^Ë™ ääšLÿQ‹¡endstream
 endobj
-654 0 obj <<
-/D [650 0 R /XYZ 85.0394 794.5015 null]
+698 0 obj <<
+/D [694 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-655 0 obj <<
-/D [650 0 R /XYZ 85.0394 769.5949 null]
+699 0 obj <<
+/D [694 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-652 0 obj <<
-/Font << /F21 658 0 R >>
-/XObject << /Im1 651 0 R >>
+696 0 obj <<
+/Font << /F21 702 0 R >>
+/XObject << /Im1 695 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-678 0 obj <<
+722 0 obj <<
 /Length 999       
 /Filter /FlateDecode
 >>
@@ -1181,21 +1247,21 @@ xÚµV]“¢:}÷Wð¨UC6|å‘AT¶\À�ÚÚÝGq†ªQ¼‚;5ÿþ6$Qï¼lÝò!�ô±ûôI'„h~D3-dqÊ5›ÈÄÄÔÖ»

 CfIÜ(|é|
 ²™°ê&cq$á¢e¤_RÖ¨h6Sï��¼p9¢éUò`¾UË=&ñDŒs?ñfàÙÆÐ} ûÑÚ°³7[±#-»I�E~š"ÅAŒ‘äë÷!ž <ë)½%õ0pCiOâDe•éÓ…ïnø 4N|¯å¨nÛèf	B´
@029ç}=½8JýoK AeLwîNÏr\çïyŸfn“(Kc¨-Q˜.Ãvõ¬þ$‰ç²¶8ítnXa÷âÕ/S_•'·{ÐçM	b§Š‡�œôewÕèeAõwÊη'SäOÃ`êGžßÏ·‘ÛËÂ@Ô!¤¿å¢!“³¡àx™^攑Ý$HÏZÄˬO%¾¢
Ô"ÿ‚rw4Îgêmmsøá�Ðqá'Ð<s·«gòÙ©¹ù’¨73Qó4ºûSùþú¦«lºa#æ8ôþ—ˆ:ðŲٙTû]½!}N™Eï0ÿýžf�endstream
 endobj
-677 0 obj <<
+721 0 obj <<
 /Type /Page
-/Contents 678 0 R
-/Resources 676 0 R
+/Contents 722 0 R
+/Resources 720 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+/Parent 703 0 R
 >> endobj
-679 0 obj <<
-/D [677 0 R /XYZ 56.6929 794.5015 null]
+723 0 obj <<
+/D [721 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-676 0 obj <<
-/Font << /F23 682 0 R /F14 685 0 R >>
+720 0 obj <<
+/Font << /F23 726 0 R /F14 729 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-688 0 obj <<
+732 0 obj <<
 /Length 2891      
 /Filter /FlateDecode
 >>
@@ -1213,1498 +1279,1594 @@ W±ïëå*¯úoÞæ®x­]Δܫ�!$j2È�¢
 2¤PÁjÉñ&ÔX*¤÷€ŠoL–BE]*w·Ë—Š©=ÔB¿åp2LfRŒa™)Æ"qPŒ‘Þ‡¹LpæÒ—
da.;ûÞ¯3×þ¬h6wm‰¤öHßd8�!–‡‚#é ‘¥Ls
u4G]^œ¿9ž»7Vb_mS$H1•3lHp¶%µ?ô�ÅApF{ƒ�H-S\
 øƒÿÝÙ/ËuS”탙‰0ß™æ�•Éš#CJsœuJóH”æ¤÷AsiX
 M…­æ:h¾nêãô¨ý�èá·oðÐkƒ
h—#öùlk…lMf
R,`5("qP,�Þ„b‰Ð
ø˜Ž~]í»=Ãמ,Åzž%húg°º
-ÁîGÓäm2ƒÅR…Bb7ŠÊõ
-RDaYåxÏN,Š)Ò;ì]¥3"�ÃÂÖÕ�gk›uÔaëê«m‘‚S)CvdXg‚±Hb¤k ,I˜†–D·œ…Ó™ó7íÉï�å4ψ}µ

™J²#HÃz¤E‚ þåzø”¦¤ð ¥Ð¯òîââìÔ-töã)˜o•OþT¦3)$¬´ÄßxÁPáïþÌeÆÒØ'�·ªïAœ+·üR#M.ŠgÎ×3ÿ¦þ�çñç/àJàí”s®Aendstream
+ÁîGÓäm2ƒÅREŽ7XD‚ ˆ \@pÁ,tûµDÀ'/œÕ½ÊýØø@Á_™'Hûd �!E–•B*Åéö®ÒŒ‘@�aaëêdz¿µÍ:ê°uõÕ¶HA‰©”!;2¬3ÁX$1Ò5–$LCK¢[ÎÂéÌù›ödŽ÷ÇršgľڀŠL%
Ù¤a½	Ò"AP‡…r=|Ê?SRxÐRèWywqqvê:ûñÌ7ƒÊ'*Sƒ�VZâï<Ž`¨ðwæ2ciìÈÛ
Õ÷ Ε[~©‘&Å3ç�ë™SÿÀóøóp%ðö?ž­®Bendstream
 endobj
-687 0 obj <<
+731 0 obj <<
 /Type /Page
-/Contents 688 0 R
-/Resources 686 0 R
+/Contents 732 0 R
+/Resources 730 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 691 0 R 692 0 R 693 0 R 694 0 R 695 0 R 696 0 R 697 0 R 698 0 R 699 0 R 700 0 R 701 0 R 702 0 R 703 0 R 704 0 R 705 0 R 706 0 R 707 0 R 708 0 R 709 0 R 710 0 R 711 0 R 712 0 R 713 0 R 714 0 R 715 0 R 716 0 R 717 0 R 718 0 R 719 0 R 720 0 R 721 0 R 722 0 R 723 0 R 724 0 R 725 0 R 726 0 R 727 0 R 728 0 R 729 0 R 730 0 R 731 0 R 732 0 R 733 0 R 734 0 R 735 0 R 736 0 R 737 0 R 738 0 R 739 0 R 740 0 R ]
+/Parent 703 0 R
+/Annots [ 735 0 R 736 0 R 737 0 R 738 0 R 739 0 R 740 0 R 741 0 R 742 0 R 743 0 R 744 0 R 745 0 R 746 0 R 747 0 R 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R ]
 >> endobj
-691 0 obj <<
+735 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 688.709 539.579 697.2967]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.1) >>
 >> endobj
-692 0 obj <<
+736 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 676.5858 539.579 685.4425]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.1) >>
 >> endobj
-693 0 obj <<
+737 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 664.4876 539.579 673.3442]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.2) >>
 >> endobj
-694 0 obj <<
+738 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 652.3894 539.579 661.246]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.3) >>
 >> endobj
-695 0 obj <<
+739 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 640.1914 539.579 649.1477]
 /Subtype /Link
 /A << /S /GoTo /D (section.1.4) >>
 >> endobj
-696 0 obj <<
+740 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 628.0932 539.579 637.0495]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.1) >>
 >> endobj
-697 0 obj <<
+741 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 615.995 539.579 624.9512]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.2) >>
 >> endobj
-698 0 obj <<
+742 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 603.8967 539.579 612.853]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.3) >>
 >> endobj
-699 0 obj <<
+743 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 591.7985 539.579 600.7547]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.4) >>
 >> endobj
-700 0 obj <<
+744 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 579.7002 539.579 588.6565]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.1) >>
 >> endobj
-701 0 obj <<
+745 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 567.6019 539.579 576.5582]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.2) >>
 >> endobj
-702 0 obj <<
+746 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [532.6051 555.5037 539.579 564.46]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.4.3) >>
 >> endobj
-703 0 obj <<
+747 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 543.4055 539.579 552.5112]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.5) >>
 >> endobj
-704 0 obj <<
+748 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 531.3072 539.579 540.413]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.1.4.5.1) >>
 >> endobj
-705 0 obj <<
+749 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 519.209 539.579 528.3147]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.1.4.6) >>
 >> endobj
-706 0 obj <<
+750 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 496.7003 539.579 505.4125]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.2) >>
 >> endobj
-707 0 obj <<
+751 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 484.5772 539.579 493.5832]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.1) >>
 >> endobj
-708 0 obj <<
+752 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 472.4789 539.579 481.485]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.2) >>
 >> endobj
-709 0 obj <<
+753 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 460.3806 539.579 469.3867]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.3) >>
 >> endobj
-710 0 obj <<
+754 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 448.2824 539.579 457.2885]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.4) >>
 >> endobj
-711 0 obj <<
+755 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 436.1841 539.579 445.1902]
 /Subtype /Link
 /A << /S /GoTo /D (section.2.5) >>
 >> endobj
-712 0 obj <<
+756 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 413.4314 539.579 422.288]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.3) >>
 >> endobj
-713 0 obj <<
+757 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 401.353 539.579 410.4588]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.1) >>
 >> endobj
-714 0 obj <<
+758 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 389.2548 539.579 398.3605]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.1.1) >>
 >> endobj
-715 0 obj <<
+759 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 377.1565 539.579 386.2623]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.1.2) >>
 >> endobj
-716 0 obj <<
+760 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 365.1579 539.579 374.164]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.2) >>
 >> endobj
-717 0 obj <<
+761 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 353.0597 539.579 362.0658]
 /Subtype /Link
 /A << /S /GoTo /D (section.3.3) >>
 >> endobj
-718 0 obj <<
+762 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 340.9614 539.579 349.9675]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.3.1) >>
 >> endobj
-719 0 obj <<
+763 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 328.7635 539.579 337.8693]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.3.3.1.1) >>
 >> endobj
-720 0 obj <<
+764 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 316.6653 539.579 325.771]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.3.3.1.2) >>
 >> endobj
-721 0 obj <<
+765 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 304.567 539.579 313.6728]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.3.3.2) >>
 >> endobj
-722 0 obj <<
+766 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 281.9139 539.579 290.7706]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.4) >>
 >> endobj
-723 0 obj <<
+767 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 269.8356 539.579 278.9413]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.1) >>
 >> endobj
-724 0 obj <<
+768 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 257.7373 539.579 266.8431]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.2) >>
 >> endobj
-725 0 obj <<
+769 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 245.6391 539.579 254.7448]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.2.1) >>
 >> endobj
-726 0 obj <<
+770 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 233.5408 539.579 242.4971]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.3) >>
 >> endobj
-727 0 obj <<
+771 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 221.4426 539.579 230.3988]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.4) >>
 >> endobj
-728 0 obj <<
+772 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 209.3443 539.579 218.3006]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.4.1) >>
 >> endobj
-729 0 obj <<
+773 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 197.2461 539.579 206.2023]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.5) >>
 >> endobj
-730 0 obj <<
+774 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 185.1478 539.579 194.1041]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.1) >>
 >> endobj
-731 0 obj <<
+775 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 173.0496 539.579 182.0058]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.4.5.1.1) >>
 >> endobj
-732 0 obj <<
+776 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 161.051 539.579 170.0571]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.4.5.1.2) >>
 >> endobj
-733 0 obj <<
+777 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 148.9527 539.579 157.9588]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.2) >>
 >> endobj
-734 0 obj <<
+778 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 136.8545 539.579 145.8606]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.3) >>
 >> endobj
-735 0 obj <<
+779 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 124.7562 539.579 133.7623]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.4) >>
 >> endobj
-736 0 obj <<
+780 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 112.658 539.579 121.6641]
+/Rect [527.6238 112.5583 539.579 121.5146]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.5) >>
 >> endobj
-737 0 obj <<
+781 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 100.4601 539.579 109.4163]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.5.6) >>
 >> endobj
-738 0 obj <<
+782 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 88.3618 539.579 97.3181]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.6) >>
 >> endobj
-739 0 obj <<
+783 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 76.2636 539.579 85.2199]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.7) >>
 >> endobj
-740 0 obj <<
+784 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 64.1653 539.579 73.1216]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.8) >>
 >> endobj
-689 0 obj <<
-/D [687 0 R /XYZ 85.0394 794.5015 null]
+733 0 obj <<
+/D [731 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-690 0 obj <<
-/D [687 0 R /XYZ 85.0394 711.9273 null]
+734 0 obj <<
+/D [731 0 R /XYZ 85.0394 711.9273 null]
 >> endobj
-686 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R >>
+730 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-743 0 obj <<
-/Length 3152      
+787 0 obj <<
+/Length 3167      
 /Filter /FlateDecode
 >>
 stream
-xÚí�[wÛ6Çßý)ôh?‹ûå1מvw“4q_¶ÛVf�J¢W’›f?ý‚"
-pdìÖÙØR{Z;1‡3žÿO’lBý¿l¢4ÑŽ»‰q’(ÊÔd¶<£“kÿ³ïÎXÌ44…G=¿<ûËka&Ž8ÍõäòãD*E¸Ú�Ìj-›\^ý|þâí›ËWo.?\ürùÃÙ«ËxVè™QÑžò_g?ÿB'W>€Î(ΪÉgÿJ˜s|²<“J%…³8ûpöc<!øéÎ4û›0J¸Ð<ó«p
~•ö‡ŠMŒrDÿ“ö‘Äv1eœÒóïêU½®¶óÕõÅ”+zþ×úËæbj5?'Såx|_¤sÚÉîJM}Ö�Ð)Ÿ{Ú¬¯'Ý7ï¡ZÁn
+xÚí�[wÛ6Çßý)ôh?‹ûå1מvw“4q_¶ÛVf�J¢W’›Í~úEZàÈØ­ÓØR{Z;1‡3žÿO’lBý¿l¢4ÑŽ»‰q’(ÊÔd¶<£“kÿ³ïÎXÌ44…G=¿<ûËka&Ž8ÍõäòãD*E¸Ú�Ìj-›\^ý|þâí›ËWo.?\ürùÃÙ«ËxVè™QÑžò_g?ÿB'W>€Î(ΪÉgÿJ˜s|²<“J%…³8ûpöc<!øéÎ4û›0J¸Ð<ó«p
~•ö‡ŠMŒrDÿ“ö‘Äv1eœÒóïêU½®¶óÕõÅ”+zþ×úËæbj5?'Såx|_¤sØÉîJM}Ö�Ð)Ÿ{Ú¬¯'Ý7ï¡ZÁn
 
÷ÕÚ?«×{qõsq`¬ Þ+ÒM©Ž¬ðž•óëUeû©î¾ùG³òߪOÄ Ä„¬1b j1™80bPï�¡ˆÒÖEbDOÌ‹fõOJùõí:ró¡^ÿ^¯Û1†‰cEe”‘�ÇbF€!ÆÔ‰›qF2q`Œ Þ
óCŽöå‘ûª&ï!qêyøþÝïº'ãöæ¦Yo»?ÌWÝ×çß¿yÙ}ç
g�w�ù*
 0ÄH�ba¤dâÀHÙóžs%–ºSÝ�¹{Cmêàªí¼Yr>Öëz5«Ç3N~ïñ`ã-Z°ñŒ�Óa™ÚóšýL1KŒéW
uo³©y=s‹W‹zY¯¶~¢˜9Ö~e”��ÒâO0Ä>YP2Œ“L/¨÷0i¥š©UÀe¼Qù{µ�}
 EyÓ¢¢
?õ´wP	é,Fb¨@¹G%†
-ê�qM¤`r¢<4†I›`Ùá"Úõ�/«mõÇÅT8uZZ½(1•¥ @C”�T(¹8Ppï	ˉ¶‚
PxÊ˺­C«yªBÕê*ô½Õu»:ÿ-Ìô¿Æ*{ÌR1Àc
-�
-ƒ$F	ê=`¢(tRæ &¿Õ_rS__‚œ!ìiÕ7漘'`ˆñ5ÅxÊÄ�ñ„z<	KM£Ž}œ�8Š>½N*¤¶˜šd‡A„ãÛò3A`È`®1ÜsbXBÆDfÑ\_·;É2…Êø!Ï©Cë9JÕnØâbt€!Æ”ƒ'Fê=àä?Üé´HŠŸ{Ltþ?»¬þ´†;䲘`ˆqµÂ8ÉÄ�q‚z�W™$å„Sã
+ê�qM¤`r¢<4†I›`Ùá"Úõ�/«mõï‹©pê´´zPb*KA�†(©Prq  àÞ(–m ð”—u[‡VóT…ªÕUè{«ëvuþ[˜é�Uö˜¥b€!Æ
+0ÄP�ra¨dâÀPA½§áBY¢™3	–S]ù_A	©,b @©0P2q`  Þ(ReSsãA9Õ•}B–Š
+àñÉu³ÎÍt$%Úš;ðHj�ªBÅô–Â
xòI:
+O.Ü{_¡„±„I	*Ôá«U‹Ïë:·ÐÇ}}Š°ŒMo¸ÒG|Ý3¦»%`ˆ¡å”ã[ðrq`(¡ÞJZ{z8(aüAP:<Ó‘Ì=¡Ñ'¤µ`ˆ!eÃ�ÉÄ�!ƒzÈ(I¨e<!søJÕ²ÚlÛûãóócéôÁþJWõ
+9.æbü@
1~2q`ü Þ?’*�Jüȇâç>ý•{ÌýUÌe1'Àãj…q’‰ãõ8í„vW‡/U57­Ô›üëÏvðR;®©MÈq1?Àãjˆñ“‰ãõøa†8«A�ÒÅÏ}.XÉG]�B.‹9
†'P+9¾q"Æ	ê=µâT§$¨H:¬ã<ošE]õ¢¾íé˜*áŽøjSLW1Àƒ
Ê!Çsq`0 Þ#Ü	â8·†~]æu³þ\uOXÙÝv.)?ÝV0d#f¯”
hˆ°1PG�”\¸÷ĆõÕÂÁÖG·OkÙxy[-¦›m5ûíÎÁÄ·wËÒ×$bªŠA
+„L¨÷‚vÄ*7¨²áÙlo…~Ñn°kÇ‹fÑ�Ó}Ï)qÅX
+¤Æo1ÉÅ�á�zOxHEŒÓâ¡;<~¼­Û‡íè¨ Œ9QóVL0Ĩ€º`TdâÀ¨@½'*„ F»ÓQÑ=…¶…âòÂÑóuµÚ|ÜM*”a',b⊱
+!e?Ìuâ„+"Í�Ew <¿�/¶Óðš“
èWæ«�»×ÄÿiVíZ¸1îQY(Öb²<¾&™‹“õž4f‚Hy§19�_-o¶_Ò;³Ú«ßÐÔÃö !IÅ
+…Óú	iÝg£Xêd‡)
s=¾Ðœ	ÓsÝŽ+Á=H‡oÖßø†À7óÙfÚßÀ–Û.çû\©ì¡'ƒøIÉ##ÆØI,eØ!l$ß•	au^MeˆP
 endobj
-742 0 obj <<
+786 0 obj <<
 /Type /Page
-/Contents 743 0 R
-/Resources 741 0 R
+/Contents 787 0 R
+/Resources 785 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 748 0 R 749 0 R 750 0 R 751 0 R 752 0 R 753 0 R 754 0 R 755 0 R 756 0 R 757 0 R 758 0 R 759 0 R 760 0 R 761 0 R 762 0 R 763 0 R 764 0 R 765 0 R 766 0 R 767 0 R 768 0 R 769 0 R 770 0 R 771 0 R 772 0 R 773 0 R 774 0 R 775 0 R 776 0 R 777 0 R 778 0 R 779 0 R 780 0 R 781 0 R 782 0 R 783 0 R 784 0 R 785 0 R 786 0 R 787 0 R 788 0 R 789 0 R 790 0 R 791 0 R 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R ]
+/Parent 703 0 R
+/Annots [ 792 0 R 793 0 R 794 0 R 795 0 R 796 0 R 797 0 R 798 0 R 799 0 R 800 0 R 801 0 R 802 0 R 803 0 R 804 0 R 805 0 R 806 0 R 807 0 R 808 0 R 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R ]
 >> endobj
-748 0 obj <<
+792 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 758.4766 511.2325 767.4329]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.1) >>
 >> endobj
-749 0 obj <<
+793 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 746.445 511.2325 755.4012]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.2) >>
 >> endobj
-750 0 obj <<
+794 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 734.5129 511.2325 743.3696]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.8.3) >>
 >> endobj
-751 0 obj <<
+795 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 722.3816 511.2325 731.3379]
 /Subtype /Link
 /A << /S /GoTo /D (section.4.9) >>
 >> endobj
-752 0 obj <<
+796 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 710.3499 511.2325 719.3062]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.9.1) >>
 >> endobj
-753 0 obj <<
+797 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 698.3182 511.2325 707.2745]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.4.9.2) >>
 >> endobj
-754 0 obj <<
+798 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 675.998 511.2325 684.7301]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.5) >>
 >> endobj
-755 0 obj <<
+799 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 663.9862 511.2325 672.9425]
 /Subtype /Link
 /A << /S /GoTo /D (section.5.1) >>
 >> endobj
-756 0 obj <<
+800 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 651.9545 511.2325 660.9108]
 /Subtype /Link
 /A << /S /GoTo /D (section.5.2) >>
 >> endobj
-757 0 obj <<
+801 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 629.6343 511.2325 638.4909]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.6) >>
 >> endobj
-758 0 obj <<
+802 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 617.6225 511.2325 626.7282]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.1) >>
 >> endobj
-759 0 obj <<
+803 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 605.5908 511.2325 614.5471]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.1.1) >>
 >> endobj
-760 0 obj <<
+804 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 593.5591 511.2325 602.5154]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.1.1) >>
 >> endobj
-761 0 obj <<
+805 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 581.5275 511.2325 590.4837]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.1.2) >>
 >> endobj
-762 0 obj <<
+806 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 569.4958 511.2325 578.4521]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.1.2) >>
 >> endobj
-763 0 obj <<
+807 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 557.4641 511.2325 566.4204]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.2.1) >>
 >> endobj
-764 0 obj <<
+808 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 545.4324 511.2325 554.3887]
+/Rect [499.2773 545.4324 511.2325 554.5382]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.1.2.2) >>
 >> endobj
-765 0 obj <<
+809 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 533.4007 511.2325 542.5065]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.2) >>
 >> endobj
-766 0 obj <<
+810 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 521.3691 511.2325 530.3254]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.1) >>
 >> endobj
-767 0 obj <<
+811 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 509.3374 511.2325 518.2937]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.2) >>
 >> endobj
-768 0 obj <<
+812 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 497.3057 511.2325 506.262]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.3) >>
 >> endobj
-769 0 obj <<
+813 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 485.274 511.2325 494.2303]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.4) >>
 >> endobj
-770 0 obj <<
+814 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 473.2424 511.2325 482.1986]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.5) >>
 >> endobj
-771 0 obj <<
+815 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 461.2107 511.2325 470.167]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.6) >>
 >> endobj
-772 0 obj <<
+816 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 449.179 511.2325 458.1353]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.7) >>
 >> endobj
-773 0 obj <<
+817 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 437.1473 511.2325 446.1036]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.8) >>
 >> endobj
-774 0 obj <<
+818 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 425.1157 511.2325 434.0719]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.9) >>
 >> endobj
-775 0 obj <<
+819 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 413.084 511.2325 422.0403]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.10) >>
 >> endobj
-776 0 obj <<
+820 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 401.0523 511.2325 410.0086]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.10.1) >>
 >> endobj
-777 0 obj <<
+821 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 389.0206 511.2325 398.1264]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.10.2) >>
 >> endobj
-778 0 obj <<
+822 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 377.0886 511.2325 386.0947]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.11) >>
 >> endobj
-779 0 obj <<
+823 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 365.0569 511.2325 374.063]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.12) >>
 >> endobj
-780 0 obj <<
+824 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 353.0252 511.2325 362.0313]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.13) >>
 >> endobj
-781 0 obj <<
+825 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 340.9936 511.2325 349.9997]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.14) >>
 >> endobj
-782 0 obj <<
+826 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 328.9619 511.2325 337.968]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.15) >>
 >> endobj
-783 0 obj <<
+827 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 316.9302 511.2325 325.9363]
+/Rect [499.2773 316.8305 511.2325 325.9363]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.16) >>
 >> endobj
-784 0 obj <<
+828 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 304.7989 511.2325 313.9046]
+/Rect [499.2773 304.8985 511.2325 313.9046]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.1) >>
 >> endobj
-785 0 obj <<
+829 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 292.7672 511.2325 301.873]
+/Rect [499.2773 292.7672 511.2325 301.7235]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.2) >>
 >> endobj
-786 0 obj <<
+830 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 280.7355 511.2325 289.8413]
+/Rect [499.2773 280.7355 511.2325 289.6918]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.3) >>
 >> endobj
-787 0 obj <<
+831 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 268.7038 511.2325 277.8096]
+/Rect [499.2773 268.7038 511.2325 277.6601]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.4) >>
 >> endobj
-788 0 obj <<
+832 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 256.6722 511.2325 265.6285]
+/Rect [499.2773 256.6722 511.2325 265.7779]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.5) >>
 >> endobj
-789 0 obj <<
+833 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 244.6405 511.2325 253.5968]
+/Rect [499.2773 244.6405 511.2325 253.7462]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.6) >>
 >> endobj
-790 0 obj <<
+834 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 232.6088 511.2325 241.7146]
+/Rect [499.2773 232.6088 511.2325 241.5651]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.7) >>
 >> endobj
-791 0 obj <<
+835 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 220.5771 511.2325 229.5334]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.8) >>
 >> endobj
-792 0 obj <<
+836 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 208.5455 511.2325 217.5017]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.9) >>
 >> endobj
-793 0 obj <<
+837 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 196.5138 511.2325 205.4701]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.10) >>
 >> endobj
-794 0 obj <<
+838 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 184.4821 511.2325 193.4384]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.11) >>
 >> endobj
-795 0 obj <<
+839 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 172.4504 511.2325 181.4067]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.12) >>
 >> endobj
-796 0 obj <<
+840 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 160.4187 511.2325 169.375]
+/Rect [499.2773 160.4187 511.2325 169.5245]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.13) >>
 >> endobj
-797 0 obj <<
+841 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 148.3871 511.2325 157.3433]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.14) >>
 >> endobj
-798 0 obj <<
+842 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 136.3554 511.2325 145.4611]
+/Rect [499.2773 136.3554 511.2325 145.3117]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.15) >>
 >> endobj
-799 0 obj <<
+843 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 124.3237 511.2325 133.28]
+/Rect [499.2773 124.3237 511.2325 133.4295]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.16) >>
 >> endobj
-800 0 obj <<
+844 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 112.292 511.2325 121.2483]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.17) >>
 >> endobj
-801 0 obj <<
+845 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [499.2773 100.2604 511.2325 109.3661]
+/Rect [499.2773 100.2604 511.2325 109.2166]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.2.16.18) >>
 >> endobj
-802 0 obj <<
+846 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 88.2287 511.2325 97.185]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.16.19) >>
+/A << /S /GoTo /D (subsection.6.2.17) >>
 >> endobj
-803 0 obj <<
+847 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 76.197 511.2325 85.1533]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.17) >>
+/A << /S /GoTo /D (subsection.6.2.18) >>
 >> endobj
-804 0 obj <<
+848 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [499.2773 64.1653 511.2325 73.1216]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.18) >>
+/A << /S /GoTo /D (subsection.6.2.19) >>
 >> endobj
-744 0 obj <<
-/D [742 0 R /XYZ 56.6929 794.5015 null]
+788 0 obj <<
+/D [786 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-741 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R >>
+785 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-807 0 obj <<
-/Length 3350      
-/Filter /FlateDecode
->>
-stream
-xÚí�Ks7€ïú<¤j¥ƒ°x€ÝÖ^v”rd¯$W¶6É�&ÇËâPáÃŽ÷×/†`š"¦%8~È�J‘’¦§›Ýß4º
Ì�õ¨û�õŒ"TXÙÓVE™ê
&;´7r{¾Ãü1ûá }xÔáåÎߟ	ݳļè]¾ç2„Ãz—Ã_w�^ž]žœ]^ìý~ùÓÎÉe<)T̨¨ÏøÇί¿ÓÞÐéÿi‡a�ê}p?P¬å½ÉŽT‚()DøÍõÎÅοã	Á_W¢©¢„!Êp�ø$\€OÂ8'Æjg�²¤îoõG)wŠëâgàpÁˆ1T:õa‹Ùr¾(‡ûïÊ�s0<·2ÄrSøƒ/ýE9)«ÅÞ>Wt÷ù¬?™ôg{ûFÒ]²·¯èx‘Ö~ŠÜ­€+nHÁ)k}º¡Ù¨×¼9‡1rûPp3f›ç_ÅLoØHÙ�ƒjo‰‘šZ³H§_”˜ãò7Jy5^Œ§Uó›~5lÞ¼ž÷GeýV<LN:
	.Ìb€¬…
$aª½D(¢9³- ìN@Þ�Ë	0¸tH«;R‰âÁ¤’Ï™_î	Spw6L@ƒi-œL	;0˜Pí-L\]¦…‰˜îÎ2…-¾?v:¡	n͆bЬ…
�&a
ª½…†9+ZhÄ�ÐüoZ•ih¨¶ú®dÌcN=wÁÜ�
Ä`Z§í†)aª=ÂTXKŒ*d“ü"0Ý��´b�gØŠnÍ…
-"Ь…M³NhRv ÐàÚ™’Dkm{…ÑÄR&
-A(2
^ñ•úôN‚«²A
-nφ
-bPÁ°bP%ìÀ BµÇá•Ib¹ôK“q£ZçÖĶ¼Õªx⋃�ÀŸf1``Ì0`v`ÀlhOuAÂÖóþÎUã» Ë=ÆØîlº|s]ίÜøUç£.÷Ä3Ü·Ù�H³³nY÷*;<âŽM­©ëG7z+?E{�£édö]¼j†iç™I=M 嶵ɾ¢‚—s/( ‡\Ok1D¸Ù4ÃS‡tQXB­¿Óø
}«µõÅß|¯\Mýíg¦³wîºúgóÓÕôCófЋíÍK}�Ú¨ÙèsötÎpÕ�§ýà«ÇÑ¿\*gæ
�·Ñ'ÙÑ‚X¸×|ŽÄ;apT{ÌJ׫ú^zUÁÕ	ã´4«‹ùXÌÅݸGWýj´VãùÁx6S’gËÉ›z†Ú™ñ
-ùè¦l€ ÆÀZv` Ú#Rfü��&Ö\¿Ô;%Ú«öèÖuý¼ôWñ�åõ�»h¥ÜŽ÷B)x;% ˆ¡´M¥„JÚ“Õ„~BüÀerÎwnnÊj8”ÝóÍQìÞ%ÀJ0hŽí^¾�§Ã|°¡5y91FªñA=‚jí¼0xWM?\—ÃQ�Rë=ðÜn+¯ü«'87ûê
‚ØÕƒ‡“°#ÕË/nëù^#:5<¶¾„šL{8—~×ô�ãùb:û¸¾•:ÄÇg·Fìf]¨ ìñ �•‹DPX‚BÊ\{H"Üh"©`žÞ$‘çeUÎB…ƒ|^¾õ#uî¶9­Þ®‚WÓe…}ZëOÑwÙ`
-.fÑJ6q8\
«ÂîÇ£G•4¿Ÿ›_c<r¯;(ˆ\wkñF KÙ�À†k�°F´µÌÃÆØ®¦u
§ô–¶¯G› …0º
È}iórûP0EÛíó×
g´»HL‚ᆪ�¸–æáj°¯S[5Ÿ—ƒúÉì£ú™<Rª-SŸ	&ïîl–Z9%LFe7I›V` aº#GJãþy�äHóñ¨Z=þÖ¡$¶ýU†‚«³!‚E0”Œv×�)C0ŽPõ$©ˆ¢ð ©¤ª?)‡ûƒ«rðn0­ÞîÕÅÛôÉg1‚`í^¡N‚„ª�	A¬6¾s©o­¼E�OEj›ƒ>� àãl‚€ FŒ!cÝI‚„ª�qN(¡áÓ€ ×[µ-»¿BÙb�Mă1f)»†`„¡ê#aŒZ˜Ð噆°Y58ï2³mï¾:n! Ù¸
A7pƺoiL‚ᆪ¸YCéÌ™›°�74Ö’U�•xX
+851 0 obj <<
+/Length 3445      
+/Filter /FlateDecode
+>>
+stream
+xÚí�[SGÇßùzHÕ½}¿ì>laÀ){1©lm’YƒÊH"º@¼Ÿ~{4ÓÝG¨ç@oÖáW
+�æÌ9:ÿßœ¾Îˆõ¨ÿÇzV*œì'‰¢Lõã-Ú;óï½Ùbí1»á ]xÔ«Ó­¿¾¦çˆÓ\÷N?ƒsYB­e½ÓáÏÛûï�O�O?îüzúÃÖái<)t̨¨ÏøÛÖÏ¿ÒÞÐûÿa‹á¬ê]û_(aÎñÞxK*A”"üåbëãÖ?ã	Á»+ÓÜQÂe¹É|.À'aœëŒ�N9¢…¯þ(špÂiýAüá.±–Jï£>l^Í®ªY{<«ðqk­ÛÃ>.ú‹j\M;»\ÑíƒêJùd´M'Í_ú“aóâÇyÿ¬ÚÙµŽn“�]Eïå‡t®Èà†ÜŠ[¢9e)£úÌÎzÍ‹¨X°Û…†›Šmž¥˜Ýˆ#�‹ãõžx‘†(Eyâ…ÝÊËb¶œ/ªáî—êë<C�²ÄqÛAÍ›Y<îÏ<ò>áøc¨ÜFLÈi11À#fM3×ML&ŒÔ{"F("µÄðoJÌíu†+ñÈJJHa1 ÀdM"�L ¨÷DXÍ âV@®FÕu.ý2ê–R¢„x0¥äÿY_îSHw1LÀƒiMN¦LL¨÷cDP	`’ߦ۫Œvúñ±Ó	MHk14ÀƒfM6šL4¨÷�vηJ …R·2óŸé¤Ê3C�3· kŸrå¹…¥�íR”€BÔÒ°N�2A ¡®FÖ&Eú›Pt{å1Š=�æªMj1,Ñc%	fD7*`¤ ~™’ÄãzÚ(B•‘P!Ìq¼„ÿ®‰X‰yºã‡Ã_/«¹Ï�|à–{("!…Å`
+LWÎoc~:¯Ú‘Íb6¡S|^�ý
+ö,{!aÅ8
+ !BÁš–wR�‹¡
+xÛŒæƒeFîwÿÊy¯òß÷ÌzÌa1!À#j„’‰#õžÑæT$D´„|¬‹Ñä¬mÕOß®8�/ýËr~B†‹ù
†?PAÛ=–‹ãõžøñ
&ñ#[~Ž&WÕ,ô
+ßõ//#L£¶æ}¸òs+^†"1‹ÅŒ
+†á’‰Ãõžpa†8ÇÀ…—àrt¼ÿöǃÃÜÖ5E¨]¼pñôêJHe1(ÀJ…�’‰õž@¡Š8ê (¢ßóÍ­ÿkb¥ë€ÄÜÏ´üýu^BŠ‹
†@PB L@¨÷Øy‘N<�
+™OÿIãô.bªJA€†kRØ\¸÷‚eÄH•@0-{Ãáj¯O˜NK¼žÎÆý…ï¹j£_91�Åx
+';La�fLáÍ 0…1×IaΈÔ�8í‘&PßõG^ÆI2¨nÓÙ—–‡>�?r±˜ÀS¦Ôvß­›‹Óõž¥ŽpÅ¡ ìÚ¸¸Ãµj5Bµ9ä£Xm`ˆ©
ó�©�‰SõÕÎf¨jËVíýéøÒ+üit1Z|m$¾-Λ)
+w7uÞÏ–º·Fé—)Ë<0!§ÅÀ
+"—ÔšŒ;™80†Pï±a纞$â�¡Ø_<Zü¥0O¦íãJ®§³/þâú{óÛùôºy1è‡mÚÍ�ú™&gÍ]dmáž.ÃÎûñ´×mò쾞3û€Ý�’b½“&7H8¦öf˜Ø˜ëX/”"±Zð¶ZM�TuW>våâ
œûçýÉÙZ/,�Â.–ãåøS=ù,´{Ýø6IÅÚG3Lú$
+1Y¥(@C…51rq (àÞCaVÅ] �7EäM5©f¡_E>©>·-uܨq4ù¼Ú1¼š"Óîy­9Å܃
10 6®{é?ê=ÕÉ”í˜{Í~]#Ž>\éö¢ÃS³Y~ñº=ÿŸÿÉêE{ó²ë7汘`ˆQuÂ(ÉÄ�Q‚z�åCS"´
+�ˆ¦|¼}ºMÏfýË󯉋ØF|\ž�UõÃØCYéýÈ®AFpþLŠGÈ\1ÀÃ*ƒa‘‰ÃõžŠ‡ô#{ÛÞk¹×<Ë©.'ÕoK/}#¼o:ÂVˆqÛY
¬œ¼ÞŸ7@XÁŸG�3¦¬`ˆ

%Á€ÈÄ�
�zO@M|	Þ¶&õþ®IâÌúŸkœã/ÃŒA´°&eõ®Ì´v»Ð0ÇÌÍóת1ڽ̒ƒuŸ á’0ÖÞG¹×<ꥆ<…á`:X‚Ú±÷)Îñ6#ÅžzùR…\£
+™@06Üçæ{eDiÓÌY¾ª[±ý®?‰»ìŸå¦}BìÁú¶iŸ˜`�›ö¹yÞ&'ÝO)�çÃr±á6×粎H«ÚT¬Vᶇ£³'U6Ám\-AŽÒëØ!—#,ê;pf‘T´˜ñ³óiÝySæ…³?�³VŽRÌ’B�šQäûß6BÀ¾(qŸ+¬ˆà¡’‰¶’Mæój°;œnfÇ_*?ˆöûMAß Ms):ÉAHÈEžF~3„
tâ—QîrG¬µ¹ÆÒÿψSͽíì»/Ó7tÖ\²]ß)&¨ó‘SÙ«¿yL4׈B6Ó®‘ÿî£A{endstream
 endobj
-806 0 obj <<
+850 0 obj <<
 /Type /Page
-/Contents 807 0 R
-/Resources 805 0 R
+/Contents 851 0 R
+/Resources 849 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
-/Annots [ 809 0 R 810 0 R 811 0 R 812 0 R 813 0 R 814 0 R 815 0 R 816 0 R 817 0 R 818 0 R 819 0 R 820 0 R 821 0 R 822 0 R 823 0 R 824 0 R 825 0 R 826 0 R 827 0 R 828 0 R 829 0 R 830 0 R 831 0 R 832 0 R 833 0 R 834 0 R 835 0 R 836 0 R 837 0 R 838 0 R 839 0 R 840 0 R 841 0 R 842 0 R 843 0 R 844 0 R 845 0 R 846 0 R 847 0 R 848 0 R 849 0 R 850 0 R 851 0 R 852 0 R 853 0 R 854 0 R 855 0 R 856 0 R 857 0 R 858 0 R 859 0 R 860 0 R 864 0 R 865 0 R ]
+/Parent 703 0 R
+/Annots [ 853 0 R 854 0 R 855 0 R 856 0 R 857 0 R 858 0 R 859 0 R 860 0 R 861 0 R 862 0 R 863 0 R 864 0 R 865 0 R 866 0 R 867 0 R 868 0 R 869 0 R 870 0 R 871 0 R 872 0 R 873 0 R 874 0 R 875 0 R 876 0 R 877 0 R 878 0 R 879 0 R 880 0 R 881 0 R 882 0 R 886 0 R 887 0 R 888 0 R 889 0 R 890 0 R 891 0 R 892 0 R 893 0 R 894 0 R 895 0 R 896 0 R 897 0 R 898 0 R 899 0 R 900 0 R 901 0 R 902 0 R 903 0 R 904 0 R 905 0 R 906 0 R 907 0 R 908 0 R 909 0 R 910 0 R ]
 >> endobj
-809 0 obj <<
+853 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [527.6238 758.4766 539.579 767.4329]
 /Subtype /Link
-/A << /S /GoTo /D (subsection.6.2.19) >>
->> endobj
-810 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 746.5215 539.579 755.4777]
-/Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.20) >>
 >> endobj
-811 0 obj <<
+854 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 734.5663 539.579 743.5226]
+/Rect [527.6238 746.3946 539.579 755.3509]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.21) >>
 >> endobj
-812 0 obj <<
+855 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 722.6111 539.579 731.5674]
+/Rect [527.6238 734.3125 539.579 743.2688]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.22) >>
 >> endobj
-813 0 obj <<
+856 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 710.656 539.579 719.6122]
+/Rect [527.6238 722.2305 539.579 731.1868]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.23) >>
 >> endobj
-814 0 obj <<
+857 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 698.8005 539.579 707.8065]
+/Rect [527.6238 710.1484 539.579 719.1047]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.2.24) >>
 >> endobj
-815 0 obj <<
+858 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 686.8453 539.579 695.8514]
+/Rect [527.6238 698.1661 539.579 707.1721]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.1) >>
+/A << /S /GoTo /D (subsection.6.2.25) >>
 >> endobj
-816 0 obj <<
+859 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 674.8901 539.579 683.7467]
+/Rect [527.6238 685.9843 539.579 694.9406]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.2) >>
+/A << /S /GoTo /D (subsection.6.2.26) >>
 >> endobj
-817 0 obj <<
+860 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 662.8353 539.579 671.7916]
+/Rect [527.6238 673.9023 539.579 682.8586]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.3) >>
+/A << /S /GoTo /D (subsubsection.6.2.26.1) >>
 >> endobj
-818 0 obj <<
+861 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 650.8801 539.579 659.8364]
+/Rect [527.6238 661.9199 539.579 670.926]
 /Subtype /Link
-/A << /S /GoTo /D (subsubsection.6.2.24.4) >>
+/A << /S /GoTo /D (subsubsection.6.2.26.2) >>
 >> endobj
-819 0 obj <<
+862 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 649.7382 539.579 658.6945]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.26.3) >>
+>> endobj
+863 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 637.7558 539.579 646.6124]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.2.26.4) >>
+>> endobj
+864 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 638.925 539.579 647.8812]
+/Rect [527.6238 625.5741 539.579 634.5304]
 /Subtype /Link
 /A << /S /GoTo /D (section.6.3) >>
 >> endobj
-820 0 obj <<
+865 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 626.9698 539.579 635.9261]
+/Rect [527.6238 613.4921 539.579 622.4483]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.1) >>
 >> endobj
-821 0 obj <<
+866 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 615.0146 539.579 623.9709]
+/Rect [527.6238 601.41 539.579 610.3663]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.1.1) >>
 >> endobj
-822 0 obj <<
+867 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 603.0594 539.579 612.0157]
+/Rect [527.6238 589.328 539.579 598.2842]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.1.2) >>
 >> endobj
-823 0 obj <<
+868 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 591.1043 539.579 600.0606]
+/Rect [527.6238 577.2459 539.579 586.2022]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.2) >>
 >> endobj
-824 0 obj <<
+869 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 579.1491 539.579 588.1054]
+/Rect [527.6238 565.1639 539.579 574.1201]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.3) >>
 >> endobj
-825 0 obj <<
+870 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 567.1939 539.579 576.1502]
+/Rect [527.6238 553.0818 539.579 562.0381]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.4) >>
 >> endobj
-826 0 obj <<
+871 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 555.2388 539.579 564.3445]
+/Rect [527.6238 540.9998 539.579 550.1055]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.5) >>
 >> endobj
-827 0 obj <<
+872 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 543.2836 539.579 552.3894]
+/Rect [527.6238 528.9177 539.579 538.0235]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.5.1) >>
 >> endobj
-828 0 obj <<
+873 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 531.3284 539.579 540.4342]
+/Rect [527.6238 516.8357 539.579 525.9414]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.5.2) >>
 >> endobj
-829 0 obj <<
+874 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 519.3733 539.579 528.479]
+/Rect [527.6238 504.7536 539.579 513.8594]
 /Subtype /Link
 /A << /S /GoTo /D (subsubsection.6.3.5.3) >>
 >> endobj
-830 0 obj <<
+875 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 507.4181 539.579 516.5239]
+/Rect [527.6238 492.6716 539.579 501.6279]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.6) >>
 >> endobj
-831 0 obj <<
+876 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 495.4629 539.579 504.4192]
+/Rect [527.6238 480.5895 539.579 489.5458]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.6.3.7) >>
 >> endobj
-832 0 obj <<
+877 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 468.5075 539.579 477.4638]
+/Subtype /Link
+/A << /S /GoTo /D (section.6.4) >>
+>> endobj
+878 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 456.4254 539.579 465.3817]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.0.1) >>
+>> endobj
+879 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 444.3434 539.579 453.2997]
+/Subtype /Link
+/A << /S /GoTo /D (subsection.6.4.1) >>
+>> endobj
+880 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 432.2613 539.579 441.2176]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.1) >>
+>> endobj
+881 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 420.1793 539.579 429.1356]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.2) >>
+>> endobj
+882 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 408.0972 539.579 417.0535]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.3) >>
+>> endobj
+886 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 473.5253 539.579 482.2574]
+/Rect [527.6238 396.0152 539.579 404.9715]
+/Subtype /Link
+/A << /S /GoTo /D (subsubsection.6.4.1.4) >>
+>> endobj
+887 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [527.6238 373.4431 539.579 382.2997]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.7) >>
 >> endobj
-833 0 obj <<
+888 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 461.59 539.579 470.5462]
+/Rect [527.6238 361.3809 539.579 370.4867]
 /Subtype /Link
 /A << /S /GoTo /D (section.7.1) >>
 >> endobj
-834 0 obj <<
+889 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 449.6348 539.579 458.5911]
+/Rect [527.6238 349.2989 539.579 358.2551]
 /Subtype /Link
 /A << /S /GoTo /D (section.7.2) >>
 >> endobj
-835 0 obj <<
+890 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 437.6796 539.579 446.6359]
+/Rect [527.6238 337.2168 539.579 346.1731]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.7.2.1) >>
 >> endobj
-836 0 obj <<
+891 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 425.7245 539.579 434.6807]
+/Rect [527.6238 325.1348 539.579 334.091]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.7.2.2) >>
 >> endobj
-837 0 obj <<
+892 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 413.7693 539.579 422.7256]
+/Rect [527.6238 313.0527 539.579 322.009]
 /Subtype /Link
 /A << /S /GoTo /D (section.7.3) >>
 >> endobj
-838 0 obj <<
+893 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 391.8316 539.579 400.5637]
+/Rect [527.6238 290.4806 539.579 299.2128]
 /Subtype /Link
 /A << /S /GoTo /D (chapter.8) >>
 >> endobj
-839 0 obj <<
+894 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 379.8963 539.579 388.8526]
+/Rect [527.6238 278.4184 539.579 287.3747]
 /Subtype /Link
 /A << /S /GoTo /D (section.8.1) >>
 >> endobj
-840 0 obj <<
+895 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 367.9411 539.579 376.8974]
+/Rect [527.6238 266.3364 539.579 275.2927]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.8.1.1) >>
 >> endobj
-841 0 obj <<
+896 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 355.986 539.579 364.9423]
+/Rect [527.6238 254.2544 539.579 263.2106]
 /Subtype /Link
 /A << /S /GoTo /D (section.8.2) >>
 >> endobj
-842 0 obj <<
+897 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 344.0308 539.579 352.9871]
+/Rect [527.6238 242.1723 539.579 251.1286]
 /Subtype /Link
 /A << /S /GoTo /D (section.8.3) >>
 >> endobj
-843 0 obj <<
+898 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 322.0931 539.579 330.9498]
+/Rect [527.6238 219.6002 539.579 228.3323]
 /Subtype /Link
 /A << /S /GoTo /D (appendix.A) >>
 >> endobj
-844 0 obj <<
+899 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 310.1578 539.579 319.2636]
+/Rect [527.6238 207.538 539.579 216.4943]
 /Subtype /Link
 /A << /S /GoTo /D (section.A.1) >>
 >> endobj
-845 0 obj <<
+900 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 298.2027 539.579 307.3084]
+/Rect [527.6238 195.456 539.579 204.4123]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.1.1) >>
 >> endobj
-846 0 obj <<
+901 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 286.2475 539.579 295.2038]
+/Rect [527.6238 183.3739 539.579 192.3302]
 /Subtype /Link
 /A << /S /GoTo /D (section.A.2) >>
 >> endobj
-847 0 obj <<
+902 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 274.2923 539.579 283.2486]
+/Rect [527.6238 171.2919 539.579 180.2482]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.2.1) >>
 >> endobj
-848 0 obj <<
+903 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 262.3372 539.579 271.2934]
+/Rect [527.6238 159.2098 539.579 168.1661]
 /Subtype /Link
 /A << /S /GoTo /D (section.A.3) >>
 >> endobj
-849 0 obj <<
+904 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 250.382 539.579 259.3383]
+/Rect [527.6238 147.1278 539.579 156.0841]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.3.1) >>
 >> endobj
-850 0 obj <<
+905 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 238.4268 539.579 247.3831]
+/Rect [522.6425 135.0457 539.579 144.1515]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.3.2) >>
 >> endobj
-851 0 obj <<
+906 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 226.4717 539.579 235.4279]
+/Rect [522.6425 122.9637 539.579 132.0694]
 /Subtype /Link
 /A << /S /GoTo /D (subsection.A.3.3) >>
 >> endobj
-852 0 obj <<
+907 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 204.534 539.579 213.2661]
+/Rect [522.6425 100.3916 539.579 109.2482]
 /Subtype /Link
 /A << /S /GoTo /D (appendix.B) >>
 >> endobj
-853 0 obj <<
+908 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [527.6238 192.5987 539.579 201.555]
+/Rect [522.6425 88.3294 539.579 97.4352]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.1) >>
 >> endobj
-854 0 obj <<
+909 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 180.6435 539.579 189.7493]
+/Rect [522.6425 76.2474 539.579 85.3531]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.2) >>
 >> endobj
-855 0 obj <<
+910 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 168.6883 539.579 177.7941]
+/Rect [522.6425 64.1653 539.579 73.2711]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.3) >>
 >> endobj
-856 0 obj <<
+852 0 obj <<
+/D [850 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+849 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F39 885 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+913 0 obj <<
+/Length 762       
+/Filter /FlateDecode
+>>
+stream
+xÚíÙKOÜ0
+*q jÉ
q »a[Á†–mUµ¿¾NˆƒaWá!$X¡aã±ÇžO–�qÿƒL0$ˆYR 9j¶Xœ­ü½ömÊШŒ[íUÅ»i
aXuÎ”Ö t×™î²jy2{ÿñ¨Ú?ªŽç§Õa±_
½Æ##—m—?Š“SΖ>�ƒ$§Ùoÿ$l](-A+)Ã7—Åqñiè0ºÛ…&g‚„4"1!£©X#�ON“¿ð·Ú™ì�š—$i¶l6›zQ^ÔίçèfWë˳/õå¼tœf0/5ç¯å—¢'˜Ñ½Ê+òNÈ/ê°º[¥º^±›‹ÏQñ†¸2Ü.Þvÿmõq‹`Ð�J$g';ü`GY0ÖboGß·³ª¿¾J¿21/§)¬÷dMQ`NS\OD9®)‘HNSvøA“Ô`R¯ÉÜÑ´ù¶jþ^5uëIî =RXêÉ�¢À¤¸”ˆzR"‘¤ìð$!ÁãzHöRs¶®—åâk½¸X\5çóÒh±ô`Aa�'Šs‚â"ºqA‰Dr‚²Ã‚Á!š^�ÛÔoEz·=\PXãÉ‚¢Àœ ¸†ˆ4.(‘HNPvø È�ÓFõ‚(äÑô–ŽDÏGë?†Lf„Ý©1
+1*,•HFX~øA˜³@Ãr¿¨-±Í¯ï˳Ÿ~wÒVíx='¯P€É¼¢À¯¸À(Ô8¯D"9^Ùá^V)žíü£eÇëºY.üº·¾�½€·P‘ÉÞ¢Àœ·¸â(Æ�\©DrÞ²ÃÞŒ"žþ°ÛMß(ŒÚ
+
„ª¢mÔR„î(ßµ¼Ó«Áö”gû–;£Oê0Tj²Ã(0ç0–€büà–J$ç0;üàPàR‡‡G”·û^ÙbëÞiI”»=îiQ…eŸŒ*
+Ì¡ŠËŠrüEi*‘-TËøÒ 
Ã…M½‹÷ÒÿæÿöÊ‚tN¤§+²’˜ÔÐöÕNÖŒNµoeþwã¹endstream
+endobj
+912 0 obj <<
+/Type /Page
+/Contents 913 0 R
+/Resources 911 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 703 0 R
+/Annots [ 915 0 R 916 0 R 917 0 R 918 0 R 919 0 R 920 0 R 921 0 R 922 0 R 926 0 R 927 0 R ]
+>> endobj
+915 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 156.7332 539.579 165.8389]
+/Rect [494.296 758.5763 511.2325 767.5824]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.4) >>
 >> endobj
-857 0 obj <<
+916 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 144.778 539.579 153.8838]
+/Rect [494.296 746.5215 511.2325 755.6272]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.5) >>
 >> endobj
-858 0 obj <<
+917 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 132.8228 539.579 141.9286]
+/Rect [494.296 734.5663 511.2325 743.672]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.6) >>
 >> endobj
-859 0 obj <<
+918 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 120.9673 539.579 129.9734]
+/Rect [494.296 722.6111 511.2325 731.7169]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.7) >>
 >> endobj
-860 0 obj <<
+919 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 108.9125 539.579 118.0182]
+/Rect [494.296 710.656 511.2325 719.7617]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.8) >>
 >> endobj
-864 0 obj <<
+920 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 96.9573 539.579 106.0631]
+/Rect [494.296 698.8005 511.2325 707.8065]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.9) >>
 >> endobj
-865 0 obj <<
+921 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [522.6425 85.0022 539.579 94.1079]
+/Rect [494.296 686.8453 511.2325 695.8514]
 /Subtype /Link
 /A << /S /GoTo /D (section.B.10) >>
 >> endobj
-808 0 obj <<
-/D [806 0 R /XYZ 85.0394 794.5015 null]
+922 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 674.7905 511.2325 683.8962]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.11) >>
 >> endobj
-805 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
-/ProcSet [ /PDF /Text ]
+926 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 662.8353 511.2325 671.941]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.12) >>
 >> endobj
-868 0 obj <<
-/Length 69        
-/Filter /FlateDecode
->>
-stream
-xÚ3T0
-endobj
-867 0 obj <<
-/Type /Page
-/Contents 868 0 R
-/Resources 866 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 659 0 R
+927 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [494.296 650.8801 511.2325 659.9859]
+/Subtype /Link
+/A << /S /GoTo /D (section.B.13) >>
 >> endobj
-869 0 obj <<
-/D [867 0 R /XYZ 56.6929 794.5015 null]
+914 0 obj <<
+/D [912 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-866 0 obj <<
-/ProcSet [ /PDF ]
+911 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-872 0 obj <<
+930 0 obj <<
 /Length 2197      
 /Filter /FlateDecode
 >>
 stream
-xÚÝYÝ�ã¶÷_áG-pfù)‘y¼»¦¸ ¸¢Ý
ò�æA+qmádÉÑÇnœ¿¾C)˶|wé-РX`M�†äpæ7¿ÚlMá�­µ"T¹ÎŒ$Š2µ.ö+ºÞ»¿­XБJ%…€‡…·%4QšgëÍ|‘·«¿|ÏÙšS’¦\­ž¦½ÒL#¤Y?”?'ïvùa°Ý݆+š°»_~Ài’d:cn…-ÉÕ~‡fèÚr,†ªm‚ºXbRžFí悹Nûagai�ºi¶kì€OïÛ}^58þ˜ïƒÎý±ìÇÿ¦Š¾ÿxÌ	²¤h›¾ê‡_·Oø9Äõûc3ä¿ad[TOÇÍö»XÅ6C5T(Í’êŽ%
Ý$8£;cÄ(Å£Âa§‰;ˆà,ÉñqWÙ.ïî˜NŠ]Uä5J÷yÓ€›3™¼
�Ðh�{ÓÝéd¬Ýæn‘±·%ÊŸÚ¥­í6ªfö‡]ÛU˜yDIûlƒ®?\Ø!oÂJa+Nò>;ó'ªö‡ÚîÁ¹�놃¡Ã.wáÊT’Ø×õåûüÐã(ºT¼ÏA4‹³›X–Þ¶ïmOÀ-ˆ*ª–ù�£ZÕÇ•+° jœܳ‡ˆ[·~­v< ¢·›@ÒU�ãàQKñpR·ùcî­Š˜g’™ò€bI	Obž
-ôœA)*ìaˆÔqf§†d
-DÖñ›Öñ 	R
-}å7A,û�+£c”ú…%%”Æ8yÿiU¢¿^OI¢�0SÔƒ©C�>”‚e”<÷á!8|V5T•Ëã­Wóø·áÕÓØøú*ÉsUž›�vð>¯Jœ‹–D‚A G
-OyùœCÖ•“¦Ï@´64* >2óNgÃŒ&ÌõÀçUlN¾.ÝR Ñ#ë›0Hõ§øn*·Ø†�¤°ÝàK­{hîôËŒ�B/-RvÍi¢n0‚b‰ÒHUéŒ�
-êj»^¬ûh‚*"¸‘K4Ñ·õ3v£®tgihM2îc`ˆŠw.°Ëº>,)…¼â`7!]
->YÉàT&³ëdQ¶®ÂŠ¾QaÁô'ìL,
-¸×S^ÛIÀ“ÿõ÷7¨¹kûa¦	¼VÇêvñÍA
DŠÑ
úþ®ø�}	°ÝþüUè[o#zvÊosÜÑ—žƒ[Ñ¢gžû¾úÍql
-ôûR•Ãî6x_ÍÞ?xc _‘©!RªôKàe‚PÁ#ĆSY
VébÍ;ŒŸÁÏl£WcÄK㡪/ágnü@?y
-š[}¡[Ày5sÿ,¸áî‹®Œ¥î
-ADÆåüg¿«Ÿÿ¸§` Ô
˜¯µ^ü�0þô·Š¸_Ñ# §r”\²+·Ç_O+ÅÝþ-Õ«endstream
+xÚÝYÝ�ã¶÷_áG-pfù)‘y¼»¦¸ ¸¢Ý
ò�æA+qmádÉÑÇnœ¿¾C)˶|wé-РX`M�†äpæ7¿ÚlMá�­µ"T¹ÎŒ$Š2µ.ö+ºÞ»¿­XБJ%…€‡…·%4QšgëÍ|‘·«¿|ÏÙšS’¦\­ž¦½ÒL#¤Y?”?'ïvùa°Ý݆+š°»_~Ài’d:cn…-ÉÕ~‡fèÚr,†ªm‚ºXbRžFí悹Nûagai�ºi¶kì€OïÛ}^58þ˜ïƒÎý±ìÇÿ¦Š¾ÿxÌ	²¤h›¾ê‡_·Oø9Äõûc3ä¿ad[TOÇÍö»XÅ6C5T(Í’êŽ%
Ý$8£;cÄ(Å£Âa§‰;ˆà,ÉñqWÙ.ïî˜NŠ]Uä5J÷yÓ€›3™¼
�Ðh�{ÓÝéd¬Ýæn‘±·%ÊŸÚ¥­í6ªfö‡]ÛU˜yDIûlƒ®?\Ø!oÂJa+Nò>;ó'ªö‡ÚîÁ¹�놃¡Ã.wáÊT’Ø×õåûüÐã(ºT¼ÏA4‹³›X–Þ¶ïmOÀ-ˆ*ª–ù�£ZÕÇ•+° jœܳ‡ˆ[·~­v< ¢·›@ÒU�ãàQKñpR·ùcî­Š˜g’™ò€bI	Obž
+¥ŽrÜ\AÕ„ 78Y˜ÙdÍHÊ%¬áƒh±ùùla+°_¥™ê@0ˆF(ažsý®7
°t2ÏRN†,
+ôœA)*ìaˆÔqf§†dJfKÖñ›Öñ 	R
+}å7A,û�+£c”ú…%%”Æ8yÿiU¢¿^OI¢
L�Q¦=úP
+F”Qò܇‡àðYÔ<P
T.�k´^Íã߆WOcãè«$cÌUynBÚÁû¼*q.Z	
+�
Œ=¾Aæ‘óB´f3bØ„ç̹ljj_jÊü¹×¼Kúydð„ S×íKTy<.E#¥Ðæ)¶`¹‘‘e1k½{Lò²ƒ&¦*v8
òÊUÿ
+½´HÙ5#¤‰ºÁFˆ%FH#U¥362(¨«ínx±î 	ªˆàF.ÑDßÖÏØ�ºÒ�¥¡5ɸ��m *Þ¹ À.ë2ø°¤òŠƒÝ„t)ø0dY$ƒS™Ì®“	Dyغ
++úF…ÓŸ°3±
+hÇqÕR®°„ë%KôMK¢á³´ýP>ÇG¸²ìÚÖçâMÎiªÏñ¶³õÁqØÚ_‘ĶV&�myœ³žŒ|ÖB‚¸
+ä8'&éˆÉK{h,$_ÆœQ“SÛ”•«ü‰—¦áöŒª/»ÀKÒ;
+Ãêó¥6ñLæÒ‰j6}u
gA˜�°Œ„«‡‘á¶ã[§pS‰•ïÊm‚+zz=ßâÛ¬ž–ü‚ÙÚFérúÌìŸî8MnÂ¥Žõõ!”ë�S¥^ñ’ÃÕƒBÖoÂÜÿœ8ð„øœ)θ	'DnŒ8}·)áäÚL‰l“»VXÂ=|عoBÝJ
÷zÊk;	xòã¿þþ5wm?Ì4�×êXÝ.¾9¨�H1ºAß_€Ã¿±/
¶ÛŸ¿
+}ëmDÏNùmŽ›!úÒsàž%DÏ<÷}õ›ãØè÷¥*‡Ým𾚽"ðÆ@¿"RC¤Té—ÀË¡‚Gˆ
§²¬ÒÅšw?ƒŸÙF¯Æˆ—ÆCU_ÂÏÜø€~ò
+B·€ójæþYpÃÝ]KÝ‚ˆŒËùÏ~W?ÿqOÁ@¨0_k½øaüéo#q¿$.¢G@
+Nå:(¹(dWn�¿6žVŠ»ýñG¬endstream
 endobj
-871 0 obj <<
+929 0 obj <<
 /Type /Page
-/Contents 872 0 R
-/Resources 870 0 R
+/Contents 930 0 R
+/Resources 928 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
+/Parent 941 0 R
 >> endobj
-873 0 obj <<
-/D [871 0 R /XYZ 85.0394 794.5015 null]
+931 0 obj <<
+/D [929 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 6 0 obj <<
-/D [871 0 R /XYZ 85.0394 769.5949 null]
+/D [929 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-874 0 obj <<
-/D [871 0 R /XYZ 85.0394 582.8476 null]
+932 0 obj <<
+/D [929 0 R /XYZ 85.0394 582.8476 null]
 >> endobj
 10 0 obj <<
-/D [871 0 R /XYZ 85.0394 512.9824 null]
+/D [929 0 R /XYZ 85.0394 512.9824 null]
 >> endobj
-875 0 obj <<
-/D [871 0 R /XYZ 85.0394 474.7837 null]
+933 0 obj <<
+/D [929 0 R /XYZ 85.0394 474.7837 null]
 >> endobj
 14 0 obj <<
-/D [871 0 R /XYZ 85.0394 399.5462 null]
+/D [929 0 R /XYZ 85.0394 399.5462 null]
 >> endobj
-876 0 obj <<
-/D [871 0 R /XYZ 85.0394 363.8828 null]
+934 0 obj <<
+/D [929 0 R /XYZ 85.0394 363.8828 null]
 >> endobj
 18 0 obj <<
-/D [871 0 R /XYZ 85.0394 223.0066 null]
+/D [929 0 R /XYZ 85.0394 223.0066 null]
 >> endobj
-880 0 obj <<
-/D [871 0 R /XYZ 85.0394 190.9009 null]
+935 0 obj <<
+/D [929 0 R /XYZ 85.0394 190.9009 null]
 >> endobj
-881 0 obj <<
-/D [871 0 R /XYZ 85.0394 170.4169 null]
+936 0 obj <<
+/D [929 0 R /XYZ 85.0394 170.4169 null]
 >> endobj
-882 0 obj <<
-/D [871 0 R /XYZ 85.0394 158.4617 null]
+937 0 obj <<
+/D [929 0 R /XYZ 85.0394 158.4617 null]
 >> endobj
-870 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F48 885 0 R >>
+928 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-889 0 obj <<
-/Length 3125      
-/Filter /FlateDecode
->>
-stream
-xÚÍ]“Û¶ñý~…u3‹~öíÛ�3“sb«“i�<P"¤ã˜"’:ùò뻋]P¤„³Ý6�fî�+`
ìö'þä"Šƒ8SÙ"É 2Zl7b±‡¹¿ÝHÆY9¤Õë›õÍ_^ëd‘Y¬âÅz7Ù+
DšÊźø°”AÜÂb¹þîÕíJEbùòíwoî	¾¿û�GßÿãýúÕÿ""ñòþ=|äíJÊ8Ëo¿»ûqýêÍKÞòÍýúÝÛ—ÿvýæíýí¯ëïo^­Gª§œI¡‘äßn>ü*0øý�t–F‹ü�Ì2µ8Ü„‘¢Pk7Rݼ¿ùiÜp2k—z%%E t¬<¢RÚ'ª(b
S(ªõƒ!övMU5§²ÞÓÏmS?šz(›º§�¼»•é’‘�½)*kú¦ßve;YÐìè;¸¾ysÿrÜü!ÔþØå¸ÀÉ_¨ÊüõR¤qÄR
-h�€½t+æ[­O«D« ’ᨯpjÚIdi²Ht¶$bR×­”rÙLe¾
™­dª´^þ|«ÄDEòï‡'�|Ã,	2™á9#-ÿw(G
wñ"0%‚(‚½½î$¦àö…Qh%öÑ<�k»E�¼ƒÿÈ&K”JèDa±_—ŸÐ²c!–?—Åðð¼´ˆ�ìO..
�
-3o­»Ë+ç	Ûã
-Ë~€Ìá8XWèE>䛼7�ãêìa á~ ÐizÚ®¬wMwp¦ð“fy»ò	¿%µbÞìl~ÉåCÓ4^c=�VÔˆú#!åEÁÇ÷…l
-€ÇrkëÑt}nS@FYѨ]؇ñü	íYŸ÷j@û�(ÚÀæ¸3ŽÈ{lØN&ü µm¶ùo0.ƒØŠÔ.û¶*AÿÖÚ¢eÕ4	:¶ô�KÖЗӷÈ\�[¹|"4ZqÊ�Ê­eÍrH…î=�CÙ,ͦ™yìPk/Z2rUB êžlÆù‚Î;�=Ði½©ææ·£éJ« @¡ëWµfº­…À÷À¦ä¡µ¨,‹æ¶S[“×ö°µì!|
-
‘(¶
-ÕVx ›–ÎC™k'HX-hÊ€®V±ŠèÊá$yI„2>zæäpd¼<VW8õÌ
-|	„S»P
-B
×ó9õÅ|›4´£xx qFPB¬ßæ©kɆO’ÉiišÁ#[	%J;…ûS8„J#E9%óhº¦\8ä̾¤rvÞe(GA„š¾§®Ã?0j”óúœ>è£mdØ
-¾•“Â` nç‰p�€rÿ0h…‚ÈfÇ#äbpÓæ`àn›À·h´p(©–w¾|È’@Ž©6®lꊓŠ�ëÞÔ%DU‚O%ìÌÊ�]]Ë7¿æüƒÏ›y¼¶÷2ŸòC[ÙËD.
G‹˜-R÷�[ÃXœ®áÀ@dB0°mm^ûÜœ‚h¡uì®ã«Ùñoêmà‹çI�ÆÚ¹Æms¬
-:fc<	
µ".ÆnŽÒ0Ÿ
Pæ3P©ƒ(	åxûÉ:#ˆ0fÚ:a^xNZæÝ̬T2Rê=@‘:Gƒ.³”D50˜WK#•yD«@ÐéÃ"6„Gi×5	Ò
-Xÿ»üGAfn˜cSï]Z0—.zSá8ä]}I�R™f\æD{Üœý0¸Í4	’0Œæ^
-b5:”ÀyÈ,º¸+¤€$u9@yß7Û’C.üƸH«#™D³dŒf
-Î
-J�}¹¯¹šÛù«Í˜Û2ñLM/ :i
5
-÷&M¾d)#þjºàZK×û^ÙÊ�ÏVøË8–rFÏõÛ‚Ãú×»=ßÆ@Š³8UWmÍmŒ>v/›øª„JÓ£¯mM‡ÅŽ lÛÖZe¶â×cú Å¬Õ+Ö4a“	XQБä5|ÔíC2:Íñ�¢Ü!;­õ–OÞ˜ád°>C$_œEI¾Ò“”×qHHS9kí=³¡­-¡:½Åø—êw½ypv»ï¸)
-S™ýä-ç깇bë¤Â�ˆ;=Ÿµmê®c?Ý*؇ñù	»”åþèmÓ+ô‚¥ÿ±%:W€Ï�$üE‰
+944 0 obj <<
+/Length 3187      
+/Filter /FlateDecode
+>>
+stream
+xÚÍÛrã¶õÝ_¡Gyf…àBðÒ7g/�3oºv'Ó&y EÈæ,E2"e­÷ë{Î
EJtvۦӌ
À¹ß`µ�ð§6q¦³E’EÂJeëí…\<ÀÚ_/ìÐjõíÝÅ7ïL²ÈDëxq·�•
+™¦jqWü¼T"—p‚\Þ}÷ör¥­\¾yÿÃÕõ
�o®~àÙÛÜÞ½ý�Æ¿H+ßÜÜÂG]®”Š¹|ýÝÕ�wo?кâ#¯oî>¼ó÷×w×ïo.½ûþâíÝ€õ˜2%
¢üÛÅÏ¿ÊE
~!…ÉR»8À)T–éÅö"²FØȘ0S]Ü^üm8p´ê·ÎrJI¡M¬gX¥Í«l&bKȪ»GGämšªjeý@?×Mýäê¾lêŽ&òÝ¥J—¼ï\A£²¦oáºõ®lGš
}ûp÷×7o†Ã‘R?ìw9nü—ºr9eiœŠXIÀ:ŠDøOu&™œðô?Ûð�P
+‘Yû;Ð>	gñ0옵
+4­£…UÑQµ³‘¼’Hdi²HLº$c×¥RjÙŒy~<[©T³üéRË‘ˆNøßõÏ3ü�²Dd*Ã{\þ;ê��lñÂ0-…µpö¬†Ži°¾ÈFžcÝó¡ñº[tHû7ï"5Ú¢uB7Jý®ü„šK¹ü©,úÇ—¹EˆdrvIIp˜¿Ë.¥á4Iþà)ß•ù}åþP^�°øóò*ÎÀ?F©ý}^Iôµ–ÂÌ{ïîò*xÂv߃%ÆFÚåÏw—™^ºO=¯±OtõºjÎ|g÷Û~â]ïwùú£ë»__äè×?Š£Çóÿp¯Zf"M€å+T2cÌ8Ô�…<�¤"J
„¼äg X¥¦*&‚x8Šy1œ*3ৠ'	z;D¿7Í6â¸É·<{ûÜõn{žxÓ˜¨D OfI6Šª©Y¶û]ÛtüÃGDøö�^R½,šõ~a–æiÖúºOmEXùM|JYw}^U!rÂL^tܾýè\{zïãð#$å[·ûè*÷L3×uïvµë‘²q¤CZ˜YÌL¢IgvÙ5›þpÔ\€hAqó÷êredÂxÁô�—ï݃'‡Ïtí~*§°DÃ`³¯‹Ù“WA{¢Æ ƒÜ`ì�@fú’)­é†(ùL#ÂøâgsL_‹^
æD²‡-c“ɧbý‚«hó»1)óêc…‰GÊGGâb¤
+Á7§õÇÒíH@ëÇr�W¯p"aÙõ�8ì{ï‰
+OåÚÔ“Ûu¹'LeE³~c³ï‡ûG¸{`s<«
áïhˆŒ |Š;c÷¬&#zP�Ú¶ûôWÛR¡UB>çuU‚ô½²ÙeÕ4i´oé;嬟 /go6¨XÎ¥Z>Ó$ZqÆnAä^¯&)¤FïžÆGlæfS
Ïf´Ðˆ.F1pUBÚ=û„óÝw
+^�0ö5žy ›–îCž›ÀH0Z�”Y­bmÉäp‘œ$Ž2¾zâãpf0/+œ�r¦Cå‹rúìcÆþ2‰€�Á}Œˆg&fƒ›‹9	I‘eà&ˆÞWc›°™7z›N¥ìg¦¢<Ç
JU‘@™y”|uع9~›²¥4 €îÂØEÁÞªbP¬ñùVŠ$Õ#ź/ëYò€I¤ç´uB‡ÿA9P]u
ÍäO`þ˜¼ÒÏ
ù€-ýº¾}Íðž.T:)¤ÖéTérNÉ\›ï†P4‡ºjòâkÝ¿îß;ðP@×Å|®ñu

’öNF%GÏ\Ð
+ž‡ß>€zw��È&Q`9�EvØžìÜd–Æf,‚‚QEðúTc%b;­Ì{‚?
`AØ>äuù9\Ÿ3bLQOàŒ~¾^sÑæý›'­¡/ͯXˆ6Ra"86O>$ç˜
í8U*¶e�«OœÝ7œÑ…�>G2[¾Í½—ƒ¥º)ÜéTÀ�0SÞûhŠ—ÌðÕèLòì	cϹ	;M;²p8<$†€sÈùèêî*FÕÄ3Å
+‘ëøžúd½ÍûGšÙ©
+FD|Lá¥sÎF
+œb’©±×hš~†·
+*‹$ÎϧP
EPŠ|J¦»£4=â¬
+¾$r,
)B€š¾‡]Ù÷Ž`D§QÎûsú`üðQÆž�ð­¯p
+N1({z¦ °Ûð9<Ÿ�ÿô|‹¦G
‡joy5—«yÈ-Õ.Ô¨M]qÂsKu	ŸÆ‡jveeÏŽ®e˯ûà=Qñf³¢wÞ.
!÷)߶•7&r	89h,ŒYc¡ªØ„=Å©$NôA*ëfÛæõœ›Ó”¨&æøvrýu½s¹F"ÒØ׸nöUA×Ü»™f‰É„N’pA³ß!ž‚é€Ùœ‚*#l©ÁúI;­ÒÄD;˜³ªi£³>�˜ÎÞC™Gƒ®²”Xå9¨WK3•{B­Àa�‡lŽRÂs”g°ùwé·ÂFYØêØÔÝ«9î¢7•�B>uæÄȈT¥Ù	•9áÞíï�~Üfšˆ$ŠN²P0Ðê”ÐÑ ÜˆÁ>Æ „WÇ$`F^ð*M¦¼š£áL2¢fÒà­‡ÆÅYïÝ3ŸÈÌ@�->¬œ¢Ádò$@â71:,ëS6/‡ûpÔAáÏCŸoÄÞô%
+ï}
æ#x<<%äÉ¡s&fF‰Ð&
ÕËg8k.
ÑZ(�’bDÒùîqëŸEàÝ=Yæ1˜JbO²oŠ<V…œMa'
+®µ”OiDõŽ
+œV`/ù†FxLGC*‚ŽÐ£¥£$×¢0$zýÐÓ€¾¢ gÛ³AŒ±ôc® ÂÃþ¹
+6èÍ8‡·#çÒÈ(t&ƒ�k›UMEd&y†‹P?¢!t,éü�Q	+��õ'êû™ËI|Öž¨æÓ

j�Fƒg:0µ›¾Y7Õœs·"ÖƒCÁ#(¡2{b+$€$
Íå]׬K¹ðã"�XÉ(š%C4K¸Š�ïD8Ï�}¸Œ³	�4µ(át”�ÖN{jþð4™u1›È'�ùÇ¡ÄÖÒ‡¶–Pñ²hyÛ¤½{aäˆQ‰±´'®³Û·m³ëƒ~Íà4̆lŸ%ûܺ¹gÇðàuTØ“¹NÀßCyª

(Àü3­í4ø0i#øjÞû?;ÕwÝúøv	5“P§È`ʯ‹ãÓÏZÙÔ�8?m¤¨:�²SezΩCB3ô^|¥U8ï7ÊŠ*±dÚ|òՙठޗ5Ws›ùj3æŒJf–ƈNÚ@

+W¹‡Ñ;ÓÙS×Q3„;W4{¼kÝÔØc7>JØÇái[¨åÃ~5gë@
+½þ`J9ÿd�ÑÆÇVþ¢Ì!ûȨÀÌB�Ö?e‘úñcΗ`ùX¹žŸš¦-zXæç-@fØ:\a½ã¶Gî7žÛù¨ß•=Éȧv)½»@2wl(kz+0h´zx6�éqŸSS>u»ž�Q¶àðI¼þ˜CÍ-í‚f¡œoMoqÓâ›äÚµ|Éï…�2VDÓWÜãÒ|ññþkÿ=êø_bP*˜4Õ/øÃ[Df@
+�ž!þ�êó
y©òendstream
 endobj
-888 0 obj <<
+943 0 obj <<
 /Type /Page
-/Contents 889 0 R
-/Resources 887 0 R
+/Contents 944 0 R
+/Resources 942 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
-/Annots [ 896 0 R 897 0 R ]
+/Parent 941 0 R
+/Annots [ 951 0 R 952 0 R ]
 >> endobj
-896 0 obj <<
+951 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [272.8897 210.0781 329.1084 222.1378]
+/Rect [272.8897 207.1951 329.1084 219.2548]
 /Subtype /Link
 /A << /S /GoTo /D (types_of_resource_records_and_when_to_use_them) >>
 >> endobj
-897 0 obj <<
+952 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [190.6691 182.1322 249.6573 191.5418]
+/Rect [190.6691 179.6723 249.6573 189.0819]
 /Subtype /Link
 /A << /S /GoTo /D (rfcs) >>
 >> endobj
-890 0 obj <<
-/D [888 0 R /XYZ 56.6929 794.5015 null]
+945 0 obj <<
+/D [943 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-891 0 obj <<
-/D [888 0 R /XYZ 56.6929 756.8229 null]
+946 0 obj <<
+/D [943 0 R /XYZ 56.6929 756.8229 null]
 >> endobj
-892 0 obj <<
-/D [888 0 R /XYZ 56.6929 744.8677 null]
+947 0 obj <<
+/D [943 0 R /XYZ 56.6929 744.8677 null]
 >> endobj
 22 0 obj <<
-/D [888 0 R /XYZ 56.6929 649.0335 null]
+/D [943 0 R /XYZ 56.6929 651.295 null]
 >> endobj
-893 0 obj <<
-/D [888 0 R /XYZ 56.6929 609.5205 null]
+948 0 obj <<
+/D [943 0 R /XYZ 56.6929 612.4036 null]
 >> endobj
 26 0 obj <<
-/D [888 0 R /XYZ 56.6929 551.1302 null]
+/D [943 0 R /XYZ 56.6929 555.4285 null]
 >> endobj
-894 0 obj <<
-/D [888 0 R /XYZ 56.6929 525.7505 null]
+949 0 obj <<
+/D [943 0 R /XYZ 56.6929 530.6703 null]
 >> endobj
 30 0 obj <<
-/D [888 0 R /XYZ 56.6929 422.4834 null]
+/D [943 0 R /XYZ 56.6929 416.0112 null]
 >> endobj
-895 0 obj <<
-/D [888 0 R /XYZ 56.6929 395.8284 null]
+950 0 obj <<
+/D [943 0 R /XYZ 56.6929 391.253 null]
 >> endobj
 34 0 obj <<
-/D [888 0 R /XYZ 56.6929 166.2827 null]
+/D [943 0 R /XYZ 56.6929 164.815 null]
 >> endobj
-898 0 obj <<
-/D [888 0 R /XYZ 56.6929 138.253 null]
+953 0 obj <<
+/D [943 0 R /XYZ 56.6929 137.4068 null]
 >> endobj
-887 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F21 658 0 R >>
+942 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-903 0 obj <<
-/Length 3414      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZKsã6¾ûWè¹jÍàA
-a²¢´á¦�f²”™ËÕW„\€Ž™ ®¯Ë÷tÎ
-Bƒc34ÏõÈå‰â‘=½ r‚
öÇÇGÒ}0N:
-$¿vG"‘ÂUk"þð}O-ˆÂ´7¤›9½D¸×ð”Q½X4


-Ú½¢¤bü²êÿr…û€º–Èuüç˜â�ÙK
Šy{„°ëÐÆáäÍ0Å#÷—Ì‚² _Xy‡«4Øòǧ�Çšh>½�§Ç*x¶uÕs¿K�Á¶ÑOuÊ-~Çf->øDÄ)Ày•ZNŽ/£øLeð~È¿Qt
œOpÈëj¨¨EçÄ#é˜,¬`ÎÊ9ntáæ‹ëRÍÑO8Xð„òuÇ ‰¢¤tm}¨|Bd®@
*�4‚I îêá¥;<õ¡jÚ#GCè‰c?ÐH¯4nã5ϯôÒQ£ã‰c†é©,é›RM•…#$΃B2Ü?Ô§ù"³Ü'
ýsÝï
ï(áqór·[|+ÎðÊÔÏûRÁ]Cñüâ3ttý�=FÜÞúÊ…ï_úxÉÏÏ
JÓŠqf–³ç–ºöÕê))ªz@¸4ºW@áüù÷1�Ýá•iQ ùÜ
È@}!´úº^‚ã'T�¯:Ø
-n±=*‚«w
zŒÐx¢KìÏñ¸‹¨i{
-˜0¸†¥^!ž¥ð
-ÍÈ)´c‘Â|Fæ�æ¡f63
-O=°& wœWðdcZ*…—™¤µùiÙȸýd‰ƒ6™Ì]Ь.dJÐæ&õÅYs™©MÔ>²�W˜S·ùñMš fHÁWUOA
-fD
-_tÀ€ÌvØüM„ù¹…S &cÃQðføˆ‘€:úMÏ£Î
-4´â9§îåÌüváâ}Ï1[,ò\\ÔG	S=Ÿ^ÌÉ:ÐmZc´“1àp¨­/÷‚ã~¤Fñ_	[€ƒUÁÁÒß.¨rlõØpŸ…Ô8èm¨þ�°�·ì§_Såþpäœþå‘óß-¦ëE*ý�CŸ«g
¶ÌŒÖgeŽÑAè)�èpÅÔ%_*{ Ðå7‚¤§ºÞûÀ(Þb1AÓ!ñG¢·Âñ¦+ܪ³_Ç¥÷uÍ7kÇ=uU+
-¢ü
XÇÃÕXT
�p~ÅCê,x^®¤zç;š›ˆ|¦„§¹`õ\5mµ)"_œâ€´íÙ$X5ìÆ‹¬¦j¹Ž8Bé…D›^¿šr
-¡‚—†HÙ[�‚ÿï”(L‰Xãÿ¿ÿV5þ»,w™.
-•®piQâEpd
-�£¼(
+958 0 obj <<
+/Length 3415      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZKsã6¾ûWè¹jÍàA
+J$”š.º\.³/ËA*™…_ÕÏ5ŠAç ãîøˆ›ÔoÉÛéÌ‚ÖþoâFð6ñ—·'\d"`X¦Ûµ¯Dí”»@/HhBg©3¡½¡&+JNaz
+¢â¥ 486Có\�\ž(ÙÓ*'Ø`||$Ý㤣@òkw$)\µ&òçß÷Ô‚(L{Cʱ™ÑK„{
OÙåÑ‹E 
pàg`6Ž;ð’è:×€4Î"ÈÆÇ8@Yƒ67¿	¡VÇvHÙ�	ÆÇåвº}³Júí{-Äü»�wï¨Eë�÷®ÚÖ[¸ 
Òoà<Ãã;[9´ÈʱÅ"µ7ìX×pºÔ܈Ó�S¸O‚gÚÓ2´é1Ì1„ÞðÛª<¼ ?çÇJûïÛêÙ�U­WmuÞHÇëÙ7ã
~]l/¸³5x‡ÝCÊ/ª¬ˆ&ˆçÑò¢ý¾^5¯´žß„WAê‰D¶VÜ›+çÿÙÔ;¢³ÆYMžˆÒw[ž5À*.Ð]Jpä./‹3{E
j,�®º§÷—¦mIµ0HèˆèÑÞ+z
Â
+�&‘|øD`ñ�‚ZÈ
+æ<ð¡œãFn¾¸.Õý„3€O(_Çq’(J@J×Ö‡Ê'D@öç
+Ô ÒH#˜â®^ºÃQª¦=r4„ž¸P�1ö�ôjAã6^óüJ/5:ž8f˜žÊ’¾I!ÕTY8Bâ,0($ÃýC}š/2Ë}Ð?×ýðŽ7 w»Å·âüàq
+p‘æPj¶]åK]¼´ç‡3õBypÀ&؈\û`‹æ€¹‰";$×ë†ê`Ð^²
+“©Ò�3
:­Ó8˜k8�¾óšlùø¿óå	¥BÐ=&óرk„Óâ¼nÍ€¨µ� Žöu“ S=qsz†€\…nß|
€ÅtMô=M¸ª{^!ȧï×¢Q%à�)Ì	€àà
¢úþ!éœœ‹Íåè,Œ-Ï�……(œ‹�,²2^
+�”r¬¾*{êÃÂ4Òçাc¡Z¯;	·]u�‹ο0b0–9›7Œ÷13;w|rQ'èú¾Yzlq\QF‡¤A_
)â)b—×i|H£>î’àœ‹˜¿„›#ÎJ*NUF+�	•¿šâ ªúºåL²xnô'sLÑÛof2ýqÉë6;„�7Öé¥`F¤ðE|
Èl‡ÍßD˜ŸûPˆ0b26o†�	¨£ßô<ê€Ì$Íòý1J4˜DôTE‡_Ÿ‚§OFŒ»¼ÂE6ÅÉ}b`¯OµFxìë8gâ¼//	•ó—vC3ÎÔR&Z¸Ì¨<V×ÇûÙ4zÉxõâ³ñi†Éá�²'ÉêdÀ¸?_VÍ+÷•|ÖŽ‚öƒÉšÔ(ò1-ucBj‘9=VÕä4†±jtòÐ&]Gû°ì·íB^ëd¨Ýž·W$/
+,Ê,ÿJ@T&¸«j_ÿ™¾,07šÈކС¶’Ûù/¾¶r$:]iYíEE¤Q°¸ñ]b¢o¸6wCûò¯¾(ÏsU#i[•¹Ü˜ókAº§ž˜
+¾P(Å& L®©§&à™`Â稙þ˜£­á
+?6`³<söÔq¿qÁâKNÿ¢@C+žsê^ÎÌo.Þ÷³Å"ÏÅE}”0Õó©áÅœ¬ݦ5F;Ž
+—%^G¦ð8Ê‹`øûÕ%çÿ^_'kendstream
 endobj
-902 0 obj <<
+957 0 obj <<
 /Type /Page
-/Contents 903 0 R
-/Resources 901 0 R
+/Contents 958 0 R
+/Resources 956 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
-/Annots [ 906 0 R 907 0 R ]
+/Parent 941 0 R
+/Annots [ 961 0 R 962 0 R ]
 >> endobj
-906 0 obj <<
+961 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 463.1122 539.579 475.1718]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-907 0 obj <<
+962 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 451.8246 133.308 463.2167]
 /Subtype /Link
 /A << /S /GoTo /D (diagnostic_tools) >>
 >> endobj
-904 0 obj <<
-/D [902 0 R /XYZ 85.0394 794.5015 null]
+959 0 obj <<
+/D [957 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 38 0 obj <<
-/D [902 0 R /XYZ 85.0394 570.5252 null]
+/D [957 0 R /XYZ 85.0394 570.5252 null]
 >> endobj
-905 0 obj <<
-/D [902 0 R /XYZ 85.0394 541.3751 null]
+960 0 obj <<
+/D [957 0 R /XYZ 85.0394 541.3751 null]
 >> endobj
 42 0 obj <<
-/D [902 0 R /XYZ 85.0394 434.1868 null]
+/D [957 0 R /XYZ 85.0394 434.1868 null]
 >> endobj
-908 0 obj <<
-/D [902 0 R /XYZ 85.0394 406.5769 null]
+963 0 obj <<
+/D [957 0 R /XYZ 85.0394 406.5769 null]
 >> endobj
 46 0 obj <<
-/D [902 0 R /XYZ 85.0394 301.1559 null]
+/D [957 0 R /XYZ 85.0394 301.1559 null]
 >> endobj
-909 0 obj <<
-/D [902 0 R /XYZ 85.0394 276.6843 null]
+964 0 obj <<
+/D [957 0 R /XYZ 85.0394 276.6843 null]
 >> endobj
 50 0 obj <<
-/D [902 0 R /XYZ 85.0394 200.1512 null]
+/D [957 0 R /XYZ 85.0394 200.1512 null]
 >> endobj
-910 0 obj <<
-/D [902 0 R /XYZ 85.0394 175.6796 null]
+965 0 obj <<
+/D [957 0 R /XYZ 85.0394 175.6796 null]
 >> endobj
-901 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F21 658 0 R >>
+956 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-914 0 obj <<
+969 0 obj <<
 /Length 2458      
 /Filter /FlateDecode
 >>
 stream
 xڥ˒ã¶ñ>_¡[4Uš
-Yþýî×ßÂU	üù.TžÅ«LÂ@ä¹\5wQ¬‚8RÊCê»ç»Œg«n뢤DH•ÈQIµ$ª8K(ªwp9®‹®ý†òe8j[u-
O{s¼ÙÚÐÔîyp8V�>žiÒèÞš÷æøêÇ•íM½ãqO_ÍhÖèÚîö0^·³†y væHƒ’Yé˜ Û <á¯RFûª,a3(¤zò8–îªÌ6"
z]_ô«âhý¹5´<ô<ØuÈ_ƒ‡·[	H‹1Ê�!$2
-ëÖòT„
-‚>a·£ßÑÉå£-}ùÞý©àÓA"U¾x¬Û\wÝ·á°dý)^Üï¤`êðIxåº2­í6ð0
-¢,‚Ì&Ò W2%ÿ¿Ïåô£’l]5ÞÇ
rϸn&
™òšAÜÕs¨q;
-G·{¦Â
-jÛÓ
-ú.X�êïè÷�/Ž�'·Ÿ+`cÚ¸˜‰F¿r¤rrÙ(œóíl–(ÊG¡ã™¼¡cp€IÕZÈ/–?r鼿3ÎA"Á6�wÕ«€½0UohN`K½UnP*yí"¯Æ“2çâoÒ-ÆAžÇÙ•ãÌó›¯0ÕõÞgúsÛµç¦z�†€â U07'*fÒumÚªERR�aò*Y+Nûª`,M%Ü’`�>…­™#Y]µ†Qª–¾Ö3À–ˆ»èüñ„IP0a×…ÑT1¥\1e¨pKFå‚Ç‚ÍmÏW)}sÇëªgä^8þeôi¬‰7›_¨&&@(Mí£SßwEfW^×
F<òAspƒÂÌ¡^vS)q‘ý!Ï	1«è¡°àZâ§îxÒÇeó?놯d"	ÅÜd&U˜ø€˜ÌBqº.;ç–¸ÞYôV¨2¨HJf9&,Ô««Cm,Ïn¢d„ÆT"c¦�ù”Ñt‡ñY)Ÿn—ªì|ÒhŠ¯(›¥T
-�i�â;.Pw…°s7¨ì@Va$ê÷´DF…Þ˜óY€GZF£éKõê‰÷•]ÌÝÎ\‰)ZˆÂÒì²ÖEC•(_=HyrZ~DŠ­áefkŠ(Å6Ýá’P£0-$æçÔ
—‰µWìDh¢‰‰vh¶d¹×"o�èB­#®bê<‰&dg°¬[Ìx†ÙeÇêÞKÔØá¹}¾#Elr|¨¶uÏ«]|3–ϲ{ŠÃËÞ¡ýQcLÖÇÂ�JÍý
’<_±Z0F~tmŒ0Öºå’ñ+‹áE%\�!¥yNb<[:·;_�6IÁÔ~�Lô¥ÊO½U>Nšš÷ÿþÂÁÌ· ®CO8«Þ6åÔp…õ	êâêàŸ¾tµùÓ]{®x|zO#ßzͺŸ4dq#°jà Ý*à MïD7ÃE­SzHJgoO0¦J
	tžþ ”b„[@X¬õ«¹ÚÀiçfG»XGM	ƒ»µÙ³–K9*œæ�ÞØ�] õõì·FW5ìÇîd¦ÌI蓹õȹäW9œ6´6¬=M�»Ã:·Þ¾ËÆ%ÒŽ�Ûªà	9=lá»~Ý[½µUÌŸR®åXw/c|ÏpÛA¡”Ä‹I¥EÆ©#Í}¥� ]¾êÖê4‚¸@’bÿ–A€aØÞ44êÚË×ëWw/ãbmž»X›…ÎÓ—bgëŸf�NÎF“k
Ï_’IJF³Y®ìB©ü»ÑÅwöB³i–§¾Ês—`3„£ØÍ’QVäº=MnºOX,«C6¦ˆU¤Ì.ãíÔ�SѦÈ/1•ÞVueÏ$SBCÅCL
ÚCaå.§DãZFÎàK)I]Ù/€œ_Ñ1|žóç«£Ig8ºÐÙ‚v¯Ë÷<šé-W”Iòé]	@ì®wz]ª+chft¶ýð[
-ä4	Õ’BánUàhjU
-
e*Ñ�²€Ç,EJ¡¼Mq	9jÕäå/œÆGi²5—Žøy©Ö…¯¿«vzOÖSo9¯ÞøoÒþ!²ðOH8&ºÿû—éï§(
T–Éå¿TðA8Ê€3åRjxùÿƒæ–õÿ÷Å:êendstream
+Yþýî×ßÂU	üù.TžÅ«LÂ@ä¹\5wQ¬‚8RÊCê»ç»Œg«n뢤DH•ÈQIµ$ª8K(ªwp9®‹®ý†òe8j[u-
O{s¼ÙÚÐÔîyp8V�>žiÒèÞš÷æøêÇ•íM½ãqO_ÍhÖèÚîö0^·³†y væHƒ’Yé˜ Û <á¯RFûª,a3(¤zò8–îªÌ6"
z]_ô«âhý¹5´<ô<ØuÈ_ƒ‡·[	H‹1Ê�!$2
+…>°®Á€º}á’`
2™#Xô
++x¨mO+èG¸`=ª¿£ßw¾8tž@Ü~®€�iãb&ýÊy�ÊÉe£pη³-X¢(…Žgò.„ŽÁ
&Uk!¿X2üÈ¥óüÎ8‰Û0,@ÞYT¯öÂT½¡]8�-õV¹I@©äµ‹¼.OÈXxœ‹k¼I´ygWŽ3Ïo¾NÀT×{ŸéÏmמ›nèAŠƒ`TÁÜœ¨˜I×µi_¨II	@„É«d­08í«‚±4}XH”pK‚5úL¶fŽduÕF©ZúZÏ
+3‡zÙM¥ÄEö‡<'Ĭ¢‡Â‚k‰ŸºãIK”Íÿ¬>¼’‰$s“™Taâb2Åéºìœ[âzgy`Ð[¡Ê ")™å˜°P¬®µ±<»‰’	GS‰Œ™BæSF[ÐÆg¥@|º]ªJ°óI£)¾¢l–R
HE„cñÒáÍ‘*š8~±È$
+K³ËZ!U¢|õ },ä-T\Èiù)¶†—™M¬)¢Ût‡KBaŒÂ´�˜ŸS7`\&Ö^±¡‰&&Ú¡Ù’å^_ˆ¼=¢µŽ¸Š©/@ð$.˜��Á²n	0ãf—«{/Qc‡çöùŽ±Éñ¡ÚÖ=¯tñÍX>Ëî)z/{0„öG�1YC*5÷Hò|ÅjAÀùеa0ÂXë–KƯ,†•p=†”Fä9‰ñléÜî|uÚ$1Sû52Ñ”*?õVù8ijÞC@üû3ß‚ü¹=á¬zÛ”SsÀÖ'¨‹«ƒNøÒÕæOwíi¸þáñé=�|ë5ë~Ò�Å�Àª�ƒtk¨€ƒ6¼Ý]´Né!)�½=Á˜*5$Ðyúÿ�PŠrl
a±Ö¯æj§�›íb5%îÖfÏX.]äü©pšwzc4v�Ö׳Ü]Õ°»“™2_$¡OæÖ#ç’_åpÚÐØ°ö4uîëÜzû.—H38Bn«‚'äô°…ïúýuoõÖV1J¹–cݽŒñ=Ãm}„R/"$•§Ž4÷•>‚tùª[«_Ð@âIŠý[
†a{ÓШk/O \¯\iܽŒ‹µyîbm^`8O_Š�­j˜=:9M®<uH&)!Íf¹²E ¤òïFÜÙÍv¤Yžú*Ï]‚ÍŽb7KFY!�ëö4¹é>a±¬zÙ\˜"T‘2»Œ·SCNE˜"¿ÄTz[Õ•=�L	
A05h1„u”»œd�kM9C€/¥x$ue¿
+…3¸U�£©U
Pk\‘;cpËÜÓ…à8~*”©DGÊR
 endobj
-913 0 obj <<
+968 0 obj <<
 /Type /Page
-/Contents 914 0 R
-/Resources 912 0 R
+/Contents 969 0 R
+/Resources 967 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
+/Parent 941 0 R
 >> endobj
-915 0 obj <<
-/D [913 0 R /XYZ 56.6929 794.5015 null]
+970 0 obj <<
+/D [968 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 54 0 obj <<
-/D [913 0 R /XYZ 56.6929 717.7272 null]
+/D [968 0 R /XYZ 56.6929 717.7272 null]
 >> endobj
-916 0 obj <<
-/D [913 0 R /XYZ 56.6929 690.4227 null]
+971 0 obj <<
+/D [968 0 R /XYZ 56.6929 690.4227 null]
 >> endobj
 58 0 obj <<
-/D [913 0 R /XYZ 56.6929 550.0786 null]
+/D [968 0 R /XYZ 56.6929 550.0786 null]
 >> endobj
-917 0 obj <<
-/D [913 0 R /XYZ 56.6929 525.2967 null]
+972 0 obj <<
+/D [968 0 R /XYZ 56.6929 525.2967 null]
 >> endobj
 62 0 obj <<
-/D [913 0 R /XYZ 56.6929 393.0502 null]
+/D [968 0 R /XYZ 56.6929 393.0502 null]
 >> endobj
-918 0 obj <<
-/D [913 0 R /XYZ 56.6929 363.1913 null]
+973 0 obj <<
+/D [968 0 R /XYZ 56.6929 363.1913 null]
 >> endobj
-912 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R >>
+967 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-921 0 obj <<
+976 0 obj <<
 /Length 2095      
 /Filter /FlateDecode
 >>
@@ -2716,212 +2878,214 @@ fhWü(½¾YhovçåvlŒ25©,*Yݳ÷›¦¿ªîÄqˆ�jØ|SüÍ‚Ø{©uÏ•cq�À]#Xg±¬,ÕI’Êøߨ	´8Í
 dXõcsý.Û~¸ý¿ Šç•‰×:%<ä7IE”èÚ–Ø’ª2yÑT
 hZvýxªY/ý‘áÝN6“dy 8xp]Óc~{î0¨”~‚’$¡½„3×|Ó$ý$ÈR¸2Æ/{ë³ý4±ò�Õc¯ÕW¹aµ¤ôó,ÎXT¦JP¶Ø¶ÖVDÙ6
 ^AÁ³"r�
-DŽ49œvDü¹„šný~¹� æÒû/å¢õ>ÉÃP©_¬MËZç¹—ù
+DŽ49œvDü¹„šný~¹� æÒû/å¢õ>ÉÃP©_¬MËZç¹—ù
 ÜѸU‚>Gy%â*哦�tð–RW8
 Ÿ¤IhsÜ]W‰y
 Õmíš™Q‘‚z
-â~ó
¯	fÙ"‡èâ9Lt¨ž¹£j¡	mK(ÈÏbµ
+â~ó
¯	fÙ"‡èâ9Lt¨ž¹£j¡	mK(ÈÏbµ
 endobj
-920 0 obj <<
+975 0 obj <<
 /Type /Page
-/Contents 921 0 R
-/Resources 919 0 R
+/Contents 976 0 R
+/Resources 974 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
-/Annots [ 927 0 R 928 0 R ]
+/Parent 941 0 R
+/Annots [ 982 0 R 983 0 R ]
 >> endobj
-927 0 obj <<
+982 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [519.8432 268.1131 539.579 280.1727]
 /Subtype /Link
 /A << /S /GoTo /D (acache) >>
 >> endobj
-928 0 obj <<
+983 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [84.0431 256.1579 143.5361 268.2175]
 /Subtype /Link
 /A << /S /GoTo /D (acache) >>
 >> endobj
-922 0 obj <<
-/D [920 0 R /XYZ 85.0394 794.5015 null]
+977 0 obj <<
+/D [975 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 66 0 obj <<
-/D [920 0 R /XYZ 85.0394 769.5949 null]
+/D [975 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-923 0 obj <<
-/D [920 0 R /XYZ 85.0394 574.3444 null]
+978 0 obj <<
+/D [975 0 R /XYZ 85.0394 574.3444 null]
 >> endobj
 70 0 obj <<
-/D [920 0 R /XYZ 85.0394 574.3444 null]
+/D [975 0 R /XYZ 85.0394 574.3444 null]
 >> endobj
-924 0 obj <<
-/D [920 0 R /XYZ 85.0394 540.5052 null]
+979 0 obj <<
+/D [975 0 R /XYZ 85.0394 540.5052 null]
 >> endobj
 74 0 obj <<
-/D [920 0 R /XYZ 85.0394 447.7637 null]
+/D [975 0 R /XYZ 85.0394 447.7637 null]
 >> endobj
-925 0 obj <<
-/D [920 0 R /XYZ 85.0394 410.3389 null]
+980 0 obj <<
+/D [975 0 R /XYZ 85.0394 410.3389 null]
 >> endobj
 78 0 obj <<
-/D [920 0 R /XYZ 85.0394 348.7624 null]
+/D [975 0 R /XYZ 85.0394 348.7624 null]
 >> endobj
-926 0 obj <<
-/D [920 0 R /XYZ 85.0394 311.223 null]
+981 0 obj <<
+/D [975 0 R /XYZ 85.0394 311.223 null]
 >> endobj
 82 0 obj <<
-/D [920 0 R /XYZ 85.0394 189.9853 null]
+/D [975 0 R /XYZ 85.0394 189.9853 null]
 >> endobj
-929 0 obj <<
-/D [920 0 R /XYZ 85.0394 156.0037 null]
+984 0 obj <<
+/D [975 0 R /XYZ 85.0394 156.0037 null]
 >> endobj
-919 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R >>
+974 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-933 0 obj <<
-/Length 608       
+988 0 obj <<
+/Length 605       
 /Filter /FlateDecode
 >>
 stream
-xÚ¥TKs›0¾ó+8Š™ ê�@:&I�'ài;iŽ‘S¦¹<’æßW aÓÆ9uFûüv÷v‘~°ËB
-"ÜH�!ÌÜÍÎAî³ö];ØÆøc�?�ºÈœOW4r!	Ýl;ÁâqŽÝ,
-@6¿½6¦ô[šÅ‹Ôó©0˜}>_fqb\Ä]Ìom~§w«d�ÚýjžÄ‹ø6K½ÇìƉ³ÃÓ91¢ý
+xÚ¥TËr›0ÝóZŠ™¢ê�Œ´Ìƒ¤îŒÇài;iŽQ¦QIó÷HÄ$qW†A÷utî‘.`óÀgh&©‘Ç„ƒÝÞÃàÁÄ.=âr‚1)˜f�¦Þç
‰äŒÎ@z?ÁA@šÝ@Š8ò
†ÉfµºZû,‚i|î”cxµŠ×'~Ât¾¼´®äG’ƋĘ	<ûr²Jãµ
Qt:_ºúuœ\mÖgñh]oæëx/ÓÄ¿M¿zqúÚôO‚YßÀoïæƒÌ´ûÕÈIÁÁ³10"RR°÷BÎ=…—xׯ€“èPzT7‚e3zD8J
+4‹$
+ó}å*!²á]�ÖÑUA«ƒlÛ*kyÓÚË54<ªàmgvd¦gíTúä,¥ì¢}Tã�?9_¸ûÿcZ8^¾Klue…zR…]fù •Úµº~±®�Û´î0lÒqÐÝPµS#HÓÖù]ךÃ@ÿ;ÆQ?+G†Ä¼îPÿ{$ÿ©0BLz˜¶éTÐH PGª—œÐÌÇÙýHý/š�@endstream
 endobj
-932 0 obj <<
+987 0 obj <<
 /Type /Page
-/Contents 933 0 R
-/Resources 931 0 R
+/Contents 988 0 R
+/Resources 986 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 886 0 R
+/Parent 941 0 R
 >> endobj
-934 0 obj <<
-/D [932 0 R /XYZ 56.6929 794.5015 null]
+989 0 obj <<
+/D [987 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 86 0 obj <<
-/D [932 0 R /XYZ 56.6929 769.5949 null]
+/D [987 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-935 0 obj <<
-/D [932 0 R /XYZ 56.6929 744.7247 null]
+990 0 obj <<
+/D [987 0 R /XYZ 56.6929 744.7247 null]
 >> endobj
-931 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R >>
+986 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-938 0 obj <<
+993 0 obj <<
 /Length 1222      
 /Filter /FlateDecode
 >>
 stream
 xÚÍWI�ãD¾÷¯ˆúäH¸âZ¼©OÍ°‰Hs`8Tìrb�SeìrBƒæ¿ójs6sà
-©Ç¥·†EòS€Š2Of=§&ü¡W.tÀLFXôÚyÉß'1´¦÷fÓ¸<Žn§&=Z|KÁµ½áDnãÖ
[;ÑiteL-dçÞ^z@3Š Ñr0¡sSùØò¶Ð°´@EžQ/ëph‘@#†I¨„ƒÜkg+¡Û“€:cŒ£¯&L0À3LDc‚o`Â=æÕÔÕn¹ó"¦iâ$ü©ÏÍZ™Z}!W‰37µu£VDS' Ðò‡4A¤L\û6è@{{VnZ&ÜvœvR˜ò›ÍÙžÛñàVÚkÙRºåÜX³iuD·°qÅâUwñwñð—{à’ œˆ¡dCØËía~}øée	”®[³M#AJTyy+W·´@Aÿ­äóFèjc†£Þ=æ0Tè½>Ú˜ÍEq)·+\]gR½
=^Œl9¯ËσØÚ»Ç
-ÿ¨2ûù@[ –¤('ðVt„(þ°	F—7¯€ÑK‚sTRRx;Ö›#<鹎{žëøIÜý7¸Pé´«Õqþ›ð™˜1t6Ihb–{â^Ž­(áÏ!½Žm‰CÁe
-5€B=—âÿëÄæ�/n¸GÂä^xÞ`W>¾QAF?°9¯ª™Ù;ëƒû9âãòíÊwÁ®|»�0«ðœIª
Ÿ:½äÊ0
£•0ö1¦ÿ˜SM™^ÿ^r0m%©ßÑ1¡¨Ä	ûOèøéÛíü•¾]hŠÌ—ÐÒwP‰/2î#èñ4ÉPAÊ<2yazïmþ¤zt÷7¯Ì™øendstream
+©Ç¥·†EòS€Š2Of=§&ü¡W.tÀLFXôÚyÉß'1´¦÷fÓ¸<Žn§&=Z|KÁµ½áDnãÖ
[;ÑiteL-dçÞ^z@3Š Ñr0¡sSùØò¶Ð°´@EžQ/ëph‘@#†I¨„ƒÜkg+¡Û“€:cŒ£¯&L0À3LDc‚o`Â=æÕÔÕn¹ó"¦iâ$ü©ÏÍZ™Z}!W‰37µu£VDS' 0|‹Cš R&®}›
ô ½=+·-n;N;)LùÍæìÏíxp+íµl)Ýrn¬Ù4ƒ:¢[ظbñª»ø»xøË=pIÎ
+ÄP²!ìåö0¿>üô²J×­Ù¦‘ %*Š¼¼•«Û
Z  ÿVòy#tµ1ÃQïž�s*ô^
mÌ梸”Û®®³
+©Þ†/F¶œWˆåçÁ¿
líÝc
+q/ÇV”ðç�^Ƕġà2…¿@¡žKñÿ‹ubóÆ7Ü#ar/¼o°+ߨ £ØœWÕL
�ì�õ…Áýñqùvå»`W¾Ý@˜UxÎ$U‹†O�^re˜†ÑŽJûÓÌ©¿¦L¯
+/9ƒ¶‹Ô�ïè˜PTâ„ý'tüôívþÊ	ß.4EæKhé;(ˆÄ÷t�xšd¨ e™¼0½÷6R=ºû*Š™Üendstream
 endobj
-937 0 obj <<
+992 0 obj <<
 /Type /Page
-/Contents 938 0 R
-/Resources 936 0 R
+/Contents 993 0 R
+/Resources 991 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
+/Parent 999 0 R
 >> endobj
-939 0 obj <<
-/D [937 0 R /XYZ 85.0394 794.5015 null]
+994 0 obj <<
+/D [992 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 90 0 obj <<
-/D [937 0 R /XYZ 85.0394 769.5949 null]
+/D [992 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-940 0 obj <<
-/D [937 0 R /XYZ 85.0394 575.896 null]
+995 0 obj <<
+/D [992 0 R /XYZ 85.0394 575.896 null]
 >> endobj
 94 0 obj <<
-/D [937 0 R /XYZ 85.0394 529.2011 null]
+/D [992 0 R /XYZ 85.0394 529.2011 null]
 >> endobj
-941 0 obj <<
-/D [937 0 R /XYZ 85.0394 492.9468 null]
+996 0 obj <<
+/D [992 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
 98 0 obj <<
-/D [937 0 R /XYZ 85.0394 492.9468 null]
+/D [992 0 R /XYZ 85.0394 492.9468 null]
 >> endobj
-942 0 obj <<
-/D [937 0 R /XYZ 85.0394 466.0581 null]
+997 0 obj <<
+/D [992 0 R /XYZ 85.0394 466.0581 null]
 >> endobj
 102 0 obj <<
-/D [937 0 R /XYZ 85.0394 237.1121 null]
+/D [992 0 R /XYZ 85.0394 237.1121 null]
 >> endobj
-943 0 obj <<
-/D [937 0 R /XYZ 85.0394 206.4074 null]
+998 0 obj <<
+/D [992 0 R /XYZ 85.0394 206.4074 null]
 >> endobj
-936 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+991 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-947 0 obj <<
-/Length 1859      
+1002 0 obj <<
+/Length 1860      
 /Filter /FlateDecode
 >>
 stream
-xÚÍËrÛ6ð®¯àøDÍD0^$ÁæäÄvêL⸲RO'Í�"!‹>’²êvúï]<HQ2e»­gÚá
`±Ø]ì“ÄÁðÇó‘ÒÐ	BŽ<L<'ÎGع…½w#bq&-Ò¤�õf6:>g�¢Ð§¾3[ôh	„… Î,ùâ2ÄÐ(`÷òäãÙxB=ì^ŸMÇžçþƒžº:›žŒîÎ.>]^�'
¹ûöÇ“«Y‹ñ4�·Ÿ.Ï/Þ}ÞÒ�½�Í:)ú’Ì”ßG_¾b'
�ß�0b¡ðœ
L0"aH�|Ä=†<ÎX»’�®G?u{»úè æF”ùtHuá�ê¼ùŒ2­ºßËBŽ'>ÆîFÀ
PZL¢$©PT­¢#³÷‡Ô¡!"€'"…žG5�æ~e	äQÝÈêµFÅ»H‹4koÉÊ8Ê–eÝ JÞía›ç,Ê&]Üü¢4(“ÁËÿ¼íøØœ½±wF•šå«®eu׋Òò·(_eÅe>ÄaOk=Ì—WV�8JæÃÚj¥½¸²ÒÂÛɺ–µ™–+fÝɾÄv?ʲr#« ÒŽUTÔù”2¿šÂd÷È#: !EÄ<„
-Ô"xÈcÏxüçYyÜ2¢JÚ7‹â=¡�¾iìbÿóÐŒŠÐ·Ž]úhþíèQس�]ûØí�ŸÐ7Xu+žz¯L_›¥ïEzïu|N‰C8b„,¸È£ˆ’Іy:ž¤>”QbBò›(‹Š8-níqÖxpš
-ä¡	u'ã	ž»ªÒ<mRõÎj
-o›HiB�™&® yG\O㨰ëöl/Sy'-vjwu”QÀ©Ê3ÿތ뺣•¯³&]e³áʸÔcR›Å_±‡ëu¼´wÕƒªïÈ(eœ˜a�Ð!fCÛ±´�* ˆr‰:Â

-
4ás�*Xëü¯`R7]¨UîÞ—câ®
¼Ô>£p›¥¹Zš�››³Þ5Ù¤ÍÒì²Ù”Õ7³¬ŒR6¡Kí—³ETf‚Üdy°SjωÁ¶ËìÕ`Œ%bŒ4Ðo
ãCÅ+,£t€"½Ò>),,JìÌ+Â4—ôØ,#K;ÎRY4vy“f™].‹BÆGZ5ʨ½*WÆTØkÊh–©aÍðѲ­ø�²IsùÃ~M@Ú0u˜Oó9yVQB ìBì%ÿìTËG/ŽäÀœÃ@Ë‚­t»¤&­LÆCÄqØ<;þ/ÂÜgƒ†ž¯ut	?žpÁˆ;›}PøîÛ'×ÊWy@ÝÙ/WPþqB}w*ër­õ[™v¶bæÊG§Ó­‡�FM´ÿ
-ß×
-ÞƲƒZéÝ÷²ZyQ7$ºMñžÒ
-dŠx¦VØa­ôî{)­l;¬ÿ":RL� 8b ¸À¸AÛê=hùh
-€¬SËþ‘.oBff¾ï¾¹¸<5û6íµ˜e5²#’ÛÛUæîÝ¿*Û�
î–Ÿû–²*ÚÝ�ùAJ§A¨k35FfH Ž�]Õ®(ä¢Q%”E挄ڦR->‚‹Bá^ØÚؚȒœ—wº<Á6õ«
£Ak””yvog†A©KÐÞÂ0ÇÝ¥-s•á•Ö9ô•ý—ñÚŒÝÜŽÄ®›ª©¿aGªd&ØýºYÙÊ+@ëÚ¦Dà΅˜Ví©]™úkͺ*d²ÇF’ÖqÔÇí¨Zãhº*•BÃÑ«RÁrs‘4³D6Qš¸Tzät«>]¼Ñ³ƒŠS‰Ï¡Ä_ªÇ�¿kaº+Ù:%D!â3ÚÞ*¨*'e•˜æhß1ò|Á,n½ž×Êrcrp…~æƒW	h_0åöt¹jR`và检ᖣî
--”ªzå¡U$äÈ×™ÀìT·Ž
¦C¿æ¶Ø‡C�ÅQ|L§ºÞÖßúÚßã…@ŠczÌ<xΣ<ìSRL ¡¾r�©ï¡~ž!_´ý�hûKS$ê_€ö7€b%«¨ÿ¤Ë*¦Ûd~÷O’Xr³1!Ä-ˬÞëÃ>·Nt3f�k£¾ñóqÉÌz¸á…™g‹Î–©îBB°€Xñm&‰¬ã*�ëðŽì
á(3{i
ž¸’EÍuoªÐÓ趀h�Æ*ÊSÕ©åi‘Ö�ÒÅ�E2±
+xÚÍËrÛ6ð®¯àøDÍD0^$ÁæäÄvêL⸲RO'Í�"!‹>’²êvúï]<HQ2e»­gÚá
`±Ø]ì“ÄÁðÇó‘ÒÐ	BŽ<L<'ÎGع…½w#bq&-Ò¤�õf6:>g�¢Ð§¾3[ôh	„… Î,ùâ2ÄÐ(`÷òäãÙxB=ì^ŸMÇžçþƒžº:›žŒîÎ.>]^�'
¹ûöÇ“«Y‹ñ4�·Ÿ.Ï/Þ}ÞÒ�½�Í:)ú’Ì”ßG_¾b'
�ß�0b¡ðœ
L0"aH�|Ä=†<ÎX»’�®G?u{»úè æF”ùt@uœ©Î‘Ï(Óªû½,äxâcìa,Ð
+EÕ*:2{(A"!x"BPèyThîW–@Õ�¬^kT¼‹´H³ö–¬Œ£lYÖ
ªäÝѶy΢lÒŽÁ/Jƒ2¼üÏÁÛŽ�ÍÙ{gTY Yî°jàZVw-¼(- ‹òU&Q\æCö´ÖÃ|yeõˆ£d>¬­VÚ‹++-¼�¬kY›i¹°bfÑ�ìKl÷£,+72±
+*íXEE½�O)Ãð«)Lv�<¢RD|�ÀCø @-‚‡<öŒÇže�Ç-#: ¤}³(nÑÚè›Æ.öß1ÍÈ }ëØ¥�æߎõ‡=Ùµ�}ÑùÉ
+šwÄõ4Ž
+»nÏFñ2•wÒb§vWGœª<£ñï͸®;Zù:kÒUf1«1®ŒK=&µYü{¸^ÇK{W=¨úŽŒRƉö¨
b6´+@Û¨Š(—¨# �Ñ@>ר‚µÎÿ
+f!uÓ…Zåî}9&îÚÀKí3
+·Yš«¥Ù¸¹¹1ë]ÀQ“MÚ,Í~!›MY}3ËÊ(õaºÔ~¹0[De&ÈM–;¥ö\‘l»Ì^
Æ(P"æÀHc
+g:+Â`ón™é‚W­|_Ë*UiXMtÕ 
+n9ê®ÐB©ªWúQEBŽ|�	ÌNuë`:ôkn‹}8ÔXÅÇtªëmý÷­¯ý=^¤8æñ Ç̃€×á<ÊÃ>%Åê+'Йú>êçòE@Û߈¶¿4E¢þhh!V²ŠúO@º¬bºMæ
1áwÿ$‰%7BܲÌê½>ìsëD7c¸¦1êÿ0§‘ÌÁ¬‡^˜yö·èl™ê.$ˆßf’È:®Ò¹ïXÀŽ2³—à‰+YÔÑ\÷¦
+=�nˆi¬¢<U�ZžiÝ(]ÜY$Ë

 endobj
-946 0 obj <<
+1001 0 obj <<
 /Type /Page
-/Contents 947 0 R
-/Resources 945 0 R
+/Contents 1002 0 R
+/Resources 1000 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
-/Annots [ 952 0 R ]
+/Parent 999 0 R
+/Annots [ 1007 0 R ]
 >> endobj
-952 0 obj <<
+1007 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [55.6967 190.8043 126.3509 202.8639]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-948 0 obj <<
-/D [946 0 R /XYZ 56.6929 794.5015 null]
+1003 0 obj <<
+/D [1001 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 106 0 obj <<
-/D [946 0 R /XYZ 56.6929 480.2651 null]
+/D [1001 0 R /XYZ 56.6929 480.2651 null]
 >> endobj
-949 0 obj <<
-/D [946 0 R /XYZ 56.6929 441.7923 null]
+1004 0 obj <<
+/D [1001 0 R /XYZ 56.6929 441.7923 null]
 >> endobj
-950 0 obj <<
-/D [946 0 R /XYZ 56.6929 373.7178 null]
+1005 0 obj <<
+/D [1001 0 R /XYZ 56.6929 373.7178 null]
 >> endobj
-951 0 obj <<
-/D [946 0 R /XYZ 56.6929 361.7627 null]
+1006 0 obj <<
+/D [1001 0 R /XYZ 56.6929 361.7627 null]
 >> endobj
 110 0 obj <<
-/D [946 0 R /XYZ 56.6929 167.4388 null]
+/D [1001 0 R /XYZ 56.6929 167.4388 null]
 >> endobj
-953 0 obj <<
-/D [946 0 R /XYZ 56.6929 126.8733 null]
+1008 0 obj <<
+/D [1001 0 R /XYZ 56.6929 126.8733 null]
 >> endobj
 114 0 obj <<
-/D [946 0 R /XYZ 56.6929 126.8733 null]
+/D [1001 0 R /XYZ 56.6929 126.8733 null]
 >> endobj
-954 0 obj <<
-/D [946 0 R /XYZ 56.6929 98.4089 null]
+1009 0 obj <<
+/D [1001 0 R /XYZ 56.6929 98.4089 null]
 >> endobj
-945 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1000 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-958 0 obj <<
-/Length 2706      
+1013 0 obj <<
+/Length 2705      
 /Filter /FlateDecode
 >>
 stream
@@ -2929,207 +3093,216 @@ xÚÕZÝsÛ¸÷_¡—NåéÅA°O—Ë%×ÜÌ%×ÄiÒÌ”– ‰w©);Îô�ïÀ$EJÎø©ã
àò·ËÅ~f3
 l¦SBE.gY.IJY:[ì®èl
Ï~ºbž&	DI—ꇛ«¿¾Ù,'¹âjv³ê`iBµf³›å§ùË¿¿øõæÕû넧t.Èu’*:ûâ—W¸ò
¥éüŸ�âå»·¯ßüôñý‹ëLÎoÞ¼{{�d4—ðæåwßýúêñ½ןo~¾zu¿¢û¥Œ
 û	\}úLgKøàŸ¯(¹Ng÷0¡„å9Ÿí®d*H*…+Û«Wÿˆ€�§îÕ1Í¥B“TólDuœ�©.͉\8ÕÙof„]'ŒR:ÿ±,ÖUÝ´å¿öæš16¯ëmc¿ðD�ήHγÜ!ÝlŒ'ê2e9¡)³²Zše¹
b’äRhOóÝŠ$Z$Ø€€c(9*ã%á’Í‹j9Çaw¸–ž´j¶uýûq?‚)SÐ>Ë<áþpÍô¼^Š]ðBÏ·bì$ŸÛ-®.êÝÎ2v“mYµN�ŽtUp
èŽðÞÎþ8šÃCY­qV;�ܘÃ�94ÄJ8KÏ@ëvž1’§)êÀM[–++ÕÊp^VøÛ´[ƒC”õ±Ý[ƒP»¢%'6MaÁÑ”ÎÁ¸r6(éRM›`¤êE—g¯hÁÏóD#<{vAÁ¼”LûL­µ&œfóe½+œ†¨M¡ʺ‡kÜñ½S%ÌÿMS:fäR°6ñ
VH1Ë™·A¢�µo7²›Ò¸]
 Ü5XÛoMëéëUhü’7h7vfq�çjþÆoŠÆÛR
-’S¡ú¶ÔÞ×׉ DYšæo׉d|Þ”–)®—UkÅ¢-ïÌ#!Žœiˆ%ΰçðš³oRÀ=“øEöÉmÑ.6C¨ûMͳ8¶¦ÁYÑ…³ßAûò£{�I›Ât� ÀŸmÙx«wÚ³Þa@ÛÅ'ˆì)+cÕ'�¿Øž>¯÷Ö\�ã��,¦iÊÛàt+4¦Îp»að-<·S„TÇ5xƒTD0H‡#ÞÀ •ÂxÌU¼@Šèbœú'£0–ê‘“ÕæǦX›I™„$"ÕêY2u00ãçc2ªàb‰+ûô=ºZÚu5‘­ÒÔ»FO$ë!E8¸­'û<ŒÊû5†ŠS Ɉ–"
-Üx"âÂ×dU“
-¨€©¾PÕt©¦«šHÕ­R»LmÈ“T©ó\#Õ[1ŒÂ–Å=¾Óe8“ü|ÍÁ�iŒ‡G(<ÊÖU¦éÜìöP3”×lþÕ4¸ä¬¾\D_ñJHºÎ`ɬ€SØJÓùžxiVÅqÛÚÍPµ¸º¨+0ë¶Á·nM{oL…�6XÁ²-‹}õ"¡gR”‡Xƒ
-ˆöÆ)•ñÆY,—hÖMc‚Ñ݆ҷl½u®ŽÕšeá?Ýšo°£[o¡æKkª¥Y·n7g>‰
ÞÔ'{J9¡
-vòI´‹1�Ø#ÕÅÄ.sP.tIÏ‘©‹1�Ø#U4MïIñr¹­ÍÍý]ˆøÉb,�ð{-Cv›Ê�<‡&r˜B’·ˇjY·“x±)�€íEÀ‰ÄßÏ\ï_—ñÊ��>î	IÎC¾�„¼­‰Ê¹ì'îƒi¥ižŽ½»(îj[¬Ç>‚^¦ùOÆ‘+Ðzˆµ×4�‚dyD¿X¡}[ÉØ/xšð¹ÿ¯Éu:;è4ÚûÓ²«ä™=j’ç³k—j:»Fªá™M/Ãr
ýlÆÏsŽTX3H¬LÃNò>=/Ò:çE¶ËNx&°Ÿ¶ƒÐO‹4ë÷Ðö!nªºJ:OmêÔ>�ué±Qvon·õ}àµñ‹�…˜&UN˜à|Ðã;‘2["BVwÝ,Ìü™Œ¼@�s쩳ìÑfá™3[X+nk—JaxËÅ¡¬�þ=kM~è?Pù’Õ¯"®Šíðí¸TàŠwXpNA{�?&,„9º�ðŒ\÷žÍßöÕŠ„^‰@ëÎa`ô¶Ä‘“ž‰`é·cãG>Û‹ 2˽OÌÑÅA³@ÌæƯœ�‡c
-Ø¿±C_ñXgîUú“U„È8äAö¬*¢‹1]EDª‹U„P”¤\=ëÈ¢‹1]EDªž‹úÜ�á�Ù„ñ©†Z
-"U·FNÚ:Y•á¹ßújÂhpôÿ"ŸÄ³C×ù<ž Œ¦*ï%‡¾gë<%ŒœQ¯±$Ϊ–¸p¿q•qN!Zà
-ž=­�¶ámºKj
ðí1&Ú/L|)ŽoÌ:œ9{fغÂÈÕÀ¹+q—îsÄpÑ\£ˆ*VÆ–1å4ë¾ÀH‡.˜;ï…éæa�)ŠüŸäÏþØÔÒ8gë‚7ú‡å%l$·èu$xpŽ¢«Në0b:�Ä 3ãO@£A…™œ“äv�Nâ‘ài8ý„‘Øþb<²#T¨¹�\yfvÉ»Âïc×cg=aÙª‡+·Tãï­b](°¶®dù•£Q7˜–†
þ¢šað¸åöig[\G¨ý�
-<Cug*0‹›9xË?Ý›Ei‘Í��ßUù}�¨.Õ`ç¤ïO-ƒ13~Â>:º�V_Ó…ýuͤ ÜÐ?:Ÿ‘‘ÄnÒªXø7ñ«˜9ªÖ^
-!-h¢�è¾Þ®ÜšMqWÖN"{�ÎõüÞ#-½UíiÏÁ–(†/‡ßÛíZG®Ì4Éd,Ï•@P2©,ôYþàüccƯá4Ð~Ù
­)–d,a"·­­²IŒ(Édç~“ûûÍË]Y�*E¨
-=Ï‚PVx–%�ÿªt*úÿ
+’S¡ú¶ÔÞ×׉ DYšæo׉d|Þ”–)®—UkÅ¢-ïÌ#!Žœiˆ%ΰçðš³oRÀ=“øEöÉmÑ.6C¨ûMͳ8¶¦ÁYÑ…³ßAûò£{�I›Ât� ÀŸmÙx«wÚ³Þa@ÛÅ'ˆì)+cÕ'�¿Øž>¯÷Ö\�ã��,¦iÊÛàt+4¦Îp»að-<·S„TÇ5xƒTD0H‡#ÞÀ •ÂxÌU¼@Šèbœú'£0–ê‘“ÕæǦX›I™„$"ÕêY2u0œLrT¦@\,Q`eŸ¾GWK»®&R¢UšzWÃè‰d=d¡·õdŸG€‚Qy¿ÆPq
+$ÑR O#@)ɳLyg=Iû°7#X�œ³,ÕQ(üÊ1Ù ®{˜‹mÑ4# *%Y*ä
+›Ai:ÿÁ/ͪ8n[»ùJ WufÝ6øÖ­iï�©ðÑ‹"X¶e±¯^$ôLŠòkP
ÑÀÞØ"¥2Þ8‹åͺiL0ºÛPú–­·ÎÕ±ZX³,ü§[ó
vtë-Ô|iMµ4ËàÖífàÌ'1À›údbO)'TÁN>#‰v1¦{¤º˜ØeÊ….é92u1¦{¤Š¦‰á=)^.·Õ¡¹¹¿?YŒå
~¯eÈnS9�çÐDSHòöbùP-ëv/6¥°½8‘øû™+âýë2^¹3ÐÇ=!ÉyÈ÷#��·5Q9—ýÄ}0í¡4ÍÓ±wÅ]m‹õØçCÐË4âÉ8RcZ¯±¶ãšæ‘B�,�è+´o+ûeÏA3>÷ÿ5¹Ng�F{Zv•<³GMò|víRMg×H5<³éeX®¡ŸÍøyΑêk‰•iØÂIÞ§çEZçá¼ÈvÙ	ÏöÓvúi‘fýÚ>Ä̓AUWIç©M�Ú§³.=6ÊîÍí¶¾¼6~²Ð
Ó¤Ê	œz|'RfKDÈê®›…™?s‚‘w
hàqŽ=u–=Ú,<sfkÅmíR)ï`¹8”õÑ¿g­Éý*_²úUÄUQ ý
¾—
+\ñN
+µ#÷‚+ÏÌ.¹cWø}ìzì¬'¬#[õBcå–jü½õO¬ÖÖ•,¿r4êÓ’À°Á_T3·Ü>íl‹ëµ?P�gè£îLfq3où§{³(-²²ó»
+#¿UÃ¥ìœôý©e0fÆOØGG÷ãÑê‹aº°¿®™´”úGGà32’ØMZÿ&ƒÃ`3GÕÚK!¤M4�Ý×Û•[³)îÊÚIdÒ¹žß{¤¥—¡ª=-â9ØÅðEàð{»]ëÈ•™&™Œ%â¹J&•…>ËœlÌø5œÚo8Ó�¢¡5Å’Œ€%L䶵U6‰%™ìÜor¿ùb¹++På¡ÀSï8±;{?\ëÙZx[<„B<ø­YÇk…}qhû×ñÌ
+ÏÒ¡äñ_•NEÿ…6_0endstream
 endobj
-957 0 obj <<
+1012 0 obj <<
 /Type /Page
-/Contents 958 0 R
-/Resources 956 0 R
+/Contents 1013 0 R
+/Resources 1011 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
+/Parent 999 0 R
 >> endobj
-959 0 obj <<
-/D [957 0 R /XYZ 85.0394 794.5015 null]
+1014 0 obj <<
+/D [1012 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 118 0 obj <<
-/D [957 0 R /XYZ 85.0394 769.5949 null]
+/D [1012 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-911 0 obj <<
-/D [957 0 R /XYZ 85.0394 749.3395 null]
+966 0 obj <<
+/D [1012 0 R /XYZ 85.0394 749.3395 null]
 >> endobj
 122 0 obj <<
-/D [957 0 R /XYZ 85.0394 221.8894 null]
+/D [1012 0 R /XYZ 85.0394 221.8894 null]
 >> endobj
-963 0 obj <<
-/D [957 0 R /XYZ 85.0394 197.4323 null]
+1018 0 obj <<
+/D [1012 0 R /XYZ 85.0394 197.4323 null]
 >> endobj
-956 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R >>
+1011 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-966 0 obj <<
-/Length 3396      
-/Filter /FlateDecode
->>
-stream
-xÚå[Ý“Û¶¿¿BoáÍX>‚lŸœÄN�™Ú‰ïÒ´ãø�'RwŒ%R©;Ë“?¾»ø"!’’'éL;é܃Àår±X,~Ø]àØ‚Â[È„$Ï*‹‰¤L.VÛ+º¸‡wß^1˳tLË!×W·W_¾j‘‘,áÉâv=�•š¦lq[¼‹ä$Ðèõ󿿸^rI£›o¯¥Œþ
?úùÍ÷/Þ>¿VqtûêÍë›ë¥¢Y}ý·çßß:ŽË2¾~óúå«oìå\¿¿ýîêÅ­Åp¤Œ
-¯WïÞÓE
þ¥rñ”°,ã‹íU,‘±Ž²¹º¹úÁ¼ÕŸNY.–”HËÅRÄ$…þ§¸XB2‘HhO‰P 7K94dFÁEoül`ü”™erá¹Ðøu¾-‹åê¡\}øÔÔåõ2¡4z·,~ùõñ›÷îi…–úò¥iLÁ¼¡F(eµÉÛÖ0]òŒ¤©Ê,——×LÈF/�ÀæÐíÝ„Ä�ÍKì.J,ª}¹êšýqB¨ŒIÂ%;ú4!f	甩Œ1’IɯôUþ™JZÝ×;4¬,°ÆŒ¤±pR™ƉJTlžò}=!…’¡«¦”u^m@+67Õéé ë?á ÇþüÓ¤£ð”(šÆ¡£ü§‡û™ŠN¬_«”áÐkÿ’˜wb$É”JœåªM‰€2!)V$åT

- —ÅX²PT¥Ôôcy–&�rœMm1–i
-º¡»gqF“êlÿži¬@`XXï4S,Ðà¦ÚV›|‘�Qgñ/Ð;–„RæL}ËÏìÃ~Ò|Á[ôÐR¯ôo囧üØZqØîZCîJC3h�¤USweÝyÝÌçæ±Ý•«êgJyY 
-‹%§1á	eΫ™õjÊ7¥ÙfÑûã®Zå›ÍÑ�ªÚüæ槨Ö×,�ÖåL×@^7ûmÞ¡C“9÷HAÒKî1`šwÇ„ÚïëbuÚ£R„%2;Û£ã÷Ì',V"èñVÏBÊ#c�mÓÙg½z Å¢"rm¨8Cš³ÙÚx‡ŒŽÆ~Q»q�(Ä)A}<ü2#sgz¸ßç[C€ùkžZ£Mçn�mW:†b[ÕUÛísØùI»Ï”Æ(@;«Qmµ!,6»¤T8`Aã¨Y›ßÜü«*¢¶Ü?‚Û@
-uÖ˜HËÌïW_´Füê!¯ërc„o›¢çàõ¯ÖÆg1æK™„ wl¸ö×it˜RI(ˆüRyÁß84…Sû©êšƒEļ¶
-½Ñ
-ÓxÞB®3&r\¡�À	ålöÖgT�È M~7!E»òD]%�®¿Y1nE<VåÓ”.á‚%eö/
-þ}Þ–žklÌpŸÃè"KYhÍáÔ{÷¿¯˺ŸäÙ9Ž3J
-sÏ\Çð6ü½¾
-bXvÞ¨žklÕÐ/ j†¤�‡f½9´»·w!âè°+ò®lÍÖ„)KáOq¬ómµ2–2ᘰiRÝô¯L«²‚tAkiK‚Äâ´aª]˜§f½M×`¤Iýyjd¶–æÓVxh�òe�•	CĨã¼4R$xm}È­¤²¨:K6uÝ•æÕ6/ÊáS�K}ÙZ5–˰Ćc¡ajjl‡†½;â/C£AÎmíφ	µM Õí³I¾±µÊ­6?¶!A¾7LWó�h‹4ú¥9ìë|c\¨†œ�ugÛ#
-€¿±\¶4DÃy°ë{ɹ‹ù¸«CñAŸøàÃChk{
ç�}v¶G=1Øóó�ýÌ{>k˜oó®+·;=7ÜçÙœžÈ\ƒ}¬ZOÕfr­z8sÑ¿…µOe=‹_°0ˆL“ô<~
¹æñËsµò§yô
-å²ÿ+àåbÔ³í#Ù‘I§#ÙÀ¦/êüN;a’öØÅ“Ìx$sóØÏ»!÷^/-–‰$ÑX†ïë¦e(•ŒXæ L¤$NéÉ©d5À2å±L9,S¡.ðì±M
±
kô86�làíÙR�ø�-+W°0ÄÆ0a6Ô2;<SÃm>(ªöó)hÓP
+1021 0 obj <<
+/Length 3394      
+/Filter /FlateDecode
+>>
+stream
+xÚå[Ý“Û¶¿¿BoáÍX>‚lŸœÄN�™Ú‰ïÒ´ãø�'RwŒ%R©;Ë“?¾»ø")‚’'éL;é܃Àår±X,~Ø]àØ‚Â[È„$Ï*‹‰¤L.VÛ+º¸‡wß^1˳tLË!×W·W_¾j‘‘,áÉâv=�•š¦lq[¼‹ä$Ðèõ󿿸^rI£›o¯¥Œþ
?úùÍ÷/Þ>¿VqtûêÍë›ë¥¢Y}ý·çßß:ŽË2¾~óúå«oìå\¿¿ýîêÅ­Åp¤Œ
+¯WïÞÓE
þ¥rñ”°,ã‹íU,‘±Ž²¹º¹úÁ¼ÕŸ†,KJ¤Œåb)b’Bÿ!.–�L$Ú!
+ôf)‡†ÌH"¸ðÆ�ÙÀø)#2ËäÂs¡ñë|[ËÕC¹úð©©ËëeBiônYüòëã7ïÝÓ
+-õåK)Ò˜‚yC�PÊj“·­auÉ3’¦*³\^^�'$Œ^:�Í¡Ûº€Ä1›—Ø]”XTûrÕ5ûc@¨ŒIÂ%;ú
+³„sÊÔbÉɤä¿Wú‡‹*ÿL%­îëf_VXcFÒX8©¿„q¢[†§|_¤pA2tõÏ”²Î«
hÅæ¦:=dý'äÔŸ
+:
+O‰¢i<v”ÿôp?SÑÀúµJ½ö/‰y#I¦Tâ,WmJ”€¤X‘”S5Th½Œ(Æ’…¢’(¥Â{ŒåY˜4ÊqÚb,Ó
+¡~&�=Ÿ¡;Ðè顺fÑêÁ|üd‘À<国H‰¨n:«°™
+"¿T^ð7MáÔ~ªº‡æ`1¯-€6;\­ESûö©Bo4€Úî6ùq²‡6¿·ˆ¼-Ûþ!oÚêåý—	ÔBr€VL%”³ô¤#CS$véˆçÂáÿ¨�QIbÖ˜Àrùý*
EÌgHžËOÛ™Dr<Hg�ð­«ûPâ’ÈÅièØ^�-ä%róS‰»‹q)…‚½Q˜ìå/ÊûP†Òá¯Ì’ÏA-’†bÇ”p–±Ï�BÏÒñµe#„¼Á­Hc$F8ŠdiÖïØA0d‰��G�1PÁ¹ie— ‰À°±6¿f—õ‹³ªï'ËÓy²”÷²ÞÞ3gOCÎn™´¯—›&/&Ñ1"N
+þ}Þ–žkjÌñ>‡ÑE–²±5‡SïÝÿ¾z,ë~’gç8Î(
¼°
+†\ósì¹Ì¯! yMò(�=7É“´yvzþ˳C
+þä�o›W˜{æ:†·9àïõˆuy¦Ä_p�ñÇe|
œº]»=x4
	¤øÒ—Aÿî
+”¥ð§8Öù¶Z™K™pLØ4©núW¦UYAº µ´¥AbqZŠ0Õ.ÌS3�Þ¦k0Ò¤þ<52[Kói+<´Fù²ÀÊ‹!bÔq^
+)¼¶>äVRYT�%›º‰ŒîJój›åð�)È¥¾l­ËeXbñÐqjjl‡†½;â/C£AÎmíφ	µM Õí³I¾±µÊ­6?¶!A¾7LWó�h‹4ú¥9ìë|c\¨†œ�ugÛ#
+€¿±\¶4DÇó`×÷’sóqW‡âƒ>ñÁ‡‡ÐÖöÎ;ûì*l�zb°ççû™÷"|0Ö0ßæ]Wnwzn¸Ï³9=‘¹ûXµžªMp­z8sÑ¿…µOe=‹_°0ˆL“ô<~
¹æñËsµò§yô#Ê
+dÿWÀËŨg-ÚG²“†#Ù‘M_Ôù�vÂ$í±‹'™ñH æ江wCî½^Z,I¢±ß×MÿÊP*+±ÌA™HIœÒ“SÉj€eÊc™rX¦ÆºÀ³Ç65Ä6¬ÑãØ4²�·;dK=Fà¶D¬\ÁÂÃh„ÙPÈìðL
·yø ¨ÚÏBЦ¡
+À3¢MÙé¡J.£çî3®·ø±[
+ðVV4.&md#¦,C8à¦XÒ�oŒjxzšáwÓ
+¯ßܾzù¯Q�¶�KƒÎæ>KßbæjN?÷®3sï¸LîÓ×3G!˜Ö˜Ó={®i×ãš�ˆIŒw†F}ûÊ€HÜ©e¨
ÑoÿÐ6‘4ú�kpÝÐè†`(2w^šDEc¹KA<—«¶«êû^Æ°×ÖžPpó˜�¡ª4ÉL–Eby–â8Ž†ò�?–†fb+�­2qØŠß´æýÚÅA@¨©
57„õ
ðcZ—ä‚“8ñ§4Ã’ÕÈò‚AúêÏŸžœ¾ §‡ÿÌn8@ÎÍãÆì
úD
¨õa{gL±’iŽ‰“k¶|Œ‚n{ÑЦ÷Žñ‰FþØTE{âùuYºú�…Èò# ©§ú|°)ô~·Ô
»jë:œÔXÊØ©œ__”¼$jC®3ëËqéÚ~—wí´ÜÊ`/Wò|·žkÚïxq±\
 xÔñO˜7ï«ÎÚÂoÙØ�ÐãWíØêÞp§Æz³ÆËbT°Ó�kÞxžÇðë¡Ü7Í<8�í¹§I×apõ}{�ñ¨¹¿×™SFlÂê
 endobj
-965 0 obj <<
+1020 0 obj <<
 /Type /Page
-/Contents 966 0 R
-/Resources 964 0 R
+/Contents 1021 0 R
+/Resources 1019 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
+/Parent 999 0 R
 >> endobj
-967 0 obj <<
-/D [965 0 R /XYZ 56.6929 794.5015 null]
+1022 0 obj <<
+/D [1020 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-964 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F53 962 0 R /F14 685 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F55 970 0 R >>
+1019 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F53 1017 0 R /F14 729 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-973 0 obj <<
-/Length 3750      
-/Filter /FlateDecode
->>
-stream
-xÚ­ksã¶ñ»…¿Už9ñð$ÁöÓå’K.3½¤wîc&Éth’¶Ø£HG¤Îqû绋@R‚$OÓñx‚‹ÝÅbß ¿fðǯ�N˜ÌÕu–«D3®¯Ëí»~€wß^q³ö@ë9ÔW·W¯ßÉì:OòT¤×·÷3\&aÆðëÛê§ÕÛïÞüxûÍÇ›µÐl%“›µNÙêÛ?C3Ÿà•Ö«¿yˆ·?|x÷þÛ¿~|s“©Õíû>ܬ3–+Xyyí?~3­ûtóËí÷Wß܆]ÌwÊ™Ä-üzõÓ/캂
Å™}ý,áy.®·WJËD+)ýL{õéê/
áì­]“œ–&ÑFdÑ	9—<1©4יΓTÂ;”]SݬejVÍ@¿»nVõ¸ßuuÒHS½ºÝø—EÛöO~ÜÑoýÛXﺢŧ|õh×÷e=8°±§ßª°mÓÕôø´©Ýú®ØÖŽ‡MQ–²ß>¶° B
Ã.ל'¹ÖÂr<ŒýãcÓ=$‡ÒçLÁfUv�ñ,‘"Ï£â
-Pë9˜—2sq1«tB†´7E;‚P[ý´~üåˆ�T&™Ròê˜�åy¥&É„>ààìTQÈÕ¸©q VC½ûRïh²Ù‚4›b¬ÛçÎù
-ŽP2¾úX—u7H¹)º‡ú†¯zÞUí1Òéí64Q=Ãé4%‘Ù?V€—^ôŽÜû¼ûhÏŽ
”‹›åQ¤MÀ׫®i0_ì‰ÃÐjW´œØÈ{ÁñÏŒ‰¶^Á“ä«»½[þÔ´-�îÜ"âºm=Öû~÷D¤+BO[GÔûW¿wš;Qs4H=ðB	Éå™ç©5‘;6êa,v£µ¥²Õû{z·~\Â�uÙ Iä_X3øÃ@+B𦊑
-VŠ”ÈJñeq³æ«˜Œס±âo0Öˆ]-‰‚¯ÃÃÁß™éâ#ÉGÎtqhM“éºùv<k«©æ	癸`«s°Ó¶ p?ã®(ë#º2OŒ”ùºê˜îÒD•Jù-¿ïJ:Ÿ-ÙŠrã„Gz3xÁÞí@<ôØÖ_ê–†wÏôÛwõÑ	–dÙ%Á 3b#˜…Ð^¿Óz*5˜7Ì0Eœò•é$Í!ú�ãËÃòµ«aIj˜™3ö©‡¨,!x«Õ.JÔ+sát·þí±mÊÆ�Ï—¢ÝŸ‘´ÎY¢„0d=;-í
-w»«Ëýn@ß~ª�9O;2G´ã…Ì‚ø×ûíãÁQ¶ÍàäÔ;™ÿº¯w�÷³tÓø'ùucû<xؘˢ*R40’å)°n ž”Ê¿�Dß̤›³ÃmQ€‰tM�¶6žÆ¯ûÆ”(ŠËP,k‚(l�K ÞH!�nÆ
�¨
(ïÏpÒ)öðºq©-l
-\5‚sÒ9¼¥i+,˜G–p¶ Çaã*¶Ê¡ª]&;¾Â‰Ô™ŸE8
-Ï‘œ¡7½ÅíÙîb¥
-IPHEŒ«ãÃÒWt¶VPÕ4ëý…]×öeX °n¤�+úü	0—€ït®b×UeÌŸˆÄ°ÔGØ_ÊñEãf �ŽÌš\Pïk�âu=–¯‘XÈî#�„d9åüiº)èt)6[B•Wźl
-`z&
P;š¾óAwQ³Âw0
-[ìCL7YêX[ÇäÅU¢“¤DúxdœQíì�øLÏ&¼
Ò„ñÒ'ÃÄ}¿ïªW‘³DáCEÃò¥!�:T™¨Lx&]‚q�ßÐÓ¨íûÏ4jºˆ$2•è”§GGú¹~Ž�({ð“úg¦*&"«©ÑS“€$•KåµfxP]ªfÁŸ
-pƒÚkÌS1òªFYvÖÙXZ¶#rS0øêý‡¯]»‡ñŠÞìPÁšu]bæ8ÐÁv8¶, c¸�j
i§V&;;!'HŠ@¨Y�“S稑øCÝÕ;òŸ8mËjøÝݘվë\ä;P
.t¢4Ëfô×(Ë›�ÂêuáNXpå3Ú<Št(wÍ�kd®e&“\è|)5Ò˜Eü¤‚éÀÙºŽ^î®iðq‰=üz¾ ‰�ðR!XNVB¢b¥½L_ð-î-Ô%.Ž°ÙüŒD”‚ð¹â>DÛWÖwËÔ:è-†
™RbŠs£yÀ
Ê+P[A€Ü6m±sË{¤x„3ý}Ì•i°`Åù¬rªN9d�£y™à�×°×¾ô-P§€>£Þw‘i‹û�Sp�’§ùa÷ÔKØiv"VAÊ•3¾ðªC„U‰$¡ã
-9dì,Ë^ŠÄ¥:^D×܃a¦±Í<Qyˆ®‰áÅÊÁ$3Œ, ä Pz
-�üôŸÕԲƗO”¤À¨†¾Ä¾:��€M‘Ëeô @eÒeJc2Ü@ol>„¿šÍ‚0ë*Ž6M¹!
-´6ÐÝôûÖI
-”µƒŒ¬ªfÚ©*Xª4\õ�v:æf}�YïÔ'r³ª)h³çàv…¯£z¨íéB7Oƒg_žKÈ�U$§;ßÓKš
Å­ŠD#ƒôXЩ9(P:G
¿1le P_#Ü€¦
-m^p´9÷úçnG‘øÔ¿¡N”‘¡�s¤CYÂD0	jtEÅœçAym•¯Þ�n³Ã3x½ß|¡�‚Tuæ¿è­*b‹Xíîàõ©¦‡áI†Î	öPå¤%Ó‘Xj‘™Rfü¬DH—Õ }r‰	!_v.
+ú'8à‰Jƒyù�Þ÷ø½ŠÍµ5¹$I¾ÏQ�{å«Z�䆧Kçs1aVÛ½
uÂ5E`¦ Ÿ/EkïèaXõÛÂ@n×ðòßUä+ÛЮ®Ý"Ê­_9î‹ÖöçfT6
”±VDåOîOÔË7{[HéùÆ),n›Ïu,�ûY´Â­Ë]?¼^S :0A‘
-ŠR
Õu
-zô¦è�\Ë)î•rt½Æò±W”³¢O~êiæ\¶
-¨RâyÑ>ô;ðÛQ•Aõ
-Í““Ô¡ÄäŽÅE‘&à8ÅäZPß4¾³æ?ƒÁÎ4ùß…JE:séê±Ø
6]S©OÒ`T”eý8ºq÷Lƒ ¶JSF¡|‰¤ÒÔQ¹*
-ßxá ¨ìè:
+1028 0 obj <<
+/Length 3881      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ÙrÛ8òÝ_á·•«"'	î>erÌxª63›x�ª™<Ð$eqC‘‘ŠÇ[ûñÛ�x	’\5[©q4Ð�Fß�ù5ƒüÚèˆÉT]'©Š4ãú:ß]±ë˜ûþŠ;˜µZO¡¾»»zýA&×i”Æ"¾¾ÛLö23†_ß¿¬Þþðæç»÷ŸnÖB³•ŒnÖ:f«�oþúžF>Ô֫xˆ·?}üpûýß?½¹IÔêîö§�7ë„¥
+V^^ûÓÏïÇuŸo¾Üýxõþn8Åô¤œI<ÂoW¿|a×øÇ+ÉÔèë'è°ˆ§©¸Þ])-#­¤ô#õÕç«¿
NfíÒç´4‘6"	°NÈ	ë¸ä‘‰¥¹NtÅæ�wUq³–±YU}÷7ܬÊþ°oʸÇzu·õ“Y]·O¾Ýзü½/÷MVc/]=Úõm^v¬oé[”
+c«_Ö�_Žˆe”(%/à¡Ž	˜ßWl¢DèŸáô ŠB®úm‰
±êÊý·rOƒÕ¸Ye}Y?ßpÎWp…’ñÕ§2/›ž@òmÖ<”7|ÕQ—¥ß‘nïð°¥�ân§Ê	Íá±€}i¢uènÿõᓽ#¸6.næW•‘4

\¯š¶§F—}³7M+\ÑYp`—u=žÛ¿2&ê²{=ÉW÷·ü©ªkjÝ»EDu]û]7íþ‰P´ý† v©Göïöà$wÄæp�x:à™Ò5<Oc«:"ud”]Ÿí{«;J%«Û
Í­ç°Ýc™WˆiÆ	«ê¨3Ó"¯ŠªAKi)Nf7k¾ªá‚IYq*+~e
èÕ)Ø:¼üNT»Äl9ÕŦU]lŒªëÆëþ¬®Æ
__ÐÕ)Øi] ð<ý>ËË#¼2�Œ”é¼êï\E•ŠþÍß69ÝÏŽtY¹uÌ#¹é<cïÀêÖå·²¦æý3}Û¦<Ã:ž‚W`É%ÖMÀΰÎCÍX÷úƒÖ`©AÉa„Y(¢wI]¢£8xž:uLÝœÁ†E±afNÞç²ï‚|G®VºÈ]/Ø™“ãò÷ǺÊ+wWß²úp†ëÚ »•—¸>;Íõ

+�2(²šG‰IùÌêóœ£:Ž’„©9êÿGÙ¾éÇù6
;Ã7…ÄoêC·=©èçñŠ~„7¬è3ÄqùÆåY¾='R"†Fj.±fv†5j`
šé€2ƒ cR§ÌhF`
+V
BÐz¨cç<LuÄE¼ 0ÌÇêÛÔÉPkôâ�ß*�#‹Küž‚�æ÷
+ì&‡¸ü<buŒx¡Á,JR˜�a~Wu�u†nƒ	O†m·�0.²!\vE¨ÕǶwSý6ë}Ë
5‡Ý½
t`ÚJ¬þnÉí^5y}(|oXU5cœ
äó©Q¨AL8¹»¯šâõÛàôœRÆè$Ä<LAäÞ|Q(ÊMv€ýk*`æ=Wôúöc
+éô¢kŸ‚�ᮇÂBLQAöTµ�ËÛæ¿ífóÅõÖ™i‘J'Œßªò‰€£("ðVP*#Xì �2SaÒH$RŸ?â
+·ÂS$'Hh¦µ{{²›Pé€8‚B„«ãËÒ—#lùFAn_Ò¨wpv]ÝæÃ…Ej¸ŠÅB‘€¸ôÖ	ç¾)ò�‹È°Ø‡„
º”£‹Ú•Ó5Ed’Hê!¬|]öùkÄÁn›
+´ÈNAã»Û�ï\±’ñ(Ö<™+æý¡ªQ6ÐVá®Â‡fpŽ7ˆqï‚RÃ�Û1B£¢�à„ñÀÔdà“g©ùCÙ”{2 8l‹BðÝߘաi\¬¶t˜7(Í’	þ5òòÁæS°z�h�\y-¤Ã#K»|_Ý»2üZ&2J…^IÌ,ž.’j	Ä cÆ(‚&÷×Ôø4�¬<üzº ;íK¥‹|ÔzHi#*Iɘñ=Á’”…ºDÅÑn6£ ÅÀ|®øÜG[ë-ck¢wè8dL¹Žõ~òØ…”—
+ G.rWÕÙÞ-o	�<Ž´›�-ƒ¸H+Î'É~qÊ"ëõËy-Sáªï°}
ØÉ¥O°·
úd:âaï¤l£äqº|¼
yƺ(–õEœœðV�%¤ŒÏÌj(â’ˆ‚O}Çb
n$ñY_X
9$™,I^º‰v´0ð¯©ÃX#ÍF*Ü…Ë�C{Å hÊ_ÁÈ3t- å Pš
+àü8‡}5¾¸àä…)Ðʺ®ÍñYˆîFà‹&3ûGžÊÄó Æ$ȸŽflD„_M&õlu[Û*߀>ÓàHtveÖ¸íý¦÷ýÈ¡¥å©
+2<HØ'Ö
+oœ�{ŸZJ,Dõ`ÜÅË$ì+3bq=Zyœz(
kW¢Ì	º_­iÁ¾;@Õ»µÓkrI…
+IÅ!v!‡
+š*
xW½Èäq“ÚݤÞïC¹IÞ4H³çàönŸ
åPEàÛãøn–}~[è-!:V¡¨î„‡�/‰ä·*àŒÄ°£nF’sh�«t–¾à2lr P`Ô€¨
+m^p·)÷èž÷ùXáò©‘CçHˆ’ˆ‰A'¨:äsšÒkó¨tuÛ»ÃvÏ`ö~÷¹2R-R
Œ€Ñ\Dæ±ÚýˆDŸ*|%¸Á¹+Á¿Åd¼‹­!4cÐŒ¿‹ÒÅõ
+x¤âA¿üA7-þàÊFÛšl’$ãç°Ž„½ò‰­ŽRÃÞÀGc¬vëë„«‹ÀHF[�¥fÑî2«U
+¡B5p<º\ÈúòMX
ëÀB&«Lü’è	ØÕ˜ðÏóÖÃŽëé–�G
y©€{
+çâÕc¶ïl¼¦b¥A+Ëóò±wí晃Ø*M!…òI’Š—1£ryÎxæ ¨äè
@(·žíç�jË/ÑŒí.Ë×»B‡ïÈ!sp¢gÅåe¯q/k˜¾Ùßu
RçQ&™ãÄ¿gî-$ëÊu¬üóFÞþoàw¡ŠíÄÕúðÖýÖW+ãœ4wL¼ÈE|Ç3—b�M©
+!Ù˜Owd©2&?
ýi4	ã÷þ(Ù	'e‘¯}'TŽ–j¦ÈåÞ#-³g~ÈËü#»à®°^€ª”¾0»È⡺l=—àSÏ%¨r‰_ô\‚¹„(²Ç–­#Șpá�±�›
qÌ`	#yAhg’1p�¸v@fåÖ®aãlqò§“fÔ0u¾
+´VÀØ$	ÄÄá;çéĬņŸàl<Æñ')†íè°pp«l7ôhh›øÚ$4Ü5%®l9N¹ÐÔŽ´4pïÖPhŠ#®Ÿ¨é{"êƒ�¤÷D»¥«ÛÀáÐÆq€¯?ÿdi	hÔ���`/„]’¥é‚ãûÑäýÖ…Ú“÷Y˲Íó"]™`š‡âà Œ¾øþ6ç(Ë¢Ç#—eM8J•¦:âO¤Žðï	pøïäñÿÙÂø×èá�áRºd1é°#
+Í“%åÃß7“þ?(†�endstream
 endobj
-972 0 obj <<
+1027 0 obj <<
 /Type /Page
-/Contents 973 0 R
-/Resources 971 0 R
+/Contents 1028 0 R
+/Resources 1026 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
-/Annots [ 975 0 R ]
+/Parent 999 0 R
+/Annots [ 1030 0 R ]
 >> endobj
-975 0 obj <<
+1030 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [120.1376 365.8002 176.3563 375.0156]
+/Rect [120.1376 318.9001 176.3563 328.1154]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-974 0 obj <<
-/D [972 0 R /XYZ 85.0394 794.5015 null]
+1029 0 obj <<
+/D [1027 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-971 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F48 885 0 R /F55 970 0 R /F21 658 0 R /F39 863 0 R >>
+1026 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F48 940 0 R /F55 1025 0 R /F21 702 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-979 0 obj <<
-/Length 1632      
+1034 0 obj <<
+/Length 1676      
 /Filter /FlateDecode
 >>
 stream
-xÚÝXmoÛ6þî_!û`Ãñmý”iêM»ÄÉÖvÅ HŠ-T–2Knýï;Š”,ÛLtÁ6þ`R<ÞŸ{îŽ	0üHÀšê@êqLx�,G8˜ÃÚɈ8™°
-‡RÏf£ƒçLiAE0»èR+E‚Yú~ÌCЀǧ‡¯Ž'!åx|~|6á||	íüõ›ã³Ã‰ŒÆ³éëÓóI(±ŽÆG/ßÌ:‰¯ë8z}ú|zr±Ñ3ù0{9:žõ§ž”`fŽðûèý¤pà—#Œ˜V<¸…	FDk,GgˆGŒuOŠÑùè§^á`µÝêEŽ`D™ >èô
-·£†1Ò¸„[�Y“ïPR•×CB
¬¸3x[­‹ÎHQT·vØ,2;Hªå2.Ó<æC¢€SJpI¤•­Þï¬h¤†©‰´”Â6.ZèWYQÅ©ÇÓÐmpŠ-bM.I.•e–4vÒ=ì£h§7ÕÊ	hÎì
-8PvH¹§H›âà-öa¯1ªÜ¯äTiĈËÆGsÀ}غ¬µç@®žQŽ'r;÷ÎzjÙÚj#ÃW€
-‹¨„¦ͳÒcZ0D¥ê„o,qç«xi-Üæ…	�†—Ÿ²2‡�wv-±é
�²±/DàbèÌ}Eú²ä½Û¶[C&ú­…»j
yÏ°vÌ2F‹º²x1&PD‰ÜÎè4¯oŠØxL¨+
-q†£>ÛÛËÚm'Pû#%†i‰"ÍÈCº	kß3øN?ù¶]�ƒk˽Ø}t¹a‡óNCëÎ2Å
Õ·³-5ERIÅNC1Š,cϧ'/.Þì‚D$!ÁY0Pø÷\ì5îû¸C�ˆIŒ-'�ûë�Ûô†ô¸/A®�¥¾LÔ‚H~C-èêÍæêºãJC:Äu¶G¶®7„èǃ‘i†$–
+xÚÝXmoÛ6þî_!û`ÃQ$×Oi�¦îдKœlmWŠ¤ØBõâYr³`èßQ$eÙ–Û ¶að‰Òñîx÷ÜsgÃ�x<D¡¢Ê*@îÅÅ{sxw6"VÆwB~_êÙltôœ	O!ÒЛÝötI„¥$Þ,y?fˆ¡	hÀãóãW§Ÿr<¾<½˜p>¾†K»~ýæôâx"‚ñlúúür⬂ñÉ‹ã73'ñu'¯ÏŸOÏ®6z&f/G§³îý“Ìô~½ÿ€½ür„S’{w°Àˆ(E½bp†xÀ˜{’�.G?u
+{oÛ­ƒ‘#QÒ�ÐQÖ�$ˆ+Å=Á
+¼Ò¡;6'«£b™§æ¾Èʬˆr³ˆ«òWŒé|½Šš¬*ÍCýÄIgµ¹Föz[åyuWÿ Csô< =°çS…¤”­å�éýÄ1¯Ê$þ­[ý©7zVÎ')ÎM–£|^­²fQÁ'‹"Šý"áOž¶[°“¦­t�Æ«´±¢1»¸¿¡¼œž]¯oØu�<+nØtþöòYóöç`þ¶¼ÆÓ3²xwv5W¨ûéÙé<¡J¿ûѪ÷·]2F>ï˜6ŽVKªúðyÌæ$½�Öyã×éêSº2Ò„
+„áGÏäv´Á¢A/vƒ>’ž�;Xp©ª•™-\Mj¿·¹½µ×²n¢<O“.ÕûÉ%#…
ó¸Õx”6ñ‘ö
‚n<�…@kÄ­Á»j�;#Fæ¶Y¤ŒE•É¶|"
û2äp'�bÔ€ì;+*û‚”¡5¬]´0Ló*J<õí«X´ûš
+\\×G™Æ�Y¸‡]ÍrY­¬€âÌÜÀ)ìþh]§v÷ÂÞ”Qaï4úÊW"Ç­¯:h’˜,i�_ÚÝ–nßH^ÅPã ƒªZd¥�ø]jÌ™Õj"Çë²Ìʹ}ÕدúîD¥i7V¹Å
+é„—¸óUTwY®S£B�ËOi™AJò{ó.6å
‰2ÑPŠÀ†}g‘"Ì‚wnwméì·î«5Ô=ÃÊ"KÍëÊÄ‹±”ˆí�dõ2�´Ç„Z ³2Î×˪Lt<÷ÃHHHæÖŸ®,÷gF
+åûÈmMF�±	ΛGeÚ6xÔÒ<‰’̓�C*Ì5Ç%ƒ¨�\vHjãwœ7骄æS
+¹#„@Ë1!ƒìTÛ•mÕLæªÔpßÔ8ÔBZ»Ï�\Ðüp—ç6ºàS[êë¥eˆ�Hh"
+•êƒi¸ 8”5!lK-ñX*+k°¨’ìö~ÀšVU”?$ì!E4�hÔtmuAë"M5À1
�óG„à°›äéća¦ïl^FƒhÓ C('骉²6Þd|u>ýÅÜÕv?,h×gá¹'ˆë”ZÔuJýº2;šè£{»LãL06ë(nç»ï�œ|	gu¼ÊnÌ�]¹Ü±¶Õ"µú›<EC
x¶Hk›©ÞzP¼qo»Þ°®»Ö;̇Pt…üQ3Ú
 endobj
-978 0 obj <<
+1033 0 obj <<
 /Type /Page
-/Contents 979 0 R
-/Resources 977 0 R
+/Contents 1034 0 R
+/Resources 1032 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 944 0 R
+/Parent 999 0 R
 >> endobj
-980 0 obj <<
-/D [978 0 R /XYZ 56.6929 794.5015 null]
+1035 0 obj <<
+/D [1033 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 126 0 obj <<
-/D [978 0 R /XYZ 56.6929 466.6686 null]
+/D [1033 0 R /XYZ 56.6929 424.8255 null]
 >> endobj
-981 0 obj <<
-/D [978 0 R /XYZ 56.6929 439.3642 null]
+1036 0 obj <<
+/D [1033 0 R /XYZ 56.6929 397.5211 null]
 >> endobj
-982 0 obj <<
-/D [978 0 R /XYZ 56.6929 409.8468 null]
+1037 0 obj <<
+/D [1033 0 R /XYZ 56.6929 368.0037 null]
 >> endobj
-983 0 obj <<
-/D [978 0 R /XYZ 56.6929 397.8916 null]
+1038 0 obj <<
+/D [1033 0 R /XYZ 56.6929 356.0485 null]
 >> endobj
-977 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F48 885 0 R /F21 658 0 R >>
+1032 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-987 0 obj <<
-/Length 2297      
-/Filter /FlateDecode
->>
-stream
-xڥ˒۸ñ>_¡[¨*K<ÉiãÇ–÷0®x&‡Ôz’šáš"µ"egüõéF7(JâØ©ÚR•Ø
-ë2‡‰�+>ÎBØ„¿™o vfÈWt‘—»º<1c…âÕ%KS”œŸð�Xú}Fb(59J“R`cÓ1'
-cß·C¿yQQ`MÖéh&×Ê�ˆ

-GID濯œ	3ßp-“kºgÊÁ«²rò+–
-Ìg]©†q~ÄÄ%d!ÄØ"¹_4Èt6ÏÍÿB�že´=…б/û–nâ¨pØ×eó)MdÈÙ´Í@*28²É¨•d>¾{M€tΊK±LV¦¥�tã?o~û=]U ž_oR¡]‘­¾Â @@­v7F*á\fâL{swó¯‰ D°BË%Â2-Ú—-ãŽsR›ÈÜF›ªŽ,›+dŠâÛ•ÃðR€Ë‚y9×
-ln¯·Ö&MN¾q&
ÈK&s’·«‡Ás1d’p^H”0¨q@܆ԙ„JKÏÄ‚XÍH߶÷U¸øo&er‡®µ}nºÇ~UjPY,Ða!‚6}×"Áç,ÜÂia
-�1�PÞ�몧LŸ—&¥?†
--/HØÁÎy&å»À®”N¤Vº)ì|O¼…p©ŽEÞ$P¤>ÙG~²­�Y¡Ê †¿3y^¦kWÔÀàÜ•ÿZtÀ8”9ëVÞû—c×yÀ‘ópÖmD4( ×p×b„âžãÍ3è«))êþ{_a
øãdÚd]Üàöáë鳫ǧ>ØBšlƒ’p­ªÀf±è„J’*Å}ëK´ã°ñªº­Çi–K*-+>&¤�ÙqQý
-oQÈ"ú5QÚìû¶)—ª:kE¦òXÕ•-Åä…£¹ ¼>Å‚3eSojÍkâ
-}FÇ>ŒÈ	E?n�gÊ�›Ìº­Eñß`{Ó¤p0ú¡†.�[$.d2ÐèSš¥ßbà2Éq˜öƒÍݽ}
ë’–¶=÷ò¸H¶
-–ýG[¨R¹b»ðŽàK¦`ý4ðÓmpp{ì÷J0	F¦åǺ«~F“‘þÅÉe‘<ßéuô…$ÒtŒ{„"ù\?¯%dCv¿)#Oý¡ùæcq™Å£=ø!zVl”C·ëc©Ž>Ø<vø¤Cní©þï̵a¯Ÿî0Û1q:½	�ªÂ+ca´)b|ž^…¦ˆòG<t1"a8h_
-Õø†¢fðçð,‘ÍÞdT†ÏUMÓ!EÃ×Ó'öûÙ¤
˜¬N9âD¦Iï°a¹ï¯h‘‚”�OöôÖȳ»X¾jPåp]RKœfb<‡ÆµYÒåÜâ¤NJb…­
&x�¸‘ú¤€¿>ÕÝÅ2~F�
-f2€ïFt-˜¢~¶åônwâ-ú¬;]àc×BλÈs¤Hz	ƒúÅå©9Eª;4UUw—iwÉIÎ’iÌ�œæšÎž¿“²‡§þØVÓcïb¢uÕŒ1tì|w|ON~™
ˆI›ÏŠ“<>Ú<¶=
-ö
+1042 0 obj <<
+/Length 2335      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKsÛF¾ëWð¶`•9™7€ä”õ#åœZK{ØJr
 „´#ÿúížžÁƒ„äT¥T%6æÑÓÓϯGl8ü‰MfW¹Þ¤¹f†³)7|ó
+>VfwFeÌd2ÝìæLþ}wóÝ;)6’3k¥ÙÜídzlš2#­ÜÜ•¿&¯Ýq¨NÛ�4<ÑÛßï~¦mš¥Y*p‡#R&r؉~,?»¶¨JÚñæÃ-ï*7œOU?rš)�‡xÖ0asã9h&¶;Á9O>tC½
+[Ô&g¹•6ìPœ¥:³~‡?E)›|øåîý»ÿ]÷ø›&Ž>UñèÚº?Ðçðè†0ß4Ý—>,r½¿,Ò}uú\�ÂÄÐÑâ–$
+,ª:®mÜçêj[št{Ä£ª^/†W‚åÆ�¾¿vmõ/X(•IJ78k¹IÞ·4tÚŠ,©úc×ö� 7üu£f'5	i™i‡ ï �kujÁ¬ViX¶÷‡t‡È×ÿDÍ MWܦ:y…j"Ì��üR7
QÅcU|Z
+ÛWQzo¤ê!ܵWwá¾ @TÒNؤ×](‹ÎïB­…VÇßqª8ŸHií@øpmù*lÜÓ/X8Ž´õP»!ðq—'
'×ö{ÒM™ƒWŠ„wzO“CGÐWÝî»ÓÁ
^p÷Ýy yÅŒî,uú-3*8œK–½"–^ÕHx� QV}qª�“
+º¢kèf>/�	ûcUÔ¿q.¡Bú̦ ô¥
+Ù"³Õ!?}|÷š¨¯–]ªeô2ÒàV¸òŸ7¿þÎ7%èççÎTž™ÍøàX¡åæp£…dyntinnoþ3r„–)fHXçEû8ð
+dܱdµ‹Òí”æp3µ°ÈxÙý&Çü’A̘’šböÃLÇÆj�4gÿ²ÝY‘ÜÁ™¼½ÔðÔDS¡	÷Qºùs#×y®hÑŒöw�tà¾{�›7Üh3»Td¼›sö—,3Oš)ã©
2È5†l„N�g¾–ä9VË­„‚´•‹Î|Ý
+È
+Ž…6 0i“‹`¸CÕ÷. !�øó|¥„�
+?HZ_;µÔL-¸ªè·é\é/
l„Hn1¶öOuû°"¯ä
+ǪÖÝ7È?PQ~²-š3é	‡Ý<Á4ö(„A_¹;?ç@V±Ô¤0€×�7ËDãš8íŽ]Sk°ÎZèÚÓ늆òJ‹ÊQ
Q^Ÿb!˜ÌØ\x°yÍ\bȨ˜Áû
%¡ì§e‘ùÒeÐn�ý5�uX¥
Gçy<uøT=íÀÒÇzWœªv£§]Ë!¸Â'Œ¸ÏÅܹÔ[άµÙœwÙ\Ý®i
ò™ÙBkèd™ Ÿ‚ßgÔ&™¹hwúµ¶`‚r®¹õ¢Àš|m:Æ!PCm‘:l±,¶¾Š`¯Z=t³.:v¿1ÐB
+ÐçÍÓôCÕV'wʼnü.·S�
+%8܇	’F¨É:@y¬Ú‹i<üä|�
+¾àæZÅZÖÍÀ
+@ׂ!z6šMAb™^‹'ÙâkR>3,OΈÀZøŠlIO°
+ù³/‹+'þ¹ö|endstream
 endobj
-986 0 obj <<
+1041 0 obj <<
 /Type /Page
-/Contents 987 0 R
-/Resources 985 0 R
+/Contents 1042 0 R
+/Resources 1040 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
-/Annots [ 991 0 R 992 0 R ]
+/Parent 1056 0 R
+/Annots [ 1046 0 R 1047 0 R ]
 >> endobj
-984 0 obj <<
+1039 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
 /PTEX.FileName (/usr/local/share/db2latex/xsl/figures/note.pdf)
 /PTEX.PageNumber 1
-/PTEX.InfoDict 1002 0 R 
+/PTEX.InfoDict 1057 0 R 
 /Matrix [1.00000000 0.00000000 0.00000000 1.00000000 0.00000000 0.00000000]
 /BBox [0.00000000 0.00000000 27.00000000 27.00000000]
 /Resources <<
 /ProcSet [ /PDF ]
 /ExtGState <<
-/R4 1003 0 R
+/R4 1058 0 R
 >>>>
-/Length 1004 0 R
+/Length 1059 0 R
 /Filter /FlateDecode
 >>
 stream
@@ -3142,12 +3315,12 @@ q�ª„Ñ«ò�^ÿï>‹«>÷—
.13×…Óƒ!¶3¢SËAÕ”ih¥Å¨Š^…(€<Îm䦽ªšÛÆlLÊâ³ò7Ù
 n*Œ1½÷¨¾x¥Æˆpîâ‹
&Xî
Ãœ§³±è\íD¤ß�ä0}#XŒûž˜‹¸À>#^V°¡|2Îi‰9ÊÎ�r)`˜¢Xh¡Ò& „hb—H°Œe"Ãê
 þrÓGçX5¾ûû8‡´ÕªOª«t–Ô³$Ây°‰—BÒ›ÀÄ5
©/¨�vp�÷o`kA“ôr±ñœÓ4N.4Žæ
 endobj
-1002 0 obj
+1057 0 obj
 <<
 /Producer (AFPL Ghostscript 6.50)
 >>
 endobj
-1003 0 obj
+1058 0 obj
 <<
 /Type /ExtGState
 /Name /R4
@@ -3157,487 +3330,505 @@ endobj
 /SA true
 >>
 endobj
-1004 0 obj
+1059 0 obj
 1049
 endobj
-991 0 obj <<
+1046 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [470.3398 482.8902 539.579 494.9499]
+/Rect [470.3398 477.3512 539.579 489.4108]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-992 0 obj <<
+1047 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [316.7164 470.9351 385.3363 482.9947]
+/Rect [316.7164 465.396 385.3363 477.4557]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-988 0 obj <<
-/D [986 0 R /XYZ 85.0394 794.5015 null]
+1043 0 obj <<
+/D [1041 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 130 0 obj <<
-/D [986 0 R /XYZ 85.0394 769.5949 null]
+/D [1041 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-989 0 obj <<
-/D [986 0 R /XYZ 85.0394 582.0558 null]
+1044 0 obj <<
+/D [1041 0 R /XYZ 85.0394 580.0302 null]
 >> endobj
 134 0 obj <<
-/D [986 0 R /XYZ 85.0394 582.0558 null]
+/D [1041 0 R /XYZ 85.0394 580.0302 null]
 >> endobj
-990 0 obj <<
-/D [986 0 R /XYZ 85.0394 543.4475 null]
+1045 0 obj <<
+/D [1041 0 R /XYZ 85.0394 539.9341 null]
 >> endobj
 138 0 obj <<
-/D [986 0 R /XYZ 85.0394 324.8439 null]
+/D [1041 0 R /XYZ 85.0394 315.9171 null]
 >> endobj
-999 0 obj <<
-/D [986 0 R /XYZ 85.0394 292.4184 null]
+1054 0 obj <<
+/D [1041 0 R /XYZ 85.0394 282.0038 null]
 >> endobj
 142 0 obj <<
-/D [986 0 R /XYZ 85.0394 174.5048 null]
+/D [1041 0 R /XYZ 85.0394 146.7217 null]
 >> endobj
-1000 0 obj <<
-/D [986 0 R /XYZ 85.0394 146.6189 null]
+1055 0 obj <<
+/D [1041 0 R /XYZ 85.0394 117.3479 null]
 >> endobj
-985 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F39 863 0 R >>
-/XObject << /Im2 984 0 R >>
+1040 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F62 1050 0 R /F63 1053 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1009 0 obj <<
-/Length 3382      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsã6Ï_‘·*3k�$’¢toénöšN›î%¾�Ùn‰ŽÕ•%W’ãõþõ >líõfnüÀ/Aà�rxÀ/¼V±§Qz­Sé« T×ùî*¸~�±¿]…L³rD«)Õ÷ë«¿¼ú:õÓ8Š¯×›	¯Ä’$¼^¿zÒþ
p¼û‡·�w?ß=¬o´ônºYE*ð>þòpGµõãíÃÓû»Ç'j~
-Tpÿï÷�P†7+¡eä½ýáöÃúî‘Æ%s½}÷Ï›0½Û‡·wïhèÝóxw‹k­ÿñx÷tóÛúÇ«»õ°©éÆÃ@àŽþ¸úõ·àº€ýÿxø"MÔõ�¦it½»’JøJ
-ázª«§«¿'£vê¢"ÃÀ�D-h2KšT©BMVY{&Þ‹�ÍE©÷µ©¹VvTöEÖ›‚Klþ8˜º¯NVE 1DÞ}Ýõ&+Þ
-VmeOÒ2e
-*ºrW¢—ØÆ1sV¿°¡5©AD|Ru7ê,Nu¶+󑶣þ<«ë¦§îºiw Ó‰Fž™±
“'1#òè-º“g‡ŽIáLxòdÛÈ·§Þ—CÚé
±hG6’7 W«�4æcNµ·kì1§Î^sÐ>µÇ­
Y>0Œ|Š"MÝý¶±BBç(4šÚn(.­9Y�îH™²Îg³�ÖyRv
è0uwà…f[¤X21sgÆ£
žu:¾Á.&§8�QvΕæØS�cN(ÜH{“x‡EÀ'€)éë8LAb´­^­ë›=ÓO
^F¾AÂäd¢¨
-Æ„‚[£ÌÈg?Töƈ—²šYo‡4ŽðLŽ½[©àN»7-
-›˜Ýt3Ä!Á†yZ¤Á¡½5�ËP)dâë@º�^~¡›ÓjÓ6»U
| 
B™:7ÝB0HÑ�”K6ËŽÝJƾŒ‚³ 3ÃÍ�8Éd–·B–)ætZ\
½
-U,
-JÎt…Gð‹
�œwúÞý@E‹Ó+/ëUJ?ÑQ2vØs>¿£Ÿ]kl ƒÝÐk–dY³®©;¯¦
r —¬.¿:W�Þcs¨
-"<fu?ß
tЋ"ÀgÏLY|TSè'€N3‡ì·îVþ__x~±¯…—7»�HOå§1Š50Ð9+Ã^+�¶I6é9‰NºvÔÉRhÁ)²æø mPc‚P°Ÿ`{Έ°NãÌWœAŒïhx„óÁò&¼„†{OU‚tÔhÀ,kª’}k|ôÅ)|vk5=q-yf×츧0Ï”EhpÍ(%$KýÖ¦'¸—öµ
-©I3S®8!À@bÉîGG‹»d¬ÎÒ)è¨Lö¹£ªÅb"¢rg_H±ÃDÖ_ËŒ2^aW
pUÄ„Ô¥ˆHñ%Ûí+Ã_ ƒ\™Û×4¬uÙëëé[ç±+Ë?g> •âƒ!N¤g*ËN¹¨ÌwH#'¢¯í³öш­6¬ßH`ðT…ö~hŽè­.?N´Sr^£‚|•À¬¬(­ºód�¶aãF"&؇­É�Oº×8èvöH­ÁmÃ=”¸¡
-9ÐìsÉ3ÛásLÜC¶;e/hÕÒç›™E=žÍ?¹êÜKüä8UàŽs’"ºÃ²	žP~(¥Ëý�sÃ;B^~:_ؤÍZ¾‘3JŸF�åO¦ÿÎ^
À3›ûkº}h´ù=˜'	hÃÅ™î’g¹U(@^�ºÇL­@|Ú󄈥¯¤žiU°ðâ+|j—Õs ñs
-õç씯•P#¿�DÞfno.5ÃÆä“"u%½©§Î—h¦µ»Ô¢=~Â"*•ñù�g8J=x&5Že¿¥ÚÜa°Ç)
ì‡ù㚦0|ÿ�_µrˆUp[¡rR4^žv˜ÂgmùÕ-ÆWx[¶ï~þHwö%h䂌٨9	³åBÊåg#Þø›óÏž.ÿ^s¾áû\�¥Ì¬ë•Gë2ù¦u…~¬¥3̧íÝ"¥¼YDÉìž’NRBþZ�å³!R’z:2‡& O
+1064 0 obj <<
+/Length 3348      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Z[w£F~÷¯Ð[ð9#4Mþ93öÆ9‰3k{/'—‡6 ‹…k4¿~«ºªHÌæa�è{W×å«‹®øW2ñ“,ÊV*‹}„r•ï®‚Õ+Ìýý*ä5k·h=]õÝóÕ·wB­2?K¢dõ¼™œ•úAš†«çâW/ö…
'ÞýÃûÇÛŸnž¯UìÝüx½ŽdàýòóÃ-µžožînŸ¨û[ ƒûÿÜ=Â7¼^GÞûïo>>ß>Ò|̧Þ|ø×u†ÞÍÃûÛ4õá�ϸ»½Á»žÿùxûtýûóW·Ï㣦�/úóê×߃U
ïÿá*ðE–ÊÕ
:�fY´Ú]ÅRø2Â�ÔWOWÿœÌÚ­‹Œ?I´ÀÉH,qRf~"`
+9ù¼-áY‰òLÙ½•µU]SKצ¥V›çÚTm£ëúÈ«ºªçÍÈ×ߢ(.†Ý¿Ä_œéÝùy»Û×e?öš¾lzÃgoÎûB÷eA�/mc‡S¯gZ*·ÑN�€ë0ô3)#ûªß‚ ªKf,$<±ÂåYä¹oÓöÔ(èhœÚíÊ¢‚Kíë²ÐÓ›Þ²æJ�oyý±Ñ»*§ùô(ˆ¼—2׃áÃú­æíPtà‹›l[j˜º=ðªmÙPK/½¦ÖÝu˜z¯x@”9~@˾¾'vAgc—À_xª±O4Þ7¦/u
G"ffG©‡B›ŸW”µ>ºó^ŽîúZ!À7”ôÝUÍЗƞ*@aàUUóJsº(ªÞ*Íü]dÅD¶!³²ÇâW*©µ¯u2tSÌ•”ößįH¿à“œ”†èÒ#6˜^wÌšd”©Û(=³ú¢=ðimGëòN›­}P
+0B
+‡cG.º‘'`d›'ÏO0ú:hàN_Òqõh
KµeH–°˜3åíZ+æÌékܧþÄ
+'9™¬â,ò#&ÉMv¯+j<N²·qýzºá2{»<¹öëGzÈܵC„ …$Ð:“	{Ÿz0rå…ùýœè0ˆý8€¼;N!Ñ“åDs\µž.»$õò´‰¯ãW!8À™«£€^ı§óÞJܶ
éÃø¹7æ\�~wÿð�¦2ú˜aÑuÏÛHÚز*Œ
k°É16!ýršC‹¸Ñ@ÐdŒîŽØ•¬Ç4î oabQ‘7bÚƒN ¶š%BH9Þ4©/Le P--1¸¤Éë¡àŽÃil;*aûb<ŒóP/q
+cKüž|*,rÀ�û°Á†‹ótÞB¢qà€/²Q�¦ÖAÛ\*ôÚw3SFXûÔ¼£Ô)8Ü;ÑŒçœ\a•Í11køè�;Ç��[xFÇß-U�×îË@¸!(ÓƒáÍ`C;�„©	”À8‚ä
ƒ$çÈ‚„ˆ[XÅìƒ`˜QløL68µ·*pé.EšÄέWŸ){Zoºv·.àè
+äd5Çwí×óŽ™-G€
ú¥zjÒy¤fŒ6ïhÆ”%5Hpmiò®ÚŸÎ±ŽW,T€õAš9ÉtXÌ1ýÚjÊ¥ˆ¤ô¥ÌœˆòšóË¿¼E*"·˜÷q	åòxøa(�¶šðCŽÅ˜œèKgç±Q̱ÑȤ?Tÿ2Üy*{Ö%@	L×ð{²+8Ìkqø­*(ˆÕV¸vÌT/Ü9f9‚ù"¸èb¶¸‹
³·µÁEü‚•”Ø
+‡TT”ŸûëÐg”«‰´5EFv+C˜¸ a´žB
ƒ1‡»Â#ü�©,øí�È&œJ 9�`{$ÇXX¼ÌØ8öS¥£´ûaÏAýóÉýÙ»N
ëà5TÒŠ™VmÚÆ0y
M�½ê¦úâlF]ítÓÏ_FÈTVŒ¹¦3L>²)ôS€§³J€KÍÿg™çgñJ`Ùyg	RSúiŽœ
L§e8j	R6êÀ.ÕýqÑ|׎™
+%8LVì ” *Œ
+&
âN‰°Mó|®8Ø‹iK…mØš79K(H~ꊊéØiA-j’~+¬üâ–Œv�(9•8ÎV¼Ó´;)Ê
+##¸bV¶XÝom|‚—ñ×–¬p5qfz*xŽ°ØžØ_
+AîO†–H6ÉDžÅS0P—ú“¡¦cZDß�-“bËЯ¿Uš:%„$|ÃÒ
0UÄ„Ìň¸â³Æ_*ø'" “ÇÃmI
[F¿½¿&p^:ÿ'³€d†UCÜHµ*{œtUhÌ_H3GZßØÚŽQÄ6[æ?ÌïJˆ`PªByß·´V §Êƒ-9ßQCÀJÀ.]ŒVæ<¤gXÇ‘Š	öao’õÅ®$ÃN©7ê¢í¸j)l€°˜’BálÑþ°B§ã\YNcʾpAÛ@8ÎF}ûßBÑ#,&Æ,¨’qÔP¡‹V	!¨ër)S�ÔÈ·-…ÅŠÓ\øn@ÓÇ!/4Ù¦Ok÷üª½º=¾Æ€@J4Õž†Ð{1Mú"–õf~àÅÏ,¯¡7„7ŒmW‹¨xÓ°ê` :"£HæÈs„Œ"™ £�„Œ.¢NƇ6V»@Ý⎺.j¶äCßþ:DCÕ‚`V
-cÝ«FgÃ/å¶jŠ¯þÞדß� RÅ8hSwD§0SÆ:vô*²øàä
+^0d~œ,Ĉ5ˆF(,Ú|ÀÈ­]¼ÇýÆ|BÎI„@„qHð°ž7�o¬*žQ¶A4ûÍä…õa0îWWÍvb�6C«—~ÙiÔàÙüw—ñ×:WŽŸˆSNœ“ѽÆFxBùi˜
+ú!G‡·½\@_x¥
[¾5&~(Š7,ûol
+©mø¯(
¡Ÿ¡AAÉM@rgJ'Ï¢«P
+ó§ñº«¾¸Ë8‹W‰=öÃO¿PÚ¾
 endobj
-1008 0 obj <<
+1063 0 obj <<
 /Type /Page
-/Contents 1009 0 R
-/Resources 1007 0 R
+/Contents 1064 0 R
+/Resources 1062 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
-/Annots [ 1012 0 R 1013 0 R ]
+/Parent 1056 0 R
+/Annots [ 1067 0 R 1068 0 R ]
 >> endobj
-1012 0 obj <<
+1067 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [464.1993 519.4233 511.2325 531.4829]
+/Rect [464.1993 488.466 511.2325 500.5257]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1013 0 obj <<
+1068 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 508.4843 105.4 519.5278]
+/Rect [55.6967 477.5271 105.4 488.5705]
 /Subtype /Link
 /A << /S /GoTo /D (proposed_standards) >>
 >> endobj
-1010 0 obj <<
-/D [1008 0 R /XYZ 56.6929 794.5015 null]
+1065 0 obj <<
+/D [1063 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 146 0 obj <<
-/D [1008 0 R /XYZ 56.6929 584.989 null]
+/D [1063 0 R /XYZ 56.6929 556.0057 null]
 >> endobj
-1011 0 obj <<
-/D [1008 0 R /XYZ 56.6929 551.635 null]
+1066 0 obj <<
+/D [1063 0 R /XYZ 56.6929 521.4772 null]
 >> endobj
 150 0 obj <<
-/D [1008 0 R /XYZ 56.6929 396.4263 null]
+/D [1063 0 R /XYZ 56.6929 361.9951 null]
 >> endobj
-1014 0 obj <<
-/D [1008 0 R /XYZ 56.6929 360.8629 null]
+1069 0 obj <<
+/D [1063 0 R /XYZ 56.6929 325.2573 null]
 >> endobj
 154 0 obj <<
-/D [1008 0 R /XYZ 56.6929 173.1662 null]
+/D [1063 0 R /XYZ 56.6929 133.2872 null]
 >> endobj
-1015 0 obj <<
-/D [1008 0 R /XYZ 56.6929 145.9427 null]
+1070 0 obj <<
+/D [1063 0 R /XYZ 56.6929 104.8892 null]
 >> endobj
-1007 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F55 970 0 R /F39 863 0 R /F48 885 0 R /F47 879 0 R >>
+1062 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F55 1025 0 R /F41 925 0 R /F48 940 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1019 0 obj <<
-/Length 2880      
+1074 0 obj <<
+/Length 3001      
 /Filter /FlateDecode
 >>
 stream
-xÚå]sÛÆñ]¿‚o¡2æù¾qˆŸÜDi”‰ÇVÛLãÌ"!‘5E($Yéô¿w÷ö8€ )5Ó§NÆÁÝa±·ß_”˜pøOLœa\åz’åš.Ìd~sÂ'×ðîÏ'"ÀÌ"Ð,…úÓÅÉËoU6ÉYn¥�\\%¸ãΉÉÅâ—é×ß½~wqöþt&
Ÿjv:3–O_ó×S!ÄôõۯϾ¡Wß¼ý@‹oÏ^Ÿfzzñ—÷gp"œ6¾‹_~x÷ÃùE÷ůߟœ]´”¦Ü®�ÌßN~ù•OÀÔ÷'œ©Ü™Él8y.'7'Ú(f´Rñd}òáä§aòÖ:&£3Nf#â‘jL<&gVÁ+Ïùæt¦ŸVÛSᦋr[žO›ŠŽ‹ù¼º¹]¯êe8_®ê°”–%�!D±y¤Vë5×eCGw·áÛ‡€ÞÔtT]Ñɦ¸)ãWÛûr[ƒ´µË§?nÊ
²€V—áU8@z@ “™,7FzW›zµ
-BÌò�aΘȄìQZ~.ÀIKž8‚RpÁ¬È[”3�‘ýîâ–Ž�­¥b�OBîØQ]ZZ²
Á¢U:ž¢%omgAX$S™qQj"ZR
 "ç‰-á®E‹²%\-‹û
-¸ K{ñƒ©CºäÜé 0u›)ñE›)qãx6I{)n"•e	 #Ù1UÉýä>/ß]®WsŸ”ý‰ŽdhŸ\�Øc¼…kCµ7ÞS’Ù¼õä½6k3.žÉÁs€…ðÉïÕ¦ôe‡Zª>$[‚|îÖâ€T\Fv@×
¦¾£FL‹ºcÖ¿BáÓÉwÊÎðe¾¬º�.3°s3Rë(¸ÁRn,@ª”<zâÃÃÃ	äx—Í�ÉU˜Ü˜«æöNz°*Âcýè=D‡ˆ7[Ó
-Š–e±¹ö®"<So~§â#ÛϹ0†eÐ7DVØÍçgµ„èkŒî'ØÃ<X¨
-´ÇäåU¼ð/<"lìn�ÙdQ÷
-®“®|Ÿ"Á¤‹:3z°jÝ�GÛ!ŒCõŸRÐ2Jy�GÉ·Ïu)'”L]ŠØ¨—äHH:U+þô¶œ¯(Øñ雟épGïxè«{J	V0è
-_©ƒ©A˜[ÌÛªÃ3šÍ?¾ü"—3.=½­ MQ‡o(GèËuËámˆå�­L˜¦MY.|^ÂÏÊyqç³
--Âm¹]ŸŠé£ñùÊ[wÓª0á©Ö±Î$žï› í8L=t?/§þ`%ðHiž@ù
-ªºìIú³ÏÎ$ÿ¥þ08Kpó<ŸÞà3hóešf8™Nf8°iìbÂ/­xN¥|Šýï°|Gÿô?�ájQÖóíê’þ,®º¬îK,ú�˜¾­š2¢*š¸ŠDŧïQúÍFÇoE×Ø%?¿4 ½_ŽÓp·Œµrl->Vw
Ñï­�ø^£Œ¿º,‡ö¬…cN+7‘ P…ÿCz¹½žÐâ}bÚ-ü,ý`׶wñ¢ >`¹RLìPc!âä}bv¼+£`ˆ+ùiXA¸4Æ
Íy/_
ºö¾à÷Œµ`Î9*‹ùšÆ|1
Ö´ýWfàœ–ÁÿùK©_…Ãéá¿_E›¢1 î£�é´�>f«Ûzv]Í–å¶ÜƒŽrFu‹à-Žt’Ùk¢cc¾sLÐ40YVô–W |GX
-Ã?�1>øÿÇ×%&
�·srÜŒ·ÌÉ<‹D!/rÇqÚ?ØÛ%ý?mwendstream
+xÚå]sÛÆñ]¿‚o¡2æå>�CòäÆJãLâ&±Úfšd¦ 	›¨)€! Ñj§ÿ½»·wÀ
I©™>u<2îc±··ß» ˜qø'fÖ0®2=K3Íf¶º»â³÷°÷Ç+áa
hCýáö곯T:ËX–Èdvû.Âe·VÌn×?Ï¿üúå÷·7?^/¤ásÍ®&áó—¯þr-„˜¿|óåÍ+Úzõæ-
¾ºyy�êù퟼�aµ±ð^xóí÷ß¾¾íßøõö›«›ÛŽÒø6‚+$ó·«Ÿå³5\ê›+ÎTfÍì
+¶û7Á’T8_9äUÛ
+GźØÔ{áÁ2Üxº-›�_ß”
*£4^°Ös^8”H!.7EKK÷;ÿîÁ#…�†–�p\Aý	oíQ Ym³ùŸªb„Ìã‡ÑÒoÕþHϤ<Ÿlǘ¤Ùün8HÎmã`à
‰XØëïi§Ùå«Þ4ujŽûÝ«5Œö©ÅM¢—–
ª¢�eÞ´eí�GB¶Jʺ)WF§0ùEJ½sõÇGœ/KÞÔ!+Ø*¯üR¾ýàG5=—5šŽ�IÍP›Ê€Ê³íEЭ‘²½úîo“ªEfi¶3/aœØ NX^zàU]ý¹|O—_ÓªÓGx¾«÷bËšäáýßî‹}Y8å´�N±k;ò ZDL™©$	.´)ÛB°Žìc�kKl"=ø‹	ŒmãÝ~¬�ˆYþ>Ì)©PJŠ,q¥àài…Í:œ�’#— ?Ëc>È'a!Gqi™�Žhp�Ðq5(ÚMz
Ç"™‚8ähR "‹=Î:´8!]Âùl9ïU´E
+î·ÚÞ¯Ëê½ÇïbЇ½ð™Ð1J5màŽË†»Hé’Ö)qâx¶
Iw(N•Eñ ÑGÚ.•uç��»¸|¿Ü–+”݉N¤#.¸ZqByÁý
+Û9S§¼¦$K2¡/él’rñ,G–Wð¯¸\Ó0Åd}H¶þÜo×tq®²ö0Í=%0bž7ýeÝ2Ÿ–ˆ¿+Ÿvú7½óE]
+Ž“v¢N‘ Rëu‰ÆŒ¬:3äA7&ãP¢?Á¦ãVʳw”œñä¹&!WÆ&E×h6dHHº¯0quW¬Jrv|þÝO´x$w\tÙ=…¨£�²ê($¸ºÔ©¸¹õªËšÑ=£ÚüýÓO‚ré)åÒó]
aŠ|8¼C1B_®#_»Þ—C´2Á]`𘪢X»¸„¯«üÞE
+õ’Šc"DŒdñbTnbBÂëê8¿¨i@Têuï÷b3TyúBá9¨7…

+/ª}µX
϶N‡ø¯=™Ÿ4!µ¤§·¨a)šwŽÙ�‘àsȳÏ'ŒŽGûåškŸ:šÀfØ,ÕÊ�£ys½H8aƧàôš:Èû§ºq‹€tpÝ7¨`J_—Ó¨x¤v–v~•Ä‹#—±8ƒÙäÛw~Í?AÓ]È¥YYuÃB—6Á¬¯ß•Iz >-‚‰ïàÐgEîÅbRC]>ijù‡ÊÝŠgd?]ãˆÛÞ~pÑß©ÛÎùo—.´MÈÑc[gØ�ÂÔ ë@
qQKG¾DØûíµ˜?º²Ë¼uß­·úB‰gÇ$r8GÓŒÍÏñiØXñ
+<‘šGPÎÁž0ÓQÏU®QÓ%>d•£öxw½{¤yÒò~è2«<;pcVÅM]Ü},åûXèj›Cähpç‘ž]²7ÄØçî2í3XîËŸÿ¹Õ(,xbSz(œô…‘Ç
+|_æ«]ûôß;N]W—¼hs²½*!DÚŒSº¨0¾‰Wk7ªéé;•0Ú]», …JXÌQ¹;Í–RÅlØ®·ïPS„	¡wlÂŽ5´ƒ2N<�ää+ á`ÊvE±kqOä?³‰
+I!ñNDÅ/e¤ó=m�Eû$…÷
+Ĩ	ìSgyT©¸¦y32ËÛ>xßUP�‡2Çm‹U[>xHäÍÈõÄ&œí®ûøUÀ
‚Ãv
+“7� `©gŒN¡wbAÎÇü&ePÁ†¬¶ÿL„N|&‚š
+ä•Pn»ÎK0‚:#Á
 endobj
-1018 0 obj <<
+1073 0 obj <<
 /Type /Page
-/Contents 1019 0 R
-/Resources 1017 0 R
+/Contents 1074 0 R
+/Resources 1072 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
-/Annots [ 1021 0 R ]
+/Parent 1056 0 R
+/Annots [ 1076 0 R ]
 >> endobj
-1021 0 obj <<
+1076 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [417.8476 228.9788 466.5943 241.0384]
+/Rect [417.8476 181.7231 466.5943 193.7827]
 /Subtype /Link
 /A << /S /GoTo /D (sample_configuration) >>
 >> endobj
-1020 0 obj <<
-/D [1018 0 R /XYZ 85.0394 794.5015 null]
+1075 0 obj <<
+/D [1073 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1017 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F14 685 0 R >>
+1072 0 obj <<
+/Font << /F37 791 0 R /F39 885 0 R /F23 726 0 R /F41 925 0 R /F14 729 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1024 0 obj <<
-/Length 837       
+1079 0 obj <<
+/Length 853       
 /Filter /FlateDecode
 >>
 stream
-xÚÅWKSÛ0¾ûWx8%+zÙ–Ë)…Жé0”¸½
-g­Vé…³ Œ´QXK`ZyÊÈ
+xÚÕWMsÚ0½ûWxr‚ƒ…¾üÕœhBÚf:™4¸½$9¸F$Ì›X&	íô¿W²°‘ƒ€PÒÎt˜
Y^½]½}+VȆâƒl×^ˆCÛ)p!rídjAûN¼û`¡¥�S9ºÕûÈê�ßAèaÏŽÆV
+ùLšó�'ÀŽäÏ[Bì½eK¸]—q¶Ð]»PïØ8ž§Ûš?Óe„¸@Þ WØðxðEeuG£> A€›;HKôØ
 endobj
-1023 0 obj <<
+1078 0 obj <<
 /Type /Page
-/Contents 1024 0 R
-/Resources 1022 0 R
+/Contents 1079 0 R
+/Resources 1077 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
+/Parent 1056 0 R
 >> endobj
-1025 0 obj <<
-/D [1023 0 R /XYZ 56.6929 794.5015 null]
+1080 0 obj <<
+/D [1078 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1022 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
+1077 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1028 0 obj <<
-/Length 2146      
+1083 0 obj <<
+/Length 1946      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ÛrÛ¶òÝ_¡É“4	a¼"�>¸‰“¸—4'Ö9/M'‘�ÄT$^ì¨gοŸ],@‰2ݤSkÆ
-ƒÀAv·ÿžìš£S:‰‚”E©H¦”"§”I"0Jùßw(òDÀ$÷Cý³®ô‹}þ¤-:Í™þ¢ÊýN³¬.ŸÐÆL./	Ð;ß©;;5¤ð
-ΙŒ"1óhB6é{‹Wª¶ÓÍÀ�ÃF¤uáè>)/‰Ÿu]^&ñÕnWß{]£ªv­›�]Š
-.©Ô®ýŽÖúËxmÕáM2ûMº“ºú�}Mþö’îøKùI•íHpUÕÝV7W°WÔÕÇmÝvKuXé±äþ˜½¢ÊIMŠM^¾'<ú'\@ðXœ›Š¢Ø&ä‘3‹¨…!n£Ûzw©Ö„㔉0ä÷ƒùuC´õ羸S;]u
-´	²gíW€Ùtn¯8§Ðê¬oŠî`Ù´ÐnÞ¾d4½é¦Ô˜ë6kŠÞðhžmUµqÃŒè6f·®>ø¾Øô�¢‹ˆ��EPöä½ÞíÎ [ÕM\¡HbZÐü—&9A×èÙ8É‹5Â1hq»²ôÖú¨¸gS"U¶ës²ÃiìÍ¡:ÓmkÃdMcFÔTw<3Ò6
-‚!æò&tÏ
-™XDËU7ÚгvW(šL7ÈJ™
-KÖûcâf±$îfˉ&Ägqdd<h< ;‡'ȨÜc>’ᮨl–­÷��L\Ø&¥¨ŽhÊŸzœ†»IEC#Â÷#Ë!$â)IcûIlqر!pRPGÊQŠ
-ð�eÏ¢™˜…¢�“Yéî^ëŠØOŸ–�XøÎèØò	nEȤ/ϽgL	_|qzBHL÷IR9XÞž�ð*bS5«Šæ<\¢}Íû½±üÐ×ÕsêÉô¨>‡îy”>q<ÃÃ5&XHUKטpB7à¬ìÛÎ:§>kÚ
ÉÕöUíê8ÞѲ	ŸÅg@ÀÒ4G¼ìªïêŠpFD¬ÓaëðU‡!b¬ø¨±­¦<	EXÜØ‹álsôgX)¸H=Ð8-°åä1ÍW‡N»ÖSÎßürõÂûåeD+Òiitm¤½S­ê;SÉâdþs
íÞdAµM×âµ;i0"ª*¸cºmê_ÒÇNkÕ…:ŸÔ6*GŽd8[w¹3]©p•'¥úR”}9ÜAxOmŒ™mÁ�ˆ#.,ÃE‡/D!15ñÚ‘¬/©á=¦:×#�x\^@/Ô¹„slÉx¸µ±yŸÙ“Š†£a­“cƒf½3LÇNEÝ9U^µ�q<8
þBo+OѸ-Uæ•yd¡+ûò©Xô7¿Þ.í�“Ø›vçÓ›É�¥I˜UKNÏéÂ&öÑñ°~É
+xÚ¥ÙrÛÈñ�_ÁòYeŒ0ƒ{ý¤µd[›¬ãXL^Ö[®!0$Q‹ƒÆ!™IåßÓ=Ý 
Ú�7¥*ÍLOOß(—.üÉe×Küe”ø"pe°LË…»ÜÃÝÛ…dg@rÆX?nWo¼h™ˆ$Tár³ÑŠ…Çr¹É~Y½~wýasûqí¨À]ùbí¡»º¾ùçZJ¹º~ÿúö†®nÞßÓæÍíõ:òW›|¼EˆT	¾øåæþîíú×ÍO‹ÛÍY¾±ÒõP¸/‹_~u—¨òÓÂ^ËG8¸B&‰Z–?ðDà{Þ
+6WWhLÛ5yÚÑiDP§©i[´íH)’ P#	“öM›×ÕwóWþ³ü/Dgø
+!¦`9
Ÿ�“GÀ�ß(O$èb„þ«®XÍmÞ)ÌW]#Òº|qVHzcKµƒ÷…~à­%…,®öÝéÈx¥nÁ¯æÛåÝåɳ«k+Ë«9�É
]£«vgšïµÿÈVêOØJÍÚê0€µÙéß^�ßÕŸLÙN×UÝLóyw?ŸuÛ}.õik¦šÏÆòŸ3åZòê
äì%��µ'…ù¡Å¹«¨h�Ø„<É}
5?�GˆYR`‘j7C8Œ…ò}ɸŸÜÀ­¢m¾ôùƒ.LÕ
T¬ñµ6ÐnH¡Å?Ìæ@U‚º7èYž­ÑMz »|“¦d’J—¦5ÍÃ`e)!C
ÿÕœ�ŸG÷¾�ºÏ“KéÏ»"
+-VÒ¼;±˜ýñîý� í]7gÇÌ´i“o‘§'ƒUzÐÕ~8 vÅÀ±·uõÉuÕ¾o41F B
+FÐüòÑÅÈAw3,4iLÚCÓ&#èc7Y¾C8¦-^WLog.†{9Yy•}F~§ÁÑ>ªm×£DÙÑš5Ý]ÞL¬
€ß̉é*£Mß>�Þæû©{
ö˜wÚ‘“É!eXÉñP¢
+eS	´™¶&ÐÖÐÚ·f×tKn`v‚:–§ŒqÌtgЮ·º&ùýD‡³SÇ$ô7”’Á]øäP÷EÆÂÕUG!Ïb<?ñÙÌ�bÎü(¹�G(	J(Sž_‚—úŽÀwö>`Föf"^æ-¯UÛÛÇ‚’æ�ß`Š0�ð&!@�ætìê}£�e^òÖ>É�îP¥3‚lO´’ÿpge�ðØé†Õë�¦ÉkîVœÈŠ3t˜Qû–žðbü öÔ²‘¾m-~ b•DŒÈR�Rå™#§öT´‡\Óf~|�@6IbÅd�ßf8Ë@Dž8cZÎŒ!®}ÿLæ4CÆ�Ñ>gâ'ƒ7Ö“s1,òŠ«l}ì83ñÀcJ^]ÐT?Í´w³††QD(é,!â9MCºQÈ8â2ò‚
+ÌKÔÂKàÔUÃd $ÏoMeé(ÎýA7†Õû˹üï•nuÊåüƒÎ›©&ï`Æjç§’Æ<TAÎ{ž9«/
φæ–P�|Ïâ1šÍYX±à ÚS2[Ó=S‘^2ö¹J„繃Óq"”3Ò*_$nò4z¦”ð9ŒG„Ô!Ÿ(NÎÞ�Ñ
+^Ebêf›C“Áš‡Gô¯ÝàÀ7Õ?ú¦ú�¦rSª+a~žÄä'¥|«ŽcexÆ¥j3Œ
–nˆîʾí88Í“¡¡=#
½}[}y´b&fqšŒ Æ¢ècç(»î»º„&œ:þ$þý€!BìøYãf2JE8<æ8‹án‰g8iZ¤Š°8pä”!í·§Î£g²z÷óõkç盀Nd3$ÒÒ:Œ‘ÌSoëÛÉÂhõ×ƽنÊC6ˆaÄj70ê*xc§mš_âç^Ýæ
+M>1:C‰õ¾î¹³S©:nJý5/ûò̃6ðEµ·n憥 R±Ày‡ßˆ*Q$ÔLC-ÈKúüE¦»a´NE\–Ã,Ô
ç2,’ðq=c³>å—š–‹c9Èq@ãèôãiP�§™¬j¡â8ðâ…>®Më¡Ô©Sf
C·üé¥b0ú»¿ÝoøÁ(÷žû%Îþ|6ó»™{®×ÿ÷¯t—Ÿ%ýút¬Î?ÀMòËsCjÎ,ÚCyO%?ÿœ÷­èÿ¢ „êendstream
 endobj
-1027 0 obj <<
+1082 0 obj <<
 /Type /Page
-/Contents 1028 0 R
-/Resources 1026 0 R
+/Contents 1083 0 R
+/Resources 1081 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
+/Parent 1056 0 R
 >> endobj
-1029 0 obj <<
-/D [1027 0 R /XYZ 85.0394 794.5015 null]
+1084 0 obj <<
+/D [1082 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 158 0 obj <<
-/D [1027 0 R /XYZ 85.0394 479.27 null]
+/D [1082 0 R /XYZ 85.0394 427.2881 null]
 >> endobj
-1030 0 obj <<
-/D [1027 0 R /XYZ 85.0394 444.0186 null]
+1085 0 obj <<
+/D [1082 0 R /XYZ 85.0394 390.6298 null]
 >> endobj
 162 0 obj <<
-/D [1027 0 R /XYZ 85.0394 287.5734 null]
+/D [1082 0 R /XYZ 85.0394 229.0656 null]
 >> endobj
-1031 0 obj <<
-/D [1027 0 R /XYZ 85.0394 259.9325 null]
+1086 0 obj <<
+/D [1082 0 R /XYZ 85.0394 200.0179 null]
 >> endobj
 166 0 obj <<
-/D [1027 0 R /XYZ 85.0394 214.4637 null]
+/D [1082 0 R /XYZ 85.0394 151.3455 null]
 >> endobj
-1032 0 obj <<
-/D [1027 0 R /XYZ 85.0394 191.8161 null]
+1087 0 obj <<
+/D [1082 0 R /XYZ 85.0394 127.291 null]
 >> endobj
-1026 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F48 885 0 R >>
+1081 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F21 702 0 R /F39 885 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1035 0 obj <<
-/Length 2336      
+1090 0 obj <<
+/Length 2296      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]sÛ6òÝ¿BÓ—HsŠ‚—éƒâ8©{M.W«÷Òö�!‰)E*"G×éï» H›¶“ëxÆ‹Åb¿b¢C&2™DIÀ4z²Þ_ðÉÖÞ\™{¤yëåòâÛ×*š$,	e8Ynz´bÆãXL–Ù/SØÀf@�O—7×ofs)d§—ß/Þ/¯~‚©æ€‚‹Wÿ�	!¦‹w—W¯péÕ»¼¾ZÌ¢`ºüù§«›ÙoË.®–ý;®,s/~ù�O2¸Êœ©$Ö“[˜p&’DNö�VLJyHqqsñŸŽ`oÕm•‰àLªPŽEŠ1¡è„…JªN(‚ÉÙ\pΧoÓ²M¼çSšcÚäUio	´T�Ÿ
-‹UæÉKÄ[¥µ™‡V‡ŠëéÛª¦C7—××D¸9æ嶦ƒ‘5œ|J‹<³7µw‚%Zã݈ªÅŠ‡û嚧uÝî
„Ë�—CaÊm³C`^÷îO÷mÑä‡bp·xJôA/Q<11æ€k�nºṉ&ìþÚÚdÀ‘ 	ÕÕ€¥¸¯šÁ-Ñ9Ší¯Ó+ƒß½3
Ç̶h&c±˜)ŽØ¢¨+ËF$Ü¥Ãhú{YÝ–8DâO��;¾ÇY<m	ÖìGU»Ý‘ö­YÄ’©0‰ál{ä~�&1b«Z² ².ä«#R'ÆÀó"%Ø
ÜÓ=±Pá×_—˜í,&Þ­@Î
‹%†²ÍÒ&eÝ:Ûr^¤B¸?û¢÷ÄËêpB1�´Q‡0¸
:«·cИזã¾/+gtÚzòz——¦~Ìwù®3Ð8DC�5(ãT9;
Àz]ÂœÍÂB"ÃÅÀˆÚÎ$íæ™°n]ªcƒ�½
.ózOvU[dþT„Y;²�ˆ:Öôtíñ¯w؈׾^¾ŸA|Ÿ>GqÔõŽF�)ÌaW•†æ¦Y?®ÙéF‘n®ËMuÜ�hÇ?¡oÂÄ	©¿ú/sz6Ó Hœ^}ÎëÆŸ'£ëõ>Ý‚.1èç9C$¼ì â‰r2`<L4aÙsŸ’H˜Ò‘êQB6å½�i+¢×iÜF‹Î
-êÓ(êܵ>WP	s!ã;•†c$$ÕK
9¼ÊËÆÅv_ûÀ²s[;ðX^áÛ2ÿŸK7
-r¥mÓd-Äô—…½!ª>.Ù14 sÚ˜zRu�nýŽ|[¢”"ç'CÖ-—¶ëx>œÉò
-%Øõæ1$¡#ÂR»^Û¶(Nçc¬òMæBBt&ƒû!¹—õ]*tM;^ÝcT?æÈþö_š�ƒ.CEÙ‚µ?��‡öþsmîçå§S°�2<¶|Ö8JÏL��]\™æÖ˜'Ím…›0h·‹¤¨n°>åwfeÇû¶n�þŠV›ª nwžü,5•g¿¾²‚zÊFä|yvnvfÄÉ…�P�„êÿÍľF8ŽÕ:‚©H$OÕ:‚é(öXTãåwk±ë÷ÝÅÈŠÏUÛý“cˆGJö«,ùd•åE½9´×L�Ö*,Ô:æf¯[
øí�”Â{Oí‘(P^üùw«†·çÖ5JèH�•¦'­hé@R5Šmuß6¸D�-ŒP°ÝêþXÓº|ÉXUú¸˜wsàe•¡eÕ \“ºG
€¦%w.Ü#‚í ª1Èßðž†Ù3/)Ó¥ËùC™òN_Œ
Þõ˜u%,P±zº„W�ô%7È5s—Æ,c5Ðe™¨KY=·ÀrŠSdöckj’”óæÁŽžG8)g5
θ͋G+Zîr›[um@äS0€êƒYS"¡„®XsýhJrq2üªf‡Ø´íÄg`€T‹6ÑÕ9˜Âêa€;§jîo~ÃÛE“.Þ�5.ß¹ÑàrÐa€N÷VÐ3‘uÛݳ„�4PCeÚàs¹eÖ}wC@^Žµx«aðdDÐg]^Zåm[ztÀ.h»±æîö#8X]äöçöìÑ>n!p<A„ÚSñt˜DwŒÓ¥“÷¶$­HÅ´ÖáÐ.‡ž3f#ŽÍp¬¾êÚ£ÅpyÚ ûE�¦"ˆ^´©œÁ· ´öV¹pEŽ/!8«âé’ÇöoV8zD(
-œ>$fN;ëÅ	Á‚ðÍÈ=ù d
+xÚ¥YK“Û6¾Ï¯PåbªlÁx|Ä•Ãx<v”]{½e/q”DItø�Ej&J*ÿ}h
+l$#¥<ÅiH$er´¨®èh
cﮘá™X¦IŸëõìêå[�R’F<ÍV½µB“„�fË_˜@Æ°
fwÓwã	g<¥ÁÍ�×g·?CWR`A†ë7ÿ3Æ‚ë7·opè͇;l¼½½Ça0ûåçÛ»ño³Ÿ®ngN¾¾Œ
+%Ü—«_££%¨òÓ%"Mäè
:”°4å£ê*”‚ÈPK)¯î®þíì�ê©^›0J¸ˆ¸Ç(\øŒ"S	RF™mrPìð{~ÀFѪ/Šû�åøD)/s¥òË·!ë-œ
+ÂY¨äQ+þcÓ´›¨ÿ9yÎdüœªd»+î³ÎÌÆI•v
ðA(Xð¡é6E½Æ½—ÅnÌ’ _t¥sßæ­ЊŒ¾O¥Á|߀MG'D2°ñ„1’JÉõvó¬Í'QˆÎÍëE³Ì—Øi»
+
+{èéü¢ÛYmxÁ<¦•µæk”ÚdhJ«d¾À~÷½G¡	‹cÂ
ÇR§Ø$+ÿ3{y+o>¿Kÿõ¼iÙç/4㟗×?üàQ›טYùûf>cWÉ	O„µØ7ìÉBABH�‹¦~l/gßó#fÇ¡ÅRIbÈÛÑD„�p4v‡#|<a�Áû¬Þg%.÷.¯ó]ÖMí·—*[{&ñP$õDÂq�Š^T[�0@Ëð³ƒÑ!¤§}ÙCÄ›E›RçE×Bñ°Ÿ@×ð™„!*Ídðòé×w7Ó©YX»´5£hعÏÊb©Ó‘žKC‘碒fm»¯0J`¸³v(ózÝm�X´==“ Ú—]±-º%�YÓDÑk4ObÓÄXW¥Ý®5Ü}T €DÌX¨m"%}×x´8ʇ•Ž-ôÖù’¸Åzt]¶�#fZé(~¯›‡›.« �»@CïßÝ8	ö†ÖmðXÙ¯7žpf	'"J“AU…!á	UÈÑ0v9Úìpu#bQf†¶Å
×»¬2"4øµêa]D@ÇF"ä�Y	`ÄжˬˎéFt	À¾Äd‘JE›ˆ7Íöà—ñwàC›íwà1ë--'|_7:è¤Jä€ ÑåÔÕñ™D§‰_†@Ã��Ø.šmŽ4²ð…ƒàà5 †ö."Õä1SYÝn›]‡”*‡®‹¶26;\Ú]‘¦ÂX
-‹�h2XX¾Èñõ6ó„óÛÙÇ1TQÁs2¶Óêò2ßnš:7ý¼[|Ý5¹F×LëU³«<ÎÉw÷˜šÐÑFê�2=K0$voÿ(ÚNq—4­²5xù
+`éJÉ9Äo©ñJÛg­‚¹d„RiÍPgТ©WÙ#€ë(²¶ÀúÄ[]„œ‘$@	˜&ÑüºUµE¿�DÊ_:müB1+×Í®è6•™[e‹Iµ”¯Î�Â*§ãw窉ïpêäd7¼KüýÊP¨;¢µ ü(šªLYèd3]åÅÖY~%A´©ÝoUz+÷)úü€ä×Óo’Ün}ˆQžåsqèbÄœ7÷9ñÙë®ÐE‚ˆBSl«–ýfê#{Û*µR]ŸO¦€o„è8Äå2Öƒ� þ<�' r‚ôI�Õ…”CÖ¹‘¹nêÉC³+Íž(H¶ÌæxWH…F+ÇLQ1ˆP7HÉù‰û�בâ>¸'ÉLåÝCuûb<.äÑ0ýì”{·öüà3•º‰ÁEø	–‚;`»lF¯O\_(ãÉI™¡‰ì=K€7EÝé“Ý>0ŒHi
+C9¹‡h?ƒÆÃxÿ¥Í£òE
+mÀ·lr3£n:ä‚€ë2ý 
 endobj
-1034 0 obj <<
+1089 0 obj <<
 /Type /Page
-/Contents 1035 0 R
-/Resources 1033 0 R
+/Contents 1090 0 R
+/Resources 1088 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1001 0 R
+/Parent 1056 0 R
 >> endobj
-1036 0 obj <<
-/D [1034 0 R /XYZ 56.6929 794.5015 null]
+1091 0 obj <<
+/D [1089 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 170 0 obj <<
-/D [1034 0 R /XYZ 56.6929 769.5949 null]
+/D [1089 0 R /XYZ 56.6929 691.7741 null]
 >> endobj
-1037 0 obj <<
-/D [1034 0 R /XYZ 56.6929 752.2692 null]
+1092 0 obj <<
+/D [1089 0 R /XYZ 56.6929 668.7722 null]
 >> endobj
 174 0 obj <<
-/D [1034 0 R /XYZ 56.6929 663.7495 null]
+/D [1089 0 R /XYZ 56.6929 579.8329 null]
 >> endobj
-1038 0 obj <<
-/D [1034 0 R /XYZ 56.6929 633.2462 null]
+1093 0 obj <<
+/D [1089 0 R /XYZ 56.6929 549.1878 null]
 >> endobj
 178 0 obj <<
-/D [1034 0 R /XYZ 56.6929 587.2939 null]
+/D [1089 0 R /XYZ 56.6929 502.9124 null]
 >> endobj
-1039 0 obj <<
-/D [1034 0 R /XYZ 56.6929 559.4406 null]
+1094 0 obj <<
+/D [1089 0 R /XYZ 56.6929 474.9173 null]
 >> endobj
 182 0 obj <<
-/D [1034 0 R /XYZ 56.6929 362.928 null]
->> endobj
-1040 0 obj <<
-/D [1034 0 R /XYZ 56.6929 335.0747 null]
->> endobj
-186 0 obj <<
-/D [1034 0 R /XYZ 56.6929 132.2109 null]
+/D [1089 0 R /XYZ 56.6929 277.7919 null]
 >> endobj
-1041 0 obj <<
-/D [1034 0 R /XYZ 56.6929 104.3577 null]
+1095 0 obj <<
+/D [1089 0 R /XYZ 56.6929 249.7968 null]
 >> endobj
-1033 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F14 685 0 R >>
+1088 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1044 0 obj <<
-/Length 2916      
-/Filter /FlateDecode
->>
-stream
-xÚ¥YYsÛÈ~ׯà[¨*žÁ`pÄO²%¯½©õndnR[ë}€HHB–h(YI忧¯ÁEÈvUŠUœ»§»§�oz¡à§©
”É¢E’E�UÚ.6û3µ¸ƒ±δÌYùI«á¬×ë³—oM²È‚,ãÅúv@+
TšêÅzûûòÍ»‹_ÖW×ç«Ðªeœ¯l¬–—ÿ8×Z//>¼¹ºä¡Ë¹òöêâ<‰–ë_¯¯°Ge0/
-bY¹þÛÕoç¬<»Zwü
eÐÊ sŸÏ~ÿC-¶ Ê�g*0Yj�ÐP�βp±?‹¬	ldŒïÙ�}<û{Gp0JKçtbMØ4Lf”š9¥Ø,ˆ
¡R.*–µø’ﻂõ-—¹æ»]ý¸:¶y+3¶es®Óe±iËéz¬�»-WoŠ¿¢fàP²Áþj±2a�†)ï<&+µüO\¹¯]«WøÜó꿯˜ðH°	áõ}é|K}ûTåûrÃ
ÞUFÚšKwÜlŠBD¨«Ý×JQF{/‚²äŸ�…kEò\(¹ò®òndyÎ	…àÂOù†‘ˆ£â˜LÊÂA)g¤…Sá-¹
e2’¤Y‹UÙÀÆQ¼
-u6béÄk»Yßbä„2tzFåZ8˜ºŠ”
-²4´xøAñT°� >_iþsÕ4uãæ](Ì‚0V‰¸«N–:ãzS8WVwÜGÑAÇËõÇ÷?pOg÷PßÃÔüŽ|Z
-!0™mÅw-”•,-Š&ßq£hx»Æ�¿‡Yº|Ëù³û5Ç»8¶è!;îWVuµ"·
-aë˜*h^Åå±ú³ª+^…‰

-hÜD)«ûå¬uå„$[	,<!ÙfÆ2Ëöf-$¡"âD-hžøƒþά¹¹©·OsE+$j.__\"*B~î!
B™ó
-¿…iš�¡>Ñ Q¼Z4�^€|N>”<o�Ý*AÑQ�J–Ûš(C9v=ä»3ê9”4‡ý=ÃÑ3ŒÝHO§gêÆhC!"bC×@³*iE³*!ÍΘ9é9²¨g pƒTŤ¤Èú½ 6TqÔ;&Ö'*îW÷*††HY�ʽ
påÖ7n¹dyq:/5yuGj�³¯‡©NÉZy%kÅJÖ=¸âQbLûsÒ�e©l¨b誚¢bí�WsˆÀ”º~ÿÓÕnQdí ÂC
låHzóŒÎˆD
/½nÿA�b´†£ØŠ)bÇÍ8žè
-Ÿ@”ÂYA±ÝBÆ”%yõÄŠá´cÑÓu…Þ¨~{9ø¿¸
7¤¬3ļ7aײj%ñ!T󘸘 Ë?¯1Þ^üº~'0¨q^Ã8}Žª¶Ü€+n‘Ú
-$,‚ªD\†ß¬3	(‰EŠÇæ6¸ëYŸ”±¶&pr*_‘%Š£oŠëÔŸÿ¦ƒrµ]’Gç¿O-ÛbWøª‘"(yEøgÖ¦*)ïýs‡òCY�ê•<¯èÐq¦3º0ÌÛ4Ì­�¿Qe£9“6–&•UÙ–0±Iw‡˜247»’¼ëK¡ìpŸŸN}Õ–òÓ`mï!Söp¥¾‹ÿÌóùX4²úÜwGÙº�°'Ú4°qœ�í*?ˆø‡¦¤×A
-òÃ#÷{Ã÷{,ˆ§,\®†˜—žúûÝÊjÍ9¡z‡e ,œÁL`"zøÃѲ•T¶ágC"À`L&{¼šà�¶Í1ò1{³`dvžw
uQçI”V)#Ô.Œõ°gª7…lÅÏ)ñòⶥ(¦ðI�j>‰½à'”Nb°ð�7
+1098 0 obj <<
+/Length 3185      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ùrã6òÝ_¡·•«" ;O�'™“¬GÙ­T&´[ÌH¤"Röx·öß·/ð2=NÕ–«L 
4�¾!½Pð§©
”É¢E’E�UÚ.6û3µ¸ƒ±oδÌYùI«á¬×볯ߚd‘YÆ‹õí
+n^l6®i¸}YWí±Þáùa3`½Z¬Â(È"ú×ïÞ#[S½Ìw»ú
—§áòÝÏ+Šã¹N—€×5ª
+nóêÎÉü¶fØ�ãosp›ò£R!ÑÊŠ..àFáp¸*Û²®	bfzõ€^é@Ù$‘^¢rÅóàý¼0
’Dg2ívS$i$ãžÜñqK˜$ô›ý1ƒn#‘áXÐܺã¸òPgÑð¬"«€b›-V�ÀÔÓ¡È[7‡$6‰áÝÌÅ&A¬;ÒŠ’ïmÓ–÷®
�0Ö,×ÛYÛå6§Fæ*n¹Ï­«
+º/˜@
+Pb7ƒDø
+?åcFs�¡FwÊñÂ}Z4™ <QÒ,�’T1Žâñ}ÿzž…ËúÄìóG‚ª3ƒ™¥ ³§v†}Ís¸w¨Üñö´›9Oˆb¡�Y¿:Ô»ró8sž
ˆñzÚ´0yï<u`&'+Ò`‘¢0Z€rÚ€ßÁƒÇ»7®Φ›¿.`g3$ã)^$ç
+|-ZaÆAô„¤4X·IO¼^7ë%Bž`CB‚ŽÏÿ¸Š”
+²4´‹XÃ4ŠÒÎCÆâ!¯ŽÇúؼìöØZédy K®Ñs–ÕÃÈ<èØ[<€t‚í=LÍÙóAoC6&‹Ÿ<íZ �‡Kݽ;æ;î¸#owD“féòÝ-äÏî#ØÞ¥aQ
	r¿²ª+òŠdÿþD΂]~È;�†nãŽ@ÆO_! #D
+!Ûè+h^ÅßSõ©ª*^…ž#|ฉRf3Âå®
+J–Bè<"Ùf†ce»…YFJhÈñŒD;ïÄš»›ºp<­q­ ¨ùûúâ
¦HoÀâ |s^á·Ð#B·ã ´'4ŠWë
¡Ó N"òöÔí¡b8(*ªQɲ¨	3ÀH¡tŸïJtMÈçPüÂ'|†%Âg»HÇg‚
+a´¡ ‘chÀY•Œ8ƒÂY•ggÔ™øYä3`¸C,ŽbbRäQl
YõŠ‰í	‹ûÕ=‹¡#'‰,�Â�ʽA@Д…ïÜò—Ï‹Ó1ò¢CÂ"Ê„�­qöÔL…3Õ1Y+Ïd­˜Éº�®x”Óþžt'Y*²àCCWX¬½ðj6ø¦®ßýxõ÷ȲŽv�ÃCdåD|ó„ΉyàkñANÀAÕ’@�("„ífOx€vžÐð¸(Dmˆ³È|¸PI$)Ï
+©}èM¶Z¾�ÄØKʵúÖív{ÒFœâ>£LÜ9Ob�F‰Þx²úK¸OËNˆ;µ¬Êïeïœ
ó$๔/G{¢¥¤]ù®ÝÖ§;¤Î 
.�±
wæ–ÐåÀ—•ÒÌÑ�ÃD·áh¿1	ƒÃ2Šñ
Å?øù7\k49»õÖÍe¿~EY—
+È„uÒÄÝIv'¬‰6
lO<U~�ãŽ%UÁ( Ék8º0’ÞNïñC4eár5y©ºÐ§w+«5+ä`„Ú](f¢ô&¢ÂŽ–­|�e.ŽÅd²WLhÛ-“7ŒŒ*Ϫ�†¶°ó‰•V©¼4@®À¡B¦|ÃQ¬FS5%^^ܶdŦ‘d8 å�ØW\A¹a'ùšò�“‹Å©ì pÌUâN
+cýaÒ±ãIׯª‰ÏñNý)yQhTŒ—ÈKmjäÁ-Fà[Ÿ‰ÿ8aÛG&öRPÎ~©GáôáQàYpb)hÈHî�¬&{@’*âCbÚp̆¡¨}1Þ—$ð}î3eÍAà/A¤¶D‚´Óƹ´9õ±•bâ›÷>\]òÈh¥×­Ü׃qñ°à (èe
+Î&ßÏ&ü �Ù"tíM6t¯%Í+ï‹Ëûrçº(£|p÷ÐvÏ6G	Te÷Ó?
ûÒ}÷ˆ1z–™­
 endobj
-1043 0 obj <<
+1097 0 obj <<
 /Type /Page
-/Contents 1044 0 R
-/Resources 1042 0 R
+/Contents 1098 0 R
+/Resources 1096 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
-/Annots [ 1046 0 R ]
+/Parent 1105 0 R
+/Annots [ 1101 0 R ]
 >> endobj
-1046 0 obj <<
+1101 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [418.3461 669.297 487.0181 681.3566]
+/Rect [418.3461 611.3335 487.0181 623.3932]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1045 0 obj <<
-/D [1043 0 R /XYZ 85.0394 794.5015 null]
+1099 0 obj <<
+/D [1097 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+186 0 obj <<
+/D [1097 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1100 0 obj <<
+/D [1097 0 R /XYZ 85.0394 749.4437 null]
 >> endobj
 190 0 obj <<
-/D [1043 0 R /XYZ 85.0394 648.2128 null]
+/D [1097 0 R /XYZ 85.0394 597.4103 null]
 >> endobj
-1047 0 obj <<
-/D [1043 0 R /XYZ 85.0394 619.5539 null]
+1102 0 obj <<
+/D [1097 0 R /XYZ 85.0394 573.0707 null]
 >> endobj
 194 0 obj <<
-/D [1043 0 R /XYZ 85.0394 444.3683 null]
+/D [1097 0 R /XYZ 85.0394 410.9267 null]
 >> endobj
-1048 0 obj <<
-/D [1043 0 R /XYZ 85.0394 407.9434 null]
+1103 0 obj <<
+/D [1097 0 R /XYZ 85.0394 378.8211 null]
 >> endobj
 198 0 obj <<
-/D [1043 0 R /XYZ 85.0394 220.8457 null]
+/D [1097 0 R /XYZ 85.0394 204.765 null]
 >> endobj
-1049 0 obj <<
-/D [1043 0 R /XYZ 85.0394 183.187 null]
+1104 0 obj <<
+/D [1097 0 R /XYZ 85.0394 171.4256 null]
 >> endobj
-1042 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R >>
+1096 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F14 729 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1054 0 obj <<
-/Length 3094      
-/Filter /FlateDecode
->>
-stream
-xÚ­Ërã6òî¯Ða«F®Œ<Ìžœ±'™d×Ùµ�=äq DØbE"‘šÏ×o7º
‘�Ij·|P£Ñ
-J$š-RÂUÆÎR‚ŒòóîcïšnÒ½t6¯Ü/B¨ÆU8TpWú½{û
=O…ÖLÊ8…¸”qeS�øIƨXÚÚK
-véÜŠÅ•ëVûzé:’Œ€hå…çÊ#eÜýÐ1
(o'Æ·
-Ž�VÞÕOt€?µ�ë’¸¢HR«ÈÞ5È"(ÛŸY¹=ͼo	ݹž‡!J†ƒˆ4é9¦9<¤¢•À+
gÊã îÔ¹}�ðL<2®w;F}
-Äœæùüëw·×DPŒ…Cñ£[×q׺_æß»}¹ÁA·n7LѯK>lÄ4È¿"Úº	„5/ّͯ\×ñõ#óùx÷q·)놶ÊâVÛvHT¹¾¬™±¥ƒ{^jîojYk°ëf3e«²sÞ®³Â[•w]œ%M•B¬"gY¬'ü	ÂŽ)RÍ$펭13pѺé;‚Kúy<
-¡°ì<Ãw¬¿)`ê¦Âkú0�ègBs¶Õcöùšyô·
-g³y¦ñªm0T=q¯hÎ’ÈÏè¼WÝ”
|ŠÊü
ùj*ŠlŠ&(®a¡ŒéÊeû>ÚH°›8[7'Ä¿§›¸„u
etàÕ—Ã)…Ejcc!¹„þÆ5Pô>úã>߃¯NÔ*Çh,CpŠçlªHd–lSUÓ�k/àâO®™Ø2CI‹P¿r1
Eúvì3T�ø+¶ôûD,Ë
tam’É|l‚p 2Öl8f�ÄAFaøn ihç½N‘®�^ÏÁ
’‹—ÊÄ,Aj_1(*T	**˜€cWô‹å<pÕOx=e•%®�Pñ9¿7@
Ck
`î¤	ÜINHÜ<0˜Ì‚ó{]ðxmUóŸ&öc©´.ß»:(�j"4Éå멲¸Õa)@ýóŽ!jN¬2³I!bKõÓ·7ƨŠD«"„Ã×´å~@K>éÐqÆ°!µ ý¨©ÄŒ' tå•Þž­ŽúÝn]S9>€ëB€X9
-‚Œ—f/Á-�ÉA�jl…ÇÓ¡ñ{�¶3Á�0 )™__ćAïvãw@aÞ¬µOù4vâ‘þ

-a+ÓtlÈ+ð˜~CYˆ|q`õ2¿œ‹ñäL
-üãqÚÑÑ\5áy-ý!Œ(p†÷O'Š›jºg¸Îa¹�lB%¾3“�õv'ã_Œ™)7þ<[eI*äÔå&KÂ¥G÷!tþ="dc‰Ü$ÆdgA2,ÊíPJy1¨Ñs¶Äro�󓢸¢
G¾�Û÷þ™gQ4ËäËþtƒ’Uýˆ«Ý {žÈ±À—%áihçJÞŽ¹°±w
-ScvøÛ»Û7ÿøñzª2„"rU.NÞÓ±£ô•Q÷g;.Å×=˜j¬Zb#÷—Dÿ·¾=âÓô¦yÕÈ_ﻸo9–Q¸=û~·0À¸÷jž§ò²JZ�ˆoC®Ÿ`RÛÄš¢8Ó©€àÛr�ÙíÚ¦ªÁ±¼	ÉÏøòä‰X?,}dzÁ˜³�ƒg—÷L²GÀ›±àO{ÂrÑ#bdõ¯
ç×]`©“ª“s;ýÝJa]“™?¬k@ÂY¡C¸»»÷Í”øT’ËTN¾ïøº?=ö-\ §áqEA<,™ˆûH€ÊnŠ
܈øŒûÒSS)–IøÔð˜
LJwEf€®'ŽÃ�”Ç­^-ªW/
-1ôr5ï7xŸFK97uBf ·õúð–BòR�½FšŽ¯Ã^Gçg‡ºæWœ»;p†n¢¡†=¹ÇY‡ÏÑîÔq—¡û©ª0yààŸÃð›ñË}–.²aŸ…ÃØgá
+1109 0 obj <<
+/Length 3252      
+/Filter /FlateDecode
+>>
+stream
+xÚ­M—ã¶í>¿Â‡¾·ž×µBŠ¢H¥§ÉÎl²I»ig&=äã [ôX/¶äXòîN~}
¤%[“M_û|‚$€ø -g~r¦ó$/ÒbfŠ,ÑBêÙjw%fOÐ÷õ•dšE Z©¾z¼úâ­2³")ò4Ÿ=®sÙDX+g�ÕOó,±É5Ì æ·ïîÞ\/d¡µš¿ùææŸ�w÷׋T "’›Û_K)ç7ïßÜÝRŒ"àíÝ͵Éæ�?Üß=\ÿòøíÕÝcäp¸)²÷ÛÕO¿ˆY›ùöJ$ª°zö"‘E‘ÎvW™V‰Î”
+˜íÕÃտ℃^?tR*R$©ÊÓ	±¤r&³DeÐ9”‹.`R­ƒ\@BD¹À–` ÈSÌi‘H©?âÍáyß·O‡r¿©W “"Ÿ—Ç~ãš¾^•}Ý6„k×øÕ,8@Ôͺ=ìuGß}Ûuõrë¨Õ_Ëùæp-í¼=>m·áÎ8Ùƒ[uÿL­Ÿ…ĸ*Œ«"O”²v€ŒÓKX÷r“ hk�dR˜P"Ñl‘i�nªíl!e“ú~÷©wM;é^*ŸWîg!ÒÆUØLa¯ô½û
5Ï„RLʸqãʦ
ð�¬Q	0µ�—ÌÒ¹‹(*×­õÒuÔ$
ÑÊÏ•'Ê8û±cPîN„]É�€ÈÌ»ú‰vðïmãº$Ž°`nžþ]ƒ‚ªýŠ•;`SÏû–Ð�ë	qÜ¢¤fX†h@�ž_êÃ¥@&*¸¡aOyjÄ™:w¨qÿž‰5ãz·gÔG0Ð
awÇ®'ä’ç[·ÛmûÑU ä̘ùWïÞßA1
)¼ÛÔqÖºßæ?¸C¹Å†�]·[¦è7%/6b¤_mÝš‡ìÉâW®ëxû‘y3žÅ}Úo˺¡©ò8Õ®U®/kflé`Ÿ×E:÷;µ¬5˜u»�2‚UÙ9oÕyámÊ•LŽJ–%i®ŠŽÊb3qšÀëè"SLÒîÙs
­›¾#¸¤Ïúœxh[£–Ò<#ï�äå¡Ü¹Þ:<ZÏß·½£.’2AŒŠŒHÒ‚$™ßŽu®ýêž½¥"Œ‡xë::úÚ&6SzlÞ¸SKf”²*¡í§CÄÇöðkÝ<¶â%W}{x¦þöp6à‚Æλ½[ÕÈ‹×2Ð,ŸOƒ.’Z
½ÐA#Õ”Ft’J›Ž4‚––r¸
+Ûí�¹`ÕÈ�½«H6JˆÄäÆŒ…CG]'„Š$M>H~
+K‡8„ãª]Ý€±JPZG�Þd‡DûrÈžwò_´^fSo+"C—Ç#™˜¶évu?åˆÐZñ g�¥`ðËüøW>”*r§3p…eäÞ3`ýN
S7nÓ;yD?šc­³ÏëPÏÚïP%µã±Ԫܗ˼®Ý~p<¶8ásúõ�³Rļöþ
€ªìK<öR„ˆ½¡“ņ1L†²g\³bLŒn9D®9u¶L‘d¹µ!‡x˜övY¦	ŸfŠ<sÆYå¶î)ÚpÚ‚[$ÛEÉ%…Ìòa¨}ëÝF–Î[
”ý@®á½_Âo%’ 	ïý`8ä
+Éùó×®�l ÷¾çùNêÙ´N”±Á3Åeévn
+6¨ªéà\/`ßO®™˜1ÍŠ�ºr&
ùùn|`(ýð;léûDŸäÊÞsam’K3ö¡èm -&lØfyÄ&EßÝ@úÑP#ö{•"];=ž=D/•‰^‚>Ö>]H)G%¨¨`	
+
+ЦüàÎè 7"¨‰Ð$—¯§¼.zo«ÂP€úç=CTœYen“BÄjêÇïßßM#TŠ*-‚/|MÓQà·1
+
´ä•Ž‡â
+Ò�êIwòVéíÙª¨ßÝÎ5•ã8)ˆ•Ó/ƨ’ì¼@ÿjÏ2¼ÕY}k¡€Ú>µV7;jBå–Ç:´’DøŸÓ4ÛÁ^KÊäå�|ëÝ~ë€Ñiµ$Xð:‚ßÝ=¾ý�ƒìf(YÛnrÂxÙ¿¸yøæF¾”UBÑo¡Dc¦Æ‡íÂY”ô1¹…zº-væ¥×CW~_•ðVSŸ%îS‰òš0/ë¯IBa�:þ’'µª…²àA…ÑÃ:v£‹üÌ¢¤oäÜ#—ô…½1‚©½Å{hÄe2íäG¢¾.@”¡U
yJ¿?ú +b½á;HÖùâ¾ìË«ãÊU_NOæ") cq|7æë¯Bè¿ÊTe:AmLä-&OŒAö¨ô‰H@µ—¿´WÚ€Ó±
žV‡šïZÎBƒžd~ºve?X�Ÿ
…Ux£V>ÞS;X‰Gúò�%5½ù!ЗOx™“ â,Ùü©èIèyö¼°·Òû­FŽG{%ª2;¸Š›¹Ld:måSöcU’Û<ÜFa¦fFžK7\MÑ”fÈPo^F‚:,ù?n5Ï£/úð
+<ß�"/X=ƒ¸/çÁb<9¹Àât4‡|Á›Hk“‰Œ÷–§E"R}’0Z�¿õ#N;Zšs&\¯¥ïÀ
B‹â
+Jb±ß„щÖù…“ƒxƒŒJÉƒÝ°í –Ëj÷
ˆâ|PìùöîÐû>ìEÑ,�-ûó	JBTõG­Ý p®È¾À'%áVhïJžŽ¹°±p
+RËâV²³´¡†AˆdÀßÀÕöXÑ…¡}É­©T%Jhõ™Co’¼°ùèÔw´Ê±Ã.%™!ƒû_Þ½ó÷n§ÒzÈÀ!Õ0âìo|ZÛýÙj9åjù
<ML9cþ#ç³ÿ¯šýÙïÓs™ä_3sÍyJ�qz¶)|nÒÀ¸nnž§²ª4�¤7Ø$_A_2©lbuQ\¨T@èl¹>èömSÕà½
	Éï/òìmX?.}µÉ½Á–Û²�ƒû²‹®\ò�€.¶bÁ/CÂrÊ*b\ôE—Û]`¢š¥ÙØzÞO¿7¦xý%T,!/§[°*¸FœEMÉ.MŒ•˜Û‚Í‹Õûû‡w_¿4‘È'¯÷üíj …·§"Þ®	.±
+UˆÄuV¼¼Ô)e	ç/>–|}Ä[¾¸»¿‡CÔMT�4ÃðF‹Ó
üIT¸ ;?ðËPñVUè‚èô7 ø�piKìOD“"VØØŒ66ð8uRÈ(L0”lÙuÇ]‰¥¶â§s$ôuJAï¡þœ.ºj2˜dàJU>¨¡“Ï•ÝPK'ºÈO1ta øŠ#~Õ
Ä9ÖsåÖåqÛ³ºÊp�0ºÈe©ó['‚|ËÅežÿ~(!ˆA§Ò`xË0zDúÜMç8kO&.βºóhB×íÄe
++â~Ú;Ä(>õw¥üÎÄŸoDÌvþç¿úœþÝ’QÖ¦§ñŒ“<Â�I˜)Üvš_pþtÉú
 endobj
-1053 0 obj <<
+1108 0 obj <<
 /Type /Page
-/Contents 1054 0 R
-/Resources 1052 0 R
+/Contents 1109 0 R
+/Resources 1107 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
+/Parent 1105 0 R
 >> endobj
-1055 0 obj <<
-/D [1053 0 R /XYZ 56.6929 794.5015 null]
+1110 0 obj <<
+/D [1108 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 202 0 obj <<
-/D [1053 0 R /XYZ 56.6929 769.5949 null]
+/D [1108 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1056 0 obj <<
-/D [1053 0 R /XYZ 56.6929 747.8139 null]
+1111 0 obj <<
+/D [1108 0 R /XYZ 56.6929 748.4014 null]
 >> endobj
 206 0 obj <<
-/D [1053 0 R /XYZ 56.6929 540.916 null]
+/D [1108 0 R /XYZ 56.6929 549.4516 null]
 >> endobj
-1057 0 obj <<
-/D [1053 0 R /XYZ 56.6929 511.3349 null]
+1112 0 obj <<
+/D [1108 0 R /XYZ 56.6929 521.7105 null]
 >> endobj
 210 0 obj <<
-/D [1053 0 R /XYZ 56.6929 239.6059 null]
+/D [1108 0 R /XYZ 56.6929 231.5025 null]
 >> endobj
-1058 0 obj <<
-/D [1053 0 R /XYZ 56.6929 207.3747 null]
+1113 0 obj <<
+/D [1108 0 R /XYZ 56.6929 201.1114 null]
 >> endobj
-1052 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R /F48 885 0 R >>
+1107 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1061 0 obj <<
-/Length 2903      
+1116 0 obj <<
+/Length 2902      
 /Filter /FlateDecode
 >>
 stream
 xÚµYI“«F¾÷¯èx«§Ýˆ¢XÃ1mOûÚl @b‘
-�WýÀ«,0,TøWIá�«῰¯6¢µ_@Æó‘3}<rÕÕ—êw(½*Œ"r⫺{�%3¬,ƒWÕüµÒèÔ&jkööÁ	l…gÞ>‘­Ôš‹7
-lr݈nf„Õ->†�évɆ€™òýæ%[

çGÎB%"ÑøiÆhk�o¬'I¨HdåÊOØQÚøð
-ºˆâ,\ÈüJtâX
 Â?‰œˆl–Ø<¹py+ɈBW™ÄLTKý!A•
-”¢4’°È8³^øÔ<óúTàì_�l”©â×ÈÆ›˜VlDîö3;éÓŸ™ÝÍì÷�…Ñ3sâ¸Lfhœ}Ôl˜"ɾOºj�ç°`	VêÝ>i£“µü3~*Å¬(”`†äPˆ&‚0¡S¨8»»”N⳪žd%&cÊç…º™‰%§SD¢Ç6LÌ|‹æHÎâ�~Nœ0rTn/W–Ƙj†t
-«‘w²‡Ì
-¬¯ñPߣe¸8‘¿‚\DÈg¥¤•žLæçÚ’®YÛQpâCß+¶EÏ"B"A�È�‹
-|ŽÍoÌ7*™$:€O�oõÑš¿FË!»Þ{ce²Ñb•®ýp›Hq«µëCÛmÛºz�÷nQûpë-ÃÍYìJ“{ïL·F×m‰%-à
ê–bßx­
îíZÇ[õÍ_w�3G¯÷ƒ‹Ñà4Åß8S;š`‡ÕNÍÜ�,yà½à¾†eλ§Ü*åÞr\kª“ûü¢Xº¿—@žtÚûú@_$ëË¡ê¦vܯmg÷.îZ^ä¦~/KÜá”7‚Zc&©ù�¯×uI›U·V³“w©®–sW\ùao°m+sãdHžÄö›'ﲚÁa™ŽUOÓ³íÁ²AwÒ›»¦ß‡›´áy¿š÷·{«ÊóþÙèØÁUöÖn˜œDÑî‡ætÿ^*Ñ­q ¶Ó–tV”å] tNÞ­éÜÖÓ)Ç~Ÿ*Òü}Ð×ÔãÔ8qÒLª©°ºœÙô67ºeV�NWãÎïקM“ÛMMû¶5šjÃÓØƬnº®•†£ûª
¿ýR|M¡îý{AŽC›„©pxžóAôY¯~Š.tÅ5éKþ¥ê•ƒ
-þÎÿJbp"dX
-Fd¯ªýa«mVKMtÏ—ïü©×Hͳku·óvøÕ°fÌÞo®ÎQƒ®6¹øÕ0]Îäú²ê,Íûø”™8o¨Ž×ÙÁ›»ö¬æ6©†`¬NY¥Æþ3�÷O§ýß>½wß<¸é
-¹›á�þRÙ—Ð]‹“„g39]æ˜îè£ÖlÎ&5fÔRÿ(Χã`Îß‚j×kÇú¤·¡}¿·±9Òo¬@žž6Át:­QuÀpä;ô£Ã‹èÝ8m5µ�°.§­{ïG½ÅÞm;…ËëH›P4Ø2‡'ñ}}Ú&ÃñíiCnÜûá~X]Ñ‡íª¥g˜¶5»úØœ³enNÇ]±nOâëûzcÞ½õPïöÚ;~È›iØï:ws“N¹ízíÓi™ü Îz
Iñ0]÷;�µ5»Ð�'·}wºòÍ“=îµOïtŽk³biÃZ¾ƒ›½î9JÔèî´q¤Û·Á¤Í]Vj³:«÷&T¡6(3BêôÖ�žSÛ4…� ,.ûù$Þô:V³¡¥Ëut™l¬xÓìÎ.N³Y¶¿ÀÍû—­cYjOóÅ–s¸§ÉhÄÍGŠ8�ä}ÕíÊî¶ûRoþû—\2Mú'ýd_~z\Í0ÌûÇ¢P‡°ìÿ
¶H¦¿ýoÊçHH=(ËÜç%OŸñ—stÎÏ•"$}Õ¼øÛåGÕÿôtúendstream
+�WýÀ«,0,TøWIá�«῰¯6¢µ_@Æó‘3}<rÕÕ—êw(½*Œ"r⫺{�%3¬,ƒWÕüµÒèÔ&jkööÁ	l…gÞ>‘­Ôš‹7
+8?r*‰ÆO3F[ƒ|c=¡HBEb  +ÏP~ÂŽÒ†À‡(¬Î�„c”Òá1t1¨„=ü²£Ìdº‚×b›Rò
+d%šÏ8!ÊK–e+�0À!aŸ#3·¢‹•á‹äpÈnaŒå¨o
+WÁJp©¨o=«ØüÁ'�AÅd@ºOCë‹d
+r!ŸÇa–ÿO–?Úô
e…�"Ÿ]îŸãÌ�ÛÂÝ_<šZ1ñ#HŒ¢ ºô8”Áÿ
+QÐE”gáBæ·ˆP¢Çr
+#¡¾•±2%f| ŽÆÈ
+¾3 7^¬½"º�ü‹ˆç%FæXtÑDG°<a®’€/u¸,2)á„�ëó@˜…¸ìa±}‹v0�Ü?¸’å™Ü‡yºß@—�Sàsl~c¾QÉœ Ñ
|z|«�Öü5ZAÐØõÞ+“�«tí‡ÛDŠ[­]ÞlÛÖÕë¼w‹Ú‡[onÎbWšÜ{gº5ºnK,i
P·ûÆk
po×:Þªo¶øûº{œ9z½\Œ§)þÆ9˜ÚÑ‹8¬vjæ~dÉè÷5,sÞ=åV)ð–ãZS�ÜçÅÒý½¼
+uïßrÚ$äH…Ãðœ¢ÏzõS\p¡+®I_ò/U¯Tðw6øWƒ!Ã(=£`Ýtÿˆz¯�_¥"dR»¶j5ý63îÆv¶Ó¿´6u1l5Wï;ŠBë¨ûh	6zmæOœÖfCÕ0+~¹»ÁµâîìÖù$]6Õ{{£™­öh™¾÷6÷sÌzÚ1¹ÚûöÕÑæ@äΖïõµí¶,8ƪ1”�ו·g[î
+†Íïßó<oõ15@ëk»ªß�:—ÝuÝ©Ö-Žk�²Èð"7è÷Ž`lóéõ>V–¶7<Hûín	¡­õ/n¤v"Nh¤¹:Õîõ­ Å·Ò“’ìÙAªj�$°wm¬§¿§ï7¿¶ØL8ÖµU÷æU00"{Uí[m³Zj¢{¾|çO½Fjž]«s>œ×°Ã¯†5cö~suŽštµÉů†ér&×—UgiÞÇ— ÌÄyCu¼ÎÞܵg5·I5cuÊ*5öŸy¼:íÿðîý¸ûæÁMÏPÈÝ$ð—ʾ„îZœ$<›É1øë2ÇtGµfs6©1£–úGq>sþT»öX;Ö'=¸
íûÕ¸�Í‘~c%0
+µA™R§·îôœÚ¦)eqÙÏ'ñ¦×±š
-]®£ËdcÅ›fwvqšÍ²ýnÞ¿lËR{š/¶œÃ=MF#n>RÄéì ï«nWv·EØ—zóß¿ä’i2Ð?è'ûò£Ðãj†aþÛ?&…:„eÿo°E2ýíS>ÿ@BêAYæ>ÿ(yú¬ˆ¿œ£s~®É é«æÅß.?ªþÛúÞendstream
 endobj
-1060 0 obj <<
+1115 0 obj <<
 /Type /Page
-/Contents 1061 0 R
-/Resources 1059 0 R
+/Contents 1116 0 R
+/Resources 1114 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
+/Parent 1105 0 R
 >> endobj
-1062 0 obj <<
-/D [1060 0 R /XYZ 85.0394 794.5015 null]
+1117 0 obj <<
+/D [1115 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 214 0 obj <<
-/D [1060 0 R /XYZ 85.0394 717.5894 null]
+/D [1115 0 R /XYZ 85.0394 717.5894 null]
 >> endobj
-1063 0 obj <<
-/D [1060 0 R /XYZ 85.0394 690.1986 null]
+1118 0 obj <<
+/D [1115 0 R /XYZ 85.0394 690.1986 null]
 >> endobj
-1059 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1114 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1066 0 obj <<
-/Length 2379      
+1121 0 obj <<
+/Length 2380      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YKsã6¾ûWð°ªÊBð"H:'gÆ“8•õxmMö�É�¡1w(RCRÖz«ö¿o7¤(šv¶jì*£
4�~|hÐ"àð+‚È0“Ê4ˆSÍ".¢`½=ãÁ˜ûùLxžeÏ´sý´:û჊ƒ”¥Fš`µÉJO¬ò?BÍR¶
-F‡ê/Ç’Ý¡ nŽ!‰\°?xRˆ8¥3Õ†ŒÓ°Þ`›„Ý£øº�<´øç¹¥©²h;›ÓlQõìEK#v¡xøïl»+-Me�—ô´�Qˆ�¨t^W4¾ËšÅRó°+ÖûhHÀó‰M]w44RÇk൪€c& G›N¡
85I“`ßWÁQj °Ž¹ü}QªZߪ"š)mä8£8àŒuœ€�œ#p>õÀ¹ßíꦣŽsß4�Ñ݇˜T&’€àÄ3ó›Í¾,ÑÜ„-Ioi"+K"Öû¦Yˆ$´UGœq˜ÛÏœËÊʨ›mK2\Â�ר*ÛZ¢ºÚKÎsØúEY•ÏΗ…”uýu¿kÙ\¼\{Ë
-§;PYÙÖDí[ëïšÁš£ÝlKC�çÞf_=û·½mŠ~úðh½Ñ›E¨¾P¿öãY5Ýe�íº±Ó>Cúm�ÊÇ,U2qʨ!“¤ThÍCæËiÀóJ&½a<¥Æ»m!–êÊù	¨Kø!Šº®In‹YÌEx÷áM+eQ¹Ý�$ÏžVÀ0e3dGÜeã÷0³;œŸ:ˆŠ
r´IÃuY@8-Û"·4Б
��3N6´Ù4xÈ<‘­ûp‡;ú°d[?Y¿åÆ�Ô[Dœ!i`Ëeâð—ú`ŸlƒµƒC0fûî±nŠîÒ';o½+rEÒ‡)P­m@Xë;$�e�åDý‡`(Ì¥ÒzÞu]uYáúdÞd0
9'&+HÈÎÚg糋"Ô^)°u{°
->1tȺ3¢ç='GžÃ
-ç3{œÖ/µZ0)¢t¤mQu3ÊJ,ž†Š‰´Å,Šãð£ÛÔí�n
›¶¤Õ&²÷	P)MxŸPQ2R-ÿPTYóL|eö`Kçgslj:˜Ï`)�ù&
-¿Võ¡"’°Âx©]Û5ƒØ�‚XÈÁç„
-ûŽFGÀÑ! ô‰%d$ªæ7x¤�€ÇZ¿÷ºÆ‚ª³MÑš¢pçL‹�g’ÑÙÕ]&ü{V9)2Ìv»²X»:¿¥ŠÅÁÄFöaŸ×Ô­\!ľ/µ�‡ãÞè@&ÉàDcöíÛÒOm)}í¹7y/Ý]Ç3Ç"înßTx¶ÔÝ�ØZB4Lwìj¿
-c˜,/<+”Ÿ}åI�®0zy'øí†È4H¥Ôb#EˆM4nM†
·K
�R„ßs÷ÝîóíÌÛ¾Q
-Œª	•æ©°ßÛxÐ}´Þ’{ÜÔâX£¬Á¾ÎΧk_©‚ÎýZk§·Š8<	˜x$”{<ÓdóÅ?oîF¯Þ�9^пÓÆÀ7•‹¸‡ë¬èkªK&™xñà1¬ƒÂ,þÅÛ{àú-^JC-˜Ç>1~Wº“Å©;"<Âx<|æ¾^¿‹RÊÿF7u>µÇ›�J3 îðÞƒë|¾vÁZЋ`E5XÔ;(�!Bªñ¢É%Jcî……¯(jð¹&0u]fÀ+x±ÉÆOêpVª+.\”yj_•ÅW{"DO¯RÕ¼!¯ÝÙu�ydÛ¹<"ŠÆbγa|ú<ò5Z¾¯ÂOU@dü˜t–Àçä�“O4è�”%	¥éß>Þ]ÿŒŸ®ð+‹_Å
-tÒ“'--$¤ƒ�Þ:Û­…k"wŸÜTx½ñ¨¡ãà:wá¹™ŠZŠ œí†ÐEôz82CT¼~1ŒCÜB—×Ñ¡h±óþ½×=ÎxKoö¡N¹¸ØÀÏ…H
ML´•‰}q7:ñ‹²v‚µ£3ÍÃT’é(–=>˜
ä>ô/Îz:¼�7® õ9	ñÿ2þ鬊Ó#Ò‰ÂÎ~Gmæ'O’
-?Qù=‘ê#Ïg�Ù¥XíÀÕXu¾ŸõùŠ�¶€$y&zT¼çNª	ÿµwQŵ³»Wdî¡!æÁûî¥ë5”ÓÂ}…×ÝlÆ`DB"zÆ^gÈŒ}Ò]„£Ã™ý�÷eç-ª]
™¢c$È6
-£”òåjÎ$PšÀƒ
+xÚ¥YKsã6¾ûWð°ªÊBð"H:'gÆ“8•õxmMö�É�¡1w(RCRÖz«ö¿o7¤(šv¶jì*£
4�~|hÐ"àð+‚È0“Ê4ˆSÍ".¢`½=ãÁ˜ûùLxžeÏ´sý´:û჊ƒ”¥Fš`µÉJO¬ò?BÍR¶
+âæ"�XÀûƒ'…ˆS:S]A`È8
ë
¶IØ=ú�¯ÉC‹ž[š*‹¶³9ÍUÏ^´4bŠ‡ÿζ»ÒÒTÖxIO…X��JGáuE㻬Y,5»b½/�†<Ÿ(ÑÔuGC#u¼^«
+8fz´éÄÚ€S“4	ÆAð}q…¥ë˜Ëßõ§¡ª5ð
¡*¡™ÒFŽ�3Šc
+-˜Q:Ò¶¨ºe%OCÅDÚbÅqøÑmêöG·€M[R�jÙû¨”&¼O¨(©�–(ª¬y&¾2{°¥s‡3‹ˆ9‹ãD�Ìg°”Ç|…_«úPIXa¼Ô®íˆAìÀ
+A,äàsB…‡}G£#`ŠèÐz�Ä2Uó<ÒNÀc­ß{]cAÕY‚¦h
+MQ¸s&ƒÅˆÇ3ɇèìê.þ=«œf»]Y¬]�ßÒÅâ`b#û°ÏkêV®b_�—ÚÎÃqot Ž“dp"�±ûömé'�¶”¾öÜ›¼—î®ã™cw·o*<[êîNl-!¦;v‹
µ_
+7�&C‚€Û‰¥†@
)Âï¹ûn
+wƒy�væmß(FÕ„JóT؃ïm<è>Ú
oÉ=n‰jq¬QÖ`_gçÓµ¯TAç~­µÓŠ[Eƒ‰L<Ê=ži²ùâŸ7w£WïÀ¿/èßicà›ÊEÜÃuVô5Õ%“L¼x
ðÖ
~�Å¿x{\¡ÅKi¨óØ'ÆïJw²8uG„G�‡ÏÂ×ë—`Qª`AùßèF¢Î§öxóQiÔÞ{p�Ï×î Xz¬¨‹zç
2DH5^4¹Di̽°ðE
>צ®Ëlp/¶#ÙxáIÎJuÅ…‹2Oí«²øjO„èéUCªš7äµ;».0�l;—GC¤CÑXŒÃy6ŒOŸG¾AË÷Uø©
+ˆ¬‚“ÎÒøœrò‰’²$¡4ýÛÇ»ëŸñÓ~eñ«€=›;ÂcÝB†ÆXðÃVšÓ‡/ìöá€cÀ".ò‡äâB¼¨‚üÂÊG)í[)òß²¨–dœÙÂM�N@zòäÁ¡¢¥…„t0Ð[g»µpMäî“›
+¯7^5t\ç.<7SQK„S£Ýš£ˆ^GfˆŠ×/†qˆ€[èò::-vÞ¿÷ºÇo	aàÍ>Ô)ø¹) ‰I˜ö 2±/.âF'~QÖN°vt¦yx�J2ŲÇ3àƒœÃ‡þÅyCO‡7ãƤþ#'!þ_BÆ?݃UqzD:QØÙï¨ÍüäIòà@á'*¿'ÒC}¤àùáì1»«¸«Î÷³>_±Ó�$ÏD�Š÷ÜI5á¿ö.ª¸vv÷ŠÌ=ô!ļ"xß½t½†rZ¸¯p㺛Í,‚HHDÏØëƒ±Oº ‹pt8³?ð¾ì¼Eµ«# Stì�Ù 9µØ¦.Ëú0øâPïK¿�fý„¯b*r¹f1“"÷ôÕƒ©1Ľæ_a”²C¾¼@Í™JxèØ[çm`2‹#Õ'›‡o2耵_EQÎNöÀrh…ëIvâÉ)Ä
+Æßú…ìK`¡5¯£ïíê=ÀÉHlŠåsÇ!¹õ|ÑÁ8øî/¿ ê˜)¬’f«xÝaõ¢z¥œ³’š÷ÿ‡x©úÿ
 endobj
-1065 0 obj <<
+1120 0 obj <<
 /Type /Page
-/Contents 1066 0 R
-/Resources 1064 0 R
+/Contents 1121 0 R
+/Resources 1119 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
-/Annots [ 1069 0 R ]
+/Parent 1105 0 R
+/Annots [ 1124 0 R ]
 >> endobj
-1069 0 obj <<
+1124 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [349.4919 384.4828 408.4801 395.2672]
 /Subtype /Link
 /A << /S /GoTo /D (ipv6addresses) >>
 >> endobj
-1067 0 obj <<
-/D [1065 0 R /XYZ 56.6929 794.5015 null]
+1122 0 obj <<
+/D [1120 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 218 0 obj <<
-/D [1065 0 R /XYZ 56.6929 594.1106 null]
+/D [1120 0 R /XYZ 56.6929 594.1106 null]
 >> endobj
-1068 0 obj <<
-/D [1065 0 R /XYZ 56.6929 562.6395 null]
+1123 0 obj <<
+/D [1120 0 R /XYZ 56.6929 562.6395 null]
 >> endobj
 222 0 obj <<
-/D [1065 0 R /XYZ 56.6929 370.2937 null]
+/D [1120 0 R /XYZ 56.6929 370.2937 null]
 >> endobj
-1070 0 obj <<
-/D [1065 0 R /XYZ 56.6929 341.714 null]
+1125 0 obj <<
+/D [1120 0 R /XYZ 56.6929 341.714 null]
 >> endobj
 226 0 obj <<
-/D [1065 0 R /XYZ 56.6929 214.6004 null]
+/D [1120 0 R /XYZ 56.6929 214.6004 null]
 >> endobj
-1071 0 obj <<
-/D [1065 0 R /XYZ 56.6929 186.0207 null]
+1126 0 obj <<
+/D [1120 0 R /XYZ 56.6929 186.0207 null]
 >> endobj
-1064 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F62 995 0 R /F21 658 0 R /F47 879 0 R >>
-/XObject << /Im2 984 0 R >>
+1119 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F62 1050 0 R /F21 702 0 R /F39 885 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1075 0 obj <<
+1130 0 obj <<
 /Length 1913      
 /Filter /FlateDecode
 >>
@@ -3645,249 +3836,246 @@ stream
 xÚ�X_�Û8ï§È£h\KòßÇöfoÑÅ]±èÎ>]ïA±•‰P[ÊFöäæÛ)JNœqºE€˜¦(Š"©)³M?¶©‹4M¾©š<-2VlÚá]¶y†±_ß± “"-r!àeet[ˆ:-j^m¶×J>=½ûðOÎ6<KË’›§ý¼VYÕi#òfóÔý'ùÇAGuzØò"KŠ‡ÿ>ýFÓò´ª+†Ó2X¢H«&«ý„§ƒ"áOŸ¿<ÕÐã_úù0žþã«r¶
åQ+ËS‘—<h-EZ•™Q¤ìa˲,»è¿¯.ïNòôt‹M“6%/ƒj^§eÕ2ø¡É’“ìô¨­‘}ÿ
 5e"�Ç^·™Ž8ù¢�ª’�R†x½6ßUGôY�—Äpã´#êôÀêd6�&’y^~<È1LQ¦s×sÚéä4­[&�_þ 	MꤕÃÍávK›¢à~;£¥ýKzô¶•=‘­lÚ<Ó‹‘Cð£S'´ªÊ“tÖWA@Æ ¾Ï¿¿”[
«[Ó*¤ªD›Ñ[g»©ÅÝã¨QglípìÕÿôøJ lid<(bÍî˜Ð½Ä;’ÆV9÷þa霸©=ÐDéHfoûÞžý�ý1Ö¤6.ˆšnÍ+�_>þûØ/¯£_­v¸Üσá*qz˜úQe'Gzk¿OGµ{â�Wr¢æ‰ä(Ï꺰C§\
 veÒÖNϬ—ê¼g�¸rÞÊ.ÎèŒÈ¢h¡Á¾¨îý<æBh%�ÒË�Þ:z³á˜èáh�Ó»>HÅôÑhÇ L8[Ú,²j¼œ—�D>Õ/…T¿—T„
¬ñØ€0š&îm´Ù­4DÈÞY¢Bž¼è.ÈÜ&ò0§5¤RP¦†³à÷öÆ'çSʯ†í°ÓF^b ®Æû+ìY‰Óò¸ó†_Ž;oDHàJz+ÞI©!úê`Dñ:™Œ¡£Q�’â™Þ
R-ÅãT!pº 
-M&PÄqíèÙi7jÓŽ4¾§Y�yŸ"A¦͠ì‚d,"û©ì±‰kkÒ;¥)ÏR^Š:”&JÓ×9*—“²,J�ן©IW؃È!6Š‚O
+M&PÄqíèÙi7jÓŽ4¾§Y�yŸ"A¦͠ì‚d,"û©ì±‰kkÒ;¥)ÏR^Š:”&JÓ×9*—“²,J�ן©IW؃È!6Š‚O
+q¿–D"mX•
‘¹ÈjmËúÿ@CH®2#¶¦È²&RØš8"u�£
+:åô³¡&Ä«»Û†ý5é˜âB€û}Ye¡ødÉ �°]B楖x¬†Í@”üizT(þ¶Úxe訳vTn3o-òÁa^¨ª1ü8Háã=ô6³¶µ{Ó‘¡š»hW”P·Šj‰v¢æwЮ„Z[Š´»ƒhM	5ƒ©º¡s?‡+ì
+ïp,'èñ+)jä‘jåQúk ©ï¯‘ÙYºÝÕ¡�Eâ¦Á§âÛð´â·I-§Ñ;ÀÍÍ$b®»Ö¬Ý‰ÜQµ㩺›{JýÐà4;,ÿ‰f`¨º


��‡W$‚7€Úù«1[Ë/¥nÆÏX	 «EšQS£»»·ž;šWïP{“øÄDN�)�ój=u”ö¬ÊùßC;»òÕ]Û Ñ_;Œ`ÝÄF
+q…7ÉGb†N0bèKNôJ…$ȳÈBÏ"g¥OØêåýµ	G’^—=Ys{}ñJE½Ó6l`‘“TÈ‹«Ã}%­JüŠÆ‹ŸêIÙmS:_Óß	Р*çóýÃì(š´ªŠúºWy÷ËÓü-1~!EŠß×¾6F‘íE†>5.NF�¸áb¼¹]mþpùv¹ÿÐÆ�}endstream
 endobj
-1074 0 obj <<
+1129 0 obj <<
 /Type /Page
-/Contents 1075 0 R
-/Resources 1073 0 R
+/Contents 1130 0 R
+/Resources 1128 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
+/Parent 1105 0 R
 >> endobj
-1076 0 obj <<
-/D [1074 0 R /XYZ 85.0394 794.5015 null]
+1131 0 obj <<
+/D [1129 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 230 0 obj <<
-/D [1074 0 R /XYZ 85.0394 769.5949 null]
+/D [1129 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1077 0 obj <<
-/D [1074 0 R /XYZ 85.0394 576.7004 null]
+1132 0 obj <<
+/D [1129 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 234 0 obj <<
-/D [1074 0 R /XYZ 85.0394 576.7004 null]
+/D [1129 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1078 0 obj <<
-/D [1074 0 R /XYZ 85.0394 544.8207 null]
+1133 0 obj <<
+/D [1129 0 R /XYZ 85.0394 544.8207 null]
 >> endobj
 238 0 obj <<
-/D [1074 0 R /XYZ 85.0394 403.9445 null]
+/D [1129 0 R /XYZ 85.0394 403.9445 null]
 >> endobj
-1079 0 obj <<
-/D [1074 0 R /XYZ 85.0394 368.2811 null]
+1134 0 obj <<
+/D [1129 0 R /XYZ 85.0394 368.2811 null]
 >> endobj
-1073 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1128 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1082 0 obj <<
+1137 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1081 0 obj <<
+1136 0 obj <<
 /Type /Page
-/Contents 1082 0 R
-/Resources 1080 0 R
+/Contents 1137 0 R
+/Resources 1135 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1050 0 R
+/Parent 1105 0 R
 >> endobj
-1083 0 obj <<
-/D [1081 0 R /XYZ 56.6929 794.5015 null]
+1138 0 obj <<
+/D [1136 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1080 0 obj <<
+1135 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1086 0 obj <<
+1141 0 obj <<
 /Length 3113      
 /Filter /FlateDecode
 >>
 stream
-xÚÍË’ã¶ñ>_¡K*šªŒ7�ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
+xÚÍË’ã¶ñ>_¡K*šªŒ7�ÍiýØd}p{o¶«Â‘8#ÖJ¤,R;ž|}ºÑ
 Waƒš)m%ÂÌ ™æLZEBµL€ap~ƽ¯Wq/¿£ÍïòI:pH^”ïÛÕª}Žòâäv -©YÕ]O½`ùÐV	sø·ëª¨ý’XP»ëÓXu¬,óݤÔ_´ó.>¿Eúï¾û8øoAè…žh!™å^¢óÿíîç_ùd
±âû;Δwfò8
-h\±›f¢š%žfÊÁ¾x燈v œ0“)¥ÌDsͤæEؾr¾:–‘�‚9sÀ/’dÞ9—gv6`œ�QfH„@ê8€Ñ&rf€â
-ñŸ‹S5Ë~ÐhÙx“áÔ1·ÏfNùÔP”yÃííø0^áS#íXð¹ÙV�õïN•� 7Ä£³œªð	ôcV¸}ÅéíXM¯±êa¾Gž£^äânô«‰Í™…z¯ÝfØÅ\mM:ãLÊ!!Þ©ÍÜ:èùjÆŒ³1ÊSÆe
¨-šy»�r@¬ÐƒE¦Dö
å�]U�X¨)˜Ä 7&�>nŸ&Ôùqt61ÀŸÒ|¤hÇx‘žŸªù>#†DRýcõ‚]0¢ôœœ�PW¨8Å6T#ù
-]·
-°Éä¾ešq6ÀBmã%Ħ+
Ö€*È·º¾Ú^¯zÃà: ¼Z÷ž‰YP2îC† œÍÇlLé¿p0$ÒØbü
-�-�\Š_J@…eÏûuåãd~#

ø.
-Hy‰¨Uc
�‹\`e*Y;�
Þ7hfå*óUÌ8ëÏ;xÃ
”èÚÞŠç
ßEž
w¨µzÌsÖµƒëðL;s”=—Í⫬ƒWŽi
}n‹¥÷ñ<¸u­™†šâõn=aœ�Qf¶™CyÇ�´
,„îvÛ_MQØ=Ø#ïrs`X¥<ïŒå+ Ñè$nÅõ€ñ
-׸6VêC®ÏØ?ðÂ
—/P{Ya§u3_íþ)¦m8óÍDváøôFcE9#é1•õ ôq_Ü@
"ÆÙe&º{¨L·_8É#w°QŹÂ��Õò�l"^uŽ+E}ËJ\²¸È 6F›Àó¢]—usÉ”g…·ÅöÕ±,aœ�Q梙„”ÁQyî<ˆ[ÆñÌdˆgRÛéo»{
jNáo×oé¨R›éó²0ü\‡³]çÆ0&u¼|ÐtÅ
Í·?üDãHÆ{Äxˆ�ê÷r=ËùoÒñä/RêŒAIH×`Ç’1¾°¾êz¶ß�#^Áú¬³)6!Îê:R„?îÁ†t 
.õu•0Áj-¢ºö¸±çÔu€½�ºŽQ^P×C*«y½.W×5öï!»¯‹—J Zí¶4R7}õ„ž5Œ.W»�¤Á§ìOÏ	FC_ºjSnËžàm<b+Pv]î6çˆ	ÿb†F¤Â†®áðL¿ËœÊð°Î$¯)¤Ê1ª™×ÊVÆX
-…—×*Y€’ªxToôÙÓÿ
ðv§ÿc”NÿH<“œ�þ¿ƒº†ÄôÃ?>ëØ
3Ã%dG(‰‡.GO=—�áYZèîï§Âß:wwpäÜó~¬‚)!ìDZ•Û¥Â÷K³ž„q6F™Ézäû²‰
첂dT#eµMKwgìa¤i·²‡á¾òËqSÎY„àKæk÷ajf'•‰aÏ[D¼¡EŒP^²ˆ1‰_nJt0‹=3¶píÚ%×¾å\;’é�†ˆQr.Þ.ÜÛ·°”Î�‚CÑQ8±¯£€ÇÑúݼÝ`BªÊtå#H2ŸC‹J„â½¾6ßðn{Ëòs…=7-×õÓ®î_è}hUo©V$àãÙ…˜vôo½ë"º‡*uGØ)pjÁCàÔBàe"µ›
…ÜͶ.ñ¥IEãa¡Ðûð-Í$¯£ã½Vø´¡—4sp4Ù"KÙóðÐÊMŠÉ
-1™0%ÅvQ­êuÝÓ+”7çÓ=}«#d¼�ÌæiõB#$Ûy»?· öÂÈ!�Cº ý�7+p�Ä!Žb
-ÜÑ ¤X*†aج†F›ÝºÚÖs®Àn�~�É€*íÃk¤s¤Yv/Â{+ß*ARth‰¯‡°•ø¿|‚d™þ€²½@)º>~”Þà ùTÑk"7ý[ûœÍÛGO 
-³ÆGZP[ññk(ü[wÔ6-µ]_6zü´ ‘5hÉ�sª\0Á03
-“ã…õ"GÌX€2Á K!§óÝ–(Š¯x¼‡]Ç^ 2Èíc™¨/Öìªn>EXX'»ÃîÅOÃ;"¢Ùmðx¥Z 5=J·[S­  2³¾�ÍAèAøñ¡êŸ«ªÉ²œÈK’dB©
›Êó>”_>u|¶ô&2¶‡œ­Úy¹Š(FiÁ©Ï“�Ã[ã’Ï{¬—=+K�£z©Â�©«Â&±ÂPÙ÷å|qh�
+h\±›f¢š%žfÊÁ¾x燈v œ0“)¥ÌDsͤæEؾr¾:–‘�‚9«üð„$™wÎå™�
gc”!�:à€D´‰œ 8À‚¢|D]QÜxè¡Ê)
ºØdlµ�Ì9íâìr±ØV]w,
+e5¨.·’DBxEÊLØcA€š/OHô³ÚÝ’Æ„ñ
+‘šC^¢@Èº[”ÔsŸÄÝÑ-*4Ý}
+{Häí¶–Y
@ªùîj
+&1è�I �Û§	u~�Mð§4)Ú1^¤ç§j¾Ïˆ!чTÿX½`Œ(Ä
=''$Ô*N±
ÕH>ÀŽB×­l2¹/G™fœ
°PÛx	±éJ€5 
+2Æ­®¯¶Â+�Þ0¸/…Ö=�gb”�Œ»Á�!h
gAó1S:Æ/‰4¶¿BgK —â—PaÙó~]yÅ8™ßH@¾‹RÞ@"jÕX@ç"X™JÖNgC�÷
šY¹Êðl3ÎúóÞp%º¶·âyÀw‘gÃj­óœuíà:<ÓÎeÏe³ø*ëà•cZ€EŸÛbé=D<n]k¦¡¦x½[Ogc”™mæPÞq m
+h4:‰[q=`¼Âµ®�•ú�ë3ö¼pÃåÀÔ^VØiÝÌW»E…ŠiÎ|3‘]8~½ÑXQÎDzLe=HF
}Ü7Pƒˆq6F™‰î*ÓÂíNòÈlATq®ðãcµ| …ˆ×E�ãJQß²R×À…,®2È…�Ñ&ð¼h×eÝœD2åYám±‡}u,Kgc”¹h&!e0GTž;â–q<3â™ÔvúÛî^€‡SFøÛõ[:ªÔfú¼¬Ã?×álù1ŒÄƒI/4]q@óí?Ñ8’ñ†Æ1b§ú½\ÏrGþ›t<ù‹”:cPÒ5رdŒ/¬¯ºží÷ãˆW°>ëlŠMˆó‚ºŽá�{°!H€K}E]%L°Z‹¨®=nì9u`o§®c”Ôõ�Êj^¯ËÕu�ý{È®Àëâ%…¨V»-�ÔM_=¡g
ãŸËÕ.$ið…Ç)ûÓs‚‘ÆЗ®Ú”Û²'x�Ø
+”]—»Íùb¿؟¡©°¡k8<Óï2§r<¬3Ék
+©rŒjæµò‡•ñ

+'öuð8Z¿›·CHU™îá|éAæshQ‰P¼××ãÞÍcoY~®°ç¦åú¡~ÚÕý}À£/­ê-uÊüo<»ÓŽþ­w]D÷På¢à¢î;N-xœZ¼L¤v³¡�»ÙÖ%¾4©h<,z¾¥™äut¼×
+Ÿ6ô’fŽ&û@d	!{A¹I1ùO!&Ó
+²>Ÿ2˜ÄáÎG9ü)¿²ÁrÔ™½ã7àã~€ª;'è¼UðB4²nÃÑ2–'ÁN;ú3Þ*ü?ÚªŠª•YZêð€rõ\¾ÄE^í…
+�¶ÍÍ^f"|-Ô—0zp™=Ÿ?¬†3©­ÒŠI®åÍØ^fSiÓ¿ŒËX9\+ÒGêý:ƒÑZ0)-Ø �ºÈÙ"{Kšž‡ã$¾6Ï_Ôri;��ur-;<IߣJËý~ÌÑóendstream
 endobj
-1085 0 obj <<
+1140 0 obj <<
 /Type /Page
-/Contents 1086 0 R
-/Resources 1084 0 R
+/Contents 1141 0 R
+/Resources 1139 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
-/Annots [ 1092 0 R ]
+/Parent 1148 0 R
+/Annots [ 1147 0 R ]
 >> endobj
-1092 0 obj <<
+1147 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [356.2946 363.7923 412.5133 376.6291]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1087 0 obj <<
-/D [1085 0 R /XYZ 85.0394 794.5015 null]
+1142 0 obj <<
+/D [1140 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 242 0 obj <<
-/D [1085 0 R /XYZ 85.0394 769.5949 null]
+/D [1140 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1088 0 obj <<
-/D [1085 0 R /XYZ 85.0394 576.7004 null]
+1143 0 obj <<
+/D [1140 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
 246 0 obj <<
-/D [1085 0 R /XYZ 85.0394 479.565 null]
+/D [1140 0 R /XYZ 85.0394 479.565 null]
 >> endobj
-1089 0 obj <<
-/D [1085 0 R /XYZ 85.0394 441.8891 null]
+1144 0 obj <<
+/D [1140 0 R /XYZ 85.0394 441.8891 null]
 >> endobj
-1090 0 obj <<
-/D [1085 0 R /XYZ 85.0394 424.9629 null]
+1145 0 obj <<
+/D [1140 0 R /XYZ 85.0394 424.9629 null]
 >> endobj
-1091 0 obj <<
-/D [1085 0 R /XYZ 85.0394 413.0077 null]
+1146 0 obj <<
+/D [1140 0 R /XYZ 85.0394 413.0077 null]
 >> endobj
-1084 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1139 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1097 0 obj <<
-/Length 3978      
-/Filter /FlateDecode
->>
-stream
-xÚÍ;ks#Çqßù+èO
UÂܼvåÃYæ)çH'G¢ËdÕe	.É­°vq<:ÉO÷¼°
-áªën³3===ýîYvIá�]*M´ãîÒ8Ieêr¶¸ —ðîÛÇLÓ épÔo.Þ¼æÒ§¹¾¼¹À²„ZË.oî~žhÂÈ@ “o~øðîý·ýñí•‘“›÷?|¸šrE'ïÞwZ×ß]ýáæ'øE…›|óooÿrsýcx§#�?¾ÿð§ÐãÂcÔ¯ß]ÿxýá›ë«_nþ|q}“73Ü0£wòëÅÏ¿ÐË;Ø÷Ÿ/(ΪËgøA	sŽ_..¤DI!RÏü⧋ÿÈ
-¨Íꮃe#:Feu—Ëfùp5TOªŸ*,Ô¶=PT8¬exݵ‹:˜U
-À‡ŸOójV?¶ó;H೫çõ¬�]UË»vÚ�ÍÃã4ž;Rñ®DäF²-eÒ
S0쾑Ø×é
-ö¾�Ï[PÏž@Ôž�2ݼê£ú2ÀðN뱈zÉ~%["-—
-°5ÅÈÒ	s¥ÃN ‘yäq DUF”p"}ÃK$’ÒŒ\†€ç4ÑH™q3¢=âà/0!Çë–ÎÅ
M䡇ɣ€»äÉÿdimà…±ÙµÚg‡öæ\V1è-ù@&M·×*‚û§„µ‡­¢~±Tûª_¶÷ì ``FmƽVE$€Ó!Ä‚Y!D¡á×ÜM"ÐÁe‡ømɶQ"
Oœ
îQÕ,w”!¾Æœo§â‘­rèq­Æ{]V‹º¬œ úHÂܺ§è#×ËÞ{µô¡·.Øðp %½)ž*<:ðM£Wèãá3ÆÐdrã‚�
Ý·Qí8eØXë�•{»
-�Ð|Þ¦]†Ž®ž­WM€�©
·¾N
-ýQoe6‰â¯…½ú‡Æ¬…ý~éÃ�&ªäçÇf™«I¯ºðD�¾ŸÁG÷:føgêhfÔ*0÷LiXAÆp»êw”4xÃHœ¾ZIG€Ó!Ä]üåDZèa¸Ç`ÌÊì€ÿµ�üºnƒ‚6æÍ|¢K›têØýÜÌç¡åsOðŒ¹'hù,
>Ãiƒ«#O;3éÖ	FÕTüv°
-æ¡{³ðY²7‹Ò×]O6þ×ön4Û£þ÷ð„Ï¥çœ"Z²ßâ‡ûù‚)Â;¢è·d£tr‘ÓÀóñá
-ÐCŠq>Þ+–AŽ0Ø7©D2’’ñÝภ¹AdqDp“°r`
NíØ;»ÙÚE‰�àq£3V	–Â~fÏ�“H§C�¥œ„
-ÅÈ4E„ÖnÛ2£²g(-Ç4EsˆúC
¾”Ñpœ\ïK¢«o•'ulf}å…°5*ùc‡_¶f˜ÆZ¹Ç2¬¦Æ°nBË�ó%ôÐ
-t:( c切î'l
-èøÓG©Îó`’W`ÅÎð€ˆº¹;£<Np}(8—R‚Ì:ózÿ$CœAÔ®Ð`€A?æaGq4ZÆ!¯m6Ѧ¯Õ¿%[›§ì‹—ÄPy8·
-Ä!Vò`Ø»æõ¾x)<[¼4„x ^cÎú)ñ’¯c…´“‘>?Lâ<‡œê]Ac8F´ËÑÓz™²A»k‚Ö6Î,BÎYû–MÉÑuˆU”ú¾ZÏK|	ªÊÊ|E�lª¦Êȱjx[4@•Ë¯›�{Æ‹'.Àñ5Æ‹ã=
s�!AœAŒ¼,Vvà̹%’±qåæ×uÝy·¶¶µÓ5hJá�	;sš	Ì�³eƒ«/Íbíc?ІŸ«fò‹þç¢]/ñr“Q®\$“|
-ªº¯ç/Iƒõ£:d d¼ ‹š2EwÛ^Ì~�tèé½Ò{üg^ ábC·/CRA!fÃ
-3Òö%X—R±?�;[±q±„_ÐCô`£àna¡î\øeˆGôihPa#—mÉ[¦à:)‘ŒÌu(wU  hg’†‹g±í€¿¬ò%·}š”:“ïá·Gï
-Ÿ"Îä³Û¯�†¢ýÿ÷¦fÚß—´‹
-ˆ[F$Ö ¼×Þ€)ÜIh€
)Ú<öÕBž N‡ KB.‰„ž’Á!-
-º&TóÄ®?àÝ"­D¹Œ…©d­ÜAigx:Ã+9‡ÐrùNé	²~Œ¾¹9úÝΉp¦OU‡îBI\@´­>¯U}¿ª»Ç¢ƒ,¬œá§8è2ÜïŽ)Ú½Èmç
-I"øæ<=¡y
õÿGÁ0Lendstream
+1152 0 obj <<
+/Length 4061      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[[sãƱ~ׯ`žB¹ÌÙ¹_’ÊÃÆÑúlŽ½Nl¥òà¸| 
+’PK2
®V©üøtÏ�
+­«o®¾½úpýü¢ÂM¿úŸ·¹¾ú>ÜÓ‘ÈßøSèqár€ê÷W﮾¿úðÕÕåO×¾¸ºÎ‹.˜Q�+ùåâÇŸèäÖýçJ„³jò?(aÎñÉòB*A”"õ,.~¸øk&8¸ë-1PJF4Wb2³šp£Õá׆WPxml*GŒQvç­3m‰f÷„ZÂùvK$l‰‘ÄY31@D.üŽ4�»<±†(áÜvؘÂ�°µe–ÌÁÙ�âþì%ŠïNï±]÷8Á7ï c;–qh�¯ÀQoW(%vúþ/x5ƒ§Fo�†au|hµYÞÔëq¡ˆÕJÅa jÜééõC] ÈAl¬<IÐ'„‹Ãš.LvÑ,›¾¾
3îÛÐIãχõ%³Óvsÿúa>B}‰´'3&1œCƒ§÷TŸš‡23ýT-6uÚ7õ¢}¦�2Êeè쟛yµX<‡ŸþMuׯ›y˜‹Ó�îÍ%›vuhßÄñ�ajóºëà58#:žÊú\­šÕýåLP=­:¼ªð¢¶í�£ÒÀf­Âí®]ÖaÀ¼Š_B›ÓiµJ÷õºé>†ÿ Šþß¿…·çÕº‚y¯ãOxl4£`vnðÊL7.[~N
+ȇŸ�‹j^?´‹[OH൫õ¼�]W«ÛvÚÍýÃ,î;rñ¶Ä”F²«eÒ�P0â¾ÕØ×Ù
+JÜ,Ð@ÔõŸA—[ÜKÃ<5¼Ve‡â„“w”[JœƒG´QÄIÍ^½£™âlHrG¹…]²€lò°c;jˆ¦:íè²z+nÁ?�G
+·–ÍýCzï6k0äëÐS— Ì6ÿ¥B¸è�°·þИ·°ÞÏ}øÑD‹üôÐÌ£p5éVÄChÐ�Ø`ï^'ÿUM½ñãÆ}>Ã…4FÕ?ìYiˆ2ð8|µ•ŽgCŠûóc”i!Íð
+´1Œ?&‡`2`¸Õ£4}IóÀ³Éá�â9Íð\Ø•C°N-(’KØSLèaðK³C-d€ÏJŸoý‘Þ‰åsg‰’@¤¸Aû?L"eb
+ùÕ†‹Ƴ
�ñ=D•3Æ™L¢ù.wC³é"J S;¡ô0]*©‰:¸†D4
+ŒhÄ�:ÂHÌXa€‘šàùr‰âlH²”“09Í·o>*4RÑdÀ‡g®…T?Å
}Lxà…þålkÎO¬YhX³Ñn¼æ£Â38¾QÞGÄO
+KeøQ½‘†Ê©>ßÒ3ÅK—€FÀ–È—l7¦yÁc›£·Ü ·—´¢�
Ä–RŠé"$š|Ø%Cj·x²ÇÀ˜Ë�	Úzá�ÀMg^�Ê3ÅÙ�dI8ð…#
{±eÁ3ˆ.ýÉ.|ò3rÍF¡µÛõÌhì
NË1ÏC1‚¦46”N
+€®¥ê[åY›Û„8þ
+/ÀÖ¨”;üai†iÌÙûY†·©�\{BXî\Jå;è 0
{G…	þ�maþôaªsAÄ<™„J­Ø.R7·§c”âèC
üMÀƇÙÖW›ÝDq6$Y0»Bƒû˜‡�(âd´4ŒCÎuZ�ù+Eõ¯¡™9/qcGÃ%ŠèÃD$Üü³>.¥�ç—�…K£VI¸ä�CÚÉHŸ�&qžBNõ¶`0#Úåài³JÙ ýw‚Ñ6ÎRÎIû¼
+%GäQê»j³(‰%X*+såÙF+#Ç–ámÑ
+Ô±41æ(¬œ~líÍs_w%L „ËüÌ·ˆfÐõ‚‰-_<±e}_ʼn�çwƒˆzLjs•ë_¿>Ãï_<Ãû&—ÂÂ4ÛÙ¦íô…ÈÁ±
+Ô1‡ž=ÌÏ\rEm¨H…'´ŒÇDеYuÍý*
+“@ÄŠçB”‡bW°ÖÌJ©�”ÔCq]šù#!¦öŽ„`Üôo]¬ Û˳ÄKú%¾]˨ޖ9…Õ“]|Ìßlšnê.ÛµtlÔFUÝÕ‹T
+S÷£sÈÀÈX÷Œ–2w»(æ0 
+žèͶKê-‰?˜^À¡E×°NžÄô;,)ÒJ”¯0�¬•;ªåëÉ3½&„–˺/ÐñÐè›»ç“_A½�Îì±ê%”ÔTÚêÏk]ß­ëËAt•Û…e›(Cµ|LÌœÜnè?cX/J�•–±È
+jLŒ˜æxqºñ�¿IýÅã=þ\%öú�oõ꾈CþuèÃcUJ‡w7žæU¿ú£äí'ÛÒagÐ;ð-JZœòEð½™3
 endobj
-1096 0 obj <<
+1151 0 obj <<
 /Type /Page
-/Contents 1097 0 R
-/Resources 1095 0 R
+/Contents 1152 0 R
+/Resources 1150 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
+/Parent 1148 0 R
 >> endobj
-1098 0 obj <<
-/D [1096 0 R /XYZ 56.6929 794.5015 null]
+1153 0 obj <<
+/D [1151 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 250 0 obj <<
-/D [1096 0 R /XYZ 56.6929 194.962 null]
+/D [1151 0 R /XYZ 56.6929 165.9801 null]
 >> endobj
-1094 0 obj <<
-/D [1096 0 R /XYZ 56.6929 163.332 null]
+1149 0 obj <<
+/D [1151 0 R /XYZ 56.6929 136.242 null]
 >> endobj
 254 0 obj <<
-/D [1096 0 R /XYZ 56.6929 163.332 null]
+/D [1151 0 R /XYZ 56.6929 136.242 null]
 >> endobj
-1099 0 obj <<
-/D [1096 0 R /XYZ 56.6929 131.4748 null]
+1154 0 obj <<
+/D [1151 0 R /XYZ 56.6929 106.2766 null]
 >> endobj
-1095 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R >>
+1150 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F21 702 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1102 0 obj <<
-/Length 2913      
+1157 0 obj <<
+/Length 3064      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6òÝ¿B™{ˆœX4Aðóú”8vëNëægîfšÎ”¢`‹cŠTIÊŽÿýíb DÓòõÚÑÁÅb±Øï%f>üÄ,�<_fá,ÉB/òE4+6Gþìæ¾?Œ³0HëýõÑé…Lf™—ÅA<»¾qh¥žŸ¦bv½úu~öû�×矎AäÏcïxÅþüýåÕ‚dô8ûåêâòû/ŸÞ'áüúò—+:¿8ÿt~uv¯@Ö¦ðÌ‚‹ËŸÎitþÓùÏçWן�»þñèüÚÆ=°ð%žä�£_óg+8÷�G¾'³4š=À‹ï‰,f›£0’^Ji ÕÑç£Y‚ά^:%ÀH¦^”É„1%Á(óbH-A<´ð‚ã…ð}þA}õý .û²©é¤y½¢Á—.¿Ux^ *ªþlÄžïÇ™¦÷nµj�E:W]ë9ßä}±¦aUv½†óœ�¾mËMÞ–Õ#½î:µ¢QßÐs¥zÕnÊZñ⢰䋦î5­¦"ÀMÓÒàH6;Þ¯Sí½â‰f«ÚOØ�ºe’ͯ×êO†gÂË¢(Ðgq˜„M«®¡ÑîXÌ™Å`^Öôì×F8{"OA©1hOÓÃó«z
¢}*ÆPz~%Œ‰RJMd^”„‚qº¦í‘â1z�L
±®Ï{µQuOç�ð¼Ä´ªNoë’4%Pª]_ö»ÞžO™ïk7`í¢ììKøajd(ì™É€ŠœMj©Œi=Ò ¹¡g¿æ™›¦ªš‡²¾ýçsgÂóA\Šƒ¤½A„ŽŒ2¦r „Ì~õE2ÞŽkÂäà–éÉž{z>ŒÃxoO#•Ë�,•=à«ù—ïC–UkÐïc˜Ï
-(	0bd/HÈÁ: "ƒõ²Œíêi¼í´”ÜmÇbÚ’�0\}äT2Ö璘iP7½võƒ¢‚›„~ú‚¨¬¢2X/‹êЮŽ¨ÆÛN‹ÊÝ6§£ß)v¯Ë'lZlQ+ŠòŠ#ûòqp¿‰ Q'…‰:w*Ç|d½R98ÏJ\Â
-/)Í¡`„Úµ¯`=�‚ñ¡i$R7µ"ÐDA„USäÕºéz^¼¹ÌÄ€P«¾ÃÛB
-_8r[S‡¢$
Î~n$7Ôqæì¸Ê<{Øš	ñYp¨ÅŒƒ%ÏÝ4;ÃSiWªý3‘¾Vª+Úr;T¼Oªt+=°¾ãYBŽâ©ªŠb4/[@ÇL.2äb—ã9hw×1p“¯ÔÏÄC"†©²£Q÷X÷yÑ—­á:Žçš�LmEÎâœP7eWB‹��Né¼+ëBM©»SÅ®-{.Ë�o]ô…lÔ	µS±‡¶b¿Ï«r•SùîìhóÍ®§Rù-ÙLjDN45š0…=ØÖC£=
I_Æ¢\¸©˜_�ƒ+ØôdJçVµØVpõ€ÞðB\ ƒÖÑ 3QVl;*ú55$»[>¨kL«¦Ø¡®´iOÚÑ¿×
--Vú(
dóÛòÞ@°úAЧ8�²Á‰ý²g�Uœ)šÍ–ýpE3(hMÌl·G&øø8‡Çs‘aFG10B,™‹¾Í¡ËÒ‚ÐàÚ2‡ê£›0²]
2Ùd1åÊÌ5ç,&&j6cv2
-c
l¸ÒdC²Iœà€�hªV‹±8ÉS«á‘О”7SuL˜˜þd‚^ìEIîQûc§ÚIb‘'Ãàÿ µ :*>/M娳/òb=u!„5iG¶‹€H"÷¶ƒÈQw7!FôâÐi¿DoŸýÝVgŸ	j¾'…ü“ܵ8ûCÞêm¢ÌxýaÙÐÁ2}æ"/Ì@ŽŒº¬òânÝTSì†)`J1pƒ‘5�ëºái"€çBF‚E±®O�ЗpM¡æú\nÊ*o«Çc!„fÙ&
-Š½°%Ycj$˜z ´§+/ªa2g¡½lC`CO°t"ƒµí	ˆFVêz”+<|ÒµnFt7`qe­^O{ú 	Õ™hXšô½jì}À“Ônã$x5é÷ÊœRdÄU`V

-²ªSÍ”4I‚u€—„PûàÄ=aÄïL\ëK†Ø§ÎŸ9=H/8²ö¤g
vMÏ3"ŒñÒ�ÄĞ̌?e�õ3/Píµ"§§D÷/óõöíT§ó�¿‡:N6<þruùi]zØËà@«þ€º¥£î¿ï»ìÙàÕºúáÐg½’¾Ç¹n­CXÞÛRjpë猚Ôá;üSGÖßkÈ‘'”r¶Ð^�·��$”¬]Ÿ·=MÐí©4wžê‚ë¼Í‹^û<Nœ¾!8^œvUÞa'#"§¿
i,ê7ñê•îoN	¢)À*¾@ÓD� RÁ¿D©­§ož°ðçNÔOökx_©
-JsjuᕹðõEgÖØ#žpù
- s/
²Ä0…ç•r̹ýÆSÖÿœÐådendstream
+xÚ­]sÛ6òÝ¿B�{ˆÜX4A€y}J]§u§ur‰3w3M'¥%Øâ˜"U’²ãéÝ¿]ì"%Z¾´7z
+ÕÓRÝTöh¡¼C¡w™Âª`’Ò‡¹z¬}¶ƒÍ!ôU2dëtsñ–u3Ptluxñö^±Æ‡~Ÿ¸ã>ª¦HZÆé3jêaP“Ãz^M‡¸öÔ´Ëv\M}¶»jZ“’Ði}Þê©`¬ßN_P§ª;{àª
+ø©LfϨª‡u@UëyUâÚSÕ.ÛqUõÙæ´tc¬Ê¾;aÓb‹Z�¯7ì߯·‡pÄõ€ïQJ8ßsGsWŽ|X*wÝÎS�3<1°9¨ñ>ÖÓ÷XÏjü ×­Æ÷ØŽj|ÀÖ»/ŠÛ}ÏæìvïX»èÝ­§ÜÙ™‡¢[Ú›(RAªUìbǼÛ›8ˆD”þÏ{£!qu`ozXöÆa=¿7‡¸ööf—íøÞôÙòi¨DàÅ—ì…©æeݺ9γ\79¤ ÷@ûY˜$
+Ƙ׫5ÅA¬®SÎòLj:
¤äDÐbø(ÙyD±hkžßåw†g®Kp”Ì¿Û„|M’ÖŸ¡ìÖ€2Ó7èÛ„Í×ìwW¬ÞDÑô‡úÁÜ{Ó•2£³$£°'HKÓh¿o
+ïU�Ö2ï\�A䱇I‘�#äÚMkr`k÷?7ì:uó±ccuÆ篗†9›±®éd§ÆyHÐïÉ
+ûµéãi�$m©Ú�	™†M£s~†ìª±¾ÃF¸ýFȬMµh	îЖƊj��£ÏJPÑäÚX ˆm�Ž çØ+ã1š„‘K‚�Àˆv·¥4Õ
P·'ÃÚÈÅêÜéŒÊå]�ûµhÏ—ŠK™9l�ª™,8WçbNµcNÿz`Ë
+è¶�'’X!;òž¬rëŠ=�'æ/LU?6¦c$Š®T@ñ€áCe[¥OgÌUMß–þ	õ½P=<ËC½3)CŽ€íXf«D&PÐpf‹kžA1WÜŒ•q%Šv·'#ô SÓq< Ö`tk‹Ñ;-ˆ#ÉŸ$H:ëNƒT©h¨ÛQ~€
+5p–}UðíU{¶½O/Q�HÓäËèÑÖ+(
´ñ0âmÖ6%¹µA¬ÄaN¡H£
'¢6§ú�7ö–{v…7sZyÊ3ÉžbäÈ%A:‹¾†è}·¬Ë1iUô}^ŒÅ6	¤Î ‰�Rù Â•HËþï‹UQæ
~!„“�b
+cú+S¨µ"
*P;gÉ¥íP¼<P&½9§ÕÐåb(ÙÞ#°¦–®GF#ÏŽ,]U"àf‡ä*Ç(o^ð„Þª
w­
+ÝóF_�é§
+TÀh¼yCÙ2EaÍ\CÔƒEºÀžr$Ö�ÝßVTÈÚ�Þ,�ü킧¬¶5Ì€ì¨b’•¡Ž†Ä€Z‡õêì§!+WtiÒ±åàò	M††lÖ¦²8RÙ±»÷�ù@>Pc:g»ýÜ
F(ºáð„¥ŒE%{�!§q
+¨4TGá7Øë@`:[ªyy[C}¿\Ñ'{Pyç„8ÖÿÁ¬²®ï6kÒKÛž\Ö±Šhß¡‰�ZÉ»–
+£ÛMãîX“ÔšH‰2Ó«ãÃ�°Jši¥†–
ç¶ÉaMMK@ëopBÉØw”Ñ'ô¼Ú-íu
 endobj
-1101 0 obj <<
+1156 0 obj <<
 /Type /Page
-/Contents 1102 0 R
-/Resources 1100 0 R
+/Contents 1157 0 R
+/Resources 1155 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
+/Parent 1148 0 R
 >> endobj
-1103 0 obj <<
-/D [1101 0 R /XYZ 85.0394 794.5015 null]
+1158 0 obj <<
+/D [1156 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 258 0 obj <<
-/D [1101 0 R /XYZ 85.0394 769.5949 null]
+/D [1156 0 R /XYZ 85.0394 731.767 null]
 >> endobj
-1104 0 obj <<
-/D [1101 0 R /XYZ 85.0394 749.6335 null]
+1159 0 obj <<
+/D [1156 0 R /XYZ 85.0394 703.7216 null]
 >> endobj
 262 0 obj <<
-/D [1101 0 R /XYZ 85.0394 336.0663 null]
+/D [1156 0 R /XYZ 85.0394 229.6467 null]
 >> endobj
-1105 0 obj <<
-/D [1101 0 R /XYZ 85.0394 307.6963 null]
+1160 0 obj <<
+/D [1156 0 R /XYZ 85.0394 201.8883 null]
 >> endobj
 266 0 obj <<
-/D [1101 0 R /XYZ 85.0394 248.6123 null]
+/D [1156 0 R /XYZ 85.0394 144.1965 null]
 >> endobj
-1106 0 obj <<
-/D [1101 0 R /XYZ 85.0394 222.7648 null]
->> endobj
-270 0 obj <<
-/D [1101 0 R /XYZ 85.0394 150.9902 null]
->> endobj
-1107 0 obj <<
-/D [1101 0 R /XYZ 85.0394 123.8975 null]
+1161 0 obj <<
+/D [1156 0 R /XYZ 85.0394 118.9605 null]
 >> endobj
-1100 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F14 685 0 R /F39 863 0 R >>
+1155 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R /F14 729 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1111 0 obj <<
-/Length 2398      
+1165 0 obj <<
+/Length 2262      
 /Filter /FlateDecode
 >>
 stream
-xÚÍYYoãF~÷¯ �‡P™Ý7ÙÉ“ãx;“ÄãÅb‘XšjKD(R!);š_¿ÕÙ’écÖÞ 0`öQ]Ý]U_-!øÉ�DF©d	G˜GÅúEK˜;?ÂŽfî‰æ!Õ·WGÇïhÉD
-"¢«›€W– ,ÃÑÕâ—X$$™
ŸþøáÝÅù?/Of)‹¯.~ü0›Žâwÿ8³­óË“÷ïO.gsœqŸ~òÓÕÙ¥�ŽÇ·¾³#Ò~`zyöîìòìÃéÙì·«ŽÎ®†»„÷ňê‹üqôËo(ZÀµ8B	•�î ƒ,%‰ÖGŒÓ„3JýHuôñèç�a0k–NÊ£„PA&Hè”
-vIS°6ŒõY¢?@ë-5MØ6—…bŽ/Ö4ú®�+FÁ-=ßyÀØ\2öÑÊ¡¨
"Ø]rpWÂÚú¿g˜�êÁû04FRÝ6QG7Œ=èF§ÖeÑ@’c»Ú=üç›/­G`)2¾g†Át�ÿ±k·
-#¡0ÿØ«Ï=ÿàW€Ù]iN ,F,
¡DšÐŒâˆ`€�áÙæE5
NŒ2(GSJC°6ŽTHã.!>ÔùÚÔc0rñ“Ê«‚Α®ó¾X}éé
-06C¥M¶ŽYQXjqÀmaWMÙh>$™
-ß|vup1$5þEÌM6“Y@[~
-² m7Dª«�ç�¨+�Äkù©×W…¢
-?eâ,M2žÚÐõêRKàó4FSH(Lò-÷°ŸA‚ÐÞŸƒÀפÌ¿Z˜%j|÷ÖZË`
Q&_BÙwvÀ'jì&³úA[£ ^WYì•fˆ?¥-Í…¥6¨Tw­z:¢„5’‰*÷c
“‰¿:Ù,á>[Ê žQGdÞeu2`2F“IèŸÌÐ~ÒQ•ËU?¿Súc'ÜAšÊ؇Yä.GŸgPÆPyðà¿öøÔïÄù	ÔÓ
-4ŠeòPÜg4x\Ã�˜L Ž¿-ÀAXLò§Ü1B	¢ßë¼3?+|Nú˜r«I6¤�0♎N-…ÍaÈÄÀΖã¦kç»~{íXÖŽSWé—ý‰ç¸OÍðï73ÙO•?žABùÛ*N HçùãzKE‚‰°zk6:F=ë>WÔâ’Y¼¬škó”üà‘aü~‘~CaµÔŽÜTk0¿P7ù¶š.Goü3o�ê�ÕÞÃêEñ2Ñê‡ÃŒ¢´Å̱œúEÞÂ^ü«ýø
”f™þAž¤àG2`¢g)µ¦MÙ½7\ÿû¾'ÿ_À�¶endstream
+xÚ½koÜ6ò»…€~¸ÝÔ+“"õ`ûÉqlŸ‹KÚs¶8Ú'k¯P­´•´qÝ_3R¢lÙIϹ€ÅÇp8ï—þx'a¢"¤J†1ãqPìŽXp{—GܬÐʇz½>:¹i B•DI°þàáÊB–e<Xo~Z$a.
[œ}ÿîâêòÇëÓe*ë«ïß-WQÌWÿ8§ÑåõéÛ·§×ËÏb¾8ûûéëókÚJ,Ž×WïÞЊ¢ÏH¯Ï/ίÏß��/Ywt¾xñùåL #¿ýô6ÀöwG,*‹ƒ;˜°�+»#‹0–B¸•êèýÑ?„Þ®9:+?ÎÂH$ÑŒ
+ãab¢Fd‘�L\„EEplB#®Y"64ÍãäM×Ñ|Œ]8˧wtßÂ8‘Wam›´°MmUs;žã.LLˆœq·™€yLc�ÛqÕ…WN(jùÑƨ$F-MҚ͸.tÛØùlL¢P�xÑV_iV<28´sÍßí
ÃÜŒ~ݵƒã»ƒwÌÇ4Óuíˆj·[{¶Ÿâ°ê�øÌ…Ïĸ}«?–Í¡{ì¼3E™ç�ï·ºª|D·qšØëÖîY*­Ü7AÉèƒnGÏú”–á;¡ eA…J¿ša&
+È#%€h‘!-Áo Å¥ÈæG¡˜…“«�Þ4Àbàqé¯|̆KhUG;‡n Ò@
+ºÝ•unÞK¦=·½ÊôLÚ_»rÂ!ˆÙTáoï{|"Ñ›oúg–†R—жIÆ?Ç—„_â «‰/ýo§¼Ì	Øî¹óQ|p'8³e	Tª ã©lþ!ò‰Èx·€ö9å”2ò¢šñNÎ2èHS›7ô¼i"i¢L¼„Qç;Ó’ÁÊÕ´”o6¤ƒÎ‚îò¾Ø…ávN‹�aJ�*[‹¬(:5ï�=õvÕœ‘oªM¿ÕíÐOu�#p
+IZòÀ—ÇË$ŒºŒy’Ž}>Jwâ)¥1(SR™|Biʉ„�îÚ6U÷š+*ëÝðÖ;Ș¶P&誛>
ÞèA¾Vè7÷cqO×údrÅ°qÅT[oŠâ iQ‰pÄú²*ûû%ç|ñŒ=ñ¼LàÿGª8„*ŸW¡R
 endobj
-1110 0 obj <<
+1164 0 obj <<
 /Type /Page
-/Contents 1111 0 R
-/Resources 1109 0 R
+/Contents 1165 0 R
+/Resources 1163 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
+/Parent 1148 0 R
 >> endobj
-1108 0 obj <<
+1162 0 obj <<
 /Type /XObject
 /Subtype /Form
 /FormType 1
@@ -3907,2690 +4095,3034 @@ xÚm”In1EOPw¨u€$ÅIg0²Êľÿ6¤¤êV5oʯÅésÀó�ή¯�ƒÖ×O²Î Ž¢‘ÿ¨#h8Çùø:„5?ù
 6\>RgÈbÏWÖ¹j[†�›
 WŒÏ¢®{6;»²þFÃÇñ÷ø]š¨)Õ/Ô¬Mu;pk;Ì©Ëdh<åE–ñ¬AÏw³ð¬±±Nê¦ó¡Ä½�t•‹ùD„™Â²]°Ä(�‡;�„ ·åŽ°Š­r²ÂÙÄLûˆ
T¥Í¡誋ŠŽt’¹w_=Î]ˆ‹=¦uSä÷—ä"ï±yl±‡µÃ-ËkHsŠöreOÚ³êvg›<7ºt,‡Ýe—;ãÒèЭ/I…B÷&ê(ýê³ö󻉨YÙ¹Ç,çkRÔšÚ'^
m"	^�˜h±�ÎW9AVªy­Â©/f�ýÆ"•œãûFy-Sng	\Çdª¼˜©Æ¥†Í}B©•µŒÎ$âw1.¶&�Øíþ²C¶O–ÃVç X×9g¹E{îÇ<•ãóP)!ÍZÜÅŸLÞª~ÑÔ'¯UâXLµüc“ÅXsЖõÚ¯½˜Ó’~òBL–§èªÆ¹O¦ºNZ�_[Èü.øšŠû*]3QôçÇñ!Ö-žendstream
 endobj
-1112 0 obj <<
-/D [1110 0 R /XYZ 56.6929 794.5015 null]
+1166 0 obj <<
+/D [1164 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+270 0 obj <<
+/D [1164 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1167 0 obj <<
+/D [1164 0 R /XYZ 56.6929 749.9737 null]
 >> endobj
 274 0 obj <<
-/D [1110 0 R /XYZ 56.6929 330.9243 null]
+/D [1164 0 R /XYZ 56.6929 246.2071 null]
 >> endobj
-1113 0 obj <<
-/D [1110 0 R /XYZ 56.6929 299.0803 null]
+1168 0 obj <<
+/D [1164 0 R /XYZ 56.6929 214.3631 null]
 >> endobj
-1114 0 obj <<
-/D [1110 0 R /XYZ 56.6929 240.311 null]
+1169 0 obj <<
+/D [1164 0 R /XYZ 56.6929 155.5938 null]
 >> endobj
-1115 0 obj <<
-/D [1110 0 R /XYZ 56.6929 228.3558 null]
+1170 0 obj <<
+/D [1164 0 R /XYZ 56.6929 143.6386 null]
 >> endobj
-1109 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R /F21 658 0 R >>
-/XObject << /Im3 1108 0 R >>
+1163 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F62 1050 0 R >>
+/XObject << /Im3 1162 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1118 0 obj <<
-/Length 2415      
+1173 0 obj <<
+/Length 2334      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝS#7ç¯ðÛ™«X§oi²O„e÷Hí’= O›­­Á`níÎ3@È]þ÷ëVKã±óHUŠ‡‘ZR«õëVȈ‡?1ò†q•é‘Ë43\˜Ñt±ÃG0ö~GÄ9“4iÒŸõÃéÎ?Þ)7ÊXf¥�ž÷xyƽ£ÓÙçñþ?÷>�ïN¤ácËv'Æòñ‡Go‰’Ñgÿ§£w‡ï>ÞÛuz|zøÓ‘�ÞíìN„7ÖËÈaË‚w‡¨õþxïãǽãÝ/§?îœvgéŸWp…ùÏÎç/|4ƒcÿ¸Ã™Ê¼ÝB‡3‘er´ØÑF1£•J”ùÎÉο:†½Ñ°t?-“2S£‰òLã·oK[pØ66…`™1›»N„0L…:1–qm\§)z:R0'33r&cVI”ÒË›b‰ØÀtÕŸÎ=Úá64¯mÎi±ló²Š�ºú…syq½ÌÛ²ŽÄú
-Ûqz"æô¹‚Í„Oâ¾�v–7eÃ6õc¸cÞq1êëeP©L2#¬CÐhÂk¢¯5ã7�¡¯³ÎÑ•h—×M[Ì&ߊ»æqÌ
-ĺ*"²ír×�Ãzê¿=:99ا62|
-‹ü.ùûyjM§×ËDœ+ÿ?9X'YÒ=l	&-™Í,˜4Üq!¸
{cì�p8�¿“$PúË|±Èc`SYï´¦Y¦
Xâ4©òEA½ÿâÊ\�sƒî’†³Ù²hš¯‹¼�^~�—MæN6&“‡ÿýÍÐÁ@ÜßH>r ·tóÊU˜Eu†ÆÏM~1tw7NºÝ”„O¦„»8

-BÑ€;�Íã}¹¬á¾¤P$ipÿ}a^šB(f!ÿ9˜�3Í Ay3ˆFy²ïj8ïz
-¡D²‘´ò¸iaˆ0‰¬UÑÞÖËoÔ)«¶Xžç�àˆqZPu~§çÉÚäwš;(ÚÛ5ׇäe0¯4醗ü95tZ±]sÚ3)ùcÖ®<¼Ñ÷ÕUÆŸ¬:‘éàX ¡‚Í	³ ¢RjYÒ—tŠc�¾�|žÆo/K¥8!¨i¤š!í]æ¨\¡(wr¥wHRdæÇ'uÈD`1ihÚ¬&bU·Ô¸¢DáÌ¥œÅ9}nC
�ãºY
Û,Jr+¡DϤ¤ŽLC ÿ•(ó¢&íeCý`ÄHG
P3=´ÖŒ>$]b|XÑXs²IRaš7ÅwC¾l@.ÙU%ÛU=é殧`]í°è;¼îâ$Ù¡e_Ï׊æ;¢ý;$A”±}Êz%§Ò«¾¬[<Šæ�BÛ”=pk{×áeWlukŸSæ¾~b! \åFP—a<ÒË\%¡œk™C¯öIï®ü‚6Jt�ŠÐ“ézÞ¼¬®[qY•s)\3ºÏ4nXK-LØ#íêk°®Ðù±»�FGÈœŽyÏßã1í
`ÎO«ã.Wõ²íx¯:_b	Šùhx"$çCÅ&
üNIs2¡5·žü
+xÚÍZÝsÛ6÷_¡·“;%Š/â£}r'çNâö÷)Ídh‰–x¡HŸHEuïú¿ßP”MYv­Îdü@`
,»‹ÝýAf#
+ldRB…•#m%I)KG“ÅÍ`ìÍs’8)éÏúñêè»×B�,±Š«ÑÕM�—!Ô6ºš~Ÿþóä—«³Ëㄧt¬Èq’*:þñüâR,~N¾x}þæ×Ë“c-ÇWç?_ ùòìõÙåÙÅéÙqÂLÊ`=v,x}þö[o.OÞ½;¹<þxõÓÑÙUw–þyî ÿ9ú𑎦p쟎(Ö¤£5t(aÖòÑâH¦‚¤RˆH)�Þý«cØõK‡ô'¹ œ[1JRJ$c»wÅ(ìš°Ò:9·7MK‰H…3‰”„Zº1	g=“0Έæ6éÔ%¸ð6)ëÙ¬¨fN70_ôçSC˜Ôn7±¹Í'Åo”ò¼
­
+=^ϳ[í<w
3nòå—|‰D`Ü|MIÇY5�K`”™q¾µÎÏE‹ü˜�›&›á&fœ…ù È
g%6M9
+”W-¹oÓ”jb4e£¾.^¦_a9I™Ò£$N8¤É8Ì4”ï3™H¡Á,šl½õì5ؤ®œ¹f+Ta\Ñç/Á”’aA•-òé
+µ™5m¾|‚çLsç8•»ƒB§hOÜÃS"'ß)‹¦Å7õIE5)WMᬇ]oÚÕu`YNM™}¼ÝÔUŽ¶ï6s�I™­š¼Ùm¿¾b¾â{¯4‡–ݪ•ÑÄR†¡º¾mA¥O»ù­¿kuéÔfÍxVÖ×YéÚv¤�¾‰YëÍå&Ä}üŒÝÖÅö¶Áñi~“­Ê¶2›w
g¨º�ç¡Ù´Y›/ Z?f¶ž>¾f³IC¤´ûµRÀÈR×îøpEŠI“LæYUåå“® xzÜPå(0Õb±ªŠI0”'Ev¾ç"³ûÎòÙd’7~P»Á�ð)¡œ‹=ñ?éæmçßî\�˜µ§¯C™5Êðt–qÅn³
+E¤•û¬*)Ô²T…êÃߢýe^ºòe›!¡=¼xîÎtÏu1ÃÏ-VNIw{�v�5ÅcÊßœêeŠú{uÏ
G³/“)jå©Ä"d¹‚œ0M>çwÏKgNkÍدÇþ«‹÷ïÏN±í>¢Ðž¨‡Õ(;¨F07
+M
+ŠÉ–ì6uÒÍÝ®Á:ð°è¼îÞDÙ¡dß.ØrÿKÐþí« ,Ù>•½Ü¡SnD_Ö
ERHp*F�\ÚÞmxÙ
Û\ÚçàÜÃÌÅÜ”§ ‘ jµ'â\f”å[ï=ô¯†à
 endobj
-1117 0 obj <<
+1172 0 obj <<
 /Type /Page
-/Contents 1118 0 R
-/Resources 1116 0 R
+/Contents 1173 0 R
+/Resources 1171 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
+/Parent 1148 0 R
 >> endobj
-1119 0 obj <<
-/D [1117 0 R /XYZ 85.0394 794.5015 null]
+1174 0 obj <<
+/D [1172 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 278 0 obj <<
-/D [1117 0 R /XYZ 85.0394 656.7756 null]
+/D [1172 0 R /XYZ 85.0394 537.224 null]
 >> endobj
-1120 0 obj <<
-/D [1117 0 R /XYZ 85.0394 632.436 null]
+1175 0 obj <<
+/D [1172 0 R /XYZ 85.0394 512.8844 null]
 >> endobj
 282 0 obj <<
-/D [1117 0 R /XYZ 85.0394 563.6675 null]
+/D [1172 0 R /XYZ 85.0394 444.1158 null]
 >> endobj
-1121 0 obj <<
-/D [1117 0 R /XYZ 85.0394 533.5536 null]
+1176 0 obj <<
+/D [1172 0 R /XYZ 85.0394 414.002 null]
 >> endobj
-1122 0 obj <<
-/D [1117 0 R /XYZ 85.0394 456.2156 null]
+1177 0 obj <<
+/D [1172 0 R /XYZ 85.0394 336.6639 null]
 >> endobj
-1123 0 obj <<
-/D [1117 0 R /XYZ 85.0394 444.2604 null]
+1178 0 obj <<
+/D [1172 0 R /XYZ 85.0394 324.7088 null]
 >> endobj
 286 0 obj <<
-/D [1117 0 R /XYZ 85.0394 307.3784 null]
->> endobj
-1124 0 obj <<
-/D [1117 0 R /XYZ 85.0394 280.2293 null]
+/D [1172 0 R /XYZ 85.0394 175.0326 null]
 >> endobj
-290 0 obj <<
-/D [1117 0 R /XYZ 85.0394 163.9859 null]
->> endobj
-976 0 obj <<
-/D [1117 0 R /XYZ 85.0394 133.872 null]
+1179 0 obj <<
+/D [1172 0 R /XYZ 85.0394 144.8676 null]
 >> endobj
-1116 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1171 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1127 0 obj <<
-/Length 4048      
-/Filter /FlateDecode
->>
-stream
-xÚ­;ÛrÛ8–ïþ
-¿­¼eqp%€ä)“NzÝ5“îMÜU»ÕݵEK´ÄŠDjD*Žgjþ}ÎÁ
x‘ Û³IùA$
-¾«Ð+>«�़Çq¹(<°%²
-	5õæ‘ž�ħ¤u&“ÒDxûz¹H¡.3¥m�zM
-Ü„úŸšM
!lÉyä(<xÇݶ!
-€�!—8’c8�föß¡õ°Ý Nø²Ûm*ÏaD¤™ dAúhmÝÑIJ
-iC×ì€ö¹Cxò�WôÒÏU×–›{"E†€è(4zZûY"¹›íöÕ¶ð8ÂKqèÖ;ú{�

mKTäªÅ'·dÿa¸‹ß‡p5¼ô:/^?ÂÒD¨‰¨»>öKøJ¡Á¡	f*ìee�§Mp„8ƒL˜`q½ÓÖ/{ql‚Éëëj±&Š¡aˆQÐ�‡åŸbÁ`‚À\ª<Ó¹OG
-‘ 8물ÔNdBéo/‘D€ó1ÄSp<˜Àõ«ÎF>ÿ�†ÊÛegï
-r¹Ç„G£ÆÜy™ÀŽÃ
-Îw;oñ™£Ùv,w/81‡(C«è½;rç¼�°™âO(
 Œ¢è¾ã�#Äg, @·<âäÀç”À@ৣ�õšGŽæÄ›M$AC¿å×rqðN^†|ß(ß�ô‚sYàde‚(}*Ëså`mY&|þA3ûÕ%=|L•Á‡Õçk¸a
ò·�å–<Ÿ³…÷xFÎ~(`¸¦Ñ·ÌaÒ;‘…·®œ¤Zg` äë“’s¿æId�ÇÜ{„mUŸìÁºæ‚¿ŒJýê§w>‚é½8¥ëD™ÉŸӔ€gJª'ÏÞ¯yƒcH#�nb‚Œ¨jŒJŠ
±â®9t4ò†ÑÜê?˜�å‹K4î'r55ÌUªºÍ}�Ë=S‚e™2ò¨€Ä1£s‰’!×X2LX
ªÞd¼Â4›TÁŒ¤1°o»¢óÉ�öj¿»�ÃÄuºvgtq®AòSFB.ûT˜
-×¼-Ãngúß‚~–å}qØ„¹©ÊóQ‰_ƹ
×!lÒ1lÒC5š‚%púFkõDÞ/­UšáUúÐÔ�W]XÚ äPwåb¾Ž¦^½â`Œç³›š–t¾6�s‹¢-¯)Pîa›¶¡ukßy±ê\”¤]ÆsýÎ*†e—ü”³þ1Éq¨Ÿìˆ#~c’¤fw‡ð°lJŸ¸¡Ø…¡uñ¥¤§"%ó‚S1ç鲟„¨�	(›HIäd̾@Ð ±“SACô: À.`í=�@Ñ(–adŽ1°ø2$­Ê»cÿÕ=Éâvø’l
¤É
-«¥“0<d›‰fD¶Ûò‘=È‚Ã?v6™¤‡ø!ÙØÀÊ
-pâ—Æß΀�C�]QgR:""NÀvÞúÂÒÈÑ“î.ÁÔ3AdÂD�höŸÃQ£å…
-×¼
-HÈYgGÆǜ˩L¡…žhUÂlD1á«°àìó÷·TáÇBÚ5Ýê(܆MÂõ13«KªÄÙ~ÿIh�ø$óˆ?Í—'ÔÐ÷­z©EÀuØ9¨¼ÃŽ�Á_€×€Ñ²¸‹ßzŸ‘ƒHb…„œÈÞŠïOáJÒ¨þ®ã•5º¡´cëp
k0M,Úglõ{ùE*ÊôY
-,[Vm@y¼Í�]â¢×=ñ.
ýbºšŠ[V’tþ‚ê/\ŠãÀ«”|a!(wI˜\�…ºÿ«dê\‘‘÷¯Sâš)ÇòqäAô\ľ‡™qRâSÆÃ]Y¼l¬¯æœ1ŒS›Ã2îÓ¨~…7�÷;•ÕÛ 
-ÜôvöÕ-?ºdz–�Z¾ƒŠgèX3»/è`¬�Ü€4q¹­jH¾úX{ã÷4wšvÙHì–VÐõ
o§‘{ƒ�²Ÿ¡+–ÔÊ°NN)𰯺pc7±¯z¡¨…F}ÝCê«É¥ù¦�1³÷âhùµÀûUèh‹
¸ž&˜Þ˜âL¯,8¾ÛW_¼ÃÁŒ~èÂ"‹¡	>Å^v"@=òšõq#Ò�Íobñnî+^F¥-Ï©¢› è!^üÿX;DÔ9Aú?,.àó?üÑÀ�;ü…iiz³j€gë-­Äû›õêuê¾=Ûà/›Á%Âýóõ¹>¶]¥Lu]XO£oþ—Š¡Ñ¦BÅ™’±™²
+1182 0 obj <<
+/Length 4254      
+/Filter /FlateDecode
+>>
+stream
+xÚ­[Ýsã¶÷_¡·ê:C|ÀÝÓõ¾êLsIv’<ÐmqN"]‘ŠãÎôï.
+?Çß®>¾¥K�“~z÷þݧwß¼{ñÛõ÷ï®ã^Æûe¹À�üçâ—ßòÙ
+¶ýýEž	kÔì
>òŒYËgÛ©D¦¤¡esñùâŸqÂQ¯ûi’,ϸ(x‚�’¥¨lV.ÿ÷
+÷ðÝ{ÎfŒeV)ŽCs˜ÕdZæ&rYãò<Ÿ/ۦߵ›Ž8ñ¹/ûj[5=}¾­~ÍsÞÔ}Ý6ÔR6+zù¹+ï*¿–QK‰<ËØ.u½®"Aà ÛWZÃ`I8žM+€ï4®ˆ…�¯ªå¦Ü½`f^
õBû½`C»¡!ËuÙ4ÕÆw÷-µÞTôÜwÕŠzn©¥{ì`j+WÛº©»~Wöí®£þ0Ãt!œš¶9[y’§g‹È} ¼½¯`âa¡çí->�û‘khÊmEM]µû½Ú¡tf¸Gþu¾o²(þlØv{VPm
ßpka±ãƒ9ÈB.=ƒwÍj™8.2&´ñƒö}½©ûGšBt7~½e»Ý‚�x¢ ß±Ep›	ÉÌ”/Q˜ˆô~WW¿WÔÒ´ÍâíÇÏãîn¿é½˜Þ¶^&ýOˆ‹ð6æ".2ÉY&½Š¼nŒ`*3@°ßcÝT}‚^
ãc±�çÁ£´á‡™×5–ôyýæ'úîÚå—ª§÷
ˆWÕÔÍ�)}3É4t÷Õ²F
„ÃL(‘,À:¨@òý¡ñÒfynĬà*“ÆÏ1_vhLÚx-⌋ñ”Î2M¥JÁ![͆•‘Âûv—b*œLnƒ)p*ò|hø­aâ$¤»­At¿âŒgX •ÎXQè)ÊÕjw‚‚ù]\ÂÆ…˜?¬ëåš”GB¿Êå�ò,Kä•1Îœq’濯~ú]RK»‹-½9œ2u``$W'´
ÌãZžd,çè‡í1phBʯflœq1žò˜± ™aàã°§+2›ËÀY°»nÈÄ‹K‘ƒ³eàÍö×ÄT&3
+ìúhÔ¯¹ÊKPà]Ý}�wFvz¼¯è¹÷†ÍcdGOoÎÊÌêÍjI6|åÏs8«W$œiQA`Á5ÕÝ‹ós
+§rnI’§ƒ–r¹¬î{òvÊ)ö–Í£o¸¥§#_Èþ¥£qD¤›g ©B
*À¨–Ï[ê'ƒF¿¢UF“’z‡½z=ñÃ2 
‚qôgð’#þH›
i”>)­L˜Œ
ÂT�‡ãÿZa
.Æ3Ë*“Œ€5ÃÂOɪÌrV¨3²ªAgý�—/S.ʳ‘† Ž+�²[bÞc»Ѳ6H4µÍæ‘Þ�ÅǬµ:Bó³
+%#ãSÓ€nZÁ‚ð
ÀHÝ�AÂ#ÀJ•>·ÎDÃ˶ü£Þî·
¿,÷;ÄXŒ1a A2—ÅÉà¹X¢§ó°“EGîóòpŒUb:A#ÂN–;ØNØÊ8úú•s™`ø+@ü`Ɉª“FTeVëb6åftsƒ?kZOÚM5P40*!� _F³ÓÈ™å@˜ÂCUøzf\Œ§L@ ïŒóaå' çÂì ´™¨
+Z™£›f'
‹7`e´\h}7hD]˜§Èå¾
+Ù”Çú–
+šB„¾A¨‹"~³­Œúzôf\Œ§L¡ožÒ²aegxWi$bÀÅø]T—¹ñìi½ãJ+F
gÏ-;£F!pÿf<ˆ3žá�� sì�iÅÐy¦€‚oGd˜ñ‘¢#�vcLä)ŀЫˆÐsdÜ
+LDÈÜ>é¦Ázh&˜»]»¿O;|«clý4øh=ÿØöž;Îi:.m}Ëý¦ìÁ(o;bâýÏûæÇÏÔë)Âè
+Ü$:þÜnJ
+c�˜I€Û«˜¯æQ˜p1žñ˜Eü†oqÔI0á‚ß`¨œÍ�fþ®$�{”}	Ííi™Àì�ÅôÍ7Ûoœñ̆ÑlÛ¼°ÏØ1�¡d˜ 9å
¸É${B	€dEû
7f<³aøÜhðˆ“
ŸR
¸OÅLG[æÄ™MdAKÏê�j¹wN>FU'ø¢p7ð^ô
²À_�•ñ¢ô¹ªNÕ~en2‡†¤¾ÝÝŒ^>¥ªÞãñÄ‘(ÚÆQ¸Õ_>U[òšÏ?RK‹ùÛšj}3¡:�+Y:ûÛQ| TfJLh?ª3ÇQgH†#ÉášëæhUÀíŠqö\ŽÅñçÖ?š×ùuŠß‰;"
+G%fi±ëåK6J36¿jhHï2Ø·,»ê’ðsœ³Üt-�{X»RŒ‘§À“²+”yÖ-!£/_ÃÀM„ØÇ¢šærŠ6Fç�±“œßìý˪­\<‡bç›Ö¥+ÿÃ[™yŽaÏ$F*P�‘’4
+ð^:ˆó}×í¤K⥛Êé&6iÝjÁëv¿YQ#Z<zKyt�]0~Ñ:©B…Hß""«‡ÚhUO|ûÐÐKÜ`};¡/<uk¢1^ˆÍ°ü@e"ÝÆÛ.¾‚¶cÖK
+—ØèÒÒη=¬ýͬÁ4åÁ>cùß�QÊ-ÆF­êÎS<^e-ñƒ`èe$ \/ 'ƪ)ÔÂ1‹¤Šg¤v
+Lò�$UÄ„Qþa
 endobj
-1126 0 obj <<
+1181 0 obj <<
 /Type /Page
-/Contents 1127 0 R
-/Resources 1125 0 R
+/Contents 1182 0 R
+/Resources 1180 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1093 0 R
-/Annots [ 1129 0 R 1130 0 R ]
+/Parent 1148 0 R
+/Annots [ 1184 0 R 1185 0 R ]
 >> endobj
-1129 0 obj <<
+1184 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 576.4843 256.3816 588.5439]
+/Rect [55.6967 404.4849 256.3816 416.5446]
 /Subtype /Link
 /A << /S /GoTo /D (rndc) >>
 >> endobj
-1130 0 obj <<
+1185 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [268.5158 576.4843 332.4306 588.5439]
+/Rect [268.5158 404.4849 332.4306 416.5446]
 /Subtype /Link
 /A << /S /GoTo /D (admin_tools) >>
 >> endobj
-1128 0 obj <<
-/D [1126 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-294 0 obj <<
-/D [1126 0 R /XYZ 56.6929 311.2132 null]
->> endobj
-1131 0 obj <<
-/D [1126 0 R /XYZ 56.6929 286.8682 null]
+1183 0 obj <<
+/D [1181 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-298 0 obj <<
-/D [1126 0 R /XYZ 56.6929 252.8569 null]
+290 0 obj <<
+/D [1181 0 R /XYZ 56.6929 724.3071 null]
 >> endobj
-1132 0 obj <<
-/D [1126 0 R /XYZ 56.6929 223.8335 null]
+1031 0 obj <<
+/D [1181 0 R /XYZ 56.6929 689.0661 null]
 >> endobj
-302 0 obj <<
-/D [1126 0 R /XYZ 56.6929 155.208 null]
+294 0 obj <<
+/D [1181 0 R /XYZ 56.6929 117.0915 null]
 >> endobj
-1133 0 obj <<
-/D [1126 0 R /XYZ 56.6929 127.8981 null]
+1186 0 obj <<
+/D [1181 0 R /XYZ 56.6929 87.6248 null]
 >> endobj
-1125 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F48 885 0 R /F14 685 0 R >>
+1180 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R /F14 729 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1137 0 obj <<
-/Length 2663      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÜ6îÝ¿b噈å‡(Š—§4urî]“«ãÎ=¤™Œ¼K{5ÕJÛ•6;¾öþ{A‚ÔJ+ú£ãñ  
-É`=÷Xðîòß½¿zóÓOo®Î¿\ÿxvq=è2Ö—QaùýìóºX�Ú?žQ"t!P´æ‹ÍY&‘™
SŸ}:ûy`8šuKcö“¢ ²à*b@ÎŒ-%ŸXPj’.œ­Ò€RšüfîQ½O}Ù›�izþ`~¥”7U_µ
bÊf…À/]yg¬`31:-ºHyFtÆ2·Ëõ:±§$ϸbKcwŸ3©¬
Mw쑬P0Óá°ÄŸn]îÎY‘˜•›%Žý*§¦nÛûÎ p¨ú5Bן.ß#ô+•´3æô¬3ªHÎAH%2’kª­Õqrw·@àjtL}:^€Ç4VxÎ×*þÉ,ÑúV"8å™4Rða=‘fæ*ÕS2̸YÀvë×ÞnËv³±>
R-R¡()—‹tp>X½\—Mcjt›lÊ2§�«…âœ(!Õ6èÓñ‚¹>s¾›bòà$›É£Á<tÌ~fÕ�ê))fÜ‚U	Ž1JT.¬áÑ‚«Gb‡D1Z<;@“g,;œfɲlh—ËýÁÒϹsåT&}»ELm¾¹³³ô·"àÔ66ïö»ÒÛ�S{‚Ö³¯š®Zy\ÑIPI$WA©o•9Ä2äVEå©V�º¹–É¿Ì}‡;¬Lêý1Wü-›ú#f›Æ„•AßU�K§œÉ×�Y¼Cîhr
-NÕ�¬æ,%Qr¨'x¡°+xìÁëV<Ū8aÅya–[Z‘ý]¹¸Ìd&ÿ.3QD%ƒ[3ÊR''ì€*“'ü$ãò™Ð?Ü8É>
%Ü BÓH{ŒÍæœ&×çšBÞ€ax¼¥3HÝÚ:—"ñ/Kœðn„t"¹¹Gt¹ÝB‘†ÙÐþr	¤¦j³ß Q³ßܸ®¢–Ç]
ÏWǶrùæ·ˆO§yÅ?¯–… €“C»¨²ÃˆÿÊÞV,1äŽDŒ­¡>f‚ŸzhZЈµƒ·K¨
ÁnÜÍd­î±|¸¡ ñ™þ4e	–“
-fxã®sö┦cŽó”%ÀÁ¤fÅqc¼E]ŠVÄJr”¶¬eñd5›tÜDëOÂÏû:t6~)_ÎW9È#\ΟîÐoq[ÛB÷NJ±²¿¾à,;“æÜ‹«@ˆ:’¡î5ˆÀ¥à½¯T¦†Ö�ö­¡º½»ó=k½ß•ðúßEë¤40É�ãNßPÒN"ó3RƒÑà+Vl#^üÙk‰n«Ú“oK{¹[ȱ°k¹ Ú¶é&kýæPat�:†¸µðŸø³oêjS¹“ð´¡/±Àóïªÿ™7ÝxeUÎïÚÝw`Ï1üõ¶\V5\‡±üVõ+³ÛÅäú3èW×G=^�å`QCuÆc°é`¨%!¯Ö#Á®íÔl‡r×Þvoa¥	(»·O7'Åóm;Y¶27{ÏÈKåûhË	é=µ«8¶øt»É‰m!núÔÞ±^Ý{ã$èÖ´¯£gÏ眦†{	§¾
-1ñ—S�BÿÿŒ�¦z‡ÑóÂq»¯'‡õà<!ä…Ò[¸tšhxXOƒYN÷OT›}F|I›\<Þ&§B…Ë'H½¤¸Ð,Ò*jԤ÷—ÅbÇ\؇�mËYè[¹«ŒõI;°u‰¥”vÈm�yÑ°ƒ.üÜÒâZ”BªÌV	RÙ·rkúIM 6	¥cHúsõ ŒSDªâ$_o×»߸öìÚezwØ3h÷ývßãÜÆôëvÕ½Â7'¾)ýÌ ‘k3¸#ã¼fG.Ÿx’ƒ}�ೋ,AC#AÐá
ÍB»ÏÕ	Â'4;vNÜÕ¿@}K(b,M¨•ó’‘G	<‹`ÒÁBÒW&¶
-0µYz¿]·ìá·{_H,k°¦ñ¬P­;ëÉ¡Ö8ÃfZVš¨lÚ°úظæJ–%mS-ƒb#d~ÄËÔGYé{
-СBxñGýã<d |Qðø×AsRp­‚PVq¡N%¾þÏEÿ(^Øendstream
+1190 0 obj <<
+/Length 2372      
+/Filter /FlateDecode
+>>
+stream
+xÚµËrã6òî¯ÐQ®
+<,Ÿ&ÛëìÆÙxœÓdjŠ&a‹>‘²W»É¿§�)R¤,ﺶt`h4ºýB‹-(üØBKBE.TI™\¤å]<ÁÚõó8A‡±¾»?ûöJ¨ELâˆG‹ûÇ
-M¨ÖlqŸ}^~üÛ‡Þ_Þ�\ÒeDÎÑåw7·ßãLŒŸ�?Ý^Ý\ÿr÷á\…Ëû›ŸnqúîòêòîòöãåyÀ´d°Ÿ{
+G6\Ýüã¡ë»?þøáîüËýg—÷½,CyV�ßÏ>¡‹ÄþáŒk¹x�
%,Žù¢<¥ 2¢›)Î>�ýܬº­sú“B©¹šQ gÆH,%iPÆ$\8
Z¡#P
+Îq³æ_I¹.Ì70âùrD÷ú±Dà’ŠWzg±óëMþˆ8øÍìÎÙ²éxIüÞÄÛ”‹Žo´“>y(¼÷ÕU±CèÁQU
+gRLöõ„ÝáÉC)’g~.™‘	R
‹ë„zÎÍË\D€úQQy($-ËåßÍ®Á2x{Œ
{Çöˆ‘ÃU?–3ü‚¼
Š:åN)"B®Ni<éDã
RG•ð`ðqgÄ
+·Önꢙ+ƒ4x¿d»qÚÁH!>Èq;æÐ4$“j*A4„”SÝáÃ
3®4¡ûF‡– Z�mH~êÐÖ).&ÔöaÒ²PnŸA|UÒ%,Ÿ=“ö ~AÀ¡–8åÇ¢‚<´?ØèH
œÃ3(Š\ˆ�t¾åÆI¬µž…=Å`HÒ)kÌÔaUG�æjñl΋¼›¢ßX“fàM
WËߪú¥B0ið‹
+´k®„á‘«ÝNŽï‹Œ+Y]&¹ßïëE€¶UþûÖ¸ÂF¦ª6ÜaÉÍ£ñ
Œ±¥sM¾¼iq]€‡Žžum¬ÒÁããèóš£Â%
+I»²È²3^J	e|îédãFˆ4éC–@ cÓ=›	:ävÆŸŠ³õ0jÁ¾ü©œX0áÞÜ©NENýX,ŒB\–!/�Ç/“6]ùà¢G6“cK‘#Ëðr¬h½Þàvü2
<;êÒ¿’ô¡À°¾Jž
®=Sá\/À^í*I;�Ö€c±§ìEÕª·²Xí«ønìË¡™‹QÒ/Ÿtk[(+ѹõþ½pèܸ(NH™-!ùû}Û†g\;„Æjpðq׆ÊG²þ%j„=VÝöƒO„ñVCp1ת€G£ëV48×m0PºäíîÛd
+›ú
+ÄíÔ®
+UÕòî*óû¶ëum›"Ó·\‡àV”�omU&iPfrF"xLiNU¬¦$%Q²¯%x¡°RRkqŠ”> Åy8C,²¸ýÃéÍ|q%&ÿ[bBÏrY3êËRï'ä€*”ô$ãGéu‘Ð?ÜÉ6èJÈ B´Š†C°µqSˆð ¬`³ta£Y¹f�}£Â-x3B<á»Ó×k(Ò0ZÀ´Oîbi›Då¶D¤j[>¸
+ÉÔ`Yû®Hì¼Ê3`߶nÀî
y"3ÊŽ¡>f‚Zh éŒ¶#Jtµ¡íAn>µ"ÈcQŸ¡°wq²‹H³p•Ë{CVG0Rœ†,a[‚1Óûƒ1‹º
+êUÛž
+û1ú†Á`ð¶

¿ïài')"=æ…G_'í
+wíÃùs¡¶h $48ÚÓê<ÖÂàg[y™»;ð¸¡/s©ßÓoò›	9n¸3˜•ËŸÚìPåþê{Ó»¹ÈÐíj3³ÙÌñõG'_Qìå¸òÁæ1¶kw{E¥¶÷œ&ÅHIpj=VÛK²©zCèN¯a§é¦ìÙ>ÐŒdÉ«Çz´-3[OÈså;¨Ëê®?O‡"5>>n$è<¦
lF
 endobj
-1136 0 obj <<
+1189 0 obj <<
 /Type /Page
-/Contents 1137 0 R
-/Resources 1135 0 R
+/Contents 1190 0 R
+/Resources 1188 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
-/Annots [ 1140 0 R 1141 0 R 1142 0 R ]
+/Parent 1199 0 R
+/Annots [ 1195 0 R 1196 0 R 1197 0 R ]
 >> endobj
-1140 0 obj <<
+1195 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.6264 730.8852 456.8481 742.9449]
+/Rect [406.6264 524.1437 456.8481 536.2033]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1141 0 obj <<
+1196 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [140.5805 719.5976 196.7992 730.9897]
+/Rect [140.5805 512.856 196.7992 524.2481]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1142 0 obj <<
+1197 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [103.6195 677.087 159.8382 689.1466]
+/Rect [103.6195 470.0794 159.8382 482.1391]
 /Subtype /Link
 /A << /S /GoTo /D (controls_statement_definition_and_usage) >>
 >> endobj
-1138 0 obj <<
-/D [1136 0 R /XYZ 85.0394 794.5015 null]
+1191 0 obj <<
+/D [1189 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-306 0 obj <<
-/D [1136 0 R /XYZ 85.0394 769.5949 null]
+298 0 obj <<
+/D [1189 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1139 0 obj <<
-/D [1136 0 R /XYZ 85.0394 749.4437 null]
+1192 0 obj <<
+/D [1189 0 R /XYZ 85.0394 749.3189 null]
 >> endobj
-310 0 obj <<
-/D [1136 0 R /XYZ 85.0394 543.6821 null]
+302 0 obj <<
+/D [1189 0 R /XYZ 85.0394 679.8163 null]
 >> endobj
-1143 0 obj <<
-/D [1136 0 R /XYZ 85.0394 516.3776 null]
+1193 0 obj <<
+/D [1189 0 R /XYZ 85.0394 652.1211 null]
 >> endobj
-314 0 obj <<
-/D [1136 0 R /XYZ 85.0394 259.6272 null]
+306 0 obj <<
+/D [1189 0 R /XYZ 85.0394 573.4726 null]
 >> endobj
-1144 0 obj <<
-/D [1136 0 R /XYZ 85.0394 229.5133 null]
+1194 0 obj <<
+/D [1189 0 R /XYZ 85.0394 542.9681 null]
 >> endobj
-1135 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F53 962 0 R /F39 863 0 R >>
+310 0 obj <<
+/D [1189 0 R /XYZ 85.0394 335.1831 null]
+>> endobj
+1198 0 obj <<
+/D [1189 0 R /XYZ 85.0394 307.4879 null]
+>> endobj
+1188 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1148 0 obj <<
-/Length 4006      
-/Filter /FlateDecode
->>
-stream
-xÚ­Û’ã:ñ}¾bŠ2U£«/ìÓr˜=ì�³À2<PŠò$žÄlb‡ØÞì@ñït«[²�Qvfa+–[r«Õê»y-à'¯mš¤…*®³Â$VH{½Ú_‰ë
ô}%yÌÒZNGýêîêouv]$EªÒ뻇	®<y.¯ïÖ]¤‰Jn
-Ö.ÊÝ!z±k7›Ð½¯º®ÜTüéñFæ‹jSºç:꛾üLíêè:Û#R7ôì·¡_µÍOB¨Íp,ûºå^„ì*joZþ¢�}iëê¡v=î°c)eRX«ÜÚVÛ²iª]÷Šv­=ÒQà–ܬ™j‚2éµ~àp.lü¤”Á‰@2‹	ceª€³9l’›v¹¡13æ{ºhˆCDDh½Ø>•Sv¨V5®¾Z'ŒKNp-ef’Ôj{½Ô&)t®ƒ.€(H�p!ÄâÎSÍl —?l�eWEÞ)›dFäÙ›
-ßQ²$¹—uÝ­jÇÒH»x×B”ˆÙÒÉI�Ž�)ÃMÔ°»‰ÓùbWï란D'À˜Ïí*Ø{\
‡·�§zÇ°{þ¨\­ªC_­©ÿþñl‚q'
-&§Yÿ¢ezÇ­Â7Þ*lz“†›4ÉužÎ902Í>ˆ¦íç6nÔi4#Í#26	71wÛ*Æ't»Âo]3€Ø<e“’I–zO27E:ŒyÍŽàÎM#pb$
-š!FpÅÙ‚ÄåAJ¡^ȹùŠ€MÚº§h!'J‘lñ¼x@˜[ù�©ÏQ�!0ø”¿Ü öÍIŽ�JÄòG
f§
-¯>¶ x	>ª.|ô��ÃþÞe2ÐvŽž~B\hÒ;GcÌ\ºÈý”]ý¯˜C¿ŸÚ =!µœµ”º®]Õw"}§}ë$2J9á-Ælˆìa!+ÎÂÒ}!Î¢²–£HôÙ.í€ÖšsdË&a¥£—ƒîûŠ±¤ÞR8põyUUëîìúY×+^BÎ$(ÐÙâ}K#¼ÀöÔ£�»ÑYàõ2jÝs&Í1òëþrÍäsÝõLï¤Z0®g¨»ì>V`eë^ûbüœ'xYòÔžK
-÷Ür/i4†¦¯ùË®Ýso;ôËöayO\À¾Â«îöôJ”í�»pdüÇ›P¢)ì.Íèi!a¦1ç%£`Ù}%ñs½öÞ€‘q•“êê¬tp_mËOu¨_*$x9Í��A;/YNmiÔRÞR,Mã®[�áˆdi’AŽõ¬)•…ñƒBttn’µÍô‹´Ù\êº_F¡¥ÌRØ“ÏײìT ïù;çŸÁÿí8¤tRàÙËl?jdúŠÑÕÏ4š|Óô ýÀ–û×19ë¦_RÆŠã«îu̯Ҹ±„5»Œ’ûŸ×ñ
-½†(H+ùe'ióPúà"mÄe€c)ä…:“šÔ™Ô¼ô�
-œôÂܽ«¹C#ÙôG‹w)†=רÇhÎNò÷Ši.0ƒ¹t•X
-ŒufÖ
Â�˜Á³�âK$ÙDJãåvV‡•¤¹ÉŸÃâÆÕ1ºY 9…²/%÷
-Lާخ{˜—bzè—ø,äK‘ìÚU¹‹eÑ
-D0ê«ðÈÿ��âQ߈ý�ð˜o´.û�èIcxðh6”¬.Æ#&
å[‡*{
IK•j¬o»Œ�R'�µ>sæ–¹Â!ýy‹œYz×ò
xé†Ã¡=r­A.ȹ†�±@ŒG`”�ápç0]5DëÅo¨Æ~²
îÊcèö%ÿž‡rñæ
-›Î®`\`qŠ·ƒ‚ßÇ‚�ƒg¢x|ÕÑ×…#ÈH©8Eä9ßòéMg¥žè×QoN)¹Þƒ98l¦-^X÷QR{;Žy#Í+í’@•]œÚãGÏ]ý1"!+~a ðóŽÐãmðxíÑ|{5V쨌fÃþº
-Ë#Áø‹ñ7\í�žT�Â>º…d½P›i�n¬áÐávj’"ËõyÁçXÖ›-ή
-’x¢ ëI�@`Œè¶	Û:Ú 5tŒÿIèš'2Ͼ2¸r•½øq´=0…×DUL6>qF(?wUÙqÓe¸ÚgÉ
-MÄ
-Ëé×xÃ2žI•E‹¶˜DNÅYñ/
ÔÓ;[TØbìíª£;ý‚ø9y~ݺ˜_·.&÷?1HÐ9,’ÂÉbžMïN
9I†uf ÈGçŠnú(0í|ÚšûÚd®yØv¸s<YÀó2õwÇ[9•#ááotðàà®EÁgz_Á^¿¢´.PP…âüŒ
-g›7ã<ô˜Ü€_FO$`’Kÿ7Ð6Á?	Dþ ÂÍóÿû¿ã5L–€áQñ¿(Œ¥Á&z¢�x�?¡Üÿiá)éÿ—±hendstream
+1202 0 obj <<
+/Length 3489      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Z_“ã¶
ßO±“'ïÌYÿJê=]’½tÓæ’^6Óé$™ŒlË»êYÒÖ’ooÛéw/@€”ä¥ïÜöÆ"A
+@ø�²¸Lá'.�Ml!‹Ë¬Ð‰I…¹\7éåŒ}{!xÎÒOZNg}u{ñåk•]Ia¥½¼ÝNxåIšçâòvóËÂ&2¹éâëÞ¼¾ùöç·¯®2½¸½ùáÍÕRštñúæÏ×Ôúöí«ï¿õöj)r#_ÿñÕ�·×oiÈ2�¯nÞ|C”‚'˜¾½~}ýöúÍ××W¿Ý~wq}t™ê+R…Šüãâ—ßÒË
¨ýÝEš¨"7—�ÐIQò²¹ÐF%F+å)»‹Ÿ.þNFÝ«Qû‰4‘Êʈ
¥¸")Œ‘3š"±Jª`A‘‚UÒ4]캻»º½#-Ê¡jªv î7Õ¯i*Ûz¨»–(e»¡ÆÏ}yW¡-`E5Ù²ô†“ãò°Ôí½Ÿ$&“dš¤*30çx	ž3S9hYž×�Â)•-Ö]‹ÒÝöW"_T=RóEIƒ�õ¦¢Öûr_WÃuº-Í
+J;âê×SgÛí©1ÜW4·-fÕWû÷Õý�'“‹›¡�h§ÀÖ*‹½¾/Û¶ÚEÔ[j‘%&ËÕå2l¼ðp¿/{XR*°wßwëôî±/Ýax84ÖTÃ}·é_`O£àMÉ#A#|…¶¨}Ò×h
+ìí ·ã)�õ•
+09¤ …@Ã&tž™‰è¯øìÜáÀV¸ÚÕ½	�.v`+ð…Ý­½o�d�”O¸/y�UÌfÆãZî{çÁ&ÍH3a¼fÂ.rÔLÉE=ÐÈ£ãsi�@fÑwNŽ	%Ï$z/¦í3r[*U$µÁ�~�™%ÃÁø
+›0©j‡òµ«½ìöüJÝÒ“ó¨Šl*Œ†M…ö]Çot³7u8\‘}öQŽƒ&ïYR ð±ÔD	bR·ÞE•_¥Ô‘P!¬ •ûýZÆvÔËES#êa’JÎ4ýCµ®Q{Î0Gn´™N¬Á¸ª
+¨}ùÔ
‚¡Ë«Ä{Ä"8É
š
+Žú†šbƒ#ω³
+‡H¿nê�ˆ$'ÐØÎD�¢âœP±ŸN°7÷8h+~©\¯«‡ÁA2_=-0îPMMFNÀ‘º�ÂÆ<)„)øDÔí¶‹Åš<ÉEbMjÄro­³$SFÌ]ÃÁ?%²Ñß°ã-<ƒ'c§Œ!7a’\ûœ†•Á&v’Ó¤(”
!²j+õ¯<Ô
¯
+Ð]’Fâ$F˜ü]¡PÐ^"…<­˜Æ1¤vDtþýÙƒ «dê6q(/@�¡‹€Îy
y˜
+’˜ÈT&ya—�~&[a‹Ë7há¶Àtú,[¼vQÈÕïc€©ÀF*í4Ö÷]G§Nòq’‹wUõàסµyB·ÛPc¢’·A*l¨Y˜áöôøè4À(Áý|¾
¦H²,@QÜX�ñM—’ùâïùakUm»P®B¿fº+´àIþ«"`§m–†+� 
 úçò@P™÷AÏ<ì�K¬@ºÈJŠ†,²ŽŒ­I‰ ösf(Ôœ™Ïð.Ø~~^q¡4æçš
 8…ÒâH¡ô´BPNÈ3-7×̤\œ{Îê!‹b§Ÿv¨
+0sÈèi.AëÆò9¤}kÂé	e5ð¬=Lò×å’�oŸG\d¹Ø-ÆRˆoÍÒĤG †o¹�=
+ˆÒ†�–/º°µáúØpˆD ;&9^UÌÅúHáÈÕ‡uUmú£ëvS¯Y!˜„–Á{Y™-Þt4Ãg
+
+̉ˆµ·üƹ|Aƒ*ŒEN( #Ëì§Ñ�0Ai‡(ö*›•�Ã~èÐx!”J´qŠ¯
|½…„°�ІX
+íISÓkè K¿q:Ö©J”ÍåÜF‘#%�ón·#w‘|×+±vXïëU ¯º÷üWÖÒ•ðh«Gj€¢‚ØJ8ñw‡Ã`aØ©äôs
+vk^)úåDa%“…Kå�ãVYH13øŠmG+4ÝtÝM9”\k
+ü“Ål7·5Ú'}Á¯"´ú‚HcÀÀž¢í¶dÚ¼Œ~?Ú×í°¤jç=U}ô#Í›ªs—QqÏùw2Eš<\{ðõl$a@Z)ĉ+&9¹b’ók$0L’Óë#Ép2
+kî²Úc¯0¹¿C8_Pø;v! ¹(Éï3S|µŒ@x"BÉ_–
IJ,Ç÷xc$†âÖ•Æ'Ëýн.ô'
&
 endobj
-1147 0 obj <<
+1201 0 obj <<
 /Type /Page
-/Contents 1148 0 R
-/Resources 1146 0 R
+/Contents 1202 0 R
+/Resources 1200 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
+/Parent 1199 0 R
 >> endobj
-1149 0 obj <<
-/D [1147 0 R /XYZ 56.6929 794.5015 null]
+1203 0 obj <<
+/D [1201 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+314 0 obj <<
+/D [1201 0 R /XYZ 56.6929 769.5949 null]
+>> endobj
+1204 0 obj <<
+/D [1201 0 R /XYZ 56.6929 749.2381 null]
 >> endobj
 318 0 obj <<
-/D [1147 0 R /XYZ 56.6929 728.4063 null]
+/D [1201 0 R /XYZ 56.6929 540.3599 null]
 >> endobj
-1150 0 obj <<
-/D [1147 0 R /XYZ 56.6929 705.2957 null]
+1205 0 obj <<
+/D [1201 0 R /XYZ 56.6929 517.4049 null]
 >> endobj
-1146 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R >>
+1200 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1153 0 obj <<
-/Length 2604      
-/Filter /FlateDecode
->>
-stream
-xÚÅ]sÛ6òÝ¿B“—Ð3B
-òûÅ/¿…‹Äþþ"d2Sñb!ãY&Û‹(–,Ž¤t�úâç‹Œ'³f©O±T,V"õ(PHŸãŒ%¦P�÷
e<èu÷Uw8ƒ"o,p÷øX¨ÿtÓW_-~©vëuÕ¬é³jVm·Í‡ªm}¿Ñ–H5ØÿžfªÆC!¶m©Aý‘ÁÍŠ0†SæÀ¯{T:H¾äœeq,Œëº}Èk@V	ÑÅaÔú«¶P³;ü¯»K®�FXÀ6FZ˜ú·6síÜ4ÆÝB™r
-xÈ)Mì«ú’5}<hšÎ‹
´„¢ðÌêf½&GSäÐ#Y¯A}Y®€¡Ç°Õ�`ý�wƒá¿P]@
ÌÎ'fç\0!e„‘^“ouiѦÞ!ÁcãŒ[,§p$»‡�iÛq™MV¦!S2v+—>â<f\„±Eù5eny^µuÝî�£™\9ý=¶}5�ïªôÔ
|�€‘¤ŒƒÖ2éVv—*Ø5
êä\K!“‘’NÅDº¦,ðXgÁÐå…öðE,
—°ü3Ü:±¦…U£iaìL«Ñ´
-S@õ�º¨VúÈ'0ðxQÐ÷è 0¬uÕp¸äœ£?#l…�ýG¾}¬õ;Ï�Ã
90JRÃhAÜ\.“бP_Ì>_¬âÌŒ¬B²ŒŸZwrÒ«UÛ¾z?�CÜFˬÁ³RàPúÒKùÏ÷—
Ê2daÈ•Á� 
-,B	Ö&ÖÅ³Ô GåÓøºù·’áPÚ™Ž°kp2‚äÍ�CµÕv´±ƒ1ÂÁŠÊâ£CžmÏÍ¡Ãp“&
yÍ:7ÿåq'àÊ»i3%Ç!U4#SFð«|àèW8câîùÉ!ê.uÁ¨<@D¯
-_Ð’Œs9tg>$½ë513r8Ï°fîÈ´töF°S<@!x‘éq+Œï§HwÛªÑäÐûñ˜L¢
-�¡ mƒ1’.ûã´	O0WBÑ@#
-:8gAäÅD˜þëv½Ö%ó™0Féâø¯s¿ÍÓM&áÅ	€
„‚Z1•ÄÑÜ(¹‡�JÌÄ1Óz`Üè9¤Î$³h6è¼±im7Pº2UVœ‚ƒíòÚTŽ1¦q��Î
-ÎõUSx•R’EýFFòºo‰®QcO[’Í
-TâéÌ:ÐY·ÝÁÃO’°4‘.“Ú*nE	HŠ“RÃÄ�ßwºt‰ÊSÜyDâ:�ƒq7ó…!ÿÇi{€h‘u<
-ûßÈr$¸œP¤Œ8oÚ8Kp¹Ã"ñPxÊÁb9Þ}Ž¶Äs= ÓÔ6
+1208 0 obj <<
+/Length 3336      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZYoãF~÷¯0ò22`1}‘lÎ<Mf=ÉÉd×ñ>%A@K”DD"’²â]ä¿oUW5/·íÃ`_ì®ó«ª¦ä¥€?yiãHèÌ\¦™‰b!ãËÕáB\naîëÉk–~Ñr¼ê«»‹/?êô2‹²D%—w›Ñ^6ÖÊË»õO‹ß¼ÿçÝÍíÕRÅb‘DWË8‹¯>}þ�dôøðÃç�Ÿ¾þ÷íû«Ô,î>ýð™†oo>ÞÜÞ|þpsµ”6–ð¾âžyáã§ïn¨õõíûï¿{õËÝ·7w=/c~¥ÐÈÈï?ý".×Àö·"Ò™�/ÏБÌ2uy¸0±Žb£µÙ_üxñ¯~ÃѬ{5$¿XÛ(¶*
Pé�
+Êi€dLíó®\íhöÔ:1À ¯{(šGšª÷ë~¨-k>´Þ¸YÊÄF6K§bzIG*U†ùévyGîRWûGjy²Ä¢;×Ô Ûž .?ÇSψ8‘Ò©7°¹
+ÈùYÄþe€,ž-¯’Í©ZuÀöuFå[%Ÿ¿Úç@(µýX[î�@ÏG¹­jrŒuD�2ãD
+lô‚ÃÎé
+
+ˆY
1Y^(14Qo¨Ï[(I©Ä+É91ìÊ�–í¸Ê¹žùZjzrÉÆBl!þDIjfð¹>í94
+CDžU=yØv{òæÊ.NA=Žç-?é±ávË‘a_;Rº¾¦²®§€CÉœ
+‡ÍÛáz
+h Ì’kP—†Ã`ñH¯-xý˜è"À5o°œ)Æ)®�¨`¦¬;€½×ëÂU¯Š*1WCΈ#ƒ˜ðÇ�e_ßçhN6áèÍ´Ïã`”•,¶l&i0õ¹*Lý‡Ð­všˆ}µK&2O¥4q.!Ur—yÁt%σc ƒä³A
+“�ÂtQ9k‹Ž µ()¿ÖŽz¤1ðŠ†1zÏUÉ
+J8�¼Ž½€Ò}™Dòî!Ý�Úïo&)¡€û,dÚët%<úƒ¡êœIÞÔû}}F(³•ÓãXCøq‡=ô^�öv@fdäsä†�
+[A£ÍPá�o4ÕzÅ
+ˆü‘1ƒ½
¡¢Ö‘HŬ„´ãÑÀrЬDcT¼xO.‘MÇŽCšµ„Öþµ#\ÍüÝ‹µ„pvð®Îœ“Z–Ì÷uR`-¸%ð²(GÎc(b&,C½�—{dëSw<u¨y)(xù”þê¥=«rÃÕY>Ch^Q¿7�Q5'¥\\ÏjDFÿ·
‡›!xJáI(W¿ºs~eÄ™ÿ:^•†<l®ÝM‰a}±©ë/Þ…ÈP�à:æ›ú�¿“	ìü绀ÉÀÎ�Cdi&ÇùvŒ®ÝQcd6º>M¹ÌžÌ65Ï4´zFF#yõH�®<ÜÚq£G8¾vÂ14È'ÇKçt7©Ïx·œ‡'Ñ…Þ“ ë³ºGmÍds˜r|€]¥`ƒ]áÌ3©´""õ`´~@/W!ÐÒ‘”z~ï嶦²Æš�ÂYÆ…sÑÚ뇽àa´«Yõx”š×z£‚ÛÝPôn2Mlýý£K�Ÿ»¬x*†PJË¡þ¯º¥Ór@6²i_	î\bf$@±‹îFPjð–Ñhü�ÏYan
9µtpÎñŒÛ˜žPl¹Üš«0îL_
ý
êùãø�¼x@ÔÙ$žÕ¡R9� TŠÿÂ7
mŸ 0è\sX;u®(ÓNÁÀøB�5ðG¾‚smY­ÂWÍ’æ%û«„ø»Ï”ÄØÒ‘\I¤^g±0„‚v!\‡-KeY_à�vV°Ï¶nB÷ÆI¥I_ú�Æ$À�˜Â�ßOP4¹’S{¶4@¢:Å›]>ÍõÜM`Óì@ô^Ê—¿ð$㶳ö÷=¢Œ†Œó#”k¨u°ˆ	ÉAYÙ_)�^¸?{K¥É�ˆ¯®ûê©bÑ°8¼D€¥Tc¨‚ž‡h:è—rXÙË
;F uÏ#Þ
—&Kž)y
b"­ú»1âñ™šWô	`}Ä2§e"òÇé±t÷Ž-O¤�C«´Ã=Ë×�hôÚ}É{©³UHoY¹�mæûsþØÒ¨S4Œ9r^ê²)í­f)µ¦Ü‹2ewÚ¼¥«!tT
Tʽ¹y“ÐvšœDtßóM1\¯Ç¤axºÜÎêU$|7Z›¸K�@méEP5
+¾_í9}�OAÜvuó›óiGoÙ€¡s
+4rÿêçºCt²¦ûc:•õN¾Lt@”¯CUS¯¶Í†_:ºŲ̈÷%͘
+)×ÙœòþYOIÿwB)Îendstream
 endobj
-1152 0 obj <<
+1207 0 obj <<
 /Type /Page
-/Contents 1153 0 R
-/Resources 1151 0 R
+/Contents 1208 0 R
+/Resources 1206 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
-/Annots [ 1155 0 R ]
+/Parent 1199 0 R
+/Annots [ 1210 0 R ]
 >> endobj
-1155 0 obj <<
+1210 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [173.6261 465.0053 242.2981 474.4149]
+/Rect [173.6261 273.4719 242.2981 282.8815]
 /Subtype /Link
 /A << /S /GoTo /D (the_category_phrase) >>
 >> endobj
-1154 0 obj <<
-/D [1152 0 R /XYZ 85.0394 794.5015 null]
+1209 0 obj <<
+/D [1207 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1151 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1206 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1159 0 obj <<
-/Length 2725      
+1214 0 obj <<
+/Length 2391      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZKsÛF¾ëW°r1Tebç�Ác}Rl9«ÔZö:Ê!›M¹ r(¢
Há¦òß·{º
HÚk¹Ê¥ƒ€ž™žž¯ßʉ€?91¡&*™DIà!Íd¶:“;ûáLòœi;iÚŸõýÍÙß^ëh’øI¨ÂÉÍ¢Ç+öEËÉÍüW/ô•„÷òíõë«~~qÞÍÕÛëó©2Â{}õÏKzúáýÅ›7ïϧ26Ò{ù�‹w7—ïi(dß_]¿"JBÿ0}ùúòýåõËËóßn~<»¼éÎÒ?¯òûÙ¯¿‰ÉŽýã™ðu›É¼_&‰š¬Î£}hÝRò³ŸÎþÕ1ì�º¥£øIá+ª
-ï?J§Nú6#}'	Ã9½A¼eGSDZ\×YYÐ3ƒ Àì<£ÿ³š¨ žbΈÅnÚ
½’Á
V•[Ÿµ¨}Tbä'ZENŒ·Å–·$	�ý6'šƒþÏ-r*ì�Õ"ò²šè3˜[òó­%,y»Ô¡w³l˜ie°8ôÒ¼¶çÒÛÐ��<›,¯§YÁH´Š&í°É·çRJïù˜Þn†Ž¶…Ø–Vå<[l·V½s»H›œ×äåÝ;ƒðnyêºÌŠº£ÎÀ!ïÊMf+ž—ödío¾Lï»�:€û°pÚ’²é1ÐAüB
-f?2ŒZÇH	/�é¸+‚Ø챸P´µ
�a³,8ädv$@ü±°›)f§~„Àm1`_!CP
¹cãp ŠD‰ã÷ºE°KíøBn„Ôû4ËÓÛê-¦ŠœáªPx¸Ú‚続m2Wªò¬r1`eøvm÷Æ(ËÁúÃf•r¥K«¶¼{YÔiVøc
-.Y‰®È4m�h‚Ž9/ÂJœ@›vS€B¶4½ö±;¼ÓâR ½ºéÝ}Tõ iü·,ìž
ÌÒY×ïƒHGÔ¼Ã充ܚ觳l!8¬eû"�§ãj¤F‘áb•KËSj¾X¯é‚é>Í÷PœÛ"k‰.ßw9õ÷ÆVuuÖžÀ_Â>®êIqU¡/µ9‘$`‘â+å6›œÄõå~ÚÙ]×ñ5Sº©ºŽ©Ãœ•1çƒÁ#÷D*„¿FòÊWÊœJ>PvGaDa}c«2¿ïîí#üêú§ó©�²”lV5ˆôsüÜyU3[â0]Qã4]�À׊
àoi,/Ë�ͺ¢ñ5e‡Ñ¤ƒEn[�¶ZÅv7_ýd–gÔŒ÷oÓ]tê4ÿ(Ô¹žù Ú{x>mÀzRÇ’‰ðU$ÔqµËDû±	)/aåP§²£šÿwñëMZT°²Ú»Iè§�ö^ˆÕn³û£žÕ—ýŽ]2æý¯a£ÇÀFÈpˆ0ß±~ˆñ¢ø8¸$µüÖÁ
C_›äD•!Ђ�.÷öŸT2#T×oo®^ÿ2úu9+ó#Øõ„ú–±3�ˆàDR•pª$‘œT]°<‰Ý»An‹·ŸS£ôå|*8
T
-‘‰?ƒe»â œ
-*ñebøv\ôIÙRnÞš"½Í-ÏäÎln¡ª_eEK^òƒëæƲ'jKljûš©A_T�ð°Ì0]#­î}½Â‘´":ö÷Hp‡Cý�|óˆ±ùt÷™}»TP8…í‡\hX#{´=º�š$þn£ßŸäî¨JC kV«Ô}—Óý´à[t¥¥»æpU‚æ®EºÇ”Ä�Æ»½¥<ä	
-*$
µýÞw¼4Åv(anð9}O‰Ü�¡>t©5}¡×:€Ú¿y!…?,iú�””^Û¢IN_[ù9~˜†Zå95x·[Ø}õÁM˜a6jUç°mc7x—€Rásoz{~Ï¥¾ÌK¿j�ز>FãÐW¡ (ZØú¡Ü|<éõ×<�›`©A9){’|Ãy'~$ãQ€
-y!B�xôS±öW[<«'úÿ
+xÚµ]sÛ6òÝ¿BÓ—H3B€	^žÒÔιsIZŸûpÓv2´IœR¤Ž¤âª7ýïÝÅ.ø!ÓŽï27z °X,ö{�œð“3‹8Ué,I#¡©g«ýE0ÛÂÚ»É8K�´b}{{ñê*Lf©HcÏn7ZFÆÈÙíúçy,”X
+E*ƒh¶”R¤Z+·—Ð^ƒF“0_½¢÷uÞÚ†ÆmE_¦ˆ¤O„hìgN„——›
+	†j@°*^nl¹¦Ñ¡Î«ñ6âSjPc8æÓÓÉüæ]¾ÝYâf©ÂMu&ÚŸ¯=¯$yøPYå±(†*’‰HCeÆt	åI‡ò´UÓxŽNí./·�tm§6'�’B&A<ÖXGf—3Ï×zu¥Â�G x©0&IÎíÎ2ÒÐmT "…=äÜï%¸`G³X¢«ä9Ž¯DjŒ™vû¥'¸Rt.=âMÊP„”Þ¡“wÇ털¡:¥3f˜Äó]Öà 
¥Z‚4»Ê3^>ÔiæÕÁÖèqiwYK;ò– ä¥ìõqe^;¶‡#ãßïléiø³l
A°XB’yÑ�
1í-¯‚¹T@Ø4D/ÀoY•X:òY(ƒùuëWê}V {8óñ‰cŒOüfôù%Tai¼‚vMjåXœ†õXf{»õ±œÐ8¤eLʘyɇîøˆ±ÜÄ\Uÿæ'ë܉cWmUŸRʹ í„A,¢$Aõ¸¨#»_U@K¥Ð])9àŒhdMU6/¸•M€kÄ
+~Q*š�UF¡0©”,Áò8!¤·¡8BŽäªÚï]ÊÁI‘—î$
^ÔæïLßcc׎7í8šàC§"cý<�'*õ
ÛYtpÚŠ5ÒÚ5³„®KŠM”PR�%�lÓRº<O
JiÔ�©©°ƒ¦�W¡‹4¥[Ç�6쇉w
3/í=A~ºþî%�H—°Y“ ]<˜.¼µ¥­Y:�
—S‰
´-"“&ÿû9sß´Yݲ£šùñÀêK�¤Šä™úãàäM›cÍÀa½€]eI`î´’°³VJ’„t@×y³ÊÜÒìŽbÔüzCk§êHƒÒZ>Çi¾«ìÐÉØD�J.‘¾P³&èIì�M;ä�É9£ ÿ¯8¾ÏÛÝT=ï‚û‘ˆ‚’¦LêSÂrûÜ€Š]äèÀ;CÀÑÝg
+Î,- °Æ‚íª¶~"ñùì
+ié“‹ql|,WÀ¸%�ûú�0
+-
æAJ%G3„¯
+r-›¯<oð:<|—}îêô0†g-)×
송ã
+ /ºÝÙÑáÌØ»:kì#ýP$ÒHF¾òÁ¦�ú‰™ï]Bp/Ø<
+õ¼©hÁÉ‚¸N‘¡öATú
škÄè�¯2lqÔV´ÔXƾ÷¹0|°‹ÀЄøžî¶-Yü‚ŽVžSç*Uù¢%Òs.™R¦�UFKz4n“œs †˜pÞ0‘j3ŠvÈ
Õ鿳9'ŽSPIHÀ&¡ímÓd[Ë<çå”s[¦ÌÀä¡JA%˜xŽÑ‡j¶â´�v²ý•‘†@‡àó:¡EêsÖðp¬6­Í0À58j¡d98—µ‰°N›ÏÖ¨*2žoP„‘P�õÙígSEußÅ!¦ÓQìò¤O³¾ŸÄ¦äo<w]½¬ƒ+¤¿�¯•§Œùzt5œaϹ¤¼ÁpQ�…1¦T<·¿gûCa�. Í²í‹†šìD˜¬èØ€Èäš|Ë!w#‚!¼Ê–ÉxÔŒ¦T(ø4—3GGdEÃøþ°xþ›µ>ÖE=€^tîÁãTj!ÂEŸ¸§ÿ×"UP½_pYëão˜œ;›?i?óðR»?}òªø4Z˜| œ²ÁöÊ!}3ÜŽào^O‰8uåç«ëÄ+߯§ÙØëzó}áÉbB¾IÏ]v‚ƒ3þ’
+O§‘«AV¢¾¶ã„¡Ÿ³¼Èî
+h¸2êbõ¡0¸؆†kÛ¬êÜõªŒUmF„¡?ìÙ•9`<Àu�[]ÚuâÓ«²ÍòRL)è}Õ‰0Ñmí³“Ï(ì4ëµ]�ýhs\ôð5” Ü¡m#¼ý)4`A
+•R	hôs n‰$HÎ^=ÿ·]žì¡VÇú	h_
+™Ìd‰ÀÈ/ti$ùHsÍi&}ÉŒÂA/ÄKÔû64miKÜ	„VÞÕp‚½Õd_T5¸7–#×Àù}ßåF1†�]êÀÓW¼­*q¶=ÖìšÄËüÔ]ÂÚrªyºM¤I¸}üu6Cï€ÖÑôo¶Ï'éw<êF‰8	“§Ý 5Ò©v: Gˆâyn S—ZV»%äz�
®œ¿w7é©ÀÖ
�ù	
‡œ³\óèYÓ8“ad#î_UG|9e©þæ2ºTsÊÖë׎¾¡±Û<nÙ�ξÎÿWËjÈ)qø…
 endobj
-1158 0 obj <<
+1213 0 obj <<
 /Type /Page
-/Contents 1159 0 R
-/Resources 1157 0 R
+/Contents 1214 0 R
+/Resources 1212 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
+/Parent 1199 0 R
 >> endobj
-1160 0 obj <<
-/D [1158 0 R /XYZ 56.6929 794.5015 null]
+1215 0 obj <<
+/D [1213 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 322 0 obj <<
-/D [1158 0 R /XYZ 56.6929 687.8392 null]
+/D [1213 0 R /XYZ 56.6929 496.5566 null]
 >> endobj
-1156 0 obj <<
-/D [1158 0 R /XYZ 56.6929 663.0573 null]
+1211 0 obj <<
+/D [1213 0 R /XYZ 56.6929 471.7746 null]
 >> endobj
-1161 0 obj <<
-/D [1158 0 R /XYZ 56.6929 346.0859 null]
+1216 0 obj <<
+/D [1213 0 R /XYZ 56.6929 154.8032 null]
 >> endobj
-1162 0 obj <<
-/D [1158 0 R /XYZ 56.6929 334.1307 null]
+1217 0 obj <<
+/D [1213 0 R /XYZ 56.6929 142.848 null]
 >> endobj
-1157 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1212 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1165 0 obj <<
-/Length 2655      
+1220 0 obj <<
+/Length 3046      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZÝsÛ6÷_¡™{¨<­pø 
+T
ä^S°QÄxÂõ�`#ËŒµ¤í³ªü�sy7(ØÓÀ¸Y§M^•$>¬)Ñ«t]çåÝ¡‡Ó˜¹ˆ¸³ö×±T,9xe¾²íñ¼ˆ%pÆ\‰XÁ¶¤H¼äÖ®®Š{·ñÙå
Ø
+®‚VB¯
Šú'4 v\oflŽÆiMlÍÂQñÃ
©ó{GmEU}Ú¬jj_9Ï1ÁÀ\A÷H
æÕzéÂaµÇúÑ-Òb¾SfEîʦ�á˜C[:[l�¾L—A#j·Æmƒ½;pî�~Ý!}Û«Åc&åàÍ‚qb!Œìçy�z^žü«2ȬY§e
=ƒ ýwdéé¼î¯™Ëï_­ÝÚ¿cãeð•&‰Dl’„ÅÚDû"®6Í7’qíÊì t»ë~]ñŠWo1%¢!§kbË.Èé–U“χ]îm+¿Ë«Û‹óÿìÙý¦šUÅ
áuVõ=릕Lédèú«Y™àX½½Þ‡=ÿØgr_Tº}-y³öE°íñ¼<…d:VƒÊhÀÒ'œ¼è¦\¦Íl
®jH¤ïA–é�ƒ,
·;m�Š¼cʨò!­©nS¦ÀxΊê2׸õ2/ÛêE fEZ×û.Tú	ñ¼TœŒ+°*áèR©âa‘£ÏÆ:…Ž0´à°¾¬¨Âo5€v·'�X
+PÛT¡\¸¾%kXNF‘¾Ò2«¬nÙÒÆÝU0¿· 
+[/7EÑ'ÁZŽÙ"-KwÈ–v.Õ×]ÔokK9gFƃ¶”GLŠ ¡¥kªõ§Á›øÈŠêõ¡Ê!{ÙYÌwìtƒPj@f:‘Lê$ØËUWc8æx³˜ÏHdÔ瀼ºùŽÁŽ¶†YEi:†Ixwä5ùV‰†p/ðåÝM¼š¬�eÊÊè%c¶]ž•vĦ"=„ܵ�UD	G°ùuîêA)߬Ü1¨—Û÷âg;áôEµ)²6|¥r민1f}Öúlu„n¢I×Íff?Ša0šÕ2lõ
+¿2ð=ä`øýØÞÏ7
(NAĶç¦]€*Ò&8ú±{O
_¸O�ð±)W×}g+#wø={V'f#øªUH÷ÀØD-ÒÆ aW¶^™³$Vñ'ˆDë²^±SÈ
+jÐúm9 Ÿ\m3­šÛó3íôØ%¿+ýúŒösÞl0ã)æ¸z„ðp++©ÜÔ(ý(ò#LÞaNåٕ؃ÞLOéûê2Sßí¨(‘wg4�ühÔ‰�žµiNÍOnöi¢�å5ÞÆŒæòÆ)ÝfšN/d`tÇ¢îm|2Sê
 ãEåð/þf¤Væ
D’“¹{|Ó+¼‡æ>§ËUáجZÒ(—TžÀQ?ÞLû6Ù�úÍšÔšT~1iéšç&�Ф½®ë8¾Ò}Ó¤¯‚GJAÖÀdb-‰'Ëë†tÃ
+èe•m
+W÷*ʾ…îmw¯ºÚw£�~0罧ٕÒwœÉUV1ðñCXZY¸„Æ–ÎJØúì¯äï½Úƒ·7o¿L‰½ìq¤»æׂ‚J³Ø¼è´ÚÏ‹(#¢! ¨Œfá[J>€G��ú£ÁwþiAé$(|�ÎVY„uhØj2~,óz¶ÿlå=6'/ļ¬(Pú2”÷“ (”oô¬ºw[÷«Aù
(éy©„
+¸i%Q€eü%ötE%yÍžÚ,ªz/|J1Iëzö‡(Mç4¾î„¿­Òp
h3¼�2
ôj‚qu…»óç9©Êb8V;Ûò#*Tcß©M2
l|WÝÕÔ²‹)¬
+©C¤é½#Ê#_Oa–Nbæ¡rW}:tùﳫ÷'þµßŽ	#˜öÉÁ¶‡ésKøMᢥ‡5óÅF}ÛŸá!Ã"zéQ¢´üƒ´mrKÏF,ŠxÊäåÞcxª
+‡òuÛΤÓ{FÕ3t,Yâ‹�ýèB
+j{$jçÅàÃo97erlª*£¨bbÀì\„δ’>ÐGŠ’¡“A£?MWÛ²¡éî\Ca˜Ÿ†ÊÝÑ™¸ÕG¨ž§yºVT;¶ª¼`LüŒ5$i>ÍÝ„�÷iV•?„Ê°m�yo.áí
æm‚YU*ä�XÒ[}ÌÒ’
+Ñúš¼6+Z|¢$’ w;`]³>éþìÂEDeOT'®'L¢Žò¾¶óKªµAÕ¡ºUõYÿE%ùØN¾¢rÔm‹&�«é mÀò–wß´°GH£à�5ප˷!]i·oOçÇEïVˆfœhk& ÌpŠØËÈÐu÷nßuˆ°älót»-
+Þ$diö2ªs8E7YUuÞø_½ì°‘ϪÒ•ØZÌ&-Ыj©Û×A$)'§
ó‘áÅ:$–pýVÔÖÐdi^í¾@�þ÷:˜ôhÍ*}µi2 &Xn(I€Ú€ù&�XŒéª
ÒŸ×òiÌðàØ]žG�9¨vCdûú|„'[mODÐö‰U||ŽR.Ìõ9¯|þØkQéà£Ý½AG"*
%m¿m(iÛ@„mãqã%¨coçÀ•/{g‡I½€cI=c±Ç î>-ò¬E€ð^f‘­ÍƇÄZ$~ æý(k«›Ý¨/ü"§µ¸ýñôÎK
+§; ãëpÌí~ð9ôRìc¹}òÒÿ¯×v!Z²Hà
+8³’~óñô‡§|4ñÿÕŸ¹î~YÀeq¾íeã¹a±L,K‹Î6O�E«˜éXîØ:‹ÿ®æ¹÷endstream
+endobj
+1219 0 obj <<
+/Type /Page
+/Contents 1220 0 R
+/Resources 1218 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1199 0 R
+>> endobj
+1221 0 obj <<
+/D [1219 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1218 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1224 0 obj <<
+/Length 1962      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZmoÛ8þž_aà>œŒ=©")RR÷S¶I{Y´é^’èEfládÉkÉÉå÷ßo†CêÅ–ë¦Ý()r8CÎçá¸lÂ_6KdŠ4šÅiÈ�ÉY¾>gK˜{wÆ,�ïˆü!ÕOwg¯ÞŠx–©âjv÷0à•a’°ÙÝâ“÷æïç¿Ü]ÞÌ}.COs_ªÐûéêú‚FRjÞ|¼~{õî×›óyywW¯iøæòíåÍåõ›Ë¹ÏÉ`=·Ž,x{õþ’zïnÎ?|8¿™¾ûùìò®;Ëð¼,x�?Î>}g8öÏga ÒDΞà#XšòÙú,’"�‘n¤<»=ûGÇp0k–Né/
-YÀ¸3_$A$er\,‰A¬í2¤RîKõ™ˆ�SŒ6‘*¡ÛÙ„³�MX$‚D9‹e(Á…1Ên³ÈZí7:ßm‹ö•ëÄ`¨'–QÂ�þ|³ÙÎYâÕ�YIêͪuº*Ü`ý@-±§¾Y§ÿØé¦m‚}kD`ŽX)>âû#¢$à} ")ƒˆÅü%<Ý’£ÚVa(žÈSÚŽâ@Å1…
-)á8œsϧ
š�^U·¬c–êòâúv$VØ­íM(æ×Ðx½s¶GSV­Æ!ÖÓŲrñ‹\o‘k@+Ò�Ãî”|cŽ“‡^Â_öÙF½†¬ÉCº;ž_Oiééé)ÐÿÎÖ›Ry½&.W×ÔžÃêýp{9µ÷¡èׯIhü2¡•n�	õIèdºÞÂßyµ÷ù‚‹ ý"$8àéVÍ2VAÌ~"[È”\¦©QÏ¢h6Y›¯N¦‹KH·¡à”~¡-*°¥eÞ&Ëÿ¥MàÁT[ÛÖ8&t½}4�ýu½Ø•t�Ølœ�`¹MSÙh¸ç$r¸¡ìÝ8iÍ¡–¾Oóƒäo7ÿ'-	I/Vâ”-l!JÙ²‚“ç§-y}{{ùfXÝÝ^½©±­óº<P,Øùší·üg¡*!ƒDÉ—Dž[q\±<	’4>…©$`D€î‘QY	ÉÉ'ç=
¬Þ1$-™Zwo0o‰3sc':?Æ�uÑäu…)}¹Ûf	LòÍý�D¼®
äN‹‚øŠ+Œç¼~Ô]&)ó¥wöRj Î*ê
,0!lú5µG³H»ªsN'Î
Þ›{ âM]îð@_ð™�5¾Ï½Ó
-ËÁµ„B ³´<FUœ�xÙ1,¡DÒºíëP6‰‹ãf¼cƒâ‡Fø:à3Ž=¾�
-P›RŽÓE©_Opô9ø!KÀh,
TÂØ`çêþ×xºÃ4#?ÿDeÑ´£Ì-0M±ùÝ<ÍÇ'zçÙqüøL_?ÚùoX
uìðÿ~tŸw‰ðX觾÷;jpzÕè€�ζ€y‡§[Ô묨ƒ©ƒ›þÊ=�¤W‹ºµ¶ 7òh�¿g:.ðuÞ9ˆ¤áPG}ñ“!t¡ÑyªÂ†(ð×&[ꯉ­ÉXIƒ¤/n
•$SÁcEpæõ8ˆò�R¹
-ËŸéÞûÅE ÝEÏœŠú®ìŒý,Ïõ²q‰Ÿf”ù˜îê�ªšZ[‹„^aIÕS,6r5 I9#	Žxgê#ÎVÈi`
0x×EÛQû?Nز»)Q‹tRWšstWj³œhÓæ-Î^àk@�Åò!“:',Âý«	0“ﾨ
uIØë¿ ‚6£bμÞ'pl�8âo×#”áIŽ“lEQÉ:˜wCF€ØØ€ßd9V—¹H<S&6�®Í…«›
-W9n6ð×D‚Ý—ôqoÉà’iÚí<ñv9YÊ…ãj‰“«°·ÎªŠŠ^ô â-ØTõv�Yîtt…{³´¯¸Ùœ€FC)7+dÖW£ÎW£±¯
-Ï
÷Þ)„…Ç8½Ð™yà!
i{nF…‰�ÔVçq®Ù]ÿCA�Ñ�³èvmÅgÑè-]¤ÛNêTb[,—®Èñ2ÿgQÚ
uB�¿#±€GÑÄ]Ë£„ž‘	äâ1+»qã¶Qzì!
<•êqÏ·‰®&ð¾T}Zx¥ÛüÕÖDÖ±gD*1—?ÁeD˜âO*fïîw×b¡í)3j(‘`¯~ 0
-Å|ï2'˜ìn·U� û p›m6ºZô?oÇÙ�–ÎDõøe+Á±Ú
á¯ã'œ�,Ò~í�ðýÿPˆðÝ7,¸�LéÞÃvS¨Ÿˆ
+xÚÍ]sÛ6òÝ¿B�ôL…üÀõ)Mœœ;W·g»OnÆC‹°Å)?T’²›»Þ¿],@‘•(i:ž1‹Å.°_Ø…ø"„?¾ˆbk¡‰V,
+y´XUgáâ	æÞŸqG³ôDË1Õw·g¯ÞÉd¡™ŽE¼¸}ñJY˜¦|q›ß1ì8„Á›¯Þ]¾ÿùúõy¢‚Û˯Η"
+ƒw—ÿº èýõë~x}}¾äiă7ÿ|ýÓíÅ5MÅŽÇw—Wo	£és„éõÅ»‹ë‹«7çn¿?»¸Î2>/%ä·³»á"‡c2©Óhñƒ�q­Å¢:S‘d‘’Òcʳ›³G³véœþ„ä,‰äb)KAü˜è�8I™J¥
+Y	›i®}Zp=JŽž|9¦§Ü8VÎ
WÔÑ�Y-É5”ŒX†|êdG®U1±¿ÏX¦‹H¢Þ“Ù4ïi–#¢Ã½ísBÑ´I[hŽ>AÚ¤­TÙG,BÕ¶ì‹M9ë8aÊ%Ôç<'f©ˆÕ¾çt$gç:EýD"'æFš©¹Cæîˆþ¥èׄ΋G$}tG÷´úç1$z'Ó¤²±DÍÆ´}a:6D¾M¿é'F€‘!tÝ©‡¤{xr%Y"g"FFA·1«nƒEÆÖÕ
�ì�7bl"¶çïˆ6²¾mcé0!wdOœë×™cÐÛ«qE
Òë•Ùcì%ŽƒæIšsÝŽ ôÔq‡¸ã<È3S¡#Ü­›m™œ­Vfƒyèþ¶5g›¢&¸|$DÝЗ®„
+GºSTþ
†z<¢Ñ‚“O¼íà"žrvZ@N#�€™›¦©Š¾·¢0¯NwŽ˜—¢,	zpe	�Ô¸LìS3‡ÚÜ„qlj6mIÁ¿À× 9+;²·æL€)Üÿ\“ÊࡨóŽ@RB;‡À‘­¥à›Ñ§,Îy0ò	ÄM#1Þð–q3a@—;Éñ’�¨·W7à•Ðùô¨ XãûÑ™­êN¦
^Â:4º¶°NnpûÚ4ugˆÛ/iðàÈ Ét}{žÛYÊ…çêˆ:{K!TeumωqÙ.£OÝ´Uæ¸Óa
+ çJ©™(P)5ÊÆrñœ•Þz®ÒÇÚàÇ’ÿ9ÑõLµ½Ôp3¼2ýêUkƒëX¡#+î€×ÈP—=íÝÝcÏEnÜ)3úÐ]‚PóH‘&c`”ˆ½|NE²OpëKl›Ù¼gØÁfcêܧ9«·!A–Y_<;:ØÓ
+Ããð†ýŒÉ÷µ&ÕݳݛN5Ÿkߔ룩Á
O�>ap�¨ø$Éâˆä#öN£�ïWYjZkñSW^¬@hçÎD2$�Í—U%vó¶<Ûº¨¶0S±ëaN¨$
+Ç]‡&]‡VePñµ'¼sL<
 endobj
-1164 0 obj <<
+1223 0 obj <<
 /Type /Page
-/Contents 1165 0 R
-/Resources 1163 0 R
+/Contents 1224 0 R
+/Resources 1222 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
-/Annots [ 1169 0 R 1170 0 R ]
+/Parent 1199 0 R
+/Annots [ 1228 0 R 1229 0 R ]
 >> endobj
-1169 0 obj <<
+1228 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [519.8432 216.1999 539.579 228.2596]
+/Rect [491.4967 546.2465 511.2325 558.3062]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1170 0 obj <<
+1229 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [84.0431 204.2448 117.8035 216.3044]
+/Rect [55.6967 534.2914 89.457 546.351]
 /Subtype /Link
 /A << /S /GoTo /D (lwresd) >>
 >> endobj
-1166 0 obj <<
-/D [1164 0 R /XYZ 85.0394 794.5015 null]
+1225 0 obj <<
+/D [1223 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 326 0 obj <<
-/D [1164 0 R /XYZ 85.0394 429.0696 null]
+/D [1223 0 R /XYZ 56.6929 744.5408 null]
 >> endobj
-1167 0 obj <<
-/D [1164 0 R /XYZ 85.0394 399.3522 null]
+1226 0 obj <<
+/D [1223 0 R /XYZ 56.6929 717.3918 null]
 >> endobj
 330 0 obj <<
-/D [1164 0 R /XYZ 85.0394 269.1889 null]
+/D [1223 0 R /XYZ 56.6929 594.9189 null]
 >> endobj
-1168 0 obj <<
-/D [1164 0 R /XYZ 85.0394 236.5067 null]
+1227 0 obj <<
+/D [1223 0 R /XYZ 56.6929 564.805 null]
 >> endobj
-1163 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+334 0 obj <<
+/D [1223 0 R /XYZ 56.6929 340.8686 null]
+>> endobj
+1230 0 obj <<
+/D [1223 0 R /XYZ 56.6929 316.529 null]
+>> endobj
+338 0 obj <<
+/D [1223 0 R /XYZ 56.6929 259.8095 null]
+>> endobj
+1231 0 obj <<
+/D [1223 0 R /XYZ 56.6929 229.6957 null]
+>> endobj
+342 0 obj <<
+/D [1223 0 R /XYZ 56.6929 197.042 null]
+>> endobj
+1232 0 obj <<
+/D [1223 0 R /XYZ 56.6929 169.8331 null]
+>> endobj
+1222 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1173 0 obj <<
-/Length 1372      
+1235 0 obj <<
+/Length 1102      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XKsÛ6¾ëWèH€
-#lvqA-h)”‹\‹qõô,ú½e÷$ßÏ‹JÏ‹i¹†QàúGI¶_�\j'Ûz{ÜWTįÊ«üÆU™Nˆˆ<è»Ø12>¤Ã¬K¡•geÂb)”›¤-Ý|!ec(¸%p”›}.
–FyžÝ!±¢-$˜ë[e[li£èÀªR=×ÙÛÍH¤n†èas†C‹æD°{Úo-ˆÞX%)̬ȈÐϪ6O†Ü¼ÍÍZÏGŒº#±ÐSq¦góªúÖÖzzKÓJ£tÆ¡±Qœ’nQqªü¨‰0Í»“ázD„Ô5-šÀ}ì!S%Àñ¡k;î>ͱ#S!$Uä‚6òóððe’7¤(¤˜ç èŽ.{_"jÿ)ꦮ¡IVoÔàV�þÖ�¯ÈCš2
-õ¢ë’
iŒp–?jºåÔ±53…yVçf/íö‰µ<'÷fõGUR>Œ 7ÉĤwp¶gœ]ÕÊ•GÄäÈUO|ºÎ˜A蟦² ëÎ`ŒóB
Å!t=×3Ðk6qP²&"LUQÔ•ˆ‘ŒQ2D�õeZ¦OòR!õmhû~¯�
-»œþ6
	ìA/
-¤—¥
ŽmJËÞ±:	Uñ±©ËuT‚nôŽ{(]L.VÞ™œº�*`†;«¸8Ô‚~ôS~<äç´‘2
K†Ã
KŽ× a
�EÕ˜Ú 
-éFép«¬#à4ö‘îÝ!‚]J›ÓE‹N¶¹�:3:ú$îlX7‡SP#AŽñ~L⌂”åôt’¶¨g²´P¹#ë‹ùñ#Õk–Ì”.Ï»•Q^ÞÍäÿeÕUÙ=ùHù¦j6eu„¤(wÃð9…=¡ê^QݨJ@wL…�ÇYGrÕéè�®;GÈOÉ7
-Ø÷–öIwŠò©lD3p—·ôt¥Ó¼åèn-e9ÏZ‘T3<˜	�' ΙnÕN�…òÔÀ?

+xÚ½XKs£8¾ûWpŒbyjN™¬“ÍÔNf×ë9eS.„QYHŒ${ÿ}…<x
+g+•€Zô§îOÝ­ŽlÃR?¶á{¦åcLLϲ=#LG–±Vs7#»üT�æW߮ݙ˜ÁÔ™˸�å›–ïÛÆ2º¿¸úãò¯å|1Žg]LÍ1ð¦ÖÅûۻߵ$Ð�«Ow×·7Ÿ—ãÙäbyûéN‹óëùb~w5Û÷l¥ï”G®oÿœë·›ÅåÇ�—‹ñÃòÃh¾¬}iúk[náÈ—ÑýƒeDÊí#Ëtß3žÕÀ2í pŒt4ñ\Ó›¸n%!£F×€�Ù½jžë›žïÌ:œØ
mË7ƒI03f^`N]ÇÝ3x?S˺�´k!`†AÈQ„¨Ä�蹌câ’wzüP¸­Ö¶mžçü„±bªú�ÂõÖNÔ_=V/«Bõe$áºÇnâ„0Lˆ1)53(“UO¢<ͪ¦(J,$…í�X1¾¢¬‡Õ-õ�&d8¨ÉQ˜s�麿~ËúW›þ•QNä¯
+�
+
¢ð‘ÈÑRý	A9h×JÂØ
+¡æù\¿<Wéi˜0Þœío_Z
+\†aˆ2©êq†U_2 22þyô²½ú­È’ÖfƘYÕgKKdÄËØù¦U�e+E%�÷ã²–ƒ=*—1M³ZoÿøÑ«QQeJÕºp£èæOµG×ú¶s\3(zÓW/¼èÝjt]Gá¾ïá*ÃZöó½ ¹b¡€�X55mN@§Uÿ— ÅJ£ú¾øw,�[’ªø7ìì Î9 Nm‡Ĥ%ÀkÊ8:d ¾åQº=tç•kZ¿ ï“(¬3ç”ÌÕúªN£5Çr7 ÝêôôYð§·]³ÃM�‰j»ô»ª]}Íf¡¬@Eî!!V)TMáŠàª®ýèÁƒmt¡Ã0�#˜ :¹Î»ÿ�ï-HÐÈç7[rHE\U¢³Átugã¢Æ=?y¦:ô&  <¢ëô:%²ÎÝ�Øœž·RE•3Åi¬¬H~
Ðu·äzfq!ÔqdÕ‡ñ«ï�^.å&3Óõ}§¾RrÜÆ•’kMMß	f•Q…“÷Ðòú‚êgÓÿ]Ágendstream
 endobj
-1172 0 obj <<
+1234 0 obj <<
 /Type /Page
-/Contents 1173 0 R
-/Resources 1171 0 R
+/Contents 1235 0 R
+/Resources 1233 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1145 0 R
->> endobj
-1174 0 obj <<
-/D [1172 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-334 0 obj <<
-/D [1172 0 R /XYZ 56.6929 716.8068 null]
->> endobj
-1175 0 obj <<
-/D [1172 0 R /XYZ 56.6929 691.8907 null]
->> endobj
-338 0 obj <<
-/D [1172 0 R /XYZ 56.6929 633.7645 null]
->> endobj
-1176 0 obj <<
-/D [1172 0 R /XYZ 56.6929 603.0741 null]
->> endobj
-342 0 obj <<
-/D [1172 0 R /XYZ 56.6929 569.0137 null]
+/Parent 1237 0 R
 >> endobj
-1177 0 obj <<
-/D [1172 0 R /XYZ 56.6929 541.2283 null]
+1236 0 obj <<
+/D [1234 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1171 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1233 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1180 0 obj <<
-/Length 1187      
+1240 0 obj <<
+/Length 1162      
 /Filter /FlateDecode
 >>
 stream
-xÚ½Y[s£6~÷¯à1îŒT]
Í>eSg›�n¶uݧ4ã! $L¸xvÖ³Ûÿ^a.Ç“L°è;ßùt$)Ø@ú6‡ˆ
-fX‚AŽ07Üp„ŒýîÓ߀ò#Pÿêãlôë%µ
…ILcv_ò!²ml̼›³‹ßÏÿœM¦c@8:3áp�}¼ºþ-·ˆüqñõúòêÓ?Óó±ÅÎfW_¯sótr9™N®/&c€mŽuR èpyõÇ$ÿõizþåËùt|;û<šÌªXêñbD³@¾�nn‘áé°?�¤ÂæƳn ˆ… F8bœBÎ(--ÁèïÑ_`íí¦k›~œÚ�ÛÄjPÔÄȆ‚	Ë°¸€&%t£à͘�ÝÇɳ“x2QyûGþ(Þú‹¹ãyIa[ÄIZÙ³ÆmÞú�? „ù�Âü߇²©ÕÒ”
ÆPpNêî½¥
-œ•lX©q¤d�g‹txG:�QæÞñƒ†Áˆâ¤†Ú7¢ðûn8'úD/8{öÏÕù�ÛÖRÍãdÅíýñ~?JåCâ§ëN
+xÚ½X]sâ6}çWø:#U–mMž²)I³ÓͶ,ûDƱEâÆX¬-ÈÒîþ÷
+l°
Ø&Éð€-ù�{t¯t%l ýó Å	7lnB†03¼Yºï¦ƒ³oÀö#Püêðóë5µ
¹E,c8-`996†þ¨kA{
u¯>ß]ßÞ|\öl³;¼ý|ׄ¡îõíýôéfpùéÓå °Ãp÷ê÷Ë?‡ýAÚeenï~K[xú÷è Ýôï®ú½ñðc§?ÜùRô#ºvä[g4F†¯ÝþØA�r‡ÏúAÌ91f“QÈLJ·-açKç¯`¡wcZ©F�P‹Thâ‚€‚ÒP6ãТ„nõ€…P×
Cù–HV‘zI�¤íÿeݾ‹$™Ì\å=N QiûÏ‹ô¼B³
CÎ)B߇®÷ô(Cñjˆ‹D€¥	þÌe¬ÊT×-§ñpÉù¥üsZ¯‡—1´^Ïçõ×"2J_G9PúÌ'ùËøÕ¦n7¬væ}Gþ¶ñ
+$r{Y$þ�Ú
+ææd=Júöcƒ‡m)±™†…¶IÍ
ê/iW6N¡CcáMÀ–
©MÌJýs‹ƒ<ÏÆÆ:ÿm�ÆéØ쥱Y>vQ· #œVÇV*j-%¨
MÇ4›³Ii˜š”[•4Ú	Rg2Š‚ä
G©á—Bg·ÕÑcjÆmH,Dh–2r¤úíÅz×è±NEOƒ©;=Eï#HÝè9Ø6´&£o¦í+‘Ld<‰dÝÅkg_Ü
¢Åì^Ä5ü=ˆ R"^ºái”‘™û¨Ø�’©ˆ�
+fB�
!ª¡3%ŒÀÏ¥±�¨E£„¡¼9ðÂ@D�gC猖_øzUñžDsR6÷q,EýáKözðÀ
Ó°±«DCúû@$-TËê
+ÆÎK›Bjr~ÌϺI“gà[ä7Ç�8Ä>FTIÍÕÝ›ÏÚs↉)Ré<¨Y实b;ja!,€?kÁ÷iBù
+¼¤-‚’s©ÃoUïöd|ql>tRäß6…*W­q"�±¿­Í2´MËá$�Žöî§fž¡GnŸ\}ÚP*lqÚˆ<×{¬i|�Î'm«î�)ƒë‹ßŠ_´;¬ž}¿œ_¾›z/s²»:&´puLlGÝ5HFjíŸi0ß^DRÿv2°endstream
 endobj
-1179 0 obj <<
+1239 0 obj <<
 /Type /Page
-/Contents 1180 0 R
-/Resources 1178 0 R
+/Contents 1240 0 R
+/Resources 1238 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1237 0 R
 >> endobj
-1181 0 obj <<
-/D [1179 0 R /XYZ 85.0394 794.5015 null]
+1241 0 obj <<
+/D [1239 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1178 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
+1238 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1185 0 obj <<
-/Length 1261      
+1244 0 obj <<
+/Length 1750      
 /Filter /FlateDecode
 >>
 stream
-xÚ­X[wÚ8~çWøÎY¹¾`cŸ<¥)ɦgKº”>¥9aÐÖ¶\I$!Ûýï;²ÌÅ@RÛ<i>�梑dümÃóM?tBcöMϲ=#J;–±€¾›Ž]ŽA›AhÔûIçݵ;0B3ôߘÌ÷°Ó
-Û˜Ä÷]ßtÌ XÝ«»ÑõíÍ×ñeoÐïNnïF=äxV÷úö¯¡¦nÆ—Ÿ>]Ž{È<»{õçåçÉp¬»üãýíèƒæ„úó
-èxx=GWÃÞÃäcg8Ù®e½¶åª…üèÜ?XFËþرL7<ã	–i‡¡c¤�¾çš^ßu7œ¤ó¥ó÷p¯·=i?Û2×wN0Ü3``™¾P/4}×qÞ÷�oY]œ†2&é|­ÿêͧ8Ž¹nÜçŒË-_5të¢ìo!cš¦&Jö›&˜Ö‡lÛ=ÏÙW6Åψ>Ï9JØ	úB4;[¥3ÂkÊÿÃV<ÃÉž¸¢¦"'Ñi{!bœœ�¬¬ì-
b,ñ9òsšÑ@¸¢¼�8ú~ÎìQBpF³¢™$ü'
í¿$˜ËÁ²
@e…ØG¤­`I…¤‘h‹ YÎ üªÙ¢Âž1M±Œ–Óf(ƒúáâ-@RìÆ6…ªhŹ 1^A+8ÇN¾³÷05wúº	N	’²©CUFfŽ–5…�Ò¹­¬ Χ1•ë“¡P;«Rš!Θ
5X	Rlfºµ&bÊø4cµ“1çì‘Æ'1jhÍÉ�²¾t5	¸Jâˆ#,�È!Û.¢0™CÄ/‘¤)iç
ˆƒ6 '4‘|}D¡GSˆÊRŽŠf�iaÇ ’2UÔ朥¯ä²­?±Šôj
-i“´É!Îç
-»R-†‡ì·Ï¥ƒa $S*´N=
rîKù·J˜êA7¡$“å„£Â7­wÄß…$ÔÑŽ¿hÎ8¤ó.÷$y–?9~RIU{}$Í¡ð°ðF‰F»’�XGjÙZþ…eD4ûTàï5_QÍvÚÂÕU	†wªæq|
-¥‰¯/H9—»ww†©Ï´]OO5Y’­B»Av`†a8€ÁjÌFƒc0ׇû·ë•ãÄžr®Û…¼ÐÔ*×ßEÂf*ÿ½[4$Sß~wFJ
AbMÍÖú«4LMN–´;˜0Åå`U1/ç)özMED{Æó”ÚNÕÛjSu}¿‹Õg
+xÚ­XÝs›F×_¡·Ê3�Þ
ÇÇôÉMíÔ�Æiuú�fÜœ$&(v”6ÿ{wÙƒŒSYi<–»½ýüíÞ">gðÇç¡°™yó òlÁ¸˜Ç»›o`ïÕŒ«c²†\ß/gß^ºÁ<²#ßñçËõ@Vh³0äóeònñòÇó_–7g–#Ø·Ï,á³Å÷W×?ÐJD�—o®/¯^ývs~x‹åÕ›kZ¾¹¸¼¸¹¸~yqfñPp8ï	O¸¼úù‚¨W7ç¯_Ÿßœ½_þ4»Xö¾ýåÌEGþš½{Ïæ	¸ýÓŒÙnŠù=¼0›G‘3ßÍ<áÚÂsÝn%›½�ýÚì¶G§â'ÜСLÐãƒ
+$€ªM8µZŒ�8S²½�¦®Ú#ó.O*˜‘5q–ª\×V©*«ÍÍÉ�ùdInÕŽu
+)^”óCíiõQÿSÉ{,ª£-S»Æ™"Üñ¬®DÇã"×2ÖÇ�ç�Ï*rU%l:à?H¤u¤ž×i?©ª€¹Ìªii��Z‰bŽ½B,ǵ#œŒG¦AõÁæ·—Ÿ÷ËkTÓ¯ãù¢eÂéœû0ª3�V”سjÆßj©ÕàG¯?¨?sòö†£¸¡ˆø­–et¹ƒÑT9�í´ª–[Õ4˜Ÿa|Ž"˜‘§³à±0ׇéÚ†¯纋Zá‰TSÒs“+¬¤Ü‚]àÓ[¬”9P«„¨Õžžø¡c¹Ü¦æØ�Â�4Ìx+ÊÊèi{=Q±¢Ì�fóqf°©º¾¿�øP
+ÛMSIŠ.îáJ¦À_D‹«5-ê-TŠ¢q¸ ˜¬ÚañÿŽl
+‹„S“Q±cþì”C×£’s=(AùAå´$kz’/ȽS´Òºeȶ
+‘zp=朷^EÜÄ9:ø "@ig)lÁÝGÄ®¨5Q݆ÌE£ËƬ“Su÷"˜²76•Îèãÿ ‹cð»jò‰*ƒ¦D¡kªŒî[ÒÒ6˜ s©I'ÝÐi»
+2г¦…¶sïŸ�p}׆û¨k"öT
 endobj
-1184 0 obj <<
+1243 0 obj <<
 /Type /Page
-/Contents 1185 0 R
-/Resources 1183 0 R
+/Contents 1244 0 R
+/Resources 1242 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1237 0 R
 >> endobj
-1186 0 obj <<
-/D [1184 0 R /XYZ 56.6929 794.5015 null]
+1245 0 obj <<
+/D [1243 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 346 0 obj <<
-/D [1184 0 R /XYZ 56.6929 122.4687 null]
+/D [1243 0 R /XYZ 85.0394 285.8176 null]
 >> endobj
-1187 0 obj <<
-/D [1184 0 R /XYZ 56.6929 92.1609 null]
+1246 0 obj <<
+/D [1243 0 R /XYZ 85.0394 252.9894 null]
 >> endobj
-1183 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1242 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1190 0 obj <<
-/Length 3581      
-/Filter /FlateDecode
->>
-stream
-xÚµ]sÛ6òÝ¿Âo•§‚‚¦Oiâ´î]Ó\âÎÍMÛ™£%ÊâD"‘Šãûõ·‹H�"åÜÝÜx<„ìb±Ÿ
-®p!Ÿ.~ÿ“_®aÙ?_p¦¬Ñ—�ðƒ3a­¼Ü_$Z1�( »‹ë&ŒzÝÐ)ùie˜62› TSÔ–¥
-ºP€ëb“w-­ê±Üí¨uWÐ÷Økv²Jθ†
ȤeR$Éô®z¤eŒEL‰)¦–cª<«¶><�)©™µZ�'ÝaMÐŽ"g6KÓ!ñÛ-¬]I½x¬Ëêž~
-°‡	s
-PhØ\~i‘Øš\¤2rq³!„|
-o0YU·ÔhŠU‰«)Öß
ÄpÚMìê´ir.P°vÀ	³!@[î?'¡RÅRÎ3¿<6%
-_ʱÏ
-)Ƕà<ìý!ßcà�œáÆ)‰éòX³°MR
�†~7ÅC~ÈÛ)ŽD’1¥´øŽ4¤‹ü3BT\xƒoUëbý=² eë¡›cµÂ�Ëweû
-P?bRþDm/KEÁ¿sk ËÔ†Úã
-	Îå5e¿.é\þTìv{—aZC>
-�ünç[N&г«óµ‡„)B­ãTke
B½¨ ÕÕÐäø•f©•fèø»ÚU9¨t§úýá�æ3PsÝøaó¦êÀX”mý‡·íæ>ooÜ‚“�Ež7¸ëŒÅ,™òÕ¶Xö§`ÃÓÁŒ¥ƒÓ§ƒk‚üðtP²TòlHŸÊ·Iþë"¾ä-Ý&ÕÕn°7¯k/µºíNVg¥§29|òÌiEŒ5/½˹âãþaVx–™ôÚ
i‚öPt	3‰§üV¥ƒËg3ðmC·ç/ö®
-�¸Šf4h�·ùh»×ô}¤$ZeÕ´‡+³8®(ç��ÖþÛÔDj&^Bœ4ýul·‡j½òf	\­ïfBœNe”£­nFú0::ŒÍppF_6áßùa³¸èo0±Lñ,½T)Tˆ˜AÅí„dÖ3}7±ìf\ÆSÒÍÍà´2L¢ä:´ ‹lR`€n%âÃÍI+Q)ÏYI„uÆJ–KuŠ}Óæm	æ¼jæÌ¢qj­=ÏE‡5ÁÆÀ`RËR#ä�2cbƒ1–Æ„
-ÃØÞ`b`g0
-Fƒ[Tz”&žœ�õÁ$¢0}Ù„l¶Eˆ}õh|X%yWúWá(ΰÄÉO…\Ô]ÂB,ÓòÑÚ.vªó·

-)Že}Èê㘙ŠcYo–xVÙúãK
-·*¸yN3±LËè^
-;è�Be£Ð¡RÞ“ëïçèpõT‰1»
CÞöE(©Ak´Ò}Î/Çêi:ìÀó,†;É}ê­U¼mî7eQI¨R
-s5“tŠ/ÀS1tQ$ɺçZ¹w²;+ͺ'ý#
¼l-«ÝS÷JÀ_qc�?Q�î'ð¾›NW¿§‡ù)B¸yÐYè%yb_í:¤‡AÄçÔ#žþX¢¥Ýã�.ë‹âýþX•«<¼äñ·"±ñßïê»ÜO	¢gso†!äâCß	Uƒ/óÿù=qÿØŸ‰3g™<eFÚ,0…‚Iô˜óîáñ)ëÿÍ6RÀendstream
+1249 0 obj <<
+/Length 3961      
+/Filter /FlateDecode
+>>
+stream
+xÚ½[_“Û8ŽïOÑo箋٤(ŠdíÓlÒ“ÍþÉÌ%ÞººÚÝÙVw«bKŽ%%éûô$Mɲ{î¦ê*•˜¢ �
+.q"_oþñ/~»…iÿù†3i�ºýœ	k³ÛýM®$S¹”¡gwóùæ?â€É[÷éœþre˜Êòâv)sf€ÿ¼–ÓB
+<Ó*ëIAˆ.þ6Uµ­¶@²EÝûÞÇ¡Ùà•»ºI?°‹õPïzßÕô^f¯ÀÛeÆaör¢R8ºaW¿�´àšì̽µkZçZ¿â	Õ—T(Eÿ¥zY>u]y¨—›#̺éërwæ
+Tlsu]ŽH5#Hº¢È˜ÔÊŒ%Y¡5
+‹êØG§a|Ú¸5Š‚¹¾ïuÿì[ÏõÆ7ûÓ÷N�Ô~n‡Ý–Úå
+±C„‰Žšdqô¹£Žî¹ô®NÏ„gØzªš
+Ãå–¾p€y¾¸2 ¶¼ð+¶úËÃÍ,k¦™ÈÌÉWpüÿtò3–…†¨Æž¸ÙÕ€Aˆ°EŠ°s}9‘H–+n_È2®퉪›ç²yr8ÁÁ==¿}ùB�öHìbGÓz’˜ák>
+À¥®ŽZuô.P#Í#�Uœˆ«„öbñᑺ)TÌþ
éGpÉ­ž(ȃaà�-\dü�¯ÒEÆg‚Gh|¯wžqyw`Eþa]Í€ŠÐS…	«¦àÜk¡ÆáñÒ¬~Fç¬Àš€ÿ>ðÍØ߆
+ p
+ä0lÍëðKò,xÃk»'¥<W?¨±­Ÿ0œÑÏ¡mÕYNòÔ�*¬K’Qø}Ûõ4³MÙUÝrñùlJ)Îr
C�ìŽ;Î0Ï
+šq«K›��£“Ì•°Ë0Þ2ðü-|\@‰ˆÂb{˜˜‰÷°@&vque šÔ˜7�‚½ÜáÆÕ—vð!7æ`ð0tuóä7b¨÷ÉXÈ¿•ÇÚç”ðtŠÝ!bo+ÌÆšj{1n+Y0e P\�Û)Õ帩N®òŒ:œ¯Ú_á©f˜Ëóª}ÂÝ…íÌêÅ»úuŠj¨–ªv»½³ek<"ÛPˆc×Ú÷ôáë˜-[ŠñØ‚4õŽpÞj̱EåÒnw�-«M*M™�ÑY9vŽ’
P²u˜!ŠÎTÖ 9Uäæ—àÀ¤57ι‘UA/
‰Xx‹ƒ–Ó	¼ÙµåÖ÷„!ÃzWoü®ØÁÎcý�T½^UÐz¤jcThOfC¨¬ðv_7iY�ïíñKt—­Ï6}{Œ�Þ9œÿŒ°˜J ÂâÑ` XRæ$MÜ*RN‘ºžãØ8ÆE¿ð`ByÝïRªË~©\’Pnž«%ikÊw¤FÌ1D3̧¡3òhÄ}¡)üºìË)
rȸD®˜NVæ]êÅ> ßÝA£È
Ž¯ë.¡º¢»@å`|Ø.¨NpÁ”È_a©f¸�•W°w´FìW!JwöŠóTÉKè’‰RÈ°!¬ip*Ýä»m	uuÙù'Ú0„üŠŠhÕM×ïÌbØP	’m[Ï"|4_š@*ËŒ-&y˱Ùn¼g‚TÛõ|ö’©"K’Ë$>F£pI¯ÄíÔgGûu7—("¬«Ó
Çé*CJôBÜæÒ2H¼íïN?âˆËtHg#餀arkOœƒA²Y…å‚™\Š¨°K®ì…Î_Ù�L©®¸J rûÕ¾ëËr¿zÓ]òˆÈâ«RDª1F>S–ÞŽäð!‹'>ƒO®3Á>�>“tŠ$ÌA9Ö½/ІÉaäpí¡+Ÿüw§	ûqZϬ¡_H…{0ÝœSI‰]hº.¨a(U6vŒßgÏ\‚¯ÙÔœ™_•¹RÇ@šd»`0²(pGà•¸”R]6˜Håvíëí31–�ÿÈë¬ÑëQïΠŠ1ëÕü‰	áª>¨œp59e9�ªŽ6âmzŽãw�7Uç;>¼Ç:Xê̾p8æÆ­»,ø‰]\wÊt¾îhþÒØàú÷d_y†–�œV@}pš{gô/ƒ…˜«„¥†‚&OËûB{ï‚*6Y=÷ì¢;üúÜZ.w.lz:ãiú粧Ö÷²ñ-ç:–¢�ÿ¾«Ÿšr×%¯5?eÈQ¼QNè‚UÓ¸¬Bj¶t6:œYÚ,>Ó®’ÎdÌJ2X…xÀ”LÖ
Û6³7|$òXÖæÅ}Bë	‚�ÄYt”ôø«³hœeXêÀÒ÷$bø�h­Ã	•
+H
+
+u;RªËØ©\žÖÒ¡WÊTÆâÕ¥«LÑÓ6r–[ÀëS�fñ÷w¿Þ¯ÞþJNhA’?ìסˆà&ÁƒaG¤nk»¼ÝVõ7Je¹¿BŸ6ÛØûîãgú4½²ây˸_¼Á|ÍäÑðøa1)
’X¢ã
*ȃ±òÈâ>žŽ·ÞN÷¦ô;v/ñâ”?Ç7~·/Ù9ÇSqÚùûÝ
+Ï	âQ‡oIŸøÎ9Q'¤M�s|?†`ܧ°i0
;¶§C’è7í~?4þZQŒôcïÚµëÒ	ª¿láÂê•›�	ÑûöD§£Ìå¶úVoÎÃb–3]hq•w$:g>Nø,Ó`/#]íàŒmãŸÛGúÜ%#<ø;_¨Yü]{Bª
]ÏËüe/*Ï2èx˜Vû+^‡c½/�õÎwÓ?jûs}·4ŸÞú|Ï@^f&ßðÄÌØ»
+(¼%9FG¿î”ĵÀ‘š®t˜ÚÑ)¨÷E@~<ÀC
|[g;ئL�»"¶òÄÿ
ÅO‡Ž¨l¸DŠ”?°‡ø˹«^.æ"•AP`Èu–
 endobj
-1189 0 obj <<
+1248 0 obj <<
 /Type /Page
-/Contents 1190 0 R
-/Resources 1188 0 R
+/Contents 1249 0 R
+/Resources 1247 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
-/Annots [ 1192 0 R ]
+/Parent 1237 0 R
+/Annots [ 1251 0 R ]
 >> endobj
-1192 0 obj <<
+1251 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [250.9056 118.4935 324.559 127.9031]
+/Rect [222.5592 220.8351 286.2499 230.2447]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-1191 0 obj <<
-/D [1189 0 R /XYZ 85.0394 794.5015 null]
+1250 0 obj <<
+/D [1248 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1188 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F47 879 0 R >>
+1247 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F39 885 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1196 0 obj <<
-/Length 3429      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿BÓ'y&B	 Áé“›8½ôçÎvîcÚ>Ð$dqB‘ªHÙñÝÜ¿]ì‚"%JÎÍ%3æX‹Å~¯ä,€ÿr¦c§a:KR%t õ,__³G˜ûéB2ÎÂ#-†X?Þ_|ÿ>Jf©Hã0žÝ/k#g÷ůóX„âVæo?ݼÿðÓçÛ«ËDÍï?|º¹\„:˜¿ÿðË5A?Ý^}üxu{¹�FËùÛ?]ýåþú–¦b^ãÇ7ïh$¥Ç‰Eo¯ß_ß^ß¼½¾üýþç‹ëûþ,ÃóÊ ÂƒüqñëïÁ¬€cÿ|ˆ(5zö/��iÎÖJGB«(ò#ÕÅÝÅ_û³îÓ)þ)m„UœŒD¤âpšËR$RR¢¤�ZG=—C9Åe�…\ÞfuѬ…}*s{xf*‘ĉœ
>ھǚØ?ì/ÃT$ʨ1
÷+÷–ó¶Ùm/¥™çüÞ,éiëÎ�7›èz>0⮵�xŒ~M»}²[¼aƒ®+[zn¶å:Û–×Ö~Õe³%àÝÍÝÝõ[dÜŒR�l)Eª5‰l³±Û¬+›º}s¹ˆd8owù
-  ˜g-=ïÿ|ýO‚:`}›å‰Kçp4U¼ÔÙºÌée·)²ÎŒ<Ág[>Ö–‘ÿÕÔ¶…ã)�3KÞ§ÙðÂ}córá<Å¡£ø· -bIE\C€…
àt€çÇqD®,ŒHz_+×ôö¼*Ýaá#¼!ró6+èmx‘RJ¼0	óK¿}É„øgæIÀm‘£Q0`ñp‹?v嶬�÷™8òsYUÀï.6+z^Ù!ILÀ!Ú•àÞÎ>\ʹõ¨öë*Ûµ�-à QBAìºéplw.Þàˆö«K`ñ2ÛUŒ÷”U;Þ	Ž$ƒyLŠ©D(4�;À÷p?ß“ÞòHËb#Œ€¯×ÝI¬Ô"UJ�EYûÏè^C•zn
-i¢yU¢®Z÷²±¡„_š)º‚,Ì0Êêã¼�]—]¿Òƒ]òñ"(Ì4õHZ	ƒeÍÛzZ²¢`{
-fW¤:¿¡x¡yéjm¾—*4àNPè
°}
-@»
ËæIäqno-¢EfF“?Ä'+ëÒËhVóÒÌ-8nÝ|º¹Föœ³
-nÓÉS‰XFòä|<]ásÙ­üý²Lm†âf¿æÕ®àûF�½Ï�Ä©[ð¦é¥m¼ñ¢3¸•{�ÊÙž
Þ”U/{±²â‘Åö·0Tï®ñïžð—Ë4œÿí`ðóþ=0�8ôñóÝõç�õ’zàá<Q TÊ�‡
-îñ]a¿û�Áê©wm®!øÜ­ýë~`›0ÞšH¤É)…SFb
-ðŠ]b�V¸·,Ê6{¨ì"«›-Èͺ=R7
-ú<
=Ö#uÃ@EI3¦âQ
·s�ÆÑÐÒÓG×nr@°›s.ŸNH
-•]v4Äk¨ùËçØaæiæ.)äû<D*%‚Ðèƒ@‘ñY�¯ˆ§	+7q—Y»ÙX*$”\ï¯6¦íqíã{äŒPÞ‘û¥±±ÀœÚykyv·nƒ’1RÉÂT²Tä õ£{&ÉefÚ	¹
-
0ÜËì+TÇýºí	±M\dÒ–ë²Ê¶.dÃå›ÕxÎxÆwšOEc)„›�æÞl{\=ñ,Ò8p!_ûtÐÇîÞŠïåç¤!�$ÒAôJx>Ä:mÈ{¬�R­QìàÝöØšëThXæ<=Ö#k+¡“D�	¹C«±D�
-“ùª´[òš9€-
r­	A$— ÇÃ�L“›Éx	Š`îhÞ‡^J¨¤†ïd&
-ÆõWç0#¨§¶/´qîò
-¹ûèXÍSûV³!”ë†@[s)Û+›!ÑÐÜet·j×
…!o´Ù—vÜ8@¸Š�¤�¨¤€‡�áXÙÒÃD{P^ž§/¿y3á*Êvd­¿s„ŸnSHAP%¯ˆÂ
+1255 0 obj <<
+/Length 3390      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]s£Fòݿ•—ÈUa`€¡ò䬽9'YûÎÖ^.•ä
K#‹ZŠ@v|W÷߯¿�„äMÝn•fšéžþî©ó
+HS¯dÄg �;[èkØŽ
‚—¸àÊúO¢°¿…¡¾ºÆ¿ïd†?]dáäŸ{“Ÿð¯;Í|·ðñÓÃõ§�8êtô›º¯\pžHùÊ:³
+s%òÖÊêvÝG�€y	P!ÊTˆVÌ@ÝrfÍfÚ•RÒ?Eé>Nw:ûÕI·osDmSJEšbU”ù†r4ܾÞ3�—\VÜ÷Çù4¯-çl#ÚܹjG
+¸
—v>ŠÕ|ŽÊb²ç9Ù>qÄ9*ŽòÙÌ®[WÍ‹Ý4ü‚V‰O؉@“]ª�Ó»ãû\M�’ÆX…²ª#^pŒxq¬8vŽÇ=ÇJüAt�DC�ÁÚu¦97*ª'|‹&r“0
åSO�踀pdç0ùè‰]”b¥Zq�pƒT
»
+l�aîâ ªù®®KëjÍ;)´Ž¸ªHC© Þ¨dz@Ç•"ÝضK¯úSÄtЗÒ~šÀùOá»R™Ÿj¨)ûØG�à¢ø¯™z*±–(0.MØÏW!
Ô©K?//Çö5~œ(òèq—®•ÝdL�‘Õ’�ÝþëêîãåÍm?Üq¯©í³K	]¤—¨‰)öæÙn:l’ã(?LM:´eö¿&CÕÛ‚-¿ÊˆK§I%©¤Cú[°¾ëo#ö¸®À§&N¾ÜK}ë¸M±�¸gÎ�Ù2¯ž,£\p¶¿âi/ÃÈ¡‰t'³Ék½•=v-Ãb89,ÜèÛyÌŸôN{Ñ£.ç]Þàš0‹öE¶“þcÁ:0—Ê°²ûIÄ.ÓØ5
G¸†
wÓU¥§ÔÕÌÑ\òY?Uú�J²uÜÄ;(rt�þb¯WWžý³h«I(ÝÃ8;MC5BÄð¼ÔÔ‡TL—.g㎒ÔÛT
+Ä
+dì$PÈÒîÂ0jwÍC[IçVgK;ûÌ
+oÑH¶vUsëWA�‘vÈ+×Ë+Zj(FÄ <QáP¥ä
+réc7{Ý„þyºV›sÔ7¶ kµÿÞ×ú1°ï
}èA�ÐEqÌ®°}R4m1;l[A]Ÿe‰>�¾ƒÁ?ôúÀÈ4M‡üŒ—Bà­��Ŭ°=,”jG½;±sÆL1Hþ�9ÛS°øø:âþÃÀø)yàÉv#	
+ºâ yA—EÐ$ëFNýÑ€Z¢¼à®;p®á)LGðÝ•8ýèàí
+9W÷±Àn >XH•„ÙøÆmÍÓÈkŒ9sKŠF>6JüX§{ Bñ¢8FMüŒ)“	�
+â,vCh@µCœLãöiÙò‚ûaø"Ý]üR¤§¢³§ú`vy	}A!
+GÂJpS`ä ‰^¸DÍ+Ül^ÐöxˆÌªÚ±n�˜
+"RT9‰½20EÅ<™»4C÷‰NÍ'篫àØH‡FIÛmø&ñ-ÄF
+‡Ò§ö°‘„
+âC`D~ÎÄÔÀ…Ç*oZ*Mø¡Uæªíþ]k\‹�gù.>WÝv¾½›Þ|ø…Çl‚lm#0äÖí³CSæÏb©{þ	[�bFÜcôtž;CÿµÅò0JЋ§'¢69à@¸�P,-Фq\mW�”rvÞŽ|eÿk¢Œ‡HÊ=}ÂÙA‚×
_:z
+f‹ü¼Æ]fvåM§2‚¬_²÷¹Õ«³ÜÎ�꺒©—VUÿ×3.yt�­¡�êjbç
YäM¿@Þ€½,Ò	|�¥ÒoA8Ǭ†Í5 �³˜º,];šÚ«LùQÚ¥�UÝ"F¬$ðU’¼é+¢8uU:1ïè~*ÖÇ3Y×n‹}üýÙH>t•ÿûgn»ß
 endobj
-1195 0 obj <<
+1254 0 obj <<
 /Type /Page
-/Contents 1196 0 R
-/Resources 1194 0 R
+/Contents 1255 0 R
+/Resources 1253 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1237 0 R
 >> endobj
-1197 0 obj <<
-/D [1195 0 R /XYZ 56.6929 794.5015 null]
+1256 0 obj <<
+/D [1254 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 350 0 obj <<
-/D [1195 0 R /XYZ 56.6929 293.8263 null]
+/D [1254 0 R /XYZ 85.0394 396.2024 null]
 >> endobj
-1005 0 obj <<
-/D [1195 0 R /XYZ 56.6929 268.1652 null]
+1060 0 obj <<
+/D [1254 0 R /XYZ 85.0394 369.4308 null]
 >> endobj
-1194 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R >>
+1253 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1200 0 obj <<
-/Length 3311      
+1259 0 obj <<
+/Length 3376      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sã¶ñÝ¿Âo•gŽñE�—‹}u¦çkg:i’Z¢,6©ˆ”}î¯ï.vA‘%]Ó›é�Çøvû
ˆËþÄ¥5q¢œ¾ÌœŽM"Ìåtu‘\>Á»÷‚q¢€õ±¾}¸øæFe—.v©L/æ½¹lœX+.f¿LÞýõíß®ï¯"i’I_E&M&ßÞÞ}G#Žï>ÞÝܾÿéþíU¦'·ïhøþúæúþúîÝõU$¬ð½äŽ|psû·k‚Þß¿ýðáíýÕoß_\?t¼ôù‰BFþ¸øå·ärl‘ÄÊYsù?’X8'/WÚ¨Øh¥ÂÈòâÇ‹º	{oý§cò3ÊÆÆÊlD€Rõ(€uz™§
-^¡
-þ]W•
=sz¬ò¦-6;¤7W‘?¬ö¦hŠÍsÀ|)—Ë0Zͪ·í`æ»�·7?¼¹vRü±-ÆikÆ
óì–YæÏEƒ[
-ㆩߟû*ÒºG) ï˜‹Á°颎©(M¸ÉLI,¥�eó¤	äŸN‘7›AÚäHoUÏ|Ò¦ÍiI«D(R¤5é–ÈTv€µsiý}
�+	¾ÏÁÿ&”¿�tü
¦'¦'g1&gã$dð6eo:b
-_ìÞûo¦ù¶ñkpë-ëõê,7–ì$oÛbµnûÝ&K+r¯)Íb«ÜP'ˆé,LM½õÀt0:­ý»
-æúX^ÕЗY9TŒ¼zå°ÉØýŽMÙÍþ¡—À�F�ôü±K*”îêæ{²ï„�S§Å.Ë)Ê™…3
W%6Ö:;ã”ûX't,`ù]\,gÑtYU{�ôAˆŒ&'	è°F(0EdWbHŸÁeiç™~Éy°¼“
-\kRë{Î8¾Z/‹íûÝ8À_’A#„Ñ['|œàQÂœOUÝù	x„E^÷?wxHhíäáÊ�j’îi¨â¦åÝ£¾û®1ê
lyV³‚Û¬E—¨Ñop|#Ê&Q.]š6²9{*e¸UB÷*ìóÇ	aNLh9iÖÅÔŸHn_êÐ^盼åaÚ—QëÐØ}Aóm»ˆªO³z•—c
ÁU@‚½w 2N¶Lb-;»;u béf>• Y¦SbLXP!u²:Ö"ÓÚ„^r	ñ­ÈgG�RBÁ�juÆñ÷±Že‡å÷½nÚ¨i!OkÚrzh”ÌȦú4
ÖC£„­H³lH‚Ï€ŒèEGŸ
-Ra€(ýå
->“iîO-ñÓgJ~
Df‡%‘ØAcˆá©BN°?Lȧ|Di'Rd{g&e»`oŠ¥�ËðÕAp|·EgXÐ�ÞíÖ‰ÝXH)ÚJÿQù‰ÚÑcÞæÈ`ê.Õ§ÉH‡dèlàdÈf�Ž�Zé]†0�©]3’ÑÚØd‰ëbX¤¤˜Ü¶ô½÷ãpž‹SòÔAêPfÑtWACT†ý]•º5¦œ ú‘Ó£ÝäU*
-H¨0™æl~­k¨ôÁ¢xöÛùØ•‰×zÒÔ ÅáŠ_ñ-ŒmûTïúü
’£–y'mÛfô,=u18”ÐXoðúJAj;r.ySÿ|÷hò#Î%?Xf9—œñ³}¬ã–×ayË+«r•/£
W‡ž6
-!(Ÿ&¡Ã¡aˆÓØb>8 âv>"<9§M?#¬Û^X7Y¸øaL¨Ó
-̦i¬2e‡$ðŽ¹^?`Š.
±
-†J~Å® K(^×�¡xÒƒ³_�Åù‹3~褘N„ùîîí‡k2¨’´Äjª¯c‡'Q'å乬©«GÃ^£d¸ËÔt”x[ì,ç9¼
t)¼¯ÃT/ù`¡|ù’¿6aŽMIe¾)ªyÍ=¥foÕKÉ>/v²í2ÇǺ]Ó±p­a(¸e‡Ú5mf¯ ÙrÊÑj�—ÏšøØÍ[eb¼.;¢EÉåٮϽ•»»²%¢²öȽ•@�.D¡8tvpÖ®ï’þ§ÿÛendstream
+xÚÍ]sÛ6òÝ¿Bo•gB” ><¦©“sçâ\wnz½>Ðeñ*‘ªHÙñýúÛÅ)Rt.—™Ëx<Z`w±ß$ŸÅðÇgJ3m;K­d*æj¶Ø^ij˜{wÁ=N�¢.Öwß¿éÌ2«=»[uö2,6†Ïî–¿Í5KØ%ìÏß|¸y{ýî—Û×—©œß]¸¹ŒÏß^ÿõŠ w·¯ß¿}{q£øüÍ_^ÿíîê–¦´ßã‡ë›iÄÒÏ™Mo¯Þ^Ý^ݼ¹ºüý«»–—.¿<ÈÈŸ¿ýÏ–ÀöO1Ö¨Ù<ÄŒ[›Ì¶R	¦¤adsññâçvÃά[:*?³DèdD€‰èÐp¦¬U³TY¦L¡
+CñAF—*™¶‘ÊËç(2¿lTT"¾aQqÒ
+ÒËét¡/­½š’V‡ŽoØ,cͬ� 4--(	TÊÅ!ÿEåš0Ãß®n)«X™ð´´T”šë—2½3ÒúŸÕ%ã–,N¥|AX�%jÍ»‰ó—‹l»Ô|-™‹èÿG.Äm
+UVfÌhaºµü ¦Olâv·¢ Þñ„O×ôJà=¦8|S59%"Íú˜’S�nxšžãXÑ&¡~q¶B¤U¾h°¾Ã‘ûç±zj!¨wÃuû¤k¨(€4
EÝ wUœ¥œëyÆ…<×ô ¤¨‹5ÔÚÐ�i±\ û#�
+¬-9��¶DˆéÃ[¬‘Ó{¹ÇLOêþñ×X¶CÚã»MFÎ
VÂu9ÑÃ\µóå=Ìæ%Kš¨‹ía“5tWFù–	`U÷uµÉÝÅÃð�7	 .Fó¼ó³×?ÿru{	‰ë¯—œs¸�=jn}),XŸTFeN�¬XªP­tösÏ�Ȫ<{¹Rƒ
i1}·¤óW�ÜÍæÍb=lùðb¦H§n‘†'÷®5N™Ž;LàÑwtwÚï6aÌ߈�
+À°9@f´O
õ¥4mÝØáò€øLÆþY(ìº5‹ìP;Ý�3|{-íôãŒo™yÖ4ùv×t;J†Nôý$�2#l¿9@´$Öø¨®XôF•ûÅJ‹†~—ŲüÎÃkê-ä›j
+ܳðB¸®OK3­f]¬ójÖb¹F\\l–ÑbSäe3Høx"@¸œ& Å¡ Çl‚¹<ä©=ȪEª[çŒðSæЪ¼”פƵ–q|»Ûä[ ÚµµqÀ¯$›FC·Œý[‡ö|(«ÖUˆTQK¼·Ö‚ªhcæw—ô’O¦,æ‚Ÿ(õÖ�ÍO`[³\澕š·9=ƒãÑ4�Ž”m†6r3'ú¥
8}�z<Ñ¢¯S™8™×»|�5zŸäæ©
+�ß]¶Ï?L—2j;¬<(ovhÖQùiYm³bÌ@98‹í‰ÝŽ“�ÄL&"°ÖöwûÇ[ˆ¥i0Ìýj‘ˆØD˜Hñ1aa¦.'MQ‚øUèßòlyÞ"cY£á/XdkÂ"–»÷ªn¢º�­nŠÅÐ"Ñ©`'d’€k„‚¾E‚å‚{ë“à2 Å;ÑÑ%ÁŠ‡$ J|}€ü#ÏwÞçrŠêðÛáÁ!­Ü›I\úHi/€Èl¿òoV\,†ã·
+9Àî…A¶ ‹
+Úþ…Ú¾z„Œšwäí¤MÝ·¸_žû$<&_6m{¬	ÛXÎöŠ²Øf›hïkŽ¡¯•‚)
Ió$	-Ö
ýø†"Ó´OÄõjDxRN£?#°›N`Wiø¼C©P©
ô
+Ù
äˆ=ü}ÙN'`ŠV‡HC…ŸòŽ C(NÓá1Ûl\AúñÙ¯ÃòùŒüÐIQ­óÍÍë÷Wd* 2	Õm_Ææ–¢.Iæ�EEý<vú”„ïµ`€Ú�	~V–ù=œ´)Ì‚Ïñ”OYï ló”=×a�}A5Îäåªò=¥úäÔ#Kñ)/f~h3ÇûªY÷Ó±m‰·oÁ@µ�´¨mÓfù’->Víð³ú¼Çœ�/}¡QÝÅšPã€ÕÏÙ=ÖHȨŒ™>6 �ÛK¬°À‰yÿØÑx�ªÔNŒ„3Å•é¼ì§^Žný
+:8ìʘ”tF¨ÎW[º÷u̴ΧjÈ+"¿ìh€Ò„è<eÛ0ƒƒEØî@ñ€¼/µ¸-S‰<Iã\Î&b1_¬³Ò}B>#×0i›O´”(G®áEsû‡
·]—УþˆK9݉úºšH˜dü”(ºéKÑÎÖÃ×J
iš€Á^>ë–ÚP¤@:Wwâ"Nù«Š)ßÆéfÝNá½Ôô°�Ú͵G
+É—fèsýÇÎCÒÿù§3†endstream
 endobj
-1199 0 obj <<
+1258 0 obj <<
 /Type /Page
-/Contents 1200 0 R
-/Resources 1198 0 R
+/Contents 1259 0 R
+/Resources 1257 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
+/Parent 1237 0 R
+/Annots [ 1263 0 R ]
 >> endobj
-1201 0 obj <<
-/D [1199 0 R /XYZ 85.0394 794.5015 null]
+1263 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [154.2681 85.4256 203.5396 97.4853]
+/Subtype /Link
+/A << /S /GoTo /D (notify) >>
 >> endobj
-1202 0 obj <<
-/D [1199 0 R /XYZ 85.0394 625.316 null]
+1260 0 obj <<
+/D [1258 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1203 0 obj <<
-/D [1199 0 R /XYZ 85.0394 613.3608 null]
+1261 0 obj <<
+/D [1258 0 R /XYZ 56.6929 679.1143 null]
 >> endobj
-1198 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R >>
+1262 0 obj <<
+/D [1258 0 R /XYZ 56.6929 667.1591 null]
+>> endobj
+1257 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F48 940 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1206 0 obj <<
-/Length 3763      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo•g"Ÿ$0÷”&NÏ7çÎqçzÓö�¦(‹ŠTE*®ï×ß. H‘’Üi'3&,v‹Å~
á3ÿøLÇQl…�%VEšq=Ë6Wlöc?\q³@‹>Ô÷Wo?Êdf#‹xö°êá23†Ï–?ÏãHD×€�Íß¾ûxûÃ�÷ï®5¸ý|w½šÍ?Þþó†Z?Ü¿ûôéÝýõ‚Íçïÿþî_7÷4{ßßÞ} KŸHïo>ÞÜßܽ¿¹þõáW7ÝZúëåLâB~»úùW6[²ÿqÅ"i�ž=ÃqkÅls¥´Œ´’2ô”W_®þÝ!ì�º©SòSÚDZ¨x¶�*2@ZÊ<J8 DÛ(–BvR|JÊ

-¥\Õm±z9^¬Q‘Œ�™õŽÈ 	²²GÖØHÂÖÉÞ®�äÛ�Êô 9‹„N,`G�—¼!˜
6Á#͵ñ0¿0ÍÚu~½�°ÅË|•îËúøè1ÉüÃÝhh;¿ûüpûñ¿¶É›&}än$Ý]s3÷š¼j©õ¼Î+@ÿ«+Dô`¤Éwßòu
ݾ]×»¢MÛâ[ŽìÃÎYÜB9[pY­…c|UãD&çÙ:­€d˜k@™o×:±R³D%Qœ$¥Lƒ»§5î{»ÒÁ/úÆÛ2Æ‹|}ɳ¶¨+â
ý˜Á)mùH3:¨<Œ±!pbUlæNÎÀFoØèmù
ƒV[Óp»î†pwúQM›/	¢ð«ë qk¿óØ�Â@Éj÷]6´“\°È*i†[‰:˜ÿžå[äD*�›ˆî¨Ýé
-´‹%p]ü˜p,aOu4õËçwÔøt÷îÓ
5Ý„rÔ[ëyZùùnñðM«—>¹†~t‹?¢D‡«o!XXmDZ6õâ` Ž6­ŽÒÚŸÄz‹z‘ ÂØãì¥8}ämd’$ñ8H`‹º*§èÅ:J´TE ­3_N0¸VÑ×Áç‘ëöz}tð «ÛèD
hÐQuÂ2¡Ñ7`õ‰xþû¶,²¢�àÙ–ü
.o¢ã—㆒íà	ÚÌá¶t›‹þ*°‚3ñwØllzšØf.ˆ2	¢<¿ÍÊ‚QVÁàFh§Ø	!)ØuðUÌ;–	dáÜtÒA6
ÒRÂß�”ðJÉk—`1ø;1Ô®‡I…†®:–N¬Qr
-jàjùR
@Z5ÏŽæý26hiœs4„Â:oáË"Niaè ËLy¡…è{º•B{Y;­…a8{~BI¨Óå�|­êç#®<«�Ç EårNžéØ�{9
-ã¹õÇ
~§ýî˜�t
-CIÏßz¢�Î…b£iI
K{D½iã¿

	ÁÀ±ˆ$z\á*§¬ð«Þæ»´%³" êjöà$'ÎAêã‹�ºXc¹ôºî˺þºß6>Þù’û0Ä…
SÎ=Ž¬AWy›­Oå~ÊÅ+)liúîú¤ÒÂFLšø¼êC�vA”;#«LHfíË6åxŽ$ã±<O¾ƒš ?8ß�±[›ÄC¾„Ó!Yâ¼kÕf$†¸2¾à¡0336ÈŸ,"tQA ’“vv¹t_/—Ô¢0e€njZÖ�éç¢]'>k°áÜ�<ÆW‰�¨¸à7¢š
©™³èAûÈäjÖ3¹š�0¹Ú‚VXþú |¤|`MµµôT�e¶¯ªtIã
-wfºÒç/�›Åú4.šÇ
- �3ùÆL‰$Ò‰[Ëì·øe­$˜^Û­ô 
×ñöv#fjXϬ¿$�wÑCìV‹Á9’�
-*9SREÕ‘þÜ9‡•˜ù˵€dÐÿ(6ÛÒådã�Kð뫠в£}W1dzÆšY_²n³$ìBl!m^jœN• 芌ÁS$À*$üBtŽÈ8
-ð¬iì P¢`/År±­ërd„
6¨�vlÔ˜ºJÇ6: ÿ@Éœï.Ù¡³N}�M]æí”[
$JÇGyú¨ê�–ÏéKȯ˲Π{ó?CØÍÛ¾¯@àú hNº,ˆ÷À½Iya_zPgö%@…„y�Ùf
qDÖŒö<€‰AÎ2ÐAMp0tZ:2p֜Ȟb8™4{ŠC’¢{™Žî25Ï겤Aª]¤>³Ò×'?šJY„“ûª¤�Ñ„‚àqa$ôaàŒâò‰ŠsWh6
8�
-…á”>oጅ¯�CÏcÚ¾äúøâë°Huõr¢¡d,zE‘þ;“>Ü€‘<¸¹~Iw¢d"ýø…ÂÕ®l×5°ØêÊÑ�pJËGb„K•)0åJh5Œ7]ÕC'ó4êçâ“Å9F C2S-3š�D§´KÉHY¡ú%5
-D8ÏëP\î7[ê9m|«¦1RGè@ý(sê<Ôò úT9I0p·ŒÛžüH@�o"¯ë¾½’]œwqöT`"ñH%æÂEH)ôá'®§Ž±®Aè
-Q€}Ž¸_ÍÈHÄàÞúÆ6'@]`dŒm2<6TX%§î
;CÛ‡:mh;¨Î
þ–ÿ¸:Åñ™ó„ИðÀ÷ÙËœ|H˜\ŸLu>lw}§]Ÿ‘ä}×ÛÄUf¤aó—zOªÜjª7âwY4é#*;þ¸ýéãýp8¥Ï6Ý�&ïËtGÁ
-ð¹Ï ৻OHÂm ^ä)ÎÝE![ûk@ŽGD³£dQA°IʾÓçÌhˆ�ü:·»ú[±<ìÕñùJ°þ§�jÚ.˜¤¯
-̆èöä…“À}ø‰Û½c¬Ó'kt¬ÀüEqÌõ€�‘¦uP¸cëÅG£¼~ÀGŽC±W‹¥ƒ¿ÄÑïH0*’£ðœë¼ú©tPxc;olå�¢œ·5 3¦ÆMið°
‘��C}Žt4¦=LxAcHûÄ»­oÙu“íŠÞA©WGÐ&êÂø¦<ð>àu•ç^
-)¶»<måDi³h¶i6~Î#,„>–Ÿg£ƒšàc tREZ0=dÄ×?¸}h?§¾Óß“*FA=ôø2
´}\Z
-’w/*à×S^á}	邯$@wê¿wôuKƒï‡Ï_¨±q—;thæ·<¨P<·oèûXc�[žKh�ÚžPéñ•û_M=J€È8½ýËY†õ¼õKЧØHt$“.‰}­WÒ׿hNm–µ>Jªü¹,ªÉ3ƒJ_†ÏÓòå›p»°<rJSµÆ⩪ýÍøi[Ê�qÃ.\Põ¡ÎØÒ
+1266 0 obj <<
+/Length 3662      
+/Filter /FlateDecode
+>>
+stream
+xÚ­ksÛ6ò»…¾=2x’àܧ4qrî\œ;Ç�éMÛ4EÙœP¢"RQ}¿þv±
+exý^™d™$‰
;B¬³¦-va½©^t€4ÖQ¢¥r°¯®C)Ó`S·å¯Œ‰¢�g!‚lwÍMPà,"»Ü›–ÖVõŽ–ˆ-þ·Þ
nˆPólrÔ²ažxñû¶*ó²�áR%‘,ù\zÞDÇ/ÚQ/BÉT ¨žó(ÕZX¬M±ûVì²Ï~ŠÏU	r-i¾oÊÍ“c’÷Å‘t™hÇeV5uˆ<®æô®ÒHhå%-IÎNhIE‰ê 7õ2ƒÕƒl¤�jÂçNMø€jŠH+‚ÅQÂ(%�d¬,ª‡çbFPÁ¢XpÕqtBDÉ
Œy®êm[Ö�3�ÁJ^h‚:¢ÙcAc³-rbw‰:(Ý7í,+ìW$ÜëMn†¡#-¥ç¤i³¶Xƒà (%EGáð\æÏ4ͳÆñS¶4Ö`»rimí$7¡P2b*Y‰Žê7éiuÅ	ìó˜E0%âඥ�õ¾ZÒ”ÌZcUg1yÑ4Ùî…Ûš^·ûÝÆ}²Â�_¹×Ï¥ãÈï—îméæÙ¾±vïš*ûV4rk4Äô@Ú|—5ÏÑij²ˆipúq2òD$q@aŠ!Ÿ‰$ÔÑö›:Sç°/\3sž|5CpÜ”‰8ú�
³‡×€zRox/ ½ã¡;׶ÄMc¥¡Iþ\ä_pšZ›£—Ùº8z+X@Ʊƒ¸ûLãý}S´ôuö”•›¦
~þô†&ïÞ|¼‰Ü×õn�U.@1D!†›œ
$øÖ»O·ïÿCó5ßSAÖ¶`$9ºX!„$»„â
&ÄL,4ý•iÖ­º¿ýp{Kœž3‡¼l‡Äšýv[“¹"þšèå5PæAf•„ôéè‚ÂCï7­ý€R
@ÆxLìHÊ$ØWm¹†IË.ÄAb�^›éàs½.
+µ+òý®AG;öM²tgIwP3´¾I
+Èm؈ø‰,QŸõM�(¥R˜^ÞÅ„³�TX³NyðÎjž¿î|`J9,4mCP´âtà0ÁÞlžv).£Od5H©…p¸miÙ,.ÝH†�/<’C½ûBÎKcVž˜¡}yæJš 4LZ&A¼æ`9À5ò“ʉÆ9ÇC/R›ÐÚ±�=Ûðêná�”Æäe')Ì—µµvxí?|PêlùBo¾lêÈ+Ǫs4\”<�]›Ó£0Ž[—ÀsÖ_^A†“

+B=¨3AÈCÙ3²Ê…d&l_¶Ÿ&É
+?‘œ'ßAÍÐœop½R�èö‡C²ÄU vVÏ8‘êÞ˜éK¹sjR¯~òsˆÐ–-žJAÆéíÈ´#e#8Æ£óçµ—
}šUµgúP¶ÏÄ	åh6ü–üqÄU’O™í—ئxÓýæ­Ìúso|>s9:\Ìkf®N¡vï
+�3MÑ9Üñî»î’ÉÐéwô¾¤±­<3ßû‚ã—ð(f±>�‹¾c€ËMýCT¡ç.”&Žt"Ò¾ÑušE!u•,”RðAJ'ÿ®§+NÝ´HËîä~ºc<ÀÜLTH¥Ðf¡‹wÄ_~TšJ‚êÍ­´G-Ø…×·k±xWƒL‹¾XsØGmåŠÅ`ADÃ�ƒ$2�Ú‘XµKÅ_®
+÷P®·•í£ßµUa–Nv_¥Ø‹å¢¯ß?·eÒ
+õ	>#,—ᶮ«‰	ÈÐÊtÑG;õ�jJû

äÁbä¨#g¼ëÈÐy§µÇ¦®Šv.²€Ò”ŽÍ°—8i¢gÕ!{iºZªÎ¡ds�>q‡éí;·ÖË!ðP5'£–„íÑüRk§uf_<”ïê…؃ò®Ì›iÜJ#ÁŒ8Ï@5ÃÁ0naS:ÕCNP1ò;²Ü~ãšùê>Õ½bGwÅŽ‚Š½ª(
B/¶Ív`Áey)&…4ºúGSÃ�p`ÿd¿©(­A4¾­šÛÆŽ]Ã2ÀúÄåj³à@'Žæ {²½[,�h€œ¿mÇÕ®<f
Ås˜¾Ðh©®^N´ËÁ§A}*z­Ûþ&[³�Ò~#¹�u¥ãk¾#+Lðía…,÷^±á„ý×8ÅPÜ81Ç,bšKýsðœJh9Œô¶9«“ ˱9K͉øäœÞ\v›eN_#Ñ9óR2R©PýÆ¿ñ}lüÎP\î×[ZE­Ý¬¦w®E’h UA‹Ç^Jâz)§ºÞb’`¼¯?RPèðÍÔa�6Ǻï±d—lÇ]²=—žˆTF±²~•^íž\�½ÿ0“.ôÀO_¨y ÊPó£ï…
� MxÁˆ§”è33õ7èc\³É™÷ž"` Æœw±}¨Ó.¶ƒêBßïàó'©„Üjì³”;¨)éa܃“f’4Ò¦¸'“ãMλµÓq/$<îÝ¡Åib3Ò0j^"‚Ma¯’ºÁqY6Ù#Ú9>Üþüþ~ø:£a›íÀˆ÷U¶#„à
+
?ÝÝþìØ}�Rm=wåánÑRt?û‚§§bƒw&d®“
+ƒq“‰³ìu@Sþ†EŒ€ú
kŸAß
+JÕñw}Òví6äk¼ƒJÝE?¾y,ž³o¥­Sû«
 endobj
-1205 0 obj <<
+1265 0 obj <<
 /Type /Page
-/Contents 1206 0 R
-/Resources 1204 0 R
+/Contents 1266 0 R
+/Resources 1264 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1182 0 R
-/Annots [ 1208 0 R 1209 0 R 1210 0 R 1211 0 R 1212 0 R 1213 0 R ]
->> endobj
-1208 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [154.2681 743.8714 203.5396 755.9311]
-/Subtype /Link
-/A << /S /GoTo /D (notify) >>
+/Parent 1273 0 R
+/Annots [ 1268 0 R 1269 0 R 1270 0 R 1271 0 R 1272 0 R ]
 >> endobj
-1209 0 obj <<
+1268 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [80.6033 320.3921 154.2566 329.6075]
+/Rect [108.9497 292.4924 172.6404 301.7078]
 /Subtype /Link
 /A << /S /GoTo /D (statsfile) >>
 >> endobj
-1210 0 obj <<
+1269 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [265.4578 275.0376 326.6578 287.0973]
+/Rect [293.8042 246.568 355.0043 258.6276]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1211 0 obj <<
+1270 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5441 275.0376 416.2908 287.0973]
+/Rect [395.8905 246.568 444.6373 258.6276]
 /Subtype /Link
 /A << /S /GoTo /D (incremental_zone_transfers) >>
 >> endobj
-1212 0 obj <<
+1271 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [280.9692 244.2883 342.1692 256.348]
+/Rect [309.3157 215.2488 370.5157 227.3084]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1213 0 obj <<
+1272 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [277.6219 213.539 338.8219 225.5987]
+/Rect [305.9683 183.9296 367.1684 195.9892]
 /Subtype /Link
 /A << /S /GoTo /D (server_statement_definition_and_usage) >>
 >> endobj
-1207 0 obj <<
-/D [1205 0 R /XYZ 56.6929 794.5015 null]
+1267 0 obj <<
+/D [1265 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1204 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F62 995 0 R /F47 879 0 R /F14 685 0 R >>
-/XObject << /Im2 984 0 R >>
+1264 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F48 940 0 R /F21 702 0 R /F62 1050 0 R /F39 885 0 R /F14 729 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1217 0 obj <<
-/Length 3807      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]sÛ6òÝ¿ÂoGÏT<àøè¦N/�6Í%ÎôfÚ>ÐeñB‘ªHÚq}÷ )ÑÎåj?X,€Åb¿!uÁ¿º´I™<¾Ìò8L"•\®÷Ñå=Œ}¡gå�VS¬oo/þùÚd—y˜§:½¼ÝNÖ²ad­º¼Ýü¼ú×õ»Û›÷W+�DA^­’4
-¾}óö;†äüyõóÛ×o¾ÿøþú*‹ƒÛ7?¿eðû›×7ïoÞ¾º¹Z)›(˜¯e…g&¼~óã
·¾ýÓO×ï¯~¿ýáâæÖŸez^<È¿þ]nàØ?\D¡Émrù�(Ty®/÷qbÂ$6ÆAê‹ÿöNFiêÿcÃÄêl��ÚL¨"hÇée–äaj`ø[éº.7p¬<ª¿6ºª¹gЦèn�WÊížám¿+�<Pý®=V}ÑW%�þÙ6e'£�,>�o˜Îàu±Þ•À÷8I‚7
úv/£]Õ°nÛtnZÕ	­rX°R*Ì“DÓy†fSvÕ±¸«Ëo®V&2A7¬w8CÍ4Áã®lBg
-ï·”þÝ#M¼ÂKîÝp•(�ű¯Ê.Ťip]w-Cƒ*mµaÑHÝÂô®,h:1ú[8îì(¬¬rwV#µ^jQc_9!ƒ‘ǪXw(‰<
-m×U .?ʦ“!ºª32tðÇPáÜK×з¬ø|Q][Ó¥
-lœ­ØHÞuz±E(ˆ
♞¸YtŸ:nmÛ+Èì¢áïOÿá¯Hvë×Úº­vm×#)`›ó‰iÑÆ„™Í3 )Û¶m(D…kPxš0³ELPj¾PN‚‹»7pßsZ�öÁá‰	X�1ÁRÆó+ûMëx�Ö8Ì­2²3:�¢@EüÝUíIoÊ~�teÙ4—p¢_M{ÜuMÜŽÜ!èJEj:ÌO%Àߢ$º–	|¾(¸†?€+î‰V�²^G¡Î”P3£_˜“¤!˜|=gÎòÙ`­(5V]T10|O dSáûXÖ5²A+@}jÚÇF`å™\€‚«îÑN(2¨O²Œ7ÃÐiÚž•Ÿ##S¡"
-ÚLÅ^…PÞeõ©lx(×ÕöIÄuah:ãx,×ñó"‹›&6ÌàÞçzÈ나�[ò­ÌÙ„
Õ}Óz
d>ˆYd^–͹8jO"Ö
-u{/ñ‡Å±áX
:{°~Å}¹$K^bFlC«¼±%~µ=¶û…X°A¬Ÿ¹•…*UÎ:k&É@㌉ÂÆN	¡ÁƒE	Ó‘Ùn½ 5n9VËXÔä˜5“بÒ$̳=du5)r®ý4P…ˆÒP\Êâ‚-Xq1‰§Æ°�D Í õÅœlbjrPS´B8TÉêC'@ ŸH13ÝÿFˆðF‹&7ný%�ZÒB]DÐ(Jíi¸sIcô´=ÅBÆ‹”‰‘KøH,€®ß
‹öËÎ9Ÿ‚ýNSìÅ¡x•Dÿä~š•…Š÷PÒ�
-ž
-&AêV„Üg ˜KLð!é,6¦JÂëVâ’�îвS±’wå.‹ˆKÒdf¿c„÷7¯?~¸ù.d8>š¸si™=Lrñ‹"Ȫ7¦jp{136g¼³BÏ{²JS{';Ä?†ÑÚR¤ÕO,žO3‡ž=ÿHÒìdxVx‚x7±X/RaÇËu6ÁYM�¸J¤Êl‰³Š~½[í‹Ã¡Ü¬0�
8MžÒ £(Lmœ¿H„G:§bžˆ$� BD3%ãÍ–¥1¶³h)ÔƉòSudanô$Ù4–r
-ò©–m@’oÞ=ÄrH
-­xŠÎH
-@®jm>»ºêÐD
-ÍK·‰´x»] É¶$šT¡H]8*€q<#LÈÀúZ7
X�É9
-bB@Ç
w̆º¯öŽЙíP/Ù:ÑŒöNW%nB¢
�«føÌÍî	tßQ))eÅèc{üÄ-ÖÎî©ÏŸOå±)kn£â¶xYh‘2wž€˜[·¯ÞÉpÛ4\DY,ì8â8•…¯K‹`�#¸Ñ­$DZl‘’rLX¯Ë×РÇjª$Q"=8¯kן(Ã
-–ú–]h&É4Ø
gNˆr`[5Û‹uG�sÏ‚Ãp<´n�å2.Äæëv8BÆ°yÖÖ™T…&ù‚­› =oëî\}fïξpSm±2P‚õ?3y
-ö‰u”½H‹G:'ff¥€š8Ò3b~ñ|fótŽþ×¼hô´
-ãÜøÄ©Ù°%bë
6ÊG"
-"±)þ厽¹g¡7p’ëyL¿ÛXÊŸ=SSºÉ=Àaý¶=ÇÊ•™PÅÖd¹ÎÈ6�²kÝ»œèžø^¥¨tÆkWÂêÃ…z®ë_ŒN<snCÈ­]…XŠÂy&ád·°_’„‰NRÿÆCjq¾°1¡ÉÓtâòŠË:è̽ð°‹\ÒPGþˆ,rž¹—íŒêë³ÇýlR†N]>”µ´w¿¿g.P?'j…ï‡zóËÿjÆf¡Í´í.‚ìúD
-–µ"R&*Ê¿Èdæ:u»¸'¹9�UhÓ$þ�“é[‚{Ûsÿ&-T|TJÏFÁʦ¡³ðr<Åz>öXÄ�¡î«ÕȇYÜÈâ­}yw�µ°ýü͆i©ùþRÂ
ÓáK8©–ß;(1—Ð�s@ë©g'¿˜P|†Cízt–nöŠÆifê³>o©Æw¹“ìŒA¾â#¨­<¶âCL¬N“™¹u¡_*à[ózÖ–~f‘çËÕ
°:Ræ(oØÉ[ºÍ¨ºá}ÜO*\ʺ§š,wܳ®ôd©d[n°¿ã\D’ãç#¢ÿ±Í?쀅¹ˆOëÉk
°nÕŒLaÇ<þn‘ŠVy8:9¥ÝÄ q´JÖºÜp±þ`¡(dñ÷Ö¾øP'7Ä(Ïë—QaAöö²~M°^Ð/‡ERÑ€4­¥Zr®`y¨•�_ÞÞc-ì?;jã�˲9
7�„Öß½ýðá涱Ôz
-œt᳆“.lOH¢~%_'`‰5ÁÛ¶/ü*ÕŽÓܱôL�NÈJ³0ÉƧc~MÅ� ¦ì¸Ù·Ówñ*2p~í+¸NˆúæõLõK>&>‰EÜïÀJñäàÿë¦ó0²ñß1n®ð•„øãÒ…»�üû7¬ã|ã,4Ö>˜(…ÐŒ”…„Çù)åþÇ®ç¤ÿ"‹™‘endstream
+1277 0 obj <<
+/Length 3827      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥]sÛ6òÝ¿Âo'ÏT,
ðóÑI�ž;mšsœéÍ´} %Èâ…"U‘´âþúÛ/€¤D;—9ûAÀb
,û
ªËþÕeœI®óË4�‚8Tñåjw^>ÂØ�Jp–i9Æzsñý;“^æAžèäò~3Z+Â,S—÷ëßI ƒ+X!\¼ýõý»Û?Ý]_¥Ñâþö×÷WK‡‹w·?ßpëÇ»ë_~¹¾»Zª,V‹·ÿ¼þpsÇC‰¬ñæöýÉùç…EïnÞÝÜݼ{sõçýO7÷þ,ãóªÐàAþºøýÏðr
Çþé"LžÅ—Gè„�Ês}¹»ˆbÄ‘1R]|¼ø—_p4JSgù§Â@›DÏ0P›3Äy_¦q$†��¿mm}µ4J/šnË­fÿÝÖ¶›jÑ컲©[†‡+•-,wZÛ	vƒÜøþ]”�öT)Ò"­¸Û³miB˜VAhò\pþãvæE×vSôU0%{×ki0aõöðÌ�RÈ{°eýè°Û£ejeÚ†zÍNÆû%Òs¹T¹
+t
+¿*ÈãX!ݶ9”]Ñ•O@ŒŽòźè
+
+d…}qèJÛÂ¥˜$Y\WmƒÒ	v¯xjÊ5‹Fâ®0A‰d;@Œ†þŽ;s¹»LO…;SNÈ`Dä`íÞy
+Uó(ñ†Å¡æH
:;0Å£�ób_cF”™J\:0ˆürshvK
+°0ÌÕ/\†J•(g‹„’Æz¬±‘ÓBh0Ç"-�õhd²['Hµ[Žõ2½9fÕäŒ"‰ƒ<ͦ\d}5	r®ùÜïQ…bˆÑP\Êâ‚-Wq19¡
0Eä)qú‹é)ÅÄä ¦”ÁP)«÷­p
+J[°E܇ßQìÅ€)ÅÑ”b
‘á87ªFé Ë¡ýªU5/YÕ¥Ÿ?¹½-ƒq‡ u3B~ŽPL%
æ÷�skŒ%�Gæk.ýh÷
{•LÒ®Ü%ñ
+ãf“ůÓá±f™¸ï4
$‚SJn7sµE*{¾ZY„X 7z”tšŒrr­œ›8]Ü~xŠäœ<
+ÐiY‚õGQÀËN&1‚I�EZÏ<HX8ãO\ÍÌB0ÞòHÁLôò
+œÆ¢Ûó(²æPÙÉÙkΨlÕ<>ò[—Tï"W½‹bbã?Zþ›WÐqw‚m±ÃQì,û°B´Xm‹úÑÊ«B6x�õérve×9
+ÈPÃïR‰¶cú‹�ìƒ"ÑòÄ¢��]�þD$¦µ³±HÌ&Ÿo0 DY¬ õcC½óU½ é‘ µÒmø÷A†Á¯¹Å‘#*HïúòŸrÅ#ôV„>Äø73T(1ÐØn…0û
Di9Ç…c¹¦Ô14BŒ‹<Ìð¢bBÎ]èV�zûᓬPdgw
¥lÐÇÜö;ç7Î÷‰œuá²F”äôHˆôJ…‚ïR¥X~IëЃ’ÖaÃkv¸ä ¹t¥ýõj)2Pò·¯lÇ¥€ØzÓ�žâÈè‘3ÖþS5¦=)ƒŸ q!ÒÓcæÕÈÜÌh %¹,�ó�ðõoË)['Î/qÄåWBCŽeÍÉ0qXQሕàH0w¼ÞÁ½m“|Ïcú݆"Q>s&-�.Oò¯çv·oÅ¡tµ&T®Ù?.6²x�§l÷4'Ê@Õ'¾T©,�ñÚÕ±º`&‰>Qó¯'N9ÏH°½WæÒpžJ4ÙÎlÇA¬ãÄ?õ�Rœ/lL`ò$¹û™3D
:u©»Ç™¸!	t蟃Èç©{ÝN©Ê>yàOG…aèTöÉVÒ>nK~ƒO]œ~NÔŸužœ„ßÌØ4ÈR¹Ûwï¯CR2κ–»z²ÂGC/ó[¹N܆î‘nÊndI}�ÝñøqÁ=õµ€=¦/TŒTJ¡)4*\ÜvÓbhÃì‘S‹ȇ3/FÑ*ÑR*}=Šc½E{,bìZ.ÖM‚f³¼º»ÇšÙ~4ƒ.mÒéþRËã«@‰–/&”X[hÈç ÐznzÆÙÊ7ŠÏ°¯\�ÎÒNžâ8GM|Êè
Ýð¸w’Ú1È�µ‘[|̉Ôi245Nô­>X¯¶`¬éC�<Ÿ/�€¥Ñ¡2ßVÑYJÅÔ5ïã>Êp•¬Ì=÷¤¹ã^æªWU}ËÂMèwüÉF(‚|@t‰¶ùÓX˜h=yq
 endobj
-1216 0 obj <<
+1276 0 obj <<
 /Type /Page
-/Contents 1217 0 R
-/Resources 1215 0 R
+/Contents 1277 0 R
+/Resources 1275 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1273 0 R
 >> endobj
-1218 0 obj <<
-/D [1216 0 R /XYZ 85.0394 794.5015 null]
+1278 0 obj <<
+/D [1276 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1215 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R >>
+1275 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F48 940 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1222 0 obj <<
-/Length 3299      
-/Filter /FlateDecode
->>
-stream
-xÚÍZ[sã¶~ϯð£3³æò"Q⣛Mö¤ífSÇ=—iû µåÄGr-9Ùô×€
-Ìf¥ŸiÎg†E+âJd×±¶Uv�ðN š’6:}¢‡W0Á!¶	Ix§l ÙJ»„Ùþ(å“àLIë`Bj8˜:¢ÒTè(V<Ç"[®úŽ¤XDN%­#	æîW]cMkµ‚£§gBg Øþ}š¿d›¢O�
&Ý£¹’ÕK¾©|r$ ë ¯ŒI;ðt⃇Ï`Ë••Ö"ÆS‰ÔÙ0Nû¢¹OæBЂéÔž¸�}â#ö�øïâ#ä/å¦w+œ0Æ%íð8€I®��Ž4ØB3Œ½Gh«Á(épëýP[3\xsy•ßg+¢=”UÍŽ=>B ý	
æI
-x
-ö
-î�HNÖ†‡–µ�oruAdØ'Y0#w™aªåÉŸÊùrÔuKÍfÅã®{TÑ4ЀC׈³Ê`“¾à¾g[+Eb’
-8‘Æ2=-80õî–PÐ¥#ù%£L«€Ćü~»h"øZžm*Q¶ÍDLÎèçú–çsNe|} G_èj…~é·áÄc?GŽ¥pÒéo=#AÚg¿T:¡–2é~Z¶.«jÙ�ÏÙjjÌÌ{ŽlÈ#¢4z#Ù€ä5Õ�	ÃDÏA
-‡Vœ˜ÿálëƒm„‘Nº7Rÿ6×qØ6\;ؾ,WóY¶9¼
ÑVDR�˜zÄwŒfì�:ò)÷×&Ú]@;Ð(÷׆1”ƒšt¨¬ ‹Uuþl
-¯§	ÓFFNš”%.N�ç:4r"IõÞÓÌ
ìš¿Ùê	‚ ¶#h¿d¯pTüX臇|ž½*¡;ò¸Û6a]óòáw[@ê
5¹?Zuðqh´WL”§¬ž=P™êUƒ"uY?<‘
-¾þˆØ*R
ñ~FËž½ÃN^?t‡åñK¾*_ˆZ—kf\�­�Q¤jzvFÁ�-£xغT8e\oqãcOˆG"	µ:
-¯�z eDbµù¶:⨴5ØÞxÙæ:ª†k·aÕæù$ªNËL=ò{0eº
-Á”‰Òo�ì¢jCʦ)뤀 •˜
-Š]Lø^á¤BI­O‹o¸zäw_á!S8/:
-ü‹ßÚášB~í˜t²¾ˆ“‚êõñ•´Bª5ñˆa=žÌ‡�}^IÒŽu·£ÀÜ{襜J¿¥¶8º“*5Ô8¹“m®ã;Ùpù|-ß”£¢Ue6ªëÕaB¯EÅæ´
W�ݽ„-Ô6éªÀ{©B
-Zo¡¸�ÒÏïP³mý€µdV/ŸùN¶À”ŸÔþ.$yÅ�>�‰^†z*d—¼Óé�Dñé”
-÷š@À(«�…Ó‰:‘Õ‡‹óÝ2e¹ÿÚ8¬‰Ó¦
-ªÚƒ¯þ ‹ÖòÛÓ�8!�ü[ŒëibÕÈkq�@^àêAÞh–�S~#EC¦rR�†«G�îK»X$¤3E
-2TÁ
-k=‡ú‘²þÑcõx˜—@.aÝiñ
Ó¡ü.Ì!}‰eW
9:¼Û¿Ïñ»þœÈ?…îÉäîúcEÄE¹‚ò‹o¸œ¿Š
êÏ·ü^å²=!쾿š0ìÎ;~põÖM›óuÛ»ö]cxÑ9ÏÞý2iåâáw?Pêü«”&»'¢.Þq}¸¹ûáò?Ä8™pgI¿Íg)Ô½\„±>7�ÖcþJ]Íg<@üÂ3ó5)€8ÍS²
ó=-¼EßUA¸Š�wË0vh»„mÎê¨[/ àqWíâç
-þÛÓZ;'žòKY?PëeI-ËE-“ $f*ÑÀ΂Z|™ÛúòÁëØç{à¡BcbóWŽýP!Æ?cì�¿l>ŠûË_Kî>%�ð­Fz$Á×I
-E4LÂJ¡ât¥Ú
R€�t�êÿ£„‹�endstream
+1281 0 obj <<
+/Length 3465      
+/Filter /FlateDecode
+>>
+stream
+xÚÅZÝsÛ6÷_áGy&B	€ ÁG×qrnÇ'»÷1m‰²5–I�HÙqÿúÛÅ.(P‚äæÚ™‹g"p±Ä.€ß~��§	üÉSkD¢‹ô4/RaiN§O'Éé=ô}<‘Ì3öLã�ëû»“ï>èü´E¦²Ó»y0–‰µòônöËèâoç7w—“³±2É(gc“%£ï¯®ß¥ Ÿ‹Ï×®>þ<9?ËÓÑÝÕçk"O.?\N.¯/.ÏÆÒ	ï+áÀ®~º¤ÖÇÉù§O瓳ßî~8¹¼ëçÎW&'òŸ“_~KNg0íN¡kN_à!²(ÔéÓIj´0©Öž²<¹=ù{?`Ðë^�­_j¬0*ÍNÇ:6ƒ1¢«œˆÄÀª�sSˆL+ݯ²’±Uö\¸Ê³ºm«éø¹\.fe·hêÝyËÌ•åÅi8øž
+=WDè óD¨´ÐC%.ëò˲:ƒIÊÑûëÛÛËjZ¹çÿÖåS5Ãý´ztÝtê¼3Y•$"Ë
+êÓ¬H±‡ze¹0yV0w¹l–TU³–š“¾°¢mÕõnÀÔŽµ‚­3°2RÆ(7îkÕFd«D¤J§,Å QþVó3iGójÚ-ž+˜³–Éèî�;gÕ¼Ü,;zX´=¤*À¤üàqd.
+P—yÄò^¹Ì„Íù®#ô\Áæ”ÓiµêÆÕ×Õb]ÍöphS‘)£�«ÑsEôLÙü’,*rî4€5ÖräÔÀ¥U€�ŒÚÅ}]v¢µÄôòPÕÔû\­ó×E}O=Š¡=|aÉm!öö[ˆÑ-ç	PN2�%Òµnb;É`ó;éÐr[u�SAÒ=€×jVdXŽÊ ûU©0‚?DXVåsÅ/8«£æófYWk2Úð}šãjY¾ÒsÙuåô±=©,Ggj�#*`:(Ï„óþϦZ¿.›û=©L$‰I�Ší™öåVZ'¢°Y>|»ª¦€˜{š"6º‡j�šT":(vOÛ
íC³YΨí,xÛ®\wÕ¬¥¦–_~|9I:±£«yÄýi	ë"¥GB¸";I5„ˆ0ÄèÀ�šŽE­ª39šŽñMpj
+¡u‘‡òÍÁ½&¸V@啳3Aᙂ5±£�3C•éÑÜ­&�—Õ}¹$ÚCÓvlßØãÒŸ_ŽDž€‡`£àðå´Øð,6ðM>\¹0Šß¬™‘»ôÈ*ÉByð§f¶Ǭ’Þ0XÑ0Ѐ°«EdY¿&Qÿ¾[�(
xë’ÕjI¾ŠVçqsÍÎÍKí¼мgDêœ~ÏßQ×9ü#
+9] }ú©ì‘0±È¬]uÄÅÕ¾¸UC³©SÃm½Wy°RÞm«¢wÛØ$’eTaòž
+rüïœH.ÄÃïõí;b¾ýÌ=´uÐÀ	àïþR“¹	8v7
×òp²™øGt¸¹›q C÷r�W*LÙzPÂ#

Þ&lâJPkQϘ­à„$îiÙq‡ÿåQKú¡‘¡Úhy€eÓ<nV,a>àõ¦DOèXXít�(¼¦'Ç�yUÏ8C[pJwu=>ÿ~"Î'7g…rØrä›l—äL›»®®ïÐÌ¡RH+%„‰ã9TÈu8‡ê¹¶6öôu¿°B¹:.¹çŠˆÖMs›
e_ l\”F{GLÖ‡¿C
€Z•ë–ßhBÆy?“Kú¹ºáÇÙŒ3W!ÈÂèÐõkN¾u|1Ì’
”7I¡¾5D‚´Ïnª‹\h›î”«¦m}éø\.7¾ÂôÎ<±!�H­y#×È¡$S>n¡“ˆÄQZ&×ÿCl‹Wg0Áü
Ün™ŽÀ–™¶¨}Y,gÓr½bR‘§¹9*¼gÚ—>ÌÎ
+H›­ˆ§Ì_ét{D
+ÏEƒÈ§5¤T
+ÌѸCÙ«ÕEäÁÀ™óÆN†\‡w²çr)[µnÆu3n›rÜuËýÄÌ¿vU çŠh0ÜKp¹–Cx/¥ÏB»
9�»�
+VW™¿&å‘f[èô
à\G€ç¹"ÀOËéÃ~ŒÂãGq\�ž+¢ÇðŠL
+	O.‡Šü$ä"¨‚³Y¸¤m‘†O!Òˆ
w{˜Ýá
é|A
+³åz}ûã忉q2áΆ~ûë)Ô½˜ûw]j­Çꕺúë<@üÂ#ÓU	ÅøE
+/`µ£‚[>+³ý‰¬ÙÎAg#OÛ&k3î˜SG|ˆ‚Çm±‹ÜLˆ“	ù¥é¨õ² VÆ5-“ "f*Ñ`‘µø@7¸ûàtŒ˜§€Z[ý)ÏëÏߌÀ»´ì'ý­¸?}ew{Ÿ9ÅVÅ­H'P8áí
+V
+7rWs£­0VåÕÿƒ^'endstream
 endobj
-1221 0 obj <<
+1280 0 obj <<
 /Type /Page
-/Contents 1222 0 R
-/Resources 1220 0 R
+/Contents 1281 0 R
+/Resources 1279 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1273 0 R
 >> endobj
-1223 0 obj <<
-/D [1221 0 R /XYZ 56.6929 794.5015 null]
+1282 0 obj <<
+/D [1280 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1220 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R >>
+1279 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1226 0 obj <<
-/Length 3218      
+1285 0 obj <<
+/Length 3124      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKsã6¾ûWèºj„/¬œ&3ž¬S›IÖã=l%9Ðe±†"‘²ãýõÛ�nB$EÉ»›r•	6@£Ñ�¯AÉErᬈufif„�¥]¬vWñâú~¸’̳왖C®ïﯾý¤ÓE&²D%‹ûÍ`.'bçäâ~ýkôáoﹿ¹»^*G‰¸^Ú$Ž¾¿ýü‘(=>üüùÓíÿ¼{�šèþöçÏD¾»ùtswóùÃÍõR:+a¼âÎøtû÷jýp÷þ§ŸÞß]ÿ~ÿãÕÍ}ØËp¿2Ö¸‘?®~ý=^¬aÛ?^ÅBgÎ.^à%2ËÔbwe¬ÖhÝSª«/WÿzýÐ9ýYí„u*�Q ’s
-´™H´Ò^�¸g	ÿ@q;lö/ù~]Ö�¸5˜@&ˆ°wa•IýÐûmq½Ôqmü ké"?h6Ú䫲*»WâXå5‘xÈ¡-ÖDéfñyÇ9uW4ñ#SÛ²+–/庠ÞU¾ê…hx…œe*^xD±.öí;x“YD‹¬+4‰º}¾Aâoq¬V¸iܦ”"³–L¬�áÀjâ¨*ë¯-5½Ô:‹Š?»b_çQë|WP‹WEsJ³è¶#*©
yÕ6Ôzà
 �k­³{¶ªy¡æ‡b_¼úÃ+­Î«ð mÎˬyxÝ0a›?ã­)¿µuIúX!ŸJ£|µ*Ú–Ú^å`Ú‚·5nµèP“&‰1¼”ív8$�ª¦ùJ­Ãñx5•Íž¨¨&^%¯__ò×k)e„º2Š-p`LÀÕ¬V‡=�hêê•&…ŸÙS·m@•ÞIƒÎðeƒ«cãe[®¶Ôô{Ã)’Ú%ðÚÃF~€9÷e—wå3óçõš릘²{e�§Ïëö%L_ó³ã�Þ†ÅI$‰El!È%I
-{KÕ|äd¦å�ë¼ã.Ô9ízº®TRØTf—\3+#†T‰°Â×héû-êXg*jžºÒ;n&£@£Ê®Èk°�Í¡¢žrCt2I ¹
Ъ²íÆ’
-ÇörÆr�Ϙ�˳pŒËöxô£Ì	ˆÖ¤™½,Càšb”;SÀ
IìÆRŒr§6–5ƒåW_C
Ñ—UðœäQäò]¬GðCý¡à3\ˆca×P¯åCóS{s‚Nj>Ó%JXiܤøÚxCSÀàžd	B¶¥N�¯Ê¡Fù¹H¢è@E7@¼,{h}=þÂþÝÁ慨ZJÆL/ušϨžûŽ-óöëá:`ø2z¤7®3 ubçr¼ÄxP}ðs›ãæLœúÍ!…A£êÕÌü-=Ñ”°¥#oO5ã
-�Í;i./¸fVG!ùâþhùq:Ú0`Š…ÐÍBú1
-9‚šžØ~%BÓß™ät˜E?¡®þ–t6¨`Z�ÝD/“ÍX'”LÔ0¨>�×9ˆ-±”3—3pÌ£�êà9#œ‚¹LöFˆ0 B4†åâ°@¯ÞÔPˆ Õ;z6àýÇxp^	—*c¦Ñ
-1PJdêuHÔB©A„»–P`{«ÄÂ!z]®òÕ54zóW¸[F—gƒÏPºÖ4	½ðÕ7—ºø<bM,¬û
-cÀ@Fš:þ<s�—É
-Í^éâÝù[u
-Ød(ÁøzG\ŒMÎHØ\ÊcFÒºÿ‚Œ‹Ž{ý§3wŒ6øFxü½yi­_ÔFÊÒ1”Ã&±§éiÙãb`NÓÉ·Ì Ãi¶H$<7´q#9ÆÉý†ïCN¥I R'6	³/ð÷
+xÚ¥ZKsã6¾ûWèªj„‚äq2ãÉ:µ™ÌzœÃV’MQ6k(Ò);Ú_¿ÝèÅ—ì­ÍL•	6@£Ñ�¯AÉUÿå*²Â¦*]Å©Q(£U¾¿
+WÐ÷ã•dž�gÚ¹~¸»úþ“ŽW©H­²«»Ý`®D„I"WwÛß+”XÃaðá—ÏŸn~üõöý:6ÁÝÍ/Ÿ×…Á§›^SëÇÛ÷?ÿüþv½‘I$ƒÿxÿåîú–º,ÏñÃÍç�DIéqaÒÛëO׷ן?\¯ÿ¸ûéêú®ßËp¿2Ô¸‘?¯~û#\maÛ?]…B§I´z�—PÈ4U«ý•‰´ˆŒÖžR]}½úW?á ×
]ÒŸ‰)cA“J$¡ZV²±”À	2¦g%+¹¤dÏ…Jî§M—?mÅîP´�ÓMK%EšÄj5œz&@ϵ �H •…vbÇ"Ü­Ó08œÖ
g×5ø„÷µL�É=@.ê|,¨ñŸ¦.ˆïØ–õï>|¡F¹£¾_?2áÏcq(‹–^vYY�MX©‚OÍ�hd8&!BÞ쟲®¼/«²;­¥”Á;舭
t„'#´Ö°õ(Rn'Ûb—«Ž©l‘qrF#­µ!ÿ©ð<#-‘�0�X˜e“h¡lš×J(cÎþ"áxA†¸¹—ì°EõÌ×W…ËHCGàÚ`ç¡Ò·¤×0…å¤Ç‘g5‘ïyȱ-¶Dqg‡,tjYÇuW4ñSÛ²+6/嶠Þ<˽
¯�±LÅ�(ÏÅ¡Å“�)[Èö˜³ p6‡l‡ÄßÃPåî”Âñù40XMTeý­¥¦“Z§AñWWê¬"j�íjñªFâ4¸éˆJj€FVµ
µîy
+*Ê(6¿�%
W“çÇ�hêêD“Âq/œU÷Ø´yR¯3|ÙáêØxy,óGjº½aƒÙûŸ{:ía#;Âœ‡²¿~fþ¬ÞRcÛSv§ìñôYݾôÓ×üìx 3`1Ë›mh!~Gæõ
+BEÑëëz¦…u‡Á’²
+m2^÷î¬S4O]é\6•AO£ÓʾÈj0€Ý±¢œSË�09ä@«Ê¶OH>
+�h&Pš
+B”Î?‹<=×[bÌf»XÿhÏFõb
¤¹
+©õë"x¦ÆU»þŒeeNm"Ö^¾z¢+¨à9É¢ÈåìºX‹<àŽ…úûRÏpý�%]C½™›Útº3syÎ*I“LÊ® 74í6µÖ6:N\1õ/Êϵ1:*:
‚eéq=ôyä…ýû£Û5P]‘”L™(Nê8íý¢zö�Ìë×ÃuJðWNÂКY¹oÑ”ü|Ìps&ŒÝæ�ÂpQy53KO4$léÀYƒÌ°GÂʯ?±J°~
+„¾¸€6¡è½çN¶çîPæ�Û#Ð
+¥­ɳþ™ë
)|üWx1
+.à!qÑeeÕŽmøoä†>áŠÈÝÉg6v”Ña8#o»Ë• ¡õ©lÀt9“y&çÁXl
+-µ/"öÙ‰fçKâ„ó<WDpxŽe›Ë !®…Æø‰�Ü·#‘0‘‰™	R
„(vÜ5–êWàÄfñˆõ�2Ne<VX鲶ò塃ðÚA^3XnS/e_â˜7J–ÖÎDGGtë+Æýõ"´F׋1ß-¸õèá‰š¨4?ߎHX�¹íËSµUcü0¹Wf¾é§žQ(y"´~N7½ñ#jöP´çÒ’17
Ú�24Êü]ë�4š(úÊÅø#¡rŠâ8z=
+i(åØì‚€cÅ$¸PÏå‘(˜Ë¤o„
*Yˆ*	ûù½vcC‚Gc�õ0\–E&¡ˆ•ÑÓH€#^×æyø7¬0-Â(™ÜãÝì&÷+ÿ¯ãò‡ºùG§±oºkd.rç` ‘"ÂoÛ³ub¢ÿå—ha’$Ë¿
 endobj
-1225 0 obj <<
+1284 0 obj <<
 /Type /Page
-/Contents 1226 0 R
-/Resources 1224 0 R
+/Contents 1285 0 R
+/Resources 1283 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
-/Annots [ 1229 0 R 1232 0 R ]
+/Parent 1273 0 R
+/Annots [ 1288 0 R 1291 0 R ]
 >> endobj
-1229 0 obj <<
+1288 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [367.5469 543.9652 428.747 555.8654]
+/Rect [339.2005 483.6075 400.4005 495.5077]
 /Subtype /Link
 /A << /S /GoTo /D (zone_statement_grammar) >>
 >> endobj
-1232 0 obj <<
+1291 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [483.4431 345.7585 539.579 357.8182]
+/Rect [455.0966 291.3684 511.2325 303.428]
 /Subtype /Link
 /A << /S /GoTo /D (address_match_lists) >>
 >> endobj
-1227 0 obj <<
-/D [1225 0 R /XYZ 85.0394 794.5015 null]
+1286 0 obj <<
+/D [1284 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 354 0 obj <<
-/D [1225 0 R /XYZ 85.0394 769.5949 null]
+/D [1284 0 R /XYZ 56.6929 712.783 null]
 >> endobj
-1228 0 obj <<
-/D [1225 0 R /XYZ 85.0394 749.7875 null]
+1287 0 obj <<
+/D [1284 0 R /XYZ 56.6929 687.8416 null]
 >> endobj
 358 0 obj <<
-/D [1225 0 R /XYZ 85.0394 528.8451 null]
+/D [1284 0 R /XYZ 56.6929 470.2923 null]
 >> endobj
-1230 0 obj <<
-/D [1225 0 R /XYZ 85.0394 505.7912 null]
+1289 0 obj <<
+/D [1284 0 R /XYZ 56.6929 447.8217 null]
 >> endobj
 362 0 obj <<
-/D [1225 0 R /XYZ 85.0394 390.6092 null]
+/D [1284 0 R /XYZ 56.6929 335.2388 null]
 >> endobj
-1231 0 obj <<
-/D [1225 0 R /XYZ 85.0394 367.7147 null]
+1290 0 obj <<
+/D [1284 0 R /XYZ 56.6929 312.9276 null]
 >> endobj
-1224 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F63 998 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R >>
+1283 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F63 1053 0 R /F62 1050 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1236 0 obj <<
-/Length 3335      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿B÷tòŒ…ÀéSš:­o®iêøæÚ>Pi"‘ªHÙÕÝÜ¿],
-¶>¼lêbd{žhÆe"ÎÙT7QéÕ­aÑd&­e6Ix%Y¿g,²eÈ=Â
–Å*?nzø%I“1†¹ãÊ3±­ù¶,šúkZåžQž²¥ÃYaN‹ÜIàOÂμ„7Em
K$ºj¯]¬Ëö±Z™÷˼)ÎŒ•b¢ÕõÝ#ÖÈö=cpÖ˜þþ=cI4V‘˜`¬�Æꂱ"+ëã|·ihüí©Ìw›!|ûþ#Aé�5AWÕ� »¼n
-?þOU5˜©Èôô‰ô|&øSkE_�ZeÑ™×Å„X�çeQžÒn	àùˆMÁ!ìNÉÐYdÓ÷US´YçMD¬^6å'‚·ajž“ö¼ñ°öH``LuƒGÿów¿êáƒ;X2ð5Ë%-©ë¾^nÊ�›óz^çºbSfЗh-ÂEš<|šÐ౫5
Ö]0¢5gt�Ö‹fãŽÜ&‡Ü)˜²€Ü%~¦¹ë„T,3h9]HƒœãhòͶ¾l»°�sH×m·ƒuÅvÖÐvgÀÎK~X¢¢¯Æp\#¯3±F8é]ˆÑÌØî±ÎÍXËhÆ0fÃÖŒñ!š1<�íÈÖŒaÜš1>83†AǦ:˶ù³·×,eÜ
-Þ×ngÙx]~I*¦ó‚žIpÈ×Ò1S„"Cl�ÁIP—Ü8ïàf:QC¢É8¿¯lW{„f	WÒ;þÿB�$¢K´&þo,ØIÉkXsGäƒL‘¡"/kÏ,y
-
-‚�´ª“%!ßÇúò<Ñâ:– Í{
-GËãÂ+‡ä ‰ÅAW9ÈxïðÒÁÈ6åï6–
:àcƾ*ëÍ|³Ý4'B ïQ#
-dª©Ö=FÎKä€t}%(=uÖc ¦»ª+éׄì\‚Oºž t±.'«õ¡ÏzVŸJÐÚšâS/7€Â9K„¹ÎCÄa¢—(ͬU}&žÖ”§Ójï¯Æ/¹jPÌ&:"*åR/G�±Ã ÞU•ó
-T»!H‚:l–®r¸Ì�±L¤6HŒl¬G툋GÃõ_–5<@°ËU°Go !Þ]kmCŽáyô V�4ð­ŠKÖ›€Ä!¼b½¬+Ö°ðèó-äëj{ÞtH8KëêÖkdo9èFª,lÞï&á’7øÙn07ÅQµòm"p}
-éF
b¦'„¯³pänÑ�ŒkïÇm‹Zkv{z
-G—
-ªjà9¨¶ÏE`—*&Ål¦QŽZ­œó©WªŸÂŽxÛ�¸JÊZ¦ƒƒ’ï:õqî±Û
-a"ESùýž.ièy-$Á”IB1T^6z|›Š»‘N»Ä¶5 R±Ô$6¾Âæî-¨”VX!­rÈ~G6�ø
->>5™ò	Ž«HЧÄE®B¡ ûêà: Õz&B!ãFàØËÑ-®_4*>t®ÅUA'Ï}YÔ÷¥vÈ)
-”
„¤!‡©ÀzCþu‚¯pù€{íÒåÐù¾×�oúAÖ�ןjŽ#R	Å%].Æ
-™B0¡‡íªž™…
-Öâ÷|\Ü�XÐÌJ–¢
{¶ù€׊ò½)È™a¶×~–#ƒ•$<AZ§zÔþÆÁ)K¦<9xúŠëk­=ØI‚!áûšt�éÆ¥	
$
-lz–‡>…ko¨Á@1–Uø€œ €æ·˜ÇÅ	KöùÁ1Á—ëL‰¶Ž÷ß—T‹ÏÎÙJë�\wN­ëŒ�FѤé±ïå¥×Ui|"²(­SžØÊo¸öäª}
Œ’
Âc}qíh¼Î=�¢¤Ï”püæÃÇ<î�	,>ìeá–¾Ž‰V¶ 7KˆA_ÿdļu¯ð­aMP'€>¾{K
+1295 0 obj <<
+/Length 3121      
+/Filter /FlateDecode
+>>
+stream
+xÚµZKsã6¾ûWè¹jÈà
²ršd<‰SOÖñž’h‰¶X#‘Ž(�ãÝÚÿ¾Ýh
+>»[þ:ÿ?ß]Ý^fB³¹É/3mØüÛë›wD)éç»7ﯿÿ×íÛK«æw×nˆ|{õþêöê滫ˌšC{á{8Ñàýõ?®¨ôýíÛŸ~z{{ùûÝ�Wwq.Ãùr&q"\üú;›-aÚ?^°\–…ž=ÃËyYŠÙæBi™k%e ¬/~¹øgìpPëšNéOé"×B™Y¦A¶,§µÌr¦Ak™• SÁMÔ²àSZ\¨åj½îž³?öõö%ëÚñ¤¹Ö¹Z̆=�¹&�
¸�©2cR	~yªÍoŒ‰º‡�ÅüyÕ,VT\w‹j�E;¯–Ëí%/æußÆEÕR¡Z,꧕;ǵlÚjûB”w7¿P0Ë~×tm¦
+Ú¶ý®j�¾ë�\’Ž©ˆŠnp(ü
+NÀÖ­�k´{êé3Y°%Ù#ÊUæ–³S–82+rÅ-4CîM…’qÍúŽJ÷5ýöÑ –DhÐL¸tr‹ÁÏ�´ÜwüoÐÉÄàBæVxXä]½©ÛªNpß¿Š†ÅEÕ{iœ=Áo÷©Þn›¥33ø<!‹5¹Öà4P÷äÌ•Ì\½Ì¦«ù9Z³Öè±è9ujýJXÇtýà´óæ0Ð蛑	,ë‡j¿ö|�_z4|gd¤XŒ†OfëOÙJ…L‚ ‘‚ âŸ{eáRI1{Áô,¬º2êt_ÔŽA_¾Z¤]eAºLkŒjÖƒ_\*X[®s#”�^äRIÒõÍ`É´�¹!'˵Ê/Ù‡ËÌðùü/æWGªá.ô3ÐK.XéŸý1ã9Se)‰kPv³=hÁ¾¾ÞˆÙ»æ4N+ôœ
»vó2IP×0Å‚�ÏÁ²y4ËK®çdš�„Ùü%[T‹K(Ë7b˜œJL†ÁÃœ!Ùb¾ï�CÉ™ü:S|x¡Œû}Ÿ2�eZÌ(‚Gö¤J³®Ø—�, Ë`AvÈæ_f¢™(s¬ÿÈMQÈ3™–HʼP¬<Ÿø#×8p�ªÆ¦e
+…¾vTÛ	iŒÌ™Ñ6f[/öÛ¾™Žø�ª
+Pp:œw%(54Œ‹Ñ\Éy#oŸ›~2%1Dž†ëbbhmsˆÏòï
Š&Wº,‚b)šLg›ß˜f¬V¢Ów�Iÿ
5rßhZßLˆY0ćþyš×p"GÑ$ oe‹\eÏCô!×iO�\“ž:Ôp/	Aþ¬‘kBŒÄYÜv
+2™|Í\\gÌ5p�Pé–<\¼2~`š?ÝPò\1 %¤IÅÄ
%CR�â!©àGL*† þâ®�JÄêfôÉ“;9l±"Þ?®¡ñU}½ä�‡
`ÉÆè錓
ŠRBϸ?ë@eØR‹>µX~2µ
+tf's"·pû3ÅÕßO.âï%iK
+V§;\0lÐgà³cÆæô¹Ùd$É—î„£9H�+¿{=c®3æ¸æ°ZV»ã
�‚¡åùÑ#×Äðé¾öDR‰tüÆ8BÆ÷±©1v»�»‘É­
ûýýƽ@ùÝK[mš1Ði Pi’
�àR7U¿«}�‚z�?î‚9@z…#R€z0SúÐäÍ
¾—µƒ@9	ä
è±Á
+ûÀ–¾,vxCÝ�¢@5짼°)€Øz±}4wµt=â�1Üšq¡S×Ó§ £ 7.8©‚””§z=m°d’•ó»ËRÌ;â©Ûê~íùâÐÊ=¿!æpœ7¡§öOZÈN7•yÞd^µ°ašýæ¤jeÜ.e`#d¿/t#ÙüSµÞÓ•Ç�þôiUµ¢s	ÐÆ
+û×–Øâa`�–i¢_‘£Fݦ7Õ+(/X åÞ÷{Ðç},º=^ã<Q:Zîጋƒfäa?í�b
+Ù‡k)@ïr0Þî‘gÉ`âþšÎúsEUĹa9µvO««Ý>î:�@÷u€`¨#ŠZŽâgàÊîªË
ûçS××�HÓ=0÷S£ÑÖ/ƒ¿ã4NÀ
cJ„
+7øtµîuØ—=0FÛß6lz›ÇÖ›ùòð¶ÀGƒnS‡Q¶mŒJ|mðxfÃË$²Â¼rþ1ä:ã	�ëà	Îpêíñ–·Ì…(Θ&†O7¼îU¦ã'HY	P=RVÂ�2Ò#RÆ´7üõëS»s$¸‡Äâgçû:x…«\y®áAåÄ•˜Ö¹Á\C8&
+þÌâÄ‹9<ß‘“÷×,¾�øâ×t‡§†ÊÒ
Í4D`öø¥
B¡õ$вÈu!ì„èÿ¤â/
+endstream
 endobj
-1235 0 obj <<
+1294 0 obj <<
 /Type /Page
-/Contents 1236 0 R
-/Resources 1234 0 R
+/Contents 1295 0 R
+/Resources 1293 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
-/Annots [ 1238 0 R 1239 0 R ]
+/Parent 1273 0 R
+/Annots [ 1297 0 R 1298 0 R ]
 >> endobj
-1238 0 obj <<
+1297 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [184.7318 660.5919 233.4785 671.3763]
+/Rect [213.0783 309.0057 261.825 319.7901]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-1239 0 obj <<
+1298 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [369.8158 538.8963 418.5625 550.9559]
+/Rect [398.1622 184.6228 446.9089 196.6825]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_security) >>
 >> endobj
-1237 0 obj <<
-/D [1235 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-366 0 obj <<
-/D [1235 0 R /XYZ 56.6929 372.9462 null]
->> endobj
-1240 0 obj <<
-/D [1235 0 R /XYZ 56.6929 349.997 null]
+1296 0 obj <<
+/D [1294 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1234 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R >>
+1293 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F63 1053 0 R /F62 1050 0 R /F48 940 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1244 0 obj <<
-/Length 3002      
+1302 0 obj <<
+/Length 2626      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZKsÛF¾ëWpO¡¶óÂÃ>)¶ìUj­8Z¥j·’@Q
†
-íœxö‡JC'¤òïUWî*{`¸a1¸a…ÐÊ`$©MÀÍÑà¡:˜8LD?¸ÙueS3wö:-_ÌΡ-V!Êl —ã§|l¼ ¥U6X:È’Pi•:ƳÄQ4ÿ}òúáµþûÊw‹�'¢è¨%¤Ò£Åþ"£H¼\-Ò—/¿Wò•‡‰$`?ö%%íw,«
-ΙyQç‹
-õ1Ò¬˜@¬ó-“zªÕJ kH1Š(Vñ�
-`ª)Úú»Ž:>ÖÍq26¯Û#�bCsrúùÇ¡hQŒh§	
/‡ ³8¥¡À‚Tv9=^a@h%0î¾ìJAÛöËÂsà >Ž˜ý�¢;Šc>U<rÔCNìò`†	¢‘ÓƒF{°1:‘¡²
-~1Îtr’*ÅŒ@›(”Ò¤c+99´1@ò 5¯¶€×ÒiÌ›Yóñp$Â$SŸÓ…QÖûg¿ª¨,N‰Q)²””"ËJaA=uîÁª›-
Ø�ƒBÓÆõa»(x…µÕ7Œgr¼–M�þãîpÀ0Ö½+ÆûïJˆï+¢v¼VÍ–0�ßDfÊÄcC&‡cy¢ã%Þ‰|©€Ã�åB"5¿Ý0;>VB|¡z·l==ƒ	£¤ŒR»!>o#Á{¨4vv
L÷:8¬v
nìóij
-d@¦à×9j6Rln
-²–ü>/+,Œø®)Ã,*6_¾¦D¦z|M°&Êvº ,›½s¢MMñûûK‚!½@°ÃÆ›Wx{	ePDz-Ч‘M·pŒg¿’TÎæ¨"=I‹šc=öË/¿œÏ?2¯aNÏxÈ–° ÜR+6F™'JaÂo^ß°æSÕ‚Ç×Mþ`CÌe% (}Ú¥®–žb;´LkkŠv¼,!›«ˆ^Q,¸ã¹(ã‹åa_v'œ–j[“†.¬¢¢Å¸.ÿ]¸¾]Q¯xoª½¥óû|_6&îòÀ'A°É´Úh-æ‹êà—#*‚Bkð²�d:÷²ÙnMaDÉ3
-DÄq“O3˜ç/Z|1/Kò6pŒ–�CºG­G	‰pø”§@>™$“‚˜ÇŸÙæÉŸQír5‚¼CøŸ·
¾#ðIJ&ße+]öaê”M¨ŽOW]?5§W'«bËÜÂno	‚]z�y&ÿ„y€±Š§‹Ï©Î‹Äc_oóèA‡ÂÄ—ÔV"ˆuð�Œ¬¥Õ­écƒñÒ¦\”QH
-UΉá5}Ûfˇh  j"‡�R
-ÃY»{Â$¯×6ÈQÑ
+xÚ­]sÛ6òÝ¿B÷tòMˆà“É“›Ø=w7q}ssÓö�–èHc‰tDÙ®çæþûíbIQŽ3éøAàb±X,öV	jâR‘º˜d…N*7™­�ää3Ìýx¤'	HI뇫£×g&›¢Hu:¹ºéÐÊ…Ìs5¹šÿ6M…Ç@ANßýrqvþã¿.OŽ3;½:ÿåâ8ÑNNÏÎ>¥Ñ�—'>œ\'*wjúîŸ'¯N/i*e?œ_¼'HA?ˆ^žž�^ž^¼;=þãꧣӫx–îy•4x�/G¿ý!'s8öOGR˜"w“Gø�B…ž¬�¬3ÂYcduôëѧH°3ë—ŽÉϺ\8mÓIb¬Èaÿq)+‘)H™+Dj´‰RÖjLÊ
¥|½*g·‹fU
Ï«¤NÁÖ]¢{[G¬‘½Mgo%Sa7Øü×»j¶ü]J]µÇ‰ÑzZÒÏjÙniÔÜðÄ|¾9Vù´jÛ€»]”Û0ªhÐV›‡jCãÇåjE£ºa¼r6«îxüå¾Ú,©O»YóžLá¾õdÍtÛ€9hVU`„6I4ÜM‘Z�†…sÚŸ
7x:VJMA�’ÓOaGT³ÝŽøÀ½p88(‚è$8ò'ÁÁ5c3ê]SÏ«9Ójx¿«#Í«›ò~Å+—-òüúÌæ�Û1&6“Ü)²^7uEX½;ÔF¨ù„$£«a‰ÉÁjóõµ
+|³–ÉÁ×k•öhïûgéFjHOù …ªêòz…È«
+Š}‘�ˆ¢`Sû”„Š'F÷ÉÔ–ÑI°0ë¡=QòY�š¡BB”gHÜóºZ”èÍý²œH.wGl)�
PÙŽlùoBÖ‡Ú3îO0=Œ­¥¨Õ
Pþírv¿*7ôMrEŒa&g¾„ƒA¹jÂÂ|!ý˜otæSœ�˜…–Bë}“C)n¢¨N…¹ó7î[¼Ž™ÊæÙÛg?Ù+!^u;ŸY‹V±¶h8Kz\TÀñf�ÌÌ«vI+™0)F'c9XÌ�â�†Òo¯#ºÍLEdr›Ì�¿Îý¢æå…D‘	(!ó¾ªõøéfÿ�xÿ|>WJh)Õ›ùuþæÍk£ßŽïð’jÂH«	#¹@ UŠ:
+P¯–
+�»ìùN<ê¶	vj:vŠ}bL›ë¿oiâ¶n¸¡áî�
÷–éjÛ–“9ŸkšØŠ`d—4òʱ òÑŽvÈ+ŒŽ6ç)%ms¿™�½o$½ŸËô©R®mLêú‚3äýaÀ—8Ô|@E#´÷>û‚I®ëAwS—Q€G„ÝÛbûr±7À8Ÿ5äõCïq–�“°x—£íkÈÞsËfÜ%…>…ì=Kø+µ:k…ÌÍ~�? ‹OO¹êx†}JP‘[çãc¬a=p†‘­;Ü,Û[‚ „4”Óïw=)DÝõr»%×IâÂÉ~€G4ß~L‡­B
+�ãìçؘ1©aýÿˆdM3endstream
 endobj
-1243 0 obj <<
+1301 0 obj <<
 /Type /Page
-/Contents 1244 0 R
-/Resources 1242 0 R
+/Contents 1302 0 R
+/Resources 1300 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1273 0 R
 >> endobj
-1245 0 obj <<
-/D [1243 0 R /XYZ 85.0394 794.5015 null]
+1303 0 obj <<
+/D [1301 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+366 0 obj <<
+/D [1301 0 R /XYZ 56.6929 725.2846 null]
+>> endobj
+1304 0 obj <<
+/D [1301 0 R /XYZ 56.6929 700.2184 null]
 >> endobj
 370 0 obj <<
-/D [1243 0 R /XYZ 85.0394 558.6856 null]
+/D [1301 0 R /XYZ 56.6929 148.5316 null]
 >> endobj
-1246 0 obj <<
-/D [1243 0 R /XYZ 85.0394 533.2657 null]
+1305 0 obj <<
+/D [1301 0 R /XYZ 56.6929 118.3446 null]
 >> endobj
-1242 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1300 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1249 0 obj <<
-/Length 2437      
+1308 0 obj <<
+/Length 2999      
 /Filter /FlateDecode
 >>
 stream
-xÚÝYYsÛÈ~ׯÀ[Àª%vn`’'¯-;ÚÊÊŽÌ­T²»	Š(ã 	PŠüëÓ==
-\÷
-£ašOt/2QQbyÜ·ÜD1Ö1Œ…«+_û.fœóÐÝVʧ•;:e‚E#]=u~Ò˜p“6D”Ùr“VySú1WøÜ©i@º~ÇÄá:]æ3!³MÛŒ¦>9US¯…R "&E^æ­[{!A‘½¬÷•gÄÎÀ-¨ÓIi7i;:2]ë@*»î¢:ê;šç¦ÍJ,~
-�îDú«+ñÊ¥J‘¸®WÄáCQߧMyÓå.ÞÞ¼óÌ�]›Ö4´>ö,IX¥eFT“í	EÂ_<­¥•~€�Ë14Yånß.n^ÿ•è$@»Þø"â�°G5øÓÚþG—û
5ïÅ×^½
Í.ëí3QIÞá•õ¸gTdÀ+Dk¶úS}â�È958"?ìr8+ÐnîptëGò~ç%ݾû}""Õ—µ{®
-
-Ç€ÄG+Çí¢Q]E˜rT½ƒR‡SJÃ%C@ÙH3v”ûþo¢Ub#!¹¼Œ¨
Óy@uLçCÕ$ž FVö²=Ó©"ãH•DR²±&0IÖ�I26ŠTŒ"Ð.RÁs"R1F‘Šu¨¢µ.R1BÕÑãßøHÅXn•·‡‡–‰bˆ_ãX›ü�G«îs€Žð·ò‰eýͯþI~ðÁ*†n+ÓØPÁª6ñJ¡¡µ:u
-ÿÛý©êÿ
+xÚ­ZÝsÛ¸÷_¡·Ò�ˆ‡Olžr‰“úæ.ISg¦3w÷@I”͉D2"e'íôï.vA‘2e;I'3!´X,‹ýø
°œ	ø'gÎÆBgf–f&¶BÚÙr{&f×Ð÷æL2Ï<0͇\?_�ýôZ§³,Ε̮ÖY.ÎÉÙÕê÷èåß_¼¿ºøp>WVDI|>·‰ˆ~¾|ûŠ(}^¾{ûúòÍÇ/ÎS]]¾{Kä¯/>\¼}yq>—ÎJ¯X‰
¯/½ Ö›/~ûíŇó?¯~9»¸ê×2\¯òùì÷?ÅlËþåLÄ:svv?D,³LͶgÆêØ­esöϳô½~è”ý¬v±u*�0 ÒS´YœhèB^®q
À)œÐo\Ò‘£©wó¥)§™fž²��"E,²$c–¿NÈHaQ©d†z¦ÍÊ‚oÕÛ²ëŠÕ³ó¹–2Ê©s—W«zK͹ŒP7ÿ£ÚoKXïÎ¥‹�l<±˜/ëê!Ôõž~¯ˆ	ä^ãù›rù‰º]´oXVÅ„»r³!Ò¢À…ÍæÆÅ™¶Él.eœY«üšöm�°¦å¥Q‘/oˆôy_쾞KXxlttuÃ*4¼¬”ôúCXÑÂr¨`u7yG”¶)–%®*ÌVV�¥˜Ø•ÚX»Ä°áAÉù­™ïWÍ'n'6ʉØhvõY‡íº|k‚n©7Ðý	ð¼Ôêá|ɜͦDì²c³= 
+ØY(c�UÑJ¢*	©¢•Šê¦+ëªEÿÑYT|Ynö«²º¦N4Œã
ÜqdFìD3î	3ZKg‚ƒç·u¹zÌ�™€Ð2ÁòÓÖ‹ˆ$KÇb{{ATeJÛ`0ù¸Á ʤR!Êz«`£Àuwåm±	ÞH3ñ¸¹Ìbi!ãprQ¹*Öù~Óµô«^ÓwÚPÎÄ©•!νÛÏÛz¿[ê&�W„{Ð@ �¶©™�všJ3rh26
+€šßª˜oór“/6ÅÔ6e¡ibߦT93Þ&˜܇æ Í
ʲޅ,ZWT`°¿ß$`é
‚¾à<ÇÝK£¤ìîʶÀtìDT2ÏÄ|%¹*¬ÂQ“�-QßUã¼<•ÒÄ8•Ý/Ÿ/þCDØ”Po©•X«ísjÿ÷ùxGätx}‡Ì£­ã´ñ¶î _nH¢mþ	ýJ¤à(´ø˱k
+w(îÐ^0­Ý¯‘ãxYUEÏÓ7T®Y"y*òËý®ì@Í™èuAXaHìÐÕ˜¹üwúš¢ZñÜuEßÛ|WÖ{&6ù|ʧ!&ðj_¡�Œ{ô	
+%�
+"=âóFÄG8‚Úʱ³³@­ìÁ�µäWáéžr…åc»	!e�öÆ9º5@¸ÚÁñ·X…›€�EG]¸§H ›Oòà�‚ÑùðhXÞÁ>6ŒáŽ
+í«€[ŸÑ•˃’Hâ ·dÁ]õfO�FrJl‰ð˪Øäð¢(Ó¢8fìBaÅ<€¨r‹KÍ+æöù¾Çùw¸R¶ξf�²ãñ¢¹èBzXæ]œXÚ|]„dtH,eu” ¥ú}ã|3̾»º-É[+€FÝdâù?Üf<éÖÇAS«o¸Óè/}ž,õé×NCÂ;¾Ö˜X!÷c˜¯Né7d?…àÝ(ÝgýM½È"8øÇ1î4cÌÕ~IÈäÔVà}†„Ä *û˜C�@­z3}'\ŸïÉl<GMª´û†/`�˜Íóïð¥³)öõwÒ@
éA�þÝ)ËcžµÚG€I
+„kÙÐ!²ø­CVLôk—Ó§Éw€|÷ˆ‡ü`Þ[è¡#‚‘'¼KãmŠUO¾¶Ld’<t57Æ€»ºd\Ó¾ïþò9gEN¢�­{|éZÙâ©´=Ê™ä:ƒG¾§VN£lhу
+
¶ÑÄ�ur¦’,†cÑô‹óÌLô%'Þ£ÓéÎ�ŸBƒR gº¯Áа2u±
 endobj
-1248 0 obj <<
+1307 0 obj <<
 /Type /Page
-/Contents 1249 0 R
-/Resources 1247 0 R
+/Contents 1308 0 R
+/Resources 1306 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1219 0 R
+/Parent 1310 0 R
 >> endobj
-1250 0 obj <<
-/D [1248 0 R /XYZ 56.6929 794.5015 null]
+1309 0 obj <<
+/D [1307 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1306 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R /F62 1050 0 R /F63 1053 0 R >>
+/XObject << /Im2 1039 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1313 0 obj <<
+/Length 2984      
+/Filter /FlateDecode
+>>
+stream
+xÚÝZÝ�Û6ß¿Âo•�šå‡(‘�i²ÉmqÝäwm´¶¼"KKÎvû×ß‡”%[ò¦—
+®p!Ÿ®~ù�Ïְ쟮8SÖèÙ#¼p&¬•³ÝU¬Ó±R¡¥¼úpõ�nÂ^¯:¶èÆ×â‹Ä
+ɬÕñ¸XÆ€¥¤°ó“sÑ8sy2ŒNu4/ügZ*Ó™Wª™Ìj-Ѿ‰d*É,Õlž�}oq‡§e:‰2
+δ’ ¹ãx;_$"ZÂ�Ùæä©Lg)È1J¢äÙ§™`<¶VO�vK=n�køáf'g¯jXЬ·¦0ï¢7±[R"{ˆ H—Š¥65Nßu™í
„:*šùBÁ®0AdV­‰È=OYä{jY×¹ç¯ê–ˆæððPCẉВ·mQÝÃKj£v›ûÖú°_y:[¯÷yãgÚÌ�j/`ùònÚ¾³
+èÛÔ«¹äÑGü—·Í”b§Û'–Icͬoâ¯C
âSÛ`sDþWcüC[n¿� �ÿÌJýˆ)ÿÐ4Lªžq�¼]ñø›ºGÂ-)ßÞ?ú3O;H"&dœ’ƒä
+ã4NŽ0#IXkX”ìR0Ø/…xÅ9�þSW9eÉå\9ûäû¦‡Ô0y¤JMDÙW%I´Í"vùj›UE³óïEEχ2s

ȶÆgm²U10۬ͩ駊cê´p¯f�€xIDYìŠÖ÷Ö^ÅOdßÕ‡Ê3Ö? ÎÖ$¥ÝfíXàìÉÄÝð*#‰ðé Ñ<5m¾ƒ"D
Ž—¡uS—eýè¹õÐuågËÊ'?KMÏ?º�ï$ŸaQ+™Åiíx=æ™}®i(t\Î¥Àgä4§²‡¼ƒ·_Þq�Hx)„¹3é¯ò_9—•K”>Ò辬ﲒšÊ¢i‰r†„Þ›wžã\˜’#�O=‹‰ªl—ÕäûÏ„"é
Oci¤Á°åš¼ò·o—7¯ÿMô$d÷¹sp
+½¸r™ßp{ª
#§PæÕF½â_[·V�n‚J™ÐÊö7ÁñNo>TÝ<‰OU QLE	‰¶‘i$3R«®V‘
+¶t€ù»�³h¯€
+Á
é.¸ù¶™.k�Yê4Ñ­óMv(=CÑœ$Ç|÷ÐúTçÕêW®yå_ˆïHãº1¬2Šlað‹élÈ¢1~&ö¸.dÃÀ…{µË~_„dŒæ]´Å._ÕYjÔP³›Ëzxž5pTëD¨¡7ÕT0îh‡ì
+‚´‰UEçGè.ëêžNŸˆÂ¬
+�[cX]õD#wEuhsßLHBê.ÈÉ÷»bA Jè*Ò!¦*ð½õ¡BHî�D4H"·P©7díát`‹bwØÑËç¬<äÙ¥ñb³§Þ¬1W'/"IAYœè©{®€¤>×4’:®Q$ërIqÊÔP—5é¸FT¢I²Ô
+3Ôåˆ&Ñ¡IÑ$	I@£§âóÁé^߇XG­®ž²D‡,¡qÓ¡¨÷à‚w.áÁ%NÀ% ÇIù¿‚+™Â–8bëÿ-‘2-éBî´z\ ¸¦ƒT}hÏ£œÒ…—Ué¸Ft`+
cqDj_™·‡Öƒ«ŸÅ±*í¦àµªð½�øhå¸]´"*ÔR„)Guæí<‚éÊ2͹Ö!™h%ñ:ÄÒmÝ4¤ú\Ó�긦£Õ(¤ XŽí3ªt\#ºÕaJñeŽ�R<@Jq>ˆW\ãÐ.^Ás$^Á@¯xÀ�uñŠ¶æˆ!ßãã'x¹Q~K<À–BF,˜ä¯³$œd?sÍÐçº
+,…ûyY
Ï3"
+š{ã%�~áéî1ÖÄ€~ã‹
5ø°H²‹Ì¬»;Ï›  qpµ%���ðVíÞ!,–It�­¶ÔÞ”ò@g 2z�é}“¿“†®T°�Jwœ®ì$Ò*ç‹4Ž¾ó³UyûXï?ÒË]V­‹u»eÃ6…Üå܉8!ừ:$µm�@;-°@3/¬/@¤á3ðØÞ”ÍÉœV4»÷¸ÅÆ•Ÿwˆî!�¥»ª€—Æ�dá0e¼¿
7¹ØÈ‚S—O�°e´áŒ:†ú¸¦)€Tä¸j!"—9Þ$´9fJ°„ïq>ÏýÕ²ƒ¸"Ž ìqí\„“ w˜M«ºZ3:Á.iex·§˜Ñúä@9Ö$Ÿ*xÄ‘)¦ÆîsM•Žëd{ºžDaXòŒtÏ3"|Q¤bIe ýÍ#m
+}FvPœØ­—V�ýõf,$
4"¯÷p\ ǃÎ}UûRâkFîs˜Öv×J_bZÁe20­?7ÞiRÜ“tÉ7wáz	t9
w1†;ˆutK[8Y¥'žÛ]Ñ—‹Ÿ&ºP8¸%ÊšPÅÐýš^M÷�cb7RÃ4lÉŸ‹�iœš“
™'Æ2‰éýb4é1M“ÀÔÿøãJ½M½ße絯Ô0N©‹tLç*‹Îüh××�¾Ä	«û¥.¾®0 qçûÉJHys¸A�5k¨;`~5+­ªù~,k©”‡¼z,@�G˜`äB2ójqúIöÄ#˜áîË(�.ª'?ߨ;hH2�;øe(sðŽtˆßå8à`ãN¡	Cž"N0�˜³èª�Oh©+?¨%ôxï1ÇbP§]™äjz®sw$­<;¹¥ãöú� ÿ[®éÃßé¹@£˜žMüÖpƒ(×Ãð6i/(‡%þ´‰¦¡ÚP¹eaè¥^Ý~ L­®4ÀV
+endobj
+1312 0 obj <<
+/Type /Page
+/Contents 1313 0 R
+/Resources 1311 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1310 0 R
+>> endobj
+1314 0 obj <<
+/D [1312 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 374 0 obj <<
-/D [1248 0 R /XYZ 56.6929 401.1388 null]
+/D [1312 0 R /XYZ 56.6929 573.6377 null]
 >> endobj
-1006 0 obj <<
-/D [1248 0 R /XYZ 56.6929 376.7118 null]
+1061 0 obj <<
+/D [1312 0 R /XYZ 56.6929 551.8981 null]
 >> endobj
-1247 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1311 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F62 1050 0 R /F63 1053 0 R /F21 702 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1253 0 obj <<
-/Length 3630      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sÛ6òÝ¿Bo'ÏD(>�xL§çÎ5Í%îÜ̵} %ÊæD"]‘²ëþúÛÅ.(’¢dgz£`±Øo@Í$üÔ,³BŸÌRŸ+•�-·rv}?\(†YD Eêû›‹ï>˜tæ…wÚÍnÖ½¹2!³LÍnV¿Îßýóí§›«Ï—må܉˅urþýõÇ÷Ôâéóîç�®øåóÛË4™ß\ÿü‘š?_}¸ú|õñÝÕåBeVÁxÍ3œðáú_WTúáóÛŸ~zûùò÷›/®nº½ô÷«¤Á�üqñëïr¶‚mÿx!…ñ™�=AE
-彞m/k„MŒ‰-›‹/ÿî&ìõ†¡SôKl&¬NÜla‘9˜c’ÊRHT[¤Ög´é¨¬Õ•#R¹)ve¾Yü±/vÏ‹]Þã}+'…öÎÎú“¡ÐAMà`z8(g…NÓlˆÄ—MþX
-,Ñn~•/墳ÙÇRDŠû¦h¨”Óg[Vû–gÊ·õ¾Bü²l^¯©­½çÎfÓ­H»¼\
-¹Ó[ó
G«$ûGËÚçº3““Ú±oÇÚ.‰ÚÎi»µ¨ºpŒ:ñà¤~xŽ4dõ°]¨4!TX1`3w¯Š`Ú𠱺oˆ€P<A�ü	 É·iÀ4I³AN)¥…² aÏk“Ôu¡uvyÕ¬‹@�źÞm�®c¥b˜�G¢ƒšÀb¨V¼� Ì‡hü7ø
-ÊÛ¡†ªK´X¸å~:+,ñ¡„AO5Và|ÀNxC(m¬y3eºL*2ß©œªXÀúO0þøÄ`‡Vu6fJ,D&}”Š->Ï7)ÌŒŽLC.º:B%#ãs3ÍuÔ%@ÈsG9f;%¬ËÌXÅÚŒmZ\j‰=,BÙÁ!°è*€š¾«ºÁïbp’Í
-‚��Ž;y^‚Œ(hòMØêO@êýÇ/Ô²-š&¿ãÖà`+kÁz
-ˢߺ$¹¢!‘ôÔ·šÚ“¶N
-+ÉdØä-XcœÀHt󟨓£�P¤˜V7:á¨ÛÃ!Èèa‹0�%‡¾LüÉÀhX±pèK„–ëê)çÓÀ0BŒiQ7Þƒ®H|ŸÄ|þ±gB(¦Èo@ÿfkur‰wCß|ÓàÑKÓ£jè@úá—Ù¨s§*—¡©nê57ýçÒZà¡UýÔÐTUDôì¹Û
öàY»‡ãL�O^Þ½~i÷àû¦2í«ÜÑZVØÔ«oÕ©I7d›?“§pËÞE
{Þ•«UQq�¿9}xöƒ>…¡y#ŒÛçWº Ô�é¬Ï6A
-Ôš¶‰AßâÏ%x<|þëñùsvŠœKí)|šs�~´ +Ç
’H,ÁœO:–`c
„ØJ‹ŸâBP}™Sî.ìA�áÂ5äÂhǪ㬸¾iæÝy,:¨	4†™n%ÒâÆ
œÁ”½´T)AN)yPçXáµ’}^Õ{òŠ˜±é–!�xo0~ÇJŒ(`=öLÖä(!~ž\
-@-d†l1vœ0rY:ðœp«Á:°0K°ÝéÈ»
6Cq"Ø(=a3%�±³óèÕÁfè”m¦•[‚#ë€-d§”Y‡Þ’Š­¡u`Ó?Dì C¨ôñ˜†£ë„×L¬íùƈz¦ÉûÈÌÀýÄöš¿9u�ÝÏ0”ÜÏP|&0v?±é„û™@Lcœ3ÀÂ`u\ÒåHîwD\ÄmM«M/
¡.Äÿ‰RéÿæéíÁš,uê´Žì Ž‚É—Ç—�`X½N^@¢ƒz
eSá¥}cnª¥Y̽t	�pñ'»ŒŽ9¸@FÍóÕŠó
ŒïYiâ—u.@Óå!¨”O�	•nÞ}¢ˆqU,1%Å„J�1Îù!CO뢥LSF"νôgŸ:ýo=GW½×@Ëî0'«¢ë˜
i2Û϶@�7Ëôôfêâ�’ïÖq>Ž/c¡Îs§ó_Þ¢ŒÇßu!»6€wÑáU况—
w‡5apÌAÄùVÏ ²Ê%õïV :µ
›Z^LL\84%k8˧»è¾¡Z80´~Èy¦2~KÖq³	ˆ@[´fPŒ¬‡Eb/(í›=K“ÆkÜsaÈ—ZóÕè—K5' ®wë|Éc~Ó:Ynêf1uNà%"`‚á°ÌËaã@íCGn­ÆûÕ O
f€m÷qÎüá¡ÈwÔZV¼Î=Ï5œÛàÜÿ˜Ì”('¬rчëªE'ùɸT$R�ÓÁ¸ò›`#<ÄRS×*Æ€¼
1+®Ü”¥À7CáׄŽ˜y÷6 ä9 
lþ²Ä„9Í2a¢…¾¨»ãs‚¶9wéh$ÄÎ]ZýÕjOËÎÕ&y‚òøN‚"HªÁ³;DÄùìNð•œY`hX`¬sNÕh�KJAÀŽ
-u±­wSgð­��ÈúLÎ#SÙ[0X_‡!^Î�êAÖ»Ûïòx"CöyS¹JÂ
-‰›i¼¿rIöšK&ﯲéK dR'\ªÝé¹hœ„¹¸G§ZDìÊX‘x­ûATwVH@DNÒ™ò™ðœ*¤ÑÇ­G!Á
7:’úçË…Sóø×ó«#ÒÀ¤,_¸2̤o¯fÌ€“>9(‡Ý¨¾»ÞêÙûö4ëo+μèOör8~´ 
ѤsÄ—_ê
*V2eàEú¹V(*R~
-ÃlÊàC_ÃC‰®á�çŒ8ÄDÀ=ÜR´-IŸã7E¡•ÄŠV
-×é%ÁD�ì„ÒÓ—'õ0Xè,ëò¸oÉ©N#ýu”Úšzã
-‘È—ëž|¼Ú;‡¬órÓ0Ò“Ïð||÷€
-„’:^•�æôft{þj÷Ȥ�½�wS úĩ缨•Ìä½�ììÐß~ê{x
Ž¨"=}úF:pØ|‘Â=X;ÆÜšLØL§¨ÿß»xÊendstream
+1317 0 obj <<
+/Length 3275      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sÛ6òÝ¿Bo'ÏD,¾?ÓÄé¹sMs©;7sm(‰²9•HU¤ìº¿¾»X€"%JN&¹¹ñŒ¹
+g&¼»ý×
Aß}|ýï?^ÿv÷ýÕÍ]w–þy9“x�?®~ù�M–pìï¯X&½Ó“'h°Œ{/&›+¥e¦•”©g}õÓÕ¿»{£aêÿ´t™vÂŽ0PÈ9X™‰Õ>3†��»kî¦ESï°(àxÜÆÞE¾Ë†:óøÝÖMSÎ×µ¬Ú:ŽÓgS4M~_dÈ €÷)ð"ƒ›ƒÓ„½7yõ<Ë«æ©Ø5»O¯�{æÒGä2î¾!¢âîÅ
+¿2&eQµ¯ WÈé|ßFâ⤺Z?Ôì·Ûz×KÜp2†eÎk1™qžy

+¥“*I:g#²�ÖNÊ0Sào+Ræ"7¢ :sLš#
I×x´ kt=Ý@Š›m�FÁý¿*Huè
+ä2.„4HqÐ l$
R‚…KÃ> 0ª¶H…ê©¢“
+á@P!泯BˆzF…Hs€XkŽ\ÿæá“I-Zâ�}Ñ´Mú. â‰÷¿:¾ÿrS¶>•ëõÐàÓš«}S,3òòwiÞÁÕA#jpØtLƒ%‰Ìsñ9*|F
+µ7™R\–Â>Öy)ì°†R˜üXÕœ£6™uÞ\¦¢Ã!cpbÃ3k™ÒAæì ŒØHÂ( è
+wÈÙÁœcƒd¡ž,†æEEQ±k1Odo0�&°8ŽLV(!}žB
+hR><*‚îÞ| 
+1còN
µÂ…‰`}ðCÁ3Ápù-yÇõ:}É›
˜DA/€öÍ>2K�Å{<D`(—‚ì’Úk>%$‰…®b·ÊqίB¨Åºnfc÷Q"r
¨á¸vÌ>Æxq÷ì)àHB¤Í>­™o·E¾£Þ²Šû<ĵ†kK\û£•n2ÍMòÃÀœúiÖiþH1ÎfŠ‰d‹Iüh”©è‚eæ!—:rN�R‚¾
3«Ø˜T¥€LöHùP*¤™–+B¤¸KÆ¢t€Ï_”X𣠙©È´0–l7M
‹ã~B2È�…+á\2{‚u¡6él�“)p †X
‘Ý!à É�á„Žù?7ä�¡cà�±Çsj&üXR	v„�FbÑ
F’gFð™� DYï—ä�¡;
+•iñ¹áF»Ï$t(w–=•íCY]*R)›Y͛ÉOw
+›¨­wcgˆ­�NÄþŒ®Ã¬O�ìÖïïKçÀô èÝïw9)
+†že]D|ôu
 z8dD ;±§h[Ò=h�µÆ^R*Ú
,>Y{h¬®!ʉ†õÈ·Pd1ŒX\6ýÿ¡¥¢N„Py™DÛ½kþ2Á�4br2;<I}™XC*—áàôP*w©Û3dã—Ãê댛=š¡4ò]X­¿Ãid�°FÀ*Z%�(éÊ;
eë:<�äÈ&ãbümá¬í\WÆ}u¨Mmc鯓ÊV,Zå݃½2àóE±<yM€(՜͉œ×`Æq1'êc�¿¼‹“vö)yäã"	i„ŽáÝ�ÛFS7 ä5:ck‘ bWå!¾²¦W%ÄÁ~d�mŒbðK
+èä ¡g]6á¹,`Ucy2=3Ö}®/62MYå庉DWË1'á�WÉdC–0Cn§÷2•9/õx¥áÅIÚÎé¦*°€g}¤`†•_ÅG:,¨Ï°ta‚ôg]$W`˜˜/ùH
á“…¤ø«úHn±°%ÝÿÀGö—¾à#¹ƒ Þ Ñ·á}…MŸÑëÔ{j,±ÆxôózL%Š¯5Œô%a•A�ðá»	î.(¬Ò9EĨé;�mLe±,ÇÌ�‚æ¡Þ¯—.âÛ«‘çkfIÚI¢‘ØR�@’ì!O¸È„ÖÉÊB&¶«·1f€Sa‚©©
+ÎA¼µ•—�R‡uÁ)�E,2ÄþýMNýRD!eà—FdViA¿$,ëû%lö^¯ 5¨8YNÙµM‰�e1Ͷ¬óK�û%æ2λø<Ž¨w*S\‰¡o
+„�û&0M‡ß_ ¶’Z(0ÊNXuü^{6J8&ŒëjÊ—|SŠZ¬Í„5/D6=¤ó2”�NíÏåØïÝÀu_¢¤C:%e CDM93 åçð¢í’}p~ LÎõ…Éùž054\Ç
°háÉISñF0qoâ’]”	ý½"�¶TÃq®_Äþz¬¾úb™0úJU�={*Ö$E5œo®)½¥¶ƒ·Ö(
+£;rÈá­ð©Ôð\Œ=W@ÀÂù•iË­ý_$ºTHØl󶜗ë²}Tž�û)¡ÔþþoäÎY„|ñÏ¿ÁT6ÛzæIÜ.(d‘‘(<§¶Ç”w¿G<%ýo
+~_õendstream
 endobj
-1252 0 obj <<
+1316 0 obj <<
 /Type /Page
-/Contents 1253 0 R
-/Resources 1251 0 R
+/Contents 1317 0 R
+/Resources 1315 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
+/Parent 1310 0 R
 >> endobj
-1254 0 obj <<
-/D [1252 0 R /XYZ 85.0394 794.5015 null]
+1318 0 obj <<
+/D [1316 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1251 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R >>
+1315 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R /F62 1050 0 R /F63 1053 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1258 0 obj <<
-/Length 2802      
+1321 0 obj <<
+/Length 3347      
 /Filter /FlateDecode
 >>
 stream
-xÚµZÝsÛ6÷_¡·£f"ß/OibçÜI�œã<Ü´} DÊæD&‘²êÞÜÿ~»X€"%Êv'm2c‚Àr±Ø�ßîÂæÿùD›Ø¤"�$©Š5ãz²¸?c“[X{Æ=Í,ÍúT?Þœýp!“I§F˜ÉͲÇËÆÌZ>¹É‰L,â)p`ÑÛ�W—ï¿\¿™&*º¹üx5�	Í¢‹Ëç4zýæçŸß\OgÜj½ý×›O7ç×´d<�/¯ÞÑLJ�L¯Ï/ίϯޞO»ùéìü¦;Kÿ¼œI<È·³_~c“ŽýÓ‹ejõd/,æi*&÷gJËX+)ÃÌêìóÙ¿;†½U÷é˜þ”°±‘&�‘�/ØVZ§E;¾-›Ì¬Œ�’éi^ô^~¾²šYë4Õ“™1ä´ª3¯�ÎãTk�öµI,+&‰”1Ã)0ï*ئ±6Š#g±–B
s¤ø8�ÝÀO™Ãš8SL6å7ž|›ð˜©4•DÓ»“î5à&~¸¼“w5œgÒ?’ç;ë1v'2¢ç°\€B¤’“„%@•¦NàËåt&‹§‚Eõ–^òŸ<ªê–&vesG£ö® A¶j‹
ú_Te­Ÿk7S+U³œJá2riêíf(jzÎýû¶)òW84C	š»z»Êý¸hIïFöŽ>AÖ¢ÈF3iÖnÜöÜmg¸;@b2Ð	±Ð:ñÖËÖëM½±¹ŽJ8Õêq
-îœÀ‰r Œ<�ê)�¶´ÄıSòb]T~r»®+Ü…õ[Í:'ƒo‹¶-«[Ðcb£Ì?ªÕ·ó‡psól�‡øJo¨E÷DcààWÆĦiéeS,7Ú_¾mÉ(:è2>ôIeÒXØÔNúáð}&!tL
-p3Û£Ä÷ÅÿL¤±µIêLs>Ü<N87²™u‘ÍG€»£r–ï\ÔÅ-¹Í¢˜=˜C…q€@©
-
ÅÀ¼"‘È>a’11t,YÄ(ÊŠ
-¦Ÿv£Ñi/
-DÇt$õЋÀî ö'%鈎Eø�
_cBdùÒ ñmÀ›œ	ç÷΋{gjh¹ö€j1B™v™WÊb×x–îÏ°Y‹�ȹ¬¶w¥g–Ël»jýW€^Ǿ�y9a0ÀcU�˜›C1ÃMêÍ]Ã
7�Ÿ
-²zÙÒ³·¥fã[BE'"5žÑ#}d³$VRiOó+ÓléT£û噥Ǣ¾_gm9/Weû¤ü´ÿI@]ÁÅ3Ø£zÂ)¬-—�§œÞÛ==³;`¦böéí´‰žª
÷ÚÌðÈû²BŸ“LE»»ráÊ­êE¶¢Ù>ÎáR–çävMƒ•·”ž‘´^·e]e+ÌÛøþåÝ'úf]oZO¼+Wžñ¼ð™ý
-+Üf•=„a±yÀ…jÿ͈KHÞ\tÅç}8¿óbic-d@È?03xä…T­´"ïb•m1ž¤TðéÄ”t="ˆ¡�ú¯w3r…Yt'‰E{¹†‡åÁvM@u_T­-Z¿€j	e•sjÓ¸¡QXlPÞ
-gÌœgÀ
-”0ÐFp±ƒÍ„ŠYÒ!.œ|Ä”<¶F—vÊåcDÌ=´øêá¿ò€WL®0'Ýn7bMâ̪8BçÐ*­ ¡Jø_Ò¸&
-\ÇÏ„Î_<8§û^w
-ÚâÀ§ VPt–‚»¨Ã)
-&œÙÃ.ÎìâüÒÙ¢¾«W!ëB¸Te÷E>Ö�AQn�ôT¾	þ"vpý•ð—v}á¨ô@övÄy§–æŸP²ht�d®[…u™Â¿W&ÜW%‡wϨd>L+Š>"ÿsX£IÕtÎÀcÉ´¥ÃþîåÀÝ£²A5ãøË!='2ù“øÛc‹ÝÛL0N8ÈD
-~ê:ò¶Âpf,ÌáxŠwWÐîÚ±!¾]ÚƯöm•gÎ�aÊ
=5΀n›âµ7ï]ñ8äC
+xÚ¥ZÝsÛF÷_¡·Ò3»ß\^žÒÄɹÓ:9Ç}¸éõ�–(›ITEʪ{sÿû
,EJ´�L’s?@
+0��ÖOò¢÷ðâf|cÈjµ›ZoRŸ»ì
+ŒPz‹­�À3`!’¦
+fÔOÁ‘¢'c_ïè%ÄZèäsyR‡£1„l¦õ
=hn{Ç
ãº_5Eòi�þôŸp
!¢œqØÍØÙOÀÄB$³«¾>#hÆDÏkÑÌdpT´"-ŠÛ:žùûz”¡Eµ,n—Ü�¶Å:ÒÔ銥9VB½,3å_Åj³,]0e;’°¨1#§¤q$%
+>kún' ÓiÆÏDk‘ü—Ûb}WRS«Ìyj:kµ}Míÿ½‹Š#‡§ÏÖ
+ú¡0è+GÉêpØGfiþ
I‹•ÑöHêU˜×9ü{E8¢À{Á%³á ‘å0¤z‰ü/ÀŒ%SÑ…
4¸Í Ú©oÀt¨��¦‡^`ê3�}#ôöØbý6UB
+qN�ÅpdCî
wýTƒ23Ûʼn'·ê)!biÒ¹M�3»¯ë†Î!Hè
+£U8ï0
+r•mØ
+z®ˆ€€ôÄ™nÍ¡óØ{Ë-øU?ÓG¢u³´÷õn9§—¨b€±»²ísu‡7�
IÜæª4DoÂûÙÝùh«:¹0|O—B–�7<Éb�®¸+ª5^@I“\Õm	˜`¥b�`~^6iÄÜQ±Ž6ŠeSù-OÑ+|(
+ãëõzÉ’ÃVŒƒÀð.íEPÑw‡ë‰ì�„˾#³·<a+äSF¥^)7À™±cË32²¦‹Ç†øva;löÝz^?†¡
+ìÆZA%b£‡“ÉËp
+´ÔÛ’‹ "“–«Ë)l·ñýîø^<KŸ«�V9‡MƒÎè¦á7ã,Ïì7oŠ?*80ÔÌUšy§†G3¬ÅB­Øåýù!øC3 ><ë2½…[Ê�Q&T¬—ccô_‚¤¥„Ùœƒ©¦ªyb‰¿Ühù•>ïŠe—ÍÂG³ O'£jÆ�3¨Že›È¢.Š ð•»x·
­$V�ÚÇŸ’à(oœc
 ßm¹µ,CU#ûÃ2@çiHPÓ�"ÆŠ:ï®>Þªf”yž|ÿ»§/û%§R˜&ê\Ъ1�sT£vÛrÝ*mRïÅQÛéps„c=öÓ„Há8@ðÇË7�œO@Ÿ4n‹˜“€[ØÚGj>ØLP^ñúª…édK1¨\‚2+©É—DšÍ	ÔÛ¢jx2Ò¢¹íEsÏ+´bûÉ­ë’[G�Óݺfú]j¡>�4LJ0s‡þþÄOÄ´Mñw]#(%ºïîßýó±Ãoë ìÐÞ«q¼S$I˜°R¸Ö?ùAãTõÿ5µùÍendstream
 endobj
-1257 0 obj <<
+1320 0 obj <<
 /Type /Page
-/Contents 1258 0 R
-/Resources 1256 0 R
+/Contents 1321 0 R
+/Resources 1319 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
-/Annots [ 1261 0 R ]
+/Parent 1310 0 R
+/Annots [ 1324 0 R 1326 0 R ]
 >> endobj
-1261 0 obj <<
+1324 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [442.7768 250.2874 511.2325 262.347]
+/Rect [442.7768 483.7823 511.2325 495.8419]
 /Subtype /Link
 /A << /S /GoTo /D (query_address) >>
 >> endobj
-1259 0 obj <<
-/D [1257 0 R /XYZ 56.6929 794.5015 null]
+1326 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [361.118 212.4953 409.8647 224.5549]
+/Subtype /Link
+/A << /S /GoTo /D (configuration_file_elements) >>
+>> endobj
+1322 0 obj <<
+/D [1320 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 378 0 obj <<
-/D [1257 0 R /XYZ 56.6929 318.8054 null]
+/D [1320 0 R /XYZ 56.6929 540.8756 null]
 >> endobj
-1260 0 obj <<
-/D [1257 0 R /XYZ 56.6929 288.9425 null]
+1323 0 obj <<
+/D [1320 0 R /XYZ 56.6929 517.8101 null]
 >> endobj
-1256 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R /F39 863 0 R >>
-/XObject << /Im2 984 0 R >>
+382 0 obj <<
+/D [1320 0 R /XYZ 56.6929 293.4989 null]
+>> endobj
+1325 0 obj <<
+/D [1320 0 R /XYZ 56.6929 267.9627 null]
+>> endobj
+1319 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F62 1050 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1264 0 obj <<
-/Length 3378      
+1329 0 obj <<
+/Length 3260      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZK“Û6¾Ï¯Ðm9U$kOŽc{�JììÌlí!›EQ3\K¤"R¶'¿~»Ñ
”(M\©©)âÑD7€î¯”\ø“‹ÌÄBçÉ"Í“ØiåîF,aîÝ�dš¥'Z†Tß?Üüý­Nyœ[e›`­,Y&ë_£×ÿ|õËÛ»Û¥2"²ñíÒX}ÿþÃ4’ÓãõÇoß¿û÷Ý«Û4‰Þü@ÃwoÞ¾¹{óáõ›Û¥ÌŒ„÷¯pá…·ïzC­ww¯~þùÕÝío?Þ¼yöîW
-�ùýæ×ßÄb
ÛþñFÄ:ÏÌâtD,ó\-v7‰Ñ±I´ö#Û›û›
³îÕ¹ó3:‹M¦Ò™Trî
-&«§tK�€E[ÀÁ‰òmÚAëÐAmjÑêÐðÖæ¦Ý¢8Ø6	¶]U'/­«®<Ôû¾ny¹Y‚‰ØèÔðÖºú�ê5 V–fja
«e&íŸ
B…–ÍÃàrXq.yŽqÚX¸ŸtdìD��¹"¥âD¯àtâ“]ä"N¬H'» ÉÃã‚w
ô32NTãl]ä_•ãÁÛXžJ“è4V2É'Òœù‚�êÎWCbV:0}™J—
\È
-�»=ãäÃ�öþ\¢è|‚(CSû¢wHÀ‹$Z2ÝÅ{1¹‰U’æ×ï%¤º|/•“¬è‹ù{
ˇ á:ç�j†õô^ÒXäŽNxÓyæ2¸è�Ë¥¶»™\8)™´Úµ‡gj÷þý

-ÜZ<zŽá—V#ŸñÞ 3{o¢0ˆŠ¾ýÞ€‘FÎȆÅѨ8ͬšš©Û‹‰ž(þ\SÏ›*4øÃsÜWlÜP¸Œ<½ßÐFø„/= Í"Y¨HÕò wYôüJ¸vͼ«¯ˆ¦,ÏÀƒ÷u;NôïxS/‡õ,È“AŸ€
[±u
K�Ј£|q–%°Q<pk[ŸyÕaùq›`�#6$hé	¨ÞcG�>Ü�oÕ%Å ã.˜ Ãç 
-Fðд륶Š=µýØ�“ˆí3õAí6GDp«£‚i
-z|)˜Æy
Ë΂�ßz‚äl
!©¿"f±&+¸Úgj^ð|L�k¹ð7�VGTlÃIó“Ò'6]úÄ
[î8aæPÔO±�zvxvëíZŒ²a˜k‡0×’SÂÀ·m™~W85�æê™æØ�c·¨ï3Û|n�@, q«;Ô'P-'9Œx¾8ä”ÆŒœpÂØ`"óû‡ÑÕóÉ«Ó•)ÒŽ$3A2dâ©Î=R
-©.»¥�
-¥ø¯j[ug^IÀÖ’,½Îx šá<ñJ"‹3=eÌÁmf…iÔw+Š5SÒxz]§÷¯�Qiʈ)çÁ¾¼w	´Ê¶�k#ìhz@)eätÜŒBŒV©Ápg}Vª!‹Ð>}¹–4ôn�;½m$Vank^¸Ö€êʵz*‡F}Q~š7Lœ§Æ^g=PÍðž\¬ ø6Ÿ2Ÿ(A'&ÓzT¸”SÓ%S\ýíq¢I³1õü¦8ñ´†’
-)±Eš
-#ÎLBòAbìpš	­OǾÝ
,”Î\ü‚³k?ñoðàR¤€&ÿÓÑ—~)úRÂ×Ü^·ì€è²a{"d÷Ôvý›¾îà(º%˜Ô¹iç±TZ]•` :abØ)~÷LìD†÷xs6ó
-`’™z1‘ÎëXÿ|<ñVîEk—ÆĉÒ×�= ºlëžÈ]S¹¿häZÁª*½Êy :g=MšSà=eýà«­A…ÞŽm*
ÛS‡‘A‹¡ýðúl›¦œy>”ÇÊn:©ìŽEcÊø»$~NÈN´ù|¶U˜F<÷[‹4εJ_rÖRêX&òoR]¹tOE6âÎa½ìÚòS5sõ�wÁ¹˜ëT3"LñÝÄ+eSÜ‘Bp3Ü8L¸Ç1\cÛÿ^ =t4ÀY¼Û
½æbuœB]��…GÝ®_×-¶MU}	`™	ˉ¤c]Ukn¢•ãsUÑ’«ú‘qßÄZ�èF&]5íñÑY2ׂáY¶ìJrï_²À]qL
OW1Øôû" ƯÎkšÚB„QQ}ñ�ÖŠ‰�º™‚ßüR‘Çò#£,6®×‘R¿ÝÍ…¨ü!NÿØ?¶\s÷v�ß�‡:®@ÏÅûº�Œx þÃýÇÕß1¦ÞT‡Žkê\o´a½Ñ^(X	Ê*}µØHuÑv²ÑÿEMÀ’ºñ•Uë];gùAÖ
ÎÔ&')»TÙœß�L?¡¢cH<²$!Š%#çÄ\põ2ÇhbøA֟ล/fŽ¥«OoÁ®�yèòžS0dÎ
;89zí™+–=HRh nÆݱ“1ÀüI~¶9öTG«âK¿QÔ
+xÚ¥]sÛ6òÝ¿BoGÏT<|$8÷”䜞;iÚsÜëC¯Ù¼P¤*RqÜ_ß]ì‚"eJnç&ãp±Xì÷Rr!àŸ\X�'‹,Ob#¤Y”Û+±x€¹o¯$Ó,ÑrLõöþêïïu¶Èã<Uéâ~3ZËÆÂZ¹¸_ÿ½û×›ïoʈ(�¯—&ÑÛÛ�ÿ$LN�w?||ûíOwo®³$º¿ýá#¡ïnÞßÜÝ||ws½”ÖHx_ñ
+g^xûᆠoïÞ|ÿý›»ë_ï¿»º¹Î2>¯òÛÕ/¿ŠÅŽýÝ•ˆunÍâ	"–y®Û«ÄèØ$ZL}õéêߣYÿêÜýmccU6s�J�.P
+€“t‘™<N5Lá>·8‘È£§ª{DÈF}K˜ºÚV=£áŠm{hÙn·uÛvÿL¸CçÖ„]=Ÿ¼Ú¹ý·Çý2CÚ#	\$°+Gì*8L¦s<&2º-¾.Ë¢|tË®ú=Ð��—Áj™3yѬgÖ”n ÑL³wåaßU_ÜIKmul¥Ñ‹¥”qnŒòTe]¹¦ïfvÔ*ÖÆ&¼Z»ë«¶éH?ª¦ë]±Ž_(ˆˆ…
Ýͤ‰³DËyƒ`¢å˜Šä)ç"P!ÿBÕ®;Ý”1¶‰Í.o<PÍì<Õ$[=ÝøÞËYg(¨j{ØÒ 9lW t{}�g`Ñúð«/�Ê£môX|áévç‚ʶ
±í¯¥�@.õóµ”2»Õ™X»Mq¨{Z¥º–Ë/_ Îtœ¤Ú²
+H{,Ù=F™‚‡è „ˆ>�x¿s]{Ø—ÌíT›9!K•�ÇɎרUmÚºnŸªæ
‡öè8p®s=
5-J
áú°B¸Gp¦ãÉ ºtýàá’iÁ^ºÃÖïV)x�‚^¢M\³iùÅ5MWMïöMQƒ�ù1¸tô“bêg…»/
+þÍgð–Û³Ve2ð9—­jLuÞªªSª¯êeÝ>,g-,•q¶p™��j†�‰…¥iœ¡ŠM¹¬PŒ¹fe@XEnÕµµëÝ?®—IšD”ÇÓEYº]ï…†£fÍÓ
É3Ì x=@ùÒXB”ívâXUuÕþ4ÏyO‘•BdLÕTòÌëK‹Ò2ÖB�#÷ÿÀ\@“ÎÆnˆ'²=z
”xÝr(-XGÀê‚UjshJº'
+¶ôå}çuIÙX*™¾¢K#ªº¨Î�òT�¡’ËT3,œª¤+vÊÃ'ç=Fâ/
ƒÃÆ�çÊC¤	
+9Ô ñD’Ärx„!+,÷Õ®o÷!¸YàO@¯ù’
+ï�˜sQ€|ê¾qûÎw5ÓÐÕLÇ]ÍôL[L¤ ¬2ô¤�TgmÇŽòécë|IÕ„þm	¶Tg÷ƒâBjšœt¤²sÑW@†¢ô¨C¿TIð,ÉØ‹%Ç�s&àËsŠ°ÚŸÙ±v]¶ô-)Ú3X°c¹»üÄ•nÎuL…PG¯=°bÞGµ!ªæx:õà¹UvRn=µë\<(ðŸÙqcˆZfdžÇcÑ…@Ø÷5ûU·Áe6ྦྷ%ÏÏ×®°Y·Oçë¨páÎ^	�#¢óN2Ͳ™æÁ:¹Î.n>½Ü}¢ÑÆÆ"3r²=õ[;î‚¿`á„Ï��€{Õ8ï3–ÄÒ×)¸Yº¯€9í¾Ê³°L{É#Îgf E)XWèäG}H°³�Ë“®@hª§Šë(­‹¾ Èë<¹S´-�œVq3!•@äU¦|ºä=¡9¾:„q€9Œû),9奨XS‘ûº«BóÇ;Öÿ"hó|Ç`EiŸ�$õL"ê
›èÃÝO4	Ÿ}Ñ»‡gš â>	9‰	‡
 |ª„Y²L-¹¯%Ä(jQ¨$zCdÁ½ 'zŠé¾ò-j¼7ïŠ]õlÜ÷ÓùòÊyl²'pOC{þÁç¿€¢ös»%jV2D‹`Ûø<@O¬Fž®ÚÓ÷÷x«£T|›JGoà|gù@ôÒg÷üÄ|²sµÓã^lÎd˜�„`‚×ÔQo™N’Ë‘ù
6T&9UGˆÒj¹
+=íCÓU
u¬¥�ónÏ¢k_ÉË]þÝ7æ,*ƒ«|‹ÓóñL5¡­xŸè(/6´ö
+°bH${^ª%4¬æ¶!LAÃàuEõb±6©vuà²rOTÑŠÁ[žk°w�}ÔšR+ßïÛè2êðá±=ùðæ¨Â?@¸ñ5èÇkÍLÿgƒ©2Ö‰yåsÕ˜ê|8¨B±Iùíʃ›ë,ÉLä—9¨fX8í,I¨	TsN´	&n–ÚßÕ®ôAÏi‡ô
Ø `H45_+"5¿{»™ÝÖ¾q5ÁlC½:DT“ÄJ¤zjÎT˜¢Áð/z¯8R*ÁØÊ‘sýŒš¢Ø‰õ”‚Ú¸'W]óÜcûDÀ¶hž	ò?S+iZ²`.(Ú"äÍÊZº¿5áªfNáÃé•”dö>E…
!H@_
 endobj
-1263 0 obj <<
+1328 0 obj <<
 /Type /Page
-/Contents 1264 0 R
-/Resources 1262 0 R
+/Contents 1329 0 R
+/Resources 1327 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
-/Annots [ 1267 0 R 1269 0 R ]
->> endobj
-1267 0 obj <<
-/Type /Annot
-/Border[0 0 0]/H/I/C[1 0 0]
-/Rect [389.4645 694.3759 438.2112 706.4356]
-/Subtype /Link
-/A << /S /GoTo /D (configuration_file_elements) >>
+/Parent 1310 0 R
+/Annots [ 1332 0 R ]
 >> endobj
-1269 0 obj <<
+1332 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [375.4723 314.3269 432.5882 326.3865]
+/Rect [375.4723 524.316 432.5882 536.3756]
 /Subtype /Link
 /A << /S /GoTo /D (journal) >>
 >> endobj
-1265 0 obj <<
-/D [1263 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-382 0 obj <<
-/D [1263 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1266 0 obj <<
-/D [1263 0 R /XYZ 85.0394 749.7681 null]
+1330 0 obj <<
+/D [1328 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 386 0 obj <<
-/D [1263 0 R /XYZ 85.0394 443.842 null]
+/D [1328 0 R /XYZ 85.0394 661.0164 null]
 >> endobj
-1268 0 obj <<
-/D [1263 0 R /XYZ 85.0394 420.887 null]
+1331 0 obj <<
+/D [1328 0 R /XYZ 85.0394 635.6995 null]
 >> endobj
-1262 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+1327 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1272 0 obj <<
-/Length 3275      
-/Filter /FlateDecode
->>
-stream
-xÚ­]sã6î=¿Âoç̬U~ˆúxL·Ù^:mÚÛó]z}Pl:Ö¬,y-9Þô×@€ËÞÞô&3‚ ⋤åLÀŸœ™$Jr•ÏÒ<ŽŒ�f¶Ú݈Ù3ô}#™fá‰!Õ·Ë›o>èt–Gy¢’ÙrðÊ"‘er¶\ÿ6O"Ý1ÿó㇇ïÿõñî6�çˇŸoʈù‡‡ï	úþãÝO?Ý}¼]ÈÌÈùû¿ßý²¼ÿH]	óøöáñ;Âäô¹Àôãý‡û�÷�ïïo_þps¿ì×®W
-�ù|óÛïb¶†eÿp#"�gfv‚†ˆdž«Ùî&6:2±ÖSÝüóæ=à×
�ÔŸ‘Ò‰šP Ò�3™<7³ÔäQ¢¡¸Ü–--ªÙweS¼-Y•]WY‚íæVfó�]u<€‰½5f^ÖëæÔFg
-‘Q*e2KÌgé…Ñ"¤"ùå”
x*”W|Y¬ŠÕÖ.Úòûvz©â(�S}}þžjB€P�zS•%c	–[Ð�Ž3¥ÜwØÈçÅ®9Öu4&°»æðJý]C¸cË£7Í�{<¿Ö^, ÁôþÖÊ­ôÀ©�îéµ³ øE"Ìü×­­. ŒÙ"Î"�W)£ÜådöÒ©D9éð».º‚ äŒ_'	nZhÛh!‰"g@ÐU•»²{‡°†úE |*«Ê3të®÷]3+Ô~í—}IÔÞScWtG‚ªW·Já—GQ¡Åá šn[tBqJBÎÉ
ߺa„ý²²vm× L-òùa_Šêh	tª‚¯¤óvoWeQáÒAó;[ÔeýL]ƒçëdÑ/{ZÓ³]S{ãšÍnXÁh©´“¼5Z¢?Vh\RÎOd€ƒQå��Ëå�-!­ÂJã\Îï@[Ët¼"ýd_O,2Îþ͇8B¥i”ô#åX;åZ¦¹øn–‹Œ)QEm/ Më½Ç­Ö18˜LÇkõ;aØhá«ÕâÉí§Ñ0[>×N{�¸³ÏöÐRë?Âñ…Øõ@)ßÃÓ¶\miü®x%`¶ÅËB¶@[ì,Q�C¥š,†`ék"ÛÁæ•5xÒ„
“åÈâÀq¿oÜØ5Þd°D5AZÑ´Ñ„*r#8ê8Vûb…›®r›ÎÈ}Ó–]ùÂ,�’™EeÛöíDê§o	 ovsòPÐ>K·ž2Uêj-êDjòqøC”HªùCM˜‚>}è
-B«¦î(zWÜ·mNì
-ô;„–ïé©kP}µžeÁR�“!„N¦³Œô·&$ê	[ô«W.˜ƒÃx*ÀË]^‚†«6A³ã~ÎÿàOvÓGìy²ý¸}Ѷ.ÂLî#Yk.ª¤ó£‹pÁN
-!ŽÜ…„4D倛�…)+[wos:G�¢l15Sn	íÒc”‹$Å´Å:8È$’b“bþ‹=”ͺ\‘G.o%JÞ~¢æ$‹D¾ö’Ÿ�5s¦¯ûiHuÙO{*—¿+*%‹pî¨p”Hdv]„žjB†±£æ‘Œµáœ/Ö‰¹·rŽV�MÚ!„¸îj^¡	JˆuHÐ6Tì˜ì¬èAÒ¡®A’ÎÏÍÁ×q‡¸ÿ:±ÓênK_pôºã¢!K"“ÅoŠ†P¯o”�ºÚø¢¤¬�\I§‚ãQtl8O‡o"è{aÌp€W-áp•1ïâÕa¤«Ob¡Õ˜/Ö"/Že­íaCæK9Ã[Ã	ç}knïGÆïõF-vC<ЭV°}pܸ˜®bcà¤Å
BªËnÐSáJ¶¶8tO¶è®ø
ûáÜs]†žjBˆ‘Ä:2KÆR�ˆáè‚Z„À¸#ôMÍÄ»e®‹ÚY=tuWZêsqq…g‚ãZÂíŠÃ'ç?€.Ú){×i¤áÜϺ†²ü¸Ÿ0d°Ž
-qH»£t†Ç
-
-]ç){Ú´ÎïÓ¤Éβ‡ÖTÍRØNE¤Í›”Ô»•Ìg øE·ÂïÀiNíí[B‘ÅöGûÆ/Ù7B�}|Ù¾‘÷Æzœ}#€ö�ì�}C|*¡‰=¨w—9&Œ›w'Ëù"BåÞŽ’î$¢-
-3®›Â^ÑùæŽÏ<q†ä
-ìm©4S3µ/ìmÔc`&‰¥³HŠZÅl?C¥'áä¼HÔüìåÎ^yšÇ38ƃØZáÔ³Ï3°¢8Ï5°[ê ‡øæa§fß5° Y¸&f¼9»E%jô6£á<u¼’Yë4¦E¹ÛZ¨2_o•˜[n”»}ew¶îÜM"júòû@ùÙÎÇIAÉf�nÿÚnAý
-ÁHÀYexÜûk¶@ö©Ìõ((I8`Œ.L_˜ÐI³oÀ^'"®2 Œ¤áw#è)!v«�ZBó%¢íç£{-‰�ªˆý-,Rö‡/@®¶MÓZfQЧv±{Jº�B&êWB
~´âZÐ	º!Œã7QÐw¼]Ö¹œã�²ž 6îiA'šoñ!­¶S0qéiH�å
-’ù+u­*\Xçû™¾kmµÁ#UÜ‘os¼
-MND_ÿýåŸ$
¿×ŠÓê5}Ì�**‚ÂöB¡žMv~²ãß.�‹þ_±ïŸ5endstream
+1335 0 obj <<
+/Length 2714      
+/Filter /FlateDecode
+>>
+stream
+xÚ­]sÛ6òÝ¿B÷tÔLÄà‹_“'7uzî\�œ«{jû
+'Œ'“Åö†MÖ°öÓ
w83�4±~˜ß¼ý ³I©H'óU@+�YžóÉ|ù[”Æ"ž½ÿøðáþ§?ÞN3Íï?>Lg"aчûÞÑè§ÇÛ_~¹}œÎxžðèý?n?Íïi)u4~¸ø‘ }.}¼ûp÷x÷ðþnúÇüç›»y—ð¾œI¼È—›ßþ`“%\ûçË"O&/0a1/
+1ÙÞ¨DƉ’ÒCª›_oþÕVíÖQùq™Š

+>&À¤ˆS)d/@žÆœƒ\cÑ'³/›e¹ ‹Î§œóH·Ÿiz_wfÿ¬«öìÞ<Î8O'™à1—B]à“�f!Ö6=²¹¨Œ®Ëz=+§p	Oy~�…k„ðÀes%ù�‰ù¦l§3™‹¨ç‚fjVSžG+³èÊgS½°yj›ÊtSвŒ¥Ñ§=¢™ç²9´€…~3�)žDÝÆЦ¨›=�_šCµ¤!mÜ6ÏÍ|Ý•[¢<@Äjˆ˜ó¸HaÙ&Œ¶9ØÁ÷&…ƒ.û]¶\ÙY³¥±ƒ…^ø¡
¾^ñ°“WãY¥
+�óÅ÷:rÎc¦RîvlËúЙd”ÊÌY"XЧn^h°Õµ^›6dÌ^]€Þˆ‚û«“{Ø‚°ö¯„[ÂÔ4ÔŽ]ÞÞ,�ÚfïÛ•Ý™eVmŸ
–uí€Ë†NÏ�§.”¥}q
+Š_4+ü	‰B�,Øë7/2¯ßávÔoü’~ã(ÐÓo¤�ú�+V¿q€ú�ä­~ƒ²
µ$® ÜmhQn÷:y
á#¥(¼[ :#Ñ“Á`ÑÔ¿3&Ö‡½v1¶ ¤rÖxá[5zi–À¶yt»êÌþ„òLKƘ×<¼çíɬKwj…©gcn‡¢·LÈbqðå
+9w4Ž'UÕ¼xJO£#;�yŽ¶”8�tnÇB†Ç\üäIP[Þ�K²éÑÐKµ]³£�Ôg/>ßïMnOw>eyvþoMÎOxÑ”,_vz,�Óo;½
+<n‹,’c¹$/þhA’*nUb#–Ȥ!áãÑþÑY$Oã"+ÔD1(¨ÖàèÉ—	‚E!	)Û»e`
oï·bòc7š„—r„g!e{©T„Z.dœJ%'ŠËN¡ÈCc3¸<z�
+¨ŽÜ¤Üî*³5µ­- ¦¯ëÁ¨8{z•P/@J
+÷ûÞòXpIj–cèû´i¨`£ßèÄH(‚ Dô‹„ëQ‡¨Ù5`¯#.4W¤�;)ra·¶ÎÁ¶X…¡ÀÊ£^·~26J Ø|9è
+#	wÙ
!Âìk0
+qXA€tÍ
+’ˆŠö’�à‚©¼æ iw”nÛr]ÇŒ;RàK`êtͲ4–¶%ZÕCSÏj³v­8Á=y¤>z�NÁšæž$
Ÿtë·ÙT\Ø´¿Üh×´%Õ¸`…
+õnLåÿ$€ó–§ïh"‘’ý÷�ëÜ��H‹çɱ/-„[š» L}8[nðØ‚	gôuý
+�Õ-ýt[D’ÄøX‹Œ�Õ
¥²JF™R	\¶ÛÐ2±óua|û0щ Ø3ª¨�K
Ee•4²	ˆžM˪/ïñt§û°§t´�2‚:Ñ€Êh¯ð�«» ¹9þƼf_óõý/*μŠ:»;Wê£þÔNUÛ~ªR+Ï»`÷o9öƒ®Lbüv¤¦g}ÍôÝ?ö	WY)¼o@åC…-=S6-gçM÷«ð9ëÿ‹aè�endstream
 endobj
-1271 0 obj <<
+1334 0 obj <<
 /Type /Page
-/Contents 1272 0 R
-/Resources 1270 0 R
+/Contents 1335 0 R
+/Resources 1333 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
+/Parent 1310 0 R
 >> endobj
-1273 0 obj <<
-/D [1271 0 R /XYZ 56.6929 794.5015 null]
+1336 0 obj <<
+/D [1334 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 390 0 obj <<
-/D [1271 0 R /XYZ 56.6929 564.5444 null]
+/D [1334 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1274 0 obj <<
-/D [1271 0 R /XYZ 56.6929 539.4426 null]
+1337 0 obj <<
+/D [1334 0 R /XYZ 56.6929 751.9325 null]
 >> endobj
 394 0 obj <<
-/D [1271 0 R /XYZ 56.6929 176.3615 null]
+/D [1334 0 R /XYZ 56.6929 369.5823 null]
 >> endobj
-1275 0 obj <<
-/D [1271 0 R /XYZ 56.6929 152.4304 null]
+1338 0 obj <<
+/D [1334 0 R /XYZ 56.6929 344.1885 null]
 >> endobj
-1270 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R >>
+1333 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F62 1050 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1278 0 obj <<
-/Length 3129      
+1341 0 obj <<
+/Length 3169      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛ6òÝ¿B÷tôLDã“&Oiâ$î´NëøæÚ>Ðes"‘ŽHÅñtúßoP EÙ¹I&ã`
,‹Åb¿(>cð�ÏŒN™´j–[•jÆõl±9a³[˜{wÂ=Î< Íc¬Ÿ®OÎÞÊ|fS›‰lv½Šh™”Ãg×Ë?’×ï_ýv}~u:š%Yz:×K~º¸|C#–š×.ß^¼ûÏÕ«Ó\%×.iøêüíùÕùåëóÓ97šÃzá)Yðöâ—s‚Þ]½úõ×WW§]ÿ|r~ÝŸ%>/gòùä�¿Øl	Çþù„¥Ò={€K¹µb¶9QZ¦ZIFÖ'O~ï	F³né”ü´4©6"Ÿ � ¶i&…tìšûfÝÜ>žÎ3Æ’¿ñ@3!S‹ÜÏ9O­ÖÂ!rvf^ºi6œø±É3¡F³tAaÀ9ãÙKêH¤ä hÍ|rGš<{œî�äóÔJaÎCµ^Ã�žÜoO¹IÊU¹¥~[n¿”Û;"ij¬Ëî¡Ù~¢gÔvw%amš¶{� MVÍzÝ<”K¸y¤öž¤’`©'û'Óf7Eû‰–­Sü˜ãSÒ*jÜQ©ˆ¬’‰D¦”†Ãvw4M,P~]”÷]å¸
ÌfEÃ�Q
-àÜa|
-ÔëŸð'ʨ47Â:™¡åYÊÁºpï©Òm³íÖU°»¢sÒ›6ñB¥VÁóØ©²1í}S·nDÂMÒLAÝ7—©ÿyWn	Ü�4¹€e´=Œ:Cƒ02Üã`ƒfç€Å`tѸvÙÒB´šWW­³ãkÕl7U}K³ÅÿCoÂd¶%òiUئìp#ˆMØg’LÖÅÆCäëöç�%°´�Ô£m»Ý¶¦>¹« VvwÕpV%nwÃ\QÓÂêÜß²ìJ<9\'�ús
;þ
Ïs³Cz,®Kºðfê6ZKÿ·[àcÞl=á‘Êh–
-ÎnÛ+—#|�ž!¼¼”ñl¦¤»À�~ÓÜöÖÛ¦«(À
-èó?ØØÈ	�©"/Ë…7"ÀIxjÌ�ä
-Ì�rtèõXÏ0rHÍËUHØÌ«0´XW½˜‚¶®I•p¶Yz¼ö®Ù­—1^±Ýõmt�@]¢€N€}chÂc½.œåIqO‘Cs¿­àª0ÀÈ3 Rt4_µn(Ov-½)\S?z`¹ô¬¶¥§GF:Dr
-±­~�3&H¨l'¶ÙIÈÞCXˆðÅ”Š“ƒPƒbÁ¶4´po€%nª,p^ù©fë—Ó2�ßøkѹ÷ì†ê?·;z!{Ì&ÿ½+=é‚(÷W¬¼ƒ6ˆ5`™^`
-õyáü<Y^,(i†:¶UÆ�8[ÔN'#ä
÷èãžh/÷Î W@•<ðºÒB6 @‰´I…
-ì(Óû��»µäj”ü�LŠÏ1™ëTäàªLSI@ÉAÍYoöü�­¨-�õCÈY?¼õs &“N
¡ƒÁ¶‹»rñÉÁß©4c¨¦·EU‡¢B·¯5D)7†j{-"û¡b
-�tSº 
+xÚ½]sÛFîÝ¿BoGÏDÌ~’ËéSš:­;­Ó:¾¹‡¶´DÛœJ¤#Rq2�þ÷XjIÑqñŒ	îb±X
+P†L3Eº˜§EëÐb0¬“:¨7+òÔæ¦Ô«ôBÊ´°V¡~‘æÔš[:ÏH¿(a�Y¤63¥H­VÀ¹Çx{ºÌdrÿUr6ÕÐ4Ò³&S§î¼x¿�©0E¡	'‚ýQ"ð/Ï·jñ]ZDg
+t—a¤LE+UžŠÜàö.u…Ôžá«»Š•é@mùL}{ßnÚÛOŒÓ4ö“
±½ïë¶
“Ì]RwôlÚž¶÷›j[5}µæ
Æäû
P‘N%f@I™Öbm=Ï
+3V<ÜÕ+&íK(®y%Ù…JÎ!+’VAúm&¹Þ!JCäÔûý2[à2ÿdg‡||œ ¼zý
Tã äÏÏP‡WVÞÇ©60¬}" 	Å«™(Ÿ¥Î¿B¬`ŠË˜ä\¬0àA…=ìüx@ËA®Ò÷¯Çd ø“¹MUAjÄäc&i æ�™‹Áí±ÆnèYyï‡�÷~°÷ó –‘ÞáÓ8|®îªÕŸ¤^`Z˜4�¢Œí붬›ÐNè]†¨ØÆ$í`…4à+ÿxEè
+—„Ž.w>]",2]*_*CSÌ:j™±]byÓSÕ…†'àV57…;4SIÅ$¹7Íèa†7£oý3§h0têù(ŽwwíCCà5У¬C+ä¨cª*´Œåm­N~ð'†	Ø‘aÂ[I¶0Mý[OÝPIs®ÉŽ«ml è`þ�[¹NMÞ’qŠ“›�ÉúDÆxh§úðD}dµS…P}ä3£ˆƒ´l1•–]ãCÁÃÒ¼º¡f¬v7¼{(–fPì”Aš"t!#<”g,Ì‚…9sšé]F‡Ø±Þ¸®Gll—F7«±Ä^¾1rüI0δß3!’¿<SJ§þ(`ÄÚ_„á
+ð¼ŒøYòåKš9ƒ¿Nìº\½ÈghË#ÚÀ{÷
RÊ"ÚW?œ]tSï³75(¢Œ7>ì1‰¢ñ=@ú6Ð÷<G1Ç‘‰9ý0£±ù~3Ò‡¡¿�ŸÔ)òÎ|VS.5'ápàÕ¦ÄHŽàëÉú'9Ý)s³òÞw¬ÌT¾`iïx@MÞõãÂÿ¿ÉM=Snê‹å¦¾Tnj*7ù_ËMþÏ䦟)7ýÅrÓ_*7ý”ÜÔs䦞'·Éæx;Þ ��‹Ý39’å3ßï(X�W+ûÁ+Í9¥Àï¬ôiòøg!Ój�ªg±ÄWÎœé…
ЭoP Äõn×6åuÀ»®îʵO¯<Eú°Gø<
+ Åa„¸T¡¡Ž@úæ�M£Œ¢Ý\fvȦ´rɹokeÜsÊ“®ÞÖ›rGƒ¾asvÄ<¼Q-MOZ`™�žD×WR0~Ò—%&-Ò�ÌÅe”Æã2*ç"†ji
IËcuÔ‰AŽ†ìoH>4$>培À /š»ˆº8ЋG¢D_ãÔ4Ïâcà,ÃSléy(ªà%ÎT‰‹G~„…:þ*p曑~w÷ì(~Š…Ÿ}œS�|~Üú"LùbÉ)çøqÒ:•Ï°þorc\endstream
 endobj
-1277 0 obj <<
+1340 0 obj <<
 /Type /Page
-/Contents 1278 0 R
-/Resources 1276 0 R
+/Contents 1341 0 R
+/Resources 1339 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
-/Annots [ 1281 0 R 1282 0 R ]
+/Parent 1346 0 R
+/Annots [ 1344 0 R 1345 0 R ]
 >> endobj
-1281 0 obj <<
+1344 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [242.0197 432.1255 315.2448 444.1851]
+/Rect [242.0197 602.0286 315.2448 614.0883]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1282 0 obj <<
+1345 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [238.0484 354.4169 311.8142 366.4765]
+/Rect [238.0484 522.6184 311.8142 534.678]
 /Subtype /Link
 /A << /S /GoTo /D (topology) >>
 >> endobj
-1279 0 obj <<
-/D [1277 0 R /XYZ 85.0394 794.5015 null]
+1342 0 obj <<
+/D [1340 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 398 0 obj <<
-/D [1277 0 R /XYZ 85.0394 498.9148 null]
+/D [1340 0 R /XYZ 85.0394 673.0194 null]
 >> endobj
-1280 0 obj <<
-/D [1277 0 R /XYZ 85.0394 477.595 null]
+1343 0 obj <<
+/D [1340 0 R /XYZ 85.0394 649.1998 null]
 >> endobj
-1276 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R >>
-/XObject << /Im2 984 0 R >>
+1339 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F62 1050 0 R /F63 1053 0 R /F21 702 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1285 0 obj <<
-/Length 2262      
+1349 0 obj <<
+/Length 2450      
 /Filter /FlateDecode
 >>
 stream
-xÚÅY[sÛ6~÷¯Ðä‰Þ©`Ü	¤OnÖNÝi�]Å;;;i‰²9¥HU¤ãhwúß{p£À‹lï:™Ï pp.€ƒsŽÈÙ	‰¤¦z–jŽ&b¶ÜœàÙ-̽=!žfˆæ1Õ7'g—,�i¤%•³›uÄK!¬™Ý¬>$Qt
-pòæÝõåÕÛ,ÎOSžÜ\½»>�S�“Ë«Ÿ/\ïíâü—_Χs¢IÞüxþ·›‹…›’žÇW×u#Ú5G˜.../×o.N?ÞütrqÓÙÛK03†ü~òá#ž­ÀìŸN0bZ‰Ù|`D´¦³Í		ÎX)OÞŸü½cÍÚ¥“øŒ(“t
-@
H¨BœÂP*4’Œ2‹àNçã„hŠˆTˆžQþ}ˆ†þ·€ÀlÎS¤(NgsB�‚>Â>aðìÌM^]šý€N]¹�e™5�뾬·¢(Cš`þ,IRE’n~¼¸v½û&wD¿s�zçÈà›E2Y�I¦d’o†{!nìÙ¸±çâÆžÂ�¾7ú2ÜøX€èHcs‹µ7�LÞæí._ç~°½ËZ׫òÖj†û*}'‘p“g—p—Ô0H‘fTYš›;ÀœJ™¬ë²¬ŠêÖ}æ_²Í¶ôsEYºÞmñÙ�íN‰Jò¬©«ìS û”ßeŸc‘ãè;m�QÖËÌ3º«›Öõ²juj\×:Ó®
-'fÙ–{7²¬«
->óÕ
-T[·l$Dûg±†!'‰ú[fFšl“÷¸‚ñ÷÷&ÁäGÌ�÷;ÚRt‚^U·®ó)w­9Cù
-¹kÚ{K»kšZÞ†°,š6x #^
-”
-6íqí	1 ~}ƒMMßÏáI×y„x>)°s2¤¯=§ŒuA‘ˆ€Ë#.Mî‘x·[
Tàu&=…‹Ä	·Lþy—[¯ ’Í}Ù�sòÇ£¶íªq$™�)Úû]eÏLUð=ž¼jìÞ™9ï—6ÙÞ
|òlàyZß—nÌÞ]há,þŠ1½½�åy'¯Sîý õ)fñÝÕ'¶d[fK«5g µ˹ç
-ŠàCyá¨n^¾Výf0
-î%dZ‹#,Ìr¸ßœ;„.ð3çç‹ËüˆBfbÃC‡è¢—
peœ³
˜¶
%GHâ¸Ý�ïGŒú/8,pÁÉ¿ë*Ÿ
-éͪ2GÃýæ"Eœ@¼#ó2´Í¾Â+¥ñóóY†Ç73¤8gOl «ÐÛ¬#«V®´ñ_쟈aï¢ùnÿÞ'hðŒ¤<yõÈœ—AôMQ§R"‡ÞS¨S
m*\¼¸Ü/ËbùÍPÏ"‚ú¾ZÍ]ïS˜&þ±a_ÿÃoÿ¿I¤F,¥&_‚œ‡pgU£ìŠ¦
-¶ŽÑ™

ÑTN'Wá J!SaÞ1^Ö¾î䫶¯§JæEç\�
-
-…îN–»ž“%¨ˆÊ�[_{šTìX�Rqo
-×ËÌþºàŠ>û¸ür¨ìÉ4ªY[Mïüh™Ivu$��é„'_T4uí,ÔÌQMok¨¦pPHˆ†øMØ×[šºX/Ê1¦y%2×4÷k£­}7MØ•’Pº„0M!Lè ´’•Ù¾é×(�ßüG¼¬-²œ‡ºgTÃø|OãÙ¯2<áWëA}h±qðª‡êÉš˜dZë;Á‚í6Ϭ.‡ðv?a\W
†},„La1œ(Ojˆ ¤,òûQRBóKîDíÏž|Šžûƒñá×tn}E§ý”wg,(eËÀx¤yøey¬úŸåF˜endstream
+xÚÅÛrÛÆõ]_�ñØ	×{Çnò¤8’«L"·4;�Žãˆ„,N@‚&À(Š§ÿÞ³7`q¡$Wét<–‹³gÏý’`øG!‘ÔT'™æH`"’Õö'ŸàÝÛ3âaæ
hC}¿<{}ɲD#-©L–·.…°R$Y®?¤Q48}óîúòêí?糌§Ë«w׳98½¼úé­Þ.Îþù|1›%Húæ¯ç[^,Ü+éq|uýƒÛÑîqéââòbqqýæböqùãÙŲå%æ—`fù|öá#NÖÀö�g1­Dr?0"ZÓd{ÆC‚3vʳ÷goFoíÑIùŒ(“tB€”M	Ph$¼2¬š»â
+¦LÀt/Ÿ·XD¶…ŸÇÆvŒ×Ðñ¥Ó‹M5Î
Ùˆ&
¡FiÖ£ië[¨§(a3” §RÆÁµä!¼eöåùnJôaÀå%ÚÚjL8Ü$•Ê¡(Ÿ�ç$=
+Ä)5�òæ
á<ÆèX쑆1’Y&º‹­Ò÷ÅjÂ0(E‹àMŸÖ…q‘ŒúíÛª,«ûú[qA§‹~.ø°*óºv‰ÞEA%AüE-T,0Bʘ‘˜ä¦’a/–X‹q£´"ëG@�5"`†È�I¸"cHÌ='�h>4ûb‚mˆlDÒ`'
¨Çµ9b%ÿD®Ƨ¸€
+ePw÷½÷¿;1u¸�L�Dw.¿'†q305çY�œ�H°D þÍ5…ì"�2Á|~‡|9(4&ÖÒœ@½f€ã¨àdØÀk[Oò`‘
+**œ[ò¤©¯ÔŸˆÅÞó­þnû�ºÚwÑ ‹d<}Dê;/Q'už
ï8û
+”áÄi©C¯âOH]H¤2¨mø°*7«ÿ™Ô}æo逫ãn=w«›
+Œ™3ƒ7……YŠ²ÈMp2?Lž6OW˜•“â\wãaÙ›ïpcòR·F<ƒ#Î�gwËa‚£Œ´�u4^7÷­«Âf­Õ,êã~o£é.ÜŽ­qLX™AýP¬C`3s)À
“��˜¦ ‘:½1ä=¸5tà�éÂMè€færã1;€‰ó+÷éDû¯#:5å–ÁY†C.þꨎ‚Íf[Œ	°ÅÌíƒï–G
STйæï½Â.Sî£<�+üêŠÇ¢ƒ¶BÝ�Â�ÑݸJ‚R‚*­’؃^æ”Æû…£ùŠ*éñˆÑ÷s–i5Ý 0ÍŽ¢÷qNø�sË�Rô¸óÚ˜
+uÚƦ>àäÉV󹟟;ž¸™():]”ùâ�¢,KtDyøN=&ý?o>¤Uendstream
 endobj
-1284 0 obj <<
+1348 0 obj <<
 /Type /Page
-/Contents 1285 0 R
-/Resources 1283 0 R
+/Contents 1349 0 R
+/Resources 1347 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1255 0 R
-/Annots [ 1287 0 R ]
+/Parent 1346 0 R
+/Annots [ 1351 0 R ]
 >> endobj
-1287 0 obj <<
+1351 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [325.3322 434.7534 398.9856 446.813]
+/Rect [325.3322 596.1482 398.9856 608.2078]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1286 0 obj <<
-/D [1284 0 R /XYZ 56.6929 794.5015 null]
+1350 0 obj <<
+/D [1348 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 402 0 obj <<
-/D [1284 0 R /XYZ 56.6929 505.3435 null]
+/D [1348 0 R /XYZ 56.6929 666.7383 null]
 >> endobj
-955 0 obj <<
-/D [1284 0 R /XYZ 56.6929 477.7522 null]
+1010 0 obj <<
+/D [1348 0 R /XYZ 56.6929 639.147 null]
 >> endobj
-1288 0 obj <<
-/D [1284 0 R /XYZ 56.6929 352.0635 null]
+1352 0 obj <<
+/D [1348 0 R /XYZ 56.6929 513.4583 null]
 >> endobj
-1289 0 obj <<
-/D [1284 0 R /XYZ 56.6929 340.1083 null]
+1353 0 obj <<
+/D [1348 0 R /XYZ 56.6929 501.5031 null]
 >> endobj
-1283 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R >>
+406 0 obj <<
+/D [1348 0 R /XYZ 56.6929 101.3093 null]
+>> endobj
+1354 0 obj <<
+/D [1348 0 R /XYZ 56.6929 74.6262 null]
+>> endobj
+1347 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F53 1017 0 R /F62 1050 0 R /F63 1053 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1292 0 obj <<
-/Length 3119      
+1357 0 obj <<
+/Length 3401      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Û’Û¶î}¿ÂoGž‰^tãã6Ùô¤Ónzvݾ4}�-ÚÖ‰-9ºìfûõR–lÙM&Mf"	@
-.y|t
->ó∡â‰Q*†)<0ÆÀö¹P^W‚6ÎâX>ƒ4<aÉtüµDþ�êŠ,Ž
-eÙe{í·íî”1Gkñ®qî©&XË‘EA(’xÌûQ·hP¡ðZp(
-õKcQ“®€¾+”ºÎ¿§š`ä
-¨€s9–`1W`ð 
-YëÈ»ª[„^©ÛçªþD“m�­qëŠæéâFÓ­ÍM˜ƒ®×U½ÏÊ•~…e/WDG'�š¶¢…
Í•z.ód)³²yÖuLø€ÂaâHŽÍû\�':À“óÞ*�—	éu�Î	2Nß;2’óh�€#‰[x À¹íºÂ„
-¤Ÿ;]Ú²oí
-¹ºº¤ñ#Ô¿ ªßßa±zûþçW´v©iG<$;J"eêíªÆ”Š4Ú–f„1°â½Î°fšyxh̵"Œ'o:¼0¤Í,öþ‘¾æQÁ‰�9>¢náÏë[‚]C—g³âIÆ
-›IЬuÓ”"Ý‘J7í	�u^5âšžp­ˆdi�Êc¦'q;[­ô
brð5É-TÎ}±ÊíÄUÆb⩉•@EAg†ÃP†1déð"¥\|Mɇ´,MÓË-(HõM©YqV=:é@-	$ÄâRK…ó(ˆ¼ó2‰‚$bêßè©à¦îp&%‡tÊâ«©Òïì·žèª@�U)C	 ¡‚èX®«0êgDI_ÛH]nUú}·$SØR1ù-mƒë6äC¸ÀIlôEñÕri¡¢€’âz4³T¤Â¦Øøð`yѾø&üÃèìþÑ–ÒT—NF6GåÉ&"ˆ›`@	òxЫkó&1›g#à¢Âæ¡‚/¥g’a¹Ž�e´`ÝÁKib�Ÿ·º$èíýããÝ‚áäeæ-Ϭk«}ÖºþR!£q„*VµÑ <mt©kJ!%çô"r“âÐîl¢�ì€Ï_Êl_¬ÙrØ ¡|`Ou/TÉuŸ¨ Lc
4Yo¬{=n¡§÷‡Îoá|_ÊáVT¡lð
-åŠJp
ÀšÎULëÊñuwV]MøÒUB6£ÔD»]õL Mú:iW싾ÚÊöUçv©l�µÚU«O¶Öú¤Ÿ±¿q1»ƒZƒÙõän@t%Z¢>µÓëZ7[ÏöªïjM¢
u[¿œÓ:ä™û`0‚ˆwMþžèü
-­ÝfKSKÂjÇèDt´g"ýªl2a[³£u�múbƇlõÉš¢qé×.ó¬±æwBì:AlhL-m +	²vÆœ‘^øß02
-Âé&3ë»ßý?eŽ?©‡I 1a™N”°3$Ày­Pæ·O~*y$SxÔD2!úßL*úhendstream
+xÚ½]sã6î=¿Âoç̬´â—$>¦»Ù^zmö.Ioæ¦íƒb3‰fm)+Éɦ¿¾
+kÌJ9‰R‹2cãTIÕKYŠ9),”ò¦Øº¨ë6ûÛ2‰µNÕb¼æ
åk†´‘ÒÄZfé”öµëZ�¹–ËîÁaC-«ÝöÖ5¬ïèÛºU]­[Bèj®ŠÍ‘Ë‚Fp'aBó)«u¹*º²®àüU’/‚¯Ë¶¸Ý8^W+«S±¼g¬_“Ü<”Ì|A<{âT9´…Ô 	ÜÌåçFo<Ò‰‰½[c¤ÇmNE¾„]m·®Z»uÔÐÉòÆo
+´píîŠÝ¦£N ¯Çô¨„Í{úi’ÌÐÇó‘*àà®DBknËj×¹–H# ¨ÖÔèÛâ[¹Ým©óTlvî5v²,–VI&%òy~ÒX'bÄŽ:d'>0=ÖïL¤±•&{ÃFX¯AÀBF`£Qå5jÖ€%-­}�~�5ÃÀÄˆ@5åàæԂƒ(¤aíXïV(n©—•ëžëæ
vMq‡ã¿&‰\Ñ8Œ•ÕŠæ­#È£kîêf[T+÷!–†z#�Ú®¦‰-�UîLæ‰1‹ª}vMÏØ@¤a3©QSõ>çžÒ<NE¯•ÞʤZîZ·¦–7rø¶®£FA|
+	0â¸s7Ï+½€ìšA®eïƒ:eÕ�ZAaP“ç
¯°¦Í/¢À8o—.*¶Ù¬·ÙC9�«ƒ«ø3ò±FÊA>‡æn4×Y0¶dÞÚ”ïl
c
~xõ¶G͇z×†·o/2¶‰–�ó`à«¢ªêŽ¨¸o+çÏÚË«xanP…½€E‚‚�(Ôs¹Ù�›¸eÔ–8øÍ{¬æ4_ÎVÓ7coÊ”ÀwÝñ®›bô¹gê¼.¿wÔ%¥noY^wIc¬ã.©Ç
+’>î‘4\*Z毓ï±fèO=ŒJ-¦ðålÒp¤ãûÀ[0Ù4žÊÕÃdÎÈÍà8cÚßÞÐ$ϳ.«¢y!ªæcÝ–]	¦÷äÂ
•Ž(R2÷fçuF×Y¾§2Ãý™kò0ð­+$š›å³s_„Ä2j¢’�DZ¨åAý‡ÓïhöïÎó\t[¼PcUìZÆ,üF
õëÎ5¥còÏ`ϵk*ê_C”¢úï'IÏ.~|Gso­ˆ›L¦.9Q*_nê¶Ã–%‰¶¥Qn´xëÖ%h3�\]µþX±�;owx`ˆ[0ôòš¾þRÁ�{¿}�Áßû3j‡†�£¢I^
ÀK½Ùy?=ÙÕ#IsåÚö¨�™\Å©öu;c·³ËÛYYEM]wía
+*£T.ÏD‹*8Ã…†Ë]ÊÔ'•‹¯'ÚZEX£¶ßí x±•‹�5ìi1ÞVX9/í÷Íñ�[ÌäÀÆ�‘S»ôŠ–�o7R#ºÍPÑ—³hÙƒ×6ƒÌRѱHÿÞ)©–´�ëGCŠþ÷t(w�ƒh.Y¦^@†Zƹ"u;îÍz,â•÷\Xåºì^"ïþ¡wpþ™‰³<—‹1�CÏ°fø˜x6`7K!Èœ0rýèV%æ(þîËB@�eƒw ÷nYx®	Æ ¼ØÁMé}õŸ\E(/¯¯Ï?v^
±¥ñb×Õ[Hd"rQYçR™©‹ZÁU�÷·N—÷®r
‡�Ð-ZþÒ‡W&·¥™wø®_ªb[®¨³{\Ã</Ø}Ù+

+Ÿ€JiÜ€¸P¨4Øܳy]�N¡Ç�ÆOáp]ŠáVœ
;p
p“‚àxÇ‹hB�õ«q’/ˆ
ÿ å¾=òÝäË-o†þˆa¼œŠ¾~Ä]<™Ò¾u�LÑ ÆgêõnƒñK"BPŠÍv¬”x¨Ÿ©±©«{jݺ»:°‚}Ïêµé¦¥ï«�§è÷I‹Ñ—†{ýÂ
+
+±øMðFC踜Ù؈g›Ïçï:‹¥Èr¾¯Õ\ö.tl¥!ïÖ»/ŸJTWl£…ØŒO8Bm쇦Lxwߌ&ˆ÷’ú¸,ê£Q¼G€
yt|þÔ‹ÞH¡ã‰°Ô‹+š–Ë#2ÊfSåõ•†4M†L¼¯5x¹åqfS5Š‡¥œš�Ê
+cI.õȾÔ#¹|$1ÿ­,ÉUxŸ>T�$—”$§€ÐÀÓ¥ÖØä=jàbµk^uûDÃr@	}H(9Íè×6å¶ì«ŶÞUþÖ\�XmêÕ®M|qÏXÜ“‘ìetX¦A÷oT¨»
ö4Ì*LüCÝ‚H6ëÖcš’›@ÀÆmÇ°ÖAà¶`
å#UÒû„%Ô
pýùŒ ƒÓ§>ñ,¬R
+’©W(!$DfY6)'*É2T;áÄo7¡8�ËáÞó%£Òýj¯¶ýT4e½ã¢žk³WŽŸ”.õ£¹)Ä£�«¨7j@c¬ãÑ\�Ž‘M:ªêµ;ÌQSÈ
+r•¾ÎB�5ÃÃÄß@¬Rm§LøHî!BP&Æ.BŒB:hûóâ—&Õº…³æéîÄL•7@ðן¤/
ä뮨º°<|€€Âà`.±¹Ý»'½ïŠy¿“µCë¹ì&C•{¦‘ÿ:ÿß©ìÍCþÂŒ„4ÕŠ¾Þ)f«°"‹­’Ù±LµW#•ÆBgê
5a½¢F
k_�‚c�Ñ¥<�Á­g¯óÑcÍ02Ù³±Ì§|š„�
+üœñÀ±ËC½áWŒ^› íµ	ñûѽŸê}´8°D˜k@¯|¹Ë?•%R��0j«Rj¯ö^èºðìÅÊçKÎárý*X¦ �^Õfõ‹ù~C¿x{­“7^ÏÆXÇõ«ÇÚׯîåѾŸYÈ…“ôuz¬&»Mu,29eaP-«)&Òpøåit®>Ò{¿¯°ȳJ-tPÖÐãôù!
+Z|úÐâ虣+½üâ˜Ú(æÒûeQ¬´*ÕFcQäX¡ú˜hØ(øððÎkŒ2s/«XYèfü^Ú£m¦Ä\o:ÈÉë`V¾0‹¦Ø:ŠµE¨xCÃL„moë'Z„ChAG
ŸI
+ÃXF¤ûY`Q~åA7Æ"êý"mw3E LOð¸º+²ÊÞ¨�±^Q÷€ÕWŒÝ¸Ð‡‡wýcù,ØcwÍË!n
+ÇÙuK¡;ršøá!èîË�€%¢±Bߺ‡â©ô!šRKÊ*¼ÖÞoO£èe>ìH=È|Ýa¨Ð¼0–æˆð(š„Æ
+ò½ûþçH¨êúɘåÆ+&´»¦¨Ú;~DJÌòçI
b¹�†O”×ĹXž¨[;JŠ,ófCÙ ¼h�&ëÝÊ;¬„CŽ½ëž§÷Öœ$Z”Ã
 endobj
-1291 0 obj <<
+1356 0 obj <<
 /Type /Page
-/Contents 1292 0 R
-/Resources 1290 0 R
+/Contents 1357 0 R
+/Resources 1355 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
-/Annots [ 1295 0 R ]
+/Parent 1346 0 R
+/Annots [ 1359 0 R ]
 >> endobj
-1295 0 obj <<
+1359 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [326.242 275.682 375.5914 287.7416]
+/Rect [318.204 427.0782 366.911 439.1379]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update) >>
 >> endobj
-1293 0 obj <<
-/D [1291 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-406 0 obj <<
-/D [1291 0 R /XYZ 85.0394 667.0947 null]
->> endobj
-1294 0 obj <<
-/D [1291 0 R /XYZ 85.0394 641.059 null]
+1358 0 obj <<
+/D [1356 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1290 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F62 995 0 R /F63 998 0 R /F21 658 0 R /F39 863 0 R /F48 885 0 R >>
-/XObject << /Im2 984 0 R >>
+1355 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R /F62 1050 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1299 0 obj <<
-/Length 3888      
-/Filter /FlateDecode
->>
-stream
-xÚ¥]oã6ò=¿"�«üE	=°ÝfÛ=\·½Ýôp@¯ŠEÛº•%×’’uýÍpHZ’å¸E±ÁŠŽ†Ãá|Ëü–Á?~«’(ÉDv«³8RŒ«ÛÕî†Ýn`í»îp–i9Äúæñæ«wRßfQ–ˆäöq= •F,MùícñË"‰DtØâí�Þ½ÿîç�oît¼x|ÿㇻ¥Plñîý?hôÝÇ7?üðæãÝ’§Š/Þ~ÿæ§Ç‡�´”8ß¼ÿð-A2z\ úñáÝÃLJoî~}üÇÍÃc8Ëð¼œI<Èo7¿üÊn8ö?nX$³TݾÀ„E<ËÄíî&V2R±”RÝ|ºùW 8Xµ¯ÎÉ/Vi¤DœÜ.e¥°ÿ¼”y¤9$­²(‘B)>'e�…RÞå_–}±_¶åïfzdÎÓˆs@Ò=Û=`Íl/ÛJÄ2™Œ÷ÿdºön)ÓxÑm

€¥r×ïhòðí‡O4úù۟ܺiÛ|ã�-ßvTç;SÐð¥¬*·lj+kz>;Ó‚Rh.ÿ¾ËÄ"¯J‡òœW½iQ
- yÅYŒ§‹2¥„å5?ÜñtaPQäBq�à»!@̲„ ÿeŠ9Zv¥é»¶,ŒCß–|Èë�Ã|r�¶¬LÝUG‚æÅÿú¶3PæÀ»lñ¸u˜…Yç}բݖà~ä˾Ãí;x:6>Wßö9nÏÄ‚N˜·MMóus Akº®¬74)�…X!À3§GÝÔË_
-còiåùD>èN6N¼�9¼zîFœr± ­’ã�Ó•²ExÖ…Ùƒ†ÏhÖôìH9(γ9te‹GÂ91°2å³Cxê×Z#G8GÝEŽ&¾Cèl|³ü™¢nGncbë	øH�9dRÚ©;u>+ÑY”*xëUÇ6ĺìØ960˜^~e– Æ;¸‘©“*Zǯ3°f¸ù·˜EB¥zÌƧ½Y•È:	’&7b�ÆŽ?;Æ;ÄçïM=ÂlýD±ÖœùjЦd Gg¡ÅÃæ–§
-øWNuN—¼öª+ÑG GI$#}ÆOÊ¢TBt{U¶
ëgÔNŠZ“7Df‚×Á‰ó:8,[RS™
¯ŒAHbÂéig¾t3ºa+ÀOH÷.<ˆ$â—‡žçe[®¶°]Ì­…â“n;ÿÙ�!gP¸%ØÎú]œ�]îé
A«ËQ¾x8ˆKïJº}¤[Ó³
Â’î´´�w(“ƒJ‘ER‹äÊIu$¹C9ù-dõ¸/Wà<�45_–$‰–—Šdì¼@ã­ÚG­(¬Á|cjsÈÝ2€�mkfœ—2Š%X±dürÕìö kçGÈTÄ•VþœMS¡óLåâCÓÚ“|3îú²Å�°œ
-zÊ’�ºÐ¹-I`€ÐÞãvï8YåŽñ'ãô	–N"bÙç¡,
-ëg¥^ØÓÊÔê<öäC—NÇá0^y.Í­<å­
-,Ú¨
 ²^U}AU‰%:s?JCÑ™ˆ?''`þº†W
-�².»’jhuªu›¬ï`q×ï0Y¥õ[¸8©ûÝ“	aQÀ�ë‰o¦âNù®?´å3„ZCÐHU�d–MßRÀ‰Ž–ɬî~¤å
Ô€5ÁH¨¡wAÚÅGv$u”Å!UøÛŒêHÇ©÷"¿¡+¼ÿ
GøUaí~N4›„$åï—h¦ƒ:’øõN<öJ
Ç7‡gªa]7…œ\yʲi~±Z™=H0 d\[æuö{r+
-zHó’¦<Šuâ?Šx†.¢í8ŒÍ7™7CH®ÁžðsõÈ þ�=»êr2Âá§Üô€$u:�1o{-Á1FÛ'Õ+ëA0ÕaYA8YmËz€KñnˆâßNµ�riÌí2…d+�Çö³¦€ˆ5}‹½�mγ„é·Ë<
cÝ×+÷£É|Ý/ìå.·ê€“þ€ÍzÃê
-X€ú¤”èÌMö§‚™ûM\Óïij÷„'ä„«Ü~f™“‹ýù_ê~?+üùŒÍÄ,>þfÐýB1Äë@£S¿Rd×è–H…šè8ÑA÷õ\È‘‘V©wïÁ³Q›I¨¡Ù$‡ýkþ.4E"üíðŒÏa·~³¿üåSéëH¦©¸ðÁL£ŽÇ”íˆsOÍ°A&fXÿ?A
+1362 0 obj <<
+/Length 3826      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZQ�Û8~Ÿ_‘Ç0ñZ’mÙ¸Ã
Ýît·‡Ûv¯�=°»žXI|uì4¶gšýõGŠ”b;Î‡jJ¢%Š"?‘ŒÅ"„b'A’Él¡³(ˆC/Öû›p±…±oó¬ÓjÈõýÃÍwï”^dA–Èdñ°Ì•ašŠÅCñÛ2	dp3„Ë·?¼{ÿ㯟ÞÜêhùðþã‡Û•ŒÃå»÷ÿ¸'êÇOo~þùͧەHc±|ûÓ›_î?ÑPÂs|ÿþÃÔ“ÑãʤŸîßݺÿðöþö�‡¿ßÜ?ø½÷+B…ùzóÛᢀmÿý&T–Æ‹gh„�È2¹ØßD±
+âH)×SÝ|¾ù§Ÿp0j_�ÕŸ©9£@©
+LEgY¼Ðq$
+†P�ÝÎО>|CÄñV¤K³¡G»£Î¼.†£ÝñDͮܛ–ɆŸnÆö`Öåïa(
¿û”W½iƒ¥‰@‘,´LÇÙ•MÓjÈE{sFâ¸p�¦¨ÛU_Vmù§™®.d¤Zd//ï¹fÖêXÈ8Hc%Ç|6�U’vÊI–yñdŽ]Ù’nôòþ‡Ÿiä×~¡®Ç~ƒÊÞ˜#µ­ô–¥¬™ãÔ¡>WJ…ËÝfr™WeA,¤kbËéШIt^z…YBÔïaò{ ¤Å*Š`àƒ+!‚,ŽÉãš¾kË'“¸�×�Éò˜×[î|.«Š¨GîiËÊÔ]u"Ö¼øOßv¦€å
+ªåƒUŒf“÷UG¯YYˆtË °Ówú¶ÏyAÚhÞ65µ7Í‘%0]WÖ[»¯ÐmHÎXÇJ&¬šGͺ©WgÁ’Ä–°`þ•d¹5ÌCLj“Ôí³9NØyÛÒp·³B7ývGC�Ôþbjj£ѾžóªòoåÝÜf«fý…¼msÌ·{P»ó¾C¾þÂvhýù;« ï°íM˜íbôÚÙ’Â喵ݙ£ç«‰b#�…^ñø$A("ñ²Ç¹®{¼çB5ìóo×^¤�àµ/®î¹f–;¼
+ÂL%ãõÉáU‘Ã#
"•û~O
òv¤¬Æí¸iÛ|ËÌdŠHÕùIò+;ljîC$À§C-ä	phäÑ"ˆ²hl2ƒ3Uîà"FåÑ!¢ƒ9
²@·‚Ø	Œ��Ü3
+ØIŽŠû4’CÀ¶wml8˜¼CV9e>Oïm#`¾znSTX)�'^2Ìøg]˜X8ÈLÍfYŒ/O”¬MùÄã«3´¶‹M°Cê"!À˜p>N˜øzA�Θ™Œö
+°Åk¥B¿lC®ëÀæ¹ØÀaŽxø•Y�ïéᛊ©uô²žkFŠ¾E\Æ©‹ñÙ‡vh i‚9 H4¢Y>KãâóϦq¶®‡­¹Àj°¦
+²,Ô¯
(Z©”™,þÃŒU“¦¸›Q]
+²«¡æffýjt¦�óDÓ6û’5Ô6{Ã}·	ÖÊzgÖ_X6|«Ó¦¯nÅ’�ÿ‘ß>˜#jÂYFVi"	0ËlìG¨h03`×öØŸfTè
+D!dÆYòºŸE"ö–ÐÔ¸ì¶?æt‰âô¤\{J©‹ô ®�Îì)¾Ã&ešWÅ©ûô8q%º¬v…a20Z!·)	h
íÒ
+x›ø åo¯ÍÉ!Ä-å4`ŽO†ÁÃVS” '‹ .žÔqÖks°ÅG¼aP3\Ö�vAÕƒÃ�`zò¢(ÑOìñ&ÂY,Bu”¸ª2r_é
+¸wP
+•îI}R„“ß.D~Yð)$;�•Wœ»@¶;ˆù
+¢iV
+¤òA>ê(’))	´³†È�ž#-YÏ–ç¬glº9jûž^ö«,ìzlzÔ’\
+¢÷óšXËý¡±E_Ë|š‹R…ˆ¡e<VêÑnãs·2„šiæbê«1#ÆÞq¢äË1ã�ëzÌè¹ÕºrsZ¦ÊO—¿YÉ ÎÀC^\ÝsÍ,?:T
£rÛÑút»j@J+�b‰.“rZ¬1B„ »°IþädºgcüPÍ)‹Ö.ŸŠê+	ï�úø‡®–FèVÔô[+<Ãmq+
+ä®{­—>Ó�ƒLG“"�³Á`Î4 —ÈBð‚&2¤†î‘Àßí
+ƒpù}_VÝÊe>þ²¥V>¹°äŒ!�GB-¤ÎÎzUéy2•Š%ÕD›§²°p‹£6`@jgªÃ¦¯ˆ±(ómÝ
+WØ¡5}Ѭºæ°²õ‡UÑà
0W&Q2HbíÐü±¬‹ùª¬ÔÂEÉV$¥¯•#àzð…Ÿ·?½ùøyfBˆ‰³ÔGÕ68ÇB3 ç88¿Û2æÕ¾Œ»Ë�QVU”Ëcs 1hQÞŽÃW~¯pŽ-€ˆ´zíç
+ÿåÓ�ÿÒ_/fýX!Ef­XªKÔˆ
T:g5˜ë).g¤/ ƒõuxò¢Ñ)*,Ö§É+Ç\©ð…@W‚…i)DÇ”ËF<RâGÖø÷4ÆQs6@hpµÅ‰o]Q†)äȱ3¢÷ænDÀ¹kâ/~aþlŠÓ®;þÔ…rHK«æ1wé[œ >=†.5^ïx´-5ÚÞª ÓXí›»ÛE�ÊÔ¹[^A”wõ:‡•UèymÁ6K¹`„+ØfîC¥ÌÞÞ-“Ö{À©"flˆ}§¦'bclQ2KÝ«zYSº€]¼RQ¶ùc5šÙWÌ…Ò“:›+Ñ©$]öÖ…#÷A^I
++x¶�ß=Xvª¸aÿÎ~¡0zÏ»ôÌùÃ
'“¾5X×zX¹¢™O´h�©¢¬í}ˆýyMOóíP•kOC˽æ@Ï5³„´9tšM‚š�PˆÌAëùã¸5Ö;Ÿ)»ÀÒ'þWâ�ÁW¨—Ã�
ÓõhÇ1Y¥Çšzºh†Õó—×d–Ë%'?˜EJ«Ñ’N¤~mÛè\¯÷?¤]î4ÿ†Ù;~»Ì‰à‡ðuÊÑÎ`N›×_Þ�RCœ¦”ƒB–'¸rSjü¦Óÿ¢À©1®r:˜+¿‘)Æ>üûaÀTñ‹¿ýÊó5:ç(^ñò5,×A"ý•ŒQ]&9âü›vFŸÏà³s£üMIE-dØð‘
ÐÖu2WrBŠÏQG¸ †tÜ~«°9ñ×ÓK)„02Õ“£àuæKÛG»¨xVmì^ß­!ÖåªÆÌg,¾èp%ŠPhų^.Ü)ýß_Ÿƒ�H*M¯äø©L”Â$,”��£KÐàO‘/Eÿ/²Wendstream
 endobj
-1298 0 obj <<
+1361 0 obj <<
 /Type /Page
-/Contents 1299 0 R
-/Resources 1297 0 R
+/Contents 1362 0 R
+/Resources 1360 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
-/Annots [ 1301 0 R 1306 0 R ]
+/Parent 1346 0 R
+/Annots [ 1364 0 R 1369 0 R ]
 >> endobj
-1301 0 obj <<
+1364 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [324.9335 676.047 381.8296 688.1066]
+/Rect [324.9335 578.0115 381.8296 590.0711]
 /Subtype /Link
 /A << /S /GoTo /D (zonefile_format) >>
 >> endobj
-1306 0 obj <<
+1369 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [55.6967 244.9849 116.59 257.0445]
+/Rect [55.6967 152.6674 116.59 164.7271]
 /Subtype /Link
 /A << /S /GoTo /D (view_statement_grammar) >>
 >> endobj
-1300 0 obj <<
-/D [1298 0 R /XYZ 56.6929 794.5015 null]
+1363 0 obj <<
+/D [1361 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 410 0 obj <<
-/D [1298 0 R /XYZ 56.6929 320.529 null]
+/D [1361 0 R /XYZ 56.6929 226.773 null]
 >> endobj
-1305 0 obj <<
-/D [1298 0 R /XYZ 56.6929 292.5255 null]
+1368 0 obj <<
+/D [1361 0 R /XYZ 56.6929 199.6254 null]
 >> endobj
-1297 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F11 1304 0 R >>
+1360 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R /F11 1367 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1311 0 obj <<
-/Length 2800      
+1374 0 obj <<
+/Length 2801      
 /Filter /FlateDecode
 >>
 stream
-xÚ½ZÝoÛ8Ï_aìËÉ@Í凨�½§´qz^\“^â;,n»Š-ÇBÉ•äd½ýÍp(™rd9E�CˆÎ×oHšňßEšqû£0ö™æB�O|ô}/„å™4L—ëýüâçkŽb2ÍWŽ®ˆñ(£ùòwïÃ?.?ϧwã‰ÔÜØx¢Ý\%¦Ç‡Û›ëÙÇß]ŽCß›Ïnoˆ|7½žÞMo>LÇi
òÒj8!p=ûç”Zï.?}º¼ÿ1ÿõb:o±¸xWäÛÅïðÑ`ÿzÁ™Š#=z�ÎDËÑÓ…¯Ó¾R
esqñ¯V¡ÓkDûâçëˆi飉òY€ŽÞ(sÆ5Dmê˜Jª6ÊRôE¹áÂ(Wiùœ–cy“lyŒYHͤŽäÈUüÊ|ËÕc_9ö…âLªXw˜¯Sˆ{z3Ø ðŠ½×Ô4.bµ.v›%Ñ�×é¶(kê{ÎêHèýÛ.-÷'tæÉSŠha"ÆŽ‹2à,öãÛìŠÝOïþ3½#Ö0Aßr¾dõš4×û­ÕÜ	¾¯™<°ìóßæ=*4•¶,ïÈãÅ&©ª}ŸKª(‚øk-›Es{ߣZ…,�QhuÃR�±´¡�…·-³§ÄÄ
-¨Û]¹-ª”^LààYíkâŨfiEäÌ>ë¾/Ó¼/[Ye/댪Òóh†¯Øm�zóý"©jkÕŒ¼�+ÀBèà5@˜’E½K6›½}Ë«ð2¤×}±+Sœü*�Þý6]€§È÷:À’‡Db²î:1Êò"OÿÞë�³Hˆff,³*yؤÖÏ-¡^¤UÕºw49/
nBRcÕ
-Pê]™SÿÍoW·Ÿ.g7ôF½Õ¶È+P�Nþä>À$†mRÖÙbÒ7.»
/|hánÉVU¨[§Ã&nÐ '£%´ð5 Ù�ôd¹´“·@ZQ�Ÿèíîú‰ˆXDVÆŒö¡O{
-’B‰…½eÛT‰fùb³[¦}°Èc%�<†dæzýä1ÐgŸŸ"™)HDõáÂ:LQ“6«ì1O—¸t0†*h5	o“å_‡t¦•Á-¹ñØu¤ØNúæÞC²øJ¥ë LµMóØ°ú µË¿æÅKþJÒndh$b2rs�”±Ýa°•Ô5æôŽÓìâ2…µô”å)½f+ËK“­HÀ$D aæ°<r!Yî‰�þ™UuEmN_È›È³Äa ùÙ¤4µ?X6YùB©k9ÁäÖH‡‡v{³-Á']™àŽuØÃÚ°Ú`@‹ò�ÛXX4µ�|B�ô°
XèÚÃSÒH'UÚ3ív¹Ø•¤?·›¬²-ó�òÚ’�YõË©³’†mB1x2<ð˜ìQζ
-ÍHµzÐß/öÁãc
-÷Aćìµ<Ç»_à<Æï× g³›ÉåÕÕ»¼û<†�ÒË“hñ‹Qñsx®
Ä
×yÌCVÔÇfûq»f…ߌÝ�ð“ŠËaì.×iì-×YìƒVØ_™íÅÞ1+5œòƒøíøá£?Ïâw¸ð7\çñYuð›íÇïš•kòíøµd*æê~‡k
-*X	ævË­3Þ	™
8÷~b?õ•Ü'}:f+*ÔØÎX{;{€åǦìØ­Ö`Ý1É›Zf·ž
„f®¼Ã±fÜ¢g·‚f×ÉsêÔ4ÛÊW|˜?�­Ž=Å‘£Öw�ØØa­bHejŒHÙ–X Y¤ôV¯3+ë4MJûb.#àiJ&Øx0üvÞ"
« Ô¢;l=%¹-q·Å_’5ˆc™ºôkLö:*_•IU—ãÈÛ-ê];`¡pŠ·ðb™¶\HMS²	Å¡F
-2۱𰂋ë+TÞ}AtòØZAtñĶªdQfNù؉—Ôõ/OÓ¥™¡¹Ôé
÷Ð^¬l7žY•&;âB\'yžnŽ–Us‹ëªH¬Hò’Xš“Ó\©Sa„®¶x~b‹oNô›®ç…„Ïí÷_ÏøH1úò´.’ã Ë6‰®*çgœ…¼»E¶†­zE;¯Gߧï£'_èÀ´™2
©½Jº…•" ÷Âzñ¦Çq
�>äGqÀbAf£o#ÔÇŠxœ¶Azˆ€!ü<{’£«ðŒH�Þ‰£Ø@
-dç¦-d"ð€äwjŽaä•)M̯¨ðÔ
-ï¤ä±„
Šfkä­Æ@¢eÖHäý56ûvjÙÚì\&�%¦têLLqͶL�<uìò%ÝJD§–xëi¹²Ýß‚±=õuQ £]Ä×-�(²S>jC
jJÚ®¢ž@€ܘbn 2Ñ3´Ø€`Û²8öçôl ë!dÆ«žÜ<'õ[�ƘåÝ`‚ëO¶U4ÃY›‹vøØhfÔR¬,s¼Yéò/ÓtÛD;ËQ§F™¦­îŒöáܨ@�œÅôcË�Žƒx49ü燓ÇÀvø¨‰õÿˆÈ­-2E'j|Š,’1|ËkøúV4È�:­VÓ‘<°9Îÿê°
Üendstream
+xÚ½ZÝoã6Ï_aôå Vù!ê£÷”Ý$=]ï^’;×íƒbËkaɵ䤾¿þf8¤D)²œE�C`h4ÎÌoHÉQøŒÁŸÅÊg2	fQøŠq5[=]°Ùhûé‚™¹š»Rï.~¸•Ñ,ñ“P„³‡�£+öYóÙÃú7ïý?®>=ÜÜ]Î…b^è_ÎUȼw‹å5qz¼ÿ¸¼]üô¯»«Ë(ð—ľ»¹½¹»Y¾¿¹œóXqè/Œ†n¿ÜõÓÝÕ‡Ww—¿?ü|qóÐbqñr&È¿ýÎfk€ýóóe«Ù¼0Ÿ'‰˜=]Jú*�ÒrŠ‹û‹¶
+�VÝu,~�Š}%‚p6W`5Œ‚ñ(3Ÿ)ˆÚ<
+@—xeÁÇ¢l¥0ÊÛªnÊô)Âå"ñ%—3Wå+ÃVhÄ°tsø"	–¶<;ô[cÙu¶Îö†ÞV‡b�täí/yìe»jßPÛsža²ý‘Èj3Ði‘þp¸‘1÷ƒ(L
+`õ³WI÷æäi”‰YgHt^FJL{)8L¦vïqÒ&Ñ1G˜·"i§mQP—Uz¨3“@c	‰!äýX >\ú‚ÑÞ#¸wÐ{–°	'{C{Z×îœ@ê�šÚã;'vrwNfô4'ƒ±�Dq?âq2—×�„ðÀçck‘±]b8ð#Z„€4Äí
+9hàS"‚ÈÂrÄŠâÉŸÃ	,‚õÅ
+…¤ÚLIž^6˜­ÖšmÚ/iW9­”ÕþÉœ6àñ˜Ñ“ºV¿&NQ­¬˜"Ï‘kCIè¡çÐtY5}å5ä,¢ô,OÌ‘‹²ÉöeÖüÍè¡Um˜…YN_8]{€(Eª‡>¸Õ­òVž�Ò9gÉ õø«ŠvH‰±ÒqEJ½KW™é@qhû’Ú—¿^üpµXÒµÖ»ª¬©ƒ$XÐÑÑ٥ɀI»tßä«ùظ
+^¸¦â^‹VU¤Z§#7 È	Äh-|
iv ?]¯�Ãä-°6ä'z»»}O]`oŠM=Ú]›ò¤„íaŽF¬¨+êš—«â°ÎÆ`‘ÇR<–¼ç1´“ÇÀ_|z‰¥§ 1Ô†«›¢(
Á—2[ãÒÁÊ°ÕĽ"/¿NéÌjÓŸÛ÷¢ÚÍÇ&ÞcºúJé¤ï2tÝc°ÑÔ¡üZV/å«ž~kïIÜË@B$f_A*mÌ6èžÝ8Èá°’žô

_ó�‘¥‡ÎUÔA§C`aÞ02ù�®�ÄÈþÌë¦&š†…ÑmEèÛJþl:â Ðì´‰M;Ë7ªý%®õSÛØ$qdÚ‹Ä:ƒcÚ>ÅíÊl`n\M0€¢lÄÊ€hLÄSzd]Ö7ˆ•‰�žÔöNël0î)%{²Pš.E^7ýKÏÀ–™yýã©S
+¹·ãXÊiä®Ôiä­ÔYä“V;ä¯ÌŽ"ï™åpyx3v¸©Xñ3Ø©	ìVê<ö)«ö¡Ùqì®Y¡–ÉÛñã-9“3ø©	üVê<þ)«þ¡Ùqü®YácÑW¼
+
+Þ2[£—OÇW{ÿüžècu°—ܲ';¨Q8Å·ÞmÙÞ‘[AÝ@@ÆUpðügú´+²G¾EÜ�$¬	Çge®NÆ™¹ïœÌ†Œyßùß�Ûçc:ªÔÄÎDyó}2	»Êc¿fƒ¥Ç´übË™ý¢0ì\Áïô,ê̸uÏ~ÌnÓçÌ)k¶Å¯¤›?ÖVÏ¿±oÌý2–xµH°r1…ÔeFäìöX¥YeôÖÐ
 endobj
-1310 0 obj <<
+1373 0 obj <<
 /Type /Page
-/Contents 1311 0 R
-/Resources 1309 0 R
+/Contents 1374 0 R
+/Resources 1372 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
+/Parent 1346 0 R
 >> endobj
-1312 0 obj <<
-/D [1310 0 R /XYZ 85.0394 794.5015 null]
+1375 0 obj <<
+/D [1373 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 414 0 obj <<
-/D [1310 0 R /XYZ 85.0394 693.6703 null]
+/D [1373 0 R /XYZ 85.0394 592.2428 null]
 >> endobj
-1313 0 obj <<
-/D [1310 0 R /XYZ 85.0394 667.7108 null]
+1376 0 obj <<
+/D [1373 0 R /XYZ 85.0394 565.4551 null]
 >> endobj
-1309 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F14 685 0 R /F62 995 0 R >>
-/XObject << /Im2 984 0 R >>
+1372 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F14 729 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1316 0 obj <<
-/Length 2594      
-/Filter /FlateDecode
->>
-stream
-xÚÍZÝsÛ8Ï_á·S¦µNü’¨½§l›ôÒÙ&{ivæf¶û Xr¢9YòZr>î¯?€ )Ù–O?ævvº‚A$�@�›Dð›¨8ŒSžN’T†*bj2[œD“{hûp¬ÌÔ	M‡R?ßžüýB$“4LcOnç]:Œ´f“Ûü÷ yx
-¢àÝõÕÅå‡ßnÎNÜ^^_�N¹Š‚‹Ë_ΉúpsöéÓÙÍé”iÅ‚wÿ<ûõöü†šb«ãçË«÷ÄIé³GéÍùÅùÍùÕ»óÓ?n?žœßúµ×Ë"�ùóä÷?¢IËþx…"Õjò?¢�¥)Ÿ,N¤¡’B8Nuòùä_^á Õt³ŸT:T\Æ`Iêˆ�™…	c “HsL{#s6fd'…F.ËîeÚ«Çbµ½bÐÊXóÉPïÎè^jdx1žqJ	­ã^³rþr:"
ž²Ž(;!C×Ù¢°íeU•-—EfÛËš¾Ýƒ[�2ÝzU9q>_Ÿ
›f�ùÚÆyc[ùߦ.ZDN¢ƒË9f2i¨ešâŠÃT)næ_ƒ 
§léÛ⊾D/ò·Ä�‰Õž"õÿÍv õ!EëCêÎrÖm‘‡;H´þ#†ZÅò0(†RûAá¥zPÌšºËfÝ*xBˆ&‡‡÷R#ão¢B…:›ã{Pp--(¸V�›�a[«
ÛZ
xH#*°•LŒMT`“AEßÔ£çÍ)VD[` ¨†dÒCÊ�ÇB~0¾p.Cüß×

²DÄ„x©@pR=Ìš§E�ÝUÅ$$(•¤‡çà¥F&±�L‰2åÆ,ÎidcŒUüæeÛ33g-ç(aè(Á ÷[^^̳uÕyã[vFþ·*Ì`lÍu }-èRlí¤p•vEÓÞ滶ŽC�Jvx^jd›¶f¡N ucï{»
-ˆ¡¼|,óuVÑoo^90ojÍ+‡æÿbh^áV™cW·"h–]ÙÔDϲš4ÞaIòDm¥ÞA<‘ë0x¹t èÊÎúoY
-¡–F1xIˆ�±Aµ
;ÓPDDÎÌêùÜe]Ùvå̆ñEIQ°eΈôB^0ê|÷v«;NØMñ¾¨‹UÖ¹ùßY<î”*>ƒ”‹²sBÁb3ÈÝÚ¢¹n,QæE
£e•Ë1�ƒ{Ö9ª6Vñ$LO¯(_/–.YÝ—uëRX÷`Ë>UYoùŸâ§ÏøµñÍ›7ã.xïGô"_"¥‰€2•)ü`ã.ÚY�ÐIP¯w¦Ø
-dăj«4kº™÷=Z’2ûnY[µ±ë5kÖugì†C½,;ªÃ@à1«Öv §Õ·¹ÎÊ#‹£t
- �ü&ƒûª¹ƒt¹±"J0aË6e'T¡
-–‚‚xdäè€e£
-p”ND¢B•¨£ÕjÉ$J¶Õ_×ËMV-“Pó(Ù?ê�.Kº›ª¦~Qˆ’
-¬x¼dL…R''!�b²w»žÍŠ¶qL*QWcô‘€aíÀ´I²¦VÉ|]ÿϵËïðc‘嶫
²K¦Ÿ¿ØÉÆæ DÇb<ü
-åìa,:ú3vfçÅÏÕõùÍÍ5ÞðˆØ
-µË¦nj¶™å;úV°ñZ’²¶ÕíÓøronvÊ©’PÂN;:õÛ€‚�‘ÖP8Š0=x¥´£ÒõØ�½H„ZJñ
-öX
-“­‹y±ZÑÞõ:ö$ã{H#ö$=Ö�I~5¤uäyÄ
r°Òê[ìØFq¦£›¨ñr{À=ƒu›-¨{xÖò°wx
-ßDQf¨ŸW«¶èŽÌz°-
m2ƒ�9ÊZ;ï ¹éäPœúHÛœÖ#ÛEm�yÖeû½50Ã÷u–ü®Î‚óz™æo%,T±=F×ÏyƒßqîâJyw!�î¯wþ°îBrÓ]0=ºí‚–«¿¿þtvy5–Õ6üuÀ'ƒÕþ•#HÀy}ïm–w
-äÞØ
vž•ÕzUBxÆ
-º¦Ó1^ÎÂ�6×/æyá�Ræh¥U_AÇn;í_1 F·Ïqpùëئœå¹MC-^Ç$i°lV�!µS�™§Ìm³9®³ÀþÂk›²êœˆY•µ­åU¤;ËG/¤î
->\Á�#wéšC§¯búG`“qØÚÙ+
-p'4>£ÊG,çUÚ—óŠ
-Fä4ñR㞃$Fýô äWô˜:Kšh*~Sé.ðD¤,ê�I—N@XÔ
xP
ù;£i}×0vÝU£h¤80^8
-8ƒ¦$S¼¢IX�ýÇ6
Ç|-:ZÑÞ…TpˆJÔ±š°
-�îûë¡Ð c‹ðÏF×7ÿåKÿgALpÚä㨳ànRæ™Nî>ÌF!WøÈÔÿ^»îùendstream
+1379 0 obj <<
+/Length 3229      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ZÝsÛ6÷_¡·£f"Ÿ$ñ˜6NëNëÜ9îô¡í-Qç$R);Î_ì‚%ZI®“™\,‹Ýß~
+shšnJ„¼�)ËỪE&|f´7 ø«-	©j|†-ë`2¯Õh“‚<T‘=Ÿ«Þfõؘ úŽFMpgwtû2IÞkåá04lÇü«²ÜkWõ`uʲ×/´N-“¹Ígq,ý³ðt‰ÀØâsH1ÿ,y,4³¹€t$5@*§“¾`™€h_¤*c&WzÈ
+b"é÷\ÎCÞ�@ÈXðÄB “é4—³XîÙê=×Äò*Z^HÁ´¶f¼þÇ}¹¬Ö
+™G:<[·£?9—åê
R@±ºáÀÉÿ}€ûs#
+=åØ–«3䨌Vjs1×ë è¹P,›º+–Ý*$gÐ2d——ï¹&֣°<Uãõ{PÈ\(dn’ �'“Õ€LVZ@…c¾2!3êT¸)�Šaj@…›\7s‘pÜç<ÝCÝCk&SÀó(¿0þ”àî¿ÿF‚&ý"®@\üž.ooË34@ŸdLf/ëÐsM(1Bƒk¿dÁ‘׸²·ƒ/xðô59‹`­à(Š0ç(ã{¢­Êuqô
�OäýO"übl
i̤ا\°uÄuÁÖ�Ëí’v´l~në”å:·‹:ô\JŒm-XžAáiñn°«‚ZUOÕêè[
+xïÍ«#óZ2¯ŽÍ«zü«Ø¼*ìrå>…&€˜hö]ÕÔ8^5J|ÀÖi‘q&3cÇźn‹Wû
+Ôù¡EUÚ$E$Ni
ŽÄ¹É%ˆ+!'¨Ôõ–mƒ,K€5lí|"‡$#jÛÿù„.
+V–åÄFò�½½B5®RÕ]y µHœè$U»½w`óD[éúµÝ7uKSІ­1‹.ÐqRhÆ9ô-#ÏíŠzYbÛܬ]^í�‹@±6O~ÇäsÎv�Œ{o
+ícƒ�sy< ³7’õ‘°õ6+('
+�HŠDUôD_ý}¬(-!uwôµÒ�š¾µT®DÁûÎ`¼{¡¤pTÛàÍk¶¢Íõ¶XˆT1‘
Î	÷ŒÇÖuOÐDT.C§d\eÎj
L�£3íËŠ	eHàµÎÇ}J¥ÑÍý
+J{ÜQKì‰ÀÍ{ýæý�û*èßL央÷ÂÈ[)3VȯpVjq
m€¿\[†vé�nÛB{�ot7úz:ÐÙçÚŽ•ˆŽš'º¤)Ó\«‹YD0�rs1‹£ …a€ÞЭ1^XZêÃeß´mõÐ_W6´§þŽ"ºã…h™ÉO£û¸ß‡Ve[íª“ ïqkNüîc:x‹(z^Â¥À´U%íŒRipZñiA–m«ÏSvÍãÊd½Ep/pN2©U¯·SQ‚Õ~èÐ`†,¨BeUX}á}WÕŸ:ªÿ8…’úŽÄ`Ç„´qÃä»Z·ï_Æ-’	ÚQsòûÜ@Êï6‹© iŽÝ$@Y–©ü[�Zç‚ ?i¨Ë—å¶ZNÉÉ™�}[Ü!p‹9
+ÏÿúSƒyt;ùÇå²,ý8|—�–FÚ#^·¬¶eÛÒ¢ë‘>ºOÇaö‹]Þá
+#8Á¬ÎáLÙ7eîÒ �"¸žqDJ¿<9Jø©ÍQè+Ì¥T²ÁÇQB{'ðøê>"Oº¡o Eà<F›{ÂÁq½ì	Ça/£í»ººõ�õë0ò·ÑUÝâ[��vW`DeI}Ü=`
 endobj
-1315 0 obj <<
+1378 0 obj <<
 /Type /Page
-/Contents 1316 0 R
-/Resources 1314 0 R
+/Contents 1379 0 R
+/Resources 1377 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
+/Parent 1346 0 R
 >> endobj
-1317 0 obj <<
-/D [1315 0 R /XYZ 56.6929 794.5015 null]
+1380 0 obj <<
+/D [1378 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 418 0 obj <<
-/D [1315 0 R /XYZ 56.6929 598.1755 null]
+/D [1378 0 R /XYZ 56.6929 489.6987 null]
 >> endobj
-1193 0 obj <<
-/D [1315 0 R /XYZ 56.6929 575.8643 null]
->> endobj
-1318 0 obj <<
-/D [1315 0 R /XYZ 56.6929 387.929 null]
->> endobj
-1319 0 obj <<
-/D [1315 0 R /XYZ 56.6929 375.9738 null]
+985 0 obj <<
+/D [1378 0 R /XYZ 56.6929 463.7183 null]
 >> endobj
-1314 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R >>
+1377 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F62 1050 0 R /F21 702 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1322 0 obj <<
-/Length 3098      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZYsÜ6~ׯ˜·U™‚Gí“ãÈŽR‰¼++•Çåâp03¬ðó�<ÙÝÿ¾Ýh€Ç˜’ìré�@£
4}|�_1øã«XùL&Á*J_1®VYyÁV{{sÁ-�瘼)×�w?¼–Ñ*ñ“P„«»Ýd­ØgqÌWwÛ÷ëW?¿ü×ÝÕí¥'[‡þ¥§B¶þñúæ'¢$ôyõöæõõ›ßo_^FÁúîúí
‘o¯^_Ý^ݼººôx¬8Ìv…G&¼¾þõŠZon_þöÛËÛËw¿\\Ý
g™ž—3‰ùtñþ[máØ¿\0_&±Z=@‡ù<IĪ¼”ôU ¥£ï.þ=,85S—ô§dì«XD
-|I�*ñC)¤Q`ßh<°Ê	+ü$�1¬�</,Çt1å"pÛþXäYÚ--?ÖñD¢Öu³°�ü0Pn½¦>õvi5GMË×Õ°b®7¿j�WYsÉãµ.uÕé­Ý/­¶4\¦'âO·Û¼Ëë*-Š
eißjìzA>!@@ÆÝÎ�Îú¦…%–dÝ(%,gV÷ Kc×®i»�ÙbåÉDù"dáÊãÜOpN9;†¿ ƒ¹`a˜h¹<KfŒ­_$s}§3ìZoH³C^í$‡U…ò¹ŒÈ6î@žÔD_ØÖ­[3XNƒªe¯Ó¢­‰%Ý78»è\CÄ�UOj¦/È"?Ž¢ÑÍúykªh—UkŲ’Ð@W)/�F•õ½=Jç8HÃí±®Z;tÔÍ®6d�nG€0Šùí”i•¡©DɺÞáu
(	pÔõ]Ñêî’¯‡Û
-£³ÔÆà/\°
¼0‰ž
°Ò�¶ZF6ˆb"g
-·\#
-5ž”®h„äáYͶùßKz�$Ôµ*4BgP
-‡‰|NM@eû¡ÁˆÕ t™URö…~™WäŸÁ$ÿÓ­4 Eˆ‰hsÀdP†ÝwÀ/sˆ¤œtœüq© äwoÉIê¾[.ª£h(㿺ÔZªö#ºü—�2¨ö—Ö‰}ç°lS„ÀŠ
ð=ÃLH2f‚

-LИ%|6…½8hWzÐE1§Ð|Ά:Äš…
‹²Nڶ΋¹'PÚÏÌÞà&T½�ëŸë�h ˆ)	³Ü65$55$A¤ùÙDåC©skPp4w<ÎlÚn\SÛêPYä<ÎÀ€d�m²	
-¹h-ƒäɇ£‘Q©ãP‡HäºMKM¤3™“À¡I@!¾™ª
[ƺqý>Ë´65°›6M;­Ý˜hû”ö(tÛÚMw3y‚!»ÑgQ^ÓÀ¯nÐkb¨)P†Ï`ôðÁÙƒKQ�Ã11s
-`Ÿ¾ØucgQ„ c‘R®3óAŠƒwœÊWœdo›@óÈ™óÜÚ°?ºr�ŽÖŽÝYfvŒyµ0&âW®……<
-
-lÏÑŽû¡E™�/A×Â…G5‰Ðq™G&³ˆÂ|—VúÊÈ»øc+˜J”Är’/%üÌVÿⱕ:épƒÐ9ö¦·§@ª¦}ÂÙε²pÑP»‘Í>r>X4WÌ$XaÖ.kå¥BfíÀ»

+1383 0 obj <<
+/Length 2832      
+/Filter /FlateDecode
+>>
+stream
+xÚµ]sÛ6òÝ¿Bo'ß„(>I }JS'uçšæRwî!õdh
+²9•H•¤œøîúßo�ø!ѱ]÷Fø^ì.ö›b
+?¶ÐŠPaä"3’(ÊԢ؞ÐÅ5¬½9aaO7%ã]ß^œ|õZdCLÊÓÅÅzKª5[\¬>,_}ÿòÝÅÙûÓ„+ºLÉi¢Rºüöüíw8c°yõÓÛ×ço~yÿò4“Ë‹óŸÞâôû³×gïÏÞ¾:;M˜VÎó
+g6'?Ÿü³8ZõGçø'•&ŠËt‘(N4MÙ<—)¡
+¸–d’‘Ô(Ùs™³9.Ç]ŽËÛüs’yqc“¶ü·=¤š
4Sl1}„@¿k1€¥0MP¸¸±§‰ ÂáRn÷[äÛz_uد×aƒÝÖÍöË
+Û«»Î¶Øíjl÷m
+…3bÇ•ôعv•w9ön®õ׺Þ�ýæ”é¥uã6î*CoSnËî…ë«álDÙõ?•›
öŠ�ÍÃ-À2\u}�ö-oíæ.
+Î8Àv Yú#nšJvFŒà:ì!aèODfí´,GJA™…"ŒKDÑY&–�™¢”.Û.ïʶ+‹6)nòª²›1ûìÖV
Ñ7M¾ÝæÍ¶À
+žz›òêóvÃAk¹ÖÑ�H¿dú`{ŽÄE«_ŸˆÖTC
+†›«×)²@g0�n¦‡v�Gì­‹.üÖuh;\Á£)<M¹	SŽÒz@ãcÂ,PÝä�WZºç4*<'¬åÕî/îoÛ0bµÎËM`@ gBôÞÎak”³û•àe5g|@qy½¢7¶3®ººw¯E]ux—Õ›øn ‘M0™ãðâÕ;·uñ›×~è;�`«²ºÆ=y˜FÂD»³EéŒ-¼Ê1ÊlC¢¦ÜÄ"ˈPRCøÞ<cú1‰
+µžO’b2y¾ó…SÞosz[qÌTÎ5©	dxkñxdpX3y/¤æ.+zˆð@B£˜`Sø�dž"ªªÓ!–ŸnJˆQôa]Qyü^äÁ xó£Í2ŽÏßÝJœqIE˜I±çÀ˜Ûå\Ý£)PÏ!2»�±÷C„h€<É	ØðìÙŒí!&c�ÇŒå�Á1•™áæ/1VCeÔXŒ¼�‚f’
+Ê�ƒÂÃP<;Í"Dšƒ7eûF‹ŽÃh�w©
:=Ì*°¿|€ßßJ;›·*0\Y…÷Þêð„  XSA¨ÁìÎÓº(Æ{g>@Ç÷‡Æ]x‰«Þ
+û‰5¶˜|:×裟wÂ>DÒÃP²N€R-—.Y©q-žÂ[F@Q
+‚­3ÉÐèšhÖ}¢ìü±¸¦†è,»ß²¢O‘µdššŠgKk1ƒ<–V�O�@͆›¿,­
+žø
iå2‹[¾þzÎKFŽ<—[¢ŒSWx"É*„ž!œÃüÊÁü¾8Ü£ét/ˮ竮Ü;ôb¤r˜ÕFÂѯœËªdn2¥&(©¼WI1Y–.F»<DÄ
+�©R0�„»þÎ./Ã…@b[vå­?Ä1 rêí}Uc&¥çQ´
+øj×Øuùyc«Ëq�ÙeîƒÙ\ýõª¾Þ‡‚ô�m?ÖÍG4¹á¤{PšŠ¥ã¦¾-W6)?¯›'À˜ Р>†]Ušw6Ù¯vøñÍOUûíUdí#nwðž kòª]Û¦}ìi6w:Árêჺ²	lødûo
éê.Ì·ý6½ôK8ÿfïúï¾qæÈ…P#
 endobj
-1321 0 obj <<
+1382 0 obj <<
 /Type /Page
-/Contents 1322 0 R
-/Resources 1320 0 R
+/Contents 1383 0 R
+/Resources 1381 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
+/Parent 1388 0 R
 >> endobj
-1323 0 obj <<
-/D [1321 0 R /XYZ 85.0394 794.5015 null]
+1384 0 obj <<
+/D [1382 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 422 0 obj <<
-/D [1321 0 R /XYZ 85.0394 732.0195 null]
+/D [1382 0 R /XYZ 85.0394 690.4757 null]
 >> endobj
-930 0 obj <<
-/D [1321 0 R /XYZ 85.0394 704.3916 null]
+1385 0 obj <<
+/D [1382 0 R /XYZ 85.0394 663.4801 null]
 >> endobj
 426 0 obj <<
-/D [1321 0 R /XYZ 85.0394 215.3041 null]
+/D [1382 0 R /XYZ 85.0394 582.7428 null]
 >> endobj
-1324 0 obj <<
-/D [1321 0 R /XYZ 85.0394 190.7685 null]
+1386 0 obj <<
+/D [1382 0 R /XYZ 85.0394 552.623 null]
 >> endobj
-1320 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R >>
+430 0 obj <<
+/D [1382 0 R /XYZ 85.0394 310.6261 null]
+>> endobj
+1387 0 obj <<
+/D [1382 0 R /XYZ 85.0394 286.2805 null]
+>> endobj
+1381 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1327 0 obj <<
-/Length 3841      
-/Filter /FlateDecode
->>
-stream
-xÚµÙrÛÈñ]_ÁG*e"˜3SûäìÚ§obksÔÆ•‚HPBL\”¬TòïéžîÁ%Ð’²•âgz®îž¾b‘ÂO,L–d^ú…õ:1©0‹õþ"]ÜÀØ÷‚ç¬â¤ÕpÖo®.~ýVÙ…O|&³ÅÕv°—KRçÄâjóÓ2Kdr	;¤ËoxÿöÝ÷?~x}iõòêÝï/WҤ˷ï~ÿ†Zßxý‡?¼þp¹Έ巿}ýÇ«7h(ã=~óîýwñôwfÓoÞ¾ùðæý·o.?]ýîâÍUGË�^‘*$äç‹Ÿ>¥‹
�ý»‹4QÞ™Å=tÒDx/ûmTb´R²»øxñ§nÃÁhX:Ë?‘&RerŽ�~À@—&Y
-[Yã“LIøÓå*KÓe{Ì«f[WM}:®þ=5iyÐÿÈ7›#Aþ�/„õ‰’Ö,V"±Z™°Ñ¯Â�I¼µÙb
-̬øý¶˜6f‹–:Ñ©Óc™þÏ78úë·Rt<»—Ât—èLg�ËÜ@
-Û5Åñ®8’UÿØæm±/ª–ºßOSY•mYWÉ«
5~lò›‚�R'I“cl8éê¶èðé'	—d.50ç0�÷’`¤-øž6À-Ë
áV4Ô]ßæÇ|ÝDziË5Ûšþ¯úÏ›¦^—°Í†ú÷e{Ë#ôw¼nYìë6,�Ë*ßóRF| 8JéÕòÝv´ò@K§/´vW\Šeu'Ðu¹D?QìU°û¡X—¸¶Ø¼BˆY¶·²\Ép
-2SÓü(leEw>òÐàì½Í<ß9ò“¬ëj;#àÃÁ/Ä©	P¡k¤C'
-_“B�
…~J
-ÆVÌH¡UËu^Q£^¯OGjæ<FtƒÄ´õ� »â®ØñüíhìTWx
7§cÎê@„ìxBÍÛ—USnxç|†,%L"ŒrŒð]YÜÏé–Nœq�¨B‘±ž„ûÌþ`�}âR;1<çϱ)@sÏX¤¹Í�ì¹e]”`O3{w:Mœ5Ϲ<©Å£ãÔ2ãáÈ pV{[7|<Šz„ÖbvD%Í"Kè ñÀ“êÊn˜]¹Iœ˜Fu0X*)aÚ‚Š–7UÝ+­¶i¸�0�&Ü•`LðhìôlÃU=ÇkÁv:óþdÞÉ9þ(a‰6<dDÛô,¡!fÑò=k†`v6n8
-v[13ÄžAB*†ßò�Þ	;ôGT)áÉð
-¢ÕYLˆ©
D#žžEAÑŠ@³æéí|te!
]xö”Š‚»2*ês}àv/«þ€\°ã8
þovõ5jC€…¥
u®Am?ó6
-ž…8£X2?I+s6ªùÈ‚Îú—³Q¥v*z¹#©ËY²Mâ{™èâm'É2±Y’Nôf	™"š%„�XúÞ,á¼@•£\ç²RKç£ð89ToZ5«up­:õfÌ5²AÒfc96Ë-iÛžIšM4D¶™ÐÁ8üޢ¢fºŒ53ci
+ÛWCþÀX”V­·=3–	PËÎi=}m.3�¤v/Ù|CÌ	1‘Wg2¡F¦립#¬“aèDFÏ ŠŽ‚”>_Zßýõ-–z•ž˜qP²602H(5ÇG8¼áaâ4Î;¨¨�£ýÆ,J
-"ïÍW媛5âEs[Ÿvˆ%¡ùî>h¨}_?£ædLJ
-’ùsæÜÉD+ežmε•1HD®ÍJ£;%zZã¬÷#;Ét•ün:ÞŸA.DÝ�JöèÝ<Š M�±c
…!§©.Þ4:«L.¯“yhdÈœâxg]ס¬06Z¡M²�`}i&PRîù°šG;ɃNIþW,·5ïR|É÷:FKƈ°SŠ|�SUé¥|`P®O77“ßú˜7·1ňVj]�—ny:´<€µ˜|h1s&ëe.Ôimq±©š3…ÝÉcÔ‡Sï:1‰í#zá8hŒè
Ö%zÐæ8sßòÓCËËjúçCìòÍwï?ò
-Š³–3öûSF/8^òr*£ÆwÀeGLÝ¢CyA“ŽË�çsºÙôŸRR)ôÂì˜�9À2è>+˺²^Òê´9¬šò_sea@ÉgÎO<&äèµñžW'ļ…Ö�ßý‘ƶ
Äi»#é±|¬jK*
-Ï°÷`B;¡9#GB¢»rFDi¦îÜ¡3Œ°€7ÒñWÛFÃÌê®x5µe}Ø12hló°<KÃ÷ÝàPû”j—±ÅÖÐc°GQ;ôv$E7£�BþeÆÔ‚¦³æíó/_US0WªËG:¡*ª©PÑ‚¢sûRîO{ìÈÎ*ÖY/šðHDëI�¡ÕR¨ÎØböR…ʧŸh•ŠZEZª¥Ò‰švª&¥$U“’Ÿ~
-V®°}L$?ÓÀT.gqè#I&?WõýTd^.™ÿ»¸±²ô¹ôèi朂uíkªk‚ɆÜâ¾&0¯œ¯0p—]o@ÎW6:?²Šfü‘M!vY”ݪXÁ†÷³•h#c¥éK1Z„Ê
-†°þcŽ®ø?£À2|pÐ)põÀ„͹õüX£CžÕÐÑ!O„ãöôXÑ!óu'‹‡q4(â¦PÜ›4GÂJx|•3cûü4)²{	U÷$=	I"vÂëe	ʈÖ[C~‰uyœL‹d|å
*REÀ€½æ’ôOÕðhëzÃð‚óQ
-ÆÖWß}ÿjz%�bg&‹´ïÀ?:Þ,¨ñaðEoœ½L'v©œî‰|,"Ò΂75S<„Ê›efˆÈ£Š»I_?ÿÑ^ý{xz,;dË6ßñç
+1391 0 obj <<
+/Length 3884      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥Ërã6òî¯ðQ®1x$P9M2ž¬S›IvÆÙG%9P%s‡"‘²G©Úßntƒ/ÓcOR:h
+0ˆÅ·?¾{{óÝÏï__¥ñâöæÇwWKeÄâíÍ߯©õÝû×?üðúýÕRZ#ßþíõO·×ïi(aßܼ{CGO }ýöúýõ»o¯¯~»ýþâú¶;Ëð¼Rh<Èï¿ü&.7pìï/D¤�5—БtN]î/b£#k åŇ‹t£~é,ÿ¤ˆ”NÔc9` Q"
+ÙŒ2&“ÏI¡C…ŽŸ“B�zŸÊ)Lõb�UÔ¨×ëÓ‘š�ѹAbÚú@�2¿ÏKž¿MLu…×°;3V7
+€=ÉËìÕÅ"²©yÉÝ©X>Ú¾A%3¶ôš
{µwuÃÛ£¤hM –`K§¤Yd-4Î<©>,é‚I�‰¬tcU¨½½Ò„„Ïæ5´ØUu¯³q*ü
øi4á¾
+vx;«R62 ×|?Dãì-Ê$	³Šfxm©ƒiéÄS�D&‚–ž˜n@©_bº•ˆâ¸ïñ¾“¸,>mçÏÀÁvN
íÜ&oÑW.öé%€îrÏußñz¯S»(ë5Fbë
¸êØ
QÝ4ú†ùû¬i“d¸g˜B×Ü`ÛmˆßÔÇ!AEÌH]$�‰£k/ª5)‰§G$‹?¼ÝÄV!B³õ´ƒ©~Ç@zl$ìÐ�JKG†àevŸ#H	^²×�Ò&$rqš²¹B4-ï9g•4„¿iÓ9Ÿ“/0&.îœï<=8™0°©Rnì‡z& ¯$¶«TQR3//žŒÊïÊCÝ4ŪÌ#ºÈvÓþ`ˆgö`J§ô‹øå2�Ðg%‡�솻õ(:PãÀÔÓs¼ŸRó!!l­«%çöKúú9AÂKT’ÎjSXÝR�t:!+Íš§·óÁUj"#�{¡Š‚»2:ès}à°U¿Q@.Ørœ
+ŽuE/Ãëd:A†ÑÁ3ˆ¢#/¥/—Ö›¿ÅJ‹Ž'fÔ€¬
Œòɘã#Þð0qç�X§ Ñ1‹À²S[ï!�
é¤Ô3^lÉÔAk•ù
ö}
("jÞÞqòºå€Ø§Ã^ýûd`QêëÐî¿]T¹g@hǪS ¼yAÙ/zûb}GÍÁáíð„®;¡ã Æë(¤ÇÖ&l_·_C+憺ëÕv•áê¹P,Ö±8g>ë(—ݬ/š»úT"•„fåCvn¨ýP?¢æ$	LJ
+’¸§Ì¹UQ¬µy±9�S‚DäÚ¬¡4q§DÏk\êÜÈNò¹
+þ÷7íï�þ@ÖGÝþ”ìÑ»y=@–:“Ž£H2šjÃíA£³Êäò:™‡VN†ÌjŽ·pÖªöU%€±Ñòm’hxëK3á$Åž7«y´“<èäåb[3–üS¶ÇÐ1ÐX0Ed€­îHäkœªJ/僲:ívçI}o}Ìš»�b+µ®�Ç+»8ZÀŒ‡Z||h1s&kb”ž©ËØX[œoªæ‰ÂBÜÉcÔûúRï:1‰í#zi9hˆè
Ö%zÐæ8sßòÓCËËjúçMÒÅõ›wxÅÙËûý©£ç/ù�r*£ÇBÆUGLÝ‚CyA#ÆÕƧsºÙôK&i$”Œ¿ ̘*Oî‹2°¤«Šá%-O›Ã²)þ˜«
+I.±nâ1!@¯�÷d¹8‰ æ-´~~ó�y´Äi»%é±l¬j*
+ÿeÆ4MgÍÛgŸ>«¦`®t—�tB!uPS©ƒEçö©ØŸöØQ�=Ô¬³8ž7þ�ˆÖ“C+¨¥Ô�±Åì¥ò•O7Ñ*´Š´4Ž´5íTM)Eª¦¿ü
+\�ù`sn=
?ÖÅè�g5´µÏa»==VtÄ|žÄÉâa�Å
Š¸é
qƒæŽ°”_åÌXªŸ?
+Äë}�Ù'TÝ“ô$‰Øñ�—(#ZïòK¬ËãdZ¤Â+@P‘*zêc.™AÿTm€Ž¶®7?œ¿G
+½¿…
ÿÒˆ
ÿb»=S‡Q_sö:CmïNÓ¯BÃ{:ldŒ$è&âàê³}ª8v×Ä*ÜE§©Àû%à…D.=íV�À¼-DSo}qu&ùÅš˜ø²ÍR	Û½2úB8ªW`ð<~]×*~â Öa´þvlD$øXTŠ'öK5hv�Üíì›Ki×ñðˆŠ[x×Äqé$�|b°Ê'IØ„ˆ‰õîx�éˆÁnje‡:™v娔�.@Êbï“ï4„Aiø€…æQ-ÓÉj}:öa!ŠjUŸ¼6A'Ô帮8òEÃMFüÇeã<ŠÞU)1㣌„sþ)L—ê¾x†=žØi5wàp'ŸyÃÄÀ³áìœ
Ù:˜äÎY‡G¿yÁR��õõ’Žæå�ÅyVÊÒ8R±çhQx}•‘pþõõÙ8l-�
+üú˜ŸŸÈÞ�HÔ4{�!ûØ€(�‚Ì}„`u÷´Â&Ó¯À”€{u RËT½ä;09kíüW`ËãrˆÒâ59?˜p›$ýÎ^Y6sI¸ŠlMღ
Û›Žø©z¸«Í„
S&´M�Ìš@~bòû0ãùÍZä+pk|GðY@Œ9è+~ŠÐžùÅÀNMQ0¾¾ýpóÝ«é­@š��_¦¹È&HCÇÝ%5Þ>ª³—ƒéÄïá)§8‘€y Ú¦àQÍ”©“(M3$äÑ7}ݤÏïÿs@Òî¡ô�,Ú¬äOð9«æ
+mÓqµÁ&cË•B6ÿ/F”zÞ­à÷Ío\´´j?¿¾=·>¸P–WšN‹!¸§q“=
VvUÖžºr‡éJh†Eþwy•é«;ìžbƒ	é<,B	&„#
+€>ÏÁž´|ãp€œ1LjñD#”®H—‰N¯ç«ñ“—/t»¢ÊÚÎÎŽ“žçêu#óMÏ%¦7/8Ê[ðUWØUaluûdÈ,\Ìf\¯KˆüN;âbÁDbcwÌö{Hê|}n�sr„Ø$ÏXm	ùè¹±B’Y?4ÔöæûSÙ‡’§ NLµ4~éUÂ}�îÓF™L¥ú+eþb»àj€Lâ(}ô…Õ  (™‹œ{rø3÷­°6ø¸1gD÷í_þŽ¸ÿÈ:†xÎZ5oOTjñY¢ü÷ºöåáƒãǤÿC_ý¢endstream
 endobj
-1326 0 obj <<
+1390 0 obj <<
 /Type /Page
-/Contents 1327 0 R
-/Resources 1325 0 R
+/Contents 1391 0 R
+/Resources 1389 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1296 0 R
-/Annots [ 1329 0 R ]
+/Parent 1388 0 R
+/Annots [ 1393 0 R ]
 >> endobj
-1329 0 obj <<
+1393 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [87.6538 61.5153 137.7628 73.5749]
+/Rect [87.6538 116.0624 137.7628 128.122]
 /Subtype /Link
 /A << /S /GoTo /D (tsig) >>
 >> endobj
-1328 0 obj <<
-/D [1326 0 R /XYZ 56.6929 794.5015 null]
+1392 0 obj <<
+/D [1390 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-430 0 obj <<
-/D [1326 0 R /XYZ 56.6929 659.7801 null]
+434 0 obj <<
+/D [1390 0 R /XYZ 56.6929 718.7806 null]
 >> endobj
-1214 0 obj <<
-/D [1326 0 R /XYZ 56.6929 629.052 null]
+1274 0 obj <<
+/D [1390 0 R /XYZ 56.6929 687.5668 null]
 >> endobj
-1325 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1389 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1332 0 obj <<
-/Length 2654      
+1396 0 obj <<
+/Length 2509      
 /Filter /FlateDecode
 >>
 stream
-xÚÅZÝsÛ¸÷_¡·R3HLžœÄN}í9w¶ï¡“Ëx(‰–8¡HE¤¬º�ûßoðKTl7ÓéøA ¸X,»¿ý ƒ	ƒ¿`KŸ	N"ú’r²Øœ±É
-Þ}<,ÍÌͺTïîÎþz)¢‰öµâjr÷Ðáû,ŽƒÉÝò³÷þoç¿Ü]ÜLg\2OùÓ™TÌ{wuý�f4ý¼ÿt}yõñ·›óizwWŸ®iúæâòâæâúýÅtÄ2€õÜr8±àòê4úxsþóÏç7Ó/w?�]Ü5géž7`òíìó6Y±:c¾Ð±œà�ù�Ö|²9¥ðe(„›ÉÏnÏ~mvÞš¥cú“"öeÌ£r1¦@©}%à*0™Î„ÔÞnÄ^úmŸV5MTÙªHê=ÍãTì²<§—ó”~Wi‘î’:]Òã¾ÊŠ
ëµ]ô5}²·é"û�1î¨×iË\{Ia§“í6-–Ž¨ž^Ùc©½MZUÉ*…«R"òÎñ@³ ðµ”Üœªw¼¯r—­28�'I¹¡'ôpSÖö¹Jw� §gýeÝ%þ¶Ïh°´¼Jú�; I÷nþäösÌP?Ax~sŒÈׂÇæçy½.÷«õt2+$V»d³IvôP>´o�Üyйó@h?RR
gd»U–ªk,#PÂ-òd_Ù­’</�J»åfŸ×Ù6·$Èó
¨³€ëÊŸp>@ËÂ×hRlSËÊéÇ™
4 B?Ší®”<}±ß‘š‹:·Z¬öÛm¹óUÞݸB´pÎíQë]RTdˆ³ªÜïéˆz"p>®c»-u”¯ušïìQ�°Ž
'T÷4�–Jr˜<j¨¬�ÂìÕ/�!M�±SÊ.)Éa©%Y.Ig•åil^Ì-7Ømi•®9¨.ûJ7W.Xèý»,Ðû˜l�fæY½¶óÆ=aªëBøÂ^1
-ùø3
wþ}ÇŸ8€žb™ ßÝ}ß�4cê»îe¨õÓ§‹D[ok½I(—¼GÌÅóˆÙŒÞÑ­˜%o2$]o2lJz1·�ü%6’†ò¡ÌI2#”ä@8mø‰~ÆçÖ�°†9å@RYÂ%&aʶgêy:a�‹
-Â%Ÿ¿U©ú
7›Û8rH¦Y¬ûzù?:Gü�äË-L½ªà¥þc¶kŽŠ‰mJ
‰œ€*GÙ²×ÄM
u?ÃÒi·¯ Š˜™êÈp½­¡ªÝÎbµo.Ã_èŽtPs€‚u‰3¥]N
-xÿÇ\‡°‰	Mÿê�)G‘¬Øoæ˜SoÜ¥Û¯z)d|>¦{=_óóÙ÷ý/_È‚Feÿã혲Až0‚R®×)™³—*ùCŠ×XdmrCñ¿aô±��öOæa[bõÄ8æ(µÏ1«eö†Z	cÌ^�„&Ãã‡ëÛÛ‹÷4®R¨O³ú‰ž¨·PÖ•O¥p—2«3L…ç&Àéã¬a@‡ñ$¸FJ=—U:úYwÁX27äÛÏ*A˜Ð�‡ÒHš	uO˜ãN”%zF‚#^”Mš&À¹Óç¬Å/Îô°sʆúÈ)›žŒzá×ݪW0ï°NzAy¶ûyž-hlm¡&L÷Š²˜%ûz]Â~	¢?MS9ŒŒÝ~_‹òP˜ŠMzó½Ъp‚ÍíRc)<	‡N\Ρ„2rC"
-zÌ3º1ê
¶ô£¶GñbÇ@¬]~�¸ž2r_¦
-«P5Ú�ñ¸v¢Øg<~±râ8vé¼IÉlq[VépëVwðàêTÕT°Îþ{å±
•¿_üÓ¥
-
-r5H6onª´Z«Ò¿8{·lÈiH_z=w—÷¡|£Fz2	`Rê—k-Pj$	Úf "FˆB¤¦Ù¶%ŽO6œh<–B@’d±nÖVpÑÖE´59í‚“á`ô´ä¼4]$›ô
é›Ô;€™"Y¹þ›E¦º\”ù+eëÍ›AŠÕ´èÞ%{UØŨ­õj8MÒkÝõWÒ©-ù'òÃaΛ>féáÇ’oâ ,¯{Ô•Ql+9ÐÔg¨U«êK7IâMR/Ö³Ež�$M2o~°,´¸7÷¹
œÿãíX >�îÕæTYü8³bvÙÈŒ\éŸÒê¾ÜÝåó‚QOiº°6ßÇtl;»
-0t¤²ŸÅRÈ�ÊCº{ØÌŠ¼H5 h¾¡â9�j>Q+úD�xšXžyZ÷¹C6«Û¯‘Øo¨͘~l@ÝŽ'.!¹�í]›Ûu×
+xÚÅY_sã¸
ϧð[�™µJ‘")Í>ew“m®wÙk’{èäv2²ÍØšµ%Ÿ$ÇM;÷ݤþØò:¹›NÇ")@à@G~á(–
I4ÒIHÊÑl}ÆFx÷ù,t4O4éR}¸?ûë•Ð£$HW£û§¯8`qŽîçã�»øùþòö|Â%«à|"¸¾ùD+	=>~¹¹ºþüË폎Æ÷×_nhùöòêòöòæãåù$Œeû¹ãpdÃÕõ�—4ú|{ñÓO·ç_ï8»¼otéê2�Šüvöð•�æ ög,I,G;˜° L>ZŸER2¯¬ÎîÎþÑ0ì¼µ[‡ì'EȘë
r1d@™JÀ+4àýÒ @vHÃ$9çÀiê2Í«'Sž‡ñxRÛræ÷tÙk‘'±Û“æóa¾"Õq¾“g5À:k*íYÏVé¶2\D$ÇÕÆ̲§œ¨q
ÊØÕ럟#ZB9ü’r[à$<rfÉ|nç¦r<ë‚^L78Í*3š„	‚¯†a�HÉ­@OEy>,ÿ»È
Žd«š]ßeõÒ­/
-щë¢v*S>9¸Û;X€wN$P¯ÎžÍêå<Ã1¸g¤ÅøŠ” q#}q¥Ï7:ä[äÀëðfx‡’±zÓ•Oš]={ÌP,Î�
ái/éWƸ™(ßeël•–N-�‹�ìˆô´_û;ƒ•®Z–cW-Ü{D-.#�‹Ë7{œí�ñ
+}®Ht=^$*ù‹€ÐL8Ä­³�ÖÜÔi¶ªÞ”TÆЀ¼sSÍÊlSgENÅÓP,	@™·©–ÑÉ •Zü� å¡ð¬³|#Ƥk.­TŒ(E/Ëň·Xkè'Ý
‡°vÈϿøñöC`U DR
+ØÞé
+xGÑ
¬,ÀV§íQ¦˜`ï1¼Õ2à Æk/Y¨{‹GÖ&À‹ˆØ¼LŒì¡TÈPÈua�ºhq÷£žrªºÊ!0A]
þ¦ù6“¡î
.ðT…â	♉�¿&ž8€žb™~Ûšòûá”0¦¾NÀPFI2Àð¨vZ4¹µ‰&¡YMB%®:ÐÌçsÍ(šðÝŠÝÒ‰&KÒ�&˦ SGЩ_b+¹ª_„²šdV2¡]
+¡½‰”+)ºœðþ�½H›	4=ç¬ê2ËD–o×S¬©¿7îÒ¿·lYŸáÃ!ÝÛùÚÇC_¿’íÉNôûû!cƒ<¬�8̲Fæ¯5ò'ƒ×˜gmqCù¿`öð�Æú'jŽ¨m±zbr„’cUËÜ
µÆX½Z	m†é§›»»Ë�4®Ìl[fõÍlpE]aWÃÂeVyfX
+Om5€Ë‡U%Â@ÅÐ)GPã$úTUéé'Ý
CÅÜ>ß~U	ÂDA¼/�d`™(é	sد;¢ð¢jëâñ…·ç¤Å/Î’ý>Ìú#olšYóÂÓßšW°ñnirzAu6Ûé*›Ñ¼¡Û¨Á ¥G^ä“t[/8/Eô§ej‡‘±?ï[^ìrÛ±Éñtë„
´Ê½`S·ÕzŠOÂÇ6ˆ)²Š)´PVn(@ZRo»XÒ¸Ò;h½m"ÚÏ0óÒ$ÃäJ+ñ0Í^´&ÙëíaT³s|6)É�ìó'mó*[ä¾’ÙC§/¹Më×øpFÇù2­hejð–piVäxgª¹ÛèèRšÖåy<¶áLsdè²—ÐÎ’®wÕÄ+­ûì€à‰ü†e:÷òœ‡c)?§«lÞÙœ;¢
YóÙäCZ·×íí½ï…]UQ¬0oÞÕ€6›ÚÁc0vg·m³GÈÕª!vvZ§4ÊMµ�΋5øTÕ´Ü´×'î&˜d‹\í
Ú”²Û…=
*‡á0ú•IF0
“YQúR©Èç6§à2úI„!MWÝŽ	õ
+±c N|}í\”¸Ï
€·;ɶJð4ÿ‚ãiH¤Ú2_QËëÖ@ðÜ-SGÙñ|J‰
+£Æ:0¶ŽŽÆãW'Žc_ÎÛ’Ì5·Eeö�nmߧª¦ƒõþßk�-¨üýòŸ¾TPP+¨¤o—ÛÛÊÔûÞßšô/Þß�[rî2ïߣ�ºåtÒ£E
+TÄQˆÔ´ºÞ®êl³24sé$Aõ°íÀ¼
’¤³e³·‚‹v!’8—K|r²¬]€–‚—–ótmÞ‘­ñ£�æ{ý`¦H¶o‰¤G¦º˜+·”®˜Ê–k;�ŠqŸ$`ð!…Ü«"šÐm\Tƒ6ƒðÊÜÛIxΥŠl�@ø»M:3^ž:�úanv«Ì†‹àÊ÷¢û©p––e†•_/ëmé�¬õWD»E^4¹¢Í·Gº‘þe±GÔæ�Ú®Ó—ý¦c•9ÜnüqµãÕq˜Y-ƒ#ÅòAG"\±üœ™ÝŸëDˆƒr¼Ñq¬‰…b%÷Üæ
÷ªúÚíXöÒØ:­gËÉl•�$MgcØ£t>ZŠÇ•EW\ÿýýЕ¨}Á÷­…ÿ³®P%&°
+J³	áÒ¿˜ê±(óât·dÍSØOÒ®ùÁÞgHv·
aþ±
…ý=“A¿¾]ŠNyÀÿ°Mâ<ñ}¶=þ�ã
+Ê
+$_p E›ã<ÔÀ�4Â5@Á�cŒÀÛzÈÁ—é3±A€+<ˆÂÉùP¹O^Á±?~Á¯ñßÚ�¶�5>ý§ÿnÿ1�t â˜7�‚© æPô9¡lô$-«ÿ÷øPôÿLÎ8Èendstream
 endobj
-1331 0 obj <<
+1395 0 obj <<
 /Type /Page
-/Contents 1332 0 R
-/Resources 1330 0 R
+/Contents 1396 0 R
+/Resources 1394 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
-/Annots [ 1334 0 R 1337 0 R ]
+/Parent 1388 0 R
+/Annots [ 1398 0 R 1401 0 R ]
 >> endobj
-1334 0 obj <<
+1398 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [399.2874 660.1853 467.9594 672.2449]
+/Rect [399.2874 719.9611 467.9594 732.0207]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1337 0 obj <<
+1401 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [461.1985 408.6709 510.2452 420.7306]
+/Rect [461.1985 450.514 510.2452 462.5737]
 /Subtype /Link
 /A << /S /GoTo /D (DNSSEC) >>
 >> endobj
-1333 0 obj <<
-/D [1331 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-434 0 obj <<
-/D [1331 0 R /XYZ 85.0394 562.3583 null]
->> endobj
-1335 0 obj <<
-/D [1331 0 R /XYZ 85.0394 535.0538 null]
+1397 0 obj <<
+/D [1395 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 438 0 obj <<
-/D [1331 0 R /XYZ 85.0394 457.3433 null]
+/D [1395 0 R /XYZ 85.0394 615.421 null]
 >> endobj
-1336 0 obj <<
-/D [1331 0 R /XYZ 85.0394 427.2294 null]
+1399 0 obj <<
+/D [1395 0 R /XYZ 85.0394 585.8633 null]
 >> endobj
 442 0 obj <<
-/D [1331 0 R /XYZ 85.0394 274.9785 null]
+/D [1395 0 R /XYZ 85.0394 502.9736 null]
 >> endobj
-1308 0 obj <<
-/D [1331 0 R /XYZ 85.0394 250.6389 null]
+1400 0 obj <<
+/D [1395 0 R /XYZ 85.0394 470.6064 null]
 >> endobj
 446 0 obj <<
-/D [1331 0 R /XYZ 85.0394 122.1428 null]
+/D [1395 0 R /XYZ 85.0394 298.1533 null]
 >> endobj
-1338 0 obj <<
-/D [1331 0 R /XYZ 85.0394 92.0289 null]
+1371 0 obj <<
+/D [1395 0 R /XYZ 85.0394 271.5604 null]
 >> endobj
-1330 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+450 0 obj <<
+/D [1395 0 R /XYZ 85.0394 137.8852 null]
+>> endobj
+1402 0 obj <<
+/D [1395 0 R /XYZ 85.0394 105.518 null]
+>> endobj
+1394 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1342 0 obj <<
-/Length 2718      
+1405 0 obj <<
+/Length 2683      
 /Filter /FlateDecode
 >>
 stream
-xÚ­ZÝsÛ¸÷_¡ÉK陈!
-“X)?²>ûåìïÃÁ¬ûtÒ~"
-¥Jå„
¥š2`bÂTÁp•Êê©ÕÖôÜ�ë`_½Ù¯Ûr»¶ôÖØÝÁîšõ†Íç2
-SkÇé2/V8»ŠÁ®2ÉJû‰
E“I(c¡yQÓæ­Ýت=Ÿ+!ƒ…ý-Šde|AN£Ž“£ê%M´+K?\ÿB#U¾±Í6/x¼]åÌòS¹^Ó’;žk¬­ˆº»íÓìïÛŽw*Ö%Hf˜Ç&	.œ5€«¦
-©b¶1²ÀÏ�
-‰75™Gà|"%ÁÁèdÌñ	Õ~"²°Ëò"i‚YŸŽæRg@ð»0–JŽ}5Ç´#Á¯²˜G”Jƒ«ª›+Éñ�’²	ÀçŠ�œª
e‚c>SªBúÍ4T"'ZO…±Šä­'LÇIò5ÖÓø‰ìQî]7¬\›´[Í•
d£{�¬øÑÞOíª¦Iìá÷iU‚7Ã9ÄÁÖ™¨>”tˆT(
-Õå-åù-Ig¤îX˜�'𒩃œ{íFIÖßÙb¿kʃ�×Õú~
-½�‚µÏ(àn2K½}d&ÀyÕI%’Ì¢À±rc0Þb8ôÇŽ�?\’�7ÌÑû‚cåñ榨ôê
¶u~âŽÎ{`\%Á­K¡*	j·çÂîøuIÏ.'�]ƒ†Ù'êÐ8Œ³ì¸mˆoÉϦüP¹ƒCmiè7)3¤bW×Á@W÷
=0
°	€º³Ã%M½> ÜfU¯Œc\ÔUk?·�ªÎZPÐ…*ŠŽüƒ¾�r…Üuch
fV]äܩ̼ÉÀ¶ä'WÔ
Ì!™èTˆqSðïÚÕíP3ue<*)0B»rJFh´‰0I8%žQ¤iü°q@¶lgØŒÁ‘×¹-‹bfyç:›ˆ¢8Ž÷X�b¯r¤:¬Fñ#ð…¡l‹³'Ä•¡À�
ž%ô¯îi6PŸB ø%1Zt”B0Hˆà?`X¤"J÷©o€h ë¡©Š)áà„#};‡£(eƒéZˆt
-«®,p\kÏÕ‚iM”Ä^.–'9f$”	œ•XiÄã0òÏó’:„[ŒõI�“Èô�RÃã½Êœ°qÂ	‡èñÚ’Ÿ¼RÄÃé«ëñ2˜Øoì‚ù^×-ïî“\Ê݉۬šûϽЛ½«`P
-(Fòc§èòšâÇX„$‡ò¦ìχB
-ãĈ¯i ú}¦€Hcó6ŒX?Ú¡Jo{\³ ËQ]ÛÞoÑÛŸ(r™/rAY,—Ñû†ûŽã¾úf¨­þ?=ÿ:q7Z«0Òñ‘ÚìR@Þ3_ì?£÷ÿ:c©ºËä¨Ñ}ñ‚–Ü:çCªYÕûõ‚hîÙ�Ä¿£8Âó¦·Ê¶ŸêÝÇ>u<¼[é	Å=Dº/ôKøóe—{ ‚p8’îýŽ¯žðe×_¤8yíîPü‚>úPÈ‘˜6'¥e¾òpݽmN—)ç�jE˃ý� Ìœx+žb†^÷à€w¸c¡ün�ö×û…«ëÝ~ô÷
+xÚ­ZYsÛÈ~ׯ`ù%P•	Ï…+~’½²W[±ÖÑ*IUv÷
‡Ê$À%@ÉJjÿ{º§{pP EÇ*—=zúøúˆr&àŸœEqg*›%™	#!£Y±>³O°öþDòž¹ß4îzs}òê�NfY˜Å*ž]/¼ÒP¤©œ]/~
âP…§ÀAo¾|wñþWg§‰	®/~¾<�«Hï.þvNÔû«³ήNç2�dðödz�×çW´3�7—?ÐLF�L¯Îß�_�_¾=?ýýú§“óëN—¡¾RhTä�“_³¨ýÓ‰u–F³{ˆPf™š­OL¤ÃÈhígV'¿œü½c8Xu¯NÚOŠPéXMPé)FYkXBžçÅ-j
{å`¯2p^„G঻ÒÞó¦!C…ÊÈ”75mÞÚµ­ÚÓ¹–*XØß„P•mp(ƒœf'GÕKZho-MüpùÍTùÚ6›¼àùö6g–÷åjE[nx­±¶"êæatN³»il;>©X• ]¾6Yœ¡B3 Á1€OÊ0‹"åT¡�àë4	Öy[Ü¢8Èñ‘‚§2@EpP.i­lySSﶧ2
P
_|ä—7o›†Þ±F;8›‘¢$”J¶1²À×÷`§Áµ°SΓ„qÄÀSa–¦é4ìæÇù�¥ÃÔH>
XR&îF)�^�dL³0Ñ2~F=ǧdÌT˜(aÆB®Ê¦�ÂtÂŽˆí]/{ç8ñû—f"`ÀI,|,8ÌaJ…Q”¥Sk&$Ð::ö«|×8´§A^-ˆpPCba›¶¬ò¶¬+š@¬¹­C¬áD‡5ÀšFÝɱ…BÅÉ,јUfÏ€5æ8²œÂ$~ÅýÉ_
[Š‰P=£�žãSBf24ÙXÄCPKB‘dr
+jwæÂny¸¤gW“F„^?…Õ'úPš$ÙoCâ[ò³)?UÎaàÔ–¦~S*Aʸ¾&º¾è�±h‚M
+%ÞhàYÁýáÍ�ÁêK$¿È EG%“„þ†EJP¹�ýõˆn=´T1%œpf
e«Ü¬x¥l°üÂb
·
+ž«ï\[à¸Öž«OÓšh…w9£Ž
+L!µ	\u*±Ó0>�Ð×±žFPÔ!Ýb®�‚œD¦
Ü”žïUæâ€'\pˆï-ùéÁ«¤._\Ž·ÁÂnmÌ÷²nùt_äb¾�¸Ãª¹ý®z½sJ
ÍH>œd!ïpŽEHr*oÊÞ?”ØŽ¸¸ô¹›t@.9E½Þ”+»˜{öðåÚÉìíÌá§?ÛYúóÞü°¦�¸kð±8"3“Mõ‹À—Dõ	&ÀjèÚO4B’‹œ"«©¡Vþ'qÈy®ÿЇ/Qe’}·‰§úÅ][Ãî²
+*±ðÜäÛ–(ú®‡(v†O‡ÈLú
+õ’¾ÓR±Le ™(È@ÙQµCdÙÄ÷räÍm/P¾äâ�uð@ÌS
+dQ1ûÚ¦¢l'ï¦.øY–|O
à@Df—Øßm—¢&ì5®ú	
 endobj
-1341 0 obj <<
+1404 0 obj <<
 /Type /Page
-/Contents 1342 0 R
-/Resources 1340 0 R
+/Contents 1405 0 R
+/Resources 1403 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
+/Parent 1388 0 R
 >> endobj
-1343 0 obj <<
-/D [1341 0 R /XYZ 56.6929 794.5015 null]
+1406 0 obj <<
+/D [1404 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1340 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+1403 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1346 0 obj <<
-/Length 1045      
+1409 0 obj <<
+/Length 1124      
 /Filter /FlateDecode
 >>
 stream
-xÚÍXÛrÛ6}×WðÑêP€o“'Ç•]g§UÔ'U£�IHFÍ[
-Âñ>¬E
-’T²iže“œw‰™¥\nìùC9C9Áè
+xÚÍXÛnã6}÷Wè1)@®¨»�§lê¤Yt³­×}rƒ‘(‡�nKÒqœzÿ½”(Ù’/Éq�…aHâåðÌpf8C¤éò‡4φºé[šë[ÐÖ‘­É@×f²ïf€ª1 š£>Ž®MWó¡ïŽ6ŽXÔ=iãprvõÛåãáè¶~æÀs`;úÙÇÛ»_U‹¯W_î®ooþ]ž»ÖÙøöË�j
¯‡£áÝÕð ÏFr¾Q!˜p}ûûP½ÝŒ.?¾�ß�?
†ãµ,My‘n‚|Lîu-”bèÐô=[[È"ß7´d`Ù&´-Ó¬[âÁ×ÁŸkÀFo9uŸþlÓƒ¶g¸{h 
!èÛ¶ÑÒ íCÇ4ÌRƒ…І-5 ëúÙk–%àW�IH**yNÌ
+y?\[¨±-ºLº®«6D!8Ö4ÅIõ9	bÌù½úø·
+äYLƒ¶bUÏTõLÙ<®7BxßG<i&hÔ†§ù´à]aæëöâ£Z¡Z`rÄI³f×YÅÁ#	ž@aÈ\5ü­Ûú³ta¯è,Í‘m¨µÒ�ÄWˆÉËIá4ÌBÕ¶$|š±išu�¦‚ÌË-€Î4BŠãyÞ|Ÿf¹ µu@ˆhmO\0šÎ~4±%�ŠÅteLšüF³‚¼ˆË^ý'›³Ç]¹m./ š8}­’oSž“ ƒ4R„Åz#²4^®"ʸè%E…Co9Ùÿè7­åéKÄÀæÇmi9;bYBɈIÒ ö¿7l{—„HrÐǶ¶öSz†üƒ-y:9Ú¶Œ$Îf
ÓHçÉC}"t´¯ú
4”&ŸÍÅû‘Mz!µ$k†ò-½¬Ôƒ¼äòÈ ¢Õ¨ÜæÝ™´Z
+„$ÆÕ$N‚,
y_‘
žáþÑ2Ÿ?<‘定½÷4·Š—$ ›@s«á®«
+YÕOü©ÊVzO�×þÜàç¬.÷]™6,îvö\êèë{›w_!mî×,™/xž±¹2÷8¦î@ÏðÝšT¡Pm3_ß5íRÿŽ@íendstream
 endobj
-1345 0 obj <<
+1408 0 obj <<
 /Type /Page
-/Contents 1346 0 R
-/Resources 1344 0 R
+/Contents 1409 0 R
+/Resources 1407 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
+/Parent 1388 0 R
 >> endobj
-1347 0 obj <<
-/D [1345 0 R /XYZ 85.0394 794.5015 null]
+1410 0 obj <<
+/D [1408 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-450 0 obj <<
-/D [1345 0 R /XYZ 85.0394 769.5949 null]
+454 0 obj <<
+/D [1408 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1233 0 obj <<
-/D [1345 0 R /XYZ 85.0394 748.6299 null]
+1292 0 obj <<
+/D [1408 0 R /XYZ 85.0394 748.6299 null]
 >> endobj
-1344 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F39 863 0 R /F23 682 0 R >>
+1407 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1350 0 obj <<
-/Length 1052      
+1413 0 obj <<
+/Length 1090      
 /Filter /FlateDecode
 >>
 stream
-xÚíXË’â6Ýó^Bª¤ÖÃ/Õ¬z:t‡©“²"åA«ÆØŒ$ÒM‡ù÷ÈØæ
‹<Š¢,YÖѹGWÒ½Â2?l9.ta–Çlè ìXýqY#ÓöTÁÙ7`ù(~õ±]¹{¤žÅ s‰kµ‡,"ßÇV{Щº�ÀšA@Õ‡/ÍÇÆÓï­ûšgWÛ�/Í ª>6~®§¥§ÖýçÏ÷­À¾ƒ«?ÝÿÒ®·Ò&7ÃøØhþ˜¾aéch«þXoÕ›õZ·ý©Roç¶íň&†|«tºÈ³?U¤Ìw¬WSA3F¬qÅv(tlJ—oÂÊo•_sÀBë¢k©~AB]R& +è#è"å9º”Ð…€�pªŽióâm(Ás xú~ÆU/–½(N«ÒG7±Û0†ÌqÈ:’Ò\ª´Ò™ÄR§E1é%•nZû+}ü�´Ö­
-•u˜çý‚Á@Àë|å³´d
-ݯÑî@³¶ïGYò–ÊÆ# Ä{&I4?s¹O¼‰¢e©!—@BDt,ÙOõåHZŒO¡„÷�K)ŠµÎJ}.óþ6	E_¬;Gê5 ŽÂÙÑCM¦Ï¹³Yî*+-E4:Z“\OeŸ¯ü\Lì‚'ÏØc�Ï1Hг©³
-©ÍXé쬱<ìò«õs‹ÕÉ0$>ñJå|�#”´9E_�{¬ów²±	$J®^›ûÙgÍå &ZÎN‚ÀÛ<N…Xg1
µ
-%±j>RéC8¸'O¨²éeØäg9Þ	)п)™;7
Ã×Jžnœ‡�kå!W˜7óüÍC®Îu=!WÎC®�6mä!ø&yÈÿ�ó?<p.»N¥Lî@K.?Í?ïâ«ÖÕ=´mòSß'ù-*¡…[TâùÐö
HF*±ÓC[Ì—w²ÛÔÿgCúwendstream
+xÚÝX[sâ6~çWø:#Å’ï³OÙ”¤Ùé²-¥O”a[NÔõm%±	Yúß+_
+ãýíèç²Ç+{@ÇÃëáx8ºf“½ád£K]_¤¹"_zÓ™®Jí=žki�êE‡Èó°÷LË€–i램÷Gï÷
`m´m´Ò!6lÜ`@ÕèêÐÖ”cyÐ6°Qp:
+ÊÁV‡4‰–«�q!;iQáP^yø[ù¨FY6'AÀ«¾,årÓŸ¿Ìv¦�®ç+ÿ´˜ž=…ÜqšKé�§1XRN©K*æ)Ÿ'i[2Î@—ØúΟ,‘ê¾Ógâc”Š#ÿ¶õûŽØ<b¢Xuñàô3]–-Õ˜mÀwÃhªÜÁµyŒæˆÒûZ�'‹øŽòN™"9I„r/`�J^–´B‡�Ò…<Ÿ’dqJG€:PÚQ.I%—�1WÅ
}Ê"æ³Ýà(£äKGkÒåT  ©„õÓ$]d
+DJZe뎮Ùân­u3íkwLå�C„ZŸ}ºM4–™µTZÈñ �K!AÇ4¬è§bÈ‚žãØZ­›PÇVÒ’_^’@C	µá	¾ÚuªöKªž±Úé+ªæªæiT±n¨jÃñ=F"	:™µ†öfź1²¬F³6p=jZŒDŽn¿]ì@dº¸‘îBP°×¼]²ªJÊVAo;Ðp°¹O]ë¼ wh˜žwhéhòÛüy‹ìôÄ.v‰>§	B©öcæ‹S«�€HÒ¥:ÚÝ^T=ÂiÈ©x(v—“÷¨S@ÐK&’/ÏåqÄ"’”{Þ©y¦<I±s
)£ã0
+1WÇPÿ¡Vµ·)¬k˜`}p~ØW9ì£×=ì¿Rìý0wÿÝSûÿø�ÚíxÙt±gX0¿�k¸†SÿjÒ³/ý¶7¢¦ª¿\oîó°Q»ÏÃŽMW�T¤reü‚ùúvð%õ
õ~�Lendstream
 endobj
-1349 0 obj <<
+1412 0 obj <<
 /Type /Page
-/Contents 1350 0 R
-/Resources 1348 0 R
+/Contents 1413 0 R
+/Resources 1411 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
+/Parent 1388 0 R
 >> endobj
-1351 0 obj <<
-/D [1349 0 R /XYZ 56.6929 794.5015 null]
+1414 0 obj <<
+/D [1412 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1348 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R >>
+1411 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1354 0 obj <<
-/Length 1867      
+1417 0 obj <<
+/Length 2117      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XK“Û6¾ûWè(ÏÄ_zMN›t7ÝN³i7Î¥ÉN†¶¨µZYr-z÷ñߤÖv´}e|‚
-»‘_'îhT¶¿›P"Š<‰ö0 „�Ö™’H!§™¼›ü8(<šuKÇâ—ˆœ$9ÏÆXŒ0)H*¸p
üó…Ý(šqA
-F¥ãþÖµz:K)uÔ§V­ýðòQ}‡ƒßÝR\'¢c¤HÌ‹9lüŠªÛîն̠wRNDpð‘&´k›ÃU½í
Œò_àçîŸõèmüCŸñSo>©²ÜzÞ¦Ûš�ow'f!Ážûü9nž›/u£ï•©»vf7€Ìƒî?uÛOm7²‹ÙYèøhFÄ×f„ŸeäÌÏÿèËó+΢�]Y×
-ªŠçE¬pìu9zÙmHu
-™ ¢TÆ/€êDb˜ó`±:€µ¯›©…«tµh|ÖM‡ßÍvÊò¸{¨K?¡vfÕmk€_ýXm¿w]ÁÐ jCÎc£ô±M¾>_¬Hápã,
J°ÿ¢—<�
žBeö$ d²,�d^�òë"Ø7êA�A€‘L0�€›–ÌË:2ä*�ë9
-?.üzÓÔK…ó�a~À‰W}Urî0öeÉsZ�ÌnˆáµñVd$ãÁÛ¦î�wx£—õÌ74™™æò@¶i‡„,ö\Þ"cÝánptýκSòû~XYùas †ÅâÌJ™@y#!˜À[BëC·QK8x§ñnä—Õ8™†zIƒ•!ÄBÐø��žð1	èþ¶-UªE¶júnìpƒ:œ	­=qz$­Q÷«[KæC¦ßÚêÁ	ÈPüò€¼RWjטg˜}³…’¬†*„]8À”£¥_a¡¯ÁÝŒÅx~óŒÇ‰@Ž;Wà‹¡
-ñ^rB3žÞ?ÿû
ä�.“zñýJûóåKÍ‚�b)�hãŒÀ;1„ÃÈ�ÀË+;MÝÏ;$èN˜ ì·wß!ÑL¡p�¿�ÀØÕßñ2  ,tˆ}䮌ÞtAYp‡³Çá†ý
ªyý¾Wˆ)b
+xÚµYÝsÛ6÷_¡Gú&DðÉ�ñ““Ú9w.nÏQ_êf<”Y¼£HAYQ¯ýß»ÀmÓ‰OÇX.‹Åîo™M(ü±I¦¹œ¤¹$Š25™¯�èäæ>1/¡x(õnzôö\¤“œä	O&Óå@WFh–±Étq½ÿçéÏÓ³«ã˜+%ä8V	�Þ]\þ€œ‡÷?]ž_|øåêô8•Ñôâ§Kd_��Ÿ]�]¾?;ŽY¦¬ç^ÃÎ/þu†Ô‡«Ó�O¯Ž?O<:›ögž—Qaò¿£ëÏt²€cÿxD‰È35ÙÁ%,Ïùd}$• J
+8Õѧ£÷
+³né˜ÿ”ȈÊx:â@Éd4#¹ÌÓIªr’.œ¯�ã„Òh]|‰»¶¨ÍR·qW®u\Ö8So×3Ý"}‚Ãg{nØ<fŒäJñ¡¢Ívö_½¼ô)ÚtmYß>[}o£i¶í\#ó7ªh¹‘7ÅbáµþáT°4'‚§
+4‘T
+éýÃM)’§i2ðA	ÃÅ×›¦í�,77öãóˆ}3DÀ¢`'ûŠ�ñ]245yljžž
+frëÉýqUž+î«Šû#ÅBP’%Ð…Ž·ZnÈ,Ë&B&DÒ<s.ô¥]-â)ø‡�ubÓ•õ,8ÕèöΖK¯
+È*žåQ�ß¡ìXzÞlöH5Kê‚
+[ð‘‚ìD¢Ÿó`±:€µ+«
+©™«ŬòQï7í1Ë¢æ®\ø‰bÛ­š¶´WÕ]`Õf窂ý@;€(;ò1Š�ÛØdèÛ×Å˃å	¼- £
+©‡¦[ÞôÓŤà…oÍR4�.–^-ê²^ymöœvtñq©¿x3šxp.�ç°Ä½º&”ð7“�šy‘\2]¿°	
+ܦ@õ†ØÅ°�Æc7Áªj©ÒŒº‘i#Î^’‚ro[Õ@¦xÎ!9ì—·
¨Þ P`,pèýÚ+„×]ÛÙúœ$Г…UË°jľ žS†÷B¯kÞ¬¡Ê,œíœA2–õ<v86Kç<»â£Ù=T-m-ÚnP{àêª\—£´†Zéoy{ýÈ<ªAqFæ΂IW9A`jwå¢[Y�3]6A"ÔðÐ1€p…•êÖK`V›qÏ(j¿¡"‰4êÚ Ë%/pVÛÚgÙ"Ì,½ìªÙ°Íàè0ÅjJm\ûbg,´%Ö¾j:œÖLãu |sûC
2
+üîvM\
d+äBùwÕÍN™ùJ¯½´o¦xßø
+w_LÉs‘þ2¶b½©ô›Cw	åºo=€
+¯ªü^‹Ò—¿®�M>âòwü™1ìß_÷&�<ó¿0f”€Qc?ÓÓIðЫÿ)pø�	4ÙÐÿñþr¿K§	ÉxžÂû›X]62©xäŒðß/50ý/—$Šendstream
 endobj
-1353 0 obj <<
+1416 0 obj <<
 /Type /Page
-/Contents 1354 0 R
-/Resources 1352 0 R
+/Contents 1417 0 R
+/Resources 1415 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
+/Parent 1423 0 R
 >> endobj
-1355 0 obj <<
-/D [1353 0 R /XYZ 85.0394 794.5015 null]
+1418 0 obj <<
+/D [1416 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-454 0 obj <<
-/D [1353 0 R /XYZ 85.0394 589.0297 null]
+458 0 obj <<
+/D [1416 0 R /XYZ 85.0394 421.6574 null]
 >> endobj
-1356 0 obj <<
-/D [1353 0 R /XYZ 85.0394 558.9158 null]
+1419 0 obj <<
+/D [1416 0 R /XYZ 85.0394 391.5435 null]
 >> endobj
-458 0 obj <<
-/D [1353 0 R /XYZ 85.0394 558.9158 null]
+462 0 obj <<
+/D [1416 0 R /XYZ 85.0394 391.5435 null]
 >> endobj
-1357 0 obj <<
-/D [1353 0 R /XYZ 85.0394 534.5045 null]
+1420 0 obj <<
+/D [1416 0 R /XYZ 85.0394 367.1321 null]
 >> endobj
-1358 0 obj <<
-/D [1353 0 R /XYZ 85.0394 534.5045 null]
+1421 0 obj <<
+/D [1416 0 R /XYZ 85.0394 367.1321 null]
 >> endobj
-1359 0 obj <<
-/D [1353 0 R /XYZ 85.0394 522.5493 null]
+1422 0 obj <<
+/D [1416 0 R /XYZ 85.0394 355.1769 null]
 >> endobj
-1352 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R >>
+1415 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1362 0 obj <<
-/Length 3416      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ÙnãFòÝ_¡·Ð€ÕÓ/ì“3ñLìx²/v�$´DYL$R){”¯ßºš¢$:“ìÀ0ºX}UWU×Õ2
f'*Ém>Is¯bmâÉl}¡'OÐ÷þÂȘi4ŽúöáâÍ;—Nr•'6™<,keJg™™<ÌŠeÕ%¬ £·ïÞݾÿ÷ýõe꣇Û�w—SëèÝí?ozýáÃõýåÔd±‰Þ~ýãÃÍ=w%²Æ··wß1&çæ•EïoÞÝÜßܽ½¹üåᇋ›‡þ,Ãóíð ¿_üô‹žÌáØ?\håò,ž¼À‡V&Ïíd}ác§bï\À¬.>]ü«_pÐKSÇøçm¦â$Èf¹Š�÷¯ïË{hØW@›8¥
0úxßifT’¤(íUž
Ô%ÅX­rXh’ƹJœu$•¶Û="kÞ¼Äap’©Ô[Ü]/]Êc
J¢?šºd\ÕJ_µ®VÅ–»»†‘…ô­Šçò0ñ
-Á<*?ÏÊMÇ#ºe!PÕñÀí¥É¢r³ªfEWÊM½Ú#­@ÕԕDZ%òº%¬îlÝ}Â6“ɳ†ÚyË�Í‚;þ\mWnÅÇAlU¶˜Ïè×/ë®âµóP}}>žÒ†C�|m¢"LµZGuÓ	–¿Û®¨ç<bΛbÛqÒ�¢ßÝ}úG�Ú3n°z¿è¢,ºÝßnÊYõ³ÖvvL+ßPÜÞ'^²j½Y•k8ÑUM­ÆNJ
-øPÕUý$3Ï×aÑ÷ÙîÇx
ÒFÎ’:Ú&—“°¡­‹uº¶Ï¨©4z>gúÛ–Ô
-Pp@º¿Ç—=ITf³T.0.6W³¦^ŒÜu0)Ø
-ú윋–•¬¿k‹'¡Px”©µ`<µOŽ9M*íàž¡¬Aaæ$D@²
¨Ë€Tŧݖ”ª»àâœ9ƒý¬}åÜ´»Í¦Ùví¨˜qï,aA	>cédq„ZÖ1€{)ö—Æ<l
-´ÞÊPÙ ÿ&r¼Éƒ,
×m‹º]”ÛVvZÖïk:&lÒ6›Cc44³ÕŽ˜ƒx¾q
-Á˜ŽÚ2–勆�Ì;@‹N3Â�
<i22>2Ø1Â+8MŠ2Ðl—´,bÖÕg¼‚v
œxIûÁ2âçE,q/:ÂWü]êÉ@tï+4ŽV^V£ê>P`§ñ¶ÊRÖö±6ªPØça#ö œ›že–Í3ÿ0áˆQ½£DhY´°˜FHýÔþp®xpçiÝ9Òi\T¬VÜ/.Î÷1ƒ²lÏÂŽ<¢:„Fè)Vm3&Uö,äéÄã-y³¡ïkÅþê^ÉgŠu¦XŸ�éϼ£Îzï {G
-$lœÎÝ÷	QF«ªž"ªØnŠž;^Ûˆ§Ð*ÉX`ü@Áß$ 'þ
[dÊm]¬x”°”–&¢€äLJvÿa³ã€æXÖt[ú‹|qc|@¬cê43ó™WYâ’É0ŸùÊÉk’hv2×$û‹öS^K¼\ê”Ï8‰I¼ˆM.žøÂ&“%Ä/àÇK±��È2MUªaTŸ{yŸG?[ëyŠ¤ˆD=ÂþB?Ž-ÞN/†¿éúB{¢ŸŒ¬Iš�8¼CýBy´)Ç"ÖÌ`&¬‰£Ç¢­àbO-ø­k9—žÔƇc‘•>?»u*=‚¤¨£¬ƒ7 ¨Âën¿)ÇÖO1äu2÷uþºL%ir[²Á¸:°§“³ ù8_âd{�‹˜Ý©DÄ©Ui§§^z”
-Ë
!2[&‘(Ç$¡r“HìNPÈ QoRVxZ!·�&Æ�z  Õ§Á6lF½ •Õû3q’,Cô3Ðÿ×Cža$ñ•ÑÉ!äI
8Õ¿EÉ„WÃ
ý>w_¨3ÃTû¤Ä"ðÝëÌÄ:ƒE‡ª«ˆwðÁ¥1
-e40Ä›¸„´}É“r>@ì8„Ç…
-Æ J}ô‚ªÑ4î?¬à&1Зî
-¬O¼Û šÛ˜KÚˆà’Ýpîð$9ñ(Œh¸E©Rhr¦öt�~ä¾ôTaöB+
-¯ùg¯ú6Í hsn‚¿W€Ø'=ü,⸀ ?90>Uij’þglXPP
·™œÉˆBhÜF´ð}¤drV¹oZ†Ù%#DµI8o—¿eÀ¢Y­š¾pš2ulnÈÝÒ5ÑäÎO»¬Â®|õГ³2úü:@f	)¯	õ
-p�#fݩ̧!ßAÓ9^*5©Êµ
�·TÐ,ÇBM�å!�4œhL=XZŸÛ“ò@Höà;|<Å$@÷ÞE÷ý³f+·¬;+tŠÕx.Zé[¿Š•&€ô v7så]œõb92€:Ü[–mÕ¼–	æ.Ô�Drøh^IK¯ÂöOìá½¾B¹&ô<4“·ù��¯·ßÈ’?rǯl–
-ϘÚ3Ê�VÖ�!>'ýlßEendstream
+1426 0 obj <<
+/Length 3415      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥ÙrÛFò]_Á·@Uâx.\µOŠ#;J­å¬¬­Ýª$	ŠHH€!@ÉÌ×o_‚$'ërÉÓè¹zº{úš‰†f'*Ém>Is¯bmâÉl}¡'OÐ÷þÂȘi4ŽúöáâÍ;—Nr•'6™<,keJg™™<ÌŠeÕ%¬ £·ïÞݾÿ÷ýõe꣇Û�w—SëèÝí?ozýáÃõýåÔd±‰Þ~ýãÃÍ=w%²Æ··wß1&çæ•EïoÞÝÜßܽ½¹üåᇋ›‡þ,Ãóíð ¿_üô‹žÌáØ?\håò,ž¼À‡V&Ïíd}ác§bï\À¬.>]ü«_pÐKSÇøçm¦â$Èf¹Š�÷¯ïË{hØW@›8¥
0úxßifT’¤(íUž
„âÍ@(Æj•ÃB“4ÎUâ¬#©´ÝîYóæ ƒ“L¥Þâö8èxéRPýÑÔ%ãªVúªuµ*¶ÜÝ5Œ,¤oU<—‡‰WæQùyVn:Ñ-�ªŽn/M•›U5+ºRöhêÕiª¦Æ¨<Ž-‘×-augóèLž5ÔÎ[îlÜYðçºh»rË(>b«°ÅüxF¿~Yw¯}˜‡úè“è“ðñ”6‚äkaªÕ:ª›N°üÝvE=çsîØÛŽû�ĈøîîÓ?zÔžqƒÕûEeÑí†øvSΪŸµ¶³cZù†’ØàÎð>ñð’Uëͪ\Ãù‹®jj5vRâ
+3'!’…@]¾0
+:%ŒaÿˆP¯øAç´l•aÊf[=Kh
SÊî¥ÙþÆ»v:.àúIÝ¿{kr“ñÇÀíÊ
+þ&
9ñØB SnëbÅ£„¥40°4$gR²û›4Dz¦ÛÒ_\øà‹ëà“
+Ï$`Àžü­Êmò¯@1òª/@Ì%8’ñ`J\~|¤ÓËì|:�8ù)�®�2/‘1¢ØÅzqû˜ô^q
+NÊØ>Zñ–¬úpóljüi•©WFögj}.Ézù‡ålYÔOG1%,!Ь‚#“û�óiœoÁ�Ü Éǧ
+5Æ�\i«óžo½�òʧùé™(.´ÞBökñÌ’>Ìï¬÷çn{Ñ‹lÛŽ=NîîDQi½±‰˜¼a‡,NŒ
+nr3
+VåÕ‡§áùçÄ„89dUyoCØMÛ(´\JAˆ�³�Ê:MÈTe‚žÓí‰QÅNc§
‹×‹mÑvÛKˆfý#ËŸ?
+²8ªüL¼7¼Ú˜Xrï?Ò
ð(.w©N‹‡«²„�|G_«ç˜¿¨ÔpLì‚_¤b«#‚°ñ‚ˆûœQÄí8(‰Œ?èE3ñ°�“Ž“Ø°éiûå°ex±¿ÎVÌÏáý‹ïò0'ÎããgùÿkR (P™
ê ò³Ê%¨ðšöªoÓ‚6ç&ø{ˆ}ÒÃÏ"Žò“ãS•¦&éaá?PP
·™œÉˆBhÜF´ð}¤drV¹oZ†Ù%#DµI8o—¿eÀ¢Y­š¾pš2ulnÈÝÒ5ÑäÎO»¬Â®|õГ³2úü:@f	)¯	õ
+p�#fݩ̧!ßAÓ9^*5©Êµ
�·TÐ,ÇBM�å!�4œhL=XZŸÛ“ò@Höà;|<Å$@÷ÞE÷ý³f+·¬;+tŠÕx.Zé[¿Š•&€ô v7så]œõb92€:Ü[–mÕ¼–	æ.Ô�Drøh^IK¯ÂöOìá½¾B¹&ô<4“·ù��¯·ßÈ’?rǯl–
+Ϙú3Ê�VÖ�!>'ýÿÞüendstream
 endobj
-1361 0 obj <<
+1425 0 obj <<
 /Type /Page
-/Contents 1362 0 R
-/Resources 1360 0 R
+/Contents 1426 0 R
+/Resources 1424 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1339 0 R
+/Parent 1423 0 R
 >> endobj
-1363 0 obj <<
-/D [1361 0 R /XYZ 56.6929 794.5015 null]
+1427 0 obj <<
+/D [1425 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-462 0 obj <<
-/D [1361 0 R /XYZ 56.6929 167.2075 null]
+466 0 obj <<
+/D [1425 0 R /XYZ 56.6929 167.2075 null]
 >> endobj
-1364 0 obj <<
-/D [1361 0 R /XYZ 56.6929 139.8789 null]
+1428 0 obj <<
+/D [1425 0 R /XYZ 56.6929 139.8789 null]
 >> endobj
-1360 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R >>
+1424 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1367 0 obj <<
-/Length 3031      
-/Filter /FlateDecode
->>
-stream
-xÚµ[Ksã6¾ûW¨ö²rU„àE8:OÖ©ÄÎzœÃn’%Ñc–%R!©qœ_¿
6$:oM¹Ñ|h
-R±bŸoWL'´ßK&—ÿ-Û²M›Á�¥Õ0·úlÒÂø°bŒè(â­5ë‡§>d›üWJy+*^òæ	KF.¼	äÒ=ßhp3UÐ�%ÕÝ'yœˆDŵ٥5èŒ0Öƒ­�ˆRq¼X‰„…Ž6äâ’ॴ³º;4yYÔ#*QB#`yœ0qyfêXЪ�‘g#ïPF¡t·+_V0üùãëP8“ŒH•ÌHw¨	ñ}¿1«�üOYv‘¶°ÍêM•·îÀŠòq½:!”KmGahÅ@t¤ˆ Áy14T0Ab¦cÏPl¬>/°pß3ÙágL÷‹&oNÆB0pÌH%T®õŒïjN‘QoFr–mMÌâ¶õP
¶u¨Ó8ý~̪	²
N1îPÒ}²EÐ
-ÑÐÿždsF¹–%@ðy®Át¡'¹fñ3�û};׳–&qØõ5§È¨·0ר†%O%3\ë¡\ëP§ajª´¨aiÑMÎUX|šï‘-’„S-|ù�lÊ#[ߊ�ð8&q²Ïò�ƒN”	ÏÒß:üŒÑã~ßÎ7‘DÑç;Ôœ"£Þ‚|‹=E4÷>ê<ßê4RÇìW²1Û E\‡¥;Ô„xŸo0±„ä¾ü÷äÛÉŠ!Û8Q$Ÿg˜ïæ Û,~Æäq¿a%5oÐ8ì{‡šSdÔ[˜m°éQ	„�0Ûz¨
-ЪC
§ÿ
-Î[/iµÍ‹ÏC=8¿Áf>¬ˆCMhÒ7žÓˆØ7ëÿÏ
iÎiÅÎÆ6)¨9FhÏè
-ƒü%Ã2¦7 Ð<uÍ–Ef¢"ˇ'«³À~Ô2Ý<åEVw/§¶ý%ßY½1þn2'*�H~ð8"2QÝÚþím›ü
-d�~Šåöîáæ㦲#pÔ–¬ËŽì³ºN?gÆkŸ) }‚ªÖ>¬ÃcÌÖÖøkÌ4ØÔXƒ¯[Ä.¯Û„’)éÞÖÖYõ%«¬€_iDmj_M‹A'‡*ߧx’3»
-b*è‰Á’[; €}HÑ™
U‡Ý±ÆRZ¼báæ'[±Ýâ8ÔuVã{^‚Ê`ÚÕ˜b¶]<ŠO1Í›£YXÙ@M*S%Ë+«^Y5XÚ§V½u6Ðå’-At¸
6]‘?ö˜E3ÞÍ€yêÂ&½IÛˆÁãNÛž�PBSvƒZlm
œêf²y潤̎¤a4šš”¤e‚3AÁòò˜wô[aï3•ÜÓŠÄ&Oë9fÆRFÉ~
-ÄòÕæGŸ²ÍóÊÌÎz¼K$VzF¸CMH÷3>0$&Nyâ0ÔH#vß ¬›Lݱn'žqX‰5–}M•oÛ‚“\ƒ%iáº%�–&ŠÅ¤-9
S¿MúV¶2ïeU“æVò¶ÜcYbȪ­B…‹?	—ƒX‹ñ€"^š	ºkß‚ûuiL¸nÖ‚CYÔ®þ·Xóˆú=>¡‰P(²æ¥¬žÛë…3Õ§‰
_Ò*w
-l6eÛS»¥Â¾Ê©ŒüŸ.Ïݼ2Ká�e51µâ˜PØŠuÚ>™…×-¬�£Ý¢?1&Vî„Hq¶�Ç4ßMmaUÔ¬NÏ«ÎA'%ºµ¯Þ¥_¦ŽÐöVBˆwÔö´Å” 
~ÒüÌÔþ�…á‰ÂœŸösšôû?F3žÃ‰S'<$ÓaFBý�œIÍ-LOêûúºWÖˆÄÒíôÆîP=óLJ:ìóÜÑ€�ŽÌ°r%L‹�¯&¨Â°§0›˜†=a3|ê¡ŒêP§q�=ívG¸³"	«k…å;Ô„þœ×‡•ò5xO~õíO¸Ébªó)6iNÕ”{¦†r!~Æèq¿o暤&{¡“°÷jF‘qoAÆÁ8�Rr†q}ÔyÆ9Ôi¤ò¢É>Wy3>ŠÂ´ˆá¤VÀ¡&4ð)§Ìu¼òUxOÊy†9Ç£<À9‘ÀÁH	ÏÖç:üŒÕã~ÿç$‰y’„ÝïP3ŠŒ{s.SÆg8×C8סNCUçëÝDÖ­½A—°èÅ;Ô„|ŸqŒH®µ¯Àû\‘ŽÌ^#¢´Ö�kóÁ÷-
^#XüŒÍã~ß¾žjJ8çaßw 95†}…Éf>$jŽl=T€lªÝ{f•9¯®ê2]5Ínà(ŒSajBŸnКæ«ð>t›0dH8E„\’ÂqBr¥=SƒñÍâgŒ÷ûøfîW•{ß¡æõ¤Ó“h&ÐG�§œCõ®­0><×Ï#ÎÅ ‹g4p¨	<Î%”$:èð>‹ê”%ÃOíà
-§/Å:쇚QdÜ[˜u°,DŒÏ±®‡
-°®C‰æÂuZ�¯å¹„˜‡« d‡ší±�k¢bˆæžìöž´ÍSÊ.™$t›Á*LÑ“ŽØ^bíÚ¢l¦JÚ¼ �ÔMYaÚÅu,i—Š†vÓa›ý¥]&Ǽszå±4Wc^S_1B™EÜψ÷ý9ºÌ‚8㾡|Î^_l†¤ð3oæ6£~'šaŸ«ejSü1	K,µ>ÀËSÞdõ!Ýd«m¶Ë÷¹}5YvRLzxk14˜„YÕõ3Ðe›M¾²·Vo/må®·ubƒNÕVÃ@~…©â6hêÚÔ¿)ÔÇu�ý~ÄïguOK‹s÷âðpHëvŒÛðùh¾ÀíÔ(ÃêØæu6•†y�cî±ÿ’¾¾žÝØhY£æI²KìuB5á4Il
-Ö $륵à¡KkA<õ¾.Œv«TëæÓ7iJ¹›4ó
²Ý×Þгþç%[ÖX.R{½f$«}¶/«W|D/lWë]
-
¼ÁÇNSkY{õ–Ø$2÷&i+³NNÙ �t{x�}·7é³u’7 oámë�½¢rù%Ý1Ó*NT1
‡²6[ë›òG¬M·ÛÜøt‡õý€"—Û*··bÐôd2“mõ:Ë
-¬ƒ�ú3¦‡¥áI‰µ6`I{«f>„o³Ãlù©Ü8†±¡NOß~8¡'Û³Žt›Ýq;ý]6¾š›Xµ>ž–,(wW&E6Ñeg@ŸÓëW/£JÎ}©/""§ïàÏŽäßþŠÿô_¤ù üìVͤ?¸I RÆ©‰jî>÷«þ?.1Š\endstream
+1431 0 obj <<
+/Length 2969      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[[sÛ6~÷¯Ð£<S¡¸À£›ÚYwZ§ë¸»mh‰Ž9‘D…¤ãº¿~"
+t¦ÞÉd‚Ï
�Š,0ü#%fš/¤æH`"ëÝ^|‚{ïψìzÐjˆúáîìû+&éŒf‹»‡�,…°Rdq·ù}ùî_¿Þ]Þž¯¨ÀË�¯D†—?\ßüh{´ýóîÃÍÕõûßn/Î%_Þ]¸±Ý·—W—·—7ï.ÏWD	ÏS'áÄW×?_ÚÖûÛ‹_~¹¸=ÿóË;ïËÐ_‚™qäËÙïâÅÜþé#¦•X<ÃFDkºØ�qÁ�àŒõ=Û³�gÿöw»G§â'˜BBQ9@ʦ(4ÊÜ2
¼ØWícQƒWJ,¹¾3
¾Ü_‹muØûÖÞ)û÷Ýc^5û¢ý.5[æ¶÷ç‹ûÜ¡>'jYµÕºÚÚ[뮧ÈÛbã$í-´ÚŽ]¹Y-q±ç„/ÿ[íÝ�MÞæüP9KgÏ:ß›ØC
+/Œ¤~�š0  [®bÈõ�ÿŒn*¦›óc¤\R$e&N34ÕB®¦×ãgœŽå¾šqK¤¥`éè{ÔŒ!±´$ã„!(3Œ¢N3ΣŽ#ÕÖù¾y€ÅT”à4¢T¥Õ÷ 	õ
ßGkêK¾
½)Ï2”IÐ}’oF
xšâ[�Ÿq:–ûú§’
+Ïߣæ‰¤¥ù%aPÓ| |ëQÇ‘z:À
+¹ˆÙ™KP�ÖîQêC¾A~cœ†úß’oG/Æl£HaÐ|šm\ a˜“lsø—c¹ß°v3´ÀY:ö5gH$-Í6äÄzŽmT‚m=Êh´#´:TÛr=±zSˆPÊÓê=jBH7f6Î24à£ßÎ56þ¹ýóHüXî[GB£'»ß´×¿u†”½vB Š°¾Â‘ÇcotÂ`Í7´4E«?ãZ,w’Vtê¥	�°ôeé{ÔŒ!±´$­¸â¨Ó´¢NÓÊ£ÆÓ;üç¼Þ”ûOc;(†¸Áö1mˆGMX2tžb
DºõÿÉg#‡Æ4'	­ÈÉÜÆ6W8� ¡ÇϸË}ýÊ
œÍˆâéqð¨9C"iiB^`ŠÍ‘p€J�°GÙ1kªSEK-Íg”{Ô„ö`Ȭ朗ÿ°ß¾@Ø©^îŠ|dyxÚÚërŠoàŒ^¿à?Yõ€å’²ßµvµ;�˜Ã -lÛÔ Ñ>ö·ÿ®ö…ÉŠ˜-ï¬)ZÛ
+_UõÄÔÊ2„a)Ö¿@¬ï“ç>Ò¢ƒu3#Z-†câÍ-‡çd<äåvjYoEMéô´élR¬÷5ÛüëԚŸ1ö†–ÚvªI¢œ-?5õ‰†,ÉÌÔ S¿G§þî¯hÞSØwjIÓš=jBu¸†ƒÝ©9
t¿ÍæaèÁø-+PÆÕé2/…!‚�¨ÀÉÄfÁãgÜ�åžÚ,�h
ï2I4KÇÝ£f‰¥%YFgÆgX6D�f™GÇÖº›5líâƒo])Òú=j€0hÈÏJ…¼%׆~ÄD+•8X0»mLW“?ãt,÷ÕŒãØT5´LGߣf‰¥¥' ¾˜ÐÆ
P	Æõ¨ãH•û¶øT—m¼E…‰‘	X4'
ð¨	BÊ)óaˆ
+MxKÊŽŒ9GÁ4Á9&aäXàkŠs=~ÆëXî7pŽ£ŒJ™¿GÍKKsÎ|eÂÔç¨çzÔq¨šò~;Q�ë¾åàð
+Lª÷¨	ý!ãâTëЀ·9¬�Ü/0¤´Ö‰ãóé
=M/8üŒÏ±Ü׿U5F”Òtì{ÐœcYI²
Ü4­I²
Q§ÉæQÝš´¨Í>vÕTùªm·q‚Ã0JD¥
ð¨	Bº�¯’‘Є·¡Û„#cÂ)Äxâð¶œ*¸šÌo?ãt,÷øfÎ]OGߣæ‰¤¥)T:G¹
*A¹58βùásó9â\,!ÙŒ5aBÀ9‰‘ÔrdÃÛ¼T§<ô	³L&>€3å>94oî´ËágÜŽå¾þ­
+»1-2�Ž¿GÍKK³Î|äÉ�2iÖ
P	Öõ(£±­_Víú°ª‹‡ºh§ìÔeÚ
+µ�4mUÛ Ìq(÷�Àî÷5EóÌñ‘‡ÊÒ¦¾à†64,,ã«Â›Í?þ¹xyvµJÐB¥­
›¿°ý©í7ò…=M¢j™»›¹ýcJç¶ÕÅ
+£Þ()Æ–ûŸ’Ħÿýì{endstream
 endobj
-1366 0 obj <<
+1430 0 obj <<
 /Type /Page
-/Contents 1367 0 R
-/Resources 1365 0 R
+/Contents 1431 0 R
+/Resources 1429 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
-/Annots [ 1370 0 R 1371 0 R 1372 0 R 1373 0 R 1374 0 R 1375 0 R 1376 0 R 1377 0 R 1378 0 R 1379 0 R 1380 0 R 1381 0 R ]
+/Parent 1423 0 R
+/Annots [ 1434 0 R 1435 0 R 1436 0 R 1437 0 R 1438 0 R 1439 0 R 1440 0 R 1441 0 R 1442 0 R 1443 0 R 1444 0 R 1445 0 R 1446 0 R 1447 0 R ]
 >> endobj
-1370 0 obj <<
+1434 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [312.6233 667.7189 381.2953 679.7785]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1371 0 obj <<
+1435 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
 /Rect [310.4119 636.5559 379.0839 648.6156]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1372 0 obj <<
+1436 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [328.1051 605.393 396.7771 617.4526]
+/Rect [340.2996 605.393 408.9716 617.4526]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1373 0 obj <<
+1437 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.3548 574.23 389.0268 586.2897]
+/Rect [328.1051 574.23 396.7771 586.2897]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1374 0 obj <<
+1438 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [320.3548 543.0671 389.0268 555.1267]
+/Subtype /Link
+/A << /S /GoTo /D (access_control) >>
+>> endobj
+1439 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1386 543.0671 427.8106 555.1267]
+/Rect [359.1386 511.9042 427.8106 523.9638]
 /Subtype /Link
 /A << /S /GoTo /D (dynamic_update_policies) >>
 >> endobj
-1375 0 obj <<
+1440 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [429.9426 511.9042 498.6146 523.9638]
+/Rect [429.9426 480.7412 498.6146 492.8008]
 /Subtype /Link
 /A << /S /GoTo /D (access_control) >>
 >> endobj
-1376 0 obj <<
+1441 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [286.0435 346.6843 354.7155 358.744]
+/Rect [286.0435 315.5214 354.7155 327.581]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1377 0 obj <<
+1442 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [339.144 315.5214 407.816 327.581]
+/Rect [339.144 284.3584 407.816 296.4181]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1378 0 obj <<
+1443 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [336.952 284.3584 405.624 296.4181]
+/Rect [336.952 253.1955 405.624 265.2551]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1379 0 obj <<
+1444 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [322.5463 253.1955 391.2183 265.2551]
+/Rect [322.5463 222.0326 391.2183 234.0922]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1380 0 obj <<
+1445 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [331.4327 222.0326 400.1047 234.0922]
+/Rect [331.4327 190.8696 400.1047 202.9292]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1381 0 obj <<
+1446 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [361.2812 190.8696 429.9532 202.9292]
+/Rect [361.2812 159.7067 429.9532 171.7663]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1368 0 obj <<
-/D [1366 0 R /XYZ 85.0394 794.5015 null]
+1447 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [330.3165 128.5437 398.9885 140.6034]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
 >> endobj
-466 0 obj <<
-/D [1366 0 R /XYZ 85.0394 726.6924 null]
+1432 0 obj <<
+/D [1430 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1369 0 obj <<
-/D [1366 0 R /XYZ 85.0394 700.1172 null]
+470 0 obj <<
+/D [1430 0 R /XYZ 85.0394 726.6924 null]
 >> endobj
-1365 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R >>
+1433 0 obj <<
+/D [1430 0 R /XYZ 85.0394 700.1172 null]
+>> endobj
+1429 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1385 0 obj <<
-/Length 2958      
+1450 0 obj <<
+/Length 3050      
 /Filter /FlateDecode
 >>
 stream
-xÚµ[ÛrÜ6}×WÌÛŽª2X\	àÑqd¯R;++µ[ç�šáHŒ)rv.R”¯ßÆuxí�].×€À!º8Ý
- UõýíÅßß0¹ÐHg4[Ün[})„•"‹ÛͯËQt	=àåë÷ïÞ\¿ýåæÕ¥äËÛë÷ï.WTàå›ë^¹ÒÛ›W?ýôêærE” Ë×ÿxõóíÕ�kÊ|ß_¿ûÁÕh÷3ÑéÍÕ›«›«w¯¯.»ýñâê6ÚÒ¶—`fùïů¿áÅÌþñ#¦•X<ÃFDkºx¼à‚!Á5ÕŇ‹Å[­öÕ±ñãB!Ay#É�ÔL��2A’
-è*ß“É(bŒ©ƒ•uß>
-
-(BÒàz¶×ãþ’¨e‘‹�ãa~p¿åÖÿý¯¯÷›RpÐîl:÷}Ùyÿ5ÊMò+Ë2¤5#i‚µQÓ‹(cÖ¶Ù?çûM_®fˆR!ÒrhDn'~)Dq¦ºrßÛ`L,‹¼.ëûí©2ÏÜŽ§©·³f
-nÖLÓƒsS•»§¼™—M±?8LUŽvÉâ–¾Ãc
�IÏ–àXƒ@î/‰=A˜ôÚ¬óӡ𲢊UÓ|‚8êôn\ã6/+G(
-œ0Bº„Ê·ÇbS/�û
S&ž¬PÙ7Î4:—‚ÆûâxŒ¯Ô�«ÌëÃ3t	Ëñw¦"[>?”Õø”)żuàÝt8Ž�‚]ZÃ(<7§ÊËÏ«ªyö:¹šºÙ?æ•«
-Ãamk\]ð.*)lQ2ƒxï*‹Í4û	
-±òŸA	î{P‹úfpû�ÃÊŒ
ý‚#h(¹›ÀL®ý[¢9Ø(B¤˜ãæ©ØïËMák|Á°Ù•š­ÞWÍ�g¨ëR™0¦]\…ÆÒ¿hã@êÆWvź4st(k‡ÈÝ£�’Q¦tAjH#&4’4£ž­PÒßMÀH1šÅøl‰
-9¥(:ø
-~åk;«Íïu5»q²bœÏ4=ßñƸSÅ”Ë9K¦}†ÀVÎúL•ð™€êøÌñq·òÃÙ�è0Š‹%"jD‹nLÏ`�œõÔˆ¾ãÂ��"õ¦YŸ‹:î›Ö­ô¿çõf2‚—בˆ›)¨ži®`3¯O�t5=ÒeYä‰Û?í‘Ál’rhDng·È‘’šwå¾òÛ
œHQXò¶ù©:ºZ¯ØßîÑ‘À“°–ÏÊnBì¯_m7Em#Xø“´tzµ+Žy=´®OÉx.�>üÀ¾XjÝuÀ)F0&<xð¸—Â^T›ŒIßK]”0«”¥ÌíCX!ãÄÐÖù]UD·®â„K”e<èð˜̾t4% Ï‹½	�#}ÁR"dÐôPåOŘ=Â3ý™pŠÊpüV3Tn¡T(gç+»m<ÊÇb5Ìt8.•ÖÃcFÔèD
!�Èëêñu9)kúû)ådj‡eAº&'R;?cþ°ß©ÔŽì«d¶ŠŠšž…ˆšQdØ[2µÃ1¼ª˜œa`•``@�ÎY¹©FªiM"jD•.)’ÚLC[—oÄ–E}BtÇŠN³Pp'&Ù1:Å€Ÿ1Øï°� ª)MÏCDÍ(2ì-ÉB&5"xfEo�¦9@Óa£9‡QkD“¤4T¤ÃÀŒ@#0µ­É·ƒÞž‘�&°‰›¤ „b¸csŠ�
ž¶~Ðëçó�Ánë4"(­Å ¯4ù¸B°ë˜IÀ´Q	úÔtÀåCŒëU"jD—nTpöÅ=eþu2ŽSP›ÜvÜ.�-Å�tŒN®Ä>cý ×/` …½ƒñÜÔ,DÔŒÃÞÒ$„Ã*ã|f'ØF%HP.çt4©‹þ™†›¬ˆJ‹
 ±mK•Ù—o‹ý:t;+ߟeØmeYâ�J$)´Úª§nð~ÆÖa¿_pƒÇÇJ§Ç<¢æô–¤U⟹Âk£¦éQçZmŠ*ÞàŠ„¦*-=¢FÄwÓ	ÉIWþ×YYûVôD›€ªq6Í6ð"%ïšb[ÀϘ<ìw’mb¸Åp€=hrð#jF“aoiº™Ã 3É°6*A·€2w§»OÅ€hæ8»'¥z̈ÐÞñQp8¼w„^›±–<$§ ¤¾é›Œ€š˜÷‚òsî+ËúhSæIø|>Tût²¿áâÛ*“ï5eŸv„·Œ¹¶*¾þTìíÇ:?‹´yK@Êû:_ùD
Gš³þEïéœ
-Ræ–wýàj×y¿e°¿›Óã®Ø8¶ÃÁCaLz¯­LÿÈE±4w—aqž˜V–½¿hÄE|cS`ÝÏaG’Å¡9_ÉM2ŽåÏDÌ6jšseÍ*ïWOyUnÊãËʤýÓ0ÅmÒ+œ«’jDÔˆý$‡šŽ_gC8iÍ0
C™æ‰CJBLl[’LÀxüŒéÃ~?ÅæೂÍP!€fôô•\®	xVsù—6*A¾€r>´ŽŠ‡æ´_ﮨ¹d’3JDÔˆݸ§‘=-¾Îq–žéO$ˆ‡•9“Ž¹)âüŒáÃ~?ûÜË$7÷}"=5§È ·$õ`ÃkÔLú¹š&^
-3СK8Ž¸96·”ø:kl”>ã@4Ö‰kðL¸jY›$œG'íî÷ùtã0k°'N}Ä$Uè÷4ε�ŒÈ|Å?"
þûƒÙ_þc�ó_RÀ�)E'ò	b™‚N¼RFqɇ^‚aógå¡êÿXÔ€9endstream
+xÚµZ[sÛ¶~÷¯Ðô¥òL…
+6§éd2†€�Ø]àÛÅâ‚WüÃ+ÆWD­„Š‹0[m÷Ñê
ÚÞ\`‡ÙxЦ‹úîîâÛk*V
+)Nøên×éK¢HJ¼ºK[sDÐ%ô­_¿{{}óæçÛW—"^ßݼ{{¹!,Z_ßüûÊ–ÞܾúñÇW·—,^¿þ׫Ÿî®nmw}|wóö{[£ìŸ™No¯®¯n¯Þ¾¾ºüý«»Ö–®½8¢Ú�ÿ^üö{´JÁì."D•d«gø!¬Yí/bF‹)õ5ÅÅû‹ÿ´vZͧ“ã‡#D('Hhg
+gn+ôl»kÉËmqJµ<ýë9omÉÈ3ŸæusÌïOÚ"[e[(«2›èÒ`»wß¼¸Þ,õÐÈ›0ó—aíÓì· MeÉ�'¢G‹Ò£‘æ0‰‡¡XÉÀó XšÛõ>Ç@‘žØ÷Y6ϬÞóÃy8«�s­®
J ˆ€KFå2)ø)Ès0ì�}
+[
A`ë
CÉ0§€‘¢„·ñÙ
V%ˆì¼Ÿa–.dv,³4ïÖ´Í
5H…>�óÇ2´µ#§3$“-Me¯v˜ 
+pÒ£LÂõçÎh³1éý0*sDUaé4!½ÇË#W¤/þ—KEÌʆa‘<–b†è»Ó%i4}õOé݋ýaF\·–É>³UšI�&(!Z%.¹ÓØ¢z°-"ýQ�Ž°Ù�"ö•)\¯fÖueúò­Sö
+¹¨Òç�C/µQB¯R†2î(«»Ñ´mrïÏlü«7Ñ8ˆóØë°Oj�—N¨ób¯CàD_
+Öá5­}5aƒðL½@·'œ¡2•1)‚F5OåeíüsãX³©óOãˆ
;âˆ-(àA
+ôw×EÆ¥§Á—9È™²c ^H$³G:&ø%z¶ŽtZü‚Ùã~g�t¢‘N�Ƴðø·¨%MF½Ït((dĤ려ó(?Y&óÙenÅÊ÷Ùf<#ö¨L†õp˜	5zÔƒ]ã˜öõørÔ›³fÕ!)Õëä,y„0Ã}“CôøóÇýÎQPUÒûI1	ÏB‹ZPdÜ[˜�°óŽ÷]T€�59gyZL2VX~YX“5¡JŸ…	¥§¡«Ë?ÄÂŽECRÄ#IæYÈbÄ1=£C,ôøóÇý~1"Š�ð<´¨EƽYH¤DB.„Áhžƒ46ªS3Ž‚°2`…ƒz´ ±"=r«0µ«É?�=»n…¹š§ €¢QÏæ=<lý¨×¿Î?
+[ÄH…¹Ð‚ÂZŒú
+“öVúò+L¾3(@>š�“䣈Æ*¬G+ÒQõ5ù{äSÁè7M>¥¯RÚì|jf0`¸kqp	¶è°éÃ>?ƒxRí°�ñoAa%F}…‰K5añó:¨
+iúq'a©3!tp8Ábhì	½Ñƒ,bÞ%ù�?�6ç«PÓåCù9q•yÙ˜SYý‹¹+J¨v7dîÒ>¶×汶­ÐWXºìnRà+m®©j?ÿ˜Í�í69‹4W1€®ó‡2Ù¸³gˆ	1¾]9�ï´ˆ½ÍÓ¿ûþýÕk[Ö}�‰ÕÃAŸí#bÞ:¼ØÒùº”èk»$õßÙ[˜jo¥yýdY¶×lP©\[åØëVb
ܽœ•IÎJO¼Dô. Åî{ûWxÝð`§k–¿B "øBÚ×
ͳ׃üñö¦n`Úê&ߎŸÀF\r,‚Ò[ÐX|/Lê+ˆ¦]ñ7»‰GUJ¿õ’ÿד*ÿf˼5åóSª§,;ø_ÎÞÄ5ååN¿qÜ…
+Kló8+¯Ï¯³Œ ©®lmí6)ÛçYæozÚ²Ô²¶µ2ŠpŸÝËˉ·/B?Çðéêyb:‡Ã”CATh¿H3
,‡×r-ÉÚ¡9¿2@s½)C3¯á¿óß¿ýüüB>ˆJ9—à	C©WJÛ*øØWÜkñ±êÿ×è"Rendstream
 endobj
-1384 0 obj <<
+1449 0 obj <<
 /Type /Page
-/Contents 1385 0 R
-/Resources 1383 0 R
+/Contents 1450 0 R
+/Resources 1448 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
-/Annots [ 1387 0 R 1388 0 R 1389 0 R 1390 0 R 1391 0 R 1392 0 R 1393 0 R 1394 0 R 1395 0 R 1396 0 R 1397 0 R ]
+/Parent 1423 0 R
+/Annots [ 1452 0 R 1453 0 R 1454 0 R 1455 0 R 1456 0 R 1457 0 R 1458 0 R 1459 0 R 1460 0 R ]
 >> endobj
-1387 0 obj <<
+1452 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [231.137 736.902 299.809 748.9617]
+/Rect [231.137 681.3376 299.809 693.3972]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1388 0 obj <<
+1453 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [324.1075 378.783 397.7608 390.8427]
+/Subtype /Link
+/A << /S /GoTo /D (server_resource_limits) >>
+>> endobj
+1454 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [359.1555 437.0578 427.8275 449.1174]
+/Rect [359.1555 347.5161 427.8275 359.5757]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1389 0 obj <<
+1455 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [353.6164 406.178 422.2884 418.2377]
+/Rect [353.6164 316.2492 422.2884 328.3088]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1390 0 obj <<
+1456 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [370.2338 375.2983 438.9058 387.358]
+/Rect [370.2338 284.9823 438.9058 297.0419]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1391 0 obj <<
+1457 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [364.6948 344.4186 433.3668 356.4782]
+/Rect [364.6948 253.7154 433.3668 265.775]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1392 0 obj <<
+1458 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [226.7331 313.5389 295.4051 325.5985]
+/Rect [226.7331 222.4485 295.4051 234.5081]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1393 0 obj <<
+1459 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [283.1811 282.6591 356.8344 294.7188]
+/Rect [283.1811 191.1815 356.8344 203.2412]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1394 0 obj <<
+1460 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [287.6042 159.9146 356.2762 171.9743]
+/Subtype /Link
+/A << /S /GoTo /D (boolean_options) >>
+>> endobj
+1451 0 obj <<
+/D [1449 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1448 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F48 940 0 R /F21 702 0 R /F41 925 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1463 0 obj <<
+/Length 2955      
+/Filter /FlateDecode
+>>
+stream
+xÚµ[Msã6½ûWè(WEX|¬=MϬS›IÖqjI‰²Y‘H‡¤<Ñþúm D$¨©8•J‰Ÿ¯»€njLVþ#+-f	_©„#�‰Xm�7xõÏ>܇Ùt MõõãÍ?Þ3µJP"©\=î{¶4ÂZ“Õãî—õ7ÿz÷ããÝÃí†
+¼–èv#$^}ÿñ[;’Ø�o~øøþþÃÏïn_?ÞÿðÑ?ܽ¿{¸ûøÍÝí†hAàûÔY˜ùÂûûßÙ«ï¾ÿþÝÃío�ßÝÜ=z_úþÌŒ#Üüò^íÀíïn0b‰«ÏpƒIº:ÞpÁ�àŒu#‡›Ÿnþã
öž¶_�Š	Êåj`"ŸŽ2FX@Ô6ŠÄ\uQ¦d*ÊÊD¹ÎŸ6¯é!ßåÍy“MVÁÝØw¢RZÓU‚€†GMð`=ø*™ˆ!‘Ÿ²ÌÆ¿yv»¬ÞVùK“—…(÷†ØÈ«D!L¹
+QwF†(
+ö[y1ö˜iŠ(%jà±}X=­ìÅCÏw�_ð=´k}ß^¼4R%1ædáñ,xÔ“Кa‚Ù;m)BÌÒLØCEØ¡ºŒÁÿE^<mŠrˆOJÄ4“q
+5Áa >ÞJžIü5ñ%=ñ®Œæ×uæ¿1!<É'tèmLx~ÁïÐî�AâãñxÔ“ÐZTx.4Kd\x}Ô¼ð<jœ-ó™6§jB}Â’hçáQDêK¢zÈãí6¾ioÆ0Cj~ããð˜r:ô7¢?�_ð<´ûúS%˜‰x<j‰I`-®?�‘Hì�Ñ_Ñ_‡g¬9¿d�òDe–q5Aa�v	e‹¢C
+o/½Î‘ÑìJ"ÉId×ã	X”C_c»^‡_ð:´ûª£I­x<þµÀ$´WÀ'¢»€"šs 3]S¥E½Ïª[¢×›º<UÛ	ÕQ”PgàA!…�æ„‚•&†ÞFs3žŒeÓ*˜VvL"ž˜­àâFLu<îv`uNsjjó%ŠEcßaâÆ–¢b9"œ@QU[5/7�šÉÒæUNxJÒ5Ad\à)ÎFLþ6Õ9ÆUG”°ˆðÌnlZ ¾/Ñ*Ïáœí^¯=§!¦Ñ$t �­¸üàÓœŠùõPùu(3czh6×lyR!-tœGšà1T55yõEÜËO †�ļü Y’„
\ŽÊÏá¼í~�ü«x<j�Hh-®@šÀ™Ìè‚{¨ˆ;T$eS› &HB-¥Ò�&¨_°@¹¥`÷pù[E8½
&P›rÑaÂ!h}¢:ìð
í^¯C‰‘‚ÅO„G-	­EuÈ!`Œ³…—,}Ô¼=ÊÌxª³Íµ»¡�„ØEÉxÔ›qÃ+¹–C:oóºeÁ© ï…£hG;ßD%ÉÀñ…ηÅ/„ ´{½¡€•¢ŸÌéÆס–ˆÖâb”Ð;%|áÅKc‡23e“ïÏsòãpvIØ°£Ó{ÔÄüÃÄ”¿L	¼ÍN¸1š[B%@˜žßü(�îÁ¾±Í¯Ã/øÚ½ZoLk86¾G-	¬ÅõÆ4ÕbáEKÑ[‡
+5uôB�@1q5A!xÑ¢‰rø$7}äš7-‚èø›.ÙÀÙ¥7-¿àvh÷ú]Ž¤¨Ðñø{Ô‘ÐZ\uXÃÁ¼´É]@Í9�™î˜›*ÛWYý¼iòcö•�À1ýsr¸E7Õ9ÄvƒáJ‚ê(
+WK	ãtàA+X’8Áš‹�`ÍÀÄ
+
+¬iŸUìíàq~�Õ�²“Ùwxê/¡ !‰…Ƀâ4[Q]1¥áä‘:.¬>j^YÕ.é?÷¶ÒÙWåq³Ë÷檟¬ØNýz�§ÐEéxÔŸa_!Çtȧ
+“Â
+…I>Šy2¹³L Šœt;Õ’[ak�	�µ†#l×}—¢­…Ã/Ä ´;P£q·ScØZÀ kÑdxÔ‘КÕãF
+¾þü±l|fÒƦÆä(Lņ	àLÌ&Oì‚^›8™g•VÔeä˜Ö
”äaâ`W†é:XZì&,¨O…ïëCú:U`1
+uŽ/è·Ïenxµ›gÚw'-œšnô5Í駃O›Ñ‘ü¿²pW‡ì5; ˆ"™]ßÂÏéBµÒGEÖw‡2~üž�!Öª¬ÎSÕqB1�OïQó�«ãC±0 ð6¥JàƸ:f�<¢"Õ1EÐ7Ò�§ÑêØá|íÎÔ)á‰kÞ½0½G-ѬÅO,�N–Äv
E´æ@í=š|sY©C¥1$µÖÑ©=(œ{ 3®‘T˜&›w
+	>O½U“ç~¸·eû¹ó{àT´›«¼˜¨•‘WèrV4Jß\!è3“Q^(c뼶ŸEöÙ
bŒv‹Fûaäj/ŒÜ׎¥oàÎ,Ÿ"Û@äó"shXUM‹)Öp	´�>·m”¹º¬Wcß™´âÀ“a†ZÙÎ$œ²õ;@±®³¶ýà.ê2¢×§ƒí`„uFÍ‚È
Ñl×.	4`óÉ.
ŽXgéöy`Ã
ç�­Ê>èÔÕNXÙ绬È37vÑŽØw(×]¾æc8Øžlò�`Œ
-¬ú4_Êì½�ÙÎ
ží 5n.*û — Í�b“7ÀbÇ	_ßï-ÌÊ—mÔOaÖ̧¬nìC V§OîiîHš¶f9‰¶gn;å‰m7¯Ý.•7ÝzØN»®Ý¼D�ýxüéþƒ[Uî
˜)pÛUN¬A3þÕh•¹
+»>‰Òp¦µ'Éh�pÍüŠŽÅõž%Ltèº
ð’g´%�ÞTw>ÔðÀøš+¨"µ·—Ã=u%f•Ý™*{kÝÖs™¡
+wrõAH¤œæn²2ºjCÈ´ù3:\ø=ÇLÌ•š9(û÷µ$*™à¥h§ÅÖÙŸ©ÑymÇíê€a¿:xoÇR{ë6ƒöwó�ÒSÛÌÂÒÝÎùU[@îæ0¯”¬ž(ƒƒ-¡C=Ù/²×Ô„cæ‰rl²Éƒÿ�±¿üGF—¿Àâ
+1óÇ9ÓíÔ…š&ª#eœPÁ5PÖ#¡©š þ4A‘�endstream
+endobj
+1462 0 obj <<
+/Type /Page
+/Contents 1463 0 R
+/Resources 1461 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1423 0 R
+/Annots [ 1465 0 R 1466 0 R 1467 0 R 1468 0 R 1469 0 R 1470 0 R 1471 0 R 1472 0 R 1473 0 R 1474 0 R 1475 0 R 1476 0 R 1477 0 R 1478 0 R 1479 0 R 1480 0 R ]
+>> endobj
+1465 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [352.879 154.1545 426.5323 166.2141]
+/Rect [381.2254 737.5325 454.8788 749.5921]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1395 0 obj <<
+1466 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [307.1508 123.2747 375.8228 135.3344]
+/Rect [362.4163 707.2832 436.0696 719.3428]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
-1396 0 obj <<
+1467 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [334.8268 92.395 403.4988 104.4547]
+/Rect [402.2465 677.0339 475.8998 689.0936]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
-1397 0 obj <<
+1468 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [337.0185 61.5153 405.6905 73.5749]
+/Rect [348.0303 646.7846 421.6837 658.8443]
 /Subtype /Link
-/A << /S /GoTo /D (zone_transfers) >>
+/A << /S /GoTo /D (tuning) >>
 >> endobj
-1386 0 obj <<
-/D [1384 0 R /XYZ 56.6929 794.5015 null]
+1469 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [335.4973 616.5353 404.1693 628.595]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1383 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F48 885 0 R /F39 863 0 R >>
-/ProcSet [ /PDF /Text ]
+1470 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [363.1733 586.2861 431.8453 598.3457]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1400 0 obj <<
-/Length 3140      
-/Filter /FlateDecode
->>
-stream
-xÚµZÝ“Û¶¿¿B�º€Ú''9»N;=_¦ÓIò@KÔk‰¼ˆÔ�•éß],ñKäuâNÆ!¸X,v¿ý
-ÈÅ�gŒ0]þ�/¹	äe-&P§,J,;ÆN¡®áŸ1{(÷åYNh–DÚLû?pÍ(2”6�º(Âeu-®	Ô5\¸ã>/V‡l{Ȫ‡U�ï³Wä„}úe”ì¸ëÃiÈÛ‡Á
-èÈL›¸Flè·LVª¨k„ƒ­°¶8èÀ	#…¶ÔÜDŦ
-iÃ?£âPnb¨Œ‡˜Ð}�àjÂt"ä´³׌&Ci“Ó6b‘†`cm®Ë\.¼¿l©ëÙÊýj“oñ:¡¬XgÕ°±ãLE<™V'p�èÓ½ch¦àÆÔÑçëôu³Võo	3I4qÉ:PÓ±{ò’áùg<0”{)ã‰A„À½SÄq4}�kF‘¡´i4Bc"“™»n‹i‹ž	·ûœ�à¨`}y8�5u6âjrïÀ4ܼßÒY®½û×)¯ú�„
E2ÑÑEˆˆ¨mædCçÙ§
H½
-TˆÍ6.PbP’Oì
-p±;yŸ¥E^Üo�;z'¬âÝ;ÊFØÈX,ÿù�Ÿ"1PÓ\%é¥ÐÓðï¿\¿Ü2+uÃ]ÕÀ¼‡ÃClÅoIS*˜@[­&@µ8Rz=÷Ô·p@Ì”™ôJf›K')hÜÅ‹¡ˆãqÝ)�Ä•s¡„N?ÁïŒí×2}ž$ê€6,â¡â¾-6±#z%Qƒ‡D.³/)â¼":E�Ct ó–h)½údð—v6Á%5SëŒØÒÍÆÛUCî÷(ÊÚã)’PØlÔÅ-ÚeO)ºc´Hæ>u4χò¹“?Z™CÙ•ªüÜÍïÊòsõgr™´½Þ×2cú~…çzC#í*
-•“&J-Ù²¡1%6%=·Çƒ¯°¢Õ
-,‘‘킺rWè&.tÒ.Ë.wDN]@Ö’HîûôcÃê<s�jÓeFÂÅñnÔ£ S±Šæ]Š¿Ê1±¸¶ÛݵÔÀûlJ	Œ’Ð\M\ývLw­4ž)÷©û°å?º@Sh4þT£Ã½OŒ[#,4–¡ƒ	|Ü!FŒá¾¤ã'Lz<¥;ÈcÍ�LÊà:—Þ†;adž¿�%¦W#b³F4˜`9ÇcJKèOM4'ªÙË£p3	3ø÷âJª²Ýö¢iê‘æ�©#˜QRAþ³ÐfDb¤Àçá�(Íœ5qð·!¦ðKbh‹¥}Éo—¥2,áÉ…ß.ãÏ‘•0pc‰™–|ôÇ
-ðχûþ©ôùwä`©4æÒ—zƒl²�š�,Ê3Éð§Ò0m¢3[KùÿÿÞY[endstream
-endobj
-1399 0 obj <<
-/Type /Page
-/Contents 1400 0 R
-/Resources 1398 0 R
-/MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
-/Annots [ 1402 0 R 1403 0 R 1404 0 R 1405 0 R 1406 0 R 1407 0 R 1408 0 R 1409 0 R 1410 0 R ]
+1471 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [365.365 556.0368 434.037 568.0964]
+/Subtype /Link
+/A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1402 0 obj <<
+1472 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [393.041 737.8938 461.713 749.9535]
+/Rect [393.041 525.7875 461.713 537.8471]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1403 0 obj <<
+1473 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [402.9837 708.0059 471.6557 720.0656]
+/Rect [402.9837 495.5382 471.6557 507.5979]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1404 0 obj <<
+1474 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [320.374 678.118 389.046 690.1776]
+/Rect [320.374 465.2889 389.046 477.3486]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1405 0 obj <<
+1475 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [348.05 648.2301 416.722 660.2897]
+/Rect [348.05 435.0397 416.722 447.0993]
 /Subtype /Link
 /A << /S /GoTo /D (zone_transfers) >>
 >> endobj
-1406 0 obj <<
+1476 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [488.512 618.3422 561.5676 630.4018]
+/Rect [488.512 404.7904 561.5676 416.85]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1407 0 obj <<
+1477 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [390.4905 588.4542 459.1625 600.5139]
+/Rect [397.3443 374.5411 467.1586 386.6007]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1408 0 obj <<
+1478 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [321.49 558.5663 382.69 570.626]
+/Rect [321.49 332.3366 382.69 344.3963]
 /Subtype /Link
 /A << /S /GoTo /D (options) >>
 >> endobj
-1409 0 obj <<
+1479 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [317.0267 528.6784 385.6987 540.738]
+/Rect [317.0267 302.0873 385.6987 314.147]
 /Subtype /Link
 /A << /S /GoTo /D (boolean_options) >>
 >> endobj
-1410 0 obj <<
+1480 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [356.8967 498.7905 430.5501 510.8501]
+/Rect [356.8967 271.8381 430.5501 283.8977]
 /Subtype /Link
 /A << /S /GoTo /D (tuning) >>
 >> endobj
-1401 0 obj <<
-/D [1399 0 R /XYZ 85.0394 794.5015 null]
+1464 0 obj <<
+/D [1462 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-470 0 obj <<
-/D [1399 0 R /XYZ 85.0394 484.6014 null]
+474 0 obj <<
+/D [1462 0 R /XYZ 85.0394 256.8016 null]
 >> endobj
-1051 0 obj <<
-/D [1399 0 R /XYZ 85.0394 459.8194 null]
+1106 0 obj <<
+/D [1462 0 R /XYZ 85.0394 231.4888 null]
 >> endobj
-1411 0 obj <<
-/D [1399 0 R /XYZ 85.0394 84.3175 null]
+1461 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1412 0 obj <<
-/D [1399 0 R /XYZ 85.0394 72.3624 null]
+1483 0 obj <<
+/Length 3014      
+/Filter /FlateDecode
+>>
+stream
+xÚÍZ[sÛº~÷¯Ðœ'¹c!¸ìS}'õ¹8©ãN§““Z¢-6©ˆTœÌôÇwR LYJ�Ît<c€Àb±X|Xì.$FþÄÈXfS™Ž’T3Ã…M—'|t}oND ™´D“˜ê盓¯U2JYj¥ÝÜE¼ãΉÑÍìÃØ2ÉN�¿|{õúòÍ߯ÏO=¾¹|{u:‘†�__þvAµ7×ç¿ÿ~~}:ΈñË¿ž¿»¹¸¦.xü|yõŠZR*ö0½¾x}q}qõòâôãÍ/'7ÝZâõ
+®p!ŸO>|ä£,û—ÎTêÌè
>8i*GËm3Z©¶eqòþäoè×ÔŸàL*+(Õ�Mʬ‚.Tàͼ¨iQm9¯¨’Q±>uãÍ"§�Yþç²,š¢*©eQUŸê?£"^¼Ö"šŽ�&2eÎ9?ÏÜðÓ‰å||¿Îʆªÿ¦b–—ߨT‚j46EÚËl™7ßVùö‹j¨À®šªI’ÞÂ[I’Ô‹r‘Mç »µÑÒàÃËUS½Zc™ dEÚVëâK±ÈïóТŒ¿-§ahFÅ2¯ëì>§¡ó,Œ«7Ó)tÜm‹o�.k¦ó|ÖD9ƒ¯4œ«U¾Î‚²�)ì,$K�‘~AÅr™ÏŠ¬Éý.¥¥ø	œ£µ@£_ËŒêY*eEåÝf
s®iD�¥´ëSáÆ9}ä_³eQæ3P�–v|N­[=‡ÇpÙ®æyI5ZTê⾄{ë¡CM#‘�N½v"°a˜/fgÔ×4� bÒõ']¿kPsQRc6�V~¹³Œ6úŠf>À…àq
+¢ jöˆÆÂ*Õ¶Þïmõ*Ÿžû,Ñr€˜jAÖÍ�°TÉÄÏ}U!`E«q¨K¿KØF›ûySPeF½w՚Α‰Ï‘†9e€½_Ñt5©óÅÝÀ�3‚))’@8ÌK2—˜–Ä6•ÞË,a2MU ë”¡EÒÊ[7 vê,^PÖ�d™­VEyO½/¨Xêî«WÜDª„)¢÷6oZ•È©³yËMÝD{¸³)P÷nŒÆw
+¬6@c§´ðx”×èÀ[ýzDÙ xLŠ4jœ-êŠZ‘�ã2¿¯š¢½Èð4æͼšQ�¤ÂÚí7*ß¼?A|�Ñçü C&Ç€€ìvQÔÁnJ0·aòèÐ)Ò[ÖÐÇî¥)¶[%R3þ5_ßæ^ûUM-pÓ—Ób•-èõ‰e7bº(`2Žûë}NÍY¼ Û9—€×Å]0_?Áb×™W
+ö·D°äxážr‰½ahq‚„^`e”IÔ1>qoØnBp°Wðfåêá>"¡´c	OvÿݨVŒ¼Ã�Ø+
�ãÀ+T[ëÐg5é³,‘JviŽ¾!JÑ.
{&™„Kô	;”p–"RãÅ×lÚL‚G¯gj™¡o„
¿u<äJ°§»|ð£‹ãðƒ]•èàHAS;ùîUs›ûxM;9»³~"†®™)º!>¾¨vâ¼FrJYòúÚîÇ·€„‰¥Õî€]¶LwWE¸ÄàÒ�i‘‚‚£mxÞÖ"ˆw®E‹ú¡h1j
+™@‹ŒN^8}Ì´é3§ÉDÚ‹6÷ÑÆ«X	qÔ:ˆbܲͨðM†P´õª»³PYï
ÐÙ3$œc\KóCmÍ�B�2ÌYc¾ƒe;b?‚„e©Nô
ið•µV‡üŒ]
+JÁÒ5sȹáÛ�?œzÏ«
�^ƒ©*([;é<XC©»/ 4gÆ8s”b4j~W1Öè­búŽ. �w!ð<M$¸óBŠï›/«6n�ƲªjÙÔ9Ä¿}ƒ
WßbQ=�4�­¨ÊÀ)$¶äxµû�°�œ&ÛçT€%X7-<–Û·
O3bÔ”<Œ»ÂN8ñŽ‰¬T¸ë•õY©Šª·¡i³‚6R0�Æí¾ ^HÆ]—Ez:
�v:D»„)?!f?©ÚVPQâ*ÞïÔ2Ç-n$K´"7úOƒ[nRÆ�Öh¡èX¶ï}Y›â¨›|]ÔŸèu¯ÿ�Ñ:»Ó¬Î÷æØâ=ÏŠþO]MÅ1‚ã\M°Ì¥Øöd`ÐÑ´½÷ØðØf1�¾,Ùš
ìûiXªœ<�½
+‡êÿ^sA'fÚ
'd’9�—m ôR¢-ø?J¤,hn Â÷Ô…—ú'2<CPQ<vËxp¥ ì ‚ÃP
Oß}*)¬u*ž§‡
+Öªrñ-L�Æ÷�f"àd¤‰Q}+þV»P£ƒÌÑ@‰wàG
œ&¹ùžaÈчЖaFõI¤È$a<‘‡²P} œã‹NYûÚæ=46›çÙ—œj·9ù}SäeèýRdT¹yùŽ*þwH„Ⱦ%¼Ý`u�ã×»•JmŸjñ㎞f–ôE=xoþ%k:²ËwTf³ÝéuM
Eé'Û±@{5IŸ¿zuÍίß�¦Òÿ°

Pâ‹Ëw6î
+O£õ*›¶�õC/Ám˜ÏÃ9Ûu
�U8À¸à€<ð8�±æ˜<ž”þÍFìÍÈ%–Y<9ǃ”F<ŽHZñ&üI0ã:þáQ§ZLl¢ûâÒ‘š
IßW@��ýÓß¼5=oÁ!ãø/Ç�~k%RðLÒ‘
+endobj
+1482 0 obj <<
+/Type /Page
+/Contents 1483 0 R
+/Resources 1481 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1423 0 R
 >> endobj
-1398 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R >>
+1484 0 obj <<
+/D [1482 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+1485 0 obj <<
+/D [1482 0 R /XYZ 56.6929 512.9872 null]
+>> endobj
+1486 0 obj <<
+/D [1482 0 R /XYZ 56.6929 501.0321 null]
+>> endobj
+1481 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F53 1017 0 R /F48 940 0 R /F62 1050 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1415 0 obj <<
-/Length 3076      
+1489 0 obj <<
+/Length 2789      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝsãÆ
÷_¡Gºcm¸$—}»Üù’Ëd|­¬L§ùx ¤µÅ†"‘:Ÿû×X`)J–,_}™v<c.±Ø/à,
-©=k#,¬ÿ’eµ±"‹³ËÆ£±Ò"—±9=�‹a.nÒ}0ÕXƹ�ðÔ¨‘)™ïÔ˜Ô(e"ŒÍFY"…JAèƺX9ò7ï•ðf±È•ÆÕ‘éús1ïÆ«¢›//Ç:ÓQëVEÝ•óôšÚ8š.Ë–z6—6ÚVŽ^üÇ=KWcËDÝ’ûÃâ()Ež$ʯ7se}OHØ®Eçô‚‹øçÂáêEE¯]ÃOœó¦î€ƒ¹›»]·?i2<©’(
cù¨'ä¡R
(`ž_ãX¹j!Ái’L™ƒ„zx�nEl.ÀEU¸ÀÑ­”鸨LèDôv;[4«¢¬Ïb† ¡¹ƒ¾ô�À‚¶Xu’äï[=ä2
-Óôð;C‘ß&#àŠ›
-˜VÎ…!F1/DŠŽ‡QYÌ‘<{¤àËq¤@œŸ$æ,Rr8ê
Rüœ)Øjêê‘`Æ÷ÃÌX*#ò,ÑûNü¨ö‰F�˜—ãd €¯…“]må¿«š¼®Ö"!*ÒÈh¬`CJçÃ"Ï“b�Ê,@@3N
-B´¡É„c?�.H@¯Ã·§ìS$©H+¹R)L%À]G·`ÀŽ¨´[°ÞÎÀ}�¯”`�ß1<éÈÐGV	vˆÅC¤×î�¦˜Lx©eñ‰§Ÿ¹°!ÊLرqD½¾ËÕºr+`î‹ÞõAÉæÝÍ­è
°°óÅ{á!¹*¾ï=`÷p¢
¢rðAGöˆ=ͳ`{ƒ^Çö¶9Œ³¡Zê+˜¥Y8Ô
d�פ8&R‹²Í{ë:šÐë(.hR@-kp
«"à]©àS±Ó;~l̘ýß㥔2Ç€6]rjM‹CÃ/nä±ÅM<\œ“ö�GÄwòˆ¾‡ëbÓ•ó-… Föµ¾PÀ¢ôjÝ´a‚°~ë`dÑ1/€Ë8 Ééñr[™ÛÐý@"̼Рµ‘¥Ê8È:ç09µ0¡-ïk¯L¸ž˜äA왜[°“œóhÍòr›OžGÒëy)è© wÓ^QÍ(H¸К°ÿnyXâ 8£8Ñ—Æä|T.šØÒ÷àéðNÍL„·‘Ì¢¶ÙðÕ1¹ÚV]¹®x¸—•b™ aí6«²#‹…Wº‘psë’Š3
-<çvƒ*ly±žÓ}.Ði,øý½
-›@êê]øC¬™k¨¢š^‡ÙèÙÕt÷¢‰ÉdÿÛú]³­Ÿ)·û:–‘¾ê/!¤�œ?ÉÎ55Âæ–€LeøÔ¤Iô…—§‘«çƒ <ó$’éxVvÔñ©¨¶Žšì‡�a—9¶¡+ðø©‘ÇÅ°‹TBŸ¯­&9íy¬f?™yFO;
|­*ŽÉ„Uñ—LFœVS,E¢S}FO�‘�š8�™þˆ_cò˜
Ÿ�4Ë•Ã-)£qU~b¢uD�%
-rÀ´6†]O>t=vàzò�ë±½ëÉ+ì+¨ƒ‚í¦kæME”»b…`;‰àþ2uÛuð:—ùpÚg~ÃÒËáu’5q,2•¢‚(ˆ*Ó‡!NÜß2¯þEàîW‘
+xÚÍZYsÛ8~÷¯à#U!8ûæq쌧f•¬¬©­�ã�!‹5©ˆ”ϯßn4@Q‡íÉ$S»•*l4€FãëŠ8üAªWY$YÄ4:X¬/xpcï/„ã{¦ñ�ë»ÙÅÛ•Ëb³å`­”ñ4Á¬ø%¼úþòãìz:KÍØ�Æ:æáw·“wDɨ¹ú0¹¹}ÿÓôr”DáìöÄÈÓë›ëéõäêz4*ÒPn‰Ÿ?L®‰éæöÇëÑo³.®g½ÈÃc	®PÞO¿üƃN÷Ãg*Kuðœ‰,“Áú"ÒŠéH)O©.î.þÕ/8µSÏ©)â‚	©U0±f	�åóûÒöu]¡2&¹ÖGû¹é”Ë”%™V½ò#1P¾ˆK•ÒA¢3+©¬ö㮉ƭ©–¨ ·7@ÝÏH8ˤB!�󲪚Çœ!»•¡ΦÞf;ih~å\~vL
¶i8w¼»M‘w®?¢6¯]gvõ‘:‹¦6‹®lj”vÁ2­¥ai7iÖ£±ŠR’BE^
+$Õ¦{l¶¿¹Ùñ™Y‹fK2·›¦.ÊúžÆo?>DÄ�ãsBnV8SZ„³UÙÎâ(¤V…eÝ™º0QQØæ¤?d˜Ü	%ÄöÝäòŸ×44�¶¦kg‚ä »ÉÚ
+
+ÊLRaæÀº6²TÁ½®)*`[7ŽÐ–÷µ½LHŽdAl™Œ)ŽØIÏ}}Üšíƒåv-¯C
+zª-ÖlöÚ¢^ÃÕ€ÖxùÁ,¶çΉê´ù9é«u$8Ò÷àé0Š&Qh“˜$l›­ƒ™ë]Õ•›ÊM·º’N'HؘíºìÈbá“"
+·éÊuù‡C�åÜmñ
+[·YÏi>çh÷gc¿÷ûùŸ‹æûLp›ö™|;w̤NêÏûB¸ô/qÛvŒnãΘãúFE�Ç"	—à¢3fÜÞ»
+o:Ì°=ÿx8á4Å>]Ï{çÞ=Ü;²@‰xRs	Y<”¯Ã-Nš<×+’@ÁÏÀM‹CI\Ð9,õ4ŒsýgUÑó¿&ÀɺϪ":–	ªa¦°ÄxQ=×+’œ®†’¸
+Š\&3ÈpJˆ™MÖCÕàå��|˜ïx7Ù–A^æÂØ?Ž�Ø¿íI(õt’Æÿ«Rsàe¾ ~v3ž}°”:a±TÏÜHÿ`)cÁ$9…æ±öMn
+‰dÇ õÑWîÓ„>£˜ºGç²õ)õ®.N_9 "NbH“‡Ò~�öR±ìÅçç“%ýŒç•Š�1hÓ¯(5ʘÔQF¾’ôÑ8Žb^¢ú²84õ¢¡ÆL‡"ÏËŽòjg¨ë¼10ìkÊÖy»4òX«Ñ¥Ð#kªÈó³c³9,i^¸©�
+¾N­û›Šð¨üKž¸üŒgoJ€¼i&_…¿ÔP§Eô¢9›ý¥3î@Ÿ€>˵C´á¸*Ñ*;ñÊN4€�ŽWiÿàdOÌéSIwã@Â÷ì{kvÈW?_»º´.PQŽŠm×U6ðG¾¼réØ6Ûr�oKû¸Ÿ»Ö8†¹£$AD²åι„aepRÅdÓ†º”BÄuúÂÇ^T!v%~®èyž‡Uc¡Ø樴ˆ_·¦ÎülŽi·-|¾±l†N§ô¯Y«fW‡9IQ¶‹Üå§/ z—¯ƒàßê ³aY*_ó?"I˜–î½aQA�
+pè*Må3u¥¿/(ª`-òfIvR7
¬u*÷láÿêê]endstream
 endobj
-1414 0 obj <<
+1488 0 obj <<
 /Type /Page
-/Contents 1415 0 R
-/Resources 1413 0 R
+/Contents 1489 0 R
+/Resources 1487 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
-/Annots [ 1419 0 R 1420 0 R ]
+/Parent 1499 0 R
+/Annots [ 1493 0 R 1494 0 R ]
 >> endobj
-1419 0 obj <<
+1493 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [312.8189 214.5127 386.4723 226.5723]
+/Rect [341.1654 298.8688 414.8187 310.9284]
 /Subtype /Link
 /A << /S /GoTo /D (the_sortlist_statement) >>
 >> endobj
-1420 0 obj <<
+1494 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[1 0 0]
-/Rect [406.3277 214.5127 479.981 226.5723]
+/Rect [434.6742 298.8688 508.3275 310.9284]
 /Subtype /Link
 /A << /S /GoTo /D (rrset_ordering) >>
 >> endobj
-1416 0 obj <<
-/D [1414 0 R /XYZ 56.6929 794.5015 null]
->> endobj
-474 0 obj <<
-/D [1414 0 R /XYZ 56.6929 424.823 null]
->> endobj
-1417 0 obj <<
-/D [1414 0 R /XYZ 56.6929 392.7174 null]
+1490 0 obj <<
+/D [1488 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
 478 0 obj <<
-/D [1414 0 R /XYZ 56.6929 392.7174 null]
+/D [1488 0 R /XYZ 85.0394 509.1791 null]
 >> endobj
-899 0 obj <<
-/D [1414 0 R /XYZ 56.6929 362.8617 null]
+1491 0 obj <<
+/D [1488 0 R /XYZ 85.0394 477.0735 null]
 >> endobj
 482 0 obj <<
-/D [1414 0 R /XYZ 56.6929 306.2038 null]
+/D [1488 0 R /XYZ 85.0394 477.0735 null]
 >> endobj
-1418 0 obj <<
-/D [1414 0 R /XYZ 56.6929 283.8925 null]
+954 0 obj <<
+/D [1488 0 R /XYZ 85.0394 447.2177 null]
 >> endobj
-1421 0 obj <<
-/D [1414 0 R /XYZ 56.6929 197.5762 null]
+486 0 obj <<
+/D [1488 0 R /XYZ 85.0394 390.5598 null]
 >> endobj
-1422 0 obj <<
-/D [1414 0 R /XYZ 56.6929 185.621 null]
+1492 0 obj <<
+/D [1488 0 R /XYZ 85.0394 368.2486 null]
 >> endobj
-1413 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F53 962 0 R /F21 658 0 R >>
+1495 0 obj <<
+/D [1488 0 R /XYZ 85.0394 281.9323 null]
+>> endobj
+1496 0 obj <<
+/D [1488 0 R /XYZ 85.0394 269.9771 null]
+>> endobj
+1497 0 obj <<
+/D [1488 0 R /XYZ 85.0394 89.8526 null]
+>> endobj
+1498 0 obj <<
+/D [1488 0 R /XYZ 85.0394 77.8974 null]
+>> endobj
+1487 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F62 1050 0 R /F53 1017 0 R /F21 702 0 R /F39 885 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1425 0 obj <<
-/Length 2926      
+1502 0 obj <<
+/Length 2893      
 /Filter /FlateDecode
 >>
 stream
-xÚí[[S9~çWø±©Š5º_vŸ—„™a�TÍîÌ<4v]1nÖÝ@2¿~ÏÑQÛm»“ÅÔò°IUt¤–dé;wIÅÀÆUÐ43\˜Áèv‡®áÛ»‘úÛNÃn¯·;?)7,XiW�¹<ãÞ‹ÁÅø÷lÿýÞéÅáÙîPžY¶;4–go�O¨%P±ÿñäèøݧ³½]§³‹ã�'Ô|vxtxvx²¸;J	¨4Å¿>žR§£ã‡»^ü¼sx1_rw[‚+\ï¿w~ÿ“Æ°»Ÿw8SÁ›Á#T8!ÈÁíŽ6Š­TÛ2Ù9ßùÇ|ÂÎ×8ô)˜4LH£CÙbý¯Ò/pøÕDJÅ®sùGaÓŽiãy­|�¼Tä…VÌ+eÎf|CèÏNügow¨ƒ…ÊM±;T^f³]á³¢®î#1J­ã¼É
`ÇÍ¢çU5»Í¢«+,EÖÜtUÖT6_ïÒ·?¸áùtŒ¼xØ 1¸%�„Œ¬«Û¢)o‹š9šäu
ƒUë»bTþÁ¹±Uöj௳Vº°<j¥=S µƒá‚Ã}"ƒcw+"óß�j"l`Ê
‡Ò1î–Eí‘SÜ2/ƒ
–Y¡ÖH«TÓzî#ü‘ÈôU5™T�åôšª9É‚þÓ‘^Òp\²‡•ÇñÈéšz-ý l$	ê…"ƒ³>ä“rœÔú¬þÛ*Kç¢nATŒpîÅ
-Lze	?€ÌJþõè	0`eë:ò„Üe4i%«wù¬)óÉ7P§è ’³¹¿ÂOèn¾,\z/šnº^Ê鸤yGMY¡"B ÒT©Œ
-	Ä4¿MÔãM‘,TÅ¢GZ[Cµèi»,­põøÆ‚�Kº£žÝÝ
-i¬²b¸1HdÄ.&D�´EÛ/�AË]MËQÚÉ—à‡ho %Zv¨CŒ�GóâõìÐ¥L]P ×—ÍñZw‡Û²%ÂxÉdÊvÄZFè !ëK•Án@*äÈ¢$>Àí¬¸›ä£Èƒà²¤4²
èqu›G�N<
-jœåik5O]óÔÖ3i;RlTÅrLßóš¾Ñ/´’
#ô•OD4mÙ´9kÒJ'}Ñ´´N®—îŽØ<O_ÔÊh“KÝge4ÄÞZ�¤ûü—ûUàÙyS%_‰Q\ˆƒâîþrRŽˆþ\|M¾®«Q	–|L’d/FÕåõ´…~…ÿª¦Ó?\/ê›™¥¹Ú]vaØ–)z�èRk
a£î‹.5$ÂÁØd‹Î1õ‘f‰S"$%Ád7y}Cª–9õh™ˆM‘‰ñ[‡‰Ø‰˜8eæLD™¸–aKŒ}÷:°l7(Ýj´¤•*ˆ>î)Ë8Œˆ½;ýüÓò£ó¹c¨WŒ×õ¤ºl#¦»ª.1�HÀžßßa:«‹qîeÒÆ÷7@ÚYë+’4÷Ìh˜¼RÏu)}|rô0^®IÂ%P�Ø?ýDeí 8È	l¸¯#”@E(áKNU<RCß–“]ø:>#Zênu»&j«�P‘YåûÂ%ÍaBÏiãǧç‡ûÑ¥H§tvÍTõPŽÉTÍíÑmÑÜTɲ\�1#sf-†+X9>­‹…Áš7ß‚¹šÅƒ¬!3’qzò,R|×Y¤ær·º0¼b‡¢,gNú>“¤œeÒ†@Ü:?8�D™‡±mr)˜ýÒ¹…‘tÚdðô—ºÊ¥ã¦3
-! þ\ÉœcÛ3\üæ“‹îV·Å‘8Ý„(zȾœZÉ”	&ÂU0ZŽÆ [<‘‡¢uäHGG¿u9ÖÉ‘wFÅ	Øã=©É>Õm÷rº^w@#¯ËitI4è÷ß©BË‹)јZ¢¥ndhòÎÐËï¤òÙå}óTvQ7å$ù¿dœ�JÑ%PçÇïðt“ãÙeoÀQÏ�ÌÒ©-4ÈñÖËW‡qÛ= Ü®}Ã@7ûäKX¦Åû¿ü¤PbÕ[‚
ˆg6¾�ð�±_F�»]ÇDªÑH#Ѥ£uŸÂzãZ¡Rjùh
ºl’¬Eò%ßÀŒÎ._qD(½g!¸>ó+!•4^QDa¨"D/ÙQDlæÜJ b<§ÖrzUÅ£wµ0t‰Ò.}„w6u]¶Éëðí.ü_�3Ü>c*=gVz
-i‡À÷iG'†…‚h¢œÕŠ;ÕHÚÛkS0?õ€ÆdŽ¤j§–®I‘NnôjƒïK·<Óx`â^€ß'�Û¤zŒZçy¼ŽÅæË¢�°']Ø@�îå£àׯTÒba]cS: 

-ùævžx$$€j‘øÎ|.8ýæ‡îv»œÜ–u}	…Ö‚	guŸÀAŠ—(æÉÞéŤ#\ñì„€G§s¡î¬l¾¶Y]9^âÓ›8b¢´TóʯÀ<1)EŸ¿’�¯zî(B=9ß;D���ŠiÑ<V³Ïér¶˜=”£èÑhq̓(¯àx®�7ßp›Þ]ø+Π%7L‰^$9óFº/ÆÖ§?ÊÍ¥5ǃdjJ6(º¥$šL¤òÉ„¨ö<:³$Ôj]  —�»±ØÞ+¾b¨Àû„\Ë‚–:qáp?žù6(×±XÎãfªÆçPBrLôè´?—x·–úÝÄ—y@��¥¡)+
-®û|¯LiC‘M�U!¾âÔzÆ
-™y½¸'Ž=òYCT¼¢Õéâ‰6=A:=(ÓéR�{‚zÖiÜF¿ÜÙúóÐăd'-æ�À)ÊHWß5óAï£ï}¸¿øÏ`d•÷k^ÍR8ÂåÜ*øJÅx9ïÕYú
+xÚí[]oÛ:}ϯð£4\~‹Â>¥iÒúÞÖÉÚ)°»÷ÞÙV¡Žåµä¤Ù_¿3Ê–]ÛJÈö@9Q4uf8s8TE‡Ã_Ñ1–ÙD&�8ÑÌpa:£û#Þ¹…{Ÿ�DèsRw:iöúx}ô·w–Xi;×7�±ãΉÎõø�È2ÅŽaýû²w~|"
�.º_AJ�}9½º>ïÓ
º~ìö>‘&¡æì²wÑýü½zëèº{Ù#uÿüâ¼Þ;;?þëú·£óëå”›¯%¸Âùþçè�¿xgo÷Ûg*q¦óœ‰$‘�û#m3Z©Z39ýc9`ã®tLš&¤Q�¥™ƒßÎÏ*íXÌã?Ë;'R±Dp½{,zŽÃXA¤'ÔÆP'‚'LÀ?`FeX,E²4£T
3
+a˜vq'6‚IF3žŸØX[l•TÑ]QV$¥ãñüX¸(+K4žL¢î”îTw	ݵ£IZ–@Önæ%i©ÕQJ—Jžó0v÷jËo€¥;±f‰1ÞI�€Sü”•£y>ÌÆäù4øÈÅ	
+W_!ó%¢ÓõuÍ×ÜŸ4“¼¬BÄÝ„}„�E´3+!÷¡Ü˜þ¡âpÝá�(k‘Û”µbÖÆäng@U]ƒ»'@¿“q
+#d9kÓ!XˆñЋ
+d1ï½}FB›wKHG{¼»á6¯sÅ7MFrf¤k‰LFYÆc"Soðûù¿ÀÜ*áÑ *ÍAú�x‹A3['ùˆäÙSHÎ�ˆƒ7‚g¯ž*óÛi
7ü
+)ÿ[LWñæd·«·„"®ölš(6�ÔXÀv˜®…*!™°<„¢
nY¥Y3”H‰‰îÒòŽ$\ئԣ¶!ª¼
ý½µ¬¡ƒ
—O™¥
QFn±…„5»¾ÆxMT»›8(ÏÕNƒUz¿ñ´s�=@Ÿ¯.Áxð˜�ˤPn®ÛI1¬‰î¬(sÜöT‹Yéf¤¡FvVâ×˳=x6&úŽ©­¶œÅ°ÓjÁ3¶L&ÚyD¿t{—
+ÂÙÕw¨Ò‹
�
+"`(y$áNJ—XÅ´‘¬(àŽwfèø
+’Û|ÓwLr5$	§eÜbØ•Â^€\¼{58?óÉDÆJGW>B@j˵PtŸUwE*�úB¤�ˆh¯�‘Êl«–ê{ˆTs_kÃ+´EˆK¯(k.÷«�Â{N%�$%Û¢‘tLÇšpé>õŽO71’Ú�L°bA¥&#©>h°ZO]åZ�0Ãm @<7ª^÷ŠÜ¾¿ØÔ|ÓCä
ÊÑ*Ž·¶…ˆi®™±ŠÂ™_8
+�Iã#(u£@ƒ7æxD$•‹†‹jÛ®¢¬òIÈ}!2ƒX%Hƒîg,Gs,6·2�rYõ1kevP%jÏ.¶i·ÃV”ºÞ•QLÛB•uÌ&Ž¨ãïÿê(”ØL•°þ}™ÍÕÌûs{¶[¿�3¡:�B]5p�ΛxY>Pëå è²Ï³V›.©øc4ÞòSA¥“\´_;ÈØÑRˆKtá±…€¹LR&À¤Í§7…?)QkðBïëÒ(A!\lC×õ€¼ÝÆ´ßñÁžâ†A¤j‰¤JIæ”$x¿�«›Düâê˜À°Q@$ò	Iµ¯Ó¹z}Ä�,K ±HªzaéHå�Boöä½p&7õU'¢‡t²"F¶Iñ藜㾪‡êaV
ã	Çkp}SL°×8Ü}¢–&�Ñá=ªBU$Hâ[bírÇ�
 endobj
-1424 0 obj <<
+1501 0 obj <<
 /Type /Page
-/Contents 1425 0 R
-/Resources 1423 0 R
+/Contents 1502 0 R
+/Resources 1500 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
+/Parent 1499 0 R
 >> endobj
-1426 0 obj <<
-/D [1424 0 R /XYZ 85.0394 794.5015 null]
->> endobj
-1427 0 obj <<
-/D [1424 0 R /XYZ 85.0394 695.8713 null]
->> endobj
-1428 0 obj <<
-/D [1424 0 R /XYZ 85.0394 683.9162 null]
+1503 0 obj <<
+/D [1501 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1423 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R >>
+1500 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1431 0 obj <<
-/Length 3069      
+1506 0 obj <<
+/Length 3252      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZYsÛF~ׯà[À*	Á¸6OŽ,ÅÊ&²–b6®Mò
-øZˆÃ»Ò
ìʤT~ŠçÜÞôB©/àH^k?Hƒ�ä¥êI^ˆÐ×I<ˆÃÔ�t¡äïÞ
/"8Žw×EâÕ�ÅÌ´ ·$öÙrYTsnML÷dLE�Ñõ%‰”DdÕŒˆw¾æÍfvQÓ¶¦õQúƒXûiJ8´ ÏðÚ´Ó¦˜˜髨Xov ¤ˆ”¿«<Æ ¾^§÷ÒŸ'H¥_�M.Ü€—Ô�„‘I OèF…~,Ejå2º³º‘ÞMõP7‹¬+jM,=÷\š¦­«–,ë%0ŠIiˆ	‘P^—3gV/²¢Rqì]}€%pÞÅ>õ�sSuY‰3DpRYB$ǔՓÂË*K¿¤²¢4òe”&'”RJ„ˆHY£û›†:Œ”wYƒÀ
-Ô‹N„÷úöþþêrRئôÚb^eÝŠ´E¬YÖe ^a_¾Ø…òÅ'Ê÷ é@éÃ2ï¿ÌKÉÌ4‰ÂÿÇçÜŒÃ2�
-¥¨0¶R±Î&iÚsF
-Þ4<¢‘Þ«~Å!PG~,’!P˜J_†)…@÷w×èƪïÆ:H¼n(<TÒ÷¦šAc黺,¦ÏD_7ÙÂ0ÊB³èQÈ°^ƒDvÏçÅ£a�16•DnB¨Oˆ
-‡�KÁPŽß�ÑÓ@Ìãa*=ó¡#yp8ZÛç¬ýÔ$îèuÓ?Þç½òõ�*ˆOÝ6
-ìIæ+F2
%E|\�:Ñ~)mEùN†.„±72KΩ0…âk'Q62Ãç;‡"µ¹h ±›ŠÅAº“Šýí*ÖñL¬ÿ²/¥“MòTYçÄA¼SÖü{³ÜA¼‘ŠAgÝúpon•C?*‹ÂÝꛄkHø‘ÖÔîj¶
-‚X«…é>V÷`H,üX	{Ä&{ÊþŠËoJj!Ox¨‚üH…œü½�@*`@oÈi†²M´—ÙRÇN*ŽŽ’¨13�¦¬—TIlÍŸ`“ß´Dr’ò_,³´ÂW`³ó Fön0Õ”ÒÃ"¼’Î$‘cÓà´ù·íÀ­|ú]¾
-}�YSÔ+^©}nwʲä•�Yð}€5ÅIÖ®-ìãxNÓ¸Þ9ׯ—Ža³èߩѵ5=ÁÛWOq/e__KP
�€sûÄ  Ëd¢ŽRÉ‚4Ù
-@{D$«lÁL2$è|èLŬŲ,¦Eg¸‰×d`€<x„Ve?G`Ã1QÁó![K[_¤ÅÝtÞu4ò‰¸®yeó!ƒm
ï¹Èªç}XHçF$´ßtC»oSe¥jèÄÃÕ‘/gÁ¸y†)>rZ�x«©«ž·ëx~ÎS{;/³©ÅõT¹¯ÅÚ›æ”Ç$XçEà­aÉjTõÌâZh«‘=/G'À„ˆ¾óh
káSZQ¶ÄÚDeÚs5U†Âû`ÁÚ¹Él-a™©{^Ú3kE#ÓãñOXW¢qœâô‚7›â7Ø,££6Éd˜/Ò	ÝZ$mË&8Ñ%Ãï·{@…LÝ7zM¿tÀ¯ø<[Ù"¾]×•1.RuÁíºo”;1$XÄ2—äøîxÜÇ"‰z.§Y˜Œ”�õnkÅ1Û2@zıõõrF
ëQЛñèbÁÃËbQtÄ´`ϼ~⾚v¡»9¨zlO3;áeÞ›%¯RT[;M³inÀÄ"¡Æ¹;íºÇÜfµ­ŒÅ‚¾ªüx¹´…°˜«cÈâÊ?Ü �†ºð ŠÀqÇwøx÷ñâYÙòR(‰1á
-:Çšµû<½·1I×éð�U™³„·ÄÒxáÎŽ¹ïÖ²«¤Ú
ó_°Ë±ã‘ÞRVºq‹ŸÐìáRþ¸•êÍÙ Ü
+xÚÍÙrÛFò]_Á·€U"‚9€lžYŠ•8²–b6®Mò
+o­B+$}¤CÎ×”ç¢Cy&E¨…ˆ{
+ÖIô!é¯?Œ€V’‰à·Æäý�ÔiPVøÔÁ›ëÛÛ‹sµ5=3Y.úLfúäGçå$k�Wd-AÃaCÀcÙeò §d˜Æ1žœ!ÀíAêÇÊ,`gA•Íp5Îé$€Éè11‹6#_�b0ª5‹‡lJø¼v«Ô-
æSÙ´Ûëá9¢Í|®+XPÄ	œ3'`ýnØz´ï†ÐpHÏöinU�U?§Fc*7á®^ø¥éi5Ø<)CY̦݃Ҿ ²”Üñ‘ø<A½(ïË
+߱ĩ¨A{ϧÙÄO?ÑóÚ²Ó-³ƒ´Ì¸l`[Á¢à�i&‹rl—
%²{£Æ]ž
+&Õ¥IÒ4Ôq"-�nFC40"
΀PRóÚÊ 5PUð™�9Ï-Aõ�Vòzf…aj„š9ðí0û�ìR’—Ã,‚w?À¢îËA·y$_”GIÊHŠc<Rq˜Ê„Èró¡?H@@ƒ«õC™£ªr­‚Y6Ÿƒ–¹ÖØ´�ÆTÔ º
 9'ÀÚ>À"‡Ës§à�iÂý6í¨þ°D`Nç­_–9/«@"	e*�ñ&æàmA·‘.ÃË\U`gY[ÖHÅÿœ›ESW
5­ç€(ÇSCHkQ¹¤Gˆ!=BÓ¥Tpñ	–Àyƒýì)g`Ÿ³é3�cú³ÖTxͼb<Œµ8jì¸Æ …ŒÝpx{õ¸!°wÁy]¡¶Ž�­Ý6yД÷UÖ.½DTžµ�—EQÜ¥/vQ�Á-}÷rHFB yçm^Šè`-uÿ§ågì%z¬’P1Í�=’!gΨûB#Ô
"X/[3h2dË{ˆ¦¸ˆƒ1F'6X.À@ ¨›¶!�b1„0&§�‰ì¨ìÁøA¦tS!ÛÏŠ¼$ÆN0”Õå† ù`Œ&£ sZ/>º®MC9Ð^3ת§•^ù·èoy¶ƒúØ%ú×1òÛʆŒ ¬àÇ2Nà2M,Y¬:Æ:M;ê¨x´
+×ÞÒEDy]D˜âI„�¬
+"âU<¹ß™ùS°x+Æ„ÂƘØãÌ¢lP¨•�8…¶`ÁxÙÒ€¦-§S³Äí�
’k`7¬úgGü±£»Yǧ‘GT*Ø
©é°ã¥¤æÄC1K ÐáÇâ¡XðPjI„¼}†‰Ø�«t¯ü3Š¸
ˆ[»Ð¦µaªõÄwôÌh%G˶
+“DPLt;ìÇqð/L¹ÅŠòƒqmM\¢ƒGc-@+ô¯\ùHl4fñPNl
Zhã:Ƶٯ6¿ÿrël!râhª¡4?À©
^q(e!;f÷$$N*Îîݾ½¼ÁÐbÍíT0¶ÖM'ÁcöDmÌݱYæžùr<-›‚º3­G¹Y…å6v}4Oß5„EK[HCîÍb¾(«ö¹:Çãæ²K¢—â¤?ìó—ô3ösRˆ�Ç�ªá$dUZr²—#[ªL €õS˜O-ÄÅ¥µ}æÏ­]ö:Ýó}Ý;[Û¥BV}„Œ\†Z«ÄÛ
 #fÎv+æ±·[>å¤@0q&‘΄!¸2a8›°ÓýBÞ,q9Š¹àìö×ÑMŸñ48¥¶ËVpD×Ü,çózÑzæ¾-›b�	f{YØ¡Í+v?ÎQÙ±¢½Œ¢0UŠˆù�Ç9Ä*šN©Ù{ -¨ÈÏ!Ehís ±�—©(ÝÊËöF
_W&é¾íK1e}Ûrìúç¨Hm]ßü³üA¸N¡€i膑ڼöùâúGD`Ðxª0™T@T½‡ïþnJ@BñØ@¦�ïêé´~ÄÜèüý¥H;3	§Ô¶Ã)“i†,¦q;ð4äBãlP¿²¥MMnmbvZX§¥+Ï
ðƒÔ¬Zë0
õ�MË-!iý@Fø�mY©„@k•J¾-G£oâñãa©cz.˜­#’®]]÷	Þ­8…× Ê4¬³ÏKy®oPøà
+´EË—D$ÃXèÔÝãmX¯ó"« Âé:C… ûÝ^CM±nëI=%ÌÄU¨Zkµ0@o©ã׫!¬„‚$€Y™Xª¢CåýaÖ	™ @¾8
¨ÒÖâ
+Î õÅBñÁ¨‚¥e9YGŒ�ûAw
�õáÆuÞµ¦r¨Ù|ZNÊÖVsu°ÈÜ-7·1¼„Re/'°á‘Èàûš@l¹+q»¸ŸîvC.k·²ù”Á¶Æí9˪§]0йQɺ,ß
+V•M)——öpµ¤†ÆYcØ"£D2| ƒåÄ—Ò›Õn~á¦vvÆ‹ûSúJÃ]Ë`RP*£cú.qðÖ°ä5ª:·‘¸dÒrdÇËÑ	0'¢[Éìw(\rKʆPë°LúÂ.
+Š<½Ã�sù N/ÝN¼�mZû�¶‰(0 ³E{<¿BÚ/ypš–ïrwX’Ôy<Üð
}ï…gî<Ù"¾ZÛl˜•1>Nõ¡íªowŒ;6DU4d>Å	WÇÓ�ƒ¸H_à43“'°ðmEXù¯:
+u¸ÁË4{8÷)>Wkd9Ø9P0ƒÖV¥Î:àÔ��z,ÌÊý®—žn€r7q-%æ +¿åt§Ah€ø¨šá©‚¬H 06ôtÁ¤f®¸É<ð¬ülü„	Òφ.©·X¤¨ðøLÇ­WÛàbì¢S„ûÅ:Î02Ç)ÈÛÒ¸‘V#áé“™]ï67˜T¨4Ëû{ӸȄ´Ÿ Ó¸(B�\ÔË©|Æ®›î�\:K¾‹;'„ß,<¹Uˆ�Ý)`))„ÇÞ´‡T
 endobj
-1430 0 obj <<
+1505 0 obj <<
 /Type /Page
-/Contents 1431 0 R
-/Resources 1429 0 R
+/Contents 1506 0 R
+/Resources 1504 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1382 0 R
+/Parent 1499 0 R
 >> endobj
-1432 0 obj <<
-/D [1430 0 R /XYZ 56.6929 794.5015 null]
+1507 0 obj <<
+/D [1505 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1433 0 obj <<
-/D [1430 0 R /XYZ 56.6929 420.9025 null]
+1508 0 obj <<
+/D [1505 0 R /XYZ 85.0394 337.2163 null]
 >> endobj
-1434 0 obj <<
-/D [1430 0 R /XYZ 56.6929 408.9473 null]
+1509 0 obj <<
+/D [1505 0 R /XYZ 85.0394 325.2611 null]
 >> endobj
-1429 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
+1504 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1437 0 obj <<
-/Length 3129      
+1512 0 obj <<
+/Length 2929      
 /Filter /FlateDecode
 >>
 stream
-xÚÍ]sÛ8î=¿Â�ÊL£?ôÁ{KÛdÏ;Ý´çzo:·ÝÙ–m^eÉgÉIýï @Yv䶷ۙk3SA$ 
-ôûŠ¢hnV?:çH|4NòL³tâ€UÑ„ß^‘9à/ëN`‚xC·*ÊÊ¡…F@ì‡^ÓpþX[ÏÕffW{<bƒ‚³¡ç1»n›�Bb(í•‹àQ%îõh/ð²°Íj�ɪ…Âbч•7!© ©{›á[L:DjåS~`kQ)‘æà
-õ&·Ì–W¡Äjê3Ÿ|±à<¬9K…ÜGO/ý�/ëjA© çGãwhP��s,þ\ÅB@~–Q)Iòu©pU´ÏH~!ù�ùãê$ñ;&yÌMc?w¢ù¬�¾Ð‘½§úLnÏx‘Ï×çÏÄ“OEYÑ£¢‡+ï©~ä
-fòÑ¢xžKÊ$4 5
-•(d�.ÀÂ7¯Þ‡¿Œ§œQ‚#ÓfMàeI,Ü=€Z?���`ìïýWc ùÞ÷ÀQC:…Œ.\�Â(4Cd�RÉm€¾.DpTŽÂ½]VJo»ï¤”ÿåbøþv+RÈ)ébˆC�$Ù7^JÊPƱúòÅ 0Å’8æB‘m¾€ºÓ‹jÅ1TRoáÔÀë…‚Žl ‘�£d‰`ô—‡Ý…]"ËÂ×U»ŠG[×L鮋%*13aÐ.ÃÔÇ`l§øfÊkÛÌ÷­¼,]t-æõnñ
m”[W…“Á¢hæ;;swÖ͸†¦Ì1îâ8u
xM×k 9[Ñ=D×.Ì猗wkmÁCTTµœ¥Ñ9ÕLJ`ýöWÓ½>pÝòåçJSƒr¥¶ÖÎ÷®¹àÞmáŠ7
-—5[<£¹u%nÞÁ¦âJøsöÉsI�íÎÖ®–JƒÕÂϨ©3�röìnOâÆz´tÒ—³¡ùÖ#öÛyðJ4“.õ‡!'=�=õ nC¸yǽm‹Út*¼™öwÁÏ
-ÃíxxÚUUMGƒÍ�+¸¶sÄ#ßsÊŒD& rb�4DQÇøýô~0ƒð¶wM:.*^åÒ‚�
-Ì€áÀØ»³½­tv8kš¹ƒ
-/ý,LÁw—RC?âŠF_ý`þÖŸŒ6§ÓPe™þnë¾ï˜)'5çœw¿-{Îúð{¼£endstream
+xÚÍ]sã6î=¿Â�ÎL¢?ôÁ{Ûf“6�^Ú˦7;×íƒlѱneɵädýï @™väì^»w×ÉL’  
+Ÿ%àâS±Z×ΡÅBxªÊãEïo®h&¸}q¸72‘…&�ë]m¬VU
²s
´J÷]=B‚íûpü®Š®·Œÿ!Ž¥ãϘmwÇóHN¥=XJL»eûìe–æ-¨¨é™Z~Á
+4WlzÉ÷)o&Ê­Œ�œ>VOd-Á(l“ìodæý}DÀ-�DÇSTÓ™}¬&ù\õË
+2…Ç-ªæ ?�Æ'�ÙuËŒxÚ†Ò^¸îEâš{{�FYuÿÂ�dUŽ›Ãâ­w+Û/B»F€v,†­„dˆÔêçbÇ00Ö£PbÍÎ
ðnïB®OîÌ—ÔÀSQo?wÚUÕ÷Ã	 è³ò)Å™Æò—õP�ë»Ã“
+<nNœ,tyzˆ’[̹קžš£©~™qê0ãÔìõ¼¸qÂ=}÷û†ºNžà}4€›ö¹¶å£=A
+4WÍ]ž50äÆ#Õ‘Äp[£â¸ñ¨,òj=ó¼$-ì)¢P¥Ð—„Éu .Î:!ÉíŠÇÁÅþõøžIE$\+’8ƒ;“”_rSQi¥©Lo*¿o–g$âIh^´ô3I]›ºÔ&‰Û_ƒt˜i‹ØÀ%É艆ûb&Têtrûî6º~û3ÃTåñôoïÏ/3•IH¿ Rð\ß]ß¿‰´#�êT
¿™šKÿ±Ý ÜÀÿ;òÉ
ÊD>. )ã(7)ì%O£,ÉéÒðR"oÞò8-Ž`¥¯*ñUå‘Á]K¤Ÿ5˜LGy¬èâ|h˜«ƒÙ€¯ÊÊH摉€%yZ2ÁšbKIÐ*
+',%•Q®ùî:

$¯È  þ'–�Î"§êsÖ‘ 0¤!ë$y¡m
+€ïßG?\½‹þvûÀ)¥4Ýè0o‚C–‚_Ã8€Z¿t�pàM
Öþ£.Ð|åð¸„XgêTБ°2Ä3œ@Ññê»Pbº—öJ-ãÓ2	–ûJ2ùOÂÂ×·Z‘H�0,(eF˜/¨æIj^pf£X˜”QÕ½î~ø4»w”ô´px2	ù
+¥¦.BçÁK´9ÅÀ‘Ö) ð
+7¯à”©¸þ’=Fò\Òg½©ZWJ¥Î¦ô£c¥{o0:ãÜÙEOâúZ:
÷ÙÑxïÃ×<hÍtHü¡ËížÀ@<ˆÛnуº×½-Ѧ3áÍ4\/
pÈFŒÖß°ÜŽÜp5<¥',e8,Á0ïÉ9Cl5ùÜ×Þ
½.‘¯ÐìÃòý£- T<}>�\R>Ý€´ÛUí«ØÁú9x&ì}¸[»ç/}ïfö’sFÇùàÃ×mSòCÆðTžë)	ñz`°Ük!4‹GŠ„9žÜšqApÇ*æy^Ë_O²±Ÿ˜FMŒ<:LJCÓ¼-âéOƒ	áÒSGèe;f“äŽÁ©Ñ=SJF¼£®bÖµõ¶·ÔZÙ¢¡’<à|�2£nàÔ£‚’æدI|à­Ñ/­~Q·qÄâŸd
 endobj
-1436 0 obj <<
+1511 0 obj <<
 /Type /Page
-/Contents 1437 0 R
-/Resources 1435 0 R
+/Contents 1512 0 R
+/Resources 1510 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
+/Parent 1499 0 R
 >> endobj
-1438 0 obj <<
-/D [1436 0 R /XYZ 85.0394 794.5015 null]
+1513 0 obj <<
+/D [1511 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-486 0 obj <<
-/D [1436 0 R /XYZ 85.0394 769.5949 null]
+490 0 obj <<
+/D [1511 0 R /XYZ 56.6929 729.6823 null]
 >> endobj
-1439 0 obj <<
-/D [1436 0 R /XYZ 85.0394 750.0533 null]
+1514 0 obj <<
+/D [1511 0 R /XYZ 56.6929 704.98 null]
 >> endobj
-1440 0 obj <<
-/D [1436 0 R /XYZ 85.0394 564.5091 null]
+1515 0 obj <<
+/D [1511 0 R /XYZ 56.6929 519.4358 null]
 >> endobj
-1441 0 obj <<
-/D [1436 0 R /XYZ 85.0394 552.554 null]
+1516 0 obj <<
+/D [1511 0 R /XYZ 56.6929 507.4807 null]
 >> endobj
-1442 0 obj <<
-/D [1436 0 R /XYZ 85.0394 384.3846 null]
+1517 0 obj <<
+/D [1511 0 R /XYZ 56.6929 339.3113 null]
 >> endobj
-1443 0 obj <<
-/D [1436 0 R /XYZ 85.0394 372.4294 null]
+1518 0 obj <<
+/D [1511 0 R /XYZ 56.6929 327.3562 null]
 >> endobj
-490 0 obj <<
-/D [1436 0 R /XYZ 85.0394 286.7057 null]
+494 0 obj <<
+/D [1511 0 R /XYZ 56.6929 227.5589 null]
 >> endobj
-1444 0 obj <<
-/D [1436 0 R /XYZ 85.0394 262.3661 null]
+1519 0 obj <<
+/D [1511 0 R /XYZ 56.6929 200.4217 null]
 >> endobj
-1435 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R >>
+1510 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1448 0 obj <<
-/Length 2766      
+1522 0 obj <<
+/Length 2732      
 /Filter /FlateDecode
 >>
 stream
-xÚÍZÝoÛ8Ï_¡‡}P€ŠË/QÔ¾uÛ´—Å6é¹>`qÝ>(¶'K^KnÚûëo†Cʲc;éµÅ
"j8’Ãß|Q‡?¥†™\æQ–k–r‘F³å�î ïõ™ð<I`JÆ\¿NÏ~~¥²(g¹‘&šÞŽdYÆ­Ñtþ>6L±s�Àã__]œ'2åñ«Ëß¡%”NeüâÏßN/&Ôa<믗W/‰’ÓãÅõÕ«Ë×ÿš<?Ït<½¼¾"òäâÕÅäâêÅÅù‡éogÓaÉãm	®p½�½ÿÀ£9ìî·3ÎTnÓè^8y.£å™NKµR�RŸ½;ûç pÔë†T“àL*#èIªCzJsft¡ž^µkÚSù©X®êò—ý-ËLf³(Óšiÿ¤=Éœ¥™Èv÷ôÿ�
-ëàQ"ËÓôÄ
-hY¾FìŠJž’LI–
-½ÅU>ÒW–2žjeÊÀarãôåÕÄfí@c”Öñ% BIžÇoþp
~žd06^UÍv†ìiW糩€CÙ®äëö†Z í»¨Kr–¦ÖÖ¨€�deЯ¡�
-Û×N´£œväÕC3ç?¸~8´88§Gô#$Èãêˆ~äX?즘ýg³bíúî„vFóþ¸Ú198 mÓG¬�£7KÉ‹?´ŸD�LÎÆÏái¦þ‰£*Oþ«ÈjðÑJ�V‘±–É,ÏíQ"³:’ÇuD³S'´�[GÐ@“³\§¨„ñl7€>¤2³L[\µI3&…ѧ©Q9“VQ`xç
-º¶†síˆt¿(jÁ&=Û¬˜¹
Cs2é0hëÕ$Ð*5æe7[W7¥—´hï©Q·î
-[J´…ÁVªÃ®ì?‡ÀÑ�YH,Üñ½»†ˆ	…—‡¦ãºèœ
©±¡)¯gÌQÑP¤�=¨Ð£ÁÕݽ·c™‡€Ã/#¦é"Œ#ëÝù¶uG}ˆfÄšIÉŒvìÉ#<Mã68ÔLuíÍ
-3¸¶t0&h6m.v‘Ì[ð”
ÑÐÇ_ýñòúÍóË+ôèDõ†ºj›®ìaþ–V»$œ}n7ì�ÝV°,>UË�çF?Œc"ÃV]|¬.îUËcE°ÆuÐ�rµÀE?L•38s‘gÑ_‡0IJâP%R�lþ%"È£ …Cgò$f¡Ÿq
I?*ö'ç%4d#¤cA˜hJfà�èüf¤Rì,zzöÄ
!¥]ýŽ#9ä>°EQÙc¹#쀰ƒÔ;˜´ó³‚°wšåm±©û=Ÿ7
-—9ÛÔ•ý	PlÕýu¸�	ý-1�7F˜Ó Ð/žÈ‘E¹´²ÛLÅ`I˜¢¥Ô)S¡±(œ¹A« éß;z’3“©O¨½uˆðR5{œ“‰ËÁÿ,ª0sȈӱ—;îÛ(ŒÃ6‚“ã['ÇÇNŽû½x‡"jhT§
-
tλ|Ñóì@±°ÄBñC…T�Öf¡Î8Rxžµ�öµÁeƒÐõð|S¬VÛçq|ùö£~¼`˜”^ŽÊ!rL•Í·Éõ¦¯Ú†zÑk÷çü�£"ƒ½®‹¦«Ï=ÛpŽ£.ßµ˜Ï½ÐŽ:Ü!BNê~NÚ±CÔ†¥Í‰Š9?R—%ÌE$:p²Q·K�?ŠªIÜü™ŽY±^ô’*0…4T«!«
°R¡¢¬‰ßN'ÔðÑW¯XTd’Çà�*­`
6>¬9ÂÞ\÷Î<C8„Že1/w%Õ%$’XÒ-[H(]…Ö¼»ê®¡0V4à¬Ü–Ù8;:U€<MV̉£.o¯rÇ‚”uu·
-ûDvÞÞÃSîÃSz|a‡
-]‰;u!QU¼ç_­j?€6�=K$¢»"Êì á&ƒæ[žs¹­Ò?¡Ö8q?-eü×®qpó<„È�9¼]’}ðwQÎæ9VHK,¤ñ6î﫤¿Ùåô�€Ja˜ÌÓ#_Ë|*±’¶¤ÀŸ®'—¯ñ:ŠÇ»¶0¸ðƒùØxª¯[ý6û
-áš)Íåi…ðŒåÒXòç‰Í@¨þÍÙ
+xÚÍZKsÛ8¾ûWè0ºj„Å“çæÉ8YOMœ¬¢­Jm&Z¢-ÖJ¤V¤âdýv£%Kv²Ijb
+åMÓ-°–Åqâ ú`‹8[ÝW¨|ùö3OÎû4×p)YRñˆå&´cÈ„i£Â)‘u“òè\åÁ²º«›�êX�'WuÛ•®ÈHÉ+ò9k vy8Èž	•»Q ´åY¨¾.gWä[Á^ç*‰‚ò#Š´uSÕÝ`ª½­’BÞ|"å D
:P�l ÀR~,VëeùË¡{Ê3!5Œ›fZdÆëÏòO:.SÙ¾úÿzÅu¶xrÔOÂX\�=ö‡Ç=�ÓTŠÌ›Þ÷Y5pàŒ…•ÊŒÒÔ
+“‚[@�±œÄ¬Y¡¿1Ö&WŒ– ¹àû“·ü¡äù8“ì¿Ä^·;�Âr½
–óuDQªÌèï"3ëD\h‹1*¥N«¬
Bc	åA±C…¥c‚tôgŠ‡fÎpù˜TøÌë	ùX)¬ËÍ	ùè¡|ÄM1û÷v-šÍÝ#ÒÌûKBl®2÷”ÉiÀ'Ò’ç~h@c³gwG�J%ð_�–Ñ`öXFJ£DžtK*œçó^FfÁð!éÓBLÿ­„´ƒ¢Eì
+¶
+Ì0Œ’ñPerÛ,—Í}¯Ý‚æàÖîÓºl÷í�¶‡ºØ¯>f[Ê€àÔ–lAØ”-Ö܃Šÿ6u“O©ÁØC€R ~.³#ëRa³ÏÂú&7"“™ù2}¼×
+`5pîZ©G
«¹f9Àïqª…vizìw/r½ÕWÿÊf÷K#›	ã½>Ž�{
�ÇÂÃöæÁ)ÆŸã0×`éÿ3RºNendstream
 endobj
-1447 0 obj <<
+1521 0 obj <<
 /Type /Page
-/Contents 1448 0 R
-/Resources 1446 0 R
+/Contents 1522 0 R
+/Resources 1520 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
+/Parent 1499 0 R
 >> endobj
-1449 0 obj <<
-/D [1447 0 R /XYZ 56.6929 794.5015 null]
+1523 0 obj <<
+/D [1521 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1450 0 obj <<
-/D [1447 0 R /XYZ 56.6929 756.8229 null]
+1524 0 obj <<
+/D [1521 0 R /XYZ 85.0394 685.0919 null]
 >> endobj
-1451 0 obj <<
-/D [1447 0 R /XYZ 56.6929 744.8677 null]
+1525 0 obj <<
+/D [1521 0 R /XYZ 85.0394 673.1367 null]
 >> endobj
-494 0 obj <<
-/D [1447 0 R /XYZ 56.6929 609.3337 null]
+498 0 obj <<
+/D [1521 0 R /XYZ 85.0394 537.6026 null]
 >> endobj
-1452 0 obj <<
-/D [1447 0 R /XYZ 56.6929 582.0292 null]
+1526 0 obj <<
+/D [1521 0 R /XYZ 85.0394 510.2982 null]
 >> endobj
-1453 0 obj <<
-/D [1447 0 R /XYZ 56.6929 540.5567 null]
+1527 0 obj <<
+/D [1521 0 R /XYZ 85.0394 468.8256 null]
 >> endobj
-1454 0 obj <<
-/D [1447 0 R /XYZ 56.6929 528.6015 null]
+1528 0 obj <<
+/D [1521 0 R /XYZ 85.0394 456.8705 null]
 >> endobj
-498 0 obj <<
-/D [1447 0 R /XYZ 56.6929 359.8869 null]
+502 0 obj <<
+/D [1521 0 R /XYZ 85.0394 288.1559 null]
 >> endobj
-1455 0 obj <<
-/D [1447 0 R /XYZ 56.6929 329.8975 null]
+1529 0 obj <<
+/D [1521 0 R /XYZ 85.0394 258.1665 null]
 >> endobj
-1456 0 obj <<
-/D [1447 0 R /XYZ 56.6929 240.6043 null]
+1530 0 obj <<
+/D [1521 0 R /XYZ 85.0394 168.8733 null]
 >> endobj
-1457 0 obj <<
-/D [1447 0 R /XYZ 56.6929 228.6491 null]
+1531 0 obj <<
+/D [1521 0 R /XYZ 85.0394 156.9181 null]
 >> endobj
-1446 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F47 879 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1520 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1460 0 obj <<
-/Length 2195      
+1534 0 obj <<
+/Length 2208      
 /Filter /FlateDecode
 >>
 stream
-xÚ½YooÛ6ŸOá{¡
-�µ@…víõîTèY£S
è²mÌæÖÓ
>—›¢ñd	ÛÝÙ=+¿”DbwJA eíž«n¹_õ©í·ûÆ3»ñ#µ “»)¶&’…tJ*"¤Âãf'�‚ái{©–›ýÊø£§ÑÑSΉÊ3ë�–å7×óéËélÀG„ Š�{âºoX	¢å�Ñtv~ùë‹É
-”J‰`Ó�TÐe>à\†@�“¡ôöúõkð~rç³³+[ê( ¯Î¦³ñ«Éü7¨�Á-Þ/È™¶üPl:ÝàŽe~ô-lO&¿Ÿ]ýr9!ç×W…ö¢d}Iú�ÏXƒo(NEáìÂC:ùjÞËW=Ø•PzAÉåÞB¢}Á%z´Ë€Ï"x½+ß¡{?â’©LÊÀ�ÎCìÀ�™Ìÿ—„
-˜#òP—ñ<¹sî_/�«ˆ`ãx3à.|U
-¡>ËdTuðQø\|ÁÖ.¾àýþ€Ãv‹/^Y9Ü�ËMm˜,=ó»>±É#Í’éíPÑA9ô"Œ?{L)�ëÓ€}I˜pR¨P¤ÎŸ(P;a#‰L€í¾l׃‰N‘wPõ¹�¼‹v�—¡,Ø_”Õ6Þ—�yTœ~:%ÐN?ÿT¦ ü¾±å=‚~žC™’ª~Ù‹  T8G£»ŠàB÷„t3]�´¯Q€Â5Ìίr9ðQh�yÂàŽ®¿ßÝ®¬wÇŸàMFIÞÿ§êcÀ!‚_ÕÕÒôØ‚GAQÐpö=*v$ì¥\aª¸[)дC}/ç²#ûs_ʈÖR7¾
-˜¯èˆS»,E4‹�NfP[[ï„Æ

-@oÝkÈW4YÀ–Ýh›ò@4–[¨„ʶ½¹ÍqQD;]6pßM·lô¢�F‘R�ñ8æì”ÊXH,'©
$¦¡4c
¢m-rí{h¡ÒsœÂpFÊà.ì¨õX*;Ьëýf…+m…nÇv¦ië�ñ£Å­ë5íDáÑ0ë¡!¸O&Q@¨ÜüDÏ[#çïéíäPzh…�ÉÍ)\°²‹Ì%;hñÂ>›‹K×®¹_¼±ƒh &€—€v9¢�cì
-/dr¼�ùÉÂ/²¼LÑîwæöô“ëàiõ8‚¡s’qp‹8X¿,þ-ÒH
ããÃ-Ú—¡SR¤€uÑ•ÛñÕ$K�¾)‹ÊS~Tž.—_¯4µÌ�‹?I@èînÁÜûM;nÛÍ¿|·
+xÚ½ÛnÛ8ö=_¡‡}��šÃ»¨Áb�Lêt=Èe6õLÓéƒb3µ
+7t@ýi~ñWrüœ\^œÎßüzu<Édº˜_^àòÕìtv5»8™M>,~>š-:–ûb1*¿ŸŽÞ É
+¤ûùˆ‘•ÜÔ°<çÉöH*A”"®lŽÞý«#ØÛõGÇÔÔá
+õéPgâvSnLz^€ªwR&OOëÝÖ[Vï‹�²*Û²Ø8_q®ì”òÊÛÉïâÑ«Ó\€„¯*ª€³FRyÚì¯ûio«6R»¶¶BÈ~nmµ²+ç³à#ïÖŽ«ŸDo
¹;ÚèD
+Žu0=àê™fcÙtà#.›rh+ïÕ)ð_ÃD$4¿89ûõõl„’‚ Êø�ê«Z��ä’a²Hs±8CEL¹†Â–S !IfT/±ˆºŒB
áå8xû¥j‹Ï?Žð%QL«1¥©�Ò2"ç
oUo‹²šVδ�/׆p)£!Þ�P@,‹—.ëíÖù䈥 Ì‚�¼#ìOY®	®
B’/äà2Ú¡±­÷+Ý•ÑÌÓ*¸.‹™ û£†�ç¾N¹H˜5~‹êûêTªÒeÄáã�¸ª$ Øpo�'ÿÙ�…hf©#²kZôœ(Ê ú"éÂ]Ä$Æ0|}FuaÙ‘ƒ‹°]Bù*—e;UJNfò1aƒ˜ÑÀDô�¿#‚ì#d$“Æ'ZÏ}” ±…¦>’úÇSRd,0‰TyôŒs¹ß¡ª1I!˜MvˆÐ§=¨/(jRö}À©»îÔŽŠNåÍ&p!7HóÍ­]ö|ä�~ÛõX²ƒŽ€e¹~™ÙAØ^ü�ûmWÊX.ÚaÙð­™Ïf×M½Ù·–ŒXÐDæP§Ðë
+2õ¹™jH]{#ANÆÊÛ»wïÀû]’;¹8>wƒš
øüx~1};»ú
fµÑäÖ¿/ò•¶¼+6�l`…Ç<?8דٿ�Ï9›‘“Ës‚LVô�“!âc›
+à‹	¼Þ¹¶u„pŠV]þö2�‘oæ*û_ê
(I¸iÎ�eýŽâ
+s ˆm™È`æqÞ_»Qw0<
pq·±#ÞÂÀU•”æ«TÆL—=Špƒ/¸Ú‡ü}HÃn{™À^Yù´1—ß.Ú¸Yâ·5qµƒêt~3Ös0A¨áâE3QP Èû)
È÷3ÖêÆÐ<{¢?í˜í¥‘žÊc^»/Ûõh�
+Š.S}mFƒÞ{H—±†T°·¡'«]
¼/û 7}¾"°¬ŸÉÿ–§(¼›2C“'²ºj†>ŠIAšh£»Êè20éwºàТ
+¤Ÿ e–‡	ZÚK9
na4#dÇEƒ�·Ú{5Á…f]ï7+Ätý¹[ÛÙ¦­w6¬7~ÒtE5ò&''Z‚ÊìÛÂÆÀY{¾?†9(¡ü0J©Òk÷,µw¼Kík‚[téÂ}›[×âܯ->†¸ET

+ÄdÿyA<jN‹³¿îmÁÜú
ïFv³ÚÊÞûM;mÛÍÿùaa¬’€
 endobj
-1459 0 obj <<
+1533 0 obj <<
 /Type /Page
-/Contents 1460 0 R
-/Resources 1458 0 R
+/Contents 1534 0 R
+/Resources 1532 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
->> endobj
-1461 0 obj <<
-/D [1459 0 R /XYZ 85.0394 794.5015 null]
+/Parent 1499 0 R
 >> endobj
-502 0 obj <<
-/D [1459 0 R /XYZ 85.0394 769.5949 null]
->> endobj
-1462 0 obj <<
-/D [1459 0 R /XYZ 85.0394 752.162 null]
+1535 0 obj <<
+/D [1533 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
 506 0 obj <<
-/D [1459 0 R /XYZ 85.0394 685.5532 null]
+/D [1533 0 R /XYZ 56.6929 663.594 null]
 >> endobj
-1463 0 obj <<
-/D [1459 0 R /XYZ 85.0394 660.2382 null]
+1536 0 obj <<
+/D [1533 0 R /XYZ 56.6929 640.0743 null]
 >> endobj
 510 0 obj <<
-/D [1459 0 R /XYZ 85.0394 468.978 null]
+/D [1533 0 R /XYZ 56.6929 573.5829 null]
 >> endobj
-1464 0 obj <<
-/D [1459 0 R /XYZ 85.0394 442.1289 null]
+1537 0 obj <<
+/D [1533 0 R /XYZ 56.6929 548.3076 null]
 >> endobj
 514 0 obj <<
-/D [1459 0 R /XYZ 85.0394 217.1462 null]
+/D [1533 0 R /XYZ 56.6929 357.2459 null]
 >> endobj
-1465 0 obj <<
-/D [1459 0 R /XYZ 85.0394 194.0979 null]
+1538 0 obj <<
+/D [1533 0 R /XYZ 56.6929 330.4365 null]
 >> endobj
 518 0 obj <<
-/D [1459 0 R /XYZ 85.0394 110.3497 null]
+/D [1533 0 R /XYZ 56.6929 105.6253 null]
 >> endobj
-1466 0 obj <<
-/D [1459 0 R /XYZ 85.0394 82.4166 null]
+1539 0 obj <<
+/D [1533 0 R /XYZ 56.6929 82.6167 null]
 >> endobj
-1458 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F53 962 0 R /F11 1304 0 R /F39 863 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1532 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F62 1050 0 R /F63 1053 0 R /F21 702 0 R /F53 1017 0 R /F11 1367 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1469 0 obj <<
-/Length 3190      
+1542 0 obj <<
+/Length 3049      
+/Filter /FlateDecode
+>>
+stream
+xÚÝÉrÛ8öî¯Ð!¹ÊBc!¸ôÍí(O¥�Œ­éêšt”HÛ¬¡HµHÅI¾~ÞøH�ìžt×T�}
+¦‹ë÷74|;3¿�ß\ÍÏgBZ
+ïûûÙÇO|’
v?ãL%±ž<ÁÎD’ÈÉú,Њé@)7RžÝ�ý£8˜5[}dÒ*f:–‘‡NRùè¤*˜B:Ýå- “ðiû˜S'ËïÓ]iGçZO‹uî~%rZSÿ]ñÙŽþÆ5_,ÞA#hà¾ÞR§Ù-›ü÷]^YhÛsOóUmÚ¬¡Á§¢}¤Þ®Êòß8—UžÙóï { øô<:-‹ÁöÄ4% 4\ß÷È
+-­lê�é¬rph&úcÚÚÍUù•zYq�Kî�èÃï{³£^˜<]=Ú ùvÉÒnM+jЛ´…£À
øTæ°’gIæ?Ž+<L…át™cYšáÒÛ<m
+Ä
+ûy…w²k�Òâp“·
õ�z8u@'œ¤ÁßwuFçD`‘7›zÛZˆ»%u~�Ápóç|Û�ýœ9DFØgy™?¤-–ÎÆ5«m±<aãDdmÐêR™7vçõÍìòõë[vyû
‰yéà¹,K¯5¶bûþöúí5xîL"gèF%À½d>W`9ˆæ÷‰™´
+Hž$�8h@Z÷BöÉ•/J(3æG@F/EÁ®<rÞ0R<ªŽ0û!ãàj^*ªD±ˆG{¡â·Ë݃›ð"µ>~ÚÇ
–íºcP³'ŒØ`%¢C‘R0¥Àó:baƒ
+­À W‡Ó˲¤
Škº¤…hQ
+£
Œ/ª‡2÷„/Hlj‹È}H3j·
+ÓÞÊ—"°$.’G„€"9{``�…F¢K™*2XpBÄF§a%ˆ@»|t
ÿ™p~
+Öˆ,ëô+Q£Þ`°˜–¥ýmÚ{�åúÉðGöBƒ6%	‚½¨v]gZw~‰ O�&*
+0W¥=è?³4�
+#	½?&ãnAÏø�†{/�EŸ>y 'pv¨�
|x�v(Mߘ¨ˆ’I×›2¿ð\)ÔL(­ŸÃ*x)V3É/ÔEæ3
	Sê#@RiY.ã‹Fјå-ˆ&²’Ë©äتaÞÎ¥�µ`xµÛ’h›fŒ
’BN7[õfo‡õµT¾„‰Ô.Hi:ËWÅ:-iÌ8¯~î[N—˜yÃ¥4Ë\vÛ)/þ0�™æN‰¥S¬£7Õ�ÏiQ¦KW�#B}“R·÷u°½¿£¦Òª×LrÊ®¾�ù*ŒÇ‘è•V\Ø+¬Ú´´ü‰À´óXŽùsäÈQí©ö•ç˜V‰ˆ&-¢Øíá#ˆr‡Î9(NX :…ùâµGAÐi3(ŠGá!"ìaüê; ¼ä]¨g
+Öx§ÝfCb°}F$LŽ§Œ·2ºâ8þè=¡XøŒÏL€ú„(ªÏå‡âܯ­�H«N6ŽZœ``q´´‰NpÄ
++�E0ýl$§“QyàUuK�tÙÔå®5êÛ'TÁHÉ}œFÉ®¨îj=œ"8]F{§§ÀÏ
+5—øE½²Ábm«+®:Ž±¼7Ü6VYI�µ×MÚË¢,Zqö'ót[F$`KiX'ópE,N’ηùœ›P�
±Âš¶ÀÄá»4â¡*¾Q˜£�Ñö¨²Ây_pC<Ù¯b®
+ã;¹ýDbK¹ãc¯ä ³1Ðtï#½dõ:u
+AQœÉÄ®÷4ž^¯ò¦qjÔkHÔ¶æa™^ÚÜ—'¸0@ïûHÖs¡ÿÌçñ„!Ž€Þ³ `B‘ipß|w¤8~±�˜üòÑ8<ýÙQÓçT[Ïýö$;9þùˆ<ü|ÄEÏ™}ï¦oXFì¶ÂÑ-“»ïböTŽB)�tÛŽóû.j ÚÉHçí®oôîd+.ÕÇô>¥y2Ó$"HÜ â:I¢AŸØIoÞì]¤{®Ç߶ÚI¿ðc¤1Wï.ïîFÅŠC)v\
‹ŽŸ—y¾+ã“gMÂK¿bë¿äL­Hú%¥({)¤R¬ôÏ}îvxõÿ
+endobj
+1541 0 obj <<
+/Type /Page
+/Contents 1542 0 R
+/Resources 1540 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1547 0 R
+>> endobj
+1543 0 obj <<
+/D [1541 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+522 0 obj <<
+/D [1541 0 R /XYZ 85.0394 713.4234 null]
+>> endobj
+1544 0 obj <<
+/D [1541 0 R /XYZ 85.0394 686.2623 null]
+>> endobj
+1545 0 obj <<
+/D [1541 0 R /XYZ 85.0394 478.4096 null]
+>> endobj
+1546 0 obj <<
+/D [1541 0 R /XYZ 85.0394 466.4545 null]
+>> endobj
+1540 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F53 1017 0 R /F41 925 0 R /F14 729 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1550 0 obj <<
+/Length 3201      
 /Filter /FlateDecode
 >>
 stream
-xÚåËrÛ8òî¯ðÁU+WY<H‚Ø›&±³žÊ8YÛ»5µ™(¶XC‰‘²ã|ýt£
’’!ÙÙ¤jk
-çÛÕeÉhÓ˜‚zm�m:š­Oy62ykh<§¦1ëÒ¸Mõµ´²©7¶33€Fgµm·¥�ç­Û¼¬ž¨W”w¸äάé÷�ÝQ/ŒÉgs·£�û%S·5_R[¶f�·pp5rH)5öX�9�t’ˆ×‘
-xžrîH5ÃÃdšŽ¦[åh†#H3lMÞ”ˆöïÍïäÖÂÕi¸1mC=¤N=£NÒàŸ›’:[ç¨Q³Y­êuë n¦ÔùIÄÃÍfÝÄ
-°wˆla_˜ÊÜçmY/R‚Â4³u9µ‚
-E¼øp}ùîÔ1elÄ"Ô
àN,»ë9�{v€š«joίÿ}~}�ÿ6ùõãûó×�âBQ÷„š7W“_ÝäIÄⲃQ鈃\|È+³lé70ñ
-
-£Ä¼ªÜo«?ÐÞ�(×�–?¢—´':ŽwÂÙE]”hÙ!ê%‚<ÎKÌdJ;·ŽÉ“8ÄÖ cÖa-7þîÓÜÒ-¦Hj%­1UáŽ)‹vN]4â
-Ÿæ
Š­‚ØïW¸ä)õ÷ԪשSÚ–®Ql¬®àLvp.°—ƒéd)÷Âr$¹–<ˆÊܵqº�$û€•‹…)J°V•;è?v4W
-í�L�.lDD1_òŪ2g�+AÜÄe’¼„UüZ¬Æ‚�ɳ"dt$å
¶8
-ó%h�â¸ÓfP”€Â‹(ëaüŠ: ´„;zÝ°Üi³Z‘Ì@Ÿ	›ÜIë­ì‚ÂÜåVºðGï1Å2d|ÆãNŠº]-øn+ÄÎXX[!ƒ–�lìµ8ñÀâ$Â%9ñ+,9V¿’¹DoÕ
Þ²n©“O›ºÚ´V}ûd*ÞRò'�QB{l|‘'€“‚Ó…Ú9=~.QsIà�ŸJ=kWV™;-ÅP>X°VYŠd4««¼-§eU¶6âˆm4L“&_W¥	ÆÈBœ+eZw¾-äܸŒ0ë±Âš¶Ä¤áû,â~Y~¥0'±FÛrY”Þû‚bz·|9¬÷EDMe£g}N¶ëx�ÈŒíO‡éØw¦x}ÞøãËRÆQ&y0k”©ˆ¤NTÚêŬñfFÎZ”ÁØå�¶S.̸­ÇäÜ4b½GÌú%¾æ[ÐÏ�ÑVUa–T:Mwdá�$S´ëÆ­Ü §ÆóvnÖeë}›Ë3¶Õ
•—$Àp_¾œ¹UëÓl´©L½œíÌ°ö £ˆ#–hod\,¼«3Š$Ê«L˜`ýãXŠaÕ}ˆ2ÓŇòmJ÷>€"N$7ýƒ@XÒ"ô£
-$?^Ð…†Ø;чË#R ýNÕAõÄÇa‰tûíEHƒ¹¡ŒÃx@ƹò%>XîªX°r‘·ö%[È�<¼¯Xó{wà°‹ÒJ{ùÊú@qþ¿äv(?Jn…Øì[TÁïØ+·*‰X¬“ƒr+4‹Í��~Z½\>ž´$c+—-ØôBrŸ²Ã=-â�{(³®&~C3}Ö
ão¯ÏhØ>œÑèÛ®Ÿ�&gÁúü9ÿ»t\½º9À¶
A¾�ƃz¬»Î7øj·c/ÛR	ÁF|دŠ–g°Ü–ý! „8;c¶÷œ½d@Ðapׇ,E½È½*PèfÓ¯Ë]'n×3Ó4^�šr
ÙÙÚ>#Ó»Å@óæ
-òëü1Ep”–¾ ±Àï\lçÒ¹A¢LenÈôúòÒ0ñËÝ5ó
;û»º«^î€Ï©™–Ë|ý4\ï2H¸ŸàJlĽËôŽ´KNýÍGaÀt²Uämî•Ë&³vÓ×ÁØ@µ
[Îùè¬Óš˜>ùÌ-òõ@	7V.œ¹xžÏTu^ô£å0×è)U`5•µ-7.,a„æø
Óƒé
-ú¬[äŒô:£ ]¡Q
-ÜÛ¡$„}�sÛ# Nw¤Ão¨5_ òá£ÅÕxZMíÔÝbvÃÏAÉr÷ït0ˆŒ«$Ä‘ÈøN%ÁN®aý8î*Õ裋1–PÀºøà}×áÇQš
-oåaíÌED´&Έ¸ÿ lV£-yê¾/{ð_yÕþƒ°�-Å\¢œÑ¼Ê–tù�Ó	»|ÓBpÑ–3û²´çË>Œñs¼ÀwxìøÅàêµ_ýõ_>ƶÚ.Ân·sÏîRH½L<»¹ÿ<ðùÕÿäoendstream
+xÚÝZKsÛ8¾ûWè¶rÕˆ‹	‚Ç<œYOÕ&3Ž÷²³s %ØbE"5"eGóë·
€ DÉÉćTÊ%³ñn4¾n4Ðà|’©D¢˜äEšdŒg“ùú‚M ìçîêÌ|¥Y\ëõíÅ?ßÉ|R$…jr{õ¥¦5ŸÜ.~Ÿª$M.¡6}}ýþmq9›~¼½ÌÓé+üw{ýñöúÍÇËYQh1}ó¯W¿Þ^ÝP-5¤×ü͇÷ï®þÏ�ëàÃ{ʾ¹zwusõþÍÕå·¿\\݆	Ä“äL"÷^üþ›,`®¿\°D:›<A‚%¼(Äd}‘f2ÉR)}ÎêâãÅo¡Ã¨Ô6g‰�JŒHMð	çI‘eb ¶¬H”Ò‰M&ùåŒ3Ʀ¯‹ª«šº\Ñ<ßU+ã¨f».»ç½Êh-Ød&Ò¤Hyj»»®/gR²i麢T׸ïÒÑve½(·—\O®È|îv80&îíp?A"ó«‚Ù…k¼Ûlš-p3ì³¼«VU·Žh‡0¥¤ÙÒw±[o†õþjj×Íÿ+c§Š“òƒÉU8‘MsK$qÚ"€d6½^¬ˆR‰d›°ˆÙ^¶åÓˆOxι«CÝÒUKßùnK³©»Õž²ÊDzZ•w¸J6éj–ŽÏ2ZÏžYÇëõA÷%}ÜîãúV3
+žK/R:bhCŸ8«êBL¤Kÿh‰¨êÎl¸eWÕvÛK=ÝÍ»õãÊ+JÍq¶œóéO”oe�w{Ê ÔºÜ~I¸¼jM<5��!‹$VM¹ès«µIÂZçI!…¶3{‡X…@¹àg³­ÖV0¢àÓÖl�0
+ˆQ*Š�"�°Áo7ŽŽ\&iÊõyt°DËB ÃvÞÒ×|Þ\r”–Y¸ÑúÞ9.Lm¶e(¾'ù¬iBŽÿ „£“!€�´} v-
+ò_!˜�)Q^IYÎ¥…oÐ0×ú°Øp0`[’Œóg£Xz„èÔú×0Ⱥüd¼ôòÆÌ»rþi·qó¹ïù±AÏáÀc—
+(WÌiûÞm~UÓ‚‘VNY±$xÌãzk
HÎÎÚ6„�ù¾œûBò©”EúÖåYI*ô5;×ù·
ʄ»ø^EĨõó”=LA‰ŽO9Ê”®êùj·ðuí4RkÞìjØ?;âUÞ\
+vê³×3ÔŽAWŽô-†]ÍüŒf)¬zŠNQ¸y‰•XAk�ÃÄÁz1!¹»)
ƒ„vcþÜ™–nXb™I–'™ƒ�ðmL‡.ŸáZrthx6d› ”Óz·¾³HÍɈc^ÕÏ	Roߤb‚§› -Bã1¢/¦$¯ŽM?üúæÃÛ«c1
s*øŠÁ"É&³þŽíA¥Ô°[æ"{•L$9OÅ*Û™meNƒ2à¥@yžé”1×”2—
”H[Ͼ=(1õ§›’MØ=	¼
 	í7ÛoÌi0¾œ¾0‚‰Ö*ûšù'Á˜±¤`ú0Ê\')Ëè2ùî{h¾ŒÑ
+wù—Äìä!+œ[ñ¥1/G›Q¨tž…£¾¬%´ŽÈ	
€]ÅÄ#c²ð:ø›*÷Ds¨µç>츎)d^«#Îý‹æcÖÿQ(T�endstream
 endobj
-1468 0 obj <<
+1549 0 obj <<
 /Type /Page
-/Contents 1469 0 R
-/Resources 1467 0 R
+/Contents 1550 0 R
+/Resources 1548 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
+/Parent 1547 0 R
+/Annots [ 1555 0 R ]
 >> endobj
-1470 0 obj <<
-/D [1468 0 R /XYZ 56.6929 794.5015 null]
+1555 0 obj <<
+/Type /Annot
+/Border[0 0 0]/H/I/C[1 0 0]
+/Rect [55.6967 62.1828 116.8967 73.5749]
+/Subtype /Link
+/A << /S /GoTo /D (statschannels) >>
 >> endobj
-1471 0 obj <<
-/D [1468 0 R /XYZ 56.6929 586.2823 null]
+1551 0 obj <<
+/D [1549 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1472 0 obj <<
-/D [1468 0 R /XYZ 56.6929 574.3272 null]
+526 0 obj <<
+/D [1549 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-522 0 obj <<
-/D [1468 0 R /XYZ 56.6929 166.8772 null]
+1370 0 obj <<
+/D [1549 0 R /XYZ 56.6929 752.4085 null]
 >> endobj
-1307 0 obj <<
-/D [1468 0 R /XYZ 56.6929 140.1236 null]
+530 0 obj <<
+/D [1549 0 R /XYZ 56.6929 542.1781 null]
 >> endobj
-1467 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F14 685 0 R >>
+1552 0 obj <<
+/D [1549 0 R /XYZ 56.6929 510.0725 null]
+>> endobj
+1553 0 obj <<
+/D [1549 0 R /XYZ 56.6929 447.7453 null]
+>> endobj
+1554 0 obj <<
+/D [1549 0 R /XYZ 56.6929 435.7902 null]
+>> endobj
+1548 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1475 0 obj <<
-/Length 1085      
+1558 0 obj <<
+/Length 2647      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥VK�Û6¾ûWè(Ç(QÇÍÖ›:(vÛ�{i’mѶ°zU’³q}‡J~¬ƒ¢(ÎŒ†óüfLPøc�’„Š,Ò,&’2lª
vðíÃŒy�hTŠÎµÞ¯fïDd$Kx¬¶g¶¡J±`•ï¹ûmµxžG\Ò0!óH&4|¿|ü%÷O�Ë<ßÍÓ8\-ŸQü¼xX</ïóˆ‰Xr0 ¼‰?Ÿ¨ô°üu1ÿºú8[¬¦�ÏÓbTØxÿš}þJƒ²û8£DdJ¯ÀP²ŒÕ,–‚ÈXˆQRÎ>Í~Ÿž}uWo•I
-E¤âé�:qq«N2#‰€O¶N;S›N&ŸG"‰Ã/TÒb‹ô0gá¾è‘Ù6]¥¤GYßšMñ…R>Þ^í)ÂaoleÀ?;óéÙèRˆÚz®t?˜Î^/MäÍ㥋 9áT�wšv(š‚dèðuoêž’˜P'þR­+ð­i“„¥Êk凪õyÙðñwS»D‚H(h€â*ˆ#™”ÜÝÙ4õ`ê¡G@è-䃤»è¨¡Óu¿å�?]Üx©mËcQï�k»bT9´9´¥'Î?¿)É`ý.¡CœÆ¡ÆÃ{£¶}¶šHõ…Òº¨uwDzl¦¥kcòÉJ×]zºÉ]k7ÚVü'2ÃÉM×{¦:ŒÔÚy–¶,ß
-~¸ˆ/›Z¹K<æaßà9ìµ—ãiG2¡î‘¯4@µM7èµràÆïmÓ÷ÅAÇWf¸Ý+•îŠòˆ¬ù›1d½û(ÖÞ&Ï)ê¾ÈÍ£Á�z€‡öVi.Sì�°Û+˜¬$IÂem·©º(u’9·VÁ@J(Ó(Â…fãB³Ò¢öov‘0Eÿ†˜„ÆoF›�TúÅ\Ärª·®õæåÐú|¶§xœ`šsø©v-°_¡8
-<%ŒÉør³!˜ìüX0]
µŸõ«	Ÿvü­ñï@0âu46-Z`Ð]‹G8tK�üè#$±o��ø÷íþßOœÓ3/Ná7VñÛ¯A¢x–ŽAÙê)qùôzú?ro«³endstream
+xÚÍZÍwÛ8¿ç¯ðQ~­¹ü�DqöÔ¦I'=¤­ãîÎÛéd[‰5+KKvšýë (YvìÊù˜÷ü|‚ ð�¢E�ÃOô¢€qeüž6>¸z“ùïÝAßÇ3áx5Ó Íõ~tö�K¥{†™P†½ÑmKVÄx‰Þhú»wþë»/£‹a î…¬?Bºþ@C�óÏ×—W¿
ßõµï�®>_yxqy1¼¸>¿èŒ‰$Œ÷[ÜØ›r#oFWç7ý?FŸÎ.F�
m#W¨ý_g¿ÿÁ{S°õÓgÊDAï^8ÆÈÞüÌ|¥jJvvsöµØêµC÷�¨ˆ‘Ô{P“bj�a¡’Ê¢††ÂÌý�àœ{£YâL­â*-«tRÒûeš%h,ˆT-‘¼7�>3¾ð­°fx•ü¨¨u[,ç±k—;B§«ù‚Zãä.Íõ>­fÔŠé‘¥yò¶nþ7ùÅé!¶õš%#«Ç›7oö›ñ¡™±aùÎn´‚P2¾�±ßL¯7f*®½|5'Kj§9>#o/û"ò’¼š%eRºN÷Œé
@äSâ›Ò¨oyúcPV™“\¥ó¸æ0\IáÍ“¸\‘`7"v"ËdRäÓú%Í'N§8_ÅËboÑ*k‡`&¤µCÍ2„Þe‘eÅ}šß
(>øof}¦ŒŸZh>cb)ÇQÜÒsË»À�æ·E_xèþ´ÈÑ�¾ôîgéd¶-oWÉ]±Lÿ‡–áÀØuL“r²LÇ–ŒóŽ‹uÂȸ‹¤lYD9
+ÝÒ[„ø³Q%uYxá‰
+—¨±T^ÒÞ*Nsr¼Wv
+½í
+t•WVYè\ÇÙÊñÝZÇ[Œ�kü@Ô´žò*Îè…²ì‹%T�",(;i	ˆÆ&N³$Z¼ŽÓ,gŽÅ©Uº¡—5Û˜b}�V}!„‡†kÑ°“P¥À>‹×	Ñb"Ô†@ qÇ@’‰–QËYqŸ-ÍkéÉ>Cw“ØwÎeqY³>Ê2Ú�.ñaOBKh¡H«h˜vkI÷³¤V{‹£I@@L� t
+¹'� Ó,oAäªVfk,Ð|KfDËÆFÔëQ¥6™�ÉÈSÙÏ—
ò]JÝ•˜7<‡2³è5ÙTÀ„àº)gu1Û�㼞ãê˜RW TgF¤T»ˆ´^¹šÏcL\ÔµåeÕV;Ð+ÒiO‚4C„…õm±ÏáB‚€²ÐRG.bº'25«ZSÒëí¾¤H<]r[Í‹Õ¨^¶šçÔccGðšU@²mV ¤gÀ`Jôòa>.2bÎm"Ä–ÕFˆÚF Ôé¶J`‘obZ:vRº™šÀÆZ†V¥¼–yÄ24¶Ú¸RƒËòüd’”¥MlÐ
fP#vÝ¿ŽF_ˆ²%	z&³8Ï“3’Šê-�ñ–éÝÌ¡g¹ldX
+Ç\nÇ\}!vߥ+¡´e’À"œB*0‘ð®!ÃüÒ@ ºd�|”bP†]„%µsrÀî:ƒ	ðÔ…~kÏÈ;«ÄË�Ýu–z=gA·èð”ŠXè‹hËSáÓ<ž¸§j^ËMµ6¯–s [ø~Ôá)á3­ÜV<u1ÍKÞíŸaã‘íõŇëÜLp»EoÁY»ë œ-m_+K½v—Æ0ÀAw Ê%Ó:T5Nïã)¢ò/{t…zøllWy¹Z,ŠeEûX›ZPgËæSÇq€·�y]À_/„e¤™T~ðsÀ%pGR4eatsõñù(ÛÑOÁ±¥ãÉâ¨&µé(¯RG,
+SÃ@¼ Àèg%‚¶®'›BÅpÿÕ�gbÊ�Z‰àE‘™æë8K§›ï!›P­¿¾´Aß
 endobj
-1474 0 obj <<
+1557 0 obj <<
 /Type /Page
-/Contents 1475 0 R
-/Resources 1473 0 R
+/Contents 1558 0 R
+/Resources 1556 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
+/Parent 1547 0 R
 >> endobj
-1476 0 obj <<
-/D [1474 0 R /XYZ 85.0394 794.5015 null]
+1559 0 obj <<
+/D [1557 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1473 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R >>
+534 0 obj <<
+/D [1557 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+1252 0 obj <<
+/D [1557 0 R /XYZ 85.0394 752.4444 null]
+>> endobj
+538 0 obj <<
+/D [1557 0 R /XYZ 85.0394 549.5629 null]
+>> endobj
+1560 0 obj <<
+/D [1557 0 R /XYZ 85.0394 524.9842 null]
+>> endobj
+542 0 obj <<
+/D [1557 0 R /XYZ 85.0394 417.5407 null]
+>> endobj
+1561 0 obj <<
+/D [1557 0 R /XYZ 85.0394 395.2295 null]
+>> endobj
+1562 0 obj <<
+/D [1557 0 R /XYZ 85.0394 395.2295 null]
+>> endobj
+1563 0 obj <<
+/D [1557 0 R /XYZ 85.0394 383.2743 null]
+>> endobj
+1556 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1479 0 obj <<
+1566 0 obj <<
+/Length 2456      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[[sâ8~ϯàÑ©´º_Ó¹Ì25�tf«kfç�`gâ©Û$�ýõ{dÉF€Á�ÐSTWµ…Ðåè;ß¹è8�†¤'$’†šž2	LDoòt‚{Áw?Ÿ?¦_ꇣ>�NþuÅTÏ #©ì�4ÂZ“Þ(þ#’ˆ£SX
GŸ×æ´OŽnG§ŠGgö¿Ñàv48¿=í£itþï³/£Ë¡%ƒ‰®ÇO?¿¹¾üüÛÐ/psíº‡—W—ÃËëóËÓ?G¿œ\Žš„‡$˜YéŸOþø÷b8ë/'1£Eï>`DŒ¡½§.œ±ºçñäöäk³`ðm5µ
4Î5`ÈôFœ�Í»º0ìê›”!cå\Þ´/	RŒÁ‚Šs„
^¨�’@
RÃ!�ê)a�d”Ujøš¿
“û$ÏÇ�˜Â‚)D�Õpا<Oò4)NûŒó(?%:JŠùc™Ä®'�†ßøE«žñ´xMr««:âÑCê—™d¹_i–MãÂ
+
»õ	AFZm[fN�åCâe�EâZ
+/b¾ù0L"*
+59$Ôš#F¸ê€Z+d0iBÁÕÍð3X¢…D*@ø,èPûµ·
+7±ãb>{L'ãÒ*›2
¡cÞBL­yk›kl£æªm�Ë2yš¹ÐbÇdî¹`«Ÿs7/]#N‹~o&™OÆìR²‰ñÔ=“ïiQ¦Ó¿Ü§ç¹½¹O.µ­J8Û(ÆO¾5øâŠcOÞ⧶�gY^þÂ1^­þfÓY
.ª>MaAÿuù6KÜ·ckJöÛÉã¸(|ߣÛf¿¹ïî’JlÛt”Íúm†;
Á’lNUÛœj³9åð­žíV^_J©¼"ãFÿ-f©äÚÕË®
æãÒa#¶Wçe´i|
­?f(?Ôö@Z£Ýn|B
+à
$w«&^¼Az‘Nvó
+ Ò³
H8¹îÀP@ta\.cøîˆáB¸cæ!§HÚ…!‡0«0&wC8…üÝ•v7ÂèÒª-03ŽrO¦dŽ�¹8‘«7gû˜âÏáßZt8Ä@²c¶e¢‘Ñ´+SŠ„4$pS~€�dÇÌ@¬¦ª+Œ$a.Ÿ}»“ç½(h笕ä¶p ×ÃW½wT´# £‘Z-Á·
÷†/”ë˜áÓZÒtÀ§á^ˆ!µ­@yû{ÃÈuÄÞ�(WZÒ†‰X¸æKðíþýáä:fö	ƒ(–Ñ—HŠ”aÍ«�ÛùÄþD'~¿¯½ÊÙôN¢°+&ñVDQ�Q®„w *0ÒL×€n(V¾Í
µË”NƃæÝ«f?¢äŽ
+1àÙº™ TíR7«^ê+¸ec¶½n¦9¢2øÙ
A̗͆I‘=¾ÔšØµRÖÔã€Ì]WeĽNnîú›šÅ¯Œ@íL‡…¶ô3_L¬¥²§ÕzMvȃ(“´Møÿmlºendstream
+endobj
+1565 0 obj <<
+/Type /Page
+/Contents 1566 0 R
+/Resources 1564 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1547 0 R
+>> endobj
+1567 0 obj <<
+/D [1565 0 R /XYZ 56.6929 794.5015 null]
+>> endobj
+546 0 obj <<
+/D [1565 0 R /XYZ 56.6929 352.0981 null]
+>> endobj
+1568 0 obj <<
+/D [1565 0 R /XYZ 56.6929 326.9775 null]
+>> endobj
+1569 0 obj <<
+/D [1565 0 R /XYZ 56.6929 326.9775 null]
+>> endobj
+1570 0 obj <<
+/D [1565 0 R /XYZ 56.6929 315.0223 null]
+>> endobj
+550 0 obj <<
+/D [1565 0 R /XYZ 56.6929 102.2008 null]
+>> endobj
+1571 0 obj <<
+/D [1565 0 R /XYZ 56.6929 77.0802 null]
+>> endobj
+1572 0 obj <<
+/D [1565 0 R /XYZ 56.6929 77.0802 null]
+>> endobj
+1564 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1575 0 obj <<
+/Length 2081      
+/Filter /FlateDecode
+>>
+stream
+xÚÍšÝoâHÀßóWðÒÒ×ß�ÙfYí$àV+íîƒ�‰µ€lå¿¿j·mÚl¸äNh¤	6U]å_WWUÓ&ÿHG„™áe8˜ˆÎly…;ßá»/W¤�é—BýPêçéÕ¿†Lu2’ÊÎô)K#¬5éLçvo~¹þ6Œ{}*pW¢^_HÜýytwëïÿçæþn8úòïñuOñîttço�ÃÁxpw3èõ�Ñôy0B¡;™:¥Bs2ÝLzO½L«’`æ¼ÿqõç߸3‡gýõ
+#f´è¼ÂFÄÚY^qÁ�àŒ•wW“«‡jÀàÛ\õ4Î5°¢ªÓgi	cœb–3Ä%­[ý¯”J?p§O2B4Ø÷z†*>–õ¡úüBp…¤Rd&ˆ“$$é(A• .
+&oËÇdÑëKnh>wº˜»â>£œvom:ÛÄë,NVû3(C„3Ñ	mìa5,aÈÏçÃR”˜Š%‡ø0ƒŽÏÃÖnÞ^8Ķ�²;¾ÎPe�*ÑB
+çJ£oNÃaü
ê±MýEjW:0pîs
’ÏHRRê€T!&
+ã¢;†ëvœ;¥3ø¾]l4*�—¤…ŸŒå0h�~ö„è^�~ƒ šwÇÃ(^´ƒtÚ Ú®ÏrÚg
+»¼™nåê5¸¹]Øï‘ÛbŸG2ðòRI
+C¦¥Œ#�æRmzæR_Žrþ„=ãÃ.[ztÙn㸶›§d³l:y± 5¨bÞRÐ…fHâú—ÅÖ-äA·dŠñîdò–žõÆÝÄÿ�æóbÁTŸÜ¸%âxõ’üÓØ;ÑÛsH�ˆqÓRâ…‚A˜¤{€åÙ€å眿XÀB‚*o©þBÀ½âgê €Ok¤N
Ü]cÕ5pøb¡rŽ83-õ_p�0z?jO¦*?‘jàñ¥¶û°GG\ó–ú/˜DXa_ÿÏ»ªhq�ev¹ÎÚ©BÏ?Üxf/Ñ"žç
@Á×Òˆ1pñbƒ“b$¨n+þ”#B„¨a¼ÿçcÓílfí¼‘`àÝg¤rVo[j&)I¢ÛŠ¡ˆHÌjïì÷s *nj@ÌÿÂýUÞ�¾X7^¹~*Ö}ghw¬åÓwÛ„÷1Zÿ»†%[zÖR´¸ÖÐ@ÖðŸ–Z›B¸-‘†®}VüîŽNÿÿ‡¢6†m
+VìV±Vá	\†%ÒÔIsÁ”ê#%°<fæ”@Ù)wd
—½>Áwo’å¸?Æ‹8+v¯qöìg6%ÁìQ…\tûÉËÌý‡©F° e!Tœ©Þ$ÛUf7é��èè3
+hs“uဋ¯òË<C»ÏÉ“»öªá¸ðrMA­ôűŠ6õ"ùmæñêû!'%ˆ3UŒ¥‡ž– i$i~XȦÒeÓZ>šÇó#G:Ú	M°h9—€©†˜+¥ò˜»þcø>Úˆ�„y³ÙJê€ÝZ´A
+eœ¨ºáésœÖm±Ëõ
½bšÆy®Ü[¤þÃh5K–n–ò«‡ú{	3GaRM‘¡T6Ã¥ŽÃ¬¤r˜£‡w(1ä>,e³ÑJê€ÕJÈÝaoÍìç¢Û[›f§²Ч0®ZXR
,K©œåý:Kß&„’pMg“ÙJê€ÝMÀ€½n¸…fUB‚üç.òŸ„þRuNJ0eݲûfgµŠ”ÁÑ·¢®ƒ_­ßÍõ_ÓMZ¨¬ÑÌŸZêºZÿOÃÔR
S[Jùsrˆ¹¿NŒä¼Ùj%uÀìþ:1\¨ºÝ#3‹jlËõÂ.-ÈÌ*¾)1¿‹ƒ7»èØ{•L ÷2ä�'Ã�Ö]Ò©ï\îÞBåÐIjM#ªšõ©¼™÷;èœ5U\ÿðçœendstream
+endobj
+1574 0 obj <<
+/Type /Page
+/Contents 1575 0 R
+/Resources 1573 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1547 0 R
+>> endobj
+1576 0 obj <<
+/D [1574 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1577 0 obj <<
+/D [1574 0 R /XYZ 85.0394 769.5949 null]
+>> endobj
+554 0 obj <<
+/D [1574 0 R /XYZ 85.0394 439.3709 null]
+>> endobj
+1581 0 obj <<
+/D [1574 0 R /XYZ 85.0394 411.7795 null]
+>> endobj
+1573 0 obj <<
+/Font << /F37 791 0 R /F39 885 0 R /F21 702 0 R /F23 726 0 R /F65 1580 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1584 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1478 0 obj <<
+1583 0 obj <<
 /Type /Page
-/Contents 1479 0 R
-/Resources 1477 0 R
+/Contents 1584 0 R
+/Resources 1582 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1445 0 R
+/Parent 1547 0 R
 >> endobj
-1480 0 obj <<
-/D [1478 0 R /XYZ 56.6929 794.5015 null]
+1585 0 obj <<
+/D [1583 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1477 0 obj <<
+1582 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1483 0 obj <<
-/Length 1368      
+1588 0 obj <<
+/Length 1324      
 /Filter /FlateDecode
 >>
 stream
-xÚ•]oÛ6ð=¿ÂÈ“Ä)ês}jÓvëPCã>­{ eÚ*‰šD%͆þ÷ñx¤,Ǫ·À0t<ïŽ÷M¶ æÇYL(Ï£EšG$¦,^õ]ìÍÞÏWÌÑD1'qĹYÌì®bž‘8ÓÅjÊäÍúêö}È!%IÆ‹õn”•¤)ÉÒ8_¬·wÑjÙ-WaLƒtùçúW<‘4K£FDB²(Ïì�7~{‹Ô9~îe1t¥~ÂÕ�júr+;¡K�üXDx”„Ž_‘Œå¨@JØrÅ(¥Áë¢�}?²Ñ�ªpñ±ìµgÅ9É“0qœ8%!��Óñ|Œç—,�Gäxؽ/4¦¯ï>öæËn
-Ñ ÐK·5´Žg³E )‹¯�¨�¨�ê�n7èaªÃÐ; lFž\œ1’Çqh/.ªJ=®¥ËÝÓŒ™Œ÷¢(MÍ) ¾™á‘<cÜ ·¿ÙÍ2‹�#Cö2f„Hob†aÊÏXòn*Q|=¨JΰŠLX…ì…Õ�hú�É€s~&LY–U³Á(uA€ÖÄ	£Inœ‘‘<7‚�ìs_6{Cš˜€6A†�å`Œh…߃x�}¡4ll2&,(Ô’Ó(68õ€»4x<¸Ós Ç?Êpt.ÖÔËN§‘½IƒÇRÔ ›jЦ€îp¹g†a<ò5P¡Ðv�+
-ôU”N|æ$LŒ/ÐW{¥¶îÌVŠ¹Pa$ËSÆà	 ¶Y
-ýM#
+xÚ•WKoã6¾çW99@D‹¤DIÍi7ÛmS,Š¢ëžº=Ð2m‘EU�dÝbÿ{9R¶lÁÛÀ08¿΋�…æGgiLBžE³$‹HÒx–ïoÂÙÖ¬ýtC�LsGœ›ÉÄjó”Ä)KfÁ)ÈûåÍâ#£3!X<[n]"Iå,�-×Îw²îTs°8œ'w-ÁmI҄¶ШHHœ±Ìnxÿôë”Îpø¬ò¾)ºÎuÕkÕÈ®0Ô€G#Â#ÁžˆI,¸…3¦Ü4Ãù»<Wm; t�.qò©h;�ÄgɈS™ÉïçÌí¿£é0€�–üÆá»ÇO­é½añt.­¬Âu¹^ãÔƒíe—ï�,�0ÝNvHt�D.+$Zå–úÚaVk$ª"®äÞ©Úè:ßô]jCß*80‘R’Å1³G,ªÁ¡G7��SfdAD–¥~
*ݛÄÏbA¢(Iœðý\DÒXŒÀþîU3‰›˜²·Cºš@KBÂÒ8ûÜ €x
ä^[LšÜH©x“}Þ´�©0éGÿrUÊüy§K5�AFß›A¥™˜"w™A­D×Ȫݘ:¾TÅcQqTekJu9A<¿ÐŒ$<Â"ÿ£-ª­‘¦,M© e­p´Íy :�ãN¾(¤¾„!«lGtž?Òù±�§_p5œ¿îÜn[9V‡o¨ÃÉaÅ
+ŽÛýâþá-ñ�Õa|ìkç›üÌYˆ2K›éœòá=4v{Ix
¬°7L ÉsaM
 endobj
-1482 0 obj <<
+1587 0 obj <<
 /Type /Page
-/Contents 1483 0 R
-/Resources 1481 0 R
+/Contents 1588 0 R
+/Resources 1586 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
+/Parent 1592 0 R
 >> endobj
-1484 0 obj <<
-/D [1482 0 R /XYZ 85.0394 794.5015 null]
+1589 0 obj <<
+/D [1587 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-526 0 obj <<
-/D [1482 0 R /XYZ 85.0394 769.5949 null]
+558 0 obj <<
+/D [1587 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1485 0 obj <<
-/D [1482 0 R /XYZ 85.0394 574.5824 null]
+1590 0 obj <<
+/D [1587 0 R /XYZ 85.0394 573.0962 null]
 >> endobj
-530 0 obj <<
-/D [1482 0 R /XYZ 85.0394 574.5824 null]
+562 0 obj <<
+/D [1587 0 R /XYZ 85.0394 573.0962 null]
 >> endobj
-1486 0 obj <<
-/D [1482 0 R /XYZ 85.0394 544.7049 null]
+1591 0 obj <<
+/D [1587 0 R /XYZ 85.0394 542.127 null]
 >> endobj
-1481 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F47 879 0 R /F39 863 0 R >>
+1586 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F39 885 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1490 0 obj <<
-/Length 3343      
+1595 0 obj <<
+/Length 3437      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[oÛV~÷¯ÐÛÒ€Eñ\x+¸�Óº»Hº‰ŒÝ¢íEKÜP¤BRVÕ_¿3gæP”D7
Š æáp8ç2·o†³
-¬$ ƒU‚3åGax‘~_3b™úI§£ˆ…†Kï؀•N8)á¨6h8²Æ
W0Jì1¡ê˜|î¯̾µÉxTÖyµ/LÇÌ�7Žý†²*ܳëƒ8œ±;Ÿ’üÉGÛÓÞ[Nk´s·—³ôŠÂþ†A5M
®•v-`|65
é¥4ŒÍSG8&NRñ5± ‚ÌÆ.n–<aœ
-ð9«
-ìË
]³âû®¿˜ï%«ö¦f³§#"+�îÏì‚°RçPÇ'3];OÛ”‘;°^¶ÜëApŽ“'FÅ	
-€M)_ÄQr
\	ÿtŽf¹®±ðÇŽßréùg
-ñÍ7-?†bBÊS@ÛC	8‘œAQQà‚è¾J%aa‚ÛR¾ÉêµqtA-â£é:®˜l+ˆÛ¦(‘)Ïú¡NCmv®ê‡”`jJ_fŠöOŒ”ªTÕ¦´£¤ŸÊH]í‡ë2ן´B³Î`?·¢5çÁeÁ=	7µo3,‹m\ý4TÞ8�–¹„rê£ümÙS!4Õ.U
-QØ´£³À›ÐÉ^Å‚³É
-€è­=B	Áb+Ë|nD�u•£àÔ±±þ5ûGO:8ÀéãÃ_óαK	‚lƒK�µªŸÀJ­9Ï)ÎroŽ`JeN¡åiWd½qÍjî;~±]}Ï
^	Åý×WÒ+œ|¤îY>ŽŸ³œ/Þu›f_4^ñ« qPvŶ‰Úšƒ«Úš©`ÆN€!`Æ+æѪàY]§pØÁ¶Tq]£½¢áû
US`ï¶7¤UÖQ¤(¾§Ú•RÊ{ü‰YQFíø%*º”ãÔÞ¦¡²I&5Ÿ¡bbX9f£“»cÿâEVåÀª©U÷ÊÔ;¥¬…^ÖSç@†P™Þ
-\Tü·”Ã'ºm¶†É«üØ×qêðÀöæ0gUOÖ¨I2ı?¸ƒœœÚåJ…Ü.GòÖô›¦àe0
Š4N×

-@µÜœÖh¹»†X܃s]àŒ®$�Áý"pó³Š�å$ƒÑâøé
žnˆ-”üáƒdX–ɺÒ20~¦fÐÚ,väï«®áoúa©™ñ|¶ø˜´x¾hÃÓØó¥6lB¦ðªfTª|)høÍÌö‰Ú¦±�$Û1¡Z,ÎOÖÊñ
]º*{aÖáÃ
-ìÍ´phÛŽ0<PyÇEØHêRð†vc¿Œ)qZÒ6ƒz¬�2üœzÚfdN‹�m.A�œõ=궠‡+¦vC5:7ÕÈ44Ã3ç²@°»¾£ñ€ñÔðuE�÷H�è[Ë„(Þ
¿o›!~¼ðl2\½`Ï `›
-.
júl?Qëœ&=aÏl7úReQnï¾�›îù†b:óÄ'ž·�ÍÉÖ|:‹�b}Y±C¦}CL˜õmÿnmóÀÀ‹
|c›ÜVA¨ÁèfÅÒóö¸ë›u›í6®×€�³=¬ ÆöCoXЊçØš¬ž>[4A
+xÚ¥Zm�£Fþ>¿ÂßÎ#�1ý4Ñé¤É¾\&íæv=º‹’|ÀÀØÜbp
+Êú`ZFs‚ÄîXËpþT7DŸ²˜@§âUƒ
;P}n¼J²È�—;ÖÍ¢p”ÝçMy¢gEå$¡	IÓé¡LXÒŒ¸ð¶À§`€ê7À®s7±X‰é!ƒU‚3å…Ap‘~_2b@?ÆDñ b¡!Gk
+÷ìúÀWlÇK’?yh{zþžÓíÜíeä7ÈìoTãàZae
㳩	HÏE~ÄØ<uÄ€c –_BÈìAäâfÁëÆñ1Êž#²[›R~ñ}Yæ„=`g`ËO(ª
+€©À¾\Ó5Éþwh»‹õž“ò�·ýjötDˆa%ÆÇCX©u¨ãK>];OÛ”¡;°^¶Ü‰ÚNA¶]ÀŨ8
@cO�m_d:ˆ)w¼Ð„1.IÓúPqàxr2RËÙJD¢ÅE²z¬x›€ŽE·%$‘'MYþ±8¦åSÑl*@EKº£¡u‹XNû‚eyrü@Qð^ƒø±pòW“GÀœ¨O'¬h@ŠÅåZ	d`.3ÉuDSqßÛ.醒Wuãà<¢]`¹

ÛáE*Ú&¶PÂÓøºIšÂœAÈb#1>!7h·G¢8O@\›ùwõ14LQ|ŸWÁ˜oŸé[H�ð
+²Smã3b¿£B‡ôÔ]r¢Ù|ŽÆ‚Ë2.­rÂÜ÷æSmÚK/—&�B„K¸Ë,^þ‘7õBP^÷m±©£•é!«|…Úeˆ	 Ä(ý35dVÖ›ú.Ò�ÎÀÅÕʸXÜcžy—:èŠÝ”›…nê6ìM
°)å‰(4=0p%üãÍr]cá�¿çÒóÏ
+õë ç<pK
+aµÉd(Iå:B¶k䪯?óü•ówW]Xéù‘Œ (ã�aéÙo3áù:ŽMŒí^Ïg`	ˇ�œ½­aG³Á¦ãÅ�³ÝÄž�@+¬o`#
í©î,HÒŽÂ{(DaÓG�×ÐÉ^Å‚Ñb̤ËQ,`î-]ÁZEÐǤ$ö‰"Ô÷XìÛIçŠß’ÑúÁþP°Ôj(ì`�3ðñ!ó(¥Æœ¬o%$5ô©ˆ
+€è­æ„ÁbËË|nD�ºÊapêÐXÿšý£§
àüeæ¯yçØ¥ N×g—µªÝ<飑Ɗóœâ,÷ö¦T¤Z÷YÒå®YÍ}ÇWÛÕ÷à•PÜop}U!ç™ã�ÔóÇñS’ràÅ»v[ÊŒÆk~4Ê.y†íE¢¶શæFj˜ñ…3`ÆG˜ñÊ€y <«ÊÓT‡îh
[¬¸®Ñó¬æû-US`ï¶7¤uÒR¤(¾ÇÚ•Rjþð#’,#ŒÚòKTt)7SÏ·5•MŠ0iþTL+‡ÓèäîØ¿XȲè§jjÕ½°ô⤬…^ÖQç@P™Þ
+*þ[Êá¿Ý6[ób0ŠÞØ^¬êÉÕ˜>ŽýÁdsn—+p»É»¼ÛÖ‹Á4(Ð8û�àèPÊçgí춦)îÁX¸¢+I#p¿*—‘)0Ó-ŽßâéØBI¿>0½XyÒ¶��ñ5ƒ6Ö`±#_¶5ŸxÝõ¢&ŽÅÓHøˆ´8:çeìùRÖ�)¼¨+Oʾ¢™E?}¢6‡el#ÉvL膄…Áød�`­Ð¥-“gžÚÀŽìH�½å
~Dn‰
+ä¤ëP·=\3µí«ÁÀ¹y ¦¡ž9—‚Ýõ�{Œ§ú¯+z¸GzDßZ&Xñnø}Û,ð3`;Ãô€9€Ï6å_:ÔôÉa¢Ö9/zÆžÉ~ð¥Ê¢ÜÎ}37=ð
Å0tæ‰O<ö'Ê·æÓZqèKZˆÝâ0íç4	³¾íßmlèçb?·Mnˉ To
t³fîisÚwõ¦Iö[×kÀÇÉ
$¨°ýÐåÌhÍkìò¤š>[4A
 endobj
-1489 0 obj <<
+1594 0 obj <<
 /Type /Page
-/Contents 1490 0 R
-/Resources 1488 0 R
+/Contents 1595 0 R
+/Resources 1593 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
-/Annots [ 1495 0 R ]
+/Parent 1592 0 R
+/Annots [ 1600 0 R ]
 >> endobj
-1495 0 obj <<
+1600 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
-/Rect [63.4454 757.0719 452.088 767.2337]
+/Rect [63.4454 738.9144 452.088 749.0762]
 /Subtype/Link/A<</Type/Action/S/URI/URI(ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos)>>
 >> endobj
-1491 0 obj <<
-/D [1489 0 R /XYZ 56.6929 794.5015 null]
+1596 0 obj <<
+/D [1594 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-534 0 obj <<
-/D [1489 0 R /XYZ 56.6929 739.5018 null]
+566 0 obj <<
+/D [1594 0 R /XYZ 56.6929 723.0302 null]
 >> endobj
-1496 0 obj <<
-/D [1489 0 R /XYZ 56.6929 704.7645 null]
+1601 0 obj <<
+/D [1594 0 R /XYZ 56.6929 689.3491 null]
 >> endobj
-538 0 obj <<
-/D [1489 0 R /XYZ 56.6929 563.5308 null]
+570 0 obj <<
+/D [1594 0 R /XYZ 56.6929 552.677 null]
 >> endobj
-1497 0 obj <<
-/D [1489 0 R /XYZ 56.6929 535.7626 null]
+1602 0 obj <<
+/D [1594 0 R /XYZ 56.6929 525.9649 null]
 >> endobj
-542 0 obj <<
-/D [1489 0 R /XYZ 56.6929 418.2412 null]
+574 0 obj <<
+/D [1594 0 R /XYZ 56.6929 411.5673 null]
 >> endobj
-1498 0 obj <<
-/D [1489 0 R /XYZ 56.6929 389.5504 null]
+1603 0 obj <<
+/D [1594 0 R /XYZ 56.6929 383.9327 null]
 >> endobj
-546 0 obj <<
-/D [1489 0 R /XYZ 56.6929 228.1296 null]
+578 0 obj <<
+/D [1594 0 R /XYZ 56.6929 225.6356 null]
 >> endobj
-1241 0 obj <<
-/D [1489 0 R /XYZ 56.6929 194.8993 null]
+1299 0 obj <<
+/D [1594 0 R /XYZ 56.6929 193.4614 null]
 >> endobj
-1488 0 obj <<
-/Font << /F37 747 0 R /F67 1494 0 R /F11 1304 0 R /F39 863 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F53 962 0 R /F48 885 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R >>
+1593 0 obj <<
+/Font << /F37 791 0 R /F69 1599 0 R /F23 726 0 R /F39 885 0 R /F11 1367 0 R /F41 925 0 R /F21 702 0 R /F53 1017 0 R /F48 940 0 R /F62 1050 0 R /F63 1053 0 R >>
+/XObject << /Im2 1039 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1501 0 obj <<
+1606 0 obj <<
 /Length 533       
 /Filter /FlateDecode
 >>
 stream
-xÚ¥TM�›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~	Ž	“1JeŒ9¡•[� µ9ûêQÇ	Ϥð–u—{Ÿ¿°I,“(AùË�–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó	P§Ôžó{oš_¹m–f»øí==T™žï=‚™
 ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²R�Z!—{Sô7üÐŽÛôRŠ%çÑ©
'ÂTÊä)…��Ú{�2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸŒ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
+xÚ¥TM�›0½ó+|©¸6Æ`³IÚ²RÓ4a«ÕxT‚Ó@6Úýõµ3·¶ôTEóÆoÞ|x€"b~	Ž	“1JeŒ9¡•[� µ9ûêQÇ	Ϥð–u—{Ÿ¿°I,“(AùË�–ÀDŠòêÉÍóé"#Nü!Oˆ—Í&à‘ðXNÇ‹,4þ1[f“éb¤±Ÿga,ˆ0ñÌ)Lg£ïÙøó	P§Ôžó{oš_¹m–f»øí==T™žï=‚™
 ˜J¡­s†yÌØÙÓxKïçEðæô:4<Îæ"J¦±¡éq‰fŽìô–z«lO‰ßÕ½êÀ,7ZwÎÝkûäþ/¥và)šŒê­-¶uið[xØUE¯*8˜ØyžE_€U· ã`wXUz[€×H¶.²R�Z!—{Sô7üÐŽÛôRŠ%çÑ©
'ÂTÊä)…��Ú{�2è]·ÊÜ,#‰Ÿoê˜Çâ- ”úŸŒ‰I§Àßë]بWÕ\cÁ*uÛ›|u»vx_÷v
 endobj
-1500 0 obj <<
+1605 0 obj <<
 /Type /Page
-/Contents 1501 0 R
-/Resources 1499 0 R
+/Contents 1606 0 R
+/Resources 1604 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
+/Parent 1592 0 R
 >> endobj
-1502 0 obj <<
-/D [1500 0 R /XYZ 85.0394 794.5015 null]
+1607 0 obj <<
+/D [1605 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1499 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R >>
+1604 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1505 0 obj <<
+1610 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1504 0 obj <<
+1609 0 obj <<
 /Type /Page
-/Contents 1505 0 R
-/Resources 1503 0 R
+/Contents 1610 0 R
+/Resources 1608 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
+/Parent 1592 0 R
 >> endobj
-1506 0 obj <<
-/D [1504 0 R /XYZ 56.6929 794.5015 null]
+1611 0 obj <<
+/D [1609 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1503 0 obj <<
+1608 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1509 0 obj <<
+1614 0 obj <<
 /Length 1964      
 /Filter /FlateDecode
 >>
@@ -6602,86 +7134,87 @@ i	·¥Ý3éÀ–yíˆùðŠ&�Â8K<æc�ø¡›‚hïCû™<»úÐŒ­êhüýÔï Æס\@�•‰ó÷w= vV
 ýf3GÕ51b‘æi‘diNŒ�‘Œâ�±ˆ±0·"ð0àâÄßZÕ7’\sÂw
"ó‡&0ÍåþF
—?$cRÍZº”í(õåŠ:é�H^�04g¢°û(½ÀÙWáÓ
7�˜¿S,[>°úŒ¹…;î3`ô¦'b�ÕÀ¤Ö^ïöEy˜]¹œ­Þv‹íçÞa¯Úák@n@þzh|ÇütÓOÓ0J¿mºã—¿ÞeÚâš(°ÁiÇEðá
êÍ�âÀz҃ѣm§žæˆ§çOŒ$ 
 ­è×ØÚ:‰óÎÐÃBYn?z·XdÌqâd¾©Üä¤ÚNí:ørðï»QÕaáƒL·CÕMucVìâªV.Wª�4 Û8Hü»Uoy)”@»Zìo+B)ˆ×­©ôD9ƒ©;B.ÊõTyåvÂ)Î6™îZds§¡ÁÓÏMí­µ°r=¶ö�ä&vÓž®é^/yr€�¡¶¯ÓP;«y Â1{9B€FãŸà{ËוÂM>p\×-ž‘7>å	èWˆÌ¨W
 ¥Ìrcø-Š¼ûãËü
-“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ám’rá÷Î.zïá°ú‹EØûÛxà8KQ”×ñܼÍBw1\­ýÎÆð»•s^ÀÍQŠ’säjMkç/Ú,ÜÚmR¡ÈEz�ís³ã¾‡ê
+“¤%œ¡i±Iæ² —â~ÚøÑŸ/¯6³Âv¡ámÒ¥ß;»è½‡CÀê/aïoã�ã<,EQ^Çsór4ÝÅpµö;[ÃïVÎy
7G)JΑOü©5­�¿|hW°hpk·IQ„"é5¶ÏÍŽûª‡]Ù)C™‹_Ú‘Âõ%KÄQXDñ¯oʬ±]ªÜïʽe×SX{üâññ|>‡¼+�¾,}�w¸ÉÀUßÄx³Q³Ô}\Wù¸·ö߶
+ߣ«�ª]qöü´Þíâ³äZÄ^d{‘¡Éep
…E\æÞ†RÊ[oóûæ½»ÿ
 endobj
-1508 0 obj <<
+1613 0 obj <<
 /Type /Page
-/Contents 1509 0 R
-/Resources 1507 0 R
+/Contents 1614 0 R
+/Resources 1612 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
-/Annots [ 1516 0 R 1517 0 R ]
+/Parent 1592 0 R
+/Annots [ 1621 0 R 1622 0 R ]
 >> endobj
-1516 0 obj <<
+1621 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [348.3486 128.9523 463.9152 141.0119]
 /Subtype/Link/A<</Type/Action/S/URI/URI(mailto:info@isc.org)>>
 >> endobj
-1517 0 obj <<
+1622 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [147.3629 116.9971 364.5484 129.0567]
 /Subtype/Link/A<</Type/Action/S/URI/URI(http://www.isc.org/services/support/)>>
 >> endobj
-1510 0 obj <<
-/D [1508 0 R /XYZ 85.0394 794.5015 null]
+1615 0 obj <<
+/D [1613 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-550 0 obj <<
-/D [1508 0 R /XYZ 85.0394 769.5949 null]
+582 0 obj <<
+/D [1613 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1511 0 obj <<
-/D [1508 0 R /XYZ 85.0394 576.7004 null]
+1616 0 obj <<
+/D [1613 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-554 0 obj <<
-/D [1508 0 R /XYZ 85.0394 576.7004 null]
+586 0 obj <<
+/D [1613 0 R /XYZ 85.0394 576.7004 null]
 >> endobj
-1512 0 obj <<
-/D [1508 0 R /XYZ 85.0394 548.3785 null]
+1617 0 obj <<
+/D [1613 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-558 0 obj <<
-/D [1508 0 R /XYZ 85.0394 548.3785 null]
+590 0 obj <<
+/D [1613 0 R /XYZ 85.0394 548.3785 null]
 >> endobj
-1513 0 obj <<
-/D [1508 0 R /XYZ 85.0394 518.5228 null]
+1618 0 obj <<
+/D [1613 0 R /XYZ 85.0394 518.5228 null]
 >> endobj
-562 0 obj <<
-/D [1508 0 R /XYZ 85.0394 460.6968 null]
+594 0 obj <<
+/D [1613 0 R /XYZ 85.0394 460.6968 null]
 >> endobj
-1514 0 obj <<
-/D [1508 0 R /XYZ 85.0394 425.0333 null]
+1619 0 obj <<
+/D [1613 0 R /XYZ 85.0394 425.0333 null]
 >> endobj
-566 0 obj <<
-/D [1508 0 R /XYZ 85.0394 260.2468 null]
+598 0 obj <<
+/D [1613 0 R /XYZ 85.0394 260.2468 null]
 >> endobj
-1515 0 obj <<
-/D [1508 0 R /XYZ 85.0394 224.698 null]
+1620 0 obj <<
+/D [1613 0 R /XYZ 85.0394 224.698 null]
 >> endobj
-1507 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F11 1304 0 R /F39 863 0 R >>
+1612 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F11 1367 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1520 0 obj <<
+1625 0 obj <<
 /Length 69        
 /Filter /FlateDecode
 >>
 stream
 xÚ3T0
 endobj
-1519 0 obj <<
+1624 0 obj <<
 /Type /Page
-/Contents 1520 0 R
-/Resources 1518 0 R
+/Contents 1625 0 R
+/Resources 1623 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1487 0 R
+/Parent 1592 0 R
 >> endobj
-1521 0 obj <<
-/D [1519 0 R /XYZ 56.6929 794.5015 null]
+1626 0 obj <<
+/D [1624 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1518 0 obj <<
+1623 0 obj <<
 /ProcSet [ /PDF ]
 >> endobj
-1524 0 obj <<
+1629 0 obj <<
 /Length 2543      
 /Filter /FlateDecode
 >>
@@ -6694,41 +7227,41 @@ RÜŠ1ÏuL~”6�`l�¿‚~ZѨ¢<ÓCƒÚ̓
 ’
r�”OœBç=Á	1j"«¢ºÑpQɧUäzý"GöÄÙ	G,ØÝfS6äÐBdz˜€z²Ó„Q™DÏ
B0q
 �ã”U#7Cã@Q²€.ÿ¾ô
 ÝD‘øñðñ^=:\è±æí
-®o¬ƒñ+ñ'E\2}8Ç’;i%Ò‡ï&ª°Wõ\~jÀaÛÍ{³˜¢GË!zeoA
_�^†NmÞxš^Xð”Ð;’ù‚Ïr{z8Ø'"Hóȃ…×UØNÑô�
+®o¬ƒñ+ñ'E\2}8Ç’;i%Ò‡ï&ª°Wõ\~jÀaÛÍ{³˜¢GË!zeoA
_�^†NmÞxš^Xð”Ð;’ù‚Ïr{z8Ø'"Hóȃ…×UØNÑô�
 endobj
-1523 0 obj <<
+1628 0 obj <<
 /Type /Page
-/Contents 1524 0 R
-/Resources 1522 0 R
+/Contents 1629 0 R
+/Resources 1627 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
+/Parent 1634 0 R
 >> endobj
-1525 0 obj <<
-/D [1523 0 R /XYZ 85.0394 794.5015 null]
+1630 0 obj <<
+/D [1628 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-570 0 obj <<
-/D [1523 0 R /XYZ 85.0394 769.5949 null]
+602 0 obj <<
+/D [1628 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1526 0 obj <<
-/D [1523 0 R /XYZ 85.0394 573.5449 null]
+1631 0 obj <<
+/D [1628 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-574 0 obj <<
-/D [1523 0 R /XYZ 85.0394 573.5449 null]
+606 0 obj <<
+/D [1628 0 R /XYZ 85.0394 573.5449 null]
 >> endobj
-1527 0 obj <<
-/D [1523 0 R /XYZ 85.0394 539.0037 null]
+1632 0 obj <<
+/D [1628 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
-578 0 obj <<
-/D [1523 0 R /XYZ 85.0394 539.0037 null]
+610 0 obj <<
+/D [1628 0 R /XYZ 85.0394 539.0037 null]
 >> endobj
-1528 0 obj <<
-/D [1523 0 R /XYZ 85.0394 510.2426 null]
+1633 0 obj <<
+/D [1628 0 R /XYZ 85.0394 510.2426 null]
 >> endobj
-1522 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R >>
+1627 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1532 0 obj <<
+1637 0 obj <<
 /Length 2893      
 /Filter /FlateDecode
 >>
@@ -6737,880 +7270,877 @@ xÚ­ksã¸í{~…¿Õ™‰IÔ3ÛéL.›ls×Ë¥‰;íÌíÍ”–h[]Yò‰r²¹__€
 'é<%Ø«Ô4hνd®J%µÊ‰¢¨ó¬ö­Ú­TCSßu]"�UN ‚yH‚ïäêfÈõµ)ZE¸zMˆJɦ|ãeeÉõ^e-3³”í–—ª\~4
 hfáyN†¾9fùVT²"ŸFÒÐg[Ø>k$ŒÓ­%ya4P’~¯$œø#Ìùp
 "
‡Ï®ëgýFÐ\í‰s&[ÔÂŒjp`‹1ãÄ.}Qe½ß©ª%€Ý)«+]ðq‰§
-~H¿°OQ­4Áæ:“¥$o…Ù=ŠR©–fì-DM¸û"�çËm/Èá¤ÝÒÌNßöæ@1t$ê÷Š,s¸b,Â)PøTE&u;aBá9±èèðV$ÑÜ\{؆,CfáCƒUP9'°ÐßHI"ð掉z�Û›äÄ”‰ïˆDø¼ùuõöž�è‚��"FHÜm,$BŒëàæV4P}#¡ô
-±AiÏK:·úCÛÅÂñCa×R¾_~à‰�-³¤üœö
-É‘
9R �P)�0¦†Œi‚4`(M§6ó'óÃ^S(Wr7dg51™hïŸÏ=¨m/̹?5YŽ¥ÚlË7“ìÌ(Ø… ¾È5o]÷"L¸6xc0¡q²m
-©—´¦5õÃD 	œ$ŒlH„r«å&Âçݳ5º?¾·hdµÁk+ §/-UçI0>
+~H¿°OQ­4Áæ:“¥$o…Ù=ŠR©–fì-DM¸û"�çËm/Èá¤ÝÒÌNßöæ@1t$ê÷Š,ví-#‚Ø
ˆp
+þU‘IÝN˜PxN,::¼I47׶!Ë�YøÐ`TÎBÄ	,ôÆ·R’¼¹†c¢Dàö&ù0!eâ;">o~]½½'¤
+æíœH¸>ø8þzduÖ+ž™ ‰èMY¯0† Ð:„™¼‰(5Dò�â=@¶«‡›}´ÁãBnÑŠw|º»!&ñÅÔeúìûÁ'ãL'Ž©‡â àÎläࢩìÒG¯Ã�Íq�Iôo£´œ²<Ô‰PÓlÏÍ@ÔÁUæÄG» y¿Nxø¸ë=ãÝ=}ÊSK¨+Š˜5†þsºC:¡'¼£ªÜ¦ÂCìDPÚó’έþÐv±püPص”ï�8AâÇcË,)?§½Er¤@@Žh T
+$Œ©!cš 
JÓ©ÍüÉü°×Ê•Ü
Ù™E
AL&
ÚûçÇsjÛsîOM–c©6ÛòÍ$;³
+v!¨/rÍ[×½®
ÞLh܇l›„´¦5õÃD 	œ$ŒlH„r«å&Âçݳ5º?¾·hdµÁk+ §/-UçI0>
 è¾ÏÝG$”uf,Õ­DC¡Æüx¾;˜t
-(–
"—ÜYi4¹B™º¦qfèY'ÉíŽÑ–�\z
¬nÌ\³&ÊKŸ	‰•v(Äð1“‘㣓Æ|ÒØŠž«�ˈ�p}µ6eè£[SWöj›ŸMñ¢Âú`K@®Ö j]¼©VP%Û
-·KÊÿóWÞþCw;"Iüé¸~œ8
Ô¥V(<AêŸHn?ŸŠþ_a52…endstream
+(–
"—ÜYi4¹B™º¦qfèY'ÉíŽÑ–�\z
¬nÌ\³&ÊKŸ	‰•v(Äð1“‘㣓Æ|ÒØŠž«�ˈ�p}µ6eè£[SWöj›ŸMñ¢Âú`K@®Ö j]¼©VP%Û
 endobj
-1531 0 obj <<
+1636 0 obj <<
 /Type /Page
-/Contents 1532 0 R
-/Resources 1530 0 R
+/Contents 1637 0 R
+/Resources 1635 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
-/Annots [ 1536 0 R 1537 0 R ]
+/Parent 1634 0 R
+/Annots [ 1641 0 R 1642 0 R ]
 >> endobj
-1536 0 obj <<
+1641 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [253.7995 146.8976 417.685 158.9572]
 /Subtype/Link/A<</Type/Action/S/URI/URI(ftp://www.isi.edu/in-notes/)>>
 >> endobj
-1537 0 obj <<
+1642 0 obj <<
 /Type /Annot
 /Border[0 0 0]/H/I/C[0 1 1]
 /Rect [63.4454 108.9117 208.8999 119.0735]
 /Subtype/Link/A<</Type/Action/S/URI/URI(http://www.ietf.org/rfc/)>>
 >> endobj
-1533 0 obj <<
-/D [1531 0 R /XYZ 56.6929 794.5015 null]
+1638 0 obj <<
+/D [1636 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-582 0 obj <<
-/D [1531 0 R /XYZ 56.6929 652.1213 null]
+614 0 obj <<
+/D [1636 0 R /XYZ 56.6929 652.1213 null]
 >> endobj
-1534 0 obj <<
-/D [1531 0 R /XYZ 56.6929 614.8935 null]
+1639 0 obj <<
+/D [1636 0 R /XYZ 56.6929 614.8935 null]
 >> endobj
-586 0 obj <<
-/D [1531 0 R /XYZ 56.6929 614.8935 null]
+618 0 obj <<
+/D [1636 0 R /XYZ 56.6929 614.8935 null]
 >> endobj
-1072 0 obj <<
-/D [1531 0 R /XYZ 56.6929 584.5024 null]
+1127 0 obj <<
+/D [1636 0 R /XYZ 56.6929 584.5024 null]
 >> endobj
-590 0 obj <<
-/D [1531 0 R /XYZ 56.6929 289.5256 null]
+622 0 obj <<
+/D [1636 0 R /XYZ 56.6929 289.5256 null]
 >> endobj
-1535 0 obj <<
-/D [1531 0 R /XYZ 56.6929 251.3901 null]
+1640 0 obj <<
+/D [1636 0 R /XYZ 56.6929 251.3901 null]
 >> endobj
-594 0 obj <<
-/D [1531 0 R /XYZ 56.6929 251.3901 null]
+626 0 obj <<
+/D [1636 0 R /XYZ 56.6929 251.3901 null]
 >> endobj
-900 0 obj <<
-/D [1531 0 R /XYZ 56.6929 222.7156 null]
+955 0 obj <<
+/D [1636 0 R /XYZ 56.6929 222.7156 null]
 >> endobj
-1538 0 obj <<
-/D [1531 0 R /XYZ 56.6929 53.7852 null]
+1643 0 obj <<
+/D [1636 0 R /XYZ 56.6929 53.7852 null]
 >> endobj
-1539 0 obj <<
-/D [1531 0 R /XYZ 56.6929 53.7852 null]
+1644 0 obj <<
+/D [1636 0 R /XYZ 56.6929 53.7852 null]
 >> endobj
-1530 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F53 962 0 R /F11 1304 0 R /F39 863 0 R >>
+1635 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F39 885 0 R /F53 1017 0 R /F11 1367 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1542 0 obj <<
+1647 0 obj <<
 /Length 2824      
 /Filter /FlateDecode
 >>
 stream
-xÚµZ]{£6¾Ï¯ð¥ý<-’ KÇö¤É4™4v·Û�α›g0¸g&ýõ{„>äζûä" ôâóžO	<òà�"†<ÊýQÈ}Ä<ÌFëý•7ÚÂÜíV2×ZèÚ–ºY]ýó
Gñ€£Õgk­yQ„G«ÍÇñôéiñ8¿û÷äš0o<E“kæyzt¶XN®Ã€‹	*¦o|swóã݇Ûçéӿʇ~ó˜7}œË›åÏ··‹åj¡nŸÓùÝã-ˆàɧÕýÕbe^ÛþiØ£â�¿úøÉmàÞ_yˆòˆ�¾Â�‡0çd´¿òȨT�dWË«ŸÌ‚ÖlýhŸª�‹HØ£+‚G#Îi)‹qPBke-«8ßÄÇM9ø[¨�(c—h²¤$4í£IK	ä�Ïïf $ÿS3EÞÝ	m¤Î±}ÛD0c(
-)kƒÏ‹}œæ’ÐÇxŸ”ŠwBBy5+òur¨Ô8èH^¼‹×i–ViRë«ó3qè!„¼ Àø‡|äi‚	£Érì¡X‰IuLK%õX¼&û—ä(ï0�B4ÈÀVüKŒXRF´”Ås0₶éb0bƒ_dänÈ’}’Wq•y‡—å!Y§¿yYËÙsr&@¿ö’#oþ>Š�(½@‘-5L‘‘ÒñÐá3N䆡3è~†ZØqš©Xœª4ßv8¨v‰¼°©\¾•U²ïs1Òç¼ÍÇLiÿ)>‚æ7ÛD�ßÇù)>¾ÕH-ÙŠpׄøˆG Z*~€O꥟ŽÅ¡(m)—^@Eäw–”ƒ;-eÜ‹s‡{9¡-òºØäÙàwùú8ÁÑXz�âñ?E®([M0Æãcœ—Ÿµ�kç�Ë>ú|Œp
-�ªèf1ˆ{²¶À,@^C-·{FæBþ¿9•;yµÈþЉ픽ý&A$¢ä–”ƒ	-e˜ ^ä`Âm1ÑÅ`ÂL¶ ÒWÕâõÎT:è~:%Ç�²›r„I@úSÑ4ßÈÄ÷U×qq=°Þ½GÃz‡¦
CP½ wKÊ¡w-eô„.pA[zïbèÝ_|«’¼4	Æ$§²“�ŒòE?¼€;Ow½g�F¡€ùŸóŽÃô1|‰KÊA�–²( 
-\Ð]ì

-lðÇ"¿–EWrܧ¹®ÈŒÆe‚©£G²I¥¯ÃC$d´ß
fÇø«`VØôëžêÞ^"ˆ|nÝÛRú7RF÷‘洞�Ð�îÏ°ûuß_&ª* lü>y“M¯UýEÐ䄼JMM’ÒEàBÂEVË»Û
!„"/bØâj<nÀCüq:Ácå$”�?¨©ÛÓfé»”E
¡Ñx®fqY]˼o Zy?‹¿h—£-#0}Û�2”_&œŒ“,ƒ\Iœ:XªôD<(›í$QQ~ÁN,)‡�h)c'œz;qA[vÒÅ°¼e' i'"}—Uü’¥åN4S®˜¹z¿P;ŠÏÏC¡3âÈçAgÓh®8ô2¸L•µ#áfÈçˆr‰!KÊÁ�–²r$2'´ÅP{€!Ü(û9ùý”è�f,»ÇŸ…ÚÒmW'ImÙ�%�׫s\9äÆÔ”ðÿ7[#àKlYR¶´”f‹z^è`Ëm±ÕÅ`ËRZ?ß'jò�j¨-ÀqM†|D·kâF¶k½Á#ƃ6IÎ0×ÞÛssƒ)�è7–”ƒ-e¸	œ9ÑmqÓÅàÆ¿Mr¨¯…bÃP•V"Ú…
Ü_Óu"§¦Ù¶€©Ý^ÎÉ°'ib%ÜËX	=>(–éæT{-éÕp!è¿].e~ót^“§<®\Ë�ÏüN9´Tô¿ÿç}õé­ì
-¶º/ÓÃi&·hÞêß¡fÔ_¦/Å«=sß²²~e|–pu?øCœejîú*ló£ýû›<€æ©»¿Ù4ª
mõÖÒwm{RßCKqšµ-5lÖFʘ5!³vB7f}†ÝoÖ-ð»|SÛ˜n+Ÿ“²È^µ¢—§Ã¡8Vgçr1ëËÔ
ƒØ±þØ?+ò£¡zž¬Ûá†
-±ŠSzIï–”CïZÊè=¢Ô¡w´¥÷.ö€ÞmðÕNFƒ”/
]xœ½•i)Źµfk
®ÕÖ\éL ®íLÐð©p’f¯M¬Šxõ%Í´Ü-ƒ‹g=	�P’Š�àã@wFªžV‹¶êi Ó$“pŒ"^Ø#µ¥†É4RšLßs‘é„nÈ<Ãî'³^Ìí¼€y¾U
É|\lN*²‹ÑZÁBX”disæлsùбØÅ”ÕĈç§òYèzº†11ú FŒ�ª;òdw$^æ!.ËDGn¹9ª [œ6LjHp•IÿnÐφé0
-=|a¿Ô–rЯ¥,ú1Ô	mÑßÅ ßWgU±.Ä.øÌC±él FD¥oíÕbD&&áÈMb‚;¹û}nýlŸ3C¯îs;s,“&,Ú63a;²}PâÚ,”G«•[ìëÞ2–Îñò_´¨‚™èÌÝvaI9ìBK5vá;΃�Ж]t±ì¹TÖó¢8„È#ëB”õMm”F*ÊSU׉‹ÆÄ�Ù�ì5,>}ñ­}ʸÞ´#š‰È21ú ÄMŒƒsu\bZFñ÷ÃY
‚©À²¸ ¡£ùÈ

-’Xï*
+xÚµZ]{£6¾Ï¯È¥ý<-’ KÇö¤É4™4v·Û�α›glH
ÎLúë÷} 0’;Ûî“‹€tЋÏ{>%ðe
+’_.×G“ÇÇùÃìößã+‚Ñ�¯XèÑé|1¾Š#.&¨˜Š‚Ñõíõ�·nž&�?ü*ú-`Áäa&o?ßÜÌ˹º}šOf·7 ‚ÇŸ–wó¥ymû§á€Šwþýâã§àr
¿ðî"@”'ìò+ÜsN.÷!£ˆ…”ê‘ÝÅââ'³ 5Û<:¤*FÄèŠàKŒgŒt”Å8Š(¡�²uZ¬Óúrþ"ÊØ9š,)	M‡hÒRùãÓ»)()üÔGÆ,@	‡w÷B©SlÊ-lÌJbʺà³rŸæ…$ô!Ýg•â��X^MËb•½Ôjt$/Þ¥«|—×yÖè«÷3q Å	¼ Àø‡|äqŒ	¡Érì¾\}I_²ú�WJê¡|ÍöÏÙAÞažÄÈÉŽÀVÂsŒXRF´”Åó0⃶éc;±ÁÏ2r»Ùeû¬¨Ó:/‹/‹—l•ÿd%gOÉ!˜
+¨¯…bãX•×"ÚÅÜ^óU&§&»M	SÛ½œ“aO>ÒÆJ¸—±$|P,ÓÏ©öZÒ«áBгXÈüè¼&Oy|¹–¡�…½rh¡èÿ5-†êÓÙlt_¦‡ó�Ü¢yk~‡šýQ;|•?—¯öÌ]ÇÊ*ø•éIÂÕýàén§æ>¬êÒ6?:¼¿É#hžúû›m£ÚÒÖl-}׶'
ð0ö›µ-å6k#eÌš�Y{¡[³>Á6ëøm±nlL·•OYUî^µ¢Ç——òPŸtœ‹ùt(SGb†cÿ´,†êY¶ê†ì'b§ôœÞ-)�Þµ”Ñ{B©Gï>hKï}l‡ÞmðåVFƒ”/
]xº{«òJÞ	U‹ÿrk
.ÌÖ\«­5¸Ò™@\Û™`8àSá$í^›X)ðúK^(h¹[Oz:¡,!!Ä‘îŒT=­íÔÓ@fè$“pŒŸÙ#µ¥Üd)MføÈôB·dž`“Ù
oæv^À<
ߪ�d>*×GÙÅh£`!,J²¼=sܹIBèXìb*HbÄóù,t=ý	ؽW£?¦Õ²;/sŸVU¦#·ÜU�NÛcD¤¸ªlx·ègnú#Œâ
+-©ôfªò·¸híEÜ™]§Áƒ,>q­þ˜2.�”öl¡�H,[£÷JÜØ‚œ©mqƒÐ¡¾c!½3å¿hPú2ÑŽû�Á’òƒ–²ŒÁ“P½Ð–1ô±Æ`ƒ««º\•bË
+è}¹îí¦'DÕr:Ä‹Y¥ˆ¨ÞV)p'�bŒG.» 1JBnsË
+
+íÆ3aGu1z¯Äµ]¨ð®Vî؃Nç�]œp1èž
+´¸ ¤ƒùÈ

+’Tï*
+µ�9Te>#ôá¶6Ø6Ay2¾b$´ÌHÜ)³|Þ‰zA4lY3ª#Óò`ï§6c¿ŒI0‚¶Æ¾[g;µú,{Ù•oúùFÿÍ+”Ÿë¯’ù
Ø.…‚1¦‘•ß‹WñÈÌvìï&}•/\u˜sê8˜$Ðk“3�©-å¡ZKY\{h½ÐÙ}lÛ6ø´Üïå®+Ö›­ßÁä\²Z*)#ý&ÇÍ:±¦‚ñwù·á£s£˜cû‰†Íçƒb‘÷Ç}ªO]žkÓçÁj�%¬¼SƒS5ø��´‰3zÝÏ�Þs–äWœ¹Ïw;sâû}&ÁDÂ(ò[„%ä6-Ô~P‘xN|¸­9ô�‡­ÁF^d‡\•<ÛkÒlIdu¾ª2!³ðôtÖÅ:Úsq\û½I$�Ø‚?Sÿ[Bn…k¡6ãû>ûòá¶
+ï+ÜF6Þuþ}^=gÛô5Õ Œ@õµ�®­ÑLKç„}RÛˆÈB
 endobj
-1541 0 obj <<
+1646 0 obj <<
 /Type /Page
-/Contents 1542 0 R
-/Resources 1540 0 R
+/Contents 1647 0 R
+/Resources 1645 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
+/Parent 1634 0 R
 >> endobj
-1543 0 obj <<
-/D [1541 0 R /XYZ 85.0394 794.5015 null]
+1648 0 obj <<
+/D [1646 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1544 0 obj <<
-/D [1541 0 R /XYZ 85.0394 752.3015 null]
+1649 0 obj <<
+/D [1646 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
-1545 0 obj <<
-/D [1541 0 R /XYZ 85.0394 752.3015 null]
+1650 0 obj <<
+/D [1646 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
-1546 0 obj <<
-/D [1541 0 R /XYZ 85.0394 752.3015 null]
+1651 0 obj <<
+/D [1646 0 R /XYZ 85.0394 752.3015 null]
 >> endobj
-1547 0 obj <<
-/D [1541 0 R /XYZ 85.0394 746.3107 null]
+1652 0 obj <<
+/D [1646 0 R /XYZ 85.0394 746.3107 null]
 >> endobj
-1548 0 obj <<
-/D [1541 0 R /XYZ 85.0394 731.5461 null]
+1653 0 obj <<
+/D [1646 0 R /XYZ 85.0394 731.5461 null]
 >> endobj
-1549 0 obj <<
-/D [1541 0 R /XYZ 85.0394 728.1497 null]
+1654 0 obj <<
+/D [1646 0 R /XYZ 85.0394 728.1497 null]
 >> endobj
-1550 0 obj <<
-/D [1541 0 R /XYZ 85.0394 713.3851 null]
+1655 0 obj <<
+/D [1646 0 R /XYZ 85.0394 713.3851 null]
 >> endobj
-1551 0 obj <<
-/D [1541 0 R /XYZ 85.0394 709.9887 null]
+1656 0 obj <<
+/D [1646 0 R /XYZ 85.0394 709.9887 null]
 >> endobj
-1552 0 obj <<
-/D [1541 0 R /XYZ 85.0394 651.9592 null]
+1657 0 obj <<
+/D [1646 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
-1016 0 obj <<
-/D [1541 0 R /XYZ 85.0394 651.9592 null]
+1071 0 obj <<
+/D [1646 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
-1553 0 obj <<
-/D [1541 0 R /XYZ 85.0394 651.9592 null]
+1658 0 obj <<
+/D [1646 0 R /XYZ 85.0394 651.9592 null]
 >> endobj
-1554 0 obj <<
-/D [1541 0 R /XYZ 85.0394 648.8377 null]
+1659 0 obj <<
+/D [1646 0 R /XYZ 85.0394 648.8377 null]
 >> endobj
-1555 0 obj <<
-/D [1541 0 R /XYZ 85.0394 634.0731 null]
+1660 0 obj <<
+/D [1646 0 R /XYZ 85.0394 634.0731 null]
 >> endobj
-1556 0 obj <<
-/D [1541 0 R /XYZ 85.0394 630.6767 null]
+1661 0 obj <<
+/D [1646 0 R /XYZ 85.0394 630.6767 null]
 >> endobj
-1557 0 obj <<
-/D [1541 0 R /XYZ 85.0394 615.9121 null]
+1662 0 obj <<
+/D [1646 0 R /XYZ 85.0394 615.9121 null]
 >> endobj
-1558 0 obj <<
-/D [1541 0 R /XYZ 85.0394 612.5156 null]
+1663 0 obj <<
+/D [1646 0 R /XYZ 85.0394 612.5156 null]
 >> endobj
-1559 0 obj <<
-/D [1541 0 R /XYZ 85.0394 585.7959 null]
+1664 0 obj <<
+/D [1646 0 R /XYZ 85.0394 585.7959 null]
 >> endobj
-1560 0 obj <<
-/D [1541 0 R /XYZ 85.0394 582.3994 null]
+1665 0 obj <<
+/D [1646 0 R /XYZ 85.0394 582.3994 null]
 >> endobj
-1561 0 obj <<
-/D [1541 0 R /XYZ 85.0394 567.6349 null]
+1666 0 obj <<
+/D [1646 0 R /XYZ 85.0394 567.6349 null]
 >> endobj
-1562 0 obj <<
-/D [1541 0 R /XYZ 85.0394 564.2384 null]
+1667 0 obj <<
+/D [1646 0 R /XYZ 85.0394 564.2384 null]
 >> endobj
-1563 0 obj <<
-/D [1541 0 R /XYZ 85.0394 549.5337 null]
+1668 0 obj <<
+/D [1646 0 R /XYZ 85.0394 549.5337 null]
 >> endobj
-1564 0 obj <<
-/D [1541 0 R /XYZ 85.0394 546.0774 null]
+1669 0 obj <<
+/D [1646 0 R /XYZ 85.0394 546.0774 null]
 >> endobj
-1565 0 obj <<
-/D [1541 0 R /XYZ 85.0394 531.3128 null]
+1670 0 obj <<
+/D [1646 0 R /XYZ 85.0394 531.3128 null]
 >> endobj
-1566 0 obj <<
-/D [1541 0 R /XYZ 85.0394 527.9163 null]
+1671 0 obj <<
+/D [1646 0 R /XYZ 85.0394 527.9163 null]
 >> endobj
-1567 0 obj <<
-/D [1541 0 R /XYZ 85.0394 513.1518 null]
+1672 0 obj <<
+/D [1646 0 R /XYZ 85.0394 513.1518 null]
 >> endobj
-1568 0 obj <<
-/D [1541 0 R /XYZ 85.0394 509.7553 null]
+1673 0 obj <<
+/D [1646 0 R /XYZ 85.0394 509.7553 null]
 >> endobj
-1569 0 obj <<
-/D [1541 0 R /XYZ 85.0394 483.0356 null]
+1674 0 obj <<
+/D [1646 0 R /XYZ 85.0394 483.0356 null]
 >> endobj
-1570 0 obj <<
-/D [1541 0 R /XYZ 85.0394 479.6391 null]
+1675 0 obj <<
+/D [1646 0 R /XYZ 85.0394 479.6391 null]
 >> endobj
-1571 0 obj <<
-/D [1541 0 R /XYZ 85.0394 464.8745 null]
+1676 0 obj <<
+/D [1646 0 R /XYZ 85.0394 464.8745 null]
 >> endobj
-1572 0 obj <<
-/D [1541 0 R /XYZ 85.0394 461.4781 null]
+1677 0 obj <<
+/D [1646 0 R /XYZ 85.0394 461.4781 null]
 >> endobj
-1573 0 obj <<
-/D [1541 0 R /XYZ 85.0394 446.7135 null]
+1678 0 obj <<
+/D [1646 0 R /XYZ 85.0394 446.7135 null]
 >> endobj
-1574 0 obj <<
-/D [1541 0 R /XYZ 85.0394 443.3171 null]
+1679 0 obj <<
+/D [1646 0 R /XYZ 85.0394 443.3171 null]
 >> endobj
-1575 0 obj <<
-/D [1541 0 R /XYZ 85.0394 428.5525 null]
+1680 0 obj <<
+/D [1646 0 R /XYZ 85.0394 428.5525 null]
 >> endobj
-1576 0 obj <<
-/D [1541 0 R /XYZ 85.0394 425.156 null]
+1681 0 obj <<
+/D [1646 0 R /XYZ 85.0394 425.156 null]
 >> endobj
-1577 0 obj <<
-/D [1541 0 R /XYZ 85.0394 355.0758 null]
+1682 0 obj <<
+/D [1646 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
-1578 0 obj <<
-/D [1541 0 R /XYZ 85.0394 355.0758 null]
+1683 0 obj <<
+/D [1646 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
-1579 0 obj <<
-/D [1541 0 R /XYZ 85.0394 355.0758 null]
+1684 0 obj <<
+/D [1646 0 R /XYZ 85.0394 355.0758 null]
 >> endobj
-1580 0 obj <<
-/D [1541 0 R /XYZ 85.0394 352.0499 null]
+1685 0 obj <<
+/D [1646 0 R /XYZ 85.0394 352.0499 null]
 >> endobj
-1581 0 obj <<
-/D [1541 0 R /XYZ 85.0394 337.3452 null]
+1686 0 obj <<
+/D [1646 0 R /XYZ 85.0394 337.3452 null]
 >> endobj
-1582 0 obj <<
-/D [1541 0 R /XYZ 85.0394 333.8889 null]
+1687 0 obj <<
+/D [1646 0 R /XYZ 85.0394 333.8889 null]
 >> endobj
-1583 0 obj <<
-/D [1541 0 R /XYZ 85.0394 309.8192 null]
+1688 0 obj <<
+/D [1646 0 R /XYZ 85.0394 309.8192 null]
 >> endobj
-1584 0 obj <<
-/D [1541 0 R /XYZ 85.0394 303.7727 null]
+1689 0 obj <<
+/D [1646 0 R /XYZ 85.0394 303.7727 null]
 >> endobj
-1585 0 obj <<
-/D [1541 0 R /XYZ 85.0394 278.3282 null]
+1690 0 obj <<
+/D [1646 0 R /XYZ 85.0394 278.3282 null]
 >> endobj
-1586 0 obj <<
-/D [1541 0 R /XYZ 85.0394 273.6565 null]
+1691 0 obj <<
+/D [1646 0 R /XYZ 85.0394 273.6565 null]
 >> endobj
-1587 0 obj <<
-/D [1541 0 R /XYZ 85.0394 246.9367 null]
+1692 0 obj <<
+/D [1646 0 R /XYZ 85.0394 246.9367 null]
 >> endobj
-1588 0 obj <<
-/D [1541 0 R /XYZ 85.0394 243.5403 null]
+1693 0 obj <<
+/D [1646 0 R /XYZ 85.0394 243.5403 null]
 >> endobj
-1589 0 obj <<
-/D [1541 0 R /XYZ 85.0394 173.5556 null]
+1694 0 obj <<
+/D [1646 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
-1590 0 obj <<
-/D [1541 0 R /XYZ 85.0394 173.5556 null]
+1695 0 obj <<
+/D [1646 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
-1591 0 obj <<
-/D [1541 0 R /XYZ 85.0394 173.5556 null]
+1696 0 obj <<
+/D [1646 0 R /XYZ 85.0394 173.5556 null]
 >> endobj
-1592 0 obj <<
-/D [1541 0 R /XYZ 85.0394 170.4341 null]
+1697 0 obj <<
+/D [1646 0 R /XYZ 85.0394 170.4341 null]
 >> endobj
-1593 0 obj <<
-/D [1541 0 R /XYZ 85.0394 144.9896 null]
+1698 0 obj <<
+/D [1646 0 R /XYZ 85.0394 144.9896 null]
 >> endobj
-1594 0 obj <<
-/D [1541 0 R /XYZ 85.0394 140.3179 null]
+1699 0 obj <<
+/D [1646 0 R /XYZ 85.0394 140.3179 null]
 >> endobj
-1595 0 obj <<
-/D [1541 0 R /XYZ 85.0394 113.5982 null]
+1700 0 obj <<
+/D [1646 0 R /XYZ 85.0394 113.5982 null]
 >> endobj
-1596 0 obj <<
-/D [1541 0 R /XYZ 85.0394 110.2017 null]
+1701 0 obj <<
+/D [1646 0 R /XYZ 85.0394 110.2017 null]
 >> endobj
-1597 0 obj <<
-/D [1541 0 R /XYZ 85.0394 95.4372 null]
+1702 0 obj <<
+/D [1646 0 R /XYZ 85.0394 95.4372 null]
 >> endobj
-1598 0 obj <<
-/D [1541 0 R /XYZ 85.0394 92.0407 null]
+1703 0 obj <<
+/D [1646 0 R /XYZ 85.0394 92.0407 null]
 >> endobj
-1540 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+1645 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1601 0 obj <<
+1706 0 obj <<
 /Length 2889      
 /Filter /FlateDecode
 >>
 stream
-xÚµš[w›º€ßó+üh¯Õh£·G»‰ÛÄͱ“ž½WwˆMV0¤·Í¿?#tA`Ý笳ò�
֧͌ÀþðÄõ�’pâ‡¹v'Ûý™3ù}WgXÊœ+¡sSêâþì�÷ÔŸ„(ôˆ7¹2Æ
-�xr¿û2�E3Á™^,/n–Ÿ®ÖÑÝõ_³sâ:Ó¿׉Vsq³y¸ºZlîòv½ˆæËÕˆàÙ¹ï…Î4º»[¬æË?EÄGutëåb3ûzÿálq¯_ÛüiØ¡ü�¿Ÿ}ùêLvð?œ9ˆ†�;ù	7ÂaH&û3æRä2JUKv¶9û—Ðè­í�*ì B=Ò3WO0F¡ë’Öd¹!ò(¡õd­“²8¶‰œ‚d[vâú~3ðöš”ƒ¿’bä»
-vL+õà%ø@ïà)âL/ÑûYH¦HŒ±ø‘f8˜>LJªÀÓÙÕÿÉô6ÞÇ/E){ײ÷!ËöqžËAã|'šïf˜„jðÛbû¿&Õ!…§áý`&Ô+�‹e ìãÓ¶*á=jÊ°è4DØCxl„°)5LXKi¾ã
¶ªnŸèî%ÜÒ-ÀÂO_m¢;µì¹p0mCèÅºýÐ
Ì �Äÿ[€”æßÄ�ÀÄG“½—E–dY,Ÿér`Ã|ÐO±?ÂÁ�²pPRšCàÛ8ØTººû9˜º#¾–ýémƒ9Á¥7}*¢mñ뵦‘”¥˜Lè¼)¶17=!±ÌAx¯¼i*;ªçD\Ì‹}œÊÎU¼—­›·²Jö=X©ƒ‘˽hƒ•b°^9Xü#-e[csÐñyæºÓôWšH‹ÓÃœkÇ£ÝÏ|6Eï:«b)WÅ<ݾ¤yYäRàCœãÛ^Þðº`°í1:fŸ†”e]()µ.ˆã˺°©6ÖEWwÿº0uú ØfJ1«ý/o¨W¿Ø¼&Ûôé­^ü¾FÎ%›%›‹')ž~¤Û¤D=Ô‰"L‰A�aîŠù“WÇìñ
-jt¼G¯
~c¬�úqe×õ‚ÐZÂN{»îH`dJY¨*)M{–}ÕªÚ ÚÕÝOÕÔý ,fBò‚‹e^%‡<©Ä�
-
-
-þC§)vŽ¶á‘�·‘±02Š ÅØâ^-J
~m­ýô­<ÐÝ\GçX`Èl„ÈP—Â%D‹L^àJj±ªÞ£z‹uõ7®G¶Ë
-<¢8´3„†�)!
Ì
-¥
›ÞXWq/0S±¨¡þª’¼¬O*avDMþ—Ç××âP	¡å�hü‘JQ6‡F¯¯2ãcäx¡±2âN7H<qÿ\ìE¾À[/eëõ1[�eëg]0‡®�ešÇy%»D
-ͪ§µµ�iqLË2í«ÿ
-w,!0¥,””Në(¶ìZVÕ†®î~¦îË,.ËL‡‚ËÕy4Ÿ¯Q´Þ%ú�é†åw&ûZUUÒ]ž('t%w’æU=÷EQu¿Âèx¶æ(¿Ùð¹.†ìÎÁÁȱ½)eA¦¤4²€X¢I«jYWw?2S÷2ºP[/Q$ÛçÜS¦>gÚs'÷¡îaÓCž~?&Ý`ôn:®ç·Á¶�e$Q@XÙ±Ô‹"îTÐ~§rÀÏƾ²0„†i)¡¦lB,•j›Þ†UWq/*S±öq,P>Ž…ÜÇÍ ­®Ý;UL�\F«H\]B®�î’C<ô}#/iz¤uú#Ö)5<n¦ÔÐl¤Ô¼S
-]Ô…­<Ažÿ»¶¶,Kã½úbQ+iÅþÚX;ŸÙ
š–:‹‹ø÷´=“ïè˜ôþlרŠûˆÁ@ðBü
+xÚµšKsÛ8Çïþ:JU1>�´¥ØJlÅ+ÙÙ™Êä@KtÌ2E:"•Äß~ă E‚™ÝÚòÁÐÄ_ÂÝ@7I&þÈÄõ�Òpâ‡r1q'Ûýž|ƒ¾«3"mΕѹiuqöÇ{æOBzÔ›Ü?c
™Üï¾L#ÄÐFÀÓ‹åÅÍòÓÕ:º»þkvN]<ý»8ZÍŇÍÃÕÕbs¿�׋h¾\]�	™�û^ˆ§ÑÝÝb5_þ)ú#>*Ö­—‹Íìëý‡³Å½þÚæO#˜ñïüýìËW<ÙÁ/üp†wò>`DÂ�NögŽË�ë0¦Z²³ÍÙ¿ô€Fo}kïTŒ(óhÏ\Q2!…®K[“å†Èc”Õ“µNÊâxØ&r
+’mq؉ëûÌÀÛkRþJF�ï;@ÃJ|)ÖPYñïôeýþ’�€}í*Ja:\ß.­­NµYhhê#—úmíUò~>aÓùj#.ÖkÙ�ü�1ÍÓ*-òzN:?…`¦•yð%ø@ïà.Š§—èý,¤S$ÆXüH3LŸãCU�é�ìŠêÿtzïã—¢”½kÙû�eû8Ïå q¾Íw3BC5øm±}‰_“ê�ÂÝðý`&ÔW:Ë@øǧmU<Â÷¨)âÃhˆ°†(ðœ¦Õ0am¥	ûØ&l•nŸh÷ni°ðÓW›èN-{îLÛz1ƒ¶ú¡�ì/�ø�Òü›ø 0ñÑdïe‘%YË{ºœa>è3â�p0¬,”•æø66iƒCW»Ÿƒ©ñµìOo“Ü	.½éSqm‹_¯5�¤,ÅdBçM±�¹ë	‹eÆ{ÝàMSÙQ='âb^ìãTv®â½lݼ•U²ïÁÊ0A.�¢
VFÀ{å`ñ�´”m�ÏAÇç™ëNÓ_i"=Ns®/Œv?ó�)z×YK¹*æéö%ÍË"—âüÞôºð†×…ÛžÃÆüÓ°²¬e¥ÖÅ.µ¬›´±.ºÚýëÂÔ†uÁˆ+Ü”§Ž¿¼¡^übóšlÓ§·zeðÏ5rnÙ,Þ\<Ióäð#Ý&%ê¡Nqˆ£u„y(æw^³Çà*“\Ôèx�^üƒ±êÛ•_×B+´„�*ñqÝ‘ƒ‘ie¡ª¬4UâYöU«´Aµ«ÝOÕÔ~ž3!yÁÅ2¯’CžTâ“
+†•…‚²Ò`¯·P°IºÚýLíù&?ýã⯲s¬Ø,¯dSšwç]ù?ý
+?â7?Òù1Щsàží’9(ô½6¡¹$´ˆË*‹_ÙÌjGß½Sçbá÷ÏšX8LŒÀÌ6 
+1eeó-ÄlÒ±®v?1S{½‰þ¸�»°³øŠó‰<QøŠ¿â€ø±M‚�¢ÆµúI�_�PóBä;80v9_`ã£ØlbãŸlâ0£Fjå“V˜N€‘“n‡iZ
ÃÔVLËng•n`žh÷ÂlioªâPïR$dÓËä ¶08|&%osj†¼¯fÈCÞ(ò+Å�[Œ0¤H;†ü~Î�ßkºvCaS¯0~ñI_wû#jåáF�ÜbÚDÚ⹜ã}æÓ؆•¶²2`‡Ø6ivW»¶©ÍaÇbŸĹÆ
álúTŸZί“º2#zas,E*[dè
ŒÐêС7[
+°I+ «Ý¿Lí{Ôqî‹5eÇaÓèX=ö[½‰®»"ååÑÇ¡®¢»ûµðOÞ_3æ}í¬“wÉä¤?Èz®Óð†hÁSÃú.•®‘Wä‘ÊïlEÕMò
+ñC§)vŽ¶á‘#occa(lAFˆ%¼ZD
~mÕ~z�*?èn®£s"`Èl„Ê£.¥”[ˆ™¼À•(ÔU½¥Fõ–èê-i2\�l—
ðÀŒ˜cˆˆ¿´uæåE\#þò‚tü&™ª1ZP�"¦}ÔÇ�‘…£4j@RKÝΦk�ì÷£4„£&]ÉøZ?¤üÑ`'¿¿IËJ¦ž"öâv1Ž7܉�üðô+)�‡²w7JcðìLÚ[ªz!¯*¶Ï'5+0ˆ8ˆ‘ÐÌ0¦Œ407´”lº
°®p/0SXÔP8þª’¼¬ŸTÂŒEMþ—Ç××âP	£å�hü‘JQ6‡F¯¯2ㄽÐØêN7HÜqÿ\ìE¾À[/eëõ1_�eëg]0‡®�ešÇy%»D
+ͪ§ÕÚÁ´8¦e™öÕ€0&Ì‹·�!6¬,Œ••
ÙRM°J”»Úý˜Mík˜´L?gTÎö�¿äÅϼë´7ß“.×rí²·üC�㇌¤ó]Ë*~*›ÌñtûcêL뽈KV0£ü �LHû9­®lé:–~p0ÀòYÈqðH6­†™k«æÍL†™[¥æ'Ú½Ì[Úz>ù¶Ø�À_%ÕÏâðÒä0ݺà'˜¾Ão@Æ
¢Ø,aö³ù¡õÖ�X¯‡4SÉK0œ¼7D
«˜VJʪ¡dÛ/­Ò¥®v?%S{�|?¦b�Û'¹ÚõÙ<ò⟮½až«¹{ÍÒ­QHoʺ2r÷¹¥É“Ó)œ_â]2P.·Aaðcg¤^gZY (+
Å
m®c“6 tµû¡˜Úãéý¦:·•“Igæ�g=[cè"ÏgN{ò?Hç¸À<GHì‡ßø $ܱ„À´²`PV:­cIJkY¥
]í~¦öe—e¦�‚ËÕy4Ÿ¯Q´Ñ%ú�é†åw&ûZUUÒ]ž¨ t%w’æU=÷EQußÂèD¶æQ~?²á纲;L‚‘Çö¦•™²ÒÈj9MZ¥
d]í~d¦ö2ºP[/Q$ÛçÂS¦^gÚó'÷¡îæ‡<ý~Lº‡ лéP¸žßÛ–‘D
ÇÊŽ§^q§‚ö;•“
 endobj
-1600 0 obj <<
+1705 0 obj <<
 /Type /Page
-/Contents 1601 0 R
-/Resources 1599 0 R
+/Contents 1706 0 R
+/Resources 1704 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
+/Parent 1634 0 R
 >> endobj
-1602 0 obj <<
-/D [1600 0 R /XYZ 56.6929 794.5015 null]
+1707 0 obj <<
+/D [1705 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1603 0 obj <<
-/D [1600 0 R /XYZ 56.6929 748.5056 null]
+1708 0 obj <<
+/D [1705 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
-1604 0 obj <<
-/D [1600 0 R /XYZ 56.6929 748.5056 null]
+1709 0 obj <<
+/D [1705 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
-1605 0 obj <<
-/D [1600 0 R /XYZ 56.6929 748.5056 null]
+1710 0 obj <<
+/D [1705 0 R /XYZ 56.6929 748.5056 null]
 >> endobj
-1606 0 obj <<
-/D [1600 0 R /XYZ 56.6929 743.7078 null]
+1711 0 obj <<
+/D [1705 0 R /XYZ 56.6929 743.7078 null]
 >> endobj
-1607 0 obj <<
-/D [1600 0 R /XYZ 56.6929 719.6381 null]
+1712 0 obj <<
+/D [1705 0 R /XYZ 56.6929 719.6381 null]
 >> endobj
-1608 0 obj <<
-/D [1600 0 R /XYZ 56.6929 711.8197 null]
+1713 0 obj <<
+/D [1705 0 R /XYZ 56.6929 711.8197 null]
 >> endobj
-1609 0 obj <<
-/D [1600 0 R /XYZ 56.6929 697.0552 null]
+1714 0 obj <<
+/D [1705 0 R /XYZ 56.6929 697.0552 null]
 >> endobj
-1610 0 obj <<
-/D [1600 0 R /XYZ 56.6929 691.8868 null]
+1715 0 obj <<
+/D [1705 0 R /XYZ 56.6929 691.8868 null]
 >> endobj
-1611 0 obj <<
-/D [1600 0 R /XYZ 56.6929 665.1671 null]
+1716 0 obj <<
+/D [1705 0 R /XYZ 56.6929 665.1671 null]
 >> endobj
-1612 0 obj <<
-/D [1600 0 R /XYZ 56.6929 659.9987 null]
+1717 0 obj <<
+/D [1705 0 R /XYZ 56.6929 659.9987 null]
 >> endobj
-1613 0 obj <<
-/D [1600 0 R /XYZ 56.6929 635.929 null]
+1718 0 obj <<
+/D [1705 0 R /XYZ 56.6929 635.929 null]
 >> endobj
-1614 0 obj <<
-/D [1600 0 R /XYZ 56.6929 628.1106 null]
+1719 0 obj <<
+/D [1705 0 R /XYZ 56.6929 628.1106 null]
 >> endobj
-1615 0 obj <<
-/D [1600 0 R /XYZ 56.6929 601.3909 null]
+1720 0 obj <<
+/D [1705 0 R /XYZ 56.6929 601.3909 null]
 >> endobj
-1616 0 obj <<
-/D [1600 0 R /XYZ 56.6929 596.2225 null]
+1721 0 obj <<
+/D [1705 0 R /XYZ 56.6929 596.2225 null]
 >> endobj
-1617 0 obj <<
-/D [1600 0 R /XYZ 56.6929 569.5028 null]
+1722 0 obj <<
+/D [1705 0 R /XYZ 56.6929 569.5028 null]
 >> endobj
-1618 0 obj <<
-/D [1600 0 R /XYZ 56.6929 564.3344 null]
+1723 0 obj <<
+/D [1705 0 R /XYZ 56.6929 564.3344 null]
 >> endobj
-1619 0 obj <<
-/D [1600 0 R /XYZ 56.6929 549.6297 null]
+1724 0 obj <<
+/D [1705 0 R /XYZ 56.6929 549.6297 null]
 >> endobj
-1620 0 obj <<
-/D [1600 0 R /XYZ 56.6929 544.4015 null]
+1725 0 obj <<
+/D [1705 0 R /XYZ 56.6929 544.4015 null]
 >> endobj
-1621 0 obj <<
-/D [1600 0 R /XYZ 56.6929 529.6968 null]
+1726 0 obj <<
+/D [1705 0 R /XYZ 56.6929 529.6968 null]
 >> endobj
-1622 0 obj <<
-/D [1600 0 R /XYZ 56.6929 524.4686 null]
+1727 0 obj <<
+/D [1705 0 R /XYZ 56.6929 524.4686 null]
 >> endobj
-1623 0 obj <<
-/D [1600 0 R /XYZ 56.6929 500.3989 null]
+1728 0 obj <<
+/D [1705 0 R /XYZ 56.6929 500.3989 null]
 >> endobj
-1624 0 obj <<
-/D [1600 0 R /XYZ 56.6929 492.5805 null]
+1729 0 obj <<
+/D [1705 0 R /XYZ 56.6929 492.5805 null]
 >> endobj
-1625 0 obj <<
-/D [1600 0 R /XYZ 56.6929 467.136 null]
+1730 0 obj <<
+/D [1705 0 R /XYZ 56.6929 467.136 null]
 >> endobj
-1626 0 obj <<
-/D [1600 0 R /XYZ 56.6929 460.6924 null]
+1731 0 obj <<
+/D [1705 0 R /XYZ 56.6929 460.6924 null]
 >> endobj
-1627 0 obj <<
-/D [1600 0 R /XYZ 56.6929 436.6227 null]
+1732 0 obj <<
+/D [1705 0 R /XYZ 56.6929 436.6227 null]
 >> endobj
-1628 0 obj <<
-/D [1600 0 R /XYZ 56.6929 428.8043 null]
+1733 0 obj <<
+/D [1705 0 R /XYZ 56.6929 428.8043 null]
 >> endobj
-1629 0 obj <<
-/D [1600 0 R /XYZ 56.6929 414.0996 null]
+1734 0 obj <<
+/D [1705 0 R /XYZ 56.6929 414.0996 null]
 >> endobj
-1630 0 obj <<
-/D [1600 0 R /XYZ 56.6929 408.8714 null]
+1735 0 obj <<
+/D [1705 0 R /XYZ 56.6929 408.8714 null]
 >> endobj
-1631 0 obj <<
-/D [1600 0 R /XYZ 56.6929 382.1516 null]
+1736 0 obj <<
+/D [1705 0 R /XYZ 56.6929 382.1516 null]
 >> endobj
-1632 0 obj <<
-/D [1600 0 R /XYZ 56.6929 376.9833 null]
+1737 0 obj <<
+/D [1705 0 R /XYZ 56.6929 376.9833 null]
 >> endobj
-1633 0 obj <<
-/D [1600 0 R /XYZ 56.6929 350.2636 null]
+1738 0 obj <<
+/D [1705 0 R /XYZ 56.6929 350.2636 null]
 >> endobj
-1634 0 obj <<
-/D [1600 0 R /XYZ 56.6929 345.0952 null]
+1739 0 obj <<
+/D [1705 0 R /XYZ 56.6929 345.0952 null]
 >> endobj
-1635 0 obj <<
-/D [1600 0 R /XYZ 56.6929 321.0255 null]
+1740 0 obj <<
+/D [1705 0 R /XYZ 56.6929 321.0255 null]
 >> endobj
-1636 0 obj <<
-/D [1600 0 R /XYZ 56.6929 313.2071 null]
+1741 0 obj <<
+/D [1705 0 R /XYZ 56.6929 313.2071 null]
 >> endobj
-1637 0 obj <<
-/D [1600 0 R /XYZ 56.6929 298.5024 null]
+1742 0 obj <<
+/D [1705 0 R /XYZ 56.6929 298.5024 null]
 >> endobj
-1638 0 obj <<
-/D [1600 0 R /XYZ 56.6929 293.2742 null]
+1743 0 obj <<
+/D [1705 0 R /XYZ 56.6929 293.2742 null]
 >> endobj
-1639 0 obj <<
-/D [1600 0 R /XYZ 56.6929 267.8297 null]
+1744 0 obj <<
+/D [1705 0 R /XYZ 56.6929 267.8297 null]
 >> endobj
-1640 0 obj <<
-/D [1600 0 R /XYZ 56.6929 261.3861 null]
+1745 0 obj <<
+/D [1705 0 R /XYZ 56.6929 261.3861 null]
 >> endobj
-1641 0 obj <<
-/D [1600 0 R /XYZ 56.6929 199.468 null]
+1746 0 obj <<
+/D [1705 0 R /XYZ 56.6929 199.468 null]
 >> endobj
-1642 0 obj <<
-/D [1600 0 R /XYZ 56.6929 199.468 null]
+1747 0 obj <<
+/D [1705 0 R /XYZ 56.6929 199.468 null]
 >> endobj
-1643 0 obj <<
-/D [1600 0 R /XYZ 56.6929 199.468 null]
+1748 0 obj <<
+/D [1705 0 R /XYZ 56.6929 199.468 null]
 >> endobj
-1644 0 obj <<
-/D [1600 0 R /XYZ 56.6929 191.7053 null]
+1749 0 obj <<
+/D [1705 0 R /XYZ 56.6929 191.7053 null]
 >> endobj
-1645 0 obj <<
-/D [1600 0 R /XYZ 56.6929 176.9408 null]
+1750 0 obj <<
+/D [1705 0 R /XYZ 56.6929 176.9408 null]
 >> endobj
-1646 0 obj <<
-/D [1600 0 R /XYZ 56.6929 171.7724 null]
+1751 0 obj <<
+/D [1705 0 R /XYZ 56.6929 171.7724 null]
 >> endobj
-1647 0 obj <<
-/D [1600 0 R /XYZ 56.6929 157.0677 null]
+1752 0 obj <<
+/D [1705 0 R /XYZ 56.6929 157.0677 null]
 >> endobj
-1648 0 obj <<
-/D [1600 0 R /XYZ 56.6929 151.8395 null]
+1753 0 obj <<
+/D [1705 0 R /XYZ 56.6929 151.8395 null]
 >> endobj
-1649 0 obj <<
-/D [1600 0 R /XYZ 56.6929 137.1348 null]
+1754 0 obj <<
+/D [1705 0 R /XYZ 56.6929 137.1348 null]
 >> endobj
-1650 0 obj <<
-/D [1600 0 R /XYZ 56.6929 131.9066 null]
+1755 0 obj <<
+/D [1705 0 R /XYZ 56.6929 131.9066 null]
 >> endobj
-1651 0 obj <<
-/D [1600 0 R /XYZ 56.6929 117.2018 null]
+1756 0 obj <<
+/D [1705 0 R /XYZ 56.6929 117.2018 null]
 >> endobj
-1652 0 obj <<
-/D [1600 0 R /XYZ 56.6929 111.9736 null]
+1757 0 obj <<
+/D [1705 0 R /XYZ 56.6929 111.9736 null]
 >> endobj
-1653 0 obj <<
-/D [1600 0 R /XYZ 56.6929 97.2091 null]
+1758 0 obj <<
+/D [1705 0 R /XYZ 56.6929 97.2091 null]
 >> endobj
-1654 0 obj <<
-/D [1600 0 R /XYZ 56.6929 92.0407 null]
+1759 0 obj <<
+/D [1705 0 R /XYZ 56.6929 92.0407 null]
 >> endobj
-1599 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+1704 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1657 0 obj <<
-/Length 2544      
+1762 0 obj <<
+/Length 2542      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKs㸾ûWè(U�€ øÈM¶l�&3¶#y²IÍî�–`™ŠTHʳ³¿>
âA�" É¦|0	4ñýu7º›ÂxS‘$˜DIàQ„éd{¸B“=ÌÝ_a)3WBsSêúùê/w$š$^úáäùÕX+öPãÉóîÛtñôtû°\ýs6÷)š.¼Ùœ"¤Fon7³y&|‚ð©M¯WןW�÷ëÅÓlj‡~E-–âfóõþþvó|+o×·‹åêáDðì·çOW·ÏúµÍ­aDø;ÿçêÛoh²ƒ~ºBIb:ù7ÈÃIâOW
%
Q#ùÕæêïzAc¶}tLU”Ä�ýhDW>ž`ì%”ú=eÑĉOZe-6b[�GV¥MVµuWÃ[\ Kˈ cd	Žþm}wŠ"¿
11E^œÀû;@µÌ50MSêÅ¡&ì²<¤Y!ö�îY‘Õ
l¾¬j1Vvºhï÷§lÇ<þŽƒ-á�zAÆðB|ÝBü‹'þ.Xsjâ¡|g‡V‰;œÄ‘gU6çKr¨Û�r(\Ii•S9Tî‚6”>Ķ¨Ý¿)‡R*^[Þ2mRqu—åL\ݔůùû“àAÞVÕÇSNÓ Ì HŸŠ§ö“©äãš±ªa‡TÎ=n›Ò #!V2ÂúªL);ZJ“‘`ßN†º#ã{œŒø(:¤¹ô�b÷g)ñ1õÂ8öû”,ieúÆ{©fñô”V?4#¡�‘vNQ|�CÊÁˆ’RŒø##.hƒ‘!¶…üLù7UÖ°*“îñZJc]—e##Jz�³aÕ;«êÑ(Åà‚qØçáZòð%-Š¬ØØî9Î?f”N³ß3fñO �0Âhê„,I!M’�I\ƒ£
°…"ùk-Õ]¾g‘giÍê
S¬ù^Vÿî(ʶlœ£0ö"?ÆO’�é!Ëåtš¤µœþ…ûQ•íßA‘‚ì%sŸ$¥�WÌ߃V¸*Àæ
-i‡ÙL‚™‡&7;kž@£Ä‹¾�)˜RvÖµ”¦=ö©�v'tÇûö8ñ=ðì<§Ï3Œ10°Ï[½„(ßGSöò×ÙœþtUקÖ
-`¦µxf…ã‡âR+¦[%òñHQ
-ͳ�pUÉç[BX#îŽ"â6å¶ÌÇ¢.ñ¡Ä<
`µ¸ëj¤uk“¹–ŸÓ†¾L3Ø¢2ÃTÆd!dõuD^FhK!E:	G@vᜀ-”È?1’ÐŽCHGh‡Å�.ŽÇ<ÛêôFx5±Z>,TÉ0<&	`&„ÁC]
-/¦”�O-ÕñIÉ£ºãó{œÏøB÷FßYѵEï”Kɬ`à|*û㽜ÚÑ]9+áU}ŒÖÛtÙî&6Fãà/��ƒ)¤Sz9j8®AÊ
-§ý©n4‰•%ˆtÓ`ÙYPBÝ'©ÈQG»p;†Àã˜ÈÂÉb
§áY…Hvà¾)ù³¸†A•áÊ8åÀ~/öê»~¬¼VY³âÄ-}¼'`(ŠÌ¦Gœºâ>]ݲòÜ”öÜêF}î<eÆï4>�òŸùüÄÓ
-2jëHøÿûYF2òHlë¹B¦žDê¥øæ:|sýË­óWÿ/ÿ÷Ãendstream
+xÚ¥Z[w£º~ϯð£½Ö˜Jqé›'Og’ÔÎô´kÎy ¶â°ŠÁœ9s~}·Ð�‘<=]yH>Øß¾c<Að‡'1õI‚I”E˜N¶‡+4ÙÃÞý–2s%47¥®Ÿ¯þrG¢Iâ%¡Nž_�{ÅŠc<yÞ}›.žžn–«Îæ>EÓ…7›S„ÔêÍíf6�„o¾¢éõêúóêñ~½xúø/qѯˆ¢ÅÃRœl¾Þßßnžoåéúv±\=܃žýöüéêöY?¶ùjþÌÿ¹úöšìà
?]!�$1�|‡äá$ñ'‡«€�„¨•üjsõw}Cc·½tLU”Ä�ýhDW>ž`ì%”ú=eÑĉOZe-6âµ�¬J›¬,jë[Oq�.-#€Œ‘%d8ú·õÝ
(Šü6ÄÄyqÏï
+ÔÆCùÎ/¬g8‰#Ϫl Η6äP·!åP¸’Ò*§$r¨Üm(}ˆmQ»	~S¥T¼¶¼eÚ¤âè.Ë™8º)‹_ò÷'ÁƒX¼­ªŽ§œ¦*@™A�>O3ì'SÉÇ5cUéÜ{Ü6¥AFB¬d„	†t!T™Rv2´”&#Á¾�'tGÆö8=ðQ2tHséÅîÏRâcê…qì÷)Y*6ÒÊô�;öRÍâé)­~hFB;#¼9EñF)#JJ1â#ŒŒ¸ 
F†ØFLð3åßTYêLºÇk)�u]–�Œ(éAz̆UשׁG£TƒÆaŸ‡kÉ×´(²b?`»ç8ÿ˜Q:Í~ϘÅs<�>Â_ ©r°$…4I>N$9p
ŽÀŠ䯵Twù:pœEž¥5«L=°æ{Yý»£(Û²qŽÂØ‹ü Ï$ÓC–7Êé4Ik¹ý÷£*Û¿5‚"Ù+æ>I<J¡®˜¾"¬pU€ÍÒ³?˜3“&7;k�@£Ä‹¾P)˜RvÖµ”¦=ö©�v'tÇûö8ñ=ð¼yNŸgc``Ÿ·z	#P¾�¦ì寳9	ü骮O­ÀNk#pÍ
+ÇÄ¡V"l·Jäë‘¢š7&vᨒ׷„°FœEÄmÊm™�E]â'B‰™
`µ¸÷ÕHëÖ&&s-?¦!}™fðŠÊS“}„�Õ×iya] ½r°.…é$H
Ù…kp>
+�‘gDDvXýZdüR±(’>¬Ž%PØ×q#êâ,«%7æ-y¨��^ôB0�WD¡õˈ…§JøŸrö³:
û ¸ÊY'ˆŒ¨2”¨‚æËÓF@¨µ> ‡ÐÈ¿P˜R3RRº›‚ÐaF.hÃŒ†Ø32Á¿Ö­uˆ]Vçê(�•:_Ýü
+”vйQ`Å­cCÊ¡d%Õi9q¸ŠÚPóÛ¢g\ëss:˪¨ûs™îÔˆ€'+‹¾Ià…1Ì{žy'¤UVo•ÒÇ*˵Ʃ]ã~ì¡(¾0ê1¥WR]Ï8êX'´¡ñ!¶Eã&øBj–íÕdá:­³3;txª±ÍKQÎŽŽÓ>	�zl�øÓô´Eé˜éÛ EðÂñ…v”r¡¤4$pt‘Nhƒˆ!¶…\g„P×
+9±ôI�Œ»©Òï¯bF²SÁà´?Õ�æ!±ò
 endobj
-1656 0 obj <<
+1761 0 obj <<
 /Type /Page
-/Contents 1657 0 R
-/Resources 1655 0 R
+/Contents 1762 0 R
+/Resources 1760 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
+/Parent 1634 0 R
 >> endobj
-1658 0 obj <<
-/D [1656 0 R /XYZ 85.0394 794.5015 null]
+1763 0 obj <<
+/D [1761 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1659 0 obj <<
-/D [1656 0 R /XYZ 85.0394 748.4854 null]
+1764 0 obj <<
+/D [1761 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
-1660 0 obj <<
-/D [1656 0 R /XYZ 85.0394 748.4854 null]
+1765 0 obj <<
+/D [1761 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
-1661 0 obj <<
-/D [1656 0 R /XYZ 85.0394 748.4854 null]
+1766 0 obj <<
+/D [1761 0 R /XYZ 85.0394 748.4854 null]
 >> endobj
-1662 0 obj <<
-/D [1656 0 R /XYZ 85.0394 743.3452 null]
+1767 0 obj <<
+/D [1761 0 R /XYZ 85.0394 743.3452 null]
 >> endobj
-1663 0 obj <<
-/D [1656 0 R /XYZ 85.0394 728.6405 null]
+1768 0 obj <<
+/D [1761 0 R /XYZ 85.0394 728.6405 null]
 >> endobj
-1664 0 obj <<
-/D [1656 0 R /XYZ 85.0394 723.1655 null]
+1769 0 obj <<
+/D [1761 0 R /XYZ 85.0394 723.1655 null]
 >> endobj
-1665 0 obj <<
-/D [1656 0 R /XYZ 85.0394 708.4607 null]
+1770 0 obj <<
+/D [1761 0 R /XYZ 85.0394 708.4607 null]
 >> endobj
-1666 0 obj <<
-/D [1656 0 R /XYZ 85.0394 702.9857 null]
+1771 0 obj <<
+/D [1761 0 R /XYZ 85.0394 702.9857 null]
 >> endobj
-1667 0 obj <<
-/D [1656 0 R /XYZ 85.0394 688.2211 null]
+1772 0 obj <<
+/D [1761 0 R /XYZ 85.0394 688.2211 null]
 >> endobj
-1668 0 obj <<
-/D [1656 0 R /XYZ 85.0394 682.8059 null]
+1773 0 obj <<
+/D [1761 0 R /XYZ 85.0394 682.8059 null]
 >> endobj
-1669 0 obj <<
-/D [1656 0 R /XYZ 85.0394 668.0414 null]
+1774 0 obj <<
+/D [1761 0 R /XYZ 85.0394 668.0414 null]
 >> endobj
-1670 0 obj <<
-/D [1656 0 R /XYZ 85.0394 662.6262 null]
+1775 0 obj <<
+/D [1761 0 R /XYZ 85.0394 662.6262 null]
 >> endobj
-1671 0 obj <<
-/D [1656 0 R /XYZ 85.0394 599.7666 null]
+1776 0 obj <<
+/D [1761 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
-1672 0 obj <<
-/D [1656 0 R /XYZ 85.0394 599.7666 null]
+1777 0 obj <<
+/D [1761 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
-1673 0 obj <<
-/D [1656 0 R /XYZ 85.0394 599.7666 null]
+1778 0 obj <<
+/D [1761 0 R /XYZ 85.0394 599.7666 null]
 >> endobj
-1674 0 obj <<
-/D [1656 0 R /XYZ 85.0394 591.7571 null]
+1779 0 obj <<
+/D [1761 0 R /XYZ 85.0394 591.7571 null]
 >> endobj
-1675 0 obj <<
-/D [1656 0 R /XYZ 85.0394 565.0374 null]
+1780 0 obj <<
+/D [1761 0 R /XYZ 85.0394 565.0374 null]
 >> endobj
-1676 0 obj <<
-/D [1656 0 R /XYZ 85.0394 559.6222 null]
+1781 0 obj <<
+/D [1761 0 R /XYZ 85.0394 559.6222 null]
 >> endobj
-1677 0 obj <<
-/D [1656 0 R /XYZ 85.0394 534.1777 null]
+1782 0 obj <<
+/D [1761 0 R /XYZ 85.0394 534.1777 null]
 >> endobj
-1678 0 obj <<
-/D [1656 0 R /XYZ 85.0394 527.4872 null]
+1783 0 obj <<
+/D [1761 0 R /XYZ 85.0394 527.4872 null]
 >> endobj
-1679 0 obj <<
-/D [1656 0 R /XYZ 85.0394 502.0427 null]
+1784 0 obj <<
+/D [1761 0 R /XYZ 85.0394 502.0427 null]
 >> endobj
-1680 0 obj <<
-/D [1656 0 R /XYZ 85.0394 495.3523 null]
+1785 0 obj <<
+/D [1761 0 R /XYZ 85.0394 495.3523 null]
 >> endobj
-1681 0 obj <<
-/D [1656 0 R /XYZ 85.0394 420.5376 null]
+1786 0 obj <<
+/D [1761 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
-1682 0 obj <<
-/D [1656 0 R /XYZ 85.0394 420.5376 null]
+1787 0 obj <<
+/D [1761 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
-1683 0 obj <<
-/D [1656 0 R /XYZ 85.0394 420.5376 null]
+1788 0 obj <<
+/D [1761 0 R /XYZ 85.0394 420.5376 null]
 >> endobj
-1684 0 obj <<
-/D [1656 0 R /XYZ 85.0394 412.5281 null]
+1789 0 obj <<
+/D [1761 0 R /XYZ 85.0394 412.5281 null]
 >> endobj
-1685 0 obj <<
-/D [1656 0 R /XYZ 85.0394 388.4584 null]
+1790 0 obj <<
+/D [1761 0 R /XYZ 85.0394 388.4584 null]
 >> endobj
-1686 0 obj <<
-/D [1656 0 R /XYZ 85.0394 380.3932 null]
+1791 0 obj <<
+/D [1761 0 R /XYZ 85.0394 380.3932 null]
 >> endobj
-1687 0 obj <<
-/D [1656 0 R /XYZ 85.0394 365.6884 null]
+1792 0 obj <<
+/D [1761 0 R /XYZ 85.0394 365.6884 null]
 >> endobj
-1688 0 obj <<
-/D [1656 0 R /XYZ 85.0394 360.2134 null]
+1793 0 obj <<
+/D [1761 0 R /XYZ 85.0394 360.2134 null]
 >> endobj
-1689 0 obj <<
-/D [1656 0 R /XYZ 85.0394 345.4488 null]
+1794 0 obj <<
+/D [1761 0 R /XYZ 85.0394 345.4488 null]
 >> endobj
-1690 0 obj <<
-/D [1656 0 R /XYZ 85.0394 340.0336 null]
+1795 0 obj <<
+/D [1761 0 R /XYZ 85.0394 340.0336 null]
 >> endobj
-1691 0 obj <<
-/D [1656 0 R /XYZ 85.0394 325.269 null]
+1796 0 obj <<
+/D [1761 0 R /XYZ 85.0394 325.269 null]
 >> endobj
-1692 0 obj <<
-/D [1656 0 R /XYZ 85.0394 319.8539 null]
+1797 0 obj <<
+/D [1761 0 R /XYZ 85.0394 319.8539 null]
 >> endobj
-1693 0 obj <<
-/D [1656 0 R /XYZ 85.0394 295.7842 null]
+1798 0 obj <<
+/D [1761 0 R /XYZ 85.0394 295.7842 null]
 >> endobj
-1694 0 obj <<
-/D [1656 0 R /XYZ 85.0394 287.7189 null]
+1799 0 obj <<
+/D [1761 0 R /XYZ 85.0394 287.7189 null]
 >> endobj
-1695 0 obj <<
-/D [1656 0 R /XYZ 85.0394 272.9543 null]
+1800 0 obj <<
+/D [1761 0 R /XYZ 85.0394 272.9543 null]
 >> endobj
-1696 0 obj <<
-/D [1656 0 R /XYZ 85.0394 267.5392 null]
+1801 0 obj <<
+/D [1761 0 R /XYZ 85.0394 267.5392 null]
 >> endobj
-1697 0 obj <<
-/D [1656 0 R /XYZ 85.0394 252.7746 null]
+1802 0 obj <<
+/D [1761 0 R /XYZ 85.0394 252.7746 null]
 >> endobj
-1698 0 obj <<
-/D [1656 0 R /XYZ 85.0394 247.3594 null]
+1803 0 obj <<
+/D [1761 0 R /XYZ 85.0394 247.3594 null]
 >> endobj
-1699 0 obj <<
-/D [1656 0 R /XYZ 85.0394 223.2897 null]
+1804 0 obj <<
+/D [1761 0 R /XYZ 85.0394 223.2897 null]
 >> endobj
-1700 0 obj <<
-/D [1656 0 R /XYZ 85.0394 215.2245 null]
+1805 0 obj <<
+/D [1761 0 R /XYZ 85.0394 215.2245 null]
 >> endobj
-1701 0 obj <<
-/D [1656 0 R /XYZ 85.0394 149.4956 null]
+1806 0 obj <<
+/D [1761 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
-1702 0 obj <<
-/D [1656 0 R /XYZ 85.0394 149.4956 null]
+1807 0 obj <<
+/D [1761 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
-1703 0 obj <<
-/D [1656 0 R /XYZ 85.0394 149.4956 null]
+1808 0 obj <<
+/D [1761 0 R /XYZ 85.0394 149.4956 null]
 >> endobj
-1704 0 obj <<
-/D [1656 0 R /XYZ 85.0394 144.3554 null]
+1809 0 obj <<
+/D [1761 0 R /XYZ 85.0394 144.3554 null]
 >> endobj
-1705 0 obj <<
-/D [1656 0 R /XYZ 85.0394 120.2857 null]
+1810 0 obj <<
+/D [1761 0 R /XYZ 85.0394 120.2857 null]
 >> endobj
-1706 0 obj <<
-/D [1656 0 R /XYZ 85.0394 112.2205 null]
+1811 0 obj <<
+/D [1761 0 R /XYZ 85.0394 112.2205 null]
 >> endobj
-1707 0 obj <<
-/D [1656 0 R /XYZ 85.0394 97.4559 null]
+1812 0 obj <<
+/D [1761 0 R /XYZ 85.0394 97.4559 null]
 >> endobj
-1708 0 obj <<
-/D [1656 0 R /XYZ 85.0394 92.0407 null]
+1813 0 obj <<
+/D [1761 0 R /XYZ 85.0394 92.0407 null]
 >> endobj
-1655 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R >>
+1760 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1711 0 obj <<
-/Length 2122      
+1816 0 obj <<
+/Length 2121      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥YKs㸾ûWèª*Bðà37ÙÒ8žñÚŽå­d33š‚%–)R+RžÑþú4Ð J$µ•”�n ?ôQø±‘ç?âÑ(ˆ\âQæ�’Í­`ìöŠžIÍ4±¹®_®þöI£ˆD>÷G/o–¬�Ð0d£—åWgJƒê\ß]ßß=Þ>OŸþñÛxÂ=ê|£�>Ì°³øõöv¾x™›îó|:»{¸6ž~D�éÓÓüav÷oŸ*©´¡ÞÌãï/Ÿ¯æ/Ͳí­1*Ôš¿úú�Ž–°ÃÏW”ˆ(ôF? C	‹">Ú\¹ž ž+DMÉ®WÿlZ£zj§©%\ø¼ÃVœ�#‘çñ–±¼ˆø‚m¬ÇײÈd%—¸ÇÙÃÂØF&û]ZŒi>Ý”½›.4ht
G‹×&ºp¬¹ÔÒ¾‚VN}ïû©fÆ9XņU7\çº]û1�mݳb§ùxârê<Ä©ZÌYÊJn�z4�™ÿ¬d^¦E®Ít²;R„�ëR²ÿ
-S|á̈™—U¿Ë1Ã×»1�%ê‰sÓ¸1ü_âýÛ&Î�”Ïq¾�w¥¶\+š4°ƒ>8W
éE�º$Ä£:
-‰"ïÀà—Xw“uƒCÔ�ƒ’Hò’Í5€CÍUã (
pRmápª»[w�ƒCƒƒjÕ8èvƒƒ�'!,æ7˜5GºÊÓ|…�é¾Zšÿ'î3HW‘î8w®	Nü×8âŽÌ2�T:Šqá<ró*wÆêù­(Æ)¥ý˜‰ˆP7º„™Å5€YÍuÄ,¢˜
©¶0;ÕÝ�™­»'7.‚Ý›,Þ¥ß(åI\5ÄúûŸ"¯]®Š«}—Sqð°íUsãU÷òGZv;
-p¹™Ll«ežúï…ÔƒÈyx¡Î³¹ú!m¸H}o
-ÌWP%ºQ�…A=-Í@Rà:Mb;4ظýØp�¸`ÂØX\ØÔ\6—¥AÕ6§º»±±u7õ¹[×…ªÕÔçÐÖL5LI}ãE@;ñ"M1^df/B±öåúó¼Ú°ùT¤yuœµ˜?§}ÊâUÎ.»|±
ZÇĆڊ‰µs~)²w¼;«ÞgC]$ëìPµŽ„Ž¾}…�u£<1PÈ/¼t“°¹úOLÃÕœ˜p¨T}<1gº;OLKwOUzzaÐ>ù³BëB®øZ\ϳéØóœå™S$}*v›¸3�ú°ò�»mçÀqº_íËê«Ó‡±‰€�á2ª!áA¹Gýæ‘�'.Î]rsi$Ívñ[ÕULSHÊ.Dæj	֬ЫgA¾»Yi¬
-ë˜èÊÿ€\åºØg†ªµªÆ«ÄïïûßU�Qg5 %©!¹Ú>Zcn„½©SŸ!Ñƺû<3þ$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê�¸jXóñBçç®:s%võrá‹(+d-K¢øp��uüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­Í\8ïõ¬S¸lvlԬسW�¥´^²“©¶~Ö3¯f*IM=ëÇŒ²38Ðó  LPxuµbá¥ÂÎk±7±âúîav”ëB±ê7r)‰X}y“;åF½Ïì<„RïÂõËæ:O&°lâ(LgÖŸGµóÈ™ÚÎ<ÒÒŠy„zÆ­¨o[Ê^´
5Vć9Oñ>ÃIÓ.\œHº�Sá¤É»ŽпO÷j"s¡âÜvéj­“ˈ!lÀ
Õß+Ô¼ '¸ˆàÇ%L8	üöiñ}£ÌëºpØbXWŸ,ŠB\ÛB¾ÆeUlM ÈÞLÿŽ#�y†‚43OøÜSºN®tM52…kE’ÂY.{‹8¬ê£¼hs¬ÿïÿ¥¬ê% "컊p°¯‚³(µ—È?[yýÖùÒÿš¸�¥endstream
+xÚ¥YIs㸾ûWèª*B°pÍM¶ÔŽ»=¶cy*™t÷�¦`‰eŠÔˆ”»5¿>x J$5•”Äòà}x 6¢ðc#Ï'~Ä£Q¹Ä£Ì%›+:ZÁÜí34“šhbS]¿\ýí“F‰|î�^Þ,Y!¡aÈF/˯Δ2	Ô¹¾»¾¿{¼}ž>ýã·ñ„{ÔùF=:}˜agñëíí|ñ27Ýçùtv÷p$l<	üˆ:Ó§§ùÃìîß8?URi3z3_Œ¿¿|¾š¿4˶·Æ¨Pkþýêëw:ZÂ?_Q"¢Ðý€%,Šøhsåz‚x®õHvµ¸úg#Кլ�¦b”páó[q6bŒDžÇ[Æò"â.´±_Ë"“•\âgc™ìwiu0¦ùtSönV¸Ð Ñ-*\›è±¦RKû
+Z9õ½ï§šç`/VÝP�ë‘¥›ñ€x<hëž›8ÍÇ—Sç!ÞHÕbÎâPVrƒ£G©™ùÏJæeZäÚL'»c!%Aø°.%û¯ÀâgFk\VYü.Çg\GìÆ,t–¨'ÎMãÆЉ÷o›87R>Çù>Þ”VØr­hÒÀúà\¤=ê’�ê
+›ª‹†ª
Ã~4¨úˆÆ™îN8Zº/Û¿h†ý($Š¼ÿ
ƒ_bÝMÖ
Q?~H"\ÈK6Õ
+¸÷‹Š{Jð/qYÊŽéZA/‰E©¢
+\§Il‡·îLx
‹j
+aÜo汆ÆÙ3¨¢sõd¥Ë*^ÉÛXxùÎR~ȬتýÁŠüˆ9w›m&U¿Øé�½cïU¢Àâ,pò¢2ª‹ö6°L@ÎU\¿²q8.€6býN}×I?âL�¥°Ž	�®üHU®‹}fFµVÕx•øý}_à»*ê¬cIj†\m­17ÂÞÔ©ÏpÐƺû<3ú$)6“.|¶qžjéŒ:¯ü≀Æ2-“,N7:‡ê‰¸jHññBçç®:s%võrá‹(+$-K¢èp
+��uüa„ÄøÉÒ7YÂò°§O+|Ëô'66E^­
/œ÷z‰?Ö)\6;6jVìÙ+†ÎRZ/Ù�ÉT[?뙉WÃ
+BRSOÄú1£ìô<(AD]­Xx©°óZìM¬¸¾{˜åºP¬ú�\J"VßCÞäN¹Qï3;�¡Ô»pý²©Î“	ì‚
+ÓÙ„õç‘A­Ç<r¦¶3�´´b¡žq+êÛ–²íC@
…ñ�ç)ÞgÈ4ÍàÂõlj¤8Nš¼ëøýût¯™çö°KWk�\F,an¨þ^¡æ9Á%@?.aÂIàG°O‹îe^×å€ÃúúdQâÚò5.«b[èhAöfúwœyüË3¤™yÂçžÒur¥kª‘)\+’ÎrÙ[tÀaUuàE›cýÿ/eU/
aßU„
f¿^”6	ågK¯ÿÁ:_û
øp�Úendstream
 endobj
-1710 0 obj <<
+1815 0 obj <<
 /Type /Page
-/Contents 1711 0 R
-/Resources 1709 0 R
+/Contents 1816 0 R
+/Resources 1814 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1529 0 R
+/Parent 1634 0 R
 >> endobj
-1712 0 obj <<
-/D [1710 0 R /XYZ 56.6929 794.5015 null]
+1817 0 obj <<
+/D [1815 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1713 0 obj <<
-/D [1710 0 R /XYZ 56.6929 749.4437 null]
+1818 0 obj <<
+/D [1815 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
-1714 0 obj <<
-/D [1710 0 R /XYZ 56.6929 749.4437 null]
+1819 0 obj <<
+/D [1815 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
-1715 0 obj <<
-/D [1710 0 R /XYZ 56.6929 749.4437 null]
+1820 0 obj <<
+/D [1815 0 R /XYZ 56.6929 749.4437 null]
 >> endobj
-1716 0 obj <<
-/D [1710 0 R /XYZ 56.6929 746.6461 null]
+1821 0 obj <<
+/D [1815 0 R /XYZ 56.6929 746.6461 null]
 >> endobj
-1717 0 obj <<
-/D [1710 0 R /XYZ 56.6929 722.5763 null]
+1822 0 obj <<
+/D [1815 0 R /XYZ 56.6929 722.5763 null]
 >> endobj
-1718 0 obj <<
-/D [1710 0 R /XYZ 56.6929 716.7581 null]
+1823 0 obj <<
+/D [1815 0 R /XYZ 56.6929 716.7581 null]
 >> endobj
-1719 0 obj <<
-/D [1710 0 R /XYZ 56.6929 701.9936 null]
+1824 0 obj <<
+/D [1815 0 R /XYZ 56.6929 701.9936 null]
 >> endobj
-1720 0 obj <<
-/D [1710 0 R /XYZ 56.6929 698.8254 null]
+1825 0 obj <<
+/D [1815 0 R /XYZ 56.6929 698.8254 null]
 >> endobj
-1721 0 obj <<
-/D [1710 0 R /XYZ 56.6929 684.1207 null]
+1826 0 obj <<
+/D [1815 0 R /XYZ 56.6929 684.1207 null]
 >> endobj
-1722 0 obj <<
-/D [1710 0 R /XYZ 56.6929 680.8926 null]
+1827 0 obj <<
+/D [1815 0 R /XYZ 56.6929 680.8926 null]
 >> endobj
-1723 0 obj <<
-/D [1710 0 R /XYZ 56.6929 656.8229 null]
+1828 0 obj <<
+/D [1815 0 R /XYZ 56.6929 656.8229 null]
 >> endobj
-1724 0 obj <<
-/D [1710 0 R /XYZ 56.6929 651.0047 null]
+1829 0 obj <<
+/D [1815 0 R /XYZ 56.6929 651.0047 null]
 >> endobj
-1725 0 obj <<
-/D [1710 0 R /XYZ 56.6929 636.3 null]
+1830 0 obj <<
+/D [1815 0 R /XYZ 56.6929 636.3 null]
 >> endobj
-1726 0 obj <<
-/D [1710 0 R /XYZ 56.6929 633.072 null]
+1831 0 obj <<
+/D [1815 0 R /XYZ 56.6929 633.072 null]
 >> endobj
-1727 0 obj <<
-/D [1710 0 R /XYZ 56.6929 609.0023 null]
+1832 0 obj <<
+/D [1815 0 R /XYZ 56.6929 609.0023 null]
 >> endobj
-1728 0 obj <<
-/D [1710 0 R /XYZ 56.6929 603.184 null]
+1833 0 obj <<
+/D [1815 0 R /XYZ 56.6929 603.184 null]
 >> endobj
-1729 0 obj <<
-/D [1710 0 R /XYZ 56.6929 579.1143 null]
+1834 0 obj <<
+/D [1815 0 R /XYZ 56.6929 579.1143 null]
 >> endobj
-1730 0 obj <<
-/D [1710 0 R /XYZ 56.6929 573.2961 null]
+1835 0 obj <<
+/D [1815 0 R /XYZ 56.6929 573.2961 null]
 >> endobj
-1731 0 obj <<
-/D [1710 0 R /XYZ 56.6929 558.5914 null]
+1836 0 obj <<
+/D [1815 0 R /XYZ 56.6929 558.5914 null]
 >> endobj
-1732 0 obj <<
-/D [1710 0 R /XYZ 56.6929 555.3634 null]
+1837 0 obj <<
+/D [1815 0 R /XYZ 56.6929 555.3634 null]
 >> endobj
-1733 0 obj <<
-/D [1710 0 R /XYZ 56.6929 540.5988 null]
+1838 0 obj <<
+/D [1815 0 R /XYZ 56.6929 540.5988 null]
 >> endobj
-1734 0 obj <<
-/D [1710 0 R /XYZ 56.6929 537.4306 null]
+1839 0 obj <<
+/D [1815 0 R /XYZ 56.6929 537.4306 null]
 >> endobj
-1735 0 obj <<
-/D [1710 0 R /XYZ 56.6929 510.7109 null]
+1840 0 obj <<
+/D [1815 0 R /XYZ 56.6929 510.7109 null]
 >> endobj
-1736 0 obj <<
-/D [1710 0 R /XYZ 56.6929 507.5427 null]
+1841 0 obj <<
+/D [1815 0 R /XYZ 56.6929 507.5427 null]
 >> endobj
-598 0 obj <<
-/D [1710 0 R /XYZ 56.6929 477.5928 null]
+630 0 obj <<
+/D [1815 0 R /XYZ 56.6929 477.5928 null]
 >> endobj
-1737 0 obj <<
-/D [1710 0 R /XYZ 56.6929 453.2532 null]
+1842 0 obj <<
+/D [1815 0 R /XYZ 56.6929 453.2532 null]
 >> endobj
-602 0 obj <<
-/D [1710 0 R /XYZ 56.6929 369.7201 null]
+634 0 obj <<
+/D [1815 0 R /XYZ 56.6929 369.7201 null]
 >> endobj
-1738 0 obj <<
-/D [1710 0 R /XYZ 56.6929 345.3805 null]
+1843 0 obj <<
+/D [1815 0 R /XYZ 56.6929 345.3805 null]
 >> endobj
-1739 0 obj <<
-/D [1710 0 R /XYZ 56.6929 310.6805 null]
+1844 0 obj <<
+/D [1815 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
-1740 0 obj <<
-/D [1710 0 R /XYZ 56.6929 310.6805 null]
+1845 0 obj <<
+/D [1815 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
-1741 0 obj <<
-/D [1710 0 R /XYZ 56.6929 310.6805 null]
+1846 0 obj <<
+/D [1815 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
-1742 0 obj <<
-/D [1710 0 R /XYZ 56.6929 310.6805 null]
+1847 0 obj <<
+/D [1815 0 R /XYZ 56.6929 310.6805 null]
 >> endobj
-1709 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F14 685 0 R >>
+1814 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F39 885 0 R /F14 729 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1745 0 obj <<
-/Length 1944      
+1850 0 obj <<
+/Length 1945      
 /Filter /FlateDecode
 >>
 stream
-xÚµX[�Ûº~ϯ0Ð>h�#†wQ穹µÙdS4[ô!Ù­MÛBdI‘äÝEÿ{‡R¶¼ò1Šƒb�9~œÎ�f
-la¡"—‹,—DQ¦ËÝ+ºØÀÚß^±À#• J
-
“™ÕT	C”áÙ"=y{ÿêõ_9[pJ´æjq¿ÏÒYFh¾¸_}MÞ´­­WåÏ›”+š¼½y¸ÿ
wI’™Œ¹]NȈJûŸŠz_TÈßÛ�{˜$BjöhE4UÆïyKØMÊ(¥ÉªÜ8~Ç 2"´F1îŠ�
8b‘“\s`#€̎Ëmöç~ã<ÃÑû»/8¨šæû¾Åñ~(«r8c$W*
-&ᆡ2_uÓö¥×áÕ‡ûѦš&À¢’iÂT.æìÎ@N®ä…K1”€öÌw„ðw"ò
ã•Œ\£ž¬õõ/½ížl÷¦é#ê¤N�ÄhFT®œë6«Ugûp+“³@q#|#ærS(b´Š�˪˜ä91&ËÏ
×W
×eeëñʧBfÄpš�c~ÿ?`îÆQ;ƒž
-çõʘE:úìn›nøÓ%[˜ó#~\û‚È\�œQqŽ7\Åíÿ€÷ó*žs§9<I¸~qó‡«p_·»bùëƒÓú×ïö0ƒœS"sªÏ¡å8Ò>ƒ¤�sAùô~¾:èÈëŒÇÞ‰ãäÇÞv‡¦!—b_dœÈŒý‘Ø?…¸û#×4öÓíeÑ':ÙíâwD‹\SÑ6UóXTéÄŠ)ã£e£Y¯dß÷¾¼ûÇíßïo?ß�Ü“äÏ]²còY!A£#~£Š®š]QÖP$MÊzÝt»b(Gy²én˜IšÖvÀÊS�kN¿Q*ìÏò±²Hš¦ÂÀŠ°ƒíiàõ9±Áº�iOÂôÝ“›TÐ,¹�
-Ç;¹zävÛ¼CG]&þŒu
Xë¸+£}[‡@¶ÉEÝ?Ãq‘Za›—5ðàxØwµ]áòUÙ��¡Ž„Z8ãöh6·|„‡##>Ìœ”v*+˜}jú!üSµ¼­„f�_ve]Þ°¤ºbh¼ð@Þ÷vÆ%@è|¬8\º!¡c¶PÉ=Ük¿m'º¦G1Z\†Õ]�K�vY8)ür³Æo9„Õè%Øh€\É/°`À
-Åùž
-ÔÞ¶û‘*A‡K+». Àz\wÂÍô™†2Æä5»hšG»<•Åœ?�
-Yô¦?ÿûãçOþóš
-ž{äÅ\Äî6]^ªŠ\Lªb(‡Óòúp,¿8p¿øõà0Íê¢Wõr½f9$
5Jöã¢d1|ÆsO¤GêøHƒ±³~�¢	E;H#|ú¸½‹	VÆú@¨ÂÙYíß}ŒüàŽ¡	5»-÷a;zs»icŸì½Ä
ƒ—�ówøñyLÜϲ³íÀ’yðÙÉo#TÃó,9òìü´ñ÷Ý—ÇýóUžéendstream
+xÚµX[�Ûº~ϯ0Ð>x�#†wI穹µÙdS4[ô!Ù­MÛBdI±äÝEÿ{g8¤lyåcÅ+r8ü83œ-fþÄ,3Œ«\ÏÒ\3Ã…™-¶¯øl
k{%�6Š­L&V£2f2™Î’S�·÷¯^ÿUŠ™äÌZif÷«á,›¦Œç³ûå×ù›¶uõ²üy“HÃçooî£]š¥Y*p‡Rf•±~ǧ¢Þñ·ÅÚuá™ÒV†=Ö0ËMæ÷¼eâ&œóù²\#?2¨”)kIŒ»b뎚å,·Ò%˜Ê@fäÂÍþÜoR¦4z÷…UÓ|ß·4Þ÷eUö‡£`‚åÆDÁ´`2¤Ì—CÝ´]éuxõá~°©åL(°¨–	“«)»�S}áR2Î@{�Ç!ü�hq¢a¼’�kÐÓ‚µ¾þ¥s»'·{Óä‘t2§F<e&·ÎÅÍÅr¹s]¸•ÑY x¦•|æbS–Y!U1	(s–ei~¸º
+¸*+WW>2e™äé9æ÷ÿævµè‰B¯7Y6Kÿ�Ým³ëÿtÉÙù?®Š}Ad©X.¸:Çë¯âõ‡öÀûyÝi
+O3i_Üüá*Ü×ͶXüú€ZÿúÝ&�sÎtÎí9´FöÁg�D
r®¸ßÏW„Ž¼hŒ8öN'?önwhÚž1öp)öU*™NʼnýSˆË±?p�c?Ù\ÍHfs•þÑN ~G´È5m]5�E•Œ¬˜9X6šõJö}ÿáË»ÜþýþöóÝÀ=Jþ#P“ÿË
+! ˆ(ñ7|Ùl‹²†B ù¼¬WÍn[ôeƒ•Ï×»‘Í›Öí€U¦ŽÖ
+š~ã\¹ŸåcåˆÜ7ME+€a{·#¤5€×kâ¤Zë>¦=‰ÒwÇnÅÓùmOT8åꈷy‡ŽºŒü™ê°*
"ÖKH,£][‡@î7ŽÈEÝ=Ãq‘Zôa›—5ðиßïj·¤å©²=#-�DZ q;2.ááȈ3t€Ò-Ae³OM×Ç‚ª–·•²ò˶¬Ë1ïú]Ñ7^x ï;7á l>Tœ.
Ý�²1Û÷

ö¤äîµÛ4
ŠnùQŒ––auÛÑÒ£[(…_nVô-û°½„
�kþ,d`…â|O
+³‰1éï\³\«XûXÌΚeyn@Çœ¥iJÿ¦ê7Í~½™8Jè8•ºvµ2eàÁÀUJÎkŒñª:àÌ›{Iôç²ßmÑl·`ý¤*kGkëýÖÕ}‡Wg$\.qU×צè‰æ�E¿�Ûf ü=ãšR�7€Õ�B¹»ý�B(bŠ%%}r¡�h©ëCŽ8†(ÎŽ™JVÎç;C´Gˆ½
»=(½;Ф	DïÀxÆØ$õÔ$�ä½	··¨X7$̉ˆnw˜‘ßêùóÆÕ4Âtò²È§9Âêp‘ÉfÚ«Lfc@¤OØð]—O®Fõ�šÿ³®ÊïŽè®ØU¥˜`úEÑÁiJÙMZ3{{÷ž8ò€ºm!øA÷âxR³šŒ	x�‰¡�¾X—Lj¢7ƒw6ÏdµDãÓ*züÛ}Õ—måN£»GòcX,»nïB”Ÿø…âÀ.7€Á
³áÆN‚lF)A‘ïK¥B1”phµ$Š?(¾°© J׺E‰N¸ y,{*Œ›TCV|i@ÉsïyÍ€^5�繬ª XŠ2 —Ô«�‚QÕ%jUvä–¨e=á‹Â&¤ˆêk×/^ê©žb*Ëàá$@º‘¿/šz5!÷¸Ñ‘82ÿ¿(Fd	¿éɵ
1&ŒÎH>�ÀŽc\|a“ŽIëë³É®Z_Èll}@
�^ñ}Ûßè!0\E
᥮þ#:ötM0!ßmzì)¢¡,<ƒyfÇ–ò}“ÍBà§ðëºÐ 
Õ;(P;ØZêG¨;ZZºU

ÖÑ:
+7Ñ[¤ʘÐ×ìbyíòTSþ*¤Ñ›þüï�Ÿ?}øÏkx»Åb¦˜Í¬ü:5¿ßDU)ÇŸªŸ
µƒ8Èa€\Ô¢�7…r$sÍ´�gõȇ½á'®ƒ“¶…ü¹ŒYÍu\¼œcN‘‚³N¦�{ß`Bɺ½£/uµ0x÷‘¾ô{ƒo™1§tDm ¦«¢¥I¨í0ê¯ÂõMK`•{rÑè•�ý!`z�fó%5YH§Î-œ1ñ³¼eL–ÅBç£ëMÓÙ+5´‚çžy1W±»M—ª¢T£ªÊ!Å�¢´¼:Ë/
ðw
¿F“™C]ôª^®×"‡¤aÉ~\”,†Ïpî‰4êHi0Fë)šP´ƒ4ʧ�Û»˜@`eè¡¡„*œžõÐÈøîcäw�H¨©Ômá/„íàÍ]tì¦�}²÷/açïðãó˜áϲ“íÀ’yèÙÑo#\Ó/U€:q~ÜðïËóþÐažƒendstream
 endobj
-1744 0 obj <<
+1849 0 obj <<
 /Type /Page
-/Contents 1745 0 R
-/Resources 1743 0 R
+/Contents 1850 0 R
+/Resources 1848 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
+/Parent 1857 0 R
 >> endobj
-1746 0 obj <<
-/D [1744 0 R /XYZ 85.0394 794.5015 null]
+1851 0 obj <<
+/D [1849 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-606 0 obj <<
-/D [1744 0 R /XYZ 85.0394 769.5949 null]
+638 0 obj <<
+/D [1849 0 R /XYZ 85.0394 769.5949 null]
 >> endobj
-1747 0 obj <<
-/D [1744 0 R /XYZ 85.0394 573.0107 null]
+1852 0 obj <<
+/D [1849 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-610 0 obj <<
-/D [1744 0 R /XYZ 85.0394 573.0107 null]
+642 0 obj <<
+/D [1849 0 R /XYZ 85.0394 573.0107 null]
 >> endobj
-1748 0 obj <<
-/D [1744 0 R /XYZ 85.0394 538.4209 null]
+1853 0 obj <<
+/D [1849 0 R /XYZ 85.0394 538.4209 null]
 >> endobj
-1749 0 obj <<
-/D [1744 0 R /XYZ 85.0394 504.6118 null]
+1854 0 obj <<
+/D [1849 0 R /XYZ 85.0394 504.6118 null]
 >> endobj
-1750 0 obj <<
-/D [1744 0 R /XYZ 85.0394 432.7569 null]
+1855 0 obj <<
+/D [1849 0 R /XYZ 85.0394 432.7569 null]
 >> endobj
-1751 0 obj <<
-/D [1744 0 R /XYZ 85.0394 303.3232 null]
+1856 0 obj <<
+/D [1849 0 R /XYZ 85.0394 303.3232 null]
 >> endobj
-1743 0 obj <<
-/Font << /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R >>
+1848 0 obj <<
+/Font << /F21 702 0 R /F23 726 0 R /F41 925 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1755 0 obj <<
-/Length 3825      
+1860 0 obj <<
+/Length 3824      
 /Filter /FlateDecode
 >>
 stream
 xÚÍZÝoã6Ï_ õk•)‘ê}à²ÝMÑM÷6)®EÛÙVbamÉkÉ›¦ýÍp†´$KÉ÷rÑCŠçã7CÉs
ò<I£4‹³s“é(29_nÏÄùô½9“<fîÍ»£^Üœ}ó�2çY”¥qz~sÛ™ËFÂZy~³úuö"’Ñ3˜AÌ^]¾y6�ÓDij‹÷ï__½ºü~'†À
-…œ|:ûõwq¾¾¿?‘Êlr~?D$³,>ßžéDE‰VÊS6g×gÿvzÝ«£�"ŠU�H –çRFY’Ä=$Y”ªX9\_¾{ÿÃkÚ×O×°)ܼ©:²çÐcS÷Ê�nvå2ßÐ�²ú\/ó¶¬+ú]ßò<²3ˆ$¦nžUy7²˜4‘V:á1›ºþØД›òcñ-½ ²Îs)u¤�Ý\ZØlÂìóNî_M±ÿ\ìéG•oj
ûÅÈòó$ÊŒIý\´ãû5¼/íŒÖï�¸ŒŒ”éyš¦pBbê„hм;Ê�¶#*FáÒÌü`Ù,Ž’ÄêÇ—õƒN—íí83Q¢2Ó_¶D¡[�ÒÄ›Œ‡¤zOÏË÷Ô“¯V$œ†ß�³Ÿz×RÛšhŸÅþá™”r¦¦²lv³ö«/óŠÆ.ø}÷Û­ýYO¬^ò�UݶÅjŽ’ƒÃ„SÕ5Ä›jH±,·N�­šUuëÕ~ѯ§p½”)ýõ¯§fËzSWóU±)·%,ÜŸv¦E6ûϺàÑ$h4‡ÝnSÂx§ŠI÷`”1‘ÍŒdS8jÂà
-÷íãö¨¤[ô(êá¢ã²î.ZV+À:­3�LpR‚–ãƵœÐáIáÌ5KN‚þt(©±"êoql°PòêÿžSÇ?ßýÌ�ëË7ÜûŽÆÜ[F'…wÐ&N#+…öNÅÅ6˜sÁÈ+fûs¾)WÝÍ8ÃVð: ƒ´oظԗ8`
¨[fêIµ�=ç;«|Èu®6²ÚÊ¿€0ïË
cØ]±‡(´íDÔöÃŽ�UÍŽ(g�{1fGQઽç1 �Td =e@Q|sùãÕõcˆ;	îóÔ÷Ëp?LEû˜/ƶŠ	AæãH½ó
-vr€Ä~T½=QÑgâÓÙô¹˜)>@Š€P픿W2J”õ[›ïÆwŸe
šoVÖ°Ùb5
 ˜(Ñ
£_�€,Žm'
-Öop}èzîÇì­“»ZH5ˆ“GYa4­zÅ©Z»Üƒä‚ý$WØêÔôq6Y8ǹ¨ÂÄÉP…¥ò¥·åxT0dB,™Œª"•Þ:œ
´u…UlÁaQƒÊ¶Øb\§$ø´}^5¸,’ºòïèMŒ±*ø¨ôÿw‹)û8H*³}=©’ènü¯ 'e¤çuÞNaÓӜϟó郪8âëPÊ0b<‡D
ÔyªÆ
-+µÌ;ÁPÞó�ýó˜	KÈU³là*�^Þº0ƒHM
¶q15Ž»hÖe¢Øõ@].E½¥Â=Òs"“(‘àÐ1P.~þîCD$ºA¢_¨¬–´–~\b�Ži×ÝgÏ¥‚0e}îõf,Öàž�©
-\ƒj3DÖÒ߇(ŸðÍ\w Nó5GÉë/¦«Ò÷y3q©‰º?Š1‰òe®()}
-bÎDü…îR
-ïóæŸÆíWéd
!ËôîVû룻UÇ»•)w˜‘GŽ	Ü©»ƃ(˜ùð5óö°¡Ÿ«šŸ€YÀFe³>ò7Æ‚…Œ:
-”®DXð9I;܉
-ô½¿ù@„0È•œåñú¹X¶åçbã?^¡€™	À°õW¶ÖƒMw›gÂW%fèÂphðRØ.]¡Ã‰h¾,¤ª\,6<ÏËe³8´Z9ÿký�¾ÅEÓèâ}ÂÆLÁ©—îÀS7ØQóëEÚP8d½¡é“löá»—)Rú±-Ú5˜³Àe’ù¸Ÿ9.¯nè­NmÆ�ÇácÕyW­	µãrâÖK…zº÷¿
-"BV˜ñ�I§ë†¾xÀfHÏqàÛw/çï^%cÁ8`–Y(bOud)ú	O¨&y¢álD
 ×Tˆc÷Âà)†Ì‰HÉ´õ0QÉÓÁù âþ“I‘r5Æ|Äï4K‹0AN�EÞóTS_Q-ëÁ'ïÑþ´ôŸõnx’»¢ÂK2œvE”'0«
-‚ÕrœÀ4d‹VM}­°¢Æ¾ÌáK‰ÿù{éã×àÚDÊÚ‰o|bc#mafʆìé§Lüaõ)ëÿÜÈûendstream
+…œ|:ûõwq¾¾¿?‘Êlr~?D$³,>ßžéDE‰VÊS6g×gÿvzÝ«£�"ŠU�H –çRFY’Ä=$Y”ªX9\_¾{ÿÃkÚ×O×°)ܼ©:²çÐcS÷Ê�nvå2ßÐ�²ú\/ó¶¬+ú]ßò<²3ˆ$¦nžUy7²˜4‘V:á1›ºþØД›òcñ-½ »³Î¥Ô‘N@vsiaÿ±	³ÏS8¹5Åþs±§U¾-¨ì#ËÏ“(3&õsÑŽï×ð¾´3Z¿wâ22R¦çišÂ	‰©¢Aóî(w@ÚŽ¨h…K3óƒe³8J«_Ö:]¶·ãÌD‰ÊLÙ…nAJkWl2’ê==/ßSO¾Z‘p~Î~ê]Hmk¢}:û‡gRʘšÊ²ÙÍÚ¯¾Ì+»à÷Ýo·ög=±zÉCVuÛ«9JNUÔo¨!ŲÜ:¶jVÕ­W_øE{T¼žÂõR¦ô×S¼žš-ëM]ÍWŦܖ°pVØ™Ùì?ë‚G“l Ñv»M	ã�*&݃QÆD63’Má¨	ƒT6J­ÎxXîØã}k™F‰
û&¯wwØUËvËÆ•Óc]7-žÖóQë562{Úz•g™%Uo>¼N»ÎyeV
+hÁáÊÙmMƒ‰ät¢¬î¦_bií´F‚JÜò�zD”1¸<ÇñˆR%`”O‹2î‹R[%<wî­ús¹*VcrÌdd?)F™¦<fYWÍaÓ6#Î6èûià7E»üfïÁK·#3Cøé(¯VÄ4
+¼,x¤œ:.�HbÜ¿)ÒpK‘˜b�F2–²/§›5�Ýmèç-ÉjëϹ˜8æ�°^íêjÕôõxU6»MþP¬¢)O�X”@ü¸£îšöÓ~nÐq<XÑŠ(»[Ñ�9Y±wh6
ÕÓioŲ™Z};èòvxp�e�º$Ã[
e毃•R†ˆ\ðèÃnZ̉‰RTóÇåÜõˆ ý(Ü·�Û£’~lÑ£¨‡‹ŽËº»hY­
+mý
+´
+¶üV°
ñ‹öÇP/À"j{d0„O7¯Zó¼+{MÞT?~Yeaí£æ¢(X¿Áõ¡ë¹;³·NZìj!Õ Ne…Ñ´êe§jír’ö“\\a«PÓÇ
Ødáçz< 
+'C–Ê—Þ–ãQÀ�	±d2ªŠTzëp6ÓÖVy°‡E
*Ûb‹q�’àÓöyÕàþ±HêÊ¿£;41ƪà£Òÿß-¦ìã0 ©Ìöõ0¤J¢»ñ¿‚œ”‘ž×y;…MOs>#|Îg¤ªâˆ¯C)ÈñqP穼ù:"
+˜ù²¥¸œÏµ$ãK@Wvÿ‘£ûuIAxŒU
+÷HωL¢D‚CÇ@¹øù»‘èN‰~¡²ZÒXúq‰1t:¦]wŸ=—
+Âl”õ¹×›±<xXƒ{>V¤T‹ä	
­:–TJÆíMÑd?R¥7ÀH¸9)ÿ¸Ýÿãj$X%I:ÆÞ¬C‚2Y,*îŠèʱEÈ�“›ÖO¶\çÕ]ÑøŒÊç9”—ujô&&é­ê¢(pUªÍYK/¢|Â7sÝ�8Í×%¯¼˜®JßçÍÄ¥$êþ(Æ$Ê—¹^ ¤ô)ˆ9ñº[H)¼Ï›·_¥“!4„,Ó»[íw¬�îVïV¦Ü-`B@D9N$p§îV¢`æÃ3ÔÌÛÆ~®j~f
=”ÍúÈß2ê
+.ÜXÛmP”>–�Å7Äò¼d¸Msá”`bÈÏ‚r
+£L¨¸Â›2Ž¤Šà˜ÊjŽŠåû]>ê|“(ÑÆô®³av½Ò»^q¬$C“¡�Ç|qYðw)Ð÷þæ Wr–ÇëçbÙ–Ÿ‹�ÿx…f&@
+Žx»k¹|t’†ó
+�Giß\_¾AQ?çM@#`£JU¤7ÏøJg]­T;Tˆ�8I§r3
À-KBnöq\‘¬ºIËlö‹;—­@‰-Úñ¦©‰ÔÙ†¿(êÓeÛ›["’¨Ò£±r™—¨\ë
›ã+‚òŸ^ŒÕPð«ÔP%z˜¸vé^�àŽÿ6u±•øȱÞæËqè"™’ð)ˆYaÆw&�®úâ
›!=Ç�oß]¼œ¿{•ŒãX€Yf¡ˆ=Ô‘¥pè'<Q šä‰ZxtüI„³5€\S!ŒÝƒ§2'"%Ó.ÔÃD!$`LçS€ˆøO&EÊÕó¿Ó,-Â9=ySÌSM}Eµ¬WŸ¼/DûÓÒÖ»áIîŠ
+/ÉpÚQœÀ¬*VË9pcÐ�-Zq4õM´ÂRˆû2G„/%þçï¥�_ƒk)k'¾ñ‰
$†´™)‡:„>ý–‰¿¬>åý¿�
 endobj
-1754 0 obj <<
+1859 0 obj <<
 /Type /Page
-/Contents 1755 0 R
-/Resources 1753 0 R
+/Contents 1860 0 R
+/Resources 1858 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
+/Parent 1857 0 R
 >> endobj
-1756 0 obj <<
-/D [1754 0 R /XYZ 56.6929 794.5015 null]
+1861 0 obj <<
+/D [1859 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1757 0 obj <<
-/D [1754 0 R /XYZ 56.6929 752.1413 null]
+1862 0 obj <<
+/D [1859 0 R /XYZ 56.6929 752.1413 null]
 >> endobj
-1758 0 obj <<
-/D [1754 0 R /XYZ 56.6929 501.191 null]
+1863 0 obj <<
+/D [1859 0 R /XYZ 56.6929 501.191 null]
 >> endobj
-1753 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F53 962 0 R /F11 1304 0 R >>
+1858 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R /F53 1017 0 R /F11 1367 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1761 0 obj <<
-/Length 2980      
+1866 0 obj <<
+/Length 2981      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Zmoã6þž_áoç µJŠ¤$ÐÙͶHÑnÓ&‹ëa›Š%ÇBl)µääüïo†CR/–”ÃÝa�5EŽ8Çç…
-_0ølj
-˜Ðrk(ÆÕb½¿`‹'ûñ‚[™•Zu¥>Ü_|÷ƒˆ:ÐQ-î7�¹’€%	_Üg_—W··Ÿ>_ßüq¹
-[~.WŠ±å/WŸ¿\ýL}·—:\^ýøé#ÅBâ(±åõÍ�—÷?]|º÷Æt
æL %]|}`‹ìþé‚B'jñ,àZ‡‹ý…T"PR׳»¸»øÍOØ5¯Ž
 D¨$ŒGÅJ‘€!DàczlŠª¼\	/ëmuÜeÔ~Ìé·IŸs;ü¶u­c]”Ov|›#
-€¶îèâ‰’„)°µ¬N$Ó³‡ƒ=\p+R½´v¸ßýq׫c�¬}§ºÉ÷5=¤uk€i<ç'lDËuZö×ðZÔÅãÎ>%Ú²X
ÚA¢E-h¥Bc†™-ŒÅ²:6/ÇÛr¹9\òdYíiä¥þ“
Ê𷢃™Í³Ÿ£Þæ»ÝßjzØuSN$ú'cá."‰„-ÿapE‹+6ïï€^Fvšb�B8úV4[)ï@*tH‘„Ó¬xÃ]„¬Ì·8¡nm.Ó}N
-¶L_lçË¡H›|uÎX ­-¢¸¢ÔuÀt"¬.vd";õùT\EEN¬
«ö@�šì%~Îcj&í+¸ÇY°®ÊÍÈìàbpV4ðfzl«Pƒ?ŠpºB2–±‘ýí˧ß/•Zþ“ùõöþæ×Ïw#ëÐÃ(HT¬çh<ä±µ£Ý˜×É�&ø“,ËãþѺª
õ!
O¶Ë¸ûÊÛ¶¸äËõÖN°Á)7ùº¡g¢$t½¥öes ±c[¸—vUõ||q&£ì[û4Ëm·a2OÜŒzIr5¸³Ú:»¸ÞÙÊŠúe—žˆÑàÇîª=¾/Z˜0¾®¶]uÞر�Y®<ŒHŸ¨ýXrˆ˜V$œe¢…
-ƶ9¬àp	��dËÚëÏò&?ì‹Ò>:<à¥à³
-€[ELÛ�
-6D¼{&ÜaB'"—*@£Î	ôÇ"Â4¤v"ý‚nRÜìþ{°y;Û¦u�xˆ�C2ª¥+"»XQ3	YÜ^FÍèjæ/6d[ý’¯}æm¬UéHq¹P“*HyúII×Ö~5�2Ò‘¿2±©jS˜ì*âãµ’à…+Õ¿Ë›õw‡¼®v¯Seµ†]Á<¡]hb+E\ÀCT ¯¿3¼³3ÖE®!D“{‡Ñ>V¼½�SýÛ‡$€ZÀÙû
êXoG̳ W<»óñ¼{®ž
-Sz¸þ|w÷é#µ_Ó]‘¥m!Rmzùqy’
-:¢K§Y&t„¦‰à„Zì&¯ç´¶·ƒCµã—ƒ]½×ô­p*-´Ÿ¡ôãÏWwwî*6/;à|zèemVä?†LÀ
-ÁD„ïÜ™´2Ó Z™öB±�Í>ƒUÊ á@˜­^f¨vðGŽ_¤ºzÿ;Lïïþ?!ê*à_üŒ¬�ù�ðÿóµ6%ñ¯<’‰j>;†:vF!LZ-÷�tnú¿
1W@endstream
+xÚ­Zmsã¶þî_¡o•' 
+ázvw¿ú	;£æÕ1
+ÈXÆFöׯŸ»TjùO2ä—Ûû›_¾Ü�¬@£ Q±ž£ið�ÇÖŽvcr\'šàO²,�ûGCHèª6Ô‡4<Ù.ãVì+oÛâ’/×[;Á§Üä놞‰’Ðõ–Ú—Í�ÆŽmá^ÚUÕóñÅ™`Œ²oíÓ,·Ý†É<q3ê%ÉÕàÎjë|ìâzg++ê—]z"Fƒ»«öø¾HhaÂøºÚvÕycÇ4fu¸nð0"}¢öcaÈ!bZ‘p–‰*Ûæ°‚Ã%x<>’-k¯?Ë›ü°/Jûèð€—j€ÏìíL\Pž®´¬ßÈy°å“1p¬Ê&Ͼ·§�¼
+c §‘]×/HDëágp	YÆqÞÇ%­i?
µåkº;¢Ë\ðÏ;%ìÜÏ9uS&ƒ
ÇkÇÓq€YÀ©c„ùDÛôuøâ¦:ìÇÈã N´K¾£ud?ÛFàLD%QèC€SLzéœØ��ûW²Ì[Ÿ‹Ç’¶þ¯g©2˜‚4\É8C%£¹½Zu¥Lf+“‘ÌÖK™U~+«‡fý2TÌP9bïhöRçªÌ‹á`ð�î¯x¬þ[†[.!ªê�Œå�Z÷ŸniÌæÕÐe ¥ÔßÁTÌôS*
+ªŽû-q6`¦4®Òˆ�Ê&ýµëmU/ÿ”	>
í´aHâAÈ´+ñ
+ë4eÈÅ…êS¯“áÙ@¾q|{L×Ïoi¸Iö/P=»¢9]rÎÑM	Îèp Äa(_×ø¿Ë C¨3¡âÐÓ��·0jÖÇ¢Á±I¾ĮE¨çùÖ•šæ›—òhBô¨ùçb&óʽԹöAù­ Ñ—¼¯þ5»¬–

—Pe•®ö„¢™3#Ob:lÎð>ß$ç<œþ4£qŠ²�ÄÌÆ_Fe¬‘AóPã.âÀÇu[‡n„;Ñ™	’:K)$a2Ã~!˜f挎3.DBR'Ãæ·´#5³¥NÊliVíÓ¢ü
óiW^÷ö&�Ï[à¥ÎMèï+ØAðî™p‡	�ˆ\ª
+Sz¸þrw÷ùµ_Ó]‘¥m!Rmzùqy’
+:¢K§Y&t„¦‰à„Zì&¯ç´¶·ƒCµã—ƒ]½×ô­p*-´Ÿ¡ôÓÏWwwî*6/;à|zèemVä?†LÀ
+ÁD„ïÜ™´2Ó Z™öB±�Í>ƒUÊ á@˜­^f¨vðGŽ_¤ºzÿ;Lïïþ?!ê*à_üŒ¬�ù�ðÿóµ6%ñ¯<’‰*˜„ÐÜ…0q¦†¦û?A:·ýßh @endstream
 endobj
-1760 0 obj <<
+1865 0 obj <<
 /Type /Page
-/Contents 1761 0 R
-/Resources 1759 0 R
+/Contents 1866 0 R
+/Resources 1864 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
+/Parent 1857 0 R
 >> endobj
-1762 0 obj <<
-/D [1760 0 R /XYZ 85.0394 794.5015 null]
+1867 0 obj <<
+/D [1865 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1763 0 obj <<
-/D [1760 0 R /XYZ 85.0394 674.4719 null]
+1868 0 obj <<
+/D [1865 0 R /XYZ 85.0394 674.4719 null]
 >> endobj
-1759 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R /F53 962 0 R >>
+1864 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F48 940 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1766 0 obj <<
+1871 0 obj <<
 /Length 2837      
 /Filter /FlateDecode
 >>
@@ -7625,904 +8155,1196 @@ lhïëÁ4êvÂîûYž^®1Æ	€"C,¹}ªûéG¶D3Ý¿(•iäˆg œ–¨VVɇòÜ¯�“äù©Þ?
ÄŠ"9ȲíÕ‡  (
 @ãâ]0ƒ±î½±½&Óè�‰wç<ÐE0…lõKžLQ–	¹ìÉ>ÊoÒ:`=È“wÓÜå»t¡Fà8^»ö|B­{ô]£¿%ÌêF¬¡e=Q�z•A·QEÉÇÁ>×P44�yy蚦{™<ÈÓ©lz;<Ú<ÓÀæ@d-­Ò8ƒÔÿÔ={A\¤ñŽi*OÈîÏÎwG�§C+ôï1<—ý˜‰ì`†«£Èë•:”Vüž‘f$Û~R­û½§ò~¿?T3¯GP«cz�³§š³ŽáÙ…lÂ{ôz¥0aCMŽ§ºLІn
 ”]H¹!Õ†aÕh{Ö;ßM0”Ò¬ÀÛü=Õ\€Ø6PfS�X,ÁhælÃœmXdæOŠQ2Š¬_GóИ‡ó°%ó Ìš‡…æaÖ<Ìš‡E§ËÛæ�`E1»°ë©6Ìã¨FóTU­VW6sûu×’mà©æÄö
I)Íc	ógáÌ#"ódÎ<"	DÖï£}˜°öÆ>bÉ>…³�í#¬}„µOæí£ƒ©(Ҍ擊hÃh¸ )b]@´n2G4Z¬iVç¶ØŽgsS¾ËGs!ãOÒÆW¶íYÚ¦’go¾"DËÇõ*
u
 ®’ñÌÜß.äPŸøÛPðƒ®­ú8‘äF&+¶ˆ'	7�øû·­Ö\ëy9-é° 0(Žd0‰ÝdYpØK¹SQ—°2
-Óš8³tüÌÕÿoœ'xL:´U�œnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ¡¹ã ”PH»sÙÿm˜þŸendstream
+Óš8³tüÌÕÿoœ'xL:´U�œnþëvßœ«éᢾŠsPÿ~µòÇ;à«þ-·€´sÎõÿ)oüË!Ë cædO$ã)|,œPJ‰¹ã ”PH»sÙÿn þ¥endstream
 endobj
-1765 0 obj <<
+1870 0 obj <<
 /Type /Page
-/Contents 1766 0 R
-/Resources 1764 0 R
+/Contents 1871 0 R
+/Resources 1869 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
+/Parent 1857 0 R
 >> endobj
-1767 0 obj <<
-/D [1765 0 R /XYZ 56.6929 794.5015 null]
+1872 0 obj <<
+/D [1870 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1764 0 obj <<
-/Font << /F37 747 0 R /F48 885 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R >>
+1869 0 obj <<
+/Font << /F37 791 0 R /F48 940 0 R /F23 726 0 R /F21 702 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1770 0 obj <<
-/Length 3317      
+1875 0 obj <<
+/Length 3266      
 /Filter /FlateDecode
 >>
 stream
-xÚ­]sÛFîÝ¿B3}¡§Õ†ûÅ�›ÉƒS;9·iâÖNïnÚ>P"ms*‘ªH9qý
,EŠ”|Ó^2	w—Øß
-hGôU¶.j@«Š…Š"É@pþø ©Dh4C\Nœ‘
-­•a€ûÚÕöiŽ‚ßaYWM™Ã½e9ßgÑÔ«][<}6WI$”’Èr)Rk•;ùÎñÍ�Šûl·jiò”­v¼^6ôdÎ9È_ÃPU
LwM	\«<齃é0lÚ¬-ÖEÅû=cuÚgYb„Ýâ¿*Úå«m
xp·û)YéYø
œ�˜Àñ	pHF…
-`£ ª‰:NA‰àê0©*µŽT¸
S‹+%¿ÙÀ2°7PGx
vnŒ	>€
-0Èç²}Ä‘	î‹Ï¨ƒ¸èÏ6¨X(>¶j‹í†VZd¥ƒàƒhy•µåSAoª=–¬bèÏåjEK§„À	¾¹¯¦ ŒËGw>¸+§F8
-
-¸Þ¥¸8AÇj bCÄù†¯KE¶|¤Åá�h
Í¡2šb`#Ä*À»@"jtÚ{Ÿ-Aš˜
-q•”áÚm‚,_<
¨#‹R¸W¬‡ŠâIu1÷±Deu™ï´«CwV•ªBKcWÝ´»E³bø¢€*¹í‡ÛUCÔÖžV�>ÔqÕé :ÕYP‹ÜƒkhG
-ð`ú:¨1Öâ
-{;$ᢅÂuƒÉpDžBEàFÊf³ÊžyÑ1PH´ètÆqV9]nhæ…É^LF¨l…ίÈ�þ°ÇÂ�þà¤lØBÊ®;Ô	J�R¹4¯£&ŽÉUõis\¤ uQÇ/ˆ´uB¤ª)„î¦XŽÄiC¨DTry5Æ>'¤5qläýO$
ÊHBÕ
ÿöê[�‚—¤²Ú=×p+Ï~…s%œ88<ðã÷¼£ä­¿†6¼üÿKšcd”i´ßýñænŠ’¹±"Q‰F¾QŸåyÙBêÒÙ6u5Ž(½DŒRþ#Š ÓP@M~R
ö0Ç•€a:hʇåcÖLä8JÄpÂ	¼äïPüPCÆ*Õ}Äß:„s9…”RX³>TY»ëÌQaÃ{!h‹°Qg¸ËÐÐk·nàÒV…Í·õ¦\9ãêRÍ/'šÀ&Q¤ÚôîøRXAHK’éð¼;ï$CH UŸ!·×ï¾ýçÅíÕqéCÚ
aé%ù÷ Nh€‡r:ÐnwØbšÿ^<¿þ
-þŒô ‰Dd}š„jLÃPR)"�FC"\í…�Ì™»«Tð�K«‚ÆèÔAØÔÁv¶çI°£îÎ�~ÞŒþŸÞ¹k<ŒÓ‡‰†§6¦]ëìë¾IÐo!í…¤¦kFÍ{å’TD
-F“~JÅèBM:ªñrúo{ªîÄyÿȱ¹*p-±Ôñóÿä­T!?J_HZúPǽUÕE¬¶Þ¸ÆÙ(k‰ ÏÍiìÔýAØ’"¶2âÿ*æ\¹N~Æ¢L÷A^1éƒ�7ÅÓ?šd´.4çV tí¢2ÏZ×ö
-°¸¦ÌfÅ„aŠX:@*Z$_Øg¡V·Iêãà3Ý’‰ÆŒ”}¦äi"õÐ×Ñýt¨©,�§ÏQäÖ§¿<…,:ôás>õG‘Æ©çÍ"k1b"
-Pç2À[â´Þ ˜šã7½XrlEäî2€´�®m…KOp}™1õ‹bOýªtßFa•ô×]Pu'~®Ò}º&Ä ‰P¥…Ъ³‡æÉŽÔÆ—qù¨¥Ê
-hÈ�ð×Φ[Θž²Ê˧2ß¹²E«î:î•'¹`ŠIç¸mˆ+Í3˜ÉçE³Ü–þ2—!Di>yg‹ú©À_i€ScI«�¾ »ÚgNî¿ä<÷WO8hZ #óÂv²Á×N68ØËoÿ3Xv¿ kÚ¾à9æ:oÞmxŸS3åÅ›­¦>ôôëÏ›â@G–«¬9Ôw»iê¾ôpÒ<Ö»U>Ì'2¯êý^þ~ËA}y¨�¤w«zA‚�É$ÿpŸ�&Dž.§­i×IÁMž2þ9>÷”ño%Ü¢Ë&ùT°`>jIjˆï›švøc¼1»Rеe\	LõD—IÖØ)î¿.ßÖ®ÓÌÝļ W¤ðýÒ–À`u·Yñ:y!å”B'�QÚnh{\Â=݃©d¨Ž’×�O6¦™—Æp°>˜~°\'ÀYIpáT
-…²‘Ü»w&9ãK,øà¶Û2Ï‹Ê÷\AM£$š×âyðAËÝeÞÕ;Kßqi‡Ý–)×쾯¾õßc‹/Fûûµ˜†Ê]멼2ìÒ“¿ýK²ýïäL,4~}ŸL› n	àŽôD!_ ’n1+IT<Aû
œÓ4endstream
+xÚ­ZÝsÛ6÷_¡™¾ÐÓŠÁ'?òàÔnÎmš¤µÓ»›¶”HÙœR¤*’NÝ¿þv±
+Ì™DI~¿øùW¶ÈAîo/X(ÓD/>C‡…<MÅb{¡´µ’Ò�Tw?øoÍÔ9(�„Z¨h±âX¦|^M,d¶½ŒãH(¯&•Ì©ÉQ¡š¾¬ó¦k__o—K&ã‹ášΞjÊZÈ
k.ã0Qüˆ÷]Ñ].¥Œƒî± FÝoWÅÛQÐlhåsd™�ð˜=Ù]CÏl·+.y�í©[Ö¸¡Wßè¡‚¥a”(
²#û:ÛD5’UÄ¡ˆ"n‰`ýéB\„LIKq=³FJ	›$‚Mã„ê†2GÁÊîaÝÔm™Ã¾y¹ÝϪmª¾+B\}±I
+ÁQå<Lµfå{£7
:*6Y_uÔyʪގ—-=­æå/Œ‰Ú°�nß– µúÁ‘ÙyµU:4Û.ëŠmQÛùN±ŠU–¨P
+
 £ nH2N
D°u«²s+ªHµvc¥Å‘Ò¾ÙÁ0¨7#-¼;WJï
–äsÙ=bK›â3bÝÚ
+�…§c—­»b¿£‘Ui(ìB4\e]ùTЛúÀ%«-õ粪hhe@šm[Çõ£YÜ•�6àÌÓœ6òf›•uK�ªl;7eH9=5'aÂcSä¸~œ9+™„pÎj@Š™¥8¸
íV"yN®äL+/IUk«)xº¸!�dôwÁN<¹u—Q¬Bóô¼OR�ö©žÊøÔU¿iË?‹×o&^U)P9ñYÞžjÊ|ìUUÆi¤ÇÜ�WΚ±ñéú#5
+_пÉdÌú QnŒ6gl‰×U€µeSÛ÷
=½sãè+w^engú£Kh�/&´¶€ÑwÖHÏÊBÁ
+Ww[¬'Ç©d""9ÏÜSM¹��š8V|ÌþÇ‚�ψCÖþÝÍ×Ôž\^œÒjólM1ÀŒ<»+aÇ@àxÁßÙ¥�úÓìúüÏ©�7#O£Ãìïçd¡3WÜZrT»™dñYž—„.Þ¶1áhêé�2Ä(ä?
™ÂE“0qCªÓ@ðTmù°~ÌÚ™HG„1¬q–»#šr
²ÉX¤rÌþkÃv) ¾p‡&æ¯uÖõÞ4O°.‚v	—7âÇVZz�W¯i˜V`!n»++ch>ŒÁÖòz¦ ¬ªTªÑN_*	‹0M’d¾ ¼ô+¾ §´b¬–»Û·_ÿëêîæ4@éÂï<Tgðà¨º}�E§åoÅóë/àÏIÔ‰</‚§šÊ0FEÊÃH¦ÑX“�am³0Àä.øÀ¡ª 6ºy@„5~°¦ýeôT/Ã>Èo'£GÆçÊÎì[GcP1S•*Ô©/¦}94�#ù±”Ÿ&‡òÔRÀ²7&lE€éïnþëJžp,I*ç‚æC`k.	ØÆ8s®£ì\À•0Ò
}1Z”&fá[ô2©
nø·Ö+5ŸdS¬IË—Y—ù¹’gTMó1ØÌ–ui¹ÏMÅo
+¬Ò ¥�r»«Ìw¿ÌÆÌÊ|˜ÞY¨Z	þbõ…§îEÛïv�¶ĩ¥ª/i¸˜BØ®²‚¡BJcb(@Mƒt[À
+�Y€½M0
J~tùÓþ$“TŠ`ÊÉg$2ãó_ûÐûjæ”å܇3®Â4N�nVY‡1	²Àà’¸Kì6;”Ó!üŽs½ sóÕHºGS*Ä!¯_gVúUq�¾*Í÷h%ƒã&l1+~®-¥ù¹
 endobj
-1769 0 obj <<
+1874 0 obj <<
 /Type /Page
-/Contents 1770 0 R
-/Resources 1768 0 R
+/Contents 1875 0 R
+/Resources 1873 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
+/Parent 1857 0 R
 >> endobj
-1771 0 obj <<
-/D [1769 0 R /XYZ 85.0394 794.5015 null]
+1876 0 obj <<
+/D [1874 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1772 0 obj <<
-/D [1769 0 R /XYZ 85.0394 204.5196 null]
+1877 0 obj <<
+/D [1874 0 R /XYZ 85.0394 179.5067 null]
 >> endobj
-1768 0 obj <<
-/Font << /F37 747 0 R /F48 885 0 R /F23 682 0 R /F53 962 0 R /F39 863 0 R /F21 658 0 R >>
+1873 0 obj <<
+/Font << /F37 791 0 R /F48 940 0 R /F23 726 0 R /F53 1017 0 R /F41 925 0 R /F21 702 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1775 0 obj <<
-/Length 2180      
+1880 0 obj <<
+/Length 1912      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ÛrÛÊíÝ_¡‡Î”š­÷Æ[ßœØÉÑ™Û�”9í$y IÊâ„E¤ì£vúï»4%Ñ£t:| ‹Åb
,.+&>1ñÄ2ž„±f>þ$­.øäæ>\K3sD³!ÕÛåÅå{Nb2˜,W^ãQ$&Ëì‹÷–I6Üûõn±œÎ¤Hî]ÝßßÜ^Ïÿ�c4@Á¹÷ûÕíç«�„»ŸÆÒ»úp³˜~[þvq³ì¥J,¸BQ~\|ùÆ'þÛg*ŽüÉ38q,'Õ…öóµRS^,.þÞ3Ìš¥£œIÈ1Äc*Ð!Â�T��ÓY
-C¦#Xs ºfÓ
˜Gñ¨É?Ø	$âÎ…~u])ÀE/31K6›²È3T¹”^Û¶['݈3G’ùQœWœâ“�ŽÆÞâ™PÔEW˜“ÃÀYñý«$³”d+
-	WÎèTBøõC:(ñ†Ü‚·	ÿ'·	‘ãQÜJk.ÿçÛä4Ö˱™¤f2ÂÈ£|‹XÚùõ-	°ø|÷iêûÞr<¸KŸÉ8hÕjÄ(1ÿóñ\E±39y›¼‡©€À[ÛÁ®(QÇÚ£ukB’˜€úÊ}fË·u‚N˜”Å¿L
-ÔeBž�_Zig±í4òvuûJ¸
r…Û÷ó�Ô[éû(¾^æ]z¹ÍÛ¦|bpÅW½FL„°?Òüåß¿Þý~óŸK¢nÓ1¸Û›,nnH
Wwçcüºi;Œ¶ãèZ‰ñ"Cd4@fuÛæéì{¾ÌëÁ¤ÙA[5@-¦{ý}zÿZ)¬4ˆXè÷tã
-–Duê÷íç‹óGßs±�6Ì>€í	Ó5

•é—r•
€T
�@3¥g
-Tú˜¨Æ{X
-�7tÀâõ¶§z9(6�_fÉ»¬¬·íòùé›C¥c¥§Â&A»Ôš–IÛŽö)ÌICÔ3¼aZŠß¹b�5Ý«üÂø˜á§ówÕC>Ú@LJ-Ž9vg9vûÍX¶‘
-¬Íõ1¿?Îò{NŠîU~ªçG-ZzŽË£/³jd—C�Veò8¶‹f:ŒN´ {(°U2G¥Á·Ñ *Lâ0h\ß,Þ}šß/çw·#ya$,Ž·�JGÃÒ/–4øk‹jƒéHÄQ'Í„©%Øä[€+S¬áØ\gì;$MC®ìëø×°&)KË�CÂzÿ¶<¤�M9z8?¿·rfÅ@ˆä­-tí�,IÕ1”OOEj1|~HL
¦¼?¨Klmk@
-­�;,Z[ymíŸç�ΰ½Çâ)¯ßŒ˜BB”àÚw>óš)$„Jß]nÓå¹]lí¸6e†
wU•˜Pû6¶„,½{<"…„ø¾xÜ1Û'¥>‹¼QF]'IÂ?Ší”Õɽêñ
+xÚ¥X[sÛº~ׯÐCgJ͉`Üx;oJlçøLŽãFÊ´Ç4	YœP„BRVÔNÿ{X�¦$jt:=
+?6öÄ<‡±$>eþ8]�èøæ>Ž˜[3mMû«Þ/FW·"Ç$x0^,{º"B£ˆ�Ù£÷žp2

Ôûíó|1™r?àÔ›=<ÜÜ_ßýÃŒ)¬�”zÌî¿Î>¡ìasoöñf>yZü>ºYtÖô-fTS~ŒŸè8ÃQ"âÈï`@	‹c>^�¤/ˆ/…h%Åh>ú[§°7kÿ:ˆ
+ãÑöõJïLÀBéAÏ­ï›yH)�ìÆÚS�,$A(Ú¦z[d¨ÒÚm­œdYMXäé5Ž0ãÂ~ÆÁÀdœ›×Ø®“ï­de(7,´þ¾ÝÔ¿ü~äÙ
+h´éK›RFÖ©Z,̼Óá1]ãˆ�²àÉý¼¿Qªm›Õݧ.$ŒƒØÙûgý2ŒOâv-	˜]Ð><haHdÿ9€Ï	ÒHk’°XD;L]Î Yg3*K6–Éäœ{µFi³Jš�dŽ8ñ£Î�3ÉBj׸ó�:vò2orë9ÚÈyƒí:ÉÜJŒtT’®°‡Á$e$½ª=Ã6å¡J&|"ÀœL<´«ÄYa³Ã4…N-‹·Œ²ƒÜö‡ gÖÕ–QÏ°go'd•OŒÎµJJgÇ9¸!£�.qÏ UŸΑR7ØÙTyÙ´Û(ìt8ry·RÖaac�ÐèïÎH8rS.Câ‡"8LPÔ
ÔmN“iON“³¤•””ÿϧ©E¬³c	6qIxd˜GJ‚WõÝõ=î>ÿúððùËÄ÷½Å0³s`³0Ä?-Æ/s¹ˆâ6ܘi2ðž'H·tƒm^4xÝîòf…B´Ò]ü2U•‰IÀ¤Èÿ…•Fàez�äî¢.“µjïïÀ«·›�®šw8²Ñƒ¶»Õ“´-$¯«L²¼ÞÉ¥¥.§.¾
�ÊÈ?<2³ù‡»;s¼Dg„ ÜQ“
¤ª€¬¹„UÐ6¿�‰ðrƒŒMUìq»T—ÀýM�¦«¤JR
+ aW�š½�
+Ná¸Æ~<ö¹$
+ÙF¬šDÞ¶¬ÏP- HeˆTËã8¶¹½û„ï»Óº½G¯WªI¯*Uëâ•À	_¶iÇ0ˆìŠ¿üû·ÏÜü犀�U:d
+nþ�ó{×mEÑÖý¦¿mò"oöçÓ1›ïK½©á|ÑŽ`$Œà1FPQ@å1ðy€�‘Ü7—Óð·0šÁ©ìi8å˜îË�[ôæ¢yb>N“YQVõb÷úÔŠÒ¡BS˜'�l/Ó´HêzðUB,-ÚE�Âû
…Â'Qà·	Xfº9«/Œ�~¹¬p»~VƒÏÅ€p.Ù±Ææ¢Æf¿üú!H̨<Ö÷÷‹úvIÞœÕ':}ø ‹
‡à­ Â0>N×»´,’—¡]$‘at‚‚ìz�ëaíbeX<�ûnÞ™�]™J»£ñS{ûd(M‘ñáÏe<ô	ü9h�2N2�˜Þ~};µý¿p"5endstream
 endobj
-1774 0 obj <<
+1879 0 obj <<
 /Type /Page
-/Contents 1775 0 R
-/Resources 1773 0 R
+/Contents 1880 0 R
+/Resources 1878 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1752 0 R
->> endobj
-1776 0 obj <<
-/D [1774 0 R /XYZ 56.6929 794.5015 null]
+/Parent 1857 0 R
 >> endobj
-1777 0 obj <<
-/D [1774 0 R /XYZ 56.6929 626.4701 null]
+1881 0 obj <<
+/D [1879 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1778 0 obj <<
-/D [1774 0 R /XYZ 56.6929 517.4334 null]
+1882 0 obj <<
+/D [1879 0 R /XYZ 56.6929 581.7741 null]
 >> endobj
-1779 0 obj <<
-/D [1774 0 R /XYZ 56.6929 438.0429 null]
+1883 0 obj <<
+/D [1879 0 R /XYZ 56.6929 460.6765 null]
 >> endobj
-1780 0 obj <<
-/D [1774 0 R /XYZ 56.6929 376.8269 null]
+1884 0 obj <<
+/D [1879 0 R /XYZ 56.6929 366.7195 null]
 >> endobj
-614 0 obj <<
-/D [1774 0 R /XYZ 56.6929 339.1376 null]
+1885 0 obj <<
+/D [1879 0 R /XYZ 56.6929 293.4426 null]
 >> endobj
-1781 0 obj <<
-/D [1774 0 R /XYZ 56.6929 306.6767 null]
+646 0 obj <<
+/D [1879 0 R /XYZ 56.6929 247.3727 null]
 >> endobj
-1782 0 obj <<
-/D [1774 0 R /XYZ 56.6929 271.6646 null]
+1886 0 obj <<
+/D [1879 0 R /XYZ 56.6929 211.2315 null]
 >> endobj
-1783 0 obj <<
-/D [1774 0 R /XYZ 56.6929 207.5268 null]
+1887 0 obj <<
+/D [1879 0 R /XYZ 56.6929 172.539 null]
 >> endobj
-1784 0 obj <<
-/D [1774 0 R /XYZ 56.6929 137.3205 null]
+1888 0 obj <<
+/D [1879 0 R /XYZ 56.6929 96.3402 null]
 >> endobj
-1773 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F53 962 0 R /F47 879 0 R >>
+1878 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F53 1017 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1787 0 obj <<
-/Length 4062      
-/Filter /FlateDecode
->>
-stream
-xÚÍ[Ísã6²¿û¯ðíÉU#>ܪ=8“™¬wgÞØÙÍÖf”DY¬H¤F$í8ýëF7@R¢¢™ÝË›9j‚@£Ñ¿nÀòZÀymM$t_§Y!Íõrw%®ŸàÝwW’ûÌ}§ù°×7�Wo?èô:‹²D%×�ëÁX6ÖÊëÇÕ¿f·?¾¿ÿöî盹2böMt37BÌ~¸½ÿéö{¢}¼ÉÔìö»÷ø3QØIa·DÌþòãÃãÍ¿ÿzõþ1p3äX
-�¬|¾ú׿Åõ
-ÿ땈tfÍõü‘Ì2u½»Š�ŽL¬µ§l¯®þ78xë>�’€Ñ62V¥"0zJ&‹­´ASž‹®ãí5ì­³HÊTÁØ­lnæZ%³¼Âg:«÷mYWù–©‡igOÝ®¨Z¢¼lÊ冺úO‹²ÝÀLŽ-"VùŽ[5¿ºûÈc®VnÔ¢áïëõÙoyü:oy9r´X½±¯gS7íĢ籆�K�ª”QfŒ"!mên»"�ø܇Wj–UÓ9Ó‘=|:ö°á™r/CZC?¶%|¾òC7:p£t¥:ó{ð¶h—oESoŸ£e]­'ø‡E&±ÔüA„=®çZ«H[a®ç
-iJºÿ|žN)aדÔKižOÌ!ã(Ž�å.¿#òí’—ê4ƒWÅ+->wås¾uÚádT{q´mY=õ‚›`(
eaIóç‹
È+–oÞüŠ�ê…U‘ÔRý±Z(Y“ú	<÷»üWÞêüD5‚6¼î¹Ïíý?o¤”aS`Ì$ÎìxSþ±)ÐÀ¤>#�8��Tž‘ù»)a€ž§2>éž]S¬ÞLˆ$-”–D¡¢ØƾÓK¹ÝÒ yÛ»}ËÌ×øT³UÙì·ùk¿"×xøñ–dßËÚ=WÌÝÚ9hü^W,3f@F â)sàœÀ›)¬%x¯µ›¡Þ1«žg–1X½€1aíÞêi3¼}jÏò®ÝÔ‡²ÍÛò¹ ’w?¦·j$ÿÐpŽÈµp%4´vVçh88}M~­/�GîÓÌVÅ/B¨Ê3´xõ³ðG÷ÔïX¨¸@1vgÄ™S\êM?ÖuçÍeíVðf´ì‹üH–z-™/§õTÅÙ±šjé¼êáÆκe‹K×ä.ð
Rr"|ë

´¼9{¥_N¢ð\nó¦™R!)¢·›&tëPY|!n Q°Ü’¹ZæÌð¢ 'ÚÕ˜ám]ÿÚí‰ö—¢)ë3x ½S©‰¬j¼=ï6yÝToqçšëÎ5–Å�6<BݤhøzU¬ón{:˜÷Íw÷ôDG~WµÅ
fFo~´ÙŽ³¿;VuãFеû®¥6�˜ÎžŠª8äÚRÔÔS_#
^“Ê‹~7S68çqÈ3ÎQG	„¯t«éHadâ•î0¥¸0¥6É…pƒÈ“pÓK
-ü½H0Hõ†Ä(§³MŽÎHÅtÐÉh{òuÏåÊm
-á p³½�f[Éd…ÜŽzÏåØ
-h«ºïæ°-Ð(9Æj.xŸÕ
xÅZ]Äï:ô!H�ãµ<UM¿<5dÃ
Ä;Úò½Ë�(w­Þ™ôRQ‚Ê+Ðûãâ÷ä1¸ÃÝ€ÏÜ6
‰!3´8;t
ùק FE‚ÂfCAe7ÜdšoÒ(N•ùOÓü7ä�w…)%=Ê5MYÕÓLÍY‘�Ž$ ±±&3ÇÊr ²4œÀ|zv;Ç/�ßr­uñBîÞ²¶`«98 bL�Y¾$ò–³,¤Tý,äwÝtν)Kž
-žMAs0b@Fꃟ�¦ðÉÞQ.D¶>]‘9®çø9Æ5ï-\»d‡Ë8[Ù
°B¤ÿmesáX�ú°
-´dÅ]ŸK6š3Ø=K¢4µ¡rw8£ý§ÐÝX;{ðuRš dvúƹ÷ÄôÖ{€Oßá@ÝD,ÒçT
-’''
±)C<UBòJˆÙÃ0’œ×~Ÿ„êM:
-âæ,öILjò0Ù®È+93ÇL	®«!)TäE
-À€†Š'öž�/ad‘4}ÌQC ©>DL|F
-ŠРórm&Ö§
—E°_¹ž4�æb¹Mõ‰7�p&tÊš`!ÂÖ|ڶ˙]ò«®ÓèžpéÙ^Ö[
-LÇ_“F&ÉÌ—³,÷ÜQ_"!>ƒÿºÛp´CZÓ]�‰êœYšpj�½§=Ž
-¹j¶W9»3&›.;
h,œ�}ѨäÇôl˾ÉÕ*j
\vþÓÛ&�úu¹õ3ù:†i
-~M×;Üþ
²ÏÜó.­ÏBM¤cmÿHIæq,#ƒ×TG> 9	£€ôüm.É$¹ì+•:r–8x±F«YS›�@ê-Ó&ÜTMa‚ë“ÓïÞTùJA,36zèÄFýí9½áh°+áo<—)£¹ÄmŒó›™ˆ
-�?œr0òP�Ñœœ
-.é€xkêR�6‘Mb}31RŠN’ˆ•‰aPjA�C¼£ã,Ò&õ#¹‹Cç.ÚáÑÛÔ��ÇÚzꆾ¸öŠö_ÿ=@ÿçq
-¾ÎªpÕ¼v
ɌΤg
-—B³þrà”÷ÿúž¹øendstream
+1891 0 obj <<
+/Length 4197      
+/Filter /FlateDecode
+>>
+stream
+xÚÍ[[s㸱~÷¯ðÛ‘«F\\x
OU¼3³'Yïdìœl*›Z¢,ÖJ¤F¤ìx}ú�¢¨ÕlååÌ<j‚@£Ñýõ°¾Vð__»$R6�¯³<Ž¥“ëÅöJ]?ûﯴô™ûNóa¯o¯¾ùÎf×y”§&½~\
Ær‘rN_?.ÿ9»ýôéãý‡»Ÿnæ&Q³o£›y¢Ôì‡Ûû¿Ýþ…iŸnr3»ýþãþL
v2Ø-U³?þøðxó¯Ç?]}|Ü9ÖÊ"+_®þù/u½Æÿt¥"›»äú~¨Hç¹¹Þ^ʼn�’ØZOÙ\=\ý58xKŸNI ±.JœÉ&D`ôµÖQž$æHI¥ÖX’Á‡�ï?ß}z¼ûñWCßôbS×s“EF©Œ:¯›¶“^vÐËèÈÆ:cŸª½™ÃJf?Új»Û”Øv³CWmªî�_¬š=7våÚÛª~æßiš_»ämr;»ëx?~
ß›�ŒvhË%·º†Ÿ‹¦~)÷òQ]lËöøýÝ'ás¹Üßh7+ÛºÀâ`ɼžy�,«¨a|“ºÙKµ(¥UîÛ¸³©�ý}]ÖL­~4êóa[Ö]Ë$\1=w]ÕÔí°
™Íž«—²~7± }‘Š“X„|n#ìpâwb·¯ÂÔ?Úuƒ"¡æa»-öo<o³bbåû/xKfydh4Úx‰°õlªºd+/I$.hÈZ#æ6±ÇÊ¥ó(ÎD¹p�¦ÖWÉ@¹ŒV³n]rcÙl‹
+%¯5 ¯‹Ž[჆û<IÔ-Ôlv¤b©EÍ�bÓŽ¾+ü´]W.çËrQ�2íîÓKÌ�*ůhãû¯ͦ©ç"[^Þ‘®-ËMµ­:äÏêN±•~kg¸v|óº®kî¾(ÚrBƒtf¢Øä(ÑÆKûµÚlx̧7žfY®ŠÃ¦c¢.ÿ(¸³‡–Q2��˜ÛdòØàý­hJE@Aâ(�õH@m¹‡)&ø·y¤u¦Úb
ð†B2™è"îQZË/Dèê?-+Pµ=ÓHé�ÈŠ†­F^!˜Ð˜Ã�§«³ßÊ"äuÑMì™Í
²“{6�-x›,ÕÇæ	¦~؈~9”déЬê¶+oœ+~²9AÃóD/÷CšØõ¦jI/y(æ&>*›F™GÆ<Sv‹oöeÛl^"@äÕÿ°Æ4ÖV>ˆØ,¬5‘udŽ^>®Ë‰)¡‡N3/¥y11‡Ž£8Àø³J¸xè!Hɪd¥å—CõRlH9HF�Gב¯ò‚›`(«Â’æ/92 ³hÁ‰NÕ™H[m.˜²Ž\’ù	<÷ÛâÚ'ª´ám'}nïÿq£
Ðü¦À˜iœ»cÜf×gµ=#�8…�„ðD„ñ~J æ™ŽGÂÀ!Éá‰þ}Ê/‚¤•±æ"ªÅ.Ö#T³³@|»ë„ùŸf¶¬ÚݦxëWD�‡o¹Áæ½hè¹îØììצ.'`Ì€à@ŽÎyºÖ’ùµ¬h†f+¬zžEÆ`õ
+Æ„µ#£·OkâYqèÀÝW]ÑATÁ$�>IoÕHfþ¡!À-\	Fºàc×ò5Î_3¬õãÅÇã1z¢»øY)S{†È‹Ð,òFzØo,T\ :†3qé!Ú
]5o.+X
Íx
~°¯Á‘<øŽùbZOMœ�ÕÔjBÕý
D¸€¬e¸À7lpH)˜@á-6Ðònôì�‘Dá¹Øm;¥BZEn7O>èv¬Cyä\ÀBÜÀÄÀr+áŠ"œæ©ä'ÇÍC†ƒÃÚ˶j–ÂàÞƒIä´ƒï×EÓÖ¥lsGMq‡Í�‹rH
ŽA4ÄE�~ãB˜1ÌcóÝ=?Èïê®ÜÃ̈æ£Íf|ú?‚°rÿÔ´4<Ä
‡nwè¸ÍCBä]Öå¾ß–¡ªN„P^$IP‘óÀ›Іƒ$;‡Ž6JÁ_x­[N»ŠD§^ëöSšSÚ$½ào`}âoz	 *D¼×²Àók#")üX`6ð“â%
+G•vœœá$¢A""ëí7·ð�q•ˆw+~‚ý=UäÕñèüzÊ’2TF“^ËMòŠqÎrDaÛ“sQŠÕ°#ô$ºM¢A$›pgü>—ô†UM1
+ûgÕ8ZÇÊR»+F9¡¾D�
+¾:Ê…‘ -þ�ŸëP˜Ý#å¸Å£K'%.&Ò.cãîSÝÝ?ò_	¡š–|ÞÇ_¿G‰³Ù±vU’v|þî½v`L¿åŠ½ÿõÙÄÁ
+rrû™«¥¿CòFE*f9¿Ÿ¹l–œÄ\±ÅD£šØÇ“@ªÛ'J©�H
ЖMß�‚[ ±"ún>É >­EðI‡<ã|
+*o@ïÇ.Äï
È|ð
w>£m’ÄÌÐâØáÐ2vPŸ’5
+›-¤%—Eh¸É<?É`wC©èwçùï	]aJÍ�jÅSRu‚))šÙÄF¢±cqÇƉ£r>h)8�ùììžÁø’p‹Z«ò•áÞ‰¶`«rp@2e4q|leø’ÉI³�R÷³0îÒtoÆ1RÁ³-y‰�‘fïçã)|¶7J†ØÖ§K2ã‚ŽŸã¸¨ê¦Ø®pe
gK;`�þËÒ&ñ9Å°
+îï½ð�T�ÛËß:æ™Õ)I!Mããm «çµøcq,„‰Fêp¢—Ål…¹Ÿ*ç ŠPŠCaa
Ý«àÏ}©;È9‡(O8mÇ÷¬_UP"<‚ïÞÉÁ��¨EÎøô5•“b_‚‘*ïíOß}îÏëü<eÛµ¿'ÑÏ!—	Ú<ž®H¤‰>©íegR{mT¤mª/ßÎHÃôd-V$QÖ&óÙ4�ä&AÖŸÎ
‘d²kö”ÉdæÜé@,”Ãæéÿã5¦>¶1xY*�PìPõ+ÿ=[�Ä.:vÓbp&=9�u’>:'‡#Æ1~"…Í�Ûìy�¬"ímWNÅþ:K#•…*(�°N^uÉœö(÷Pœä‹SÉ7æÆ×ÇžëêWæð„‰ÿE4ÏfïïoøøŽÉXd$�Lâ¢Q,üðã-u4³‡»ï¥õç�|þK?õ�PÞ@î‡x¢óÉNÚáX1þ(ÙIM(}½lò<Trwêuû˜a[4íSËSÂ_±“c†Ý¾‚”J„‘Û(NM>­}¸õ´¥ó²òo…4ÈQA:±¸×r“ÓxxÇÍgXG•&× ñÃOÜgTìÄny>{:È°Tqù¹ã
+GV÷æþþŒžŸO8ä+0€¹uF{d—[y¤“Þç’6•SÄÔgÖ_ñ�˜Ûdb}6‘²ö«V“æ¢ð #¹Xn3}âÍGœ|	ãZHc\¥NG÷t€KÏ6_Í^À²é
+Ķ+öq*º9PÂ_Ÿ@_ÏS™þXØ0,Q¡:?0y! ÆYÖËpæ¿'_lüùþfÓ¼Ž¿ë+]�I	7+ÿá0ÇX¢Œž¥Ê=—tåðmlœ¤™;{�Ì5
+SqEZ
?_‚
+W)°QðCj&Lð“b¹ÚL„¦î•6|Vg1fÊáy-ÓLgN‰‰²4ä8ó¿Ÿ9aqý	ËäÁ"ޟʳpPózn˜ôCèÐT`Úÿ&Y”¤yòõ¬`‚åž;êK5øÇ`ð_{Ž5‘w¯L®üz2ªødyÄÞÓˆcB®Ú‚íÕdwI’O—�ÑX8ûªQÇìl#ØDEµš[.~zÛR¿.ªQ¿0ÖÙ0L[Êk¾ßAcø7Ⱦp/—¸¬=[M"[÷[J2�c%x¹þÈ]ô.'•( ;�ËE:M/c¥1#°ÄÁËZÍŠëØ	dÞ2]êƒÛ’«)B >ÿîMU®Ä:£‡NbôÐ�ƒÁñÐÔ(ø�xƒX‰|ã¹Ì$šKic7sA¨6NŸKÿf5Q��?ƒ�k¹?!÷(ÊÿiýmÀWÛÃVnÈ
Òð*•‡aÔ­g?=@rÝõ7/Îü
„Å3;õ*üQÂý÷ýŸÄHÑ™þOŽŒ[A˜dsí™B	k•�YIqÊû
 endobj
-1786 0 obj <<
+1890 0 obj <<
 /Type /Page
-/Contents 1787 0 R
-/Resources 1785 0 R
+/Contents 1891 0 R
+/Resources 1889 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1894 0 R
 >> endobj
-1788 0 obj <<
-/D [1786 0 R /XYZ 85.0394 794.5015 null]
+1892 0 obj <<
+/D [1890 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1785 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F23 682 0 R /F21 658 0 R /F39 863 0 R /F47 879 0 R >>
+1893 0 obj <<
+/D [1890 0 R /XYZ 85.0394 751.6872 null]
+>> endobj
+1889 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F53 1017 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1792 0 obj <<
-/Length 2137      
+1897 0 obj <<
+/Length 1971      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥X_sÛ8ϧðÛ)3Ë?¢$î›Û¸­÷Ú4Wygî&ÛE¦MeÉkÉîæ>ý�¥H“tæÆ) àÀlFáÇf2&±âj–¨ˆHÊä¬Ø]ÐÙÞ}¼`Ž'ì™Â1×»ÕÅÛ"™)¢bÏV›‘¬”Ð4e³Õú6xG¹	4¸ºÎ²ÅûðŸ‹ÿ|\\_†L¥Ró››ÅõÕòß—!—˜�•ÒàËüú�ùgÜ»¹T<˜\d—ßW¿_,VƒZcÕF§¿.n¿ÓÙ,øý‚
7Ì~‚¦Ÿí.")ˆŒ„èwª‹ìâ_ƒÀÑ[{Ôë
-F	1÷ø‚³cDIÉ'Î�ŠÄ‚ëŒåÕ5•ýqsóõÛ¥”Áʘ‡ÅÈ‘tò˜¤Œ)<µq<lÄ“’4¢)°Žû¦í<r8#RÖ3å-\Î’àNëÚPipw,«7–Ý=n¢’°õ'•´¬;}¨ó®lê¼*ÿ«×øjÝìòÒ	©ó�V†oÚã~ߺ7°âQP:éEî˜ó¢Ð{·™×½´²ÝWùƒ×Ô¡±e
-ø‰€°Ü
-V̳÷Ë%p&ìQ	 �-ñø‰QJT$^ó'4NÇ”ï÷‡KP¥ÙʼÓÕÞQ4õIºÖ­îóC^€wp©ë¢Y—õWÍƯ"RwzÓØܺյ=j­f\Ê ®œÙ˜F9pÆ*ÀSuÛáFטgj’7Z}8Y�€nÜÓùaÁ·&òöÖBXnÐì�“}¯Q¸“™D
䧈‘öÅCsüÇ™«ò‡«Ïã¡F6ðˆÝL¤*gFek>�~mã§PppQcœ'8w*çmSCŒ	
ÖAôQ^ë9�|û�!rFaÀ¡	—î›»Ïà„Óˆp%Õ,V1(©_
NTš¦~8	‰áX$âæX7NÂÓ(y¼Ù¨xµÌæï>/<ÁIB£ˆ;St}*ñ³Õ;]wè„S‘{Wiƒ§�†«{ç<ësëOçs»([|qb­Ýîw�CáÃ(	PO¿Pâš‘dž­î�øyXãA/
-€ž	ÄÄ�®ÙûoË›Õò뵧0�÷9ÔžAj¬
-¸âÁ±uïÜð
-3ñº±¹—¨€ýfæ.3;åî`�ˆbÔJio¾±½x‚£<À€µ©ˆÈj§4õÛWËÜ(+±ŸÑÍ=Ù|$ ME³§ƒê×zm‡ÑàC\²÷ž›Î
�JBG¼äƒ¿¡ø©(�¿©Ù8v0…we‘WÕÃÙx‚áDø£G-*ò-y3 dP¨^ÁŒ×˜ÑsMšÅ	fÀ
-'8
åÑ£àÉKCàSÿ
åÉݱêJ
+xÚ½XKsÛ8¾ëWè6RÕÁƒ �£ËYÍdl¯¥líV&Z„$ÖP¤†¤œñüúm
+ðäæn¹œn–·�÷¿ý:ÿÏ4 ±Àr2{x˜ßÝ,þ=
(Ç ÚO~›Ý}ž}2²‡©¤“ÙÇùrúuõËh¾ê<ë{O0Óný9úò�SØÄ/#Œ˜|ü
^0"RÒñ~r†xȘ“ä£åèŸ�ÁÞlû©7#Ê"ê	e¾pp‰"S:«�Ò›xw’ž*‹a(Á¾Ö	j£2°F8â”
+«Rš¬,¦
ãbÒ¨<w_ô�ÂV¤‘ýbWÖ�Qb²¿2E’…ÎlQ6¾¥#$Â8¶:Mi–­U‘Z`OíàÏ£ª^¬¬ÌÉI¡þjŒ¨HöªVÕ³ªÌ{¶1Ϥxq–O“Õ”ˆ‰ªe‘ÖFò-kvöíë8 T"΄€A’sÚº¹œ?N9Ÿüëv‡“ÙÂVÒÉ\­~6¢o»l½3ì6ÏÖé“:8S[A¹1Ï¢¬öInÆus|X/óÖ}-yR»ä9++íjÝÅà¦@Yz¥ˆD$Š»zØû’¢0ä.që¤pšç±V©ÝLiÝTÍÙîöj_ê|ýdkÅ©z:n·Y±5¯¿cÌ’­-0Þw�²j2r…Q©uY¥WG"âܪýì±B¥fŒ+3±¸«ç¤H=† pŒÇÎRS%kŸ%(!\èP×:]ùlÆ
“E„@»Ã&C†M÷.nîLP–ŸîÛ[yìCŽ)‡7l p±ñt§€žÂâ¢9‡~(lFœR¢Ë“Ä�c¥³
µötÌòÆM[h¡qD¿cŽ³¢QU‘h´Hòìï¶(`*-÷If�è~UbfêãáPV�nN2kÝÔ('ëµ:X¡N�±–Õ‡<y±æÊ"0�É
+!*uð¥Öå¤.¨1Æ`wP}˜ª6š�¡gqLˆèµÏ¸
+‰‘ˆH4,L·Òðì‹o;Àz
¥!ômø¼;Ū©˜‹Ú·€´(Œq<„ÛÛÅ'ÃùÎ~†¯ïT³~Wµç.‚ßøVÀCËËùÜìoöiyÿ6‚§ÙVƒ)Ñ0iiƒFƒT…öv"FnÍ�".wL(/n›u­ÖAZoªrÿ‡zq�eó¨Õ¾Óhãwb/…ñëdÈ4¾6fNmJc32´ÛŽ—æùøhž[U¨*1TÒp…2ÿžè½å¡ÎêódÁ
Íà	}@ü—	˜’”ëÚÏ­õ‡P¢}—ç¨u§uˆbý%xöñªé´tD!Ž—ûx¹&
+]uI7¢Ý(ñ¬¢û-ìxM’o}À&à
+�£áàý&ËÕ«ñÅ.X�šˆoÏÄ•ø:­×ã—•kqÒÝðaÿ÷(	ÖsC¶ºÎ“ºþþÊHß4˜Ø{ý£’„�9ßE!´à°!
Å	†0J�HvëÍ|ùáqñ°ZÜßy�üé<ÐtA‚#(0ÇJËcs8¶œŠrË
h4¹Q¹Ú:`�‰e¶-ZVc
š7KË8A×ÝšŽí`­Œ–‘®
ÏJO_>>:†O»®£V¯el0ýxûÁXÄ…ÙkÃ8p»Ðó

+n1{wïäø¤§6É1oήéew×µ—ß²Ù]®Y¤'åQ—*o€Ê
gáo$ §u%
N«M
+{AÈf†¬ë‰ç$?Úa¹ñ‚>dICß/ÿK<Aîþè–~²î”Åi�öéꆺ�à•XÀÕÚ•�@*˜>Ýåð|T‹ý¸kàeXoЕV»E[QIw%†—uâT²®ÇuÖ
 endobj
-1791 0 obj <<
+1896 0 obj <<
 /Type /Page
-/Contents 1792 0 R
-/Resources 1790 0 R
+/Contents 1897 0 R
+/Resources 1895 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1894 0 R
 >> endobj
-1793 0 obj <<
-/D [1791 0 R /XYZ 56.6929 794.5015 null]
+1898 0 obj <<
+/D [1896 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1794 0 obj <<
-/D [1791 0 R /XYZ 56.6929 751.8114 null]
+1899 0 obj <<
+/D [1896 0 R /XYZ 56.6929 684.0716 null]
 >> endobj
-1795 0 obj <<
-/D [1791 0 R /XYZ 56.6929 637.809 null]
+1900 0 obj <<
+/D [1896 0 R /XYZ 56.6929 572.8605 null]
 >> endobj
-1796 0 obj <<
-/D [1791 0 R /XYZ 56.6929 571.6272 null]
+1901 0 obj <<
+/D [1896 0 R /XYZ 56.6929 509.4701 null]
 >> endobj
-618 0 obj <<
-/D [1791 0 R /XYZ 56.6929 530.4875 null]
+650 0 obj <<
+/D [1896 0 R /XYZ 56.6929 470.2699 null]
 >> endobj
-1797 0 obj <<
-/D [1791 0 R /XYZ 56.6929 492.9536 null]
+1902 0 obj <<
+/D [1896 0 R /XYZ 56.6929 433.5878 null]
 >> endobj
-1798 0 obj <<
-/D [1791 0 R /XYZ 56.6929 459.984 null]
+1903 0 obj <<
+/D [1896 0 R /XYZ 56.6929 401.47 null]
 >> endobj
-1799 0 obj <<
-/D [1791 0 R /XYZ 56.6929 390.8804 null]
+1904 0 obj <<
+/D [1896 0 R /XYZ 56.6929 335.1577 null]
 >> endobj
-1800 0 obj <<
-/D [1791 0 R /XYZ 56.6929 303.7532 null]
+1905 0 obj <<
+/D [1896 0 R /XYZ 56.6929 244.1508 null]
 >> endobj
-1801 0 obj <<
-/D [1791 0 R /XYZ 56.6929 225.6163 null]
+1906 0 obj <<
+/D [1896 0 R /XYZ 56.6929 168.8052 null]
 >> endobj
-1790 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R /F55 970 0 R >>
+1895 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F39 885 0 R /F53 1017 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1804 0 obj <<
-/Length 2916      
+1909 0 obj <<
+/Length 1658      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[sÛ6~÷¯Ð£<�\y™}rçÒ´v6Rf·Ûö�–(›ŠTEÊÞô×ï98
-Y\!O^ýöŸ¬`?]q¦`µÉ<p&ÒTN6WÚ(f´R~¤¼š_ý³[0˜µ¯‰B›„©£ÉÀšGé°À8ã0‹µ`<¸˜Có(جÂ�¾~gL€‚%©
Î,¤Ê6yû}›KDhÍbc‚‡˜ëPÜ©�¦NY¬¢¸ÏÞ|›/‹ß9—yÇ%Óö)§NýRå;ì¦SË
®�Pßòï×Bˆ)œ°ŠÌtAãéô9+÷‡w¬Tp#EÌDlÄ€Žø6œéTiÜì›––Í`bGýGõ?÷w·4ò;7|]»é—�Ì�™6 '3�jŒ´+’RÔö¯ºÂ•Ra÷e‡p!PØ×
-Rúb‚>Ý;IWffB¥ðR2•èähSGœÈˆ	nú
-5⛿R-Ú£HÓ”lì[·P’%ÉX
-Š±—šê_*û{#oÜ÷{ ñ4yȨ°ƒÑºr¯ÛTæ,ç~–ÛPb&#Åb.Gü4CQ
•¿J±ÔV!¡7vÅ鱸·û‡Ò«òÑGL—ÜŸ$‹ c¡ƒÁÆž15:eKhÌt7Õcì¸÷{üŒ‹2Y4 ¸¼Kþï0ÌNÇ�&'r8s�Z�)’qLá&!_>fÝ@¥dÃ)ïÿ6™&Èendstream
+xÚ¥X[wÚ8~çWð'±ª»å¾™„´i“4èžîiûà`A}jì,†¤Ù_¿#KœÐ=›<X¶G3ŸæòÍÒÇðOúJ Ì"Þ#Ž&¢?[öp
ïÞõˆ“	¼PДM{o.XØ�P$©ìOç
]
+a¥Hš~Ä··ã›óË/À
+<¡a 0\Ç7Ÿã+ûìvÑAün<D(%Aˆ1‰ç7“Éø,ø8þëâîÓõU<_
¿O?ôÆÓ-¸æ
fÙß½¯ßq?…s|èaÄ"%úOpƒ‰"Ú_ö¸`HpÆü“¼7éý±UØx[oír
+	Êe?`•cÕí6Œ°
+)˜¥¯çDCèå”ðBuF̺ª#Ê€ÃlÍò¤ª«H ÃE¯ÂÚ
+âj×6AZÀ&z–÷ëýRª£iX½ü†Nõ<Ùäkç\÷âò^‘S{³©ô|“¿gÀ'Àñ�0ŽB*Ø‘˜4¤^	Š—ª£’vs›Š„ç¶4[éÙº\=DF`9¿
+Îu€kEFÎÚè®Êò'”–ƒy¹²@yóH(1‚B±@�7k±–r¦PD€%¬˜­´Êê…�ªeÀBDŠ®óïi).C'™8¥–`
[
e¸í„�AÍ)�	‹¢´¯R+ùôCvU”ë-´¶¶Ýùú
%	艞#l*os¨ýöÍä9Š°„&Ã"$”%Ìñ—øúöjÜq,$lpsÃÔL¥IS2¸ßdyj–Ô§1LÞÇp•öéùÄ>¼»³÷óúœåÒ>5{¬ÃU3úR!…¡bÇä¿’å°á¬\¢ŒÙ	¶Ç@!ª(RQ´Ë
+Áà"ö<š©­Ï§r“»å½ö¥_mtú¶ã@à@A[j«S¨¨*=Òj¾*—
+¦×ã)]»Ž‘VÊÀí,1ͨ�1<HuÅjÊÔÜÝ?Û뺱Ý.²¦‚º�ÌÓ™;hÄ�ÜóÊÇþÐI’$'™ùë
+‘
+Uزo“Ÿ“É0Tí‘c‡
™sâS‘Pªý™ÜZèB¯’µöÕ⺟+Ц�*Ó0
+O“çj­—ŽÎà{©\­³ÍrgêŽKŸP…!§¶ãŒäÁ¸É[¦{çɽýÒ¯ÓIBù0KV7ÝUh¤ È¸ÜË"ÏNVŸ¯„pûá1ŸmëªE«¦·Øô/Ëü¥_`€"ÌÏ&9Þºúÿ:³û-Š‡ˆ)õÂGÆÜ"âA?À(¼]À”.
;°ÿ\y™bendstream
 endobj
-1803 0 obj <<
+1908 0 obj <<
 /Type /Page
-/Contents 1804 0 R
-/Resources 1802 0 R
+/Contents 1909 0 R
+/Resources 1907 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1894 0 R
 >> endobj
-1805 0 obj <<
-/D [1803 0 R /XYZ 85.0394 794.5015 null]
+1910 0 obj <<
+/D [1908 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1806 0 obj <<
-/D [1803 0 R /XYZ 85.0394 181.7045 null]
+1911 0 obj <<
+/D [1908 0 R /XYZ 85.0394 575.4191 null]
 >> endobj
-1802 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F14 685 0 R >>
+1912 0 obj <<
+/D [1908 0 R /XYZ 85.0394 427.1073 null]
+>> endobj
+1913 0 obj <<
+/D [1908 0 R /XYZ 85.0394 329.3834 null]
+>> endobj
+1914 0 obj <<
+/D [1908 0 R /XYZ 85.0394 262.8864 null]
+>> endobj
+1915 0 obj <<
+/D [1908 0 R /XYZ 85.0394 196.3893 null]
+>> endobj
+654 0 obj <<
+/D [1908 0 R /XYZ 85.0394 155.0304 null]
+>> endobj
+1916 0 obj <<
+/D [1908 0 R /XYZ 85.0394 117.4002 null]
+>> endobj
+1917 0 obj <<
+/D [1908 0 R /XYZ 85.0394 84.3344 null]
+>> endobj
+1907 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F55 1025 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1809 0 obj <<
-/Length 1934      
+1920 0 obj <<
+/Length 2406      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥X[wâ8~çWð°äL[#Y[ûF't3’
ô93Û�ðŒ/6ée~ý–,ÉÁD„žÝÃR©\*}Uª‹ÈÃ�¹@B†rI†8&|¸,x¸†µ�byÇs½_~ü@£¡DR„b¸XÉŠŽc2\¤_FïCW 
�nfóùä:˜O?Îþ}7›\$ŽH4ßßOf7Ó_¯‚�c`fŒG·ãÙçñ'C»¿’áhüq2¿z\ü<˜,:ÅŽ•'˜j­þ|yÄÃÎðó
-©=h„Ô‡—HPXÒh,6J€“G¬D¢(Œb�¯yÐê`˜zòB
C,-ÓWŒÃ\]‹Ñ²*›$+k3Kô_¤Ñ6ó_&¿™ÁîŠÄ#µ¬ÚÿÔКMÒX!IiOÊ
-i¥ì÷eÕÀ"Ð7¤Ø&yV¯µ*Õ.ÉÍÄn“šÙV튬®³ªôâø¾#y€dˆðõ·}4B‚I‡vR¦~‹ÌÅwY„s)zÑ(D|”˜鉰G5ž
-k«wÔ‡¢PÍ.[š©*—»Ã¶�c›Ï:CZ™õ~¹±Ò-å§ÛñµuOÇ' VíÛþÎ@ªžUiFͦگ7nl�±Ý?åZ
=Ö ¢=x;Ñpšew²VìŸ{àÉÁë‘Ň;VÚp#I9kÕ™ü:¾½ÿ4ñ 	Œ`&¥a\èx
-·9¤Ä�wEÚ=��˜¿HÄÁSÖè	DîùØP�š@iAÖsF ¤U
—Äl×èØÞD_Afí¨þ“Û\¡eUx4Eœ:^�.en»æyõ-+×fKQ8aí[µÏSC²ìàä{•þÓ£S
-�âh=×OËîg
-ÈCAbþ[Z“ù€,Áršœ¦GoѶZc¿œ&î4ÆOÊÆ:‡‹…;ƒ
Œ«Õ‰¯�e
-ß‘O¶ýåHIôÆô‡P�/ë;mÓw�
-3wÜw�‹¾|1Ä0
­9ûðzŒCº¿´Q«i/}»£2ºPð:¶@PÄDº uæŒgb lË7ƒ !q—„»
L� ò8ã'1ùdóóñŽPxXte€ïÊSïêÏ'6MŽ?Íï.
-Ue4Yá«ÆYYG§2W™

cÄetÒTûf»o‚U–ûä÷ˇNþºmºÑž=áê	ÖÝæ.Mô3@[téÄå—±>*�zûl�Äì¢ÄL_ögW¿è©h�Ê#Ò·Ä
-oq†j"iü™6¢¯œã÷‹:ÿž5 ´�Â�…§g%ÖU@§š%ùym	Ô ‚įnHuQ:´ë¿cµ;/Âœ"LO›5çÊg!ŽP„ãWž¶íF;Ï^ý°ƒ*¦*Rõ|æ~cþ
-ðú2àM²kÎÝp%PÔ•�Ô¦=ŸUÚÉÏ¡›Ê¿?Êýõh«¯XB6“²²Žµm°0Üp§B�ÞÌ-žÄPŠô’ÉÍd~ý0½_LïfžúöíºÊ“Á¦4dî^jF��kK{hÿõgª\NFÓÆ�\{kg&K‚i€ôð0Ÿ~4´þ�“m)´š\¥û¥êo«QVÚ³ÚÕm“¬ª•}m°z÷°5=‡Œ�ÖŒÛÎHé: ±<XB“4úDÐv-@KU®Ö‰îÉíÂÊhX˜ånƒN? Úâ
-ے
ŽšqWÞ–Uûe&™-®RÕèW£$ÌŸ§O
+xÚ¥YÝoÛ8Ï_aà^ fù!RÒ½¥MÚdÛ:¹Úv¯ÛÅ–!²ä³äÙ¿~‡RmÚ^ààRä�3CÎ'i6 ðc©ˆJy:ˆÓˆHÊä`¶º ƒ%Ì}¾`3r Qõazñþ“ˆ)IWƒé¢G+!4IØ`:ÿ9ü@"r	èðz<™Ü|}¹ùãÓ÷ûo_¯>Ü|½1™$jxõðp3¾¾ûýrÄ%…%°€Òá·«ñ�«¯8öp™òáÕç›Éå¯éo7ÓN¸þZ²ÿ]üüEsØÇo”ˆ4‘ƒWø „¥)¬.")ˆŒ„p#åÅäâ?ÁÞ¬Y<F	ŠN„³
c$•’{G"S¢æH&oU½nŠf+‚‘8QbJ¤d,ÄšÁqs	‘‹ÄŒ)«Gˆ±�¢JK5¯š&Ÿ�žó·Å¦^•Ùc^^Ž¨a”iAß®;LÄ$J¢øêÅY¹¬7Eû´B¨Ï͈Ì-rT†¨Å$<±ä}HHH’()-êçh ÄIµ fVfM ÄS’$qjQ¿pŸ?G‹
+ß&µJÛˆÎé,Ø´08¹½ÒÆ(D<¼ž\½Ãñ1˜°èO&8ŸÀõ-¶šÃu±Ðv®
9ÇÑÛ¼,WY¥ùê:FàÌ;	§¶ÍMFцŠâbúÌúþ2ËšÜ9E“WMÑ‚ç·ŒƒIššeãºÕÈ8²•‚6³G´Ïšº§ö¾¤Û>Î
¶6 ÷<këÍBuô0¨ÕºÌWyeévŠ4cë�š�>©Ž,À=ÍêÕÈß2j(Îóù©mé  ·ÅðÐM(ضõ*k‹YV–o8Ô˜è©{hÉÐ=»`DE¶$ÇÜ?‚*DÄ2:íþ}Ôq÷ïP^•Òwÿ”0.ãý"¥/W*IL•<-—äòüžRˆÔñž`“u>+Œµî™­Øt×8´˜Œú±¹C»ä¢û‡ÉÅå�‡/'ÿbÌ…û—b–£_Ó�ˆR©8£�ê„>Êè£
+…cF »R£_7yј)Ñ$=-\‡
+HçGc×Ê}ñ|­¨Äž3tê×*×^¬[‡ƒ•Ÿ!CÚfŒ
uœVÒÆi˜2§[
+Ò1aqW^ûÕ££¡ÚL…ðc4�Í! Œ	Ækàúßûñ
Žh3À@™
ØR‘Lù‘"njaÀOm9¢‡4!¸û½4ÚŒ\I
¨ÛûÉa†´7ãéÝôœÝÉ
+æÇPØ@*b_²»jé§5'	—pM/Ç(Cwx—
+�:ÍS½--ú){É=6]´põ9Øín�cUm…2hÔ¬N±,�˜o±HÉÖæx¤¦{7¶±ß~ƒEÎ�š
ø‰ ðœ6ƒ>ê¸t(c‹`&U‰P{wjÏÀN•œË�byW5	õsÂ|±&¹)†ìåLw|­ÄÌÖºÏ1öÑ»I¼hå¥]eb{¹‹yHÊ7)­õXØp¯—W¦*‚žÃ-«â¯ HX†Ž˜€<”(ßé¿L¾ì²ø—ÜZ“biÍ>`Ô%¼ài
1
3‘H‘8–g’{uÂDʘÈÓ>Ke¼õK
+°ì«?f„­Ígù°)*Wtf¶
+}ª7­ínW«lóæS]éT¯Û¢®š½›-ÆååV—Ù®4«¯
<J	çÜ•‘»×†e^’6l2•‰˜ÇuÃ"BádÏ覇:¡‡2ºy>ª›S,wº9`ÔMŸåçJ¦ÌÝÐo$Ýó{Ä€ÃÚÅ((«<k-;z‚,�ÂN‰3'ØG?ÁeNp}¶tí?ÏKדÂíJ×Cé‚¥«'ÞŸ®XjŸ©à’»Æ×(ÉLÙ"TOšŠÈƒ/­¾æ8þ¼+d%³aª:1é™?«íê1·WôǼ}ÍÍ[LPWÃò3…¤®Nú�Ki2(µ±”3¸°,²mÙâ‡É‚Ð
+ÝPWrAÁêJ.˜»·ÆÝuÝ4Åci)u˜;
 endobj
-1808 0 obj <<
+1919 0 obj <<
 /Type /Page
-/Contents 1809 0 R
-/Resources 1807 0 R
+/Contents 1920 0 R
+/Resources 1918 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1894 0 R
 >> endobj
-1810 0 obj <<
-/D [1808 0 R /XYZ 56.6929 794.5015 null]
+1921 0 obj <<
+/D [1919 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1811 0 obj <<
-/D [1808 0 R /XYZ 56.6929 635.5323 null]
+1922 0 obj <<
+/D [1919 0 R /XYZ 56.6929 748.122 null]
 >> endobj
-1812 0 obj <<
-/D [1808 0 R /XYZ 56.6929 476.3563 null]
+1923 0 obj <<
+/D [1919 0 R /XYZ 56.6929 665.5133 null]
 >> endobj
-1813 0 obj <<
-/D [1808 0 R /XYZ 56.6929 407.9215 null]
+1924 0 obj <<
+/D [1919 0 R /XYZ 56.6929 579.9397 null]
 >> endobj
-622 0 obj <<
-/D [1808 0 R /XYZ 56.6929 365.2162 null]
+1918 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F41 925 0 R /F53 1017 0 R /F23 726 0 R /F55 1025 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1814 0 obj <<
-/D [1808 0 R /XYZ 56.6929 326.9947 null]
+1927 0 obj <<
+/Length 2100      
+/Filter /FlateDecode
+>>
+stream
+xÚ­Y_“Ú8ŸOÁÃ=˜Ú³V²$[~$ÉÌnBr©Û«Ù<x@€k�Ía3©ÙO¿­Æ
Ùº›y°,·ZÝ­î_w2ÀðO‚#LS6HR†8&|°ØÞáÁ¾}¸#–&tDa—êÝüîç÷4¤(�£x0_ux	„… ƒùò9}ù2™Ž†ÇÁ;49ÆÁ§Ñôë裙û2L£`ôa2†$<"®ÈbŒ§³Ùä>üuòŸ“éðÛü—»É¼«+:ÁTÉôß»çox°
~¹Ãˆ·ÁwxÁˆ¤i4ØÞ1Ng”º™ânv÷¯–aç«^ê3§q%[Dd@J9�zÆà)ŠiDµ1@‹ÉÓHé;ŸŒ�ö ›¼ü&
+¤Ú�¼dµƒ‰I`Ü#vÚ&ÖåÒÌÐC>Øæ�rE’\€m½D!5 tÄXª•Ao9ú¢ïÍËÓ³Ø^
+çíŠ�ËK¾—9IC.I	ʾ‚=Ò—GÉ
qìúž<V÷(%pÜ1é÷|#}R¦(‰Zc¢Šal°�!uÒ�ËpÜ‘N½eꑨÊɼëúB
Œ×,*—Õ\³ÉËDå?5x‘†
0”{í
+j¼¢êð�ƒ?«ÒnßEEÄ2·;5P9hV*FÔWã�&ÿxœ†Æ\,F±€ ìyÊýǯãI›Î¹•�ðRuÑmÓ‚[á8vÁ}åÄ�kDÚœÔêÄp×¼¬ƒ›ê•õN.L±`>kx(–µª_ÔtZu «^^!êòêPÛurq
+xè±Tm<NO•Ø´£?ÚÑγQ
+QƈSg·¯šjá‚Às‚ñé>{Oˆ\sw	±‡2®Ú.å«_ø·Ö2­o2…ü Ë5”·\­åÙxx†T©o*ºîŃßïúgÒ2~½)l!_eñƒîW‘î°
Hy‚YŠÆ“ÙýÓã—ùã穧=¹’À=`§ˆGiÔw9ÓbÙfdoJDQ…®gªüÑYºýî*xËìò¥TÅOiÚ
5¨yš¼	ÈIÜ®(—'ß Ý1u×Cyðؘ)UâêàrÒ÷2+êªMÓ&€úäÞçPÛo®ÃÂÁ|öøáØ·)V¾\g‹c˜AÁ“5VíºUîz¨§.¶êb§Öe”jŸõÏÎÚz›/DŠ"JèõœÒ!rW›ç)Åi”véƒ÷ÒJDÊ}Ù£×û³ÅQr]´–è\¶^bÐ(!xO¸™, QVfÌvo0XìßvMµÞg»�î)aªs)ý‰Ð=|àÁ+Ô�$8Ø·jåP@ì”ÆÄŸ+û½F²µ¨³=Ô�ÙþÅJ¦[+=X™
Ÿf£Ocn›j(D”Ò¾÷*¯*åUæžVûªÐKg#íj)Ƴ‘¾ÇeÁâ‘ö?ê)GÁƒñƒy*Öã|¥ÜVw7föAÅ6+�Ãr·ãçÑ}â»4-'q]š°éÁ]•fG0€†+s$ª-ë¼É_/ß|ª+{�Ïà6Fþç_Ž÷]�1¨è\ìõ¯’0°4%N(¥1!ôTôö7„sÙÿ(l7wendstream
+endobj
+1926 0 obj <<
+/Type /Page
+/Contents 1927 0 R
+/Resources 1925 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1894 0 R
 >> endobj
-1815 0 obj <<
-/D [1808 0 R /XYZ 56.6929 293.3376 null]
+1928 0 obj <<
+/D [1926 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1816 0 obj <<
-/D [1808 0 R /XYZ 56.6929 221.9809 null]
+1929 0 obj <<
+/D [1926 0 R /XYZ 85.0394 752.0811 null]
 >> endobj
-1817 0 obj <<
-/D [1808 0 R /XYZ 56.6929 108.6903 null]
+1930 0 obj <<
+/D [1926 0 R /XYZ 85.0394 529.0618 null]
 >> endobj
-1807 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R /F53 962 0 R >>
+1931 0 obj <<
+/D [1926 0 R /XYZ 85.0394 453.6936 null]
+>> endobj
+658 0 obj <<
+/D [1926 0 R /XYZ 85.0394 414.4777 null]
+>> endobj
+1932 0 obj <<
+/D [1926 0 R /XYZ 85.0394 377.7886 null]
+>> endobj
+1933 0 obj <<
+/D [1926 0 R /XYZ 85.0394 345.6639 null]
+>> endobj
+1934 0 obj <<
+/D [1926 0 R /XYZ 85.0394 279.329 null]
+>> endobj
+1935 0 obj <<
+/D [1926 0 R /XYZ 85.0394 194.9705 null]
+>> endobj
+1936 0 obj <<
+/D [1926 0 R /XYZ 85.0394 119.6023 null]
+>> endobj
+1925 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F14 729 0 R /F39 885 0 R /F53 1017 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1820 0 obj <<
-/Length 3191      
+1939 0 obj <<
+/Length 2835      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Z[wÛ6~÷¯ð#}Z±¸’D÷)mÜ4mâdk·»Ý¦´DÛl$Ò©8Þ_¿3˜
o¢¤œ³öƒÀÁ
-iÏ—›3q~}¯Î$ó,ÓbÈõÝÍÙ7?èôÜÅ.QÉùÍÝ`®,Y&ÏoVD/Þ¿¿¼zùúßeEô]|±°BDo_\ýúâ
ÑÞ_8½xuy}±�Y*S`2È–ˆèåÕõõå÷‹ëׯ®þóîêòâÏ›ŸÎ.o:Á†ÂK¡Qª¿ÏþøSœ¯`?�‰X»Ìž?Áƒˆ¥sê|sf¬Ž­Ñ:PÖg×gÿì&ôú¡sÊ°:‹m¦Òm(y.eì¬U#uX'Zi¯Žwïo^¿»ºÞÛ‰ˆ…�¥JÄN¥jÞÌ´r……g̸pÝE>]ÒéXëL_20Í,©K‚Áµtv¼äoRʨؖwÏdè|½¦Æ}QÛ¼-VôØ”÷UÞî¶2‹Š&>¤›$sq& qT7C®Ãºé¸¼n–¸ä7?X;à”"Vl+<Ër�7ÍT0©l,m–—¬ãšm¨C©Á%��cÙ®‹eùAU4¤¬ö¡ Ä5H6߬ï&Lÿ­«â°BmÃb§:à:¢ÐÀåúqN¡2ΜլÐ�Åóž:¥‰³$µÇåê¸f©S‚
g(ÙÍ…9ZÞ^,´’QÓixEÍ7ò†Gtåýµ¬î'Ü@¬·9¯ž'ý°„ÎïD6¥£›‡’g¯Û²®¨½Éy‰Ûb_8Pdì„ÊP
Œ3°©ÍnÝ–�k6y[nŽ‘´q"�;aó
×›.oóõŒÍ]ÞŸ²ÉWõ&/«=«ƒÛ-’ã’u\3¢�ƒdÓ�e{Åx
-JšS%6zùÏ�߈Ö-QA@bZ­J²RÛš¨WÐðVÅžÂ
-ˆÄŸ/‡–ä±ÕŠ—¸îfG»k‹v/¨�µáûÑ�–?>Õ*˜pC$Ö�mí%Fx•oŠÁO~¾¬ýïê°OØTÁ©'Òã>1ä:ì—÷‰ÕIX•ÛbÙÖÛ}4°"Ná$>*\`šnäÖÆ©4z,Ý›ºþHŠºyAµŒ2€Ç©ëñ
-}Äs�æ†l@ÛD2†ê:@59ûdV-ã<tnû“™m«,äSü‡¡dß9íu¦526J&'L;à:bÚÀåM{?“Od.9±d`šYr’Odi:YrÅxü]Ï:yoP:Êõª?
-C·g®7ôĦõm¶«Ñåç²i=¤Ÿ\ñ©ÉÍí(ú6õ§bu8ò ËÐBÙæp1OàòæiN¦4M›oÛžû¡Sš$=.^Ç5#ß(ø؇n¶Ëk|b(¬BcEæš1ûÊ
w>=Õˆ_�I ÿòT
-ÔÜ7o�°á¡Ÿòu	†Y(gù0FŽe^Va
-îÝKÈèEEÌá†ìÒóRË˧ðxZ•Ĥ=åö™×§Ÿj·¹
¢•<ÿïð÷öíË…ß‘Ÿ'/üñíÛëkô÷4ªê6ÇCïxVÉH	ø³ ©1P³!¨²
-<²‰èw<
bÍ9©†-&&ù'µ.NS›1+{¤Ñ
-S|=R�‰
-’Uc3�®è±G 
PÅ…sÈA×�Æ¿)ס¾œ€¬´/ì®'“�Ã>L0ƒ�¾â4j¸;m$ï;ªúé««˜ÚnØ;n*n&Φ^#c8Šì
-Yw9ÔαK[é§>qA2ä:Œ]—Ç®»Ùb9ÉtÐT½kwíâ®\ï£$T&Môqñ:®ùÆé™��MÓ±€¾LÕ2‰ªÿ!£
4˜†…&þ’M IX"úºç…Xh¡Î¥{`mÃÄx‰â�Dº¥‚\+ífÛƒ·/®XÓ3Ês€–¤±4P9�cF)¥b¨¤åØú,Á¡’Nñ{wYùÍöå–à‡}H¸X›ìÄ…Ë�ëˆ.ïC{ø¸1'–L3KŽ*0Î`'K¾ß–Uˇ~ÎÁC½ee4»Í&ß>¸Œ k®0¸â¢,÷A~¿ÛÝÄ-ÎHÊ8ÀÕ]%U
Àì-ˆ¾3cÃÔĉs#?˜³ŽJ3˜×�ÈN†\‡­Óqy딧®Ã@•Åª�ýä|4¶£²u\3Â�““Ú©K÷¯.ÓÈéç‘N�Oe½kÖÏ‹œØåì[%'�yÓ„Þœi>(ðlj>5ñW›Ø¸-†	­ÄÙ
-ÿLLƒí�2fFo“Í.t»5 óQ ‡ÖqRÝL3ýçå:”a	ÿ”3gÎS€kƒäwtg0©\„g5Méæ‹jaÒ]V£:k_Y¨®²ÈižP×e¬Û¹¦Ï
Qîàû®õar!h„Íf²Û,/ƒ½·LæÑ4b¸7“�ºçV¿OeS»iÊUA#W¼rM¿·¼ª—’®Và©©ëÊOæ<4Ìå.íñ{–Çu¾ä*Ä…PK´ëÏ2	‰Rw¤H§‚�Þ›Û?5ÄÀn¯£¿w�q ñ
q
{ÛnÒ’Ü�·[-™~[´OEÙ€{ôª‹H*T]vˆÍþ2ª�k%
âÞÑrÅ—ûñc- …Ô_�«	<B†?{'Š¸/.jCÈæa¿(ð´¬� ©O[Œür Oc­º´)ÔK
¯5z³îðó–Ëi	…›R“rºV§tK„Í„ëa aªŠLUÑi�sâ	ñ”
˜@‡?�
-…<põ	:*¯-ýjØäJæ_+á°¢¿šr
+xÚ¥Z_sã6ϧð£3³VHJ”ÄÞSº›Ý¤’½Ú�¹^ÛÅ–ÍÊ’kÉIÓO 
J¤-Ë7;;¤È
@€Ÿ0øÇ'2b%Ô$QQ —“åöŠM60÷åŠffA3õýâêæs˜LT bOk‡V°4å“Åê÷é÷�®�›~zœÏï>Î~¼ûíËÝãõŒ«Tªéíׯw�Ÿþs=’
 ŒM¾}üõö'ûz­ÄôöËÝüúÏÅWw‹N,WtÎB-Ó_W¿ÿÉ&+ØÁW,�Ãä
>XÀ•“íU$Ã@FahGÊ«ùÕ¿;‚άY:¨
+ÎÆb@"tt‘ò@*%'‰TA”ÖÅcÝæ°©DMùw׳0VÓö%kqd]ﱃjú
+#;P\å+8Ÿ�³ég#,Îbþðåvï¾ý8ûù“Ä/CÚ^HÎù4°”…X+W+
+¿ß`;Épà¥Æ(Ó‰ÐóöÙ¯ó»_ôf…»sä
+
r��¸Æט[$Äý?œ°Ÿ÷.§^-
‚49v�
4ÄSüXfRTM^
&
Mѯ¹
Wù:ƒèA1À¤+ÐÒiCom“
+û›lîúº:ëø =})Œû½:ïöd¼~9äõ:ùƒ”ÍxYÂIK¥b !¢Q©,æT*Ïݯ ÃvÅz¨V�÷´æD¢Ðæ�¦—c´§;¢ËçL»ÂÉe]µYQÕæhtš—úPú%{Í=œ˜6]´±µô	³tú°Æ±ª&¡-c&tÎqß@�e�¨OÓ}xôÓH¼âÏ
+.á0d[ó‰Ò(×´ÈR4à[¹%vwûb›cwmä©·¸ø—ÏqXÈPaï­(Kì=Ó×^¬‰^Ý4Ås™ÿK{„:?|+ÂkWHœV˜Zøw†8k¾aœŠEŠ~uÞ|;”1ß—“#˜J.°´ 
–®IBÐbIzÄò뾨lNE
®ð=é¢9l·Ùž|ÞÖgÝI½Ó‰UsTnÑuqÐoH}²†9½—ýG
+LJ$ä—«ªiòål¬i €M*™ÚÜéüÙè?Ž¦�œ�ÌÁ|;{0#üús9æ7x,¿/èP¤ç.›õ>)pX™£±½›-;«;¡T�^(€{ÌyÍÆ(nw±øÝíë¶^ÖåÙâwD¬¾ô=–k°ðuƒ[Û¼)z+:™øƒÂ˜)*`õ¤©.<8=€¸rŸ±$�Yœ§Šáƒ!|v/fÂyÇÐŒ`àXXº*ÈçYâ‡`!¥ÉžéáLîD3ø0ÑÚP7Ì–kPìÚr
æžÈ€ kÃ'~uÅ›U€ÄÛF÷\OwGhuy­Ùc™©%©°5�]w °KZF[<*ÿ
+?šÃr™CÕº±ÝŠä’õ:¨ûµ(cÁûKYçį·«üõ4£€š%‰’qá:Ô€t¾Ë€ËؗΈeöå“A¥UÌa˜'T†Ù¤nQÚ*7UWKÌIú•€Üõ¹‰&ôg¸Å©Umù˜MO“}¿+Zž
¼ô„`¥\	ëò7 ¬kÔi�DiêŸ<
+9p€°0±wú$Ü_‡lÕ˜¡ö _,s�s„Ò¾«Þ/ôO=<¥få¨Ç‹¦sïç:³µ°™©v¬‚Ž7BÆÇX:dGÛ�%¢tÒ{÷ðO5²gš72ÂóÄÔšåK¶Ï–­	$€C
r�­&XÒ˜[Èk<)ÜÌ­²–ˆêGÝ>wJ·`¤¨À(²•/ÊxvEÏ8›=˜Mf%~`¤=Õ¥þùAòî‰�Na5üDrn-¬pÞ9ð^l»b×9G“ïésì2|¼pž–GŸx"�Çœs>âÆÄ›æâÃQÓîójÓ¾œÞ˜øh}D¬s"—ÿ«Ü5"Ž\ÁŽB�ýÍ: �	ûF&3b/NF?ݸh÷÷žØþÞ3H¥ F6ÝEÉÜ‹>ÁLí.µëóй:Ó
+2å{Ùò°'Ž­ýð%#ƒ©èyq•ëW9Åî°‡2·†Ó¥ZpŸž·¨Y,.</¹¨;±(c)íàÍ÷„��C¿)¤údS5.–
ˆå½‡€-éŸÎ=±Ü'Fa«¸äñ]IPÑϸ1
 endobj
-1819 0 obj <<
+1938 0 obj <<
 /Type /Page
-/Contents 1820 0 R
-/Resources 1818 0 R
+/Contents 1939 0 R
+/Resources 1937 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1894 0 R
 >> endobj
-1821 0 obj <<
-/D [1819 0 R /XYZ 85.0394 794.5015 null]
+1940 0 obj <<
+/D [1938 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1822 0 obj <<
-/D [1819 0 R /XYZ 85.0394 751.8312 null]
+1937 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F55 1025 0 R /F41 925 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1818 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F55 970 0 R /F39 863 0 R >>
+1943 0 obj <<
+/Length 2184      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥YM{Û¸¾ûWèЃüd‰
½ÉŽ’x+i¤<Ý6ñ�a‹»©){½¿¾ (	½­} gï|Sd„៌C˜ÊhË1LØh¹¾À£Gxöþ‚XšÀ]ª«ÅÅßßÑx$‘ä!-:¼ÂB�Ñ"ý>ž|ù2�½½ùå2_¡Ë€a<¾�̾M>™½/—2OÞOç—
1‰�ˆk2ŽÇogóùô:˜ß¼Ÿýçólzy·øùbºhë*O0ÕZý~ñý�R8ÃÏQ)Øèn0"R†£õEÄ(b¥n'¿˜_ü³eØyÚ¼êƒQ�˜c!‚$cá
L"NCÚÀñ~:›~�è/¦oÍù?Nÿ=×'ƒ÷iM<‚§($Òàø¯•*,éP…Â8Pk¢´¨*µ~S/�-u—'—(Ž¨%^–ëM®jU�±W»åRUÕÃ.Ï_.	!ãŸ`_Äã¬ÖW<Þl³¢¶´‰ÙªjØ{4[åƒÙ«WÊl<”ÛµQ!:P˜bXKb•øXÀz“$É›Lÿy”oŠB&íuiØk9@;
+¢P �Q>
+Zì�¬ª“"M¶—DŒSs¹«7»‹<^¬²Êl»kRØûTuöãp™ÔYiwÛ“Âf樰
+`‘¬U/T\pˆ‡(:U—ªª–jª³R÷P�ˆõBu œÞ‡w
{ *vkµÍ–æ¦ñoµ1—
+·ã²M@vßLòÇr›Õ«u?À·5ÎÜ¡:°£øœÔÀÇbý
+—ÊÝãêLÞÒ¨ø³‡yìŽÖ°ý}49¸ý¾htÆ°eM›®µ™þ2¹ýòi:<,ôL¡{cJx—D$×°Pf?1—˜‹à¾iU)ŒXó‰Ù5ÊR×ßÂŽ9)ì¤åbÅš]˜�èHtÍŠú#Ñ#‚ÉÂ7|À©XÛØhŒ]=ÒÂÊ</ŸM“
"�ÅÚ€
+ÏžË]žšý{K¾¾Sé?<:!çH„°w¦ì†Ð 1ׂfãÞ\
 »a)›á³Y�?¢'{5&ߟnÜi˜�©¬‹œ'œ©|G>û±£$zƒ1}rÂñ°¾7Mµ`._áÈ÷'OwGÐÑSòúÉÆíØÛÕ4•è2ÂiŠ�܈‰t¹ªçŒ=)ŒpPºª³9
+¶Äm-n˜\A¥�9îh„Ÿi=(ä=Ì]%ò~ÐÙ`{>µÕròiþy8XCTÙc¡«¹®ÝB—WkB*»l’9¥®nfö‹„´ÓuVdà‘IízÞ¯êAÛKë”·I±ƒšäsÎyð§
+@'Ú:þõݵáÓ¼ôð‹ 8jüev"bÿ;»è˜8=dç70•‰ˆÄ~òmñáó×aÃÞ@»¾-”Mó—
+Z'Û»^C«Qnël·Þ‹…ÊqWP"h[¥Я‡²€!—¹Šë(œÞmˆg0Lô¨&à\±×ç쨆±Y™¯xf½®©ÛTW—e>\ç/E¹©²êx”„Ð#’�SǘžIRGwÈ´5½Ã-t”L4ѽgq:eº¸¥òž^׉ïArçVKs2v8‹HÑý˜—'•/é…	»œÔrL=
'Á™Ë�ЯC¯^n_<LY„xغjËT
2UEÔÙÚ×’G1Ô\ó|ðð(ø“q|˜KÍ÷¹à!Ë}ü›‡–ÿc»Zµ«ß<2!ðxÔÆr[$ó¿
+…asœ
r¬Ê$€q5Kò~m	t œˆ“)¹ÃœðøW¬öÙ‹0£�Ž'6çʽÇ�=ĉ§mÚÕÖ#ë0¶ÐÔëT=õÄ7f'€WÀ×ɶî‹p
PÜ6-׺]=õ*íøç0Qå¯ÏrÞÙÞKH(fòhNûP�À�"I°C©JòÚû„&¢Çò>Çe­‡R˜6«×4±+]šäfö!!„îú>Å‚\ý;”§Vá¶>þß?wí¿éBV¡Bì¿ó~.m¾ïCb•ÒÇ#„«Þþ0vªû
<¥ø¾endstream
+endobj
+1942 0 obj <<
+/Type /Page
+/Contents 1943 0 R
+/Resources 1941 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1952 0 R
+>> endobj
+1944 0 obj <<
+/D [1942 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+1945 0 obj <<
+/D [1942 0 R /XYZ 85.0394 752.3199 null]
+>> endobj
+1946 0 obj <<
+/D [1942 0 R /XYZ 85.0394 504.8188 null]
+>> endobj
+1947 0 obj <<
+/D [1942 0 R /XYZ 85.0394 359.3246 null]
+>> endobj
+1948 0 obj <<
+/D [1942 0 R /XYZ 85.0394 298.3625 null]
+>> endobj
+662 0 obj <<
+/D [1942 0 R /XYZ 85.0394 260.8495 null]
+>> endobj
+1949 0 obj <<
+/D [1942 0 R /XYZ 85.0394 224.9084 null]
+>> endobj
+1950 0 obj <<
+/D [1942 0 R /XYZ 85.0394 193.5316 null]
+>> endobj
+1951 0 obj <<
+/D [1942 0 R /XYZ 85.0394 129.6476 null]
+>> endobj
+1941 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F14 729 0 R /F48 940 0 R /F39 885 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1825 0 obj <<
-/Length 2975      
-/Filter /FlateDecode
->>
-stream
-xÚ¥ZÝsÛ6÷_¡·ÊÓÁI
-3wÅ·<Lö�º¸/Óæx¸f鎵X™˜›„`6†RšÝäD‹üxå›ÇšZõž iV”÷ÔU”kêÛåe“n=®·©ë¢ö}^懔x‚½Õ#ž<ìÇ}3L&I컬Ùå¶Ø䈧_�22Ët[WÔÛøo]\þµ
©}t (šš~?¦Û"K›êPûuÊÌOÏ@¢GÝ=ûÎ
 «:ú•×éšÔÇ�cÈ`wtÇVµ,*œ‚…Š
õlS·î½c™\–ÇÝí
cÕ†:?†kêû²ªü®¡î¾øÔ2mèëô
-ε=Ð(´d‘0vžÈ5BeOÌZ³äÙ'Ø*âzyóñ
-É’H¢Î jl#ïÅÉt?QòømÂhÈQN¸Æ7+ˆ]ðûU]wÛ¼]V¨éGzò4Ž®,øΓ¾ÿ�2ú+Ï÷øs§àÈ-œ�¸û�¹W5hŠW#»DÜ4¼]=”óN[Ć)Ó
--ÿùªÂ2kÕYõX_ѼL-Ê™…HËO8ÓT
Ú%Œ\ÀÙ€ÜÈŽ*A
-駎fØ–p¦¹’/°­ƒša[@MêK�w
-.œ±É<	-j„†ï@[#ÍmŸˆwÝ�êp̵�uš}þñjk¤÷›‡¢yØA𴮧™«8/’˜ÛAÍ07 ¦®MŸ·¢vÍSТFHèñ–d û4Üäÿ˜£!igt«M˜
OÂdP!�Í÷ÕúaÒQA>Å$0jÞQuQÓŽªE9GU�‡ *Òmjr(î‹òL7X›yÒZÔmý(Ä0¹dŸ¸ÛÀÈo.Ppltĸp˜/ßm¶ã”9e¯†²hc½ ‰æ|uœºõíÂË(­ëãng†0¶]#Ð5!?¸»Œ+#çå×EM˯E9ù}|)Ѐ„cl¦‚ŒÈà‰ç	lQ#ö¤¹7Ü$Ó'ÑIQiîÝ?¶…ŽÚ3D&µƒ·¥I‹²€èÍvµsBÐ�mt$0~
-:N»Ö4u&èÐwsut4�N8oiDã1‡×žÑ(!¶LÛÓDXü�>Mí¡™@C: ´8“ˆè
ë f4, œ†í‡[&	ãV¿°e
-U×ëì$Mé±°!Љ=¾úUSÿ_ùó]Eúžù‘|;¬r©¤S�Áq@ä3
-½\÷øýb,ö…+Q`É3ruZø¬ÒCº¦R-àˆy oëáî=	YµæǼµã¾¤ß;¿»/ìBOQ‚R¤YŸ”fX[¤«ëùîã§6¾r‡LOU¶ãX][ˆ˜Å"žÈK!Ïid…X”Y±N›¼në{>ZëË‘jÄ.p$=TÇmÖ�¶ðÌÓV‡k–Dò…«‹š±:
å¬ÎYÔ”(¦¤¶ó[ÐÈ–]^%†)nUËO‡"$tu÷¿Æ<¬_Ð\W»ý6G¿1ɉ5ÉãyŽtQÓiQŽ#�/&
Ûü1ßžÕ-5–\ä<a
4BX?c��Y@æØ£²¶z™gùÝñþ¾ÍuaÓ,‹ ڲ慂`5ò€r,ûv¦D³V˜ù-hdËžAS+ÑßòÝ}YuVÞß¼o³•zv„ª;ÜEjø0Á1LØÎ&
-ÊÒ A¦y) J¿p!»¨^ƒo@‡
-&Y’h;¿u
-
e nYÝ_Ö“ëT=]èO�bžÁƒ]
-×Ä‘«8½RHiñ±üýõ¿©“HXÓ}tÕ
-¿öˆÖšÑX
9ø*øå�fCbDk7•ùGÅuSž/…ËS
æ4¹öÓ=[®�ZÄ?G€NÖæÏ-Ï7hÁú'¨'LJM_ÿvõë§_®G"8„ì�Ã%�kœà“Òv[=7 þ§º#&Âî_S³	ý‘”;$oŸP
À%³õh´Œ~Þ$
4²Ø¢y Í›@ÔÛ›+j�Q††
§ãóòÈËú
-c­ß!+kÈ_W°L
wáŽÆ&¼–aã}ç$ì{pß
ž‹˜OCN%C7å;Œ�j!K}ö?vǺ!È�‡¢áHæî(wí6
+1955 0 obj <<
+/Length 3093      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥MwãÆíî_¡#ý±óIrÒ““u7N²Þmì¤M“h‰²ùV"‘ZÇùõŠ¤(i_k8Ä`|c(9ð/g6‰§Ü,u&¶BÚÙbs!f�0÷öB2Î< ÍûX_ß_üí:�¹Ø%*™Ý¯z{e±È29»_þ}'ñ%ì ¢7·ww×ßÌïnÞÞþçýíõå\f©L£«®oßÜüûr®¬
+X¸%œ6ð³x*×Kævhš“ÜüYE8$ùƒ?
+|J§±RÖú�ß{ç8ôu§R&³D›8ÂñMBš÷±‚kªéÎó1IŒs2;M2 M�ìK/�aªå�äÏ—«Ø–+Ök¾^Ó 8)Ë
Ìœ••�
+¨…­€6«�~.Jî’F{~>4õzçÙW–:ØXCŸö© žÍKÈèª"äþRCzÙãÒÈó§0?-Kè|f€øvIQZƒGµÛ<ÖJÞÿø{÷îÍ|تQn|óí·ïÞÝÝ¡½§ØŸùŽòïÔM+
à‡Ò+¢€(@B?B|i¾2ö«0õÓ=pö
�}Eï|E
+|`ÑO¼@Àš²Q­¡\6Éç©uqº¿Aa‹4Za‰¯‡>êC"Ä�^\³ª³FɆ#ž%/ãpÕE&„…Èä³Å¸�Ðý–£8‹äjÆyb”W+÷Vž1gŒ9MÒóTÄAÅqhÐ-½îƒ
+Àúwr!m
8°âºt`Œð‡r]Ðw]ò¸ô-(œt<ĪG{½?ì3A}ãiTÿ�ÚH>$NTõË·1�1Äáìdˆ“FÇ*Ù„»��º1el/Âáæƒ7×Ð	iA3Ëü•qöD6üiýR’ ‡yyùñH4—3$'s•ÎÄ&ƒöp �e±Ê¡…>ÂT*¡HÏôG}¬ã!¬Ãò!l5Ù3'™YïÚç];_•ëà æ]ϹÓìuXü
‹´4–Rª!ƒ¾[Õ2á.=»L„�&àY$`¸0E8xA.݈À{ö
+Ò8þ«»
+ZDh£åPçÌın.´gívYùÃî[”ÌqËQYœ@|<c9=¬–°¼å<t_I,\z†d@š 9è¾À �I~Ø–UÛ„+v*žê-£Ùm6ùöõÈMÝq…Å7dô
áq·)º�Ûz⃑‚¼ª”êî‘Î02 2gúv0¥‰ŸðœÒ§µÓÇ:®�Ëk§<w¢,¶Ð�V&��µÓ§yë°&˜8µý)‘¹ûWWfäôàï+ŸÊz׬_çÁ?qŠ>á¨äJâ9oš0›3Ì;&F¡¦ë¯‰ƒ‡¢_½%.UÐù'|tï”1rv®³$vd>pôp½:¬¨›q•ÿºX‡¶"�ðo9c漘6p¾¢û‚Q×€Ý œ4žlh„wY
z¬ª}W¡º®"§}BO�¡l§
+˜}
ˆ|g�
+å×É”ÜC:ž‘’OÈ7ç
+mŸÂæ ù
YÈ°ÒÎb) ®<Å\‡tÈ�µL"˲
{÷¡–fú06\hÛ}¡Í¥'ÎQZF ¡¾~6чºiÊ*À
oÖpѼ·‚ƒê*Áï£Ý÷èÓÚâÏŸ.§@jÝý
+æ1¬t+ä)…Ú|èÚØUhÓ#²Í_ŽÑÀV$Sã2>�â~ä¯|oëì>Í;Ø󶄚´\¿2œÑ]óoÔ?'d�ðN=#ŽÈÙa°|…â¾\ÐËþg4vÿ#
 endobj
-1824 0 obj <<
+1954 0 obj <<
 /Type /Page
-/Contents 1825 0 R
-/Resources 1823 0 R
+/Contents 1955 0 R
+/Resources 1953 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1789 0 R
+/Parent 1952 0 R
 >> endobj
-1826 0 obj <<
-/D [1824 0 R /XYZ 56.6929 794.5015 null]
+1956 0 obj <<
+/D [1954 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1827 0 obj <<
-/D [1824 0 R /XYZ 56.6929 119.3275 null]
+1957 0 obj <<
+/D [1954 0 R /XYZ 56.6929 752.112 null]
 >> endobj
-1823 0 obj <<
-/Font << /F37 747 0 R /F23 682 0 R /F39 863 0 R /F21 658 0 R /F55 970 0 R /F48 885 0 R >>
+1958 0 obj <<
+/D [1954 0 R /XYZ 56.6929 665.106 null]
+>> endobj
+1953 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1830 0 obj <<
-/Length 1542      
+1961 0 obj <<
+/Length 2978      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Xm“šHþî¯ðËUi%Læøh\7Ù$ëýÀ**	 ‰ùõ×038š½ºÚª†¦»çé§_ÒÇðGúž@˜ù¼ïú	LD±íáþž½ë-ã!§)õvÞ{sÍܾ�|Ie¾jèòö<ÒŸ/¿F÷÷“éÕÍßC‡
-<x‹†ŽÀxp;š~}Rk÷CŸFï&³¡C\É8‰RLâÁtt;¹rÆï'ã�ã»éõðqþ¡7™×Ž5�'˜•^ýÓûòˆûKØÇFÌ÷DÿÜ`D|Ÿö·=.œ1³÷f½?k…�§Õ«60ó�ð¨kC÷¡!|$e	Û_&y.œ<Z'¿Ò$T‹ÎZÿ¦ê7ülŸã-Ò­~ë	�¬}%Œ—°€o!È‚V†>6$Ñ+ŒÙ+âRîÚDÛjQéT¸lí<,¾¹†­wYŠxHz®¨DnÓb–d<¥û!è;mçµVDŠ|âqPXùÔ
èÔ°ëB
-J~‘
‰7ƒ"Ì[
-�gAè˜%T A}¦_ž2BóM”·ÌU×ù&ÝÅKµó§Ê…¾Ã¤‹0a¤åý*T¿É"\*
‘†3P?Š+•ê¶º
“¢+wºO"€ˆ¾ô´ÇI°
—°ÇdeÙ�¤ˆJ)´¨ÚRŽSâ"&!5Zñ6¯C[ÞP½Ÿ*|úq <«'û(ÝåñA=ÒXW×f‡tð#*6jm®‚]\hA(Â,¯ çà�æÖsí
%ö=<ÃÊ¢Zò|·í’[… H„OaÒšH‹]¦Ã£A_Fê~Q¤ÙaH€È'At
X<ÛRÚÐΖí—/“Kš¿ ÐV= ýzµÚ/s¡à	Uðf“‰Bkôivg¯T"e´™÷¾u˜|…eþ]/x«Ùı)oo¦WÊŒ¯­-·QåE@pÔÒC3¿ÔÒm�ì‚Ø–åÒ+Ajõ6ûù1eàáz¬4r̘E'ˆrAê¢aÁÍ¡¾@žï¶á}ž¿¿{ø=n7	¤DjfÎ9T]‘Æi’§Yí¶G³1.M¸8E®•·	èÂxRÕ	g±	ßM±¨b+�+…[	OAäŒk~©òXozT•¤ÔUWÕc�`iRVœõ‚¥‰¥ž’"ø©…K…Q²ÖIš¦ñKÈxHÒç*VgŽ�00hCkg
-DœcÙvÿCÅѱ]ÃŒ©”è„?£âl
+xÚ¥ZK“Û6¾Ï¯Ðm9U�AGÇv¼N6c¯gRÙÚ8J¤FL$R©�ýv£
Š HªR[:l|
+)˜J¹?íÚ¬*êSÓ³T�6„ õ`¬Ý?�Œ¡¥¬Ö4Ù¾€s²ƒñ†Lç
+°Híð�ªhzÊv%”úØØyªÜ/ŽÀ¢E­^,q  CÃÆ:[oG
ÌØl݈Uºó•¢ì23ªÓ~EkCŸ	N@4ŽÊÒòºúGKd_}’|<Ég
+Ò‚C'­_¨Ö8SÃÀ*â0
+;Q©œÞ|úeZ³
+2Û4ÕW4ÛCÍhÖ¡ŒfïÆ4‹‰·K™š:[‚Ï(³ÝÒ¦¯caƒ!Ì2Ù¡F¸ì+Y0&QûlšÔ6bIpÿñ56â€X"¢Ó4¶]Š�Ô:ÒZ7Ú%؉	
¨<�ÜàSÝ4åjWôghè%;‡™�8—‚Ãt°ï6¾ýY|ŽÅR¨-4sgæSÌš4ùw#«Dbtê‚/ΊáÉ„¦‰%TÊ´ÓºýËY!I•ÈÞ¬§ªüŠ¾ejRjº 
fÊYÐ(
\B
5^cu¨evi¨®ÆêPc‚õ–)±HÅW–w¨‘å=7%!±ö×[»Z§sÔy¹:jcžT&‘yš!dž�*N.J¨<Á¼àú°iÁu¨I›ñxˆÁ�e|…áÀ“]”'‘χ~Fõ7$fÚ§¦ËÌ>ÿð†\§Â†Í#ÔK{È�ÖÍŒp#j®ô5áö`3Âu¨©£ãËä¡¢ô
+5‚']R‚ðy¸/þ¶L]Ò�èwÖ72žÜåÉ`B[êõv2RE\„Qþ{6RõQÓ‘ªC™HU�ç 2êY},Ë겺!$�bžµ5›Ÿ„$PÔKå3÷àiY£aÆäÃŒ
+Þ¾÷8—NùwC]tÉžÓD{9{wå¤lÉŒg
*úý0Ñtyl7‡ãkB2å üDÎë¯�šÖ_‡2úûx-Ó€Šêí‰,ƒ'�$ÂØYþh„?O‡ÐçHúÊ„u)„L8%Ž‰«¶¡ALRÛ)
�ö:ï–Æ]!©ãÒlÛ´#†þsÚq^µ¡¡3iG‚i7¤^¯'·Р7>žuXÛÍ”†
+ˆ4†¤&M‚–xóÁ¢s-Ã-¿™åve·Dq)hHqþÝ&B…ªùÁGÓÎr*g9ȇWgKkZÉ7I÷YÐYdwÈ­ˆ�gDOÿK"
çó+’8ƒfþ#aAÆ"ÿy­
+‡”™>ê]~ÍQi¨…³¬u KÞü«,Ð#“±Çܯ“âËÆ…×Éß	Ù©hŸU/.Rwû&]n×W.g,œúGähÑxFÎΈþï+�ÿ—%¡LÓ‰ ¹8\ÍS(?Γ!ëÝÿš.yÿgH,endstream
 endobj
-1829 0 obj <<
+1960 0 obj <<
 /Type /Page
-/Contents 1830 0 R
-/Resources 1828 0 R
+/Contents 1961 0 R
+/Resources 1959 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1952 0 R
 >> endobj
-1831 0 obj <<
-/D [1829 0 R /XYZ 85.0394 794.5015 null]
+1962 0 obj <<
+/D [1960 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1832 0 obj <<
-/D [1829 0 R /XYZ 85.0394 562.7154 null]
+1959 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F21 702 0 R /F55 1025 0 R /F41 925 0 R /F53 1017 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1833 0 obj <<
-/D [1829 0 R /XYZ 85.0394 499.03 null]
+1965 0 obj <<
+/Length 1813      
+/Filter /FlateDecode
+>>
+stream
+xÚ¥XKsÛ6¾ëWðÒ©4	Q¼ˆÇQ±•ÄMb»‘2M'É�–(‹�Dº&åDùõ]
+‰¤ ,ê
+¨ôL
•¬£RR$9�=•n²b3ªÇ·Y‘ݧu^ÜÚ÷Ô>.ç³3fÉå&Ís•Õ–¨7™%®®¢ÆWïöý#Æ,u¢J·+ÝnBïÍ®lY6ÏUå‹•%V¥}eݳ23@E
+©DF1!H'	müq’Mô$›Å5¼6D^TÙroyìÊ*Ûf·
+¦»Å— Ž}©xvqynÕh§mÃl^ÕÐü$ö¶›[véMZìÓm(ÃaÒ�$N|H¿Tˆ/
oŸŸY‰3�Ç	¢<!mÁƒ:AJŸƒÓw‹—Wo8^�EæÂr~€¡dçŠÑÜnËû:ßïŽZ9‚®Ùž3ÿ3$'1Á&M‰ˆ—›lùÙ×	Ã̸­„½yKØ2F ¾‘c©éȱ’Ri©æs{
5Åævï—A)=À
õ«c6�wÕ²ÜþL,Šò®²“S÷òæJ%X$Rá¿‚ 5MÌi?~—m4·J¼ÉZž 6&??Ä›Ožzh©¿[Ê�eIrŠ5¢Pã}Ëï]I£„#AÛHtR×ù63Æxß>}ïÿ7– ó§Y
+endobj
+1964 0 obj <<
+/Type /Page
+/Contents 1965 0 R
+/Resources 1963 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1952 0 R
 >> endobj
-626 0 obj <<
-/D [1829 0 R /XYZ 85.0394 459.6249 null]
+1966 0 obj <<
+/D [1964 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1834 0 obj <<
-/D [1829 0 R /XYZ 85.0394 426.4105 null]
+1967 0 obj <<
+/D [1964 0 R /XYZ 56.6929 612.518 null]
 >> endobj
-1835 0 obj <<
-/D [1829 0 R /XYZ 85.0394 390.6449 null]
+1968 0 obj <<
+/D [1964 0 R /XYZ 56.6929 335.1485 null]
 >> endobj
-1836 0 obj <<
-/D [1829 0 R /XYZ 85.0394 324.0377 null]
+1969 0 obj <<
+/D [1964 0 R /XYZ 56.6929 267.4555 null]
 >> endobj
-1837 0 obj <<
-/D [1829 0 R /XYZ 85.0394 263.3171 null]
+666 0 obj <<
+/D [1964 0 R /XYZ 56.6929 225.2657 null]
 >> endobj
-1838 0 obj <<
-/D [1829 0 R /XYZ 85.0394 199.6317 null]
+1970 0 obj <<
+/D [1964 0 R /XYZ 56.6929 190.8284 null]
 >> endobj
-1828 0 obj <<
-/Font << /F37 747 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F47 879 0 R /F53 962 0 R /F55 970 0 R >>
+1971 0 obj <<
+/D [1964 0 R /XYZ 56.6929 153.8399 null]
+>> endobj
+1972 0 obj <<
+/D [1964 0 R /XYZ 56.6929 83.2251 null]
+>> endobj
+1963 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F48 940 0 R /F41 925 0 R /F39 885 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1842 0 obj <<
-/Length 1880      
+1975 0 obj <<
+/Length 1710      
 /Filter /FlateDecode
 >>
 stream
-xÚíY[sÛ¶~ׯÐ#5S!¸’à£b«­{;µ•¶Ó$´Ù<¡HE¤âª¿¾‹ER”�LÜNÏÌϘ °Ü;>`WdŒá�ŒEˆÂ˜Æã(æH`"ÆËõ�ï`í‡q4SO4mS½\Œ^|Ï¢qŒâ�†ãŪÅK",%/ÒwÁK¢	pÀÁåìõü|zöãüì?¿_]Î'S…”³7oæ—ç¿M¦T` bŒƒ×³Ë·³WvîÍ$¦Áì‡ùÍäÃâ§Ñ|Ñ(ÖVž`¦µú4z÷
�S°á§F,–bü
-ŒxÉ \Ù™úÞM,ËB«x·Û&uVvÕ*m	êÒÎÝúîÕò£J!²‹àbeg‹²¶dÕF-3ý½J¿ƒŽƒ¬¶$©Z%»¼®œ¥öä\Ü2ƒqˆ	µõZÿª^¾Ðºƒ4 OY¨ƒ�‚b!¨!V–YÇ'”¡˜`îx!GAÆͧ+¿D’DÀX Œ
åõ|ñöúÒ&ë/Bã`öê­M×^Àñˆ™ýÐh:5þ9¡’¤(¢�§V¥í„È@Õ»mQYiIaŸêã3UuRïܪ	<‰}dîUm
ŸrëÈ”åkßRU«e­R/À
°c	i°}È*5ì¯nÇ=7ó¹ýxöêæjÀÆ!§¼ÇKøG¾³Ÿ¶<õgY¨Ö²áÇÛ8D '#>Ž//.Ï-“Ø©‘®³"«jÈßrk§®ÕÊ9¡X:?¼NŠ]’¨KB‰h†�¦	ƒË®#fo?^]?í�‹¢VÛB¹ˆÞì«Z­]¬ÎÊ¢*·u¶[ÄrÄxHŽ
ÁˆðØ(‹ñ‘ûÌÞ
-Nò,Íê½}3L³âÎ%š‹ì‹Ï
-öóuYæCÇÞÕv‡ßì‹rSeUB
-8‡ö6{ÆÐÞP
xo2
!6ï¦é?úo3úÔŒ>7£¥5\t1+ÖgŸOöežTÕ
-=×gP[¨Ë&oÀ�´ƒ
-ÔZµ'(Ý÷Ný�Zz·Ã-'欇—®ñe[c¾6f8×۹ľ¶šdvÞ«:£(˜¥PFge‘äù~BÑf1k“Í&ÏtzVõ6[Ö;³d\erõYå•�¾ÝÛ§kÁi~TGôGô‚ñ„þJ{Ç÷Ú–•»z£½Êìª,ÏíH÷õ²;µ£¤rÏÂ=—µî»˜±õ²5®!vgú¯o÷)A

)Ä`À0ŠcvèãL¦Á¯
-cØ¡Qø”—â’7ÂQó·ééœh„aª2ˆ»�°+s^7ôÝ5^cAß<zÕo�î¬{"-tšöåA¤p=.ÏÓËk{)‚ë~$»òæEr›7]ÕÛÝÝ@,:e3\!àH|ÜäÍi‹�1øÓ)ƒÖØÛ6dnKØÏ»Ìw,ÍýÇŒ¦ýöô²Y*‡UèÔÏ:L_wØ�’¸I±oþÉçðãÜ}Í¥jÐ`
-‡9|z¥´Å„àã`bDYHtÿÏå®oendstream
+xÚíYßsÛ6~÷_áGû®bùC”ÈG7qÛt�“Åκ[ÚÕ–µ–”JrÒô¯(’²$Ëö’f»ín—»„¢!
+Þ¿‡Œˆ”´÷\Îw³;«Þ´÷k¥°öiùjœ	Äõ;Р¤O’œÓ\"�QVÂq<ž]œœÏNÎ&ê4å;qß¡.’¾ï•ÂI‡g~οÎÓdi^`uÈ)ò)—ò¥d®Q-nB½È’"øþB?|^z‘¤E[.Œƒ¤ˆæ¹M—úo`^P¾è%øòcz½Î‚"J½©vV!ªU±^:ŒêL'ÆY	Ât+¦a¹ãyq*dwB!§.eC°��•”²ëÜ´MB]×=`Ò
+u˜¬DJäRÞ2yžEIîu\[ä×qdîÄ ~�
+´F‘G<v
+u˜lTž€Xú-“]•wfyE[–åÔ§Û|Mª{&AËÇ&¶×Y?¦¸¡ó!Áá¿Ú¿*ÑÿÑ�>c‚îµge¶íµ°gDò†½ó0[¦YÜÈÌ"ÌM4Vi°hõ™ÕJ/â /ÂL¯¤Ih™®-zQÒQõªsà‰Z¬ÐŽ0AGö¡-ÑÝ�`IÊø�HÔ¤ö„ÂJ•±ø²‚<ßu÷›´B&Ñð�Ç�Õ&?Ü„Éú(¹nFál)J³‹b(¢ªt¾¤ë,	VM&ŠŠ*§ó"ß
&†ø| ¡×¥ö€i¥ÔÉ´ß*Þ[	†)‰¹ßv%Õa¼Ñ‘¨„,g´i}VbÃü2áÔJ茆
llLði7@+÷>ÛÅ(Š†Á'K½«g6ËoÃy¤ÞjXsM@d.ƒõªÈ�]Ý‘¹0ã�˜ä󗛆
+‰2$	vë…´5ý¹@ÌÄ·Ã_)x1ž]^LtÚü6`£÷—ãéóOÄ:�ÈÚÜ2ð†€M·,‚b�7¹ˆ43<Ì4‘gFì>´\=-ÂfÛ[+ŠÇF%dAvå��§ã±~yô~zÖqÆ.P>bŽü"/j=^#¥‹»ú¸ÔÇd=³]ÅòĆñÕÉäX+‘Æ�E%PÜ�¾©!æ‹pi@Hæ‡Ó Y7l»K<�¨çy{³„Á—¢‘&£ËÙÛ³‹Ã
+KúE©¿áãú½ÊL.Á*ZDE5×�ÒŠÈm` ,`À)ªý"MW]€ãVÊ=$émåm
+…†”çhpt":gz§Ww¼ŸÚë*Jvu»¨½’ê@oèx›+gñÉ®nªÕ—jõ­ZÝU«¹¹Õ4¸ÒRJb†ù*Èó®¹BúvV¨4.;4 :¯UÓOPt1pC¬Òøúù4–Dî¹�ÛM"¿r¢.,J·PÄé"ìB¢Aö•ß_ú½Wkë‹Nß–§Ïì_òÌúÒÃq�6óMû®ë#A±ßÖ™wèt˜�¡´0m&D^<¬Â¿ž÷ÓgŽNqP_ëßPÊ�,('m¥÷‡Òãjõ¡C½Ç‘Ï™û³Ùèªñ‰le@=«;¯
+~:;×4ì&g+Tãæzk³ó8™«KœàOãä£gÎ͆ã&|Ä]ÏoÖåcUGÏ|ø;­ÿwi˜u?'� añ?kîdÍòi?Zâ‚c¨¯u:WCñO{´ùžÒ�	A»ÿ�À°úƒ$Ö)u(BdÛõê{¦mßÿÅl”–endstream
 endobj
-1841 0 obj <<
+1974 0 obj <<
 /Type /Page
-/Contents 1842 0 R
-/Resources 1840 0 R
+/Contents 1975 0 R
+/Resources 1973 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1952 0 R
 >> endobj
-1843 0 obj <<
-/D [1841 0 R /XYZ 56.6929 794.5015 null]
+1976 0 obj <<
+/D [1974 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1844 0 obj <<
-/D [1841 0 R /XYZ 56.6929 687.0104 null]
+1977 0 obj <<
+/D [1974 0 R /XYZ 85.0394 752.397 null]
 >> endobj
-1845 0 obj <<
-/D [1841 0 R /XYZ 56.6929 626.5588 null]
+1978 0 obj <<
+/D [1974 0 R /XYZ 85.0394 692.2263 null]
 >> endobj
-1846 0 obj <<
-/D [1841 0 R /XYZ 56.6929 566.1072 null]
+1979 0 obj <<
+/D [1974 0 R /XYZ 85.0394 446.6274 null]
 >> endobj
-630 0 obj <<
-/D [1841 0 R /XYZ 56.6929 528.949 null]
+1980 0 obj <<
+/D [1974 0 R /XYZ 85.0394 386.4567 null]
 >> endobj
-1847 0 obj <<
-/D [1841 0 R /XYZ 56.6929 496.7215 null]
+1981 0 obj <<
+/D [1974 0 R /XYZ 85.0394 326.2861 null]
 >> endobj
-1848 0 obj <<
-/D [1841 0 R /XYZ 56.6929 461.9427 null]
+670 0 obj <<
+/D [1974 0 R /XYZ 85.0394 289.3231 null]
 >> endobj
-1849 0 obj <<
-/D [1841 0 R /XYZ 56.6929 398.5692 null]
+1982 0 obj <<
+/D [1974 0 R /XYZ 85.0394 257.1813 null]
 >> endobj
-1850 0 obj <<
-/D [1841 0 R /XYZ 56.6929 263.2909 null]
+1983 0 obj <<
+/D [1974 0 R /XYZ 85.0394 222.4882 null]
 >> endobj
-1851 0 obj <<
-/D [1841 0 R /XYZ 56.6929 125.0477 null]
+1984 0 obj <<
+/D [1974 0 R /XYZ 85.0394 159.3957 null]
 >> endobj
-1840 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F53 962 0 R >>
+1973 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F55 1025 0 R /F41 925 0 R /F39 885 0 R /F53 1017 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1854 0 obj <<
-/Length 2946      
+1987 0 obj <<
+/Length 2836      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZY“·~ß_ÁGn•ˆà>ײìȉÖr´‰U±ý0KÎ.Ç&9kÎP²òëÓ8çr#U*m•ˆÁô
-ûÔŒŒ±²p¨pPˆ),"|
8 lpÖ¯kÿ.ÛU¥o%;€v°h=îNa”l³ñÌV�hhÐYâî3ºlØØgµÅ€[ViXH=ê¢ÊÝ&ŠèÀú~¦m‹Ýæ¾R\‘gá›ÌâÛküC;Äš‘6À
ÊrŸGÔ¤¤­‘øI~?¾¢N¯§&äѶHìÆÜ#ÉÔ±“?D¾#i³–èÛ
qÔ×EÎs¬žqD5çç¢¢9y~øBeŠ~7E•¹’2¶Ú…ÊXƒè½?Õ¾3Ƙ®ì5?~,ªð�®„ë)²j,®#ÚC†n†qݼÛ¡Ÿ€]î惡CjSr0	–|±¦6ûç—ê�’Kc@Èé¸&]¥Tó÷ÁÿDÅaŒÏ¤P-¢é*¹êa4�’šÅÀÚf1`hý
-ÒOÈRù,[‰hÈW7•HH£:Œ�g²�™éT¶]Z®´É£šbÞ:�IA®ÃqǬëü�z³f<“j*AÃi æ…¬Ú³�S“(DHÑ4N0ƒ=‚œ©æµ©f�©T¾«{ĸbg°B`€³¬%ªÞºhQœ�è2—àÂ4´f	.¶ÓÂÅö…—.
y:Õ¾3Ö¢l«ê
RàZ™x´òÄÓ‚
-µ¹Ì\
Z\p~®ÄË>Ït.ÒÈó
-ѨôÌÑi›jš‘ÊAóðYÁÑ,_):ò5uk²MÆœç½&Kç|í³+‘16R"c49_Kpª!ÉùºjIóP5qçØŒç;(¶ô�/â�²è|;_Ž_`�ÚÕ2úµ—t+d¸øÁÅ—
-ŠÌ3<»0ÿÿQÑ
-I†ÏÜiSM[f¢r–YžOîA£VJëäQpñóÌ%ªî:öÉmÙS«.{?^+¾<õ Ë‹I|¨I»50ӳǯbd
½‰¹¿�nþ„œø.%®ñwêÎêòøiZö1ÿ¹MLë_HÄ$;ã™ÛT3ú�TNÿÕÙK-Uýi—O^j™å¬¹Ô2dmôRK‡·Æ9k2}ƒ;®ÏUÛïleÀù_èXѦ©
-rnW€—÷^5ŽWyʹt“øKO—Áñ,#N;Ó¨ó°™»2í�ä˜ï2[¯ž˜È—b²{É \«èî
+xÚÍZ[wÛ¸~÷¯Ð£|N„Å•½‰³Í¶q¼·ÝÓÍ>ÐmsC‘ŽHÅq}gpáE¼HÞí9m|NDC`ðÍ7ÀÌ�lAá�-TD"ÃÍ"6’(ÊÔb½=£‹{èûáŒy™UZu¥¾¿9ûî­ˆ†˜ˆG‹›»ÎXšP­Ùâfóëò{¢É9Œ@—Wï/߬^ÿåòõ_ÿõáêò|Å∳åÅõõåÕ›w¿œ¯¸¢ ”.ß_\ýýâo®íúÜðåÅ—Ï»ùñìò¦Q¬«<£µúröëot±�5üxF‰0Z-žà†f_lϤDI!BK~öñì§fÀN¯}tF	Aƒ³cÄ(Å{p(C"Á……ãÍåÇ×?¿»¾y÷á
+WcŸi¤X0‰©PV¸H¶éfµ~Hןÿ]©@tÐ’HKxå­d… ‰eý�â…\VÏE�|s�I±q�YQ§÷»¬~víå�ïw½v2Ûð‰Rž§`
–zW»ÆÇtwW‰@[×Ôê!—I5²N!4aVBÛuŽ¬n%9{˜x±r¸:JmÊ×rùô�î*/“MVÜã�[†vË
+íU¿†Ûå™^úÎuY`ÿý
+ç>D”Hɸ›nç†ï
+ŒZº«ÄýÞ"tY¥»¯éî<–K2N;¦‰T¬G»rû˜åéÄê�"œE̯Þ�ÓdÛ,OìêÙ”N¥$Ñ\šÓQ†ES®¼ü+Y/o÷µ›/«ÝTIþ”<{6ûí£¿tÔ„þ
+œ”Á&=~Z:™UG(œ•ÃÈ!ᤫÍá|`)jâùù‚Ìp¾.J1#4Öýù.‹ä6÷¶Ù¤·ûû{ØbÉäš%±q1ÇÌ¢;R3«RvÙ“Ëž›²]÷`ÊÑ…w§¼†Ã¤n¹g/öUrˆºßn“ݳ'ráÙš~Ëêit8PZDGÐéHÍ ¤,:_&Ñ™›²Eg0å(:Ý)Úg©Gg[n<&«wµnºÊÂïê“èH
SÆGü¥#4�M²Ð|@£0xšŸ/Èçë
C‰´?ßk ƨš}Æ•SûÄë×Ðè%ñ–0"D�6d*ïwÉö%Ä„�¨ø˜Ûv¥fÀRýßè"xlæ§B#Sv×ið‹þ”î쳇Püv�¢xÚÇxíBÍds ü{¹ßx�Û“È[.� ­êjTn‹Žy{WjÔ eA];(Õ#¤_,Dë<©ªCÅœ]ŒËyłЈb¢7,
+
™ÝÔ‚Ý"æÚÌ«„FÔê%�naŽßSëÚe¢
+lV1?ݨæ°ê"$æY˜ •ÞÿâZ�Ö.ÅßTÝÆ;›Õ�,¦¡Ø|ánË�¿…cƒ8)¤Ò-¤5N"+V�ðÊ�…v¤}½*ïVáD…=
+ÒI›2Ú¶N¿Õs¼eã¹T[yë¡Q]7ß%OSsÄÂÞM%F©‚)—1úU:R3T	R–*oÇŠŒÙ8ãW1TéyÕ©Ýúl�0QÃ1ØS®a‹ÐÒŸÑZ4lÁFd¶ùNÙ¾YÒ¢}/¤{¯h€@
+ÃÏŽùI+4ã&^ÈzÉçq/ÑF‰™Šî|FÏ+d†JõêQ1‘±é+ÊQ#U kÌ…t±Æ]¹°zœ=1èÁØa–©Ùò)³ŸæÁÉØÁûNh¸K²|âl@4ÐϨìùkj^0Ü\ÍKëîp†	ÍW6 ¾8JZwkΈ±Íb‰¾+ÌŒ
 endobj
-1853 0 obj <<
+1986 0 obj <<
 /Type /Page
-/Contents 1854 0 R
-/Resources 1852 0 R
+/Contents 1987 0 R
+/Resources 1985 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1952 0 R
 >> endobj
-1855 0 obj <<
-/D [1853 0 R /XYZ 85.0394 794.5015 null]
+1988 0 obj <<
+/D [1986 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1852 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F55 970 0 R /F39 863 0 R >>
+1989 0 obj <<
+/D [1986 0 R /XYZ 56.6929 752.1653 null]
+>> endobj
+1990 0 obj <<
+/D [1986 0 R /XYZ 56.6929 611.3886 null]
+>> endobj
+1985 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1858 0 obj <<
-/Length 2056      
+1993 0 obj <<
+/Length 2490      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥Y[oÛ¸~ϯ0°çÁb–w‰�iìîÉ¢usbg»@ÛE–m¡ºduIšýõ;)Y²i»ÀA4¢G3Ùo.dÈÃ	‰¤¢jä)Ž&b¦Wx´…ß~¿"–gÚ2Mû\ïWWï>0o¤�’TŽV›ž,aß'£Õúëø=òÐ$àñâæÓ|6™RΙßÜßϳ»¿à]``ŒÇŸn�7ÍÚýDÑñÍïóåäûê�«ùª3§o2ÁLÛò÷Õ×ïx´Ëÿ¸Âˆ)_Œ^á#¢¥W\0$8cíJrµ¼ú_'°÷kó©Ë\øHP.Áa!O8Š �`ò8AœïýD‰ËO–I»iZém¾û D�Q!B…¢5Ç:.¢°Ê‹·C¢�$r/ÏeYÇtlëi$¬|:°ívWLˆ?Îój2eX�«ÜØÊTïK.�ð¥t{ ¶ï{·œen…î+>Τ^GæiÝ ,~‰JË0!ã¬ýÊò…yö
cº­‹ Šsû«^I,C`䘗g³¡0*Ëh­MÁ¸l<…”¼Ai°o̳˜øã:3ôÓ›yæQÆiœEbWÃÎg  YÉ‚4Z£#0[ÄH¥ãÞXõ¹Nãªãj€õê
-âëÚqݼ�§ôÔû¹‘ǽÁ`í†øÊ:ÍÔGíÌ„C=pSÞU —@Ð#mÍy·˜yÊîj
m&.+8´äv|ˆ6Ö§YhÝú)ÈjèEÇê	DTv‡.·_¡{B-&jèØ›ÇÕ??œó¨©öwôÂ,²Y¾ÁdœÚØßæY™U\§{½C.©•Þ!D´·
-_C™òjhݦf‹¥™�õ‚-`‡>3e?Ee~ÒÍZ?Ím¦ÑhJ™ÇZ7™ø©¶wc°²1�Üj»[Þ"C}hNK@¤ù~º÷ØÝ²&Î̹ڴøì`2‚\·õ×.AO-»¦Ê®;’_Œ
ºç¢îS­ïµ_vQ£G_¾ä?L?ðáüSíòº2¿˜£É¶N£¬*¯Q$ÂCÌ÷dÿ8îŠ"CÂÃ-XሕùÆ7�Um÷«Æöäb^Žî$5«½w8F+ñ0⬫
ï¢*|wöòÆWHJæ÷‡}OM YRo˜&}kµ‡ßÚ{�¸ŠÛÛŽuP‡!H
+xÚµZ[wÛ6~÷¯ÐÃ>PçT(®$ðèØJënìdm§íéå�‘¨ˆ§éåe]ï¯ßÁ…)�”ÛdOŽ†À`ðÍÌ7ˆÉÃ?2“a¦ø,Q	LÄlµ¿À³ÏðÛwÄé,:¥E_ëÍãÅ·oY2SHÅ4ž=nzsI„¥$³Çõ¯Ñå‡˻뛟ç*pôÍãèöòîãå;+û0W4ºünù0_�$¦”¤V‹qtwy»¼^\}¿¼úç/ïï–ó߸X>zÃúÆÌ´Uÿ¾øõw<[Ã~¸Àˆ))fÏð‚QŠÎö\0$8c�dwñpñ/?aïWóiÈ\H$(�gÁ‘"J†]†à‚E‚Aâ]FIÈe�–vÙâVoôÛ·Bô4‰@I‚%Ì®Uöå:;ö¡%‹YÉüVÀ2Ö_�*”`¢†¦]m³Õóã,Ê7ö™ê�n¶¯ÕœÈ([•æ¹îË6YUÛ÷¦ì}Ê¢+}ÌÈNó¡¬ëüÓ.³¿èmºoR;‰õÌÀ‡TRÄ™Œ�k~£”oÒ|§ŸN»¿/*‡#vÊßæ‹a‰èÍöœVÅÈl,F€ØN¼Î6i»k`HœÝÅ:°Æ‚%qœ08‚”Ô¯–.Ê*!†ig=:	‡ºX	°Ÿ�f_kš^Ë@³A“ ©›„&F’‹i»:¥€]C`
+$i|dØÃS¶Ê7/�Q‹ž·Y3'Ñ6«ìû݃}±Yk!�êmÙîÖVáSfe+
óÌ	5Z�b–Y�F¾4ÛÌ-Ø�ÓˆÓõÚ¾ÖuVkXcуµÖp°î€D¼”˜Ÿ"d
+Ý	R\œâÑfÚ
ìüt!A
SŒº�ŠtŸ­«rÿ”ï²ÿ–EXEAÀQ*Ë�PID•T¯Œ#8J%ÔW0\ŸÜˆÙüˆiÏ;ÄÎQ€‰E?|•ÈÅB©3‘ÙÓšˆÌNËDfŽLƓΨ
œ¨öÒItrŽ(Nø´q^+`Ý >¹BDÊdhÞOó„GUÞèÄÎHdNF8*Ûæ©m¬´q{àýݪÉ„ÒÀŽæ	äœøX@ÌD7›À”¢D€ÏN	; Dtù=¯CsA'¾\,BÑ‚hB:hCÎ(ìfŸ;o`[AT7
+ž}­qxz-Ï&
+Å¡.
Ì»ÚÚ‚¢c˜af©\ !㠽ǜRóY¿3�šÌ¤ÛÔMŸ«]»ÎìLd±¯«Gí ÑÝWNRŸæŸ[(ayé~µ¬ÂŽ}‡ª_z2[Û„¨A<&Cä¤õ0ßUs	iÙŽ?¹Ä˜ÚG�ïó]Zíœtå}fÈŽN�º€Œc0¨Ä¹‹¾Ö¶:-ƒ­çPêÓ×…ç±åÑ0eœ×
+X7Ä`�ÆCëV[}À@‡øª€ãJúPI„)§=P™9
¨ôhHB´Ä‚CŸJ­pgاu“U}%;þÇÍÝÕ»�×KûvL‡!Hs2>ªªÏeõ‡NÄ»¦_l\q,�ÊêaßϬvŽ;èIŠ€Ë(†Ã¥¾ß²°ƒðØ„¼¦P’ˆ³M
S)y®«ék�ƒÓkp^/	Í®áð“KvJ�%ˆÃаd¸ä50(ë=Ç›`Ô�²ó©õsZ”…¦Ë}R3zŒéî9}qcÀÔÚõTû	T1ÆØß¾r?ª·@LUOkâ¨:-sT?}Ù�ü¤a‡;ùSË‚wòÓ|ªI¯¾ú4÷žúÅp"x®ÍR‰ë
+@Ç»€8ßç…>cói¾[¯ÜíƒæÐ	—ÑÝ´–j,�îLƒf˜+ ¾†E¥Ã
+§.ÒyÇðj{áï¦oæ†Íé‡æ^­¿cå–íég[¬�
6¦/LØ7ÓJ
 endobj
-1857 0 obj <<
+1992 0 obj <<
 /Type /Page
-/Contents 1858 0 R
-/Resources 1856 0 R
+/Contents 1993 0 R
+/Resources 1991 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1998 0 R
 >> endobj
-1859 0 obj <<
-/D [1857 0 R /XYZ 56.6929 794.5015 null]
+1994 0 obj <<
+/D [1992 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1860 0 obj <<
-/D [1857 0 R /XYZ 56.6929 499.6076 null]
+1995 0 obj <<
+/D [1992 0 R /XYZ 85.0394 225.6507 null]
 >> endobj
-1861 0 obj <<
-/D [1857 0 R /XYZ 56.6929 438.3307 null]
+1996 0 obj <<
+/D [1992 0 R /XYZ 85.0394 155.4035 null]
 >> endobj
-1862 0 obj <<
-/D [1857 0 R /XYZ 56.6929 377.0537 null]
+1997 0 obj <<
+/D [1992 0 R /XYZ 85.0394 85.1564 null]
 >> endobj
-634 0 obj <<
-/D [1857 0 R /XYZ 56.6929 339.322 null]
+1991 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F55 1025 0 R /F23 726 0 R /F41 925 0 R /F39 885 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1863 0 obj <<
-/D [1857 0 R /XYZ 56.6929 306.8426 null]
+2001 0 obj <<
+/Length 2597      
+/Filter /FlateDecode
+>>
+stream
+xÚÝËnÛHòî¯0‡‘
«Ã~²X,�ØN ÁÄã‰��
’h‰’ˆH¤F$g¿~«_M)ÀÎ^69°Ô,VUW×»�'üÇ.�PDMbÅ�0Ÿ,vÑd
ïÞ]`‡3óH³6֛NjWoi<QH	"&�«-‰")ñäqùiú)t	¢éÝë÷·7—3ÂÓ×÷÷·w7ó?á7�
+¯„ËŽ`‡y²K—zG@vF9Šá;ƒr/ô:У-�Q(æ±Õ¦ýÜèç3!±…æy•ò´²¿–Å.Érkt•éá9=8 0FŠsâ8ÐqÁ¤áðð=/öeVöµN1Š¥ AA‹�–0ÈM8èqD…(ÖÎÚ$ŒXQƒÕÚ·
+Çuu¸ÄrZ8nó‡kd¡·ÅÁ»Â`¤î´Ün:Þ”å«â°K,Q|ýÓ¢
ØÁ•�ËnéÃÛëÒB�ÓèU2&ù²YãÈg,‘‚¶lRÃG�
+TB}¸²çÄ ùDœôª-­ÖðwdyVeÉÖ¥Ó¤JúG°³IÝ™®´ahà¯:=di‰~ Çþf|hXظÉ BˆÑZÌgÑ6–¯C†Y´ÁÒ|g¬ÏR0¤–§Yz¤
+¸œ#%cÁ­zÂcíÈMæÐ'0E…(�©'#FÉx¿H\¨°û¨«:Ù6[Ylë2{NјPÉ2Vê´´±Æ­ Á:
+²‚“,+²YA‡eÛ
+ÄÿÞ
+Øÿ‘
+ì$=c-¬Vౌà¾bæmÁu“ƒy¸`n‹‡)A"ŽÕiù¬€€}Apú²Ž„Úh†•‰€¤”c5}ß…ä¾*Jt­¡¸+&"ýÖ%"g9Äy�4¶©&ÚŸ»¤v²5,€&-_ä(¬)馣‘„f‹fopP�HÁ¦�º;..gŒòiš—µ·1ý»Ú$•†˜KpÛ"YfùÚ¿tXƒÝëE¿{ý1 TY^§¥ûÐqûV¾Z„d}g�ª+Ç¼IJ»]¿ƒNI»Ø$ùZ)”BÅR•ÐÔ�¬úTåf¶2·Kuj
-Nû™ØǾ(Ëì)XIh(U‰pÉßQ9A8nêøbïÌCêžÖ
+h šÑ‹V�W¡ŒH‰¢XàáÑŸ°c‰c>r•PÎm]%ò”úÒÄ=ŸÊb[WnuŸTmv£Ñ…(� $’ÓÑ¥�5],]–¡è‚‘Tœ†ûæntÑóhÜOÊ×`ìFˆØ°ÒðÁŒK”;H
,“tWä?—΂VÄ…æŒ-0f`Q…ÇÆ
d¼—_f<žÞèOÖÆê�D‡d¡�N3lÚ‘@¥Ž¡“W‚ž¯Ô!ûxù”Î\AŒ9Š`¹g…~\Ôt9æxôSáSxRö’´W•.Œ­ªl½påuéŠâ 
BsM;S궱N Ç2¸9B.äö“,=R€eÏ!¥€R¢ÃòCÝoó|0´úè½\9¯í×¾¹Ðn†RÝwb=Ís“¼Â�÷Œ™fÿNu<®W¹"&gŠÇ6Ö	½z,£×õ@¯q¦Î°ôH
–m½B¯ÇiÔcù7éµéÞÂÂÛóÖYì¶ðNÈ�žÞ+!¡‹<ÎwÊj™!ŸëŒ�F	C‰‡x¦¶kc�RƒeiŠ¾Ð•	¦z£Ä¶\Š#"$>-—G
+ÈÕ	Š”’L±®`PµDÓú`f-tjg.lº‹6ùÖê2Y§\âƂœJ“u©o
+€È½ÏóÕ½³?’〦_;BA¢ˆf>§y
+®ÎÔ3”Ŭ!câõù£T )˳Æt–N	¡a´ˆd½©ÑŸŠnhºžn’ët=»Eõò#•ªŽ`�›Ô§Ø¡=›r_xo¬Šžÿήû†©Ã¬€VKð?µÓ\ùhö´öC>3OpÖ¦84bu �±<2Öûzû~  ¤ˆüwJè)žQ
+DpwE¼¹}óñÝŸðϧç6]—‹Cö䯑²<Ôã2ª…ó6õ�¬\¼/E›ŽÖ4ç£�‹Ï¥ú6Ö‰hç±L´ËÏÖšÍýF'ÜI !ÈiÁ<R@°n¸£Ððż+Ùµ«€ªP0Òj˜Å}	‡å[„#ßÂêîH'>Š)8Œ_긇™í„ô‹äkjW’ås’W6 ÂÓÁÂs]k¶ß:¤ëû�¥»~�;Slèwå>]dº™I—¡a1Å:6Ò�• Ð-ƒ1ÚëyÜÔ"v¥£¿

+s?6
+�åÎÎ{ôòÆ
y½{2‰ŸÙÝh\-¿]Ù»à’æ•]°)€Åñ Ì7Å‘rk¬Ixê@YÜùÊ®dŽhæ¸Õ¹›=1æª3�ou¸í]´#\³‹ÖÔJïÂ�™]‘™Ï϶ü¹[2ݱµ¾›Áãn—£Þi\Aø?íŒ-¤q_ôHÆ÷g]Ñßv<‘ ¦äi¡<ÎP¨Î}iÞ§ºBýzbZß½Ÿ9ÞZöî‘™Ž±dp·y"úä7_õÊ÷ŽGõû¨æ’ä8â4ÌÄéèaB¦Ÿ¹topÆ�Òᘓ,CbF¡c<ÁÌ£˜õ†rÐ|â6³?ôõÝ!óc_jØÕƒFuURÁQf‹òD‰®›qÁȱB×W_�°*¡œÍŸú’UhìÏM Ó#ØwÔ\õü׊rüS¦ïáäÈHƒÄ`ß
+`'”Þ&dhî�V†²ÿ�Šfendstream
+endobj
+2000 0 obj <<
+/Type /Page
+/Contents 2001 0 R
+/Resources 1999 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1998 0 R
 >> endobj
-1864 0 obj <<
-/D [1857 0 R /XYZ 56.6929 271.8119 null]
+2002 0 obj <<
+/D [2000 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1865 0 obj <<
-/D [1857 0 R /XYZ 56.6929 207.6131 null]
+674 0 obj <<
+/D [2000 0 R /XYZ 56.6929 769.5949 null]
 >> endobj
-1866 0 obj <<
-/D [1857 0 R /XYZ 56.6929 125.3906 null]
+2003 0 obj <<
+/D [2000 0 R /XYZ 56.6929 747.9385 null]
 >> endobj
-1856 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F53 962 0 R >>
+2004 0 obj <<
+/D [2000 0 R /XYZ 56.6929 712.2038 null]
+>> endobj
+2005 0 obj <<
+/D [2000 0 R /XYZ 56.6929 645.6981 null]
+>> endobj
+2006 0 obj <<
+/D [2000 0 R /XYZ 56.6929 561.1687 null]
+>> endobj
+2007 0 obj <<
+/D [2000 0 R /XYZ 56.6929 455.008 null]
+>> endobj
+1999 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F41 925 0 R /F53 1017 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1869 0 obj <<
-/Length 3024      
+2010 0 obj <<
+/Length 2569      
 /Filter /FlateDecode
 >>
 stream
-xÚÝZÝ�ÛÆ¿¿B@J
Öz¿—Šgûj\_®ñ
�ä�'Q'Ö)‹¤Ïî_ß™ý HŠ’\ÄyiXËåpvv>~3³{lFá6‹¡"‘3“H¢(S³åöŠÎžàÝÛ+æi�hѧzõpõòÂÌ’h®g믘Ð8f³‡Õ¯ÑõýýÍÝ›Û_æ®hôŠÌŠÒèÝõ݇ëÝÜý<áÑõÛ›÷ð(¥Ð@d�LÓèîúÝÍ›ùï?\Ý<tâôEfT ,Ÿ®~ý�ÎV ùW”ˆ$V³gx „%	Ÿm¯¤DI!ÂLqõþêŸÃÞ[ûé”
-”ˆ‰Š¹™Ð
g3ÆH¢(A%D.¬~º¸ýéîýÑN(¡
-ôd8'LédZùžhѧ
-O(?Páº9^2Dˆ˜Ÿ_2M,)zK‚™KÔpÉuæÌz{ÿYºQU_Ý(ûœ•n”¯Ýo³ñ䛪nÜh›.7yé§óÚý.Ó]úXøÉjÝ-¡	î1é	Æ•"Ilp?-Œ„g’H©bO’–«	>,!BØèËlösG^ÊmÛ´iÑmý˲hëüsFNy�N‰�:ï=¢Ó>ˆRO¹À¹õ:8ZoÊ
úëõí¯ÿ|ûËÿ#ûkFT".Øÿ@tÆþžÈJ½tR+Õ—š.
-:EâÙI#Ið6
�tÞH}ªÓFꨬ‘¶Sø+
e@‚u‘Y’A¦ÖLêó‚uT’
p‘Ccœ¨d(T.4j÷˜)¥ˆlÆ”2Ú‚OÛsm�>en¸: #RA^éS�G
-.¸Õßòzù•lþþ
•Í)ÈS”Hj.äû>ÕÈTòÊ‹%ç_–»¶>Æ<Mbäg%ë¨&D„ˆ€éH´×¾j¦
-/l'¿[è^ó]á‰^ߨýì­'°%¾«wÙ2Ǧ&[½˜¨DÑK©¦—*Qèš¡—bÔû<ç6ÿj7˜
ì ²¾à¤Ðan݉Noü l·�6ýK·¤EùÝÌÎãKV6nÂ%~,†°ßTÎA‰žEà\‰£½]»™Ü3ÍýjméOŸ¤ô5¨a
-wñ—%¾Ô�ìN·‚Ý›žÈø.eLh
-»]�G‘h(dAгáا:Ž•
ÇÝÅpÜUûæ8)‰¡R8+W š�kX@Úäz$Ø�yÝ„£F,íàS›í󬇒¾}öò�³ `-?Äâ�êr¼]�jùA`�›*{¼4<ë´‹Ùô'm
-PœÁ/Ø´GuƦ�ÊÚ´žh©Lª8»d šXrÔRÍôpÉÍ�Œöy8Ñe"Ž}™hÕؤ
˜5_ÖgjwlÓµä‡Ò½j§'b(rtèæƒ/d_òæHáŒÂgP
¡\Ks)Ý‹ØÞ€�Hø€O+ô™»+÷^~¾ÕA:�_CNjï]K1zá��ÇÃZíÂ䮧¥%ógÃJð�âš/4ƒr~¡yts¤`*¸ŠgÜ@âL¸
ÑÙ§¬ “D8ªÞØîö ;ñòvËgo*ØÓ¬¿­ÀyÑgm÷¥yßÜЪ%1	b˜d¾•|ظP2Ý©ŽÝœŽ¶iî/$ŒGdxWzgîÂøJÕD¯nïÞ¸o7±Êæ‚FŸç\á�+ä¿Œo:
ðF‚¯î#Ñ*þm5gÊ·f
¢L|8/ÅÛóÂoê~ÖmÓî37Þgž¸ ×#‡•˜€¸Šw	öǽLÄ0ŸàáîáŠô�ÅÀÂ7M�Q‰ òÜ­-3lÔ.ÜztTÅÞ_.·é—E]-?W‹ 8èžõ>NP�jB¾áÑ$å±d(àuQTÏeèÅzÒ3ç}2–a'¡³jCûÕî†9Hm
-4.º>s¨…q¹Ï	׺;
ª¬©O"$§s¦þ.ÉDB¤áòpÞî“S©)1x«y
"´‚1Õ±ÏM	ýšá¡cº¶àø³ý÷ÎÂåm7æÑÛ“ ‰°´ò I
¿¤t@ÙŸ
-OÛôßH
¨•7ö3�ÀÈ´F4µx¶�TâaB÷b1±}XÔçöV‰÷np pRã°Ù¥#|ÌÜ›MjÃh»n7ó˜-SDHæoD¿~snSEëßw �_Ùå¾,¦D^fÈ@2ÏZBóUäÛ¼	Wsðw%™t½ÊœÆŠ¯îzÞÖ_¡ºÝ:‚ëû[âfoç,jÜUâ×ÙgÞ0~Å:küR˜'™ç
êIRí…€ÁÊñp•*NîÃæPðùñª¯vc§‰
ÌÞÛýÑÞ¤å^/½Sìšjï¿ö‡Sc:£@ŒaöíOÑ~l 9cçûªÜÚÆ)­ÀË�¥ÍÂÏ¥›¶4L×ín‡N)iä?èÖhK\Ñ7tVˆõ”Œ€“(ÆGüðÒ;5”½Ñ]ÕX3@ÅPÔxÕÊâp‘sÞèðr‰9àÆ
-+­¦%WãZïÈúNµ—Ê,—UØwHTF™%IBµ>&*ÚeÁ?ü§t‡?”†€h'º@¨ø Ižy#/4
cb¬âî�î<YOöÿ�O•ªendstream
+xÚÅZ_oÜ6÷§p•�®Êÿ"qOÎ%¸hÝ\ãÞÐöAÞ¥m%Zi»’âäÛß‡Òjwåu{N°Èáp8ÎüfÈ
Oüã‰Õ“N%¹S™f\'ËõKî`ìõ�<‹�i1åzq}öÝ?ež¸Ìa’ëÛ‰,›1kyr½ú5½xóæÕÕËËÿž/„fé‹ì|¡K¼¸úå⢽9w"½xýê-t•’˜²–^]üøêåùï×ߟ½ºÕ™ªÌ™D]þ8ûõw–¬@óïÏX&�ÕÉtXÆ�ÉúLi™i%å@©ÎÞžýk8
SçL „ÍŒ49´l&8ÈøËJaç—e`Ï<3ÆœØÍc +6‡û¢œÁ1(“,Œ
=¹HÈ„óÌi-ð„8×™*Or)3†48¡+4pàt™6ŠF–i)GŽŸÎ†§×ðW¤¯�eJ¡mb`·Ž[\:ù#áSÎIbš´ÃVw&„ï.×"yÙÀ†’éžÁ‹‰ä°)#&^Ç5ìÏ2›ä
+”F•¯ïËÝ+O›MW65µ‰fÒuQÖÕ§8~ÇêÎo}ÛQ¯kèûâòê%ÍqDXùsÉÒçB§¾j6~—)ê5Ö2|¢I7žˆ[¿nιŽóVhC<ÿñh@ãf¬¹M—÷E}çWÔ)kúô¹í»~멽õ•/Z�R³Ã3Q.Go•ÉÄžç`ÒÝA´-vAò<÷_—á ØÜC‰yäaà¦è
Jfœvç×|xF.´çâ-ùµÖSgá™uZF¿þÛºø¸h›åûöÈ©µÉrÎL2]øH»‘kF?9]Õp0wû
+^TUócoº°Knsu¬‹5ùË�L`eÕ°rW–ö­��
}a€¬0�«U&%ØeÎ
+Ë‘	cVäò]{äoüÀ�\J~päÒe*‡xþóÎ;NyUÎ3�f{5�ÔtNÿ™ÃGžé,Df¹Èøsø{°òrl‹ôõ£ˆ©…ÉÀD„L §Áä´ýdÊS�9}3u®ÀNN1ÓÙfB»½oújEí
+ÔñãÀ,`Â<)%¬„jK)Fµ‘º$­±9Aìšq8r�
+½…`yf•ÍÜ'øW(¦F¸ÂB«k‡Š«ódÆàSH꟪²¦Yå™™ê+×YJi°Ùôþ0Wg�\¡Îêfê,—q({ãA®Ê­_‚Ý?%B•Ã(‡¦ËWY׌v{>¦$yÈò{êýã@2Zƒ	H˜ù‚Ê2'场k@ÁÇZ:p·ä+ vC«`R –
+¡#,×kº@§*ë@†Ø	sîzªö[ IžÞôQÏÛ„ñ(ƒÚÅ
+¥÷æJ`W3舅ß ‹áþÃbÄ<Z¾)¸A)ãÜg)ß\(PÝ_ˆ‰aÆcÅ›„€Ž!qªvš#¾pñ&¨-Å—(Þ¦¢OoÒ@<Z!öŠ·É…×™Iñ–Çâ-G8‹”2r�¯¼ëëå0-OÊîžZèOÁ‚jïŠ" lt£	ý–sVàÃ)õ-Â9‡j�„/ï·—£GÀDqèÐ�Á$-›mˆ-êÐCB
)Å0â\Bq³j|[ÓÙ×�Ï–ž:­_ö“I¡h„ïºiã*°Ú¿cIÇ+¦ùL±ô›1`*ËE4
+q˜òX:ä‚g¹ÕOæCk§Øç}ìå�{ Tø¯½SÑ'²Ÿ€bÅrž“Òàʤ?”t9úøíÌ%D�ëJcŸºƒèLë|-‰¦;!4èVï¾úæ\)ò
+j½Ëåto�ÒøÙ×mE*ì]¨-½Žc#<>Ь&ÞÓ¸EÜÑæð©Óþ÷À¦ßböV2§÷’áF
H”þR�9\¯¯‹ÎÃõ—3–Ð(Hoô@„“×¾¨£Ôxé–æ±Ç@T0{ºÄ�e‚ï•8$s|ZÁ<nÊn¡á²ÂÞãq
+GÏ.Ç^e�âN=íµÒ
+;)PäP(aÏR•Ô¦A‘‰Œ[b@Å�Vˆî:œe¤Ïp 
+âÏL_¹Tr •öt¥40…�úph¨
­3<™ˆ:Znà9^o4Îf6Ï÷×ûÙcÂ�?‹×ä~ÛŽ×ã:>ªa;þž~÷±ìŽÎ�6̓I‹Ÿ°4v<'~¹"ž`–™Åd
 endobj
-1868 0 obj <<
+2009 0 obj <<
 /Type /Page
-/Contents 1869 0 R
-/Resources 1867 0 R
+/Contents 2010 0 R
+/Resources 2008 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1998 0 R
 >> endobj
-1870 0 obj <<
-/D [1868 0 R /XYZ 85.0394 794.5015 null]
+2011 0 obj <<
+/D [2009 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1871 0 obj <<
-/D [1868 0 R /XYZ 85.0394 752.2237 null]
->> endobj
-1867 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F55 970 0 R /F53 962 0 R /F62 995 0 R /F63 998 0 R >>
-/XObject << /Im2 984 0 R /Im3 1108 0 R >>
+2008 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F62 1050 0 R /F21 702 0 R /F55 1025 0 R /F53 1017 0 R /F63 1053 0 R /F41 925 0 R >>
+/XObject << /Im2 1039 0 R /Im3 1162 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1874 0 obj <<
-/Length 2332      
+2014 0 obj <<
+/Length 1639      
 /Filter /FlateDecode
 >>
 stream
-xÚÅYÝ�Û6ß¿Bo•�˜á‡ø…>m.›ÜÉ6—lÐm´6½VcK[KÊfÿûr(Y²e§‡¤8ˆIj8gæ73Ë
-ÿX"Q–ÛDÛŒHÊd²Ø^Ðä¾½¾`‘fÞ͇T/n/ž¿:±Ä*®’ÛÕ€—!Ô–Ü.K_MfÀ�¦7—o¯^Îæ<Ë„J/ß½»ºyyý+Ì%" ¡4}{yóñò
®½›Yž^¾¾ú0ûãö§‹«Û^œ¡ÈŒ
-/Ë_¿ýA“%HþÓ%™<„f-O¶™DfBt+›‹ÿ龆­S*Ȥ!’g*(.pBQŒhÆ€HP�Ú뉳)=E"¯¦yã¯ùü•”BK—X{Še±s‹¦Ú=êƒ1KS{~S’õDÇ¢‰Á‰ŒÃ[ÃG²ýk½›1“VU/ÃUÚTQÖáÎL+àRÂœ
ק™é(óUãvÈ÷
�Y¸º.ÊûxÖÚá`Qm·y¹Äɦ(òLó°ç¾Ýº²©ŸÁš`é]½s«*|�<pœ/=w�´’qb
ͼ~ˆ•’‘ðL0ÁEUþN)¿owyST%.ú•�#‡¯`(ÎÊDY67ýf)Lp3m–4™[A2“ÙÓ¼p^qØí³šwÒÍ¥ÕDS­‡Ïßß}•M¸†çWÈ<’×Ç/ƒG”*cÁP€¡æ�m^Î抧ïÃÿ7ð?K¯û1O_éJÞ›(n‰‘2¸pòhÁ2�h8·ßk%,<¿ÞŠäewL†×ŒŒçCÎᚊ�¬\%€»’�çÇkÞ®‹žØê´zˆÏmUZ¯«v³Äõ;‡¿míâJ©ÀRþlËE·M§�E³Æ‘·¦ ?a"pp4îÍ8o‘f,fJ`Y$A¡ÀÄei%]¬wà–½=sa	?4ç¶0
Þ<'àqL¦mYGó+y÷%¸¹`<]V®.hpÙ•ë¼\8œÔnÑ"‡¢yÂ%oÿ»­ê¸£~ª·­„™ �¼Q£lˆ�3`’Ï€àiJI”PªyT
--Ž
+Þ
ÇæÅæ(Œd
-^ÐX“õÛ|_€S+@9ßãÛ·E¦¹÷.£
L¸†»b€:
†î¤U&ΣaO5ô‡‚>�•">/8áîP{–“Ì•O<’«#š�kS ÿLÛ¹>¸¦-‚ïó0ȉî2°æŠfõ
K
-ðÒ2r/Ñ€�$ð¦vlÀ#Q
-)‘‚w1úç€}·
õ®N¡^&½�ŒEÔc�
Y‹H7Ÿ@=~õ†œÏ ^¤@ƒþÙÇíL¥o
-I¤Ôzoú5²é”|šqšS—ié6?ÌÀŒ"
DÏü®Ø œÀ|ë€7E½õS¬_^îªAÇAˆ§h¶ì!“‡f{µá�à|Y¸‡ç(¡²é^¿ZM@`"ë0é®(—ç)�ì!<\8çø3–m‰"€_ÍÀ:Ó(ZHyý vM·«šÇìÕø`#ÕRÅ|�µsuÕî<hgBƒ§oð8Š-?éÇråõÐ�×–yã6O`4…è’
ª5!#ò›·./#WŒ8šÌl¸5ç3ðNÊÙ(³AžU¹yŠ¹ŒöQ’êñ{>z+­PqŸüsr›>®]9aµ¾Pc6ûºÕ
-ÃÍ gð,»üÈÏ&7°z`Àø‘N˜A/˜_Ûä>¤Ë H0–~}‚�P:ÙùÃÎ	¼9T†r>¾x`
™ßˆ5Õ)”J!-£-‚a.ª¶FâƒóâêÒ#˜ßP†Tϧ“]N„Óc§�Å`¼°éÎá|çš¼YUà@ìØò½:àçÙNmMò§ó£a
-lü¨£¯Æ%áYñzª	ùF=
!BX5ðM•G-ó&ÇÑ
- Û‰¼^DéLMŠ~pž‚ã”ênY”¡F¾YØ�ÃjuðméVy»‰¯ü¹p�¾w2Í QH+ôwIó´†,ãéuÄ
§R<îõn²¯µ: |'šÿ³�.9‘Féïßèr>“òqp|Å4:„Ü7:üxò¿P½Ã¡AbÏÃÿúž‡ïÒ¸rüÔsñ˜�£UüR8ä…E²_}q}óG–ˆW3@'·ñµM=îÄÒ9D(˜·±Q&¡¿;·
Ð…\"¥K,·óò¾[½mºR|Õ6í®g²qyí09:…8C{ú&ýðf`ô�<0‚A¨}+™É‡\‹Úë×7—o>L„x	AáÒÁ×å �ZµMìª}];°uq_æ>Ýðû�f…­Yü�­4[)¡Ñ[6xÀ÷ô-`ŸÂAA
�óc”u±†÷‰žº+—‹©ÒRfˆŽ‘h/Ú±DÞŠ¡6Η'Á‹q
-&ÕçÁkHu¼zªø ÿþø¡	õÅÝÙc;¢‰cG˜D9¡êÖѹ¯°[¾ˆXQ	
-›¯Ž0ßd¦³ô¤ª ^�ñŠóš�VTGõt}sëêJ·Wïßá9
-ÇÄŒkïtþôjZŠ0."Q[ö½Qrê¯lPù?�MhŒö�å›ÿ·ÿc¦!E7|Z÷ 5¨”`…òzƒêúØè f	ˆ�Dzÿbƒ¼žendstream
+xÚÅXKoÛ8¾ûWè(÷HìÉmu‘ºÙØÁ.Ðö Zt"¬-e-9iö×ïP¤Ù’Ý]`aÀ¢ÈáÌð›'E?‰¤¦:ˆ5G,7#ÜÃÚÕˆxš¨!ŠºTo£³KiIe°Xux)„•"Á"ý¾E£1°Àál~ws>Ç<\\Œ#J9“áäææbv>ýÞb Ä8ü8™ÝM®ÝÜÍXÓpru1]|],Zµºª̬N�>ÅA
+'ø0ˆi%‚gxÁˆhMƒÍˆ†g¬™Y�æ£ß[†�Õzë\($(—
+CŒ*6A1!@s‚HÌh%C€5T°è»=èÙ¥JÀ0VZ
+î©×R
èǺRE”i¹¯àu‘¤Î4iR%n´ÚŽ‰
+‹�W½Ë$ÆHÆ
+ͬ?°àùôj6¹ž$°�†¹¨	§A*C—¨vU–7am—XWzevŸ'ëÒ-–Ånmm@½[ÙÉo~§u+7ª<—E^9
k·Çe'XÉ“�)ÍöÉlóºv
ƒ„SÅ}¤nót9p"J�H6™ôUµ¾FÖ‹ËÊ$iÏ#šÊ$˜•|O–¯.ÕñòÕRyƒ¼¿»9«c„5!§Å6Db÷ª¦Ç”ï˽,jà—¾øºTÏA|6«W5œMlOr*#†�ô¯Pu¨N@ÕPy¨¦³…-Soœ20±¸¸ýØ+êò¼ŠùiMZª
Uöà�¶%Dã¾.;_:Óâ9?
XŠCÐ…¸ÐħfÓ½l‹qziò4Ëï½�ò¿
+b¶ž 
=+½Ö¢gžh—§æÆ47ÎÕs$
&‘Š�†ï>Í.§Ww·‹ùbúiöã´aÕ�W¢Áœ�V]$ÚØNX1Ž0‘´é|ŠÜjz¿sÙªf¡�YÛ*…¹+I0W…,‹ÍãÚ|w«•ŸLM¹Üfßš=y3[%ÙÚ�-œÖ
 endobj
-1873 0 obj <<
+2013 0 obj <<
 /Type /Page
-/Contents 1874 0 R
-/Resources 1872 0 R
+/Contents 2014 0 R
+/Resources 2012 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1839 0 R
+/Parent 1998 0 R
 >> endobj
-1875 0 obj <<
-/D [1873 0 R /XYZ 56.6929 794.5015 null]
+2015 0 obj <<
+/D [2013 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1876 0 obj <<
-/D [1873 0 R /XYZ 56.6929 175.2854 null]
+2016 0 obj <<
+/D [2013 0 R /XYZ 56.6929 586.3808 null]
 >> endobj
-1872 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F53 962 0 R /F62 995 0 R /F39 863 0 R /F63 998 0 R >>
-/XObject << /Im3 1108 0 R /Im2 984 0 R >>
+2017 0 obj <<
+/D [2013 0 R /XYZ 56.6929 444.5078 null]
+>> endobj
+2018 0 obj <<
+/D [2013 0 R /XYZ 56.6929 369.9671 null]
+>> endobj
+2019 0 obj <<
+/D [2013 0 R /XYZ 56.6929 265.0122 null]
+>> endobj
+2020 0 obj <<
+/D [2013 0 R /XYZ 56.6929 190.4715 null]
+>> endobj
+678 0 obj <<
+/D [2013 0 R /XYZ 56.6929 151.8306 null]
+>> endobj
+2021 0 obj <<
+/D [2013 0 R /XYZ 56.6929 115.5088 null]
+>> endobj
+2022 0 obj <<
+/D [2013 0 R /XYZ 56.6929 83.5219 null]
+>> endobj
+2012 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F55 1025 0 R /F23 726 0 R /F53 1017 0 R /F62 1050 0 R /F39 885 0 R /F48 940 0 R >>
+/XObject << /Im3 1162 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1879 0 obj <<
-/Length 1937      
+2025 0 obj <<
+/Length 3855      
 /Filter /FlateDecode
 >>
 stream
-xÚÅX[oÛ8~ϯðÛ:Àˆå]⣛¤Ú4›¸‹:}P$9*K]’ñþú=¼É’¬&Ìyxxxxø�I~d	„™â‹Pq$0‹d�O0öñ‚8žÀ3C®÷›‹wX¸PHI*›í@V„p‘Å&ý¶\ÝÝÝÜ^¯ÿ}P�—ïÑe 0^~^Ý~]}²´»KE—«�7ºó�)Òl/ïo¯¯.¿o~»¸ÙôÚ5&˜iUþ¸øö/RPü·Œ˜ŠÄâ:¥èbÁC‚3æ)ÅÅÃÅ?{�ƒQ3u΂EHD4œ1
%B�‚Žl ’Œ2cƒ«/·Ö¿Þ¯ôN7ë/·zO0“
Œ‡

QD±4S6»Ì1‘

¡JEÀ¬yÊxŸ¥3¢G˜H긒ªücúÔÕq›WåeÀ0[jJ‘é6_æ�¥µUeIµ?ÙŸv´uÄ4k’:ôsJOmã¼°í]V_’h™ÁÙñ/W–Ó
-k³¡”ÃI»8_ÌÜ*ÐÛÑæF!‘‹ 7,ìã9Oa·1zuým½‘ø†B .	sÛ¿¾½¶ÜÊ~Vé>/ó¦sTµ%Ýg[§{™d–ô9.»¸˜1.‘¢RJ'õ§4
-Ûéú$ä(Äì
z®s
ÆÖ	
¡c4˜�UÓlwEk;gÀÔDLôS+a‰„l¿n¥
×+Vò\ÆJÏqý®îJg©CžžJQðh¡^סç:Wbl("IB:ÖbÞPÎ7’¬i‚<=³Óú¡H„a4FßÃÍ�s€O_fÜf€î?\]Ânðb,›ñŽ‘äÒ‡¢_fê8ɈcŠãÿ[qâ/ˆ(¦6^É.K~hOøÁ9þOUfÓáºL“)­x±a£Ig…!¿Œ°#ç›
-ÃHq9‰uÿ— Õ3�`³úºùõËýÛ	k]¶Y]f²ǦÍö�í\UeSÕmÞíOërĸ¤N—("�ÖÌÖQ'‹¡FÐ7é
-/
IΠú°œÖÚÀ•tµ+ŽZ;Ú70Â�ðÔÿ  ÐHò71̱ôF­Ñ=ýÍK:Ô}ª�ƒ«Ò«ÏÁŽÅѶ†(S#ãéxäW"ÉÞ|¶LŠ‹§ªîA´tmøþúyu|¾zEE–/»<ÙÙ‘®ÉOl?ÍÎbP¯múYbû­í›;<|³Ø‹ÈJÃÊMˆÔ‹)ÉzŒT%œ˜ä
-®:^£A�j|½7ÄÁæaý1hÚ£y¯�ÑÔ†¶Õ€ÉÐ/�†îXµÿ貦u2üHÏï@/ÃôÆÿÑç7À�~Þ�°ÃUQŒšU½±ðÓîÞ—›}@Hv1ØÄÕœû®qœ�>¼
-¡¤€
-î•PÈ«¿Ÿú½À` ñü«“†Â\õëºÄoõ,«ÿTSMv?Ì•ç¤S“-Ñ\Œ‹ÞHä*R¾N³‡ÛHlc½ s¯
§g0Í`54OZY½·yÈ»êÅÒí¸ÔÆIëˆ;Çæ¯lpµ >®k¡	ÀÛ¶_lžÖý‹Z?vÛ»±O
úÐíë—
-d¯®pƒ]3ófânPìêòiæš�ûBëo?¢žÞˆ¡‡ÿ“g†áâqÇ+¥wHˆ˜ªÞ?·žëþ_'x—êendstream
+xÚ¥]sÛ6òÝ¿Âo•§ƒ$ûæÆI›ë%õÅÎô®i(‘¶9‘HW¤ìº½þ÷ÛÅ.@‚¦gn4#‚øX,ö{”Ç~ò8K"¡óø8Íã(29^o�Äñ5Œýp$yÎÒMZŽg}yôü•N�ó(7Ê_^�`e‘È2y|Y~XœžŸ¿|{öúß'K•ˆÅ÷ÑÉ2bñæôíûÓRßùI®§?¼¼€Wk“¤ÀyF,Þ^¼??;=IãÅåË“�—ÿ8zyéÑ£.…Fœ~?úðQ—p‚‰HçYr|/"’y®Ž·Gq¢£$ÖÚõlŽ.Žþå
ŽFíÒ9R$:‹’L¥3´PòXÊ(O#É#£•¶Ä¸xhÚÛ®î¦G1€� ©ÖQj
+�;�†ÌáÕ�ˆ
án³Þ=°~ã{±¹nwàÁ·ø/®�ËØ鶴­GÃç�oN_,ßœ%�dqS¯o£äÂvóÀTj@ÛsÉÅÏͺ¢[8ÉnNŽ=fh-Ó±ÓNƒ­pÌ¢�ýˆö3ž¦vmmGGƒ÷õfCcME+5ù|è©€}ã

+[|L�ž§"�
•ÊÐE¤Aª6^Få¹Ë¼#Q*ž»Ñ
+÷6˜Áh«íx6@€’+¾‚w�r9ñQè_´RN¨mŒ´�«ŽC²žå΂üô‚ÿ;úV&iôí_TVÿ;_y7OL™æ‘½EY&Êp ›BžöKJôÎÔî@ºP8c1à7¦\¨ì±Š2™Æs(2
Ò$Êtœ†Ðgw>µ…x�JG`ÉÓètwƒQ•»ÌYŠ
++E˜™‰xñEh™< ×2‘‘^Ù¹4ÑÓ¤aÚâì�	%�)–Ö�âH�‡Ž'Ko€JZëå“Êš±µåI¨±æîU"-=;í�Øêö^k¸¦ù”ðF�c‹6€«OçÝ¥Jrt!ac()‡j[(™Û8mF%ämJ9
ßóxè›ê«¢«LL��UµËÀ{�t‚uO±
+ìPÖݺÝïŠk+,1Ö˜¹­]�{7‡&pSL^–Mkb*ÑÃàºÝn)Ñ€¾MÝpÚšg`6ÀÊ…Ï‚¿Þo)V)Elð\oª#|•-úê�Þ–]•+»Âø¶x ÑÕ‰´¾
+šwuWÛ¤gˆØ�vßßÚ!˜9²å0rÛaÄ*9bÅ©»1ŒÌ†šðJ¶í�^Øz12µ½ß±
ï+ÆÍåì�£nØ
+1B’ö¬×àTÍÄÔ‘Þ°ôøå“R•û‰\[ÂÉÈOê¼|ÁË8VNjé¾ÜŠ‰> "
+\J*¹›×==­�Ã6kà22¹ÖOâ¬ÖF¬
èá9[S­)_çk-åY–N
+¡^ØI‘Gw„¨\A °rWÒTL²ÂÍ“‹~Íw“Ö�¾¶îB-ÁË�¯3KÊ×}–ý
³$ÌÔS
³@@íæÚ¸Â��Ýÿ¨·û-÷Ö[î.xÅ`>ÌD° cífõÀJj­ª«áöÞkžj«¼(ª)[ŸK‡Å�Kù¹f¡…Œ“ž~Gn³mJkÇ Tøµ"g3ù$Àq�íçèþœõÀLoÓøËœ¯`G†A�H÷óìBÄSvˆÄ±C8v@i148$°ŽP`�¥ãRl"*µáĘp8©£§và…T–þŠzÿdJÙ`.vv;\Wã
+<!â
+~�ÓÐw4’¿91#[âwsŠh|õÒØò±S™LéIòúÕ–Ff¾†0÷±˜„P¿OœýX, 4ä”�ä�nBÕ(x訣àþàëÅB¡x—|«Õü”H˜¸{}œi/¼ù²
+þn<|V�n–©áKb=ùHë\:¤�þR%SÔý‡É�qÿ&ãQendstream
 endobj
-1878 0 obj <<
+2024 0 obj <<
 /Type /Page
-/Contents 1879 0 R
-/Resources 1877 0 R
+/Contents 2025 0 R
+/Resources 2023 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 1998 0 R
 >> endobj
-1880 0 obj <<
-/D [1878 0 R /XYZ 85.0394 794.5015 null]
+2026 0 obj <<
+/D [2024 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1881 0 obj <<
-/D [1878 0 R /XYZ 85.0394 751.4893 null]
+2027 0 obj <<
+/D [2024 0 R /XYZ 85.0394 749.1471 null]
 >> endobj
-1882 0 obj <<
-/D [1878 0 R /XYZ 85.0394 670.0469 null]
+2028 0 obj <<
+/D [2024 0 R /XYZ 85.0394 677.0612 null]
 >> endobj
-1883 0 obj <<
-/D [1878 0 R /XYZ 85.0394 556.7566 null]
+2023 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F41 925 0 R /F53 1017 0 R /F23 726 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1884 0 obj <<
-/D [1878 0 R /XYZ 85.0394 475.3142 null]
+2031 0 obj <<
+/Length 3132      
+/Filter /FlateDecode
+>>
+stream
+xÚÅ]sã¶ñÝ¿Bo•gÎ>I oÎÄÉ\§ç\Ͼig’{ $êÌž$*"uç×w€ EÉ—¤ÓŽgLp±X,ö{Añƒ?>Óy–[ag…U™f\Ï–Û+6ûs?\q�s�nR¬o¯¾ù^3›Ù\ä³ÇuBËdÌ>{\ý4ÿ6ã,»l~ÿðþíw·×…š?Þ]ß¡d>¿}ûöîþ»×ÿ‚wÍ
+w×BÏ8ˆƒúÝ[z#vÝŸ¯ñ$ºÚÖ»ºíeWöëöÇþiQ¹Ž 3„7ÝSuh‰@BMÌ«ghì•æÙÂ×f~\¢ñµî lhSŽÎç{¢Gÿ9Ömíˆp6_>UËO-a¡°ðÙ=…Éf×U».L¯GÓ¿� á
+-î©j+šN)¶U)­jbÓÓ(;�Bg#´Ó¡_>u*`DäÒ›fÛÝ`‰JÍ•‡.²Ÿ–Pfš½{ô`À	ÄêÆ¿‚’ZZßxXí—–‹d@sÑäÝŒ¼ $ø BÓ3ãûöØz2�±­:¿×š&�âàÀdˆ°,BX­
+›µì\‚ÃÂ'wP`T¶ô¤”ƒïž!ÖKÿrÿ@ƒèð0:<–
+ž:±¨C ¥�à?X\N:×cXÑgRx
¯Þ–�g,B�z} á¶*w¤TDˆ�)9κqÿדê”gç9<Uf„gªIBºI±¨˜äÅdÄ"E»'‡ï…ñÓ¾9tÆ,ñ¼È¤É‹Ë<E¬	¦R‹âØ]n†L=TT&@MXbÀÅÁ*è_¢wÃ8Q¯[£È½a†ò.|¢Ä•Ž{Z€	(â´â*ÚÅ©@1^ÚxTôÄBÏÿ	ˆ,ZZ�eã¨ZÝ!SÂD�»q§ØRDT‘áÓ‡¥ÏõªZ½šðU®L¦°g`/V¦:“‚N){.JÃèÒ¾tžG¶eÛEfƩг="D>;_Z™˜!D.•{W²ùüÍýí›;ê\œuýÀ]Ñbuh=
+iÞ@×”+32ÿx@æåÀÒÜúj‘WÕº„önÕƒ¼Ø€œ3xj9$O�癀ª¤Îr­ŠË
5Å:P#tÓ,]KŽÁ}µ:Tm{1˜*™é<W—ù‰XÉQ`€ÉbÈ‘�¦¢`MEÁíI²,øXû8ëë‘Â72£CNDQ�Œám/`"0ñÌ(Éû*�¼¡n#gUqr±òÆGX	&®¡–NH¹¢@Êå‹�ÔˆLqûUa”Å0ŠÂ6>Šr™DQ®‚ÀpXîhAå_&V4 “Fœå4¹;‚.ž	æ;GØêÖv*¹Ë=. Î‡#bÈÒ1Çs®Ï
+¹î-_úÒ‘›´7×`«ÁLÈ5€â;-$‡òD„ž#ÄØ
(Y‘„íSPîRÐm›Á›�žv­BuÔccŒÆI;44—[ U})²€Î¹ˆÝÔå»C+cÙé
6(;`fßÑ˪‚jeë»9Z+;¨ºÀ[â4ôŒ±Æ‹²¥ÌÒ5_Jʇ'OÇ¥T?MI�ñŒéQN÷×|ç\‡ËŒ©^p�ë‚ë,¸6eHªnxÖyDa/s±&Ø8qfÅ�ç>®´<[¹8þ2º­{íË”IsåRfÖê`¯tÄSkÁ¼W˜|PO~}•®n'™€V\ë`Œ¯ï'8úžxFùÂ@‚—:¿¬üë¼ò#–»è6¡YŲöDñr5ã—HÏÊ ‘Ѐƒ^í¡ÅÄA/h„Ö[vnÏ�»ÍÆ�Ôbľ5½vMð~=äæäëIuò©góŒêÓûîLÈÓ ?17@r¹©ÊÙ#ù’ËBŸ>®êAçM@B1*ÅvŠuÁ–ÿ†uzm³<ÐÕ÷0ØŒ[ö+k‚—¡w(¨ùˆ™a5,äPŠmÃ’jÒëão¢Œ¿ç‚çãÃën°2¡8Ý߆õ÷vC�k�	ÈÆKVÀK/˜ñi  ÁB¾/ëäÖëF1–ÏFUÖãäÍ!ñå…é˜Ú
ÈY#‡÷†¾ú‚Fö
+í¿}œ×¾
+8xÁú¾øï¹ÿߺ‚É ä„"Öÿ^DûÄÉ30YýÿwŒp¿¡3üÅà„µ±XFþé&ö?ÀTømölr/ EÄÞž)<;ù©OûŸ0žòþ
+¦ˆæendstream
+endobj
+2030 0 obj <<
+/Type /Page
+/Contents 2031 0 R
+/Resources 2029 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 1998 0 R
 >> endobj
-638 0 obj <<
-/D [1878 0 R /XYZ 85.0394 431.8777 null]
+2032 0 obj <<
+/D [2030 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1885 0 obj <<
-/D [1878 0 R /XYZ 85.0394 396.8929 null]
+2033 0 obj <<
+/D [2030 0 R /XYZ 56.6929 699.775 null]
 >> endobj
-1886 0 obj <<
-/D [1878 0 R /XYZ 85.0394 359.3568 null]
+2029 0 obj <<
+/Font << /F37 791 0 R /F23 726 0 R /F41 925 0 R /F21 702 0 R /F53 1017 0 R >>
+/ProcSet [ /PDF /Text ]
 >> endobj
-1887 0 obj <<
-/D [1878 0 R /XYZ 85.0394 286.9477 null]
+2036 0 obj <<
+/Length 2472      
+/Filter /FlateDecode
+>>
+stream
+xÚ­YQoã8~ï¯p—
+À7W
úËà€²ŒÑë\éìš²ÞJ>Xëa²”Bʾáà8@ª�ûƬu(Ñ™Õ"Ѷ^†ÛÈØÂ,Q7òŸŸ†Ð²^]Øê1‰÷[}xs²”°øb鳂¼­¦XEœ¹ÊV½äK½|gH
+³™ÅÏA'Îö#‹0Àmæ¨íôBB^.ôA*"ƒ8½2¹á‘M—ËÓ±c¦è^@ŠÓ™Ø9&ìÆ1麱ƒ½Ë”8«20ëìÆöu
+³m¥÷ ÔA)úÛ`f'p@p�(ðÙ=MP^²"𛣊¥›Ú…
6è‡�Ç"+¿ã°€ÓÍI'‹22J.ì�6×i7.ÜÛõ’©ïi
+{›ñój×€ÞnÚ)¢( uGñ|]æn[ú*î»n0ç2Æ5‹œ“$†ön
+ý�2Pn>ýYã|ø¨�¹†•¦•kµ^狪ðâ§"ìÖ� u¯±èð´â Þ¸Ç
Æ8M.t7Ʋëßf_o¿\ßTjê0áî/i,
+Âñz½)ìzTë�',’[¢ƒô^8™ˆLÿç`Y»FãX5X:½jW,Q…í>AÁ®ÖŽb7.Pò²ÖÛiè„#0�õø@·¬‡k$«ÁÃ/S	œ
+&HᨮúÊ3ä~Æ%î6vi´[Sl9sù–°í¤Y�3m­oüÞ IÌøÒî%}5Ôut®¬¡˜i×:M싧†.¹åv—ç‚u“Ú£$N•]Ñß&ÐIÒNÊõýdñ›±O3®ŠåªªÒ	·™˜u…±SÂl'm�ÐûaI*”z¡öÁ’‚„vÆb_„�·oÛ³Ò^ˆq#Ú<ŽŸÓ½kfWk&·}Ôo/s”±
KÇS¶4EÇ
6LEƒÎ0ýù6LÜŽvù×òU§Òc紇ɥ÷ÅÛÔNµsó`¤¡­|j;hfþ`ãŽoó¹û)âw*©æ+l×e
TöMMÅoÙ_ñ@æÞòÅw³_:nü³i9$£Ÿ—ïof_¯]ÚUk}º¿š¥ós
t€Âeîîô�é¦ßÅ;ä0ðç‘ÃLW®Ç_éÅwÿE’º™½ýRº
+H8T¶Hë<`ﱬ&wÔwŽƒ35è}“´\˜‹&`I;6ÂÎFs4‰„ªàª>àªñŒÚŠ•N¬r¿sXâÂ:*íi•ûÔÞŒ;e„É0�f¸*{Ð]ÊZ
ê°e¾'W¦ç®wιHpq�Ñ~¥»—¿!�ÄÚ3š
+*Y‰¶›qUÂÑŠç/›.E7ÁÐp=Oí½²)¨‘ÚNÀ·…½€T¶Z³4ß}|Ï(HD«
9CúÓð·	K«�õ'Ò²Ú}†·žP–m¨-­�KV‘½c1³ù“³§-´îIÅWë6‚cƒWv§¡†ÖÂä
,þQÛ0pæÒË
+endobj
+2035 0 obj <<
+/Type /Page
+/Contents 2036 0 R
+/Resources 2034 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2039 0 R
 >> endobj
-1888 0 obj <<
-/D [1878 0 R /XYZ 85.0394 208.4702 null]
+2037 0 obj <<
+/D [2035 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1877 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F47 879 0 R /F48 885 0 R /F39 863 0 R /F53 962 0 R >>
+2038 0 obj <<
+/D [2035 0 R /XYZ 85.0394 372.4169 null]
+>> endobj
+2034 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F23 726 0 R /F53 1017 0 R /F41 925 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1892 0 obj <<
-/Length 2634      
+2042 0 obj <<
+/Length 2188      
 /Filter /FlateDecode
 >>
 stream
-xÚ­Z[oÛ:~ϯðÛ:@ÌòNñ1mÓ³9h“lã.8=Š-ÇBm)kÉÉæßï/ºYvzpŠ5EŽ†Ã¹~C…M(üc¥‰¶ÜNŒ•DQ¦&‹í�<ÂÚog,ÐÌ"ѬKõ~~öî“0K¬æz2_ux%„&	›Ì—LßKÎÿœÿþî“ZΈæ‰þHôõæãòáö擧ìqå	¶ŠÒË»»«›�×ÿ9ŸqE�ûùLQ:ýryóíò³Ÿ»;·|zùÛÕ=2;»š7çèž•Q�‡øïÙÒÉŽüû%Â&jò”0kùd{&• J
-g6g÷gÿjvVÝ«£ºc”p¡ùˆò8›0F¬‚³uµ§,Ñ‚wÚÛ»ùõíÍáI1Œé‰áœFÍ‘�=ѬK7±Z¤Â}gÁfªC	Â&¬è
Q•ûÝ"›¥Ëå.«ª¡„LqÂ�”§El¨FdìzS†p¥L_ÈoU6æY”H©ÕQ)¬CDœ=yZ�Ï„aÓz�ျ÷ÏY2]d~
á32s«rç)Ã+lº(‹"[ÔyY^倠ÊvÏÙîÜÈ©‹PC"ˆLPCã Ë—ý¦ÎŸ6™÷꼨ê´Xd•L½þá)ÛmóºÎ–þ7t4›Mùâ‡UV×yñèÊ•ÿ}(ëuxc8]ß=Ëðr±l¦t`ÒÑ…#iu‘Uä˜�êbÇ$ü´�v©ŽûhCå|t1æ£m,ZL±Êg«|“8¨€´bŒ=-_C5"`ÏA…!ZA‚èI8î ,!ZS;. ¶ÚÈŽw2<	ðòwJùã~—zÃIœÙôš,]ú´;³¢}}™­Rp²‹�um/Š(¡†E)ßeõâÝ®X.Ê;F‚èDÇ$}Ü°¥ì
_h‰N¸B ržðãÍlõ#{w¦‰¤‰=)YCt(ZÏ°PÔ„¥¼'ÛQ°Fòá<‘“4¶ã
-�`5ëïúÍ™N‡|�ƒ€õbMIÐ%UÇuÉ£þ…ºŒGtÙÙœÐæ˜2‡�´aöʇôvpüì“>«“Ñ„wÖWŒ€®1¡â×)&2|C1`.
-ðÇÂC²:<×»p¡¡B±—߀béñ€òW38di5Ý°KÃŽÏé&_6uZ…;ì‹‹òLp�‡pðС©ÀP¦9?nj	Ü‚j¥†‡TöwMÝ0œu8š*0á	c;G-
ÐÒg¾g‡õ(@¦§l‘£³gË‹�IÀ2®ß
-Y¦ªÂM0‡0¢XÙ„-çÞ×>¹·d¼†�î¾âi“9/%j?íL�ÃÂ,vi
-þc¡kÇ….@Jǵ¤³æ`îèä(+àÔ!v"ÉágnJiŽÎÅC8É ‰ÂÔ0‰ÂT›D‡vÖ`­u÷ÍA®’Š"‘í+óòÛüŸ·_OiÑç§ë¢ÎvEL6÷¯€Ÿ`Õ€? óäûm»/v�:O2¼>6ñ/‚~’.8¾6²‹0»ß¢zg‘vu„†�q7XëCa	£RŒòýëž4³ð�sÓzIstôÞïÈ#`¥b¬}§�mþö*´Á!ñs÷±¯˜Ü(/ë(“1}xeþ¤áPöÿ-pUbendstream
+xÚíY[oÛ:~ϯðÛ:85Ë»¨Ç´I»>Û¦Ù&],ÐöA±e[¨,ùXR‚üûrHY’e§Ày]o£ápøÍ�f
+l¢4Ñ1�'Q,‰¢LMÛ:YÃÚÇæif�hÖ¥z÷pñöƒˆ&1‰5ד‡U‡—!Ô6yX~Ÿ¾#Œ‘K`A§_o¯ß_θ4±œ^ÝÝÝÜ^ÏÿcE�((�~¾ºývõ	çî.c>½úxsùóáÏ‹›‡Vœ®ÈŒ
++Ë_ßÒÉ$ÿó‚5y†
%,Žùd{!• J
+fò‹û‹·;«îÓQ0J¸Ð|DœMàˆ±R¼§-¸pJø0ÿ4rF"Æô$âŒhÅ͉}‘hÖ¥rÛJ3¦ú@ew}›Ö‹·û´*ó'²(‹ÕP
+tªƒBðõ
QaÃH³³æŠ
/g5˜-yò”dyò˜§!ÄùÔ™�L½³�q�[4è8>«r8kj+dSdH#`k)¯pÛs’ŠH{@Û©)m¿l{	6ïï�,§HuÙMY€Ö%�àËó\KyP�û¼�� ^_¸Ä¡ç…ì!/@AN—Ù:« c�)[IÈ3$¥˜Î¤DmÕ¢Ù#EQã
+H_À(ÃCû‡À�–¯bXRÚõZ]HL§¢ZŽ°”ÄqëVu_‚1Õ”=”Å=åYä
Wi3Žžú’|]îA…[`­…³6Û†ZÃîiä3ä|\iªÔÓ$ØT›¤ÍrÝ8õI�cëm›&�EZ8Ré\¤�@LA'`¤,àÆ´Œ}þk—:Nªêç±hp69ŸUõKîX™¡
+ÜœËj…ŽÂ†æà6ì
+$qñŽ…¸ÊÝ÷˜‹,#t,ž½XÄÃ'¬ã6=¯r@0°!o¬ÆȾýÜäu¶ËÛz½ª“b‘VÝLïí,òëzøÄžä9Z�5Ûº>z2},]°îš÷üîIÒ˜ÒžIGŽä ÿV0öûÔm¶¹|ÚBþoÿvsømJÚû4ü„ß‹Dp[ó PVÍŒ›cÃò¿òËþ?ƒü¨Jendstream
 endobj
-1891 0 obj <<
+2041 0 obj <<
 /Type /Page
-/Contents 1892 0 R
-/Resources 1890 0 R
+/Contents 2042 0 R
+/Resources 2040 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 2039 0 R
 >> endobj
-1893 0 obj <<
-/D [1891 0 R /XYZ 56.6929 794.5015 null]
+2043 0 obj <<
+/D [2041 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1894 0 obj <<
-/D [1891 0 R /XYZ 56.6929 752.2728 null]
+2044 0 obj <<
+/D [2041 0 R /XYZ 56.6929 752.0628 null]
 >> endobj
-1895 0 obj <<
-/D [1891 0 R /XYZ 56.6929 348.0801 null]
+2045 0 obj <<
+/D [2041 0 R /XYZ 56.6929 615.2568 null]
 >> endobj
-1896 0 obj <<
-/D [1891 0 R /XYZ 56.6929 250.1909 null]
+2046 0 obj <<
+/D [2041 0 R /XYZ 56.6929 551.6561 null]
 >> endobj
-1897 0 obj <<
-/D [1891 0 R /XYZ 56.6929 188.746 null]
+682 0 obj <<
+/D [2041 0 R /XYZ 56.6929 500.3546 null]
 >> endobj
-642 0 obj <<
-/D [1891 0 R /XYZ 56.6929 150.8976 null]
+2047 0 obj <<
+/D [2041 0 R /XYZ 56.6929 467.1661 null]
 >> endobj
-1898 0 obj <<
-/D [1891 0 R /XYZ 56.6929 118.3669 null]
+2048 0 obj <<
+/D [2041 0 R /XYZ 56.6929 431.4263 null]
 >> endobj
-1899 0 obj <<
-/D [1891 0 R /XYZ 56.6929 83.2849 null]
+2049 0 obj <<
+/D [2041 0 R /XYZ 56.6929 364.9038 null]
 >> endobj
-1890 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F47 879 0 R /F48 885 0 R >>
+2050 0 obj <<
+/D [2041 0 R /XYZ 56.6929 292.3128 null]
+>> endobj
+2051 0 obj <<
+/D [2041 0 R /XYZ 56.6929 107.6861 null]
+>> endobj
+2040 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F48 940 0 R /F23 726 0 R /F14 729 0 R /F41 925 0 R /F53 1017 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1902 0 obj <<
-/Length 2930      
+2054 0 obj <<
+/Length 2477      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥]oÜ6òÝ¿b�{¨Üz~ˆ™<9ŽÓsѸ¹Æ
-ôú ìʶP­ä®´v�Ãý÷›á�ZI«uRü°Ô�šÎ÷Œ,þÄÂjÆ•K™K™æB/V›¾¸ƒ½ïOD8³Œ‡–ÃSooN^½WÙÂ1g¤YÜÜpYÆ­‹›õoÉùÇ�—×ï®~=]JÍ“·ìt©9O>œ_ÿrþ#Á>ž:™œù	¥Ërìô÷›^½×j€^9DzT#Wˆøçëwìâ§ë÷xôäò¦gwx%ÁòúçÉo¿óÅnöÃ	gÊY½x‚΄sr±9Iµb:U*Bª“O'ÿêvý«s"ÒÊ2me6##)B0§µ	I;f”Tþ.Ÿžëæ¡-ÛéUð£
-›4m*»çS!DÖo„Lnîé^|À¹Hîó
- Ý=©4lì­ê5½ž×t®yÀÕNN�Ñftr°‡T11ŒPHúáEzÌ£Äsúù£xžœcs¶�Wšñ¸½êÝ?ò{(¥4eŽË˜yAHõ//ñžø„"{,Ây#z�ÇX0)d(£îuq›ïªn$pÈŠ5XÈpœ(µ2ppÛTUóä#	<}~¦_Šã°ðaÛË^	ÍÒ”OdßøØ
-ñ`½&5·-
ÐÄýý„ð/1
-�ŠÄ³›¥>0JC<ìÞ7mG«§²ªhõ9¼¹Ñöî‹:àmð—�ð‡ôëˆõ®|Œ/ä
”ÇgÏöÝ.h 1ö�R"畯I‰x·TQ¤Ì˜Í¤�èÍó«qŒKm¦J”6ÜÏ
•P¯Dé‚
…ã‚V,iÅ’; üé¾Ä�1ÄY®A"%èo>w'˜ÈLdrþ"R@U“º¡c,ɸ Šb™–nl\äŸKcLr…Œ‹ú>$AêPµ§]®g¨C±¦µÓÃZɸä�Ê�Ǭrío
-@_*™(A ëõíA˜¹(ã7V>Άäf9”"c×Ù—Äcxª¦zœÄ¬=ï"_ Ò$<nònu„	:bÖ;fYßÍh>d¯‘caDAõ�uñ$¢ÁÕS¡@Jž?+¢Ó—åÑ“mðdÛ{²¥Ôˆ�|²{[
j‚�ìáHthß:A	á‰D'))@ill&&õà„lŠ±YvÄ5�ÀV#�¸&–3’ÉR̈¾ÉM°z`M°:X“x¼~Õ�6´„$Q«oèo”<ÖØ
-n« 2`½0„2,å‹ð>Å�ø´
-¸èÃîW±ºW”dÂ]¤SsÚñÎ5ï?˜1
-
$„ø² mÑ€¯Taqõñ1¥=*	dÂñ†úÃU8<(mŠ6¸Säm¤ôpê
<ê�*6±3õåùm·/Ê甓
-–aðúR\¶Ð§ÛtŸUžÏÄú,ÖÞ±êŽ%ò°¶¦ÇúÎݺ…wú†n‹öîAQØ©íŒ/–kv|	(ŒŠA„1ƒ°©õA{Š^«5
-_Pj1üΠ˜†Wh
--!£IÍM„R<ÃU½Û|öv‰¸Àq¨Þl'XâùàÒ
-DÐo!KaÀ›YKq��ØðÑÝSÛD–™tbÐqlr(,¶¬Šf™WwÍn³™Ÿ£¡ú9Ú¾õÅü¢B(RJâ”vûë\ØØ#õ�Gæé”L¶ïŸŽ
 ¤ïùjNùræ
Öui²ÚmÉ2ê®z¦Í¦¦•Lþùáübùá�s2§¡úRr){›ý µàÑNÖŸØ÷,Åž¡9=¶ÅŠøè܇DX÷µÂpÐ…¡b
+xÚ­Y[oÛ:~ϯðÛ:@Äò.ò1mÓ³9hÓnã.8=Š-ÇBm)kÉÉæßïŒHên»§SÃ9œë7›Qøc3£VÎb+‰¢LÍ–»:{„¹ß.˜ç‰SÔåz»¸xóAÄ3K¬æz¶XwÖ2„Ãf‹Õóë/_nîÞßþç2âŠÎß’ËHQ:ÿt}÷íú££}¹´|~ýÛÍ=<rk`bœ\þ¹øýÍ%:ëkI,Š…+½{ÿŽ¼û|÷
Y/n�¼Ý31*PØÿ^üñ'�­àh¿_P"¬Q³x „YËg»©QRˆ@Ù^Ü_ü«Y°3[¿:¥#©Q\êYÌÔ0=­IJ¨ÍD±dDÂV�&9›ÒdàÂóFK¯Õád”p
q*Yù:{ŒÖÙ6*…iF(—bÖÝy$_Ã5!`×LkB©Šû~+Ó	³1C´¦vZÄÁº:ÞXzÞ¤¼Œ8GµIÝ
+ä
+sÌ{r�k @àËdû5+Ž1
 
ÕýCd«qZb4ã§×pMh®_Q%+Wý]¿ÕÆÓ>eã Áa½hS´IÕqmr
+x‘	õë´Ù¬8¡Í^ˆ:‰)œuB�#O”Õ
o¯]Xï
+§v ºÔN&ó'‚Ùø¸j4‘Ð>È_§šfÅ3ªÚÚ2]5»Öm<øCp‹¼xñºÀú͵%I/YµiÕXu„ȱ
Ù{ø¦tHL©y²},öðÚÎ?ºj 
+%Ñ(iYhºùÈuÛðb€­ïý­j¹[
+Qø¥4DÆN3¿š:Ì�M‚Iß
+¿ËÃÞ{Pµ}u¤:ÃïKâ	•'¸Œ[<g«z‘�Ì`¦—�¸í£xv©™ã•ÎÄ¥¹²€0•>ñ�Ò«fБHaü@<¿bÔ]²®ú=Ù
+Bo-Ú�OA<ÞôËmDÀ¡¥ƒXܶ§ v`ðËÔxjƒ¥ïëŸÛ¤˜:Û…�ö!TOlrn¸#YnSo§ýe,瓱FûAvsãÞ½þxÿyâÔáUìøNUð�ùö'"œ€¬Žs¦3W#ÝIâäR°R‡¹IØ®?I˜†éÜ@ø“)�†‰Hm"}´sh­»mF	K*ŠL¶¯Ìëo‹~þz^‹·y•îó�qî_KÀ?Þªï
+’¬…VÆg¾
+À¸õdÂe@ŸcÙÿ9Īendstream
 endobj
-1901 0 obj <<
+2053 0 obj <<
 /Type /Page
-/Contents 1902 0 R
-/Resources 1900 0 R
+/Contents 2054 0 R
+/Resources 2052 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 2039 0 R
 >> endobj
-1903 0 obj <<
-/D [1901 0 R /XYZ 85.0394 794.5015 null]
+2055 0 obj <<
+/D [2053 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-1904 0 obj <<
-/D [1901 0 R /XYZ 85.0394 749.0409 null]
+2056 0 obj <<
+/D [2053 0 R /XYZ 85.0394 409.4177 null]
 >> endobj
-1905 0 obj <<
-/D [1901 0 R /XYZ 85.0394 687.8191 null]
+2057 0 obj <<
+/D [2053 0 R /XYZ 85.0394 311.5951 null]
 >> endobj
-1906 0 obj <<
-/D [1901 0 R /XYZ 85.0394 186.4649 null]
+2058 0 obj <<
+/D [2053 0 R /XYZ 85.0394 250.1972 null]
 >> endobj
-1900 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F21 658 0 R /F39 863 0 R /F23 682 0 R >>
+686 0 obj <<
+/D [2053 0 R /XYZ 85.0394 212.3815 null]
+>> endobj
+2059 0 obj <<
+/D [2053 0 R /XYZ 85.0394 179.9082 null]
+>> endobj
+2060 0 obj <<
+/D [2053 0 R /XYZ 85.0394 144.7976 null]
+>> endobj
+2061 0 obj <<
+/D [2053 0 R /XYZ 85.0394 80.4778 null]
+>> endobj
+2052 0 obj <<
+/Font << /F37 791 0 R /F53 1017 0 R /F21 702 0 R /F55 1025 0 R /F23 726 0 R /F41 925 0 R /F39 885 0 R /F48 940 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1909 0 obj <<
-/Length 1762      
+2064 0 obj <<
+/Length 2904      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥XÝsÓ8Ï_‘éË9sXX’eKÇðJÚB†�×VZŽ]b‡ÐÞÝÿ~+­ì:©Ka?XZ­Vû¡ýíÚtÀCÇ""‘bj«�ˆ€ŠqºãsX{6¢ŽÇo™ü>דÙèá>�ÇŠ¨ˆEãÙ¼'K’@J:že½'D‘ÉçÙ‹‡û‚÷x%“
-䦓£§»d÷øh97¤2É@¬`ŽuúúõÞÑÓƒ÷Ÿ‰
-NDÈyK)F§£7�ÀÞªÝ:è;Æ#6ä<Õ3S1"„DZP$âŒ[cÿ{dl
-%Ó:/
-”{v…Gezž¬
-4Õ[ÕN
Ô(í·Z9®Þ¥4äO
d‹I
-£Ú
½3
-*Q?Y!¨ç‹8ë”ÛIK"Cîöæ5î\¡zÜÞ¯ràD’8ä÷ãCÇ[ø
-ê8I
-û´�/eµ.]ÿ[$Æäï®	6n¶ƒÄu³¶kÛÁÉ¿øÚRŽv½!æ]È	Œ&pæÑôpí>Ý;™@U~/;7ŸHÏÞžL�7gÇGw$±$‚Kìél�å4rE™SÑ¡§¡baFgnõ¦ôÛd¸jÓÞIšêË9±xªièjÇVfÈÓîCaiu^æ×N!ÌDà±l(õ¥Nssx{j^ÕH×Æl§LD”id‹€“Æ·°ˆ3ÕVNy«Çì3ê›´”^§b¦y9¨Ü"!&Éà‹*_«9 M¨”wªõ–uÏÃÜ–½vy‡(‰yß ~3˜lö!½f¬×x`Ù4ÞGOq¤ð5Íy™×
$¶ÉC:Ñs�q/S·í0)WIqNØÍh訊šü05„UëtÏeÆôÕéñ.¿ê.�ù*�ækà�+ν¸½Öæ¨ý’@:Eÿ�M)c-&þž#n[@#i 7ênÀS|ÂçtÑ›¸1};{~|r?$
+xÚ¥]oÜFîÝ¿b�{¨Üf'ó¡�’''qz.š4׸@�^ä]Ùª•Ü•Ö®q¸ÿ~ä�£•vå8ÅÁqF$‡ßäZ-$ü©…uÂå:_dy*¬Tv±ÚœÈÅ
ì}¢øÌ2ZŽO½¹<yùÞd‹\äN»Ååõ—Ò{µ¸\ÿ–¼J‹Óß/xùÞšÑa
‡•Ô@
+±êN—ƪ¤¿-q!øêßRê›Ý¶è«¶¡]„Ô|àºÝ2Ö1J§Âé-20C[K‘f†Ï¼
+~S-WmÝ6ÀOjÒäm]ì:Ä®Áµ�"ž
+*D@7â7nÃKݵ|lÀÊßÌ1•Ëˆp×튚­Ú
bf¾úÇ:r‰àmä�.wwwíð¾v½p)ÊvßR”¸^�X”L^~K°o_N?Èèƒï¾›ùä%Áú–ž%Ší5=ëª)ç°ýÒT£ûÇWb;
+ï‰o(²û’wÈÑk¼zŠ—
+i�eÜëòºØÕý’%pÌŠw"KmÌÇD�¨UÌÁu[×íCˆ$ðvõHOŠã°a;ÈÞ(+ÒTªihiCl…x°^“š»Ž
+ñ=°}³c

$Æ~}è’#“ûš”ˆwKíŠÔ™ð™özDó<Æêr!µu‡JÔžï—�•РD�³
…“³V<iÅ“; üá¶Â�1ÆY­A"è!Þbî>¹*s‘Éù‹h%´Ló±c,ɸR
¾e±K™üséœK.�qçQßÇÄ!Bgö´«õuU�Íí¸VryrGåÇ}V¹7`(•\” �
ú Ì\”ˆ
Œñ+ŸÜsr†³jÕ®´Ùsâq25‡zœÄ¬=ï"™P 8Ò$¼nŠ~uËÂ	zjÕÜÌ(êõ ‘§Âˆ�ÚÕú£ˆWO•
)þ¼ŠvL/d\^FOöìÉ~ðdO©!Åd
ö¶Ô!ÙÑèÐ.¾a:¬~#ÑÃIŠ@,(��ÏSÅ„lŠ±Yö„k:……zzàšXzÌH&K1#ù¦t`í$À:°6X—¼aÕƒ¶´„$Ñ”«oé“`”2ÖØ
+¤)4CÊ.ãñgüdœ]ðÈ��Xù7òÈ™]B/•ê/÷ZH™ûãE*Ñ4o„×a¶e¾f‚j¯C‚@
+ãAnpÅ
+ñç°µrÎ÷µÐ^Æ"z$¦Ã?u MûÐ0{ÝMéEjÒˆjS}�¨ÊD_°ˆ­
+¹©™“èWCˇ*‡ò±è2šuãñÁìݨ ‡ýkºâ†vâ¥ÂLén׋™‹ig…ö—e™Â:ö”-•r8ë‰vw[݈®ÈDq7gÎw}œ9{!s=Ç0uÞU]>ÃÀ¦hâ�ÿ
+ªMÇñàsY$êó_Ï>|úñœcº�8‚‡h�? ÐzOÄŸnºƒÃ%Ôb{ñ�~†�
•Eê-ý¢éÎd,è$öG{Ž<�üÒ°tR&ÿ	’‰¸ç»k®•†óu»*jlÓ^Ï…ÐñࢃŒ†÷×ÜêÎQúï€2²å[E²nLõY¦åÌ?OY}eÓýøý9Ò:å�"á¹-
 endobj
-1908 0 obj <<
+2063 0 obj <<
 /Type /Page
-/Contents 1909 0 R
-/Resources 1907 0 R
+/Contents 2064 0 R
+/Resources 2062 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 2039 0 R
 >> endobj
-1910 0 obj <<
-/D [1908 0 R /XYZ 56.6929 794.5015 null]
+2065 0 obj <<
+/D [2063 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1911 0 obj <<
-/D [1908 0 R /XYZ 56.6929 253.0811 null]
+2066 0 obj <<
+/D [2063 0 R /XYZ 56.6929 752.0756 null]
 >> endobj
-1912 0 obj <<
-/D [1908 0 R /XYZ 56.6929 157.3292 null]
+2067 0 obj <<
+/D [2063 0 R /XYZ 56.6929 252.6303 null]
 >> endobj
-1913 0 obj <<
-/D [1908 0 R /XYZ 56.6929 85.4876 null]
->> endobj
-1907 0 obj <<
-/Font << /F37 747 0 R /F53 962 0 R /F39 863 0 R /F23 682 0 R /F21 658 0 R /F48 885 0 R /F47 879 0 R >>
+2062 0 obj <<
+/Font << /F37 791 0 R /F53 1017 0 R /F21 702 0 R /F41 925 0 R /F23 726 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1916 0 obj <<
-/Length 2868      
+2070 0 obj <<
+/Length 1788      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥ZKoãF¾ûWè(QO¿ÙÄž&™I0ÁÆ3›q€’d‘¶ˆH¢"Qvœ_¿_?ER-ÉÁ¶šÅêꪯ^ÝfŠ?61ŠPQÊIQJ¢(S“Åú†Nžðî‡hf‘hÖ§úöþæÝ÷¢˜”¤Ô\Oî{¼¡Æ°É}õëôý—/ï>|úïíŒ+:ý–ÜÎ¥ÓŸÞßýòþß~îËmɧïøøõvÆJYH1jé4�þ|÷á»ÙwŸï¾ÿáãÝíï÷?Þ|¼ObõEgTX™þ¼ùõw:©°ƒo(¥Q“ü „•%Ÿ¬o¤DI!âÌêæëÍÃÞ[÷iNJ¢/2ºàlÂ$Ró�2TI¸)¸S†ÝvI¡�ݦZÌíæñ©ÞØ��ýL(bX©éÝ|]Ûyð=ƒŠ—ÄHÏoÀÄ)ó7Î?²ïüè�úÕ@Uïæ]Óâ®mWa
ÈÎH©‹ˆ‚*˜ðëë¦Ýî›ýØ
-€kÌ~UÜyUíêýþí讲\,wmÛUÍ.''âŠÒå˜éá*ÓþÎñã’ð»ŒãÍãAfè>~ýîçO_î?}¾K
#‚F\‘ìÔ-N㇄S!B½G<0åŸýF):¤ �I;³Š�í.#“‚ñ”&2KsJdA…ø.y1ýÔ…•çaµ‡Ú?¡ÂÊ�æaéy’ñ¹Þ4õ&|9_uõnyŸÃ—]ëŸ/»¦›¹È:CL$ÂH=Äh³ye©§Ý2‡R
'pÉ í‰Xµf6¦4)$�xöúòœáv ÜnfÑîv·ÌLëý¶ÝTV„Œ:¡)®Êˆ¬ÚíÚÕ>³²(‰ÔE„½]-Ã
é‚1~"> �V"Ÿ}H¬¡á½—¹ÙdÔ£áq¥‰lm`ªÎéGsRðN^=×%Ä%Þ>ÒæÍR–Ñ>¡r8ZvõzË›~ƒ/%䱦—2€F*LìnÍôæ^šnég“y‡jQ†0#‹ ÕlžS%…PQðvœÜÈÀ{_w~â°õóŒª
-CJÊXIy3(k÷‚��öH–ÿsÛTA†eØö¦®Ã”uϳb0®ˆ*Š�Aÿøˆ^règ¬‰`#)ˈjÂËhu#BP¨ûM�¦¨*ÆPœW]ûTcã»[Ô‰$B5D
-01Ôo泟_OjÈP€HÉ›‘@.V)}ªXò�V)‰êˆ«þ’È—B@ª‹KF¢Ì’}e¡Ð¬TÃ%?¸
-	Aó7ù….hÌ®Ùp(™°ý®îy躇]E�¿@È—%ä~ÎfmT+F¨¨…ýëÞúE*ø°Òu
-E¥æìŠé9‘,E¾3‰{¥¦ìg€œ?sRÕ׆m¯wÝaKl*à
-+øBŸíº¾sÐtºn½výd½š?´¶÷ñ?O[L"ÔG�ç[¦Ê¿xxÍù—D‡[z‡>DËó5E�K« õ2ÿyhü ²6Ñ<Bûøk¾Þ®b
-Û®ÛC’Ë°éQ]€M¤r°Ù^…M¼`†Sb÷wQ®H”‘KŒ$Ñá�fíp<ï©e¯·oœ¤nôb{MWågüš¢„ãZ\ë{%)Eê“VèeêMÅUÝ^,¾AÆŠóè;¹u®ïÔ^ÏÈv;RHÏE&3‰²†r&ßPÀ|çÁÄa’]©úTÀ©˜v0•D‘<ap!8@”B’(�¹,]¢Êˆ7ÀŠi(Ê7Ä”²çãx¨é¾=8»-j?íªA<½´ž¦šws?ë­�A¼G·-®%ñµl¥Ú]ów<!Õ\¸.Ô¾D
-É)~ìm[%$fí_�ºµoõªÖÅNÍÐ~w~jëÑöÜTµŸÈž÷£éé]U?¿ûÊ$1�êtÂêzKpµm'B¦?~Çú`Ñ,j×�Æë+_‚!Húµ/]HÇÓ¯¼	··¶O×6[ŒÎ«b
-Ù!g7G£å:o´(wþy¼q1¢CŠ	!zzT¾Mª%"íÈ�Ь]•©©Ï^øŽ0Ól€‹y姽ncÙãìã,A|«á³–Ū;«
ìy¨³—Óýe¿�·¨ò§ñð«tN±©Ü1d€èñ ddC¼s6ç5¨taÄõá@ÁƱ‡�ríÞɹýŠØ+ÚLÀ éNèÿþ· ã¿?I{�lÎd3AÑXÛƒz¡ì†+Ç¢§ :•ýÚ
5½endstream
+xÚ¥XKsÓH¾ûW¸rY¹
š‡4ÒRLp‚�8�ŠâqP¤q¢E–‚%c»ÿ}{¦G²ìˆM(ÊÍô´zúùuËtèÁ�CŸx<C	â{Ô&Ë�7¼„³ã
µ<nÃäv¹žÌ�¸F$
+X0œ/:²Bâ…!ÎÓÎøÕ«ÉìéôÝÈe¾ç<!#×÷<çd<{3~‰´W£ˆ9ããÉùÈ¥‘�˜(×|�çœÍžº‡§³£ãÉlôiþ|0™·juU§×:}|øä
S°àùÀ#<
+ýá6¡QĆË�ð9ñç
%œ^·;§æÕ>Wø<$~Èd�/íø‚rFÂÀ£CéG$àŒgÄiºRU¥ª‘€~à#/“8¿*«·×åÊ®|îóG¸ü÷‘6èRJ"ßgÛ…k½¡+hÇCý¬nðÝ*^^çªÝþ0̽‚âü²\eõÕr’€õj'î2õ[ù]æJ%+…šzÎApt²ø[ðÓê»Èo.˜8�*–O¾Gù‚æùóÓ?óïý6ÐûØP«ªþE‚ûÀ„6àŒ?›†¯‚'/6Ñûͻ͌¿}ÿbýúñã{hýðâ»�½Ë}ˆ½ïÃÂ#
ƒLÒ¬ÓÂÜäÔW
+<râ‹ò«BšúfBôÀ
+ë&Ô’¤T€îZȪH“ž$›ù–i“å9ʽ¸Á«Rµˆ×9šê¬+«
+…1æÔ¥}š[ÝÑè­
pd­*Ú}­S	šÞÜù@o¥³¹Ê’+<Y®Q4…„ªìåVHª>z+Œm@Ίí%;IFm’¡j€khk¤t’²Ð.׫¸ÎJýºMÉ2l �q…šÃ1hn‹v…Îׇ�È#:ªÖÞ4�_Y4U³Ôq­–ª¨‘ži–
+fm�‹‰°	wè<;º'O}ÜÅùˆ:m
ŠÑYm_Ý*‹û$�1Pz]uœ†Sn/¹ˆ+å7ªHÊ4+.qW.~¦ÐO
+¾½:ˆÊËÊv&�ðLËõ…‰¬¿¬Kpi……$�…M=Õ’úB·X¡¨ãj‹83(fâvË�„‚Ûw³
+ß\£zÜäWÑs£/ˆün|�RîáH*©í%·h@“�|·Þ€[”>Ð-ªÑƒÂ›zšÚÂ7V8"Aà®»­õ*vȹJtþ¥*”ˆ
EŒ�dT¹Äõ~<MÝÜv¡îŬã#,_\¶íú*€îFXæ¿�C„]|g^DhNßQý¹Þ.÷*UJ–ºÞje¯Ù‰¬O±ƒüDKïíKÀTŸZNDÀ4
ÎÎ Å×X.ú:Z7B±.ó$4ÎN‘±�Z¦Œ>Ð(¨Ÿ(òE±eW<,
+•e+RäiÞCaIyYdß­BX‰Àc XSªk•dúòæÖ¬èë‘vŒÙ/™€D<ˆîƒEÀIå-,â,j:§¼Q�cõiõuJgRÑÛ¬èU*ÓïSdðù�¯Ñ�FD‘s®ÔžUÇÃÜ´½æ¸‡(‘\È»
ÄžO$ƒÍîÒÆ:ƒ¶Mý•<�=ÅU„�qºÌŠ¬ª¡°u5hÒ™Z(Œ{‘Ø×Nâbç[pÂiFÁD•ãsGiœOleŒ_žŸÞ�ü:ôgA¨?ØîÜé�ûgM‘šO	¤›;xÔõ­Ô½Œ5 ø{ž¸m
B�¹A›=^q¹€ï7£w½3~3vzv·[¦€]«¢
×ó›
+Bm;Æ!$LNÙz¹½WÀ4Ñ€O_)àãȘ@?r©þ¸ÞŸ,Là ±„°˜¦Ñ§_1Èþ@²Ûó‰Ñç#|õlã†+Ù¶�?Ptv–eþ³¿`@=Éõüaⵞýí¿g¶C	Ix²öŸ—«¹.åm”Ò¦SN÷Uoÿȹ­û`&ã±endstream
 endobj
-1915 0 obj <<
+2069 0 obj <<
 /Type /Page
-/Contents 1916 0 R
-/Resources 1914 0 R
+/Contents 2070 0 R
+/Resources 2068 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 2039 0 R
 >> endobj
-1917 0 obj <<
-/D [1915 0 R /XYZ 85.0394 794.5015 null]
+2071 0 obj <<
+/D [2069 0 R /XYZ 85.0394 794.5015 null]
 >> endobj
-646 0 obj <<
-/D [1915 0 R /XYZ 85.0394 769.5949 null]
+2072 0 obj <<
+/D [2069 0 R /XYZ 85.0394 343.1761 null]
 >> endobj
-1918 0 obj <<
-/D [1915 0 R /XYZ 85.0394 744.3535 null]
+2073 0 obj <<
+/D [2069 0 R /XYZ 85.0394 255.6488 null]
 >> endobj
-1919 0 obj <<
-/D [1915 0 R /XYZ 85.0394 712.0918 null]
+2074 0 obj <<
+/D [2069 0 R /XYZ 85.0394 192.0319 null]
 >> endobj
-1920 0 obj <<
-/D [1915 0 R /XYZ 85.0394 645.3077 null]
+690 0 obj <<
+/D [2069 0 R /XYZ 85.0394 152.6743 null]
 >> endobj
-1921 0 obj <<
-/D [1915 0 R /XYZ 85.0394 572.4552 null]
+2075 0 obj <<
+/D [2069 0 R /XYZ 85.0394 115.923 null]
 >> endobj
-1922 0 obj <<
-/D [1915 0 R /XYZ 85.0394 472.7274 null]
+2076 0 obj <<
+/D [2069 0 R /XYZ 85.0394 83.7361 null]
 >> endobj
-1914 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F23 682 0 R /F39 863 0 R /F53 962 0 R /F55 970 0 R >>
+2068 0 obj <<
+/Font << /F37 791 0 R /F41 925 0 R /F23 726 0 R /F21 702 0 R /F48 940 0 R /F39 885 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1925 0 obj <<
-/Length 1422      
+2079 0 obj <<
+/Length 3192      
 /Filter /FlateDecode
 >>
 stream
-xÚ¥WMoÛ8½ûWè(k–ß"�nëvS´I¶q�mŠ%'BeÉ+Ékäßw(’Šd3ñaaÀ¢ÈçÍÌ›’D~$IMu”hŽ&"Úìf8z€µ�3âd^h1–z»ž½ùÀ’H#-©ŒÖÛÑ^
-a¥H´Î~ÄoÁh[àøëõûw‹w7×>®®ç¢yÂãåííêúýÕ÷ù‚
- ‰qüeyýmùÙÎÝÎ5�—Wwó_ëO³Õz€5†N03˜þ�ýø…£,ø4Èi%¢#¼`D´¦ÑnÆC‚3ægÊÙÝìŸaÃÑjÿiÈ\($(—àŠ¦a”2	'€Q?û‹’�¿¼”ñ×¢5v¾ù ÄH\H¸÷"i–5yÛžúƒ`…™ˆh¬õÛ 
-ï[››ˆk‹îÑŽŒWÏ+RLùZ¤�¨Bàh"}èë½aŒÛ²¶ÏÖ°ûd_RóP±±ÜkÓÕ�[y•ñB#L8¹Ìx�ꤎEYÚ­›¹Šx¾çqÝåÔM.d¼tKi¶°¬d�ÅX+5¥eVÛR³§d�{\Ò¸ÞÚ™Á…L�0)…¤Jè(5Ðïü)
-à»@'P.õ	.—º}´úÔ•ü¥Ôå(Iy5uÁÉ”èÓÔ˜Äã6ïž¹Ýêc•7n¸=Ñ?á=a=ë¿À{Î<!L—,�®‡t¥6O0ëj°3p¶Âþs_y§žDÀV�Ħ‹Ó²õFÝ9séÕF0|’þuU>�t 
¬iOÕÉâs¸eS1µo�©kSEçÞ³Â6âc¶7wÀ±�PÒ5–‰�‰Á²·ú¾ürûÙžöN¬ÇöNlñ_›ƒaí •e}ø”C×dš\hç†CÜ:·å½³þ`‰
-#GTUNN‡¾ŒŠþ˜a¼øp€@ýþ²³®`÷J¹)]H8Ô`jB“ Í`à.`§íƒ)ŽŽÂA¾cÿU2ñÃ2Þ7EÕÙajmºÛ—Á‚NczÌk£9Dl‰€Ÿòº×`*ªlêÆ�Yöu•ÕC¨õa†ÎV «kê²
ÕL`mB}y2J»Á�HßÐÃ	iÎ"ñ
-Û2p—W†¦sç<vÁ4©aÞŠÊ·PJÌÁîäd%³ó¼
+xÚ¥ZYoãF~÷¯Ð£D=}اIf8Øxf3°@6´HÛÄH¢"Rvœ_¿Õ'5%?°Ý,U«¾:I²ÀðGB"i¨Y(ÑÀD,ÖÛ+¼x„{?]‘@³ŠD«!Õ÷wWï~dja�‘T.î¼4ÂZ“Å]ùûò{Dºxùëí‡V?|ºýñ§�·×+b¸âË÷Ÿ?¼ýpóßëˆ�ãå/ïo{ÿo¿÷ùÚÐåûŸ>~¹þãîç«�wI¬¡è3+ÓŸW¿ÿ�%<ÁÏW1£ÅâþÁˆCÛ+.œ±¸³¹úrõŸÄpp×ý4«
+‚e’ftAÉ‚d„ #eƒ$£Ì)ãËë®Ù·u;}F�Ò’-c+ªsGP4 ÜŒ\H"A¬
''9E*+ÕaW®Wëf÷ðXí®Wôÿûªø#®î­°ï~„“{6X8Û2øZ½¶õß•'�Ç	Òœ‘@—x®3<™@Z
+ѳ|¨7ßÀò)­¾f˜K�”`¼g¾+¶ßÀ|QÞ}sè2ü(CÆbsÂï�á·bàG9@+ÁȧؕÍvF€-¥„ž²o/Š[”å¡jÛ·k »Èrýthš®¬99ÁCE‚Kbz¼ÈôØV9~”#:`çÆî·b„‚3kXh¤ŒðÁèÃÇ/?üzóùîæÓmúQÏ/VT"!Œ8uO=‚CÓ) ©EWµ´´YÂÏþ‡1}<Â^Ýìü¦ÝÙDŠ‡æ��p††È„“™£)F\EPAÈäT-oºprN»¯üTXúUŽ.’ŒÏÕ®®vá—Ŧ«;�÷9ü²küõåPw++è‡*Ä4—cŒÖ»G 4rÙ=åP
+±Æ¸°šž	Yµf“â4âÙëËs/°áŽp;ëæp¸&zYµûfWZ2êMQa"RàÔîÐlÚÌÉÌ .U„½=-ÃÍ MíƒH†ЀV"Ÿ¶HlAí—¹ÞeÔ#Á㌎lm`*çô#)R4…“ûWÏõ	ÄEÞ>œpÈ]ÜŒíó¾·ìæõš²ü~ÉAkzÎh¸ð ��õ^ÃÞKÝ=ùÝdÞ±Z„FDs¤Z9µ`¤˜ˆ‚7ûàÀÝ�x·Uç7Ž{¿QdT¥42˜�!’òfÖîŠN�ì=�,ÿç¦.ƒOá±wU¶¬{ΊA¨@B©‘Aÿð!zñ¨q—³&ŽÉTF(y¼Œv‘Q7Dê~¤1at
+ÅÀyÓ5�<øáª0”
¡kÄ01ԃ铟§ÕX(@‡¸«•<_¥©bñtZ¥$ªWÃ#%GÆ}þÈH”9räY°T�öFG~p
‚ϱk¶à>ëŒ9À%µ‚€x>`3ÄhŠk“ä`8ı»§ºõÇ­}\‹ÙDú€-#D2xä‚doò©pÌ®ÙpÉ™ßUÝ:�\%qï^;w
_ž@ìçlÒ†bE3cqûÚZ·Hõ×BRC€õØ�^l#�Ú}µ®­:¬»Ú�xãåÉ–°võýÍ퇰oÞëMÂÿo¢º6dY‚ ÷ÀÓ†Wwm þ�ž
+¨)%%,O')ðÍäxV¬Í0
äÜ™"Ó«¯	�	n}èŽ{d3
åàauI¥<�VÐå@¾Õzœ-f›‘IÈ­0_–•ýoçÀŠ…«Û}(Ž›Îÿ³n¶[Ô€`
ùjWmü�´>vM–`>p³X3Á¶Æn6ÍK>Ë35#7â¢%6Ñ\.íÉŽ;{dtÙŒQ%Æ:q90ƒ
ÈÇœóK–cˆCM=°œ�À>éÀbÓ¬‹�_>5mˆÏ!éÂj×øëÃñàµûç$„8Ù!nB”Q :„~ƽè¿w»¼Þ ÔÇ‚š�Úú.²g>“+(P™Š`rVi=¹÷8*äÒø�<Ú5Ùøó
3¬‡Æ†®:
þ¡¤µG„³KçºÍ~UÙ½+ï7Å:Õ_ðCŸÕ²ª¥Ž…-GXˉ+ÌÖ�L¤ú;ÿ
+5©à-?ÂÝcTá[»;œÂ“Û¤W-}KWHuJ=É'ù©OòoGœ¯¸X"Ñ\qå:à"ìÙâvH5_Ü&*§ò8ec•k“>²
E#
+ÇWÙ(|V¶>
+Ÿ
+—�Â#éFQØV³ÁF24I°p¢¹•·ã€Æ×,v5
Ì‘ƒ­L�OÜa
7¶Gß‘ÈT|þò\lÜø–e³-ê]/
:„ï"®¦Ñ8Ó¶ÚILj®tþ‘GSÁ ƒÆ<zHu6‘ÊÁf6ñõÐP.C7ú‚\‘(#×PF!®ÌD®qÚãy·Hý83ƒ~ÜÞq‚ºÕ‹m6]™Ÿqk5M§ÙÆ—ƒ0©QÚ@3Sí‚(®ìö¢Àáëc¬8¾•Ûæ/†Á#H¼áíd¸8±åE˜þ†Ò
+e‡øvÂ眧²ÿ¯îŒ—endstream
 endobj
-1924 0 obj <<
+2078 0 obj <<
 /Type /Page
-/Contents 1925 0 R
-/Resources 1923 0 R
+/Contents 2079 0 R
+/Resources 2077 0 R
 /MediaBox [0 0 595.2756 841.8898]
-/Parent 1889 0 R
+/Parent 2039 0 R
 >> endobj
-1926 0 obj <<
-/D [1924 0 R /XYZ 56.6929 794.5015 null]
+2080 0 obj <<
+/D [2078 0 R /XYZ 56.6929 794.5015 null]
 >> endobj
-1927 0 obj <<
-/D [1924 0 R /XYZ 56.6929 591.7686 null]
+2081 0 obj <<
+/D [2078 0 R /XYZ 56.6929 748.9271 null]
 >> endobj
-1928 0 obj <<
-/D [1924 0 R /XYZ 56.6929 465.9632 null]
+2082 0 obj <<
+/D [2078 0 R /XYZ 56.6929 674.5821 null]
 >> endobj
-1929 0 obj <<
-/D [1924 0 R /XYZ 56.6929 405.9112 null]
+2083 0 obj <<
+/D [2078 0 R /XYZ 56.6929 573.362 null]
 >> endobj
-1923 0 obj <<
-/Font << /F37 747 0 R /F21 658 0 R /F55 970 0 R /F23 682 0 R /F39 863 0 R /F48 885 0 R /F47 879 0 R >>
+2077 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F41 925 0 R /F53 1017 0 R /F23 726 0 R /F55 1025 0 R >>
 /ProcSet [ /PDF /Text ]
 >> endobj
-1134 0 obj
-[650 0 R /Fit]
+2086 0 obj <<
+/Length 965       
+/Filter /FlateDecode
+>>
+stream
+xÚ¥VMoÛ8½ûWè(+–ß"�NâdS$N6v€mª-;ÂÊ”×’äßïP$]Ùa›CÀJ�3o†oF$	†?’(�0Ó<É5G‘,·#œlàÝ͈xL@Ùu±}ºfy¢‘–T&‹õÀ—BX)’,V_ÓÉããtvuûeœQ�Ó4ÎÆéýdö<¹sÏÇš¦“›é|œÍs Â,Nâôivu™]>Ì®o¦³ñ÷ÅçÑtq¤5¤N0³œþ}ýŽ“dðy„ÓJ$¯°ÀˆhM“툆g,<©GóÑ?G‡ƒ·ýÖX)¸PHP.“LP¤0�×#, ÿ,çI­Ö‹’X½ÊÖ+;Ø<?]1@‚”@¬‡Úr^B1R\$ÈïxP„F£)*ψ=·å
+L²ôµê^¬ÅÓî¥tlOò’å¹ žmVxÈIŒ4%ÚCš]W5Æ9ïçº-;ÿ
+E=¢j�ó¢nC–»rYÙ¸P[Øœ@,�‚º™úÍ5‹«G²`Wæìåòe?&*mšÎ­‹~YnõR´~_ç�PÚ~ka66í�î‘Ç:É(GKii"B sKnúerÿxíû>{ì¶pÂ{äÂvzã)Õuó©)‡ÖdšÎ.â—R0aö8Pç]þðÙœRÁòJËx̶0‡¢ö©6ÆVqs€ƒýýåžîÇ*=/+5šIs†*8šiFó#Ã<­A1ãLÂl‹
+‡]ê¤Ët·¯LçÌÂýk‹í®Ž)[Ä؉®m䘰%4ú¹®ûfåŒe³w¢hw�YUf9˜ªHæÄêöMÝFâ1PmN¹Ú o`)<&Þ�€‘"~Ú:p[+S˹óûá“q‡i[î*“ù¢ne:ì!š]쉔—kÄqnŠ-´Á¯ê«íˆ'ñ¡rÖˆäZÿF:‘vç}6ŸN]œÉÝüáãf³Þ¿a�ü�À0Hƾƒ}²tï”68NQ"hêâvvå¶jOjµ­LÕvÐK�%Oåºt3Kßš÷®ý"/¢R†Y?>¾¾§u™</þ~xú¸ ·¦+÷¦ô#qþÖ‚¶üü»lLÛì»ê°ýÕ%Ú›Aä«Š�ÿøòó¢ÅsÄ”¢ñï3ÃÜŽ
HÙä KÏ©WZ{Ïýyb´endstream
 endobj
-1930 0 obj <<
+2085 0 obj <<
+/Type /Page
+/Contents 2086 0 R
+/Resources 2084 0 R
+/MediaBox [0 0 595.2756 841.8898]
+/Parent 2091 0 R
+>> endobj
+2087 0 obj <<
+/D [2085 0 R /XYZ 85.0394 794.5015 null]
+>> endobj
+2088 0 obj <<
+/D [2085 0 R /XYZ 85.0394 687.41 null]
+>> endobj
+2089 0 obj <<
+/D [2085 0 R /XYZ 85.0394 561.6045 null]
+>> endobj
+2090 0 obj <<
+/D [2085 0 R /XYZ 85.0394 501.5525 null]
+>> endobj
+2084 0 obj <<
+/Font << /F37 791 0 R /F21 702 0 R /F55 1025 0 R /F23 726 0 R /F41 925 0 R /F48 940 0 R /F39 885 0 R >>
+/ProcSet [ /PDF /Text ]
+>> endobj
+1187 0 obj
+[694 0 R /Fit]
+endobj
+2092 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 1/dotaccent/fi/fl/fraction/hungarumlaut/Lslash/lslash/ogonek/ring 10/.notdef 11/breve/minus 13/.notdef 14/Zcaron/zcaron/caron/dotlessi/dotlessj/ff/ffi/ffl/notequal/infinity/lessequal/greaterequal/partialdiff/summation/product/pi/grave/quotesingle/space/exclam/quotedbl/numbersign/dollar/percent/ampersand/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/asciicircum/underscore/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright/asciitilde 127/.notdef 128/Euro/integral/quotesinglbase/florin/quotedblbase/ellipsis/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE/Omega/radical/approxequal 144/.notdef 147/quotedblleft/quotedblright/bullet/endash/emdash/tilde/trademark/scaron/guilsinglright/oe/Delta/lozenge/Ydieresis 160/.notdef 161/exclamdown/cent/sterling/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute/ucircumflex/udieresis/yacute/thorn/ydieresis]
 >> endobj
-1493 0 obj <<
+1598 0 obj <<
 /Length1 1628
 /Length2 8040
 /Length3 532
@@ -8532,7 +9354,7 @@ endobj
 stream
 xÚíte\Ôí¶6Ò ˆtÃÐÝÝÝÝ¡Ä000Ì ÝÝÝÝ’‚R"‚´t	ÒÈ‹>ïÞûüž³?�³?½¿w¾Ìÿ^×Z׺î7�¶‡Œ5Ü
 ¬‡¹rðpr‹t�´�P(ÐWç�…C­
�f
L9g0ЇÉ]Á¢
-Äü{fXE
+Äü{fXE
 0Üú÷äè¹aÖ�ÃöOÃoäæìüØã?ûÿxýœÿŒ=ì	a.ÌÁAb¡ö™9Y®
Ä£ò/z{x�Âœ*Þè—ÖÁ»2#×Dj,ïêÃ8›ÇEµyÍî;Ýoª²n
öA™ºÓÁß‹(üèX>ã.3v±ms™W`gÅúϨ¯"›
 rn­�êèš—ß¡RŽwð9£_²Ò¹Ð_8=óe4%v>oFÀk(Ù?`LÙ½¼`êú4ð±ûåÃ&9[~ƒ˜;26cLà«|r)Sƒj…×Íl(ßÛ
 b¬Å7ÎßÊçÏVð™h9�Žù,¢I‚°RÊ• e®äß·RÆ%=²ìÙ
êt›œ(†Ì%³LÇ�î)®Ž>1Ù¥‘„µ…^Ñ2¼éˆO£Ý	%õ‰>•pjÕr{2–Âw�Í<–g¬™-j—!3cäáakIè,AŒ$ÁLˆÇÆ‹J¯³nöùU»Ïm›Þ‰D3
@@ -8555,85 +9377,146 @@ $O�íœàÅ€DÈ
 t�‡Í=žÝbóÆÃwî6ß"£“˵?�”JËOP2RÐoQo+†â1)©w†¦ÜèådîI½ÈZ¿VÍ�­(e÷åû È
"QÔüFØs(úF�$'‘qL ®/¶!õÔ
¤HvkÖ‰Œh¼È‰¬ê؉á¶o?Ùa:Šÿ±qêcŒ°gã!_QÇ~ÏWê¡1üaœ¯UÝGmã§Yñmn%ìRãr9÷¬ß0qˆ5†/‚E…(êÚ“�†,W‚˜$Ù½ï¶åçLxËÎÔ|ú奕£w†Z|ÂV€ãž÷,éOd
 ÞyŠGÝ
 ŽÎ¨Ý3lÍ4©¿Î\×T2Zª½Ag—.7Ù#ÏPæï™v¼eŦQLÞ»±Oþ¼Ô\’	¬ÿĵJÅñ¾(š3Ç].Å*,MÎ>ÛBx�(ÃSÃó|D³uû‚Þ¡ï†{:Ò‘Á¨2G9¡Cê{É•<|?�ÒK áéá@F)Ø,êw÷ó?�È ¸¢Ëa„Çh%Ù±o^Œñ{‹6™Ý@¥-«ä%
Å~jÉwXjz1�îi´·î¬%uÕ3^¿±g�¸`d+ÎK[ŽDe—„]âò†Yè�ÖýÇ?Ï>£³HjË,èkѸÍhÔ8Š”™v_Å
[ªJÖ®²9m=·�âú?\‹k>¼à¬‡¤*³Ñ³ž,Y
ê<‹ý¹uÓZ/ZV$S·é#ƒmNOš¨5M@¿§rãÝ0Hõ7¬&7[àçŽAØñêOõƧÈêÚ5±pE6~d»Ž^.x¨T1¬µ¤$£Í7¿ÿ4òÆêüj§‹G1¬èípoóÌ3³QýÐZ:œNÍÆéç,0½‹Š‡Zg‹ðâ£à)‹Q©¯³‹X""œÛÆ0�ÏÁ¾äBvFA‚)Y9(ÎYÖý…ì¬S…|¸Ôü¾“qbæÇN.LÔX§…_�ï‚¿œ%�%½¥åŒìé|°
D>W²7}C–Í#—ZR¸
­$º`bÛGο…a¿9gÝS%\”Á/œîñ�hC|�?s§Ø…šg¯ÎÙÈ)ª¬m}ÐvÖËk†Ÿ.bÉ&O
 üõí+uqfº`Îa‡„°£â,I§ã¯½/‘�˜÷�ÇÝ›Á¤'P6ߢH‚
Ú?÷›½šÙ¹˜Žà9¦ŠmHr7:pMRYŸ#£ 'æW¥¿ðKCß|-¡mWÝ躖nᲶË0–«ÞÐ3äÛÙ=j’
¸Ë-,n–³e±€¢üb½iÙ;‘˜Hâ°l<)žL.ßÐYÖÿ°Ú·)�wL=(‚Œ£± L|�)=å'ÀÆ-Å@²öò¾µ<ÃNrä³6îµEôʃ3±d¶kÓ»¬ÿ‹%ôµøü·(kD~ô(¬_yñ‡Í;¯åä²fùOî{&*‰äyÒ¯9Û�B±T¨d>è.<Sâ¢éX3p7«Á~ª"럽Ÿ“lË´ÍÔDQÿfŒ°Ì
-*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
+*s"}Y
;Ò‰¢ú{YÌÝÇí]p¶Òݯ€Ž¶Xo³êÙ}
 endobj
-1494 0 obj <<
+1599 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 67
 /LastChar 85
-/Widths 1931 0 R
-/BaseFont /AUEZLU+URWPalladioL-Bold-Slant_167
-/FontDescriptor 1492 0 R
+/Widths 2093 0 R
+/BaseFont /ZIFUNW+URWPalladioL-Bold-Slant_167
+/FontDescriptor 1597 0 R
 >> endobj
-1492 0 obj <<
+1597 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /AUEZLU+URWPalladioL-Bold-Slant_167
+/FontName /ZIFUNW+URWPalladioL-Bold-Slant_167
 /ItalicAngle -9
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/C/D/E/H/I/O/R/S/T/U)
-/FontFile 1493 0 R
+/FontFile 1598 0 R
 >> endobj
-1931 0 obj
+2093 0 obj
 [722 833 611 0 0 833 389 0 0 0 0 0 833 0 0 722 611 667 778 ]
 endobj
-1303 0 obj <<
+1579 0 obj <<
+/Length1 1630
+/Length2 6133
+/Length3 532
+/Length 6981      
+/Filter /FlateDecode
+>>
+stream
+xÚíVuTÔí¶VA�!¤†”ºQº¤»{€!f€J¤SJº	�!¤‘RBpé–NI%‰‹~÷;ßYß=ÝsþºëÎZ3ë÷îgïg?;~ïFZu-Ik¸%DCrpsr‰€t4õÔ--¬¡pe)¸£µ"ÒÂtñ¥]!H(&c�„ˆ€ô Ö ˆˆ‡Ä-,,`IÃ�½\¡¶vHó
û_–_. K¯?‘›HÔbºyp‡8Â�� 0ä
Åÿ:P
!í  ¨#$­¦n ¨*b–WÕ
ÉC`×›"ÔÝ,¡V e¨†€°€là® Ç? +8Ìú«4ç
—$d
B8C¬ 7aO+ˆó/ˆäqu‚"7Ï (dëj
CÞô
+ý-Ã

…Ùþ¥€ä
+±µpµv„ 747Ü¿ºóW� ªÞÂÙÙÑëw4ü·×?4@‘ˆ£
'€›ç&§ò&·-
+âàæâú¦mµr€ýj?ÿfýwí7ƒú­¬£©¡¨,Éö¯o×ß¾ê7[€Ôör†€þ;‘ž
+Üú‡_LRRpO�7· ˆƒ÷F7— /H˜—ßç_dýMÄý×YÅé
+õqqrqqƒn~ÿüþu2ù�,Ì
+nýko´�0ë›Uû‡álåæêz3áßoÿMáž/=â	±LOÀ­DƒíS3Ò�Uä9=ý2F:¸1zBœ‹k´_çûWÀÛýRÃ…ËÌ/*C8kE®š¼Æ·�/W•X×z;È·'Cöò¨|èYÞçÍ3½d[›ã§}Õ‹òÞS^À4àÒ][ê×Ð4-º¸|Ç늽ÊâOïžïOÊpâLàk•òöÕƒÂÚ[ÄUÛ_™6OOwõ}ìén?¼û~•’-û£¨;&>S¤¿K6åSC�RÙò·ª·ãòŽ�X�Xðð+yÏ—×ro1
XçFèÅR61žêDž�eâ§Á	×^‰mùkT³ïT¥ØÜKCvá)µKö±éû�¬l´¾úï.ú¹üA¢IὬ}‹xp—ÆÌ:…x÷dlt×VEæ�¹®ëºB4ߢé:°h`M$z¯=Ä*óù?7l &?QäÔ…ÚvÆ<=yÊÙûÃ㎣²=÷'ºçä�ÄAŸßÊ}gw‡U¸'b%6—=\5�Æ„�¶O€X)Ô| 
6*�˜Ö}ØŒôDVs§Up
ˆíbëÞ­×…+Ïo_MX`êÁWÉC.Âß6¼|í½ÏÊ)¥2ÉP0–b®G+kGõýZŠÿåÆ~+`çÑáËé
+Žòêˆ
+âÜy­@/èqú‘�³	v&¹
+Õ8àñ´ZÕHƒ»k|鵑dèC<g¨7¢µ?Ó¥›-;ë
+'´æ«:C\›ë¨úÙñ}ž¥•ý)4
?BºÈQ1­®ÑZUy!/”´�C.pûÁ¹1>(ŒžJAÿÝëáæ…\™�F{3dk*ƒ
+ù£ÜÛõŒÚGa¾Tµ
˵µ;¥¬W~òn+–lO­4o¥ø!=ËMS¸âØ(kb¡,D
ZÆ8T'p—.ø;2S•cf‘¦>dÇvË%·*­7}Åçj£&ã—6Y”<P£-µdšûpÊͱá4xÜÃÍÀªNIÙžG�Ôi®ZyˆJNœ¦‹Âƒü´ÉP»£U?ÐçKÕ¡Â$±åîU¾¨•¯î�´¤Ä�6Œù°Ï÷b0Ol&‚3ûh.R²ÔEµ6�¿PDÌsXykdìnq¡9¬[–º4$4´vŒwäú¾e'1	PEêA„÷ƒ?´ó2k¡†ãÌ2ž"šüœ÷‘
R´«Årg�?Òûü°ºÍ(çóˆÇxemL Ïç&¯�Ë0ú¼B»=0Ò\3$Kr¶êó„ÒÛ+©/fÃl»,{„ÉŠSÕÇúߥÛÌûzTÉߥ\ç›
+j2
ri ÐÔaSïC§[Ev„�¦6”¸£N�Ú±ݸü}Šuò{´’Ú0G/P4t‡!ïLÖöÙ�9ºj>«Dd��¥�×VÑà›lh`2ç
ˆ™0#·êZ=4�í%牵7h%Å	Y$Zü¬ˆv±?‘©‡É=áមð;Ïcc„—÷:IêÖá°5ž’”ö×yÇUµD2>ÃÙ}ÐŽvk2š>2òQ×
›yôASLPkQ¡âZõ>×_À
+ZŒvR¸pdÎ&QºÒàî�¯E¦âx|E&ù'Ar0Ëèh"
’çÏvÙý½Ï»ÓçêßV¤0²iRÂyO„jßÌé&šH¹£(Âμ4™
+V1-S8`_3D	ÝËúÅ7BëbØr¨Ãt©aÊÓêغ0‰¼•�5ï´ñïâ¨Î)9É@[gbL¦')Ä?Ê„ãÐ÷*éT“꟱Eê+ãIõ_â‚R§—«·>noߢiŒ!L½<©35¢$2MIÝs™ôäu¢¨bâ8ûVÇÌšDT£ä¶"Q TFÉ…Cóuø9�dcÝI¥Z’f@A
+»<¶ÚL�9’00#†ô}à…ê¬ëè¾>€à)†fbˆù†7sÑ¿×ÀÅ}ä׊³ÒgÍ¿?FІæNP�˜ké÷2è´à2|Ö§™¥£[¶WDMåtè3?èù:28¢È;Xf1S§³E�Š$´×å0Ä0d—5ŤÐ4|ybæ)OÄ|˜léË@Èu±}µ\"üSÀd5ŒÃkùpü3ʇ×Î
++˜^p€&9I‘òÝÂcJ-Ù.Eâ.ÂÄSL”�
+”kx±saóÝÒ÷ÁÜ÷Kk ]ö¾ô�3	·/*ÉmÌKgƒwõÇ–ˆýIô‰ù¤ŽòŒ¿Ù=a
£ïe€üvû#	}Llb9_ÚEƒˆÓFHRòæ›=ë�­GýTùH:ñ9ˆe¬ù6PÃ%BÒ§4�ž£Ò.n+¿ƒª°ÿ9ÌèÙïc‚4Ã_gÇÓ¶ú‰s+>�傹»˜‡¬9,Épª½è!׉·ïhuFÒiU2Æâ-A6L;iY­"Û±+hô3…RÝOïi¦¹Í —Š‹ä©ˆÏHžn�5÷ò”JD
ýÉ›³¯pôÝÞó4ÇÃøJ~t‰•|§›19äÚ¸N±)¸}> ˜5.¶�5Œ¥¿þ“<ö¨õëGš±×1{!•Å²ê3‚A-üMÉcÂ[ ×%Üû/¾¶�°½9oØPO;fiv±}½•@ÃœJ#(G9j>2š?¤Æñ?~ªÑWåïBç¡ÛµO±B¥™Ÿ†ñúÃ&e“v”3†­ÉÞ&™<)��ïÈxbý'.¼Ï\Ì_³Ÿ±‡Ý'0þààõªckêUPe¤cne„žÁVó“�pÜ Ê½ö>ÄÐ
+½c–î3Ó5¬´0ÏÚEdÊŒƒH(‘©,ðÉôä‚<Iµ±¾»ê»	:�—Ò´
Ä!ܼ^ÞXÒ›/¾5obÿd¬ë¥KºÃ{�ƒø‰Õ˜ÞMG0C&ÂØjãž;áÔ+5ó¸Ç›“°äFÀ.³†ÎDú²À}]lÃúÙ²f�“_¼²v-úHÞœ_qØ*ñ	yžNÂŒ°dŠß³Ó¤¨Jµ¼½·8òý·äæ/›Ü&Õ
+yn£­ŽZ°Ü_N@%3&“µÀeÑ¢ÓnEoÍ“Óm’~XvK”¸8­é3-�äëýð
³ú
+¼0ʪœw�(îø7¼ûVdÖ‰o›áÞÇâ-ã±®3Å(·ˆ˜·gy„Mª/‰Ã¼–Ô÷€(sq%£Êª$¦Ì±lvá3_‡ìäÁU�GÑ8[ÃDUOÓ7¿éç=åÕU�cQQZ¨cÞ­(§ó†64†0\LT\�Æn^·¸’ÃÎéŒââ�›Ñˆh\}Cëõv…ì=^ÞQ¡7°ç¹‹].Fè‡!–‹5·�›\ƒj+Ø3Š7B‚äÔή˜ °w>Nnád¥
+ecŽ¡ñ³b2•ßÃÄœ¯ît¸�âËA".0mÕjÛ;÷$èÓ#Ó“]Q;
Ò­vü‘‡¦ýO¢Â{'ˆÈ‚1N;$�F_<tïy �ã.“yw`¸`�[ÀÉ¥½¢‘öâÈwxúÎÂ-çsy¬û³B£¼!ç?7p>Õ~@
+ÈÃñô�ß[Æ�¤7œàÀfIŸŠ¿iÍPŽêbFDt¨%Sc<ØCÞ±‰¤_¥}#툎~áß\°ÕÃjC¾35𮾌ŠãÖEf˜ä÷q}ÔUp¬$Ú¿�•×çyD*û*ݷ÷î@òQŒÞ7¬â¢¾yçã,£êìª%É0®š¹î³È6�¸½}ˆŸ^½÷s®Ã´ÔøÛܪ{‚€79»#¼¸ùߣf²sË©W½ørÄ(€Db�^Ð*A|üÙÀø乪“ÐzÜÙ™N>uêתͲ, ¤Õè/‡üî¥IM€©*õO	ÀgÆC”kìþ‡•
+5Y_£cóclNŒf•@Uï '¯jwåB
^…gzrÖ¤º|`ÿ!	Î~û¦ã­t¤w¹>îη¯Œ_‰_Tó¾
+Ÿ�ó/°Kê¼-œ	[—¿çÃq-øz~Ii‡³®>ë
GGÈF¶Üšqˆ‹¢À¤^Ý
µºÜzœòŽLy*Ø!$ëȯ²È¿Äø
+Òí¸Fúï�šyË«mn£°MWÑl‡ög2w™SçäSCþ¹A¡‰
+endobj
+1580 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2092 0 R
+/FirstChar 66
+/LastChar 78
+/Widths 2094 0 R
+/BaseFont /URQILA+URWPalladioL-BoldItal
+/FontDescriptor 1578 0 R
+>> endobj
+1578 0 obj <<
+/Ascent 728
+/CapHeight 669
+/Descent -256
+/FontName /URQILA+URWPalladioL-BoldItal
+/ItalicAngle -9.9
+/StemV 114
+/XHeight 469
+/FontBBox [-170 -300 1073 935]
+/Flags 4
+/CharSet (/B/D/I/N)
+/FontFile 1579 0 R
+>> endobj
+2094 0 obj
+[667 0 778 0 0 0 0 389 0 0 0 0 778 ]
+endobj
+1366 0 obj <<
 /Length1 771
 /Length2 1151
 /Length3 532
-/Length 1712      
+/Length 1711      
 /Filter /FlateDecode
 >>
 stream
-xÚíRiTSבª¡¬2©¤j=,Œyn4„„H
-¯€iá
Ëg‘ªUpêëê*ýÙþzë�óçìogïï|g3\Âå,1Œo@¤8F² 6$þ2Y0Äԙ˥1þ¢ QP�ˆ@B¡X­Ó
-Àˆø+D|
�
üñT�&«IàæÏœ$	€X‹¨R�
™‚T#Zª†R¡
r\‰"¤�
Ä
X;y#
¬EÒ"�Ù40ª$Á$ÅhœIMÁ˜
-‚70¬K}›JGˆ4Jp›’É”HÇ4
-G0xºÊ¿)œPÿ@™4Ìý÷¯�J†+PŒŒ0¤"€û{*†þˆ)“Tâ¸l.¢ˆÔ~{J˜ÖL‚)qÅ’
�ï
¡0Ш!¢">È„
-‘ý2{ ‹)p)y·;8/»8(:8rtÁÑ
-eÍ�w`5Ý©o]×¢õÁ.äÖ¯ÉsH©ïäyA©�{k“Æ_2~]²cæ“„çÏ{Ÿ½6Ò[(3],œ�ψv÷Üï›îæ>ÌlçÒ­¯~fr‰U¨¿¸KŠ}ƒzmVÛ´ÿöíÏj“�áõ\§G>s5óh÷DãÚ½åÿ’­sÿºÉ´;^¢·Æ^Ä>ì¯|øóÅã~^¢Ô?®7éLÄM÷Kµ
ç«kóg&˜š¤Òª%M³ñž
¿ù.>Ž½æÚ‰ã#€z§ùB·¾ð¾úl–b|Ñ1‘Ç�î^C?GšG{,ʱÚ¼ e'û~ÄòLÏ_¬Î…Ô&:=kO˜¾Ÿ·l/‘ÅZ³7åXMHÍ6­á‘pΞ£Âú‡�UyÖÙ'â¦ïTeD!¨sÙøt9³�±þrí#Ò®0üye›ˆõ=ÓÒŠØàññÌtÞ™�Öó½â“_uû^{°:s×Æ�n®\´}=MdÓß3 ¤§J>-Îy½e´'Pgc/ij�3cw�–Üþ¾l>{Ð^çêóÕRŸzÝùÿŒ­ZÃâÙ«"2¹šX÷Ëþ	Ü\©­ubÀNƒ—üÉnfg“ÌñÛà'Θ©9Õ¸MJ2½<QUÅÉìYuÒÃ…«aò¥Á§4Ë-fÜž9ö¸Øyð)±éÀÕ ACùNØ÷VEøºÑŠ	ï;]º\ÇË#?�^!SÉ^ÇÉ÷$ÍWeô�ó2šºJØ•ëýYn[N”ù9ï‹SÆÆMóˆ°àpøKuû¶kŽW‚¢lµÐæh¡ž÷ìHLGžÕ»Ù«éôO0ãÒº1ý¾º ÒÁ¾#;.fD¾Ÿoºãå\*)~eU7ÔnYˆ'rhT6Öw_¨,²ý0JãO”Fä)Ûn%n^=,«k8¾Ëf;tP�UÔ57¿yÖ›~tz´,]^ñå:Ÿs‚¼ô¨³R~Ÿïœo]ªI81ûÄP¡¤ú@ò]IOPÖ3ßïރ߱]ò8úLIAþóAuïiÏò¢àáË�â›­»µ]š¦êÒüݲ¹5ëß	´;Ô~YtÕÎ{W{Q;ÿ“¶qú2òÅ«¸“Ë�¾6$B
ÝƇ�-¡0v¸°
ëmthóeçæŠKýº®ïQ'6t\+Ëý	‹”7Ð'ÚªöÍ�"s9>m³ˆÅB«Y÷>¸ûé7IÕ‚�±ó’–„«=Ÿ�®Ù!xaNà0
-Y
-rU7žyÓŒðCyUôÚ~îß\´ÿøŸ( Ô 
-‵
-"…ö#FŒ‡endstream
+xÚíRiTSבª¡¬2©¤j=,ŒiF
!¡€
D¢a”Abî
¹%¹—^n )ƒˆ•TeYÄF—Œ¢¢TXUê€RK¬B8‘VJXÖ"U«"àÔÖÕUúó½_o½sþœýíïìý�ïlš[„Œ!‚°
p0†“#�R©„Ãä™Í¦Ðh�8,'
’°p/°R«Üe€Íò–	y|
+
bizIQÀ#�>Aâ‘Æ…R9¡‚5d
…\
d˜�	=ˆÔj°vâF:X§Ãx1)€
6À)JaMh’ JðßÀ�6ím*ÆÓIQÀcR&�"!Uë
+)¬pŒì“Zþ²¦ÖªÕárÍDùI§þ•—kµþ/¦IÓ0¤ãèTjüFœ†­fjVBÈÕˆB„¦¨aÀà,g²—¿Á‘ô`DC¡P
¥\�Oâ0
+MUBú7©ƒµZíù××N&#äJDêÓ`Àþ›=sþŽI“pDâÙL6›CÉýö”8¥™U`‚¦
+Á:
+-ŽÃ(19>¤Aoc%Bz
+Ã:XA1ßÀ>[>Þ{j[M®¸ªó¨-=}¾ñð–ös[O}˜C½>N×ðÆ#áþpÜêø1rÌ¡d8ì+¤äõQO‰²MY2ÖÖG“½½bŸlÆÅPBÒ´Kem­ïil¿k^hIkô|ð“ûÓ;çlëVÝãð+©Ã…ÓknÞxù87ucGŸÙîKÈ}°„’XvzÕ8ú×;EWÆï‡`U˜¹úÒÜ„}O�_™©­·»SoÙ†2©Íu£ï‹YlºNÙßAáìO]hŽ-¬”	gÎ÷º]nVïûºcýš›Â¤¿Ïè¢ÜŒïvKòsJBc$Q#óŽV8)jæ©}Cª©Öp}ëº�z¡ÀR¿&ß)µ¾“ë[ÌIkÜC[›<ö’öÇ¢ÓŸ$>Þûìµ�Úò@‘åfåz|ZŒ§÷~ÿÏ!z;›j{õ3“[œ\õÅ]BäÚk·ÂЦùÁ¿?»yT
+b×ó\nùÌÝ̥܎iö–(]çùu“iw‚Xg%ˆ»ˆ~Ô_ùð·‹-†ýܤàÀøÞä3‘7=/Õ6œ¯
+r®-˜žhj
+®ZÔ4ë˜ëæç<ßg¶ƒ(Á	T;ͺuE÷Ug³�xãcŽ	½t¿ðü±$ÊÔ8|ØkA®íàæy©;™÷#—fyÿns.¬6Yßé]{Âôýœ%{¡ÈlÆš½©ÇjÂj¶iô�³öÔ?äØ”gŸ}"júNY†�:�°�O—ÒÛhë/×>"Š"žW&3ñ8ÿ3-­(ŽZŽ�eepϬ^ÏóIHyÕíwxíÁê¬]<º¹|Áöõ¡]Ï€€š&þ´$÷õ–‘ž­�£¸©=ÞŒÞ=j¼ý}"Ø|ö £ÖÝ7ö«Å~-Ժ󿌮XÃà:*#³Øê8ÏBëþqÔ\©©u¡A.–K
ò³«Iêü­ä‰+jjN3l&h‡^ž¨*‰fåZzVœôr#V�V
+QÙbÉ)õR«i·§�>.qµ<Å7¸Êo(ß	ùߪˆX7R1î{§k\›ç|y¸°ãçÓˤJéëxÙžä¹ÊL½®sNfSWé<‡r] ÃcËéÕYŸs¿8ehÜd5—D@ßX«Ú·]s¾m¯álŽè¸ÏŽÄväÛ¼›S¸’Jý5,®Õí«-µôÙq13êýÓ�h×RqÉ+ë¸èºÁv버C\¡S£¢±Þ°ûBe±ýGÑê@¼42_Ñv+ióÊ!i]Ãñ]vÛ9UÙÅ]³šgÌß±é'—GK2d_®ó;ÇÏψ>ÌëóŸõ­ûÂ"
%åœ,WH¹+î	Í~æÿÝ{Ð;¶A#‹Çœ1<·¨zO{—K†.wŠn¶î¦Õv©›ªKvKg×8­'ÄáPûeáUß]íÅí¼OÚƨKˆ¯âO.uùZŸ\Ä	ê6<iY•	¡‡[° ûðÞF§6f^ž¨4 ëúÎaURCǵ²¼ŸÑ(Yu¼­jß,NT˯m¾P`3ãÞWâ>ý&¹š?0z^Ü’xµçó‘5;ø/̉,zbCN¬èæÍ1ox’q(¿ŠZÛÏþåÿþ'
+(Ô°'0�O¥ü	ÛGŒŸendstream
 endobj
-1304 0 obj <<
+1367 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1932 0 R
+/Encoding 2095 0 R
 /FirstChar 60
 /LastChar 62
-/Widths 1933 0 R
-/BaseFont /LCGMFN+CMMI10
-/FontDescriptor 1302 0 R
+/Widths 2096 0 R
+/BaseFont /OICPNV+CMMI10
+/FontDescriptor 1365 0 R
 >> endobj
-1302 0 obj <<
+1365 0 obj <<
 /Ascent 694
 /CapHeight 683
 /Descent -194
-/FontName /LCGMFN+CMMI10
+/FontName /OICPNV+CMMI10
 /ItalicAngle -14.04
 /StemV 72
 /XHeight 431
 /FontBBox [-32 -250 1048 750]
 /Flags 4
 /CharSet (/less/greater)
-/FontFile 1303 0 R
+/FontFile 1366 0 R
 >> endobj
-1933 0 obj
+2096 0 obj
 [778 0 778 ]
 endobj
-1932 0 obj <<
+2095 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 60/less 61/.notdef 62/greater 63/.notdef]
 >> endobj
-997 0 obj <<
+1052 0 obj <<
 /Length1 1608
 /Length2 7939
 /Length3 532
@@ -8644,7 +9527,7 @@ stream
 xÚívgPTݶ-HPPÉ™&çÐÉ™–œƒº�–††î&K�(HÎQÉH�’sÎ 9#$ˆ€øÐïžsn}ïüº÷üzõvÕ®ÚkιÆsŽ¹VmVF-]^Yª„p@óùž4`ö–Î(]°ƒ¯
ÜEXYå‘P0†pP
 G8ÚCзÿã�ºP(
 �²BÂÑ€Û¬Z
-JñDÛ‚Ñ¿s£`·n
+JñDÛ‚Ñ¿s£`·n
 uƒZ|™BX‰¼LLIB—Qdt
(<ok
bu:æ}Ò{ŸíûÑ쓼,Vôâº4�¯rèéM�ûäŽãÏõg\=-äpöæxèA­3gkö£¶Qî
~ó<¤]ÃpÏÃ	µ%l“Ç+Ú:æ¹×w醄�x‡ß9}™]²}IYΉ¼­*"ÉVb—åìì²Å|ý~ÎÞÑÛÝÕÙ|ŒÓºNÃ�‰Ï*î‚MÈæë”N#m¢_äa™ŒéøÛÔªÏ!´0sL^µ$0ÙÂÿTh5ë¹[­Fúù{ª\™ÏíßÉúÐâ¦Ùé%üföC ~–fí*!Î:‰E�výÔzð­´÷Û6гßÕ•Ü 곺£�Âgü«e‰;}ƒv©b]ùßÖÒï6”�‡ùÚ}sø.Gj¢T«$Kñ£•I
âQ–®‹Â~ÒìEÛ1w.ì*Çbr|¬½}$oÖ‡·Gs]> Ã?V1ñŸx£+w¿³^õ9’e‡Ð†ŠÚ¥ÍäÊu””7œœ¸äN­Ñ÷ˆ¨/ùŠõ.‹ú…'Ð)á0äPùÝÚ…ke
 ¸éÛR§ö
 ]8sô&sß±­|*åŸî#>cÕ¯‡‹úœ‚œEëÑymeê÷AÆ€>8m„1œ4¬jõõr¦XÜâd8„²³¤¿V>M¼çÀ7ÁÜ&N\€*ÄJÒÜOµøï8•^Ýçôáö¼J%qõ‡  ‘®.µ&у;ìXBÒ0ÊÚcVKŸ0-SÛ·ߌG?óí·Eƒòñ(€(§¸Ëš’=´øô•ú
+y\J6.æꔋ‚œÞ»ó^eúÞ‚·V„(õb*$Ã=AÁžéÌmEé�ïa9žoñ€Rý3™ÙÑS×!÷8ÎãÒ9‹ÅÕçÜrƒÅ£‘C™Äù\‹-ÕÕ²k±ò¡øáÃÍ�8
@@ -8676,452 +9559,353 @@ QH;ǘ¢&šùŸe“ô¿žUÙ|µ°S�c0R2YE]¨
 �‡á{__bçâ.°ßþ
 LóÃI8GU–¿Bã¡\‚–Ÿˆ{éõ´Sû›7M‹Š–…;ûÛ䃵h¹0GQœ&÷

<‹"œ_ý¼ÈAze‰ÀN2ÿPÜJ"u]©¶ÕLòs.}æQùü‰iõHö5¨ñ‹‚‘öqLðëƒýUj[’
	=Á®…1Ñè²YÆHOŠåoq ’„!¿‡RÒ¯¸ð%ê«~u¯³¿0Š×·6î;>nE=m½a�Ô\{\ÄcïQq”&T/bµ^þü‹}m“¹ò
A’ü陈×O/ÍI>c×b%ÒÌ&ìýºªú· ¶mJ;û7žb{ª6eC‰Æô_è<@ÀbW’+Q'‘šäçÚU›‚ݧ/ˆ+ƒË°a
 <¤þdÑ
_IÒõ.˜ê¢Ï\9¾§é-xÚÖ-9?›
ìÐv_wóý}¾éH`…Ñ'>Êß4¬�>äŽT‹¬ÌÛúGäµGÔà…$Í	ï‚7LI›u`žUJ2ì„΃79ç¯~f´lá­ÊΚìïW5�?|¸':U—.ûrJoÇÓlÔË5áAÜçxE ³º×ا‰3Ç•ÚTñ#åKþtâ•.iKW@ö/É›ÔÑ÷ û�j&Q �¦Œ²È˜¥t°Èð§Äh-ؤ1íý b?e¾™F	Š– ÉXrÙ/&Šjz©�¨rAÁM°re.�2Òe%ÉÍ£™6"�5[¹(H4:\mdb“™[i:ýP½2“�¿Ýä÷ö0JÑ»pÕh¯QšQ¨ý±�Q�ó_»Ã7;mþã«÷Aú^ÁÐ;Óèvñ¡Õñ¥ã«*’Hóß�¹,QëtT½�}…ÁbWý€�g”ùxÔ$Ó¬GÞ×™®'}¡uÞói õ´’D§ùõ; ¼xðÞÔ¡Æ°~.
°öâ%ÅÅ4O”˜»ª¡Þ»Bï­\ÿÆÈæ 
-†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.�ïdîžk0œPañœ„5ðYÓë�F–?ª
U'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´
b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å�[|�)h$úØûeGUeŸ?õ¾†Ó<å�ízznKB†Éd–¬ö…Àÿò!øÿ
+†ìvm…$t§³ÎLd?莑ˆ+í–«I&VñZ"-¿35MGöÊìä§7À Ñ4‰>ÅauA×W¯½r‚…`Hã×W{Ûw1Û®­¹E¥^["W¬%BŽ… >«íÜMÑ#nNCuy‹¼Hû%Tž,TÜþ0]4.�ïdîžk0œPañœ„5ðYÓë�F–?ª
U'?Õ‹«žäfü¸Š·Ö¤qCr®až1j,†º¿÷2Ó“=²õáÿ¶D4ÏØeÊÀ¿I
Üóv¼vþ´
b„dîÿ¼ø)xý)\+"oÜ´¦ÜD1å�[|�)h$úØûeGUeŸ?õ¾†Ó<å�ízznKB†Éd–¬ö…Àÿò!øÿ
 endobj
-998 0 obj <<
+1053 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 36
 /LastChar 121
-/Widths 1934 0 R
-/BaseFont /NHCECU+NimbusSanL-Bold
-/FontDescriptor 996 0 R
+/Widths 2097 0 R
+/BaseFont /ZKLPWP+NimbusSanL-Bold
+/FontDescriptor 1051 0 R
 >> endobj
-996 0 obj <<
+1051 0 obj <<
 /Ascent 722
 /CapHeight 722
 /Descent -217
-/FontName /NHCECU+NimbusSanL-Bold
+/FontName /ZKLPWP+NimbusSanL-Bold
 /ItalicAngle 0
 /StemV 141
 /XHeight 532
 /FontBBox [-173 -307 1003 949]
 /Flags 4
 /CharSet (/dollar/hyphen/semicolon/C/D/E/F/G/I/L/N/O/R/T/U/Y/a/c/d/e/f/g/h/i/l/m/n/o/p/q/r/s/t/u/w/y)
-/FontFile 997 0 R
+/FontFile 1052 0 R
 >> endobj
-1934 0 obj
+2097 0 obj
 [556 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 722 722 667 611 778 0 278 0 0 611 0 722 778 0 0 722 0 611 722 0 0 0 667 0 0 0 0 0 0 0 556 0 556 611 556 333 611 611 278 0 0 278 889 611 611 611 611 389 556 333 611 0 778 0 556 ]
 endobj
-994 0 obj <<
+1049 0 obj <<
 /Length1 1166
-/Length2 8264
+/Length2 8309
 /Length3 544
-/Length 9079      
-/Filter /FlateDecode
->>
-stream
-xÚízUX\[Ö-4�Á½p'hpw×*(¤€*Ü!‚»înÁ]ƒ»kÜÝ/çôºoŸîûtßîw«öZcÌ=æœcÍýíz(*r%U&3[ÐG[¨+3� 
-në3Áù
-|ØGè´£ÇÀNâ¨Ð×	éÛb®=R‡äEÚTBbCøª
¶DÞ¤W:›[öŠ¨$dEY%Š[Ót¼/oü¥¬½”ùP'û[Ä�–~�	X2­µc×42:Xµ{—%ÍøFSÓ]¢8œÞ“
’˜•G&$ÚÜ|-C­l7…�à›ò~»,Nv}»Æî,@HíŒÅfMè\ƒ•jLw~˜,r
ÿMüF]_©
-ýÍ8¶öOáÏoëÓ‚úïLîÓ¼¿œ+è¶kÎ6ÙA
Ý$=43Žºoô°Jü¨rOwVsr¶Ê¬ðšz¾Ž~ÿ²ºþëÁ‹êËõ-!蔄Wd=R9‹ò”l:VŽhÔïÀ³¼Lô
Ãaìtþ8QIVæy
U&Á¡û�«ü\žj_E‘{<ó�éYàôDËæúløa½ê£D–Îîç„xô�?¹é$Ì|’"Xûü"rø—Xu[ÊÚ6·èNâ÷�AŒ»®qmƒ½É�ý¢¹Hx7žMxÃ
_Õ[±½z
-¼*K«™Zú¹úÕ°×Wý¢Øø¹.ÔR¯�æESúLkéDÐ?«áäv%.
-šI-b´zŸŒU íÑ—þDÅyMß\…‹ÙCó«ïÓÖSätRR˜…$ùÛˆFy/Áê}äYeOÈZñ¸ÕÏ«¥¬øïc}͹ü<	ÂåŠ^úRX¿T[ÅgÝñF/yo\ky“Wb“Ë·Ú{že”Ã_¥b1‰¯ç(17•®LsT/“ks¸àýÄR–Ê8à׆h0ƒÄcsâð]€¡í"Z°p¬Ì¥`ÓTÚÕ¼��V£ˆ™×Þš¥”¾Îé;»WžÄi%(¶ØÄ5œ™,—»ì>N*�Yƒ?åïyÚóíʈfüλ�»²ɽø7ãáFWqÊZS>M…ùdT„Ǫ;£Qס3˱_‹§ÙL_¥Ÿ€(U}Üh-²CöF;5œ}ó�.T²¶/0žyÖ]±!3f\CÕ1�WR|#¯o‚Ǧ?}Fq?¯Óf�Ï ‰²¾
RŒ2Á	œðäÞ"#
-hŠÚ?åðP‘­�||èuæsSQ2¨•PbHRóŠêÐ8ꎜ¹MS^MýÜÝ´Ó›û¶ÈnØU´]IÜl(óš–ªÉô˜ÔpXò,Î%0Œ1µky„Òæ®qú§°Ä	ßÉ`hˆ	Y›½	goû[rð`jϾªN¸tÇ\®»–ü»bIBj¬÷¯Âµ^‘•H�Ý{”é·ÄÞê
-Ô
+¸'º]÷ñ@f̼ÀÜGgìdô—éËùêÛðFÔ!k£«Ã*.$|™/mßFàŽùyAO&—2Ö…Õªõ¾1Ù«<Žø+vˆý–­Dce�”­µEx`Iµ5úÐçK:™¢¦ïÝO�Ütó‡ž.erƧbÛ,H/«äíuåí™RrŠò–WW“OF3³gÃ)‡¬Då"\ßžâj��èßÓ”võVسïuÔt2C
«Æh]W*é„g̯%ä"‡È@Šr¤Bqf„�•4†Fóó<ÐP+]°¹Ng…8à„q/•ãȼ¹b–Òdù&Ê´ºdVNšùÞÕç6bÎN�é?ï…çPÒZWïn›�vÊ
-bší‘v\aۺΤ:×}¸½ø�Ú"¤#"tl~–ŠÂó5‚ws¬@ö|KéêyÏ’4%Óù|ô}É=ƒ-RK¨Ö{Öˆ“¤‹xwwa@­â©Ûæí‰ûÂŽKˆ0�oýwËŠµºÕ6©M8�³q¡ºïˆoâ³·àßYF¤i{#ØHjî˜/„†HP,9;]D»¢ôc¢bÓ*ÃzøüÆísüe¹ÔÊâ°?»ÔÎTùw}ãΗÊâÜšTÆýjy¡<w¹ï…ʼOŽ  âéMÉwï¿ÆUQ8øx¬È¬¿àñÆ3…}ð^ëaÑÄà|Ý’¯¼~¢Zw�(í
-kA,Èž¼ÃR*(^?�X5ðÙä,|í0&æ)q��¡3�5QýQ�”>1(`ãóŸ©3;çó~•�…jffl¯©È{>ë²SÕ†¬[ZÆ€ñí^m5
-îlúôü4 
}
-¸iÛ¬[
-AEÂiæ·Ü¾^Ápš¡¶²S�‹q”)ä—®}ÀÈ™’X¦‘Ñê	½ž¹I|&åYöd§œçI»Á~hÜ%i}ºZùñf�ǤXÂx,¯ðçÝÀŠÆTÀ;=ÝJi×î^‡É¦Öèz,€h?R9Ìó;@Öÿj—þY) Ƀp9:•Iß­¸ù�G«
-gwoÔЇ¼V}ŽCsg@ˆÑÕ†šÒm
^©‰iÙ;4
-ú‹�®fºÐ61^Ô˜±õƒøåiBž•1•ƒ—ÛÉŽ¸ïõ+üèªicöe	3+âòÖÛ'˜–ÍN¥ê“�7ðÉi˜ì§ï´½~2¤bêó²ãò½õþ•`×Êê¯áÞØC?¹ÕÔÌ=u¤ÛˆU¸…Í"â#øŽ\f�£N2ú
-wŸè’¡µ¸§¶”¬Õ¾Ï®HÁ=ˆÒT“³šÌ6X’>�3¡6º­1•üVŽ mjƒ3/7¯=Íôþ
&!nIy<<QDð"'É[nt”;D[sZæZÿÄŽ¥¾v™•8`±ÝÆfF—ÚsÔ|¯ï7G 9Î+
�?Iæ†]KkÛdìÓ½çÓô+(–¶ÿ5ß(äþCT°‚\ÚŸ§l±npOhÃíÜ@tþ¹�3´6PäUi·�QñGŸð*íwõÌx¿©1)mvj"§f6¦F0±ÎýèªêµÌY™i	õÞK÷òUQNÉ
g_;;C4‹±o­%bTèŠÍ†d^âFG
ÐÛk—W·>`e%aŠ{ƒ#0SÌ=²\:×Ñòz¤ØGàU%˜YM�çËá.žÜ�Ã_bÔõ~¬›Öw�ŸXöçÏ×�{7¨‡¬MÅ6ê£BÊæz‘×´‡ïÝpä÷¹QØì‡G2n2ªDö.×hE#£“	Z½¼Y‘ñ&ÐëE
\(ÃES¥cùlgK„ŽT@â91D±èc™×Àj…¤�Ði�ÞÚDÅëÁ»ÂЯ0Tµµ£bÅ$㪌íéyÑdö¸Ì
„ý�n&¢›\ ‹Hè^¶ÙôX\JÆÇH?!Ê
-F‘PÖçhé!ÍFµù„複ì‚4�ãE¢Q¢ªÈŒêË¿$Æ£}IÅD0I>àÅlPól&ÕFXÞáÅâ‹×Ž^ì÷êÑ!W‹ é·qV`ç¥Óz"!׌_j¯Ñò«E’µeä—QúŸŠGÌå«P•['ïkÈôZðÛ5%K…š�†Â¸ª¾àÛ㼿°è/©äGZ­�Ö¸µ²¤Ë›w� f§þĺ#7^•Ÿ?<Žàa¶Úñ9"	ç*‹æz]à•Öˆ·Ñôv–ý £-ÉTqÿ.åó%‚8Þkeÿ3¿[M£6ò¢@Gò‰ƒXúÞ¥çˆS&2ØŸjF[fzØ.½„ø'eCL`KI
-g.£Êù5õ\Ïc¯ªO]ffå,§m¾¼@+¬—q[¹ ,<¸¡ÎIPŸ©if8§”MIe({—Jœ~À$:­`š‘-éé;±‘¬y~�`²ŸâÑjr+Ö-±˜…>IEƒf�çl±¢ZV­®ô
ÛûUM½5
ßOÇRòˆœ�N@Èd£èF_ó³òÌu³Gö–l0êYiQ¶ˆrœÔÑeY$î9Ù
q+SÊbÁ9+²ÀYƒŒá—)mdA(Å”µˆm;ÞUÓ
ŠÊˆm-Œ/=ŠÉ?ˆ)CHÙrS¶Ô-“×ìª0Kƒk}öW­jõ‰9‡ý@F#iÍKû½D;¦$*µ±¯ˆ:vÍuš
- ¢6G4ÚWó�÷mq£Mo’¾íü0zt™žà[ΛÙóïÄ3ÕÝZsÆÈP:dVÔ/fyŨV�³Œ§²·ÞŽ%ŸðG5¤ÆA«ÀÞ«§hÏ}Kœ¤=ª4¢a3¨˜– xMPn”ªÇ#qp´ų́çxk lƒ<¶ä¥ùÁãÊ¿�aLÆòË+&ç0q�wl$^dnÜðy(ÙBÓ¶ûo‘#@¹×M±®@S#8±CjQðç}
ékŠ»*lí,¡�µ=êï�Θexí¬„¢h‹®•ëö¥°gЇ™N¬/U
tùM-w*Û¼¿<ý\ɽ~,($ۥDzÁÏ5dèrР®Êº=¸’+•"‹~tó%Ê�"â…,iãä,
-û
-àÑè.šoÏx­g6åëÚ†ÇËVDU±N…;ZÆÒ5oùOhú­—Ð>IîÌ:h^�$¼Ôlz×ÚÁÓT	@ÿ}&YƒHõEŒ(=‹qåö6õÙ¨ôW=wš’xsDs‰¼:ŒëöÊ-¶¿{´1öFi”"}±FêÃLf_ÜÅÅ;FO5æøþ|y~U¦Î ‡ëÄCš�¢Õ„’+ê´Èø–u{Ó&d¹¿*¯’E牊ô‡Mâ‰t/&%Ï©H6ÛÒ¥Š‡¬GJ×:Ìøö•¿ÒÒ•ß:–”eˆº	—ýq«É(LdOÅ"^$·u1§&j¶ÀZ¬
-Ú=;ˆðá:ØÓÏäÁÏ/én¼¡,*¢`\ÜäK}["ÊHTÆÞˆo`ÝÙýz„N¢&j¸'µ2ó‹|K×c6Qén)'	üÖœëv?.ßüê´–®PÌ£§åZ]GOŸIªvIbŒµ³ÉЄH\Ô‡óÉ}vÆé¾°å1ù{'¾ógâ݇ûmœ‡½*œ‰VákÑJÃÙ9ÿ¾�<§µÈ
i¥ßg
CL⦇X
±rX¯=Gó‹Ûìö.BÒÓ	oû~o‡´~8:_ª˜WzåHTº{‚,×d?u-ôR,ýá²ÍþcQk®‰î•üâŒ'ÄݹQì�ª¡³¾§�Æç‰g\&ÚQ„#J©Yð#Õ²á[ƒ�ËEßE(@˵¸x†üœ³/ö®:g]!$…US	](%v¨	åÑÜ팼`‰jî&^Ûœ?-ó@öùàjÙ÷<³ï�lY?XRr$Š™£-ÑTù†~ŠÇ/0‰ÌB¯7Ù×ìYSB{@&A^UEs	$DH@
-٦ϭÓ%"Òð9Ó
--ý¸Bç
hµ0ÊnnL¿ñE~„éMÇv¡“LYd< gñÕ¾ìQ±í�Å EþoÉ|Ľ„\cvê´
-Y	

É4j"¼ÒÜçÞ»6ð¯ø»(~7qBËb“½L*&=¤ö4P'©ð·@Xáѧ†÷§€R§ ÙiîÌ#k]3§&M<~èêÆŽ¬y×–=¶÷.Ö}ìh�"rr
²Ë«À±æ<³$wt•°CnEÕ@�¸*ùwN.߆Z r™LŽ:øõŒªOâTãPêŽ".!ÉMù?dð<Ÿ½h·Õð¯=B­›B]	oº×dûJèoÛ°Æ°­TFØQêP¢úC@qSÁÅùÖ÷¥7_±�¸Ôˆ²»ÞÌ3å�³_Ž¾«š’ñ #¼Ì‚�
¸~sOsÔ|ùƱ-J?§>8�_@1.æXIg5ßRic¹Rc
+/Length 9124      
+/Filter /FlateDecode
+>>
+stream
+xÚízeTÛÖ-–
+Ìj +às�Û@C£
†Ù�þ~Ä�A¦0°DÂöŒkX»
+r¶Cž!	s{¦îâèhY¨� .Îæ (ÐòyeÿY(îàèá¶²†
é4Õ´é™þaçååšyü…
+²spü£Ò3…4r~^´Å¹*–¦’`Øíé¬a0G>VVGKSÐsŒjÉ
ÁXéŸ*	±w°ÿƒ
+øC3	°3Èü¹)Ö¿ëfqpƒxýGØ±ø³%GVMØÉ$+ñ?ÉÏ!À¿bV �›�ƒ�—�r‚ÜÍ­Yÿ(©ááúdÿ#l
+±ðörtpZšÚAAÞ`KÐó
à5u
aÎ. o¯ÿø÷€�h
6‡
Í@VÏÛð/öç0ÈòsES˜3بÏÆÂÆÆdûãÿÏ‘áó†Z8@ì<þ•®dj²Š*ȨÈ)2þ½÷f‰‰9<S2³¿ã2s¼ç~vÊ3#/7çßÿ©Å_:üU1ÿÏ:ÙþE)±t
+ÝØ)[7q\ä딬Ÿâ}2Ç”¥Wº4BâÃ8êÁø¾d7z»{NÊ/IÈKsËQ•÷fèy	eì|Tù^N
~“`³	IA“k¯¿¥•ÓC«?¸Æ-oÃ1™žéÃàö�
+–ÀªOÌHt‹ßñ}n縳.i±¼«tÌå–ã4t\dêÍFÔÏZïÖEη2Úú`¿Lè-Š²FsŽ]Ä!JÞlø*@�çìwÓ>ׇ&ª©æˆy²¥@¥]kU>=­rEÞ-çŠÇ™°V£¨ÙaQmL1!h²R%^×àj¸Öl;Ó�Ûì^R‹
+8ÆßÆûOv�j(øÏñTÔ¤\¥+Ö#2\…¿n5;ÿH¯i}¤ß®£Ñå~º9$m`Ƶ'4É)ù6b›•½.†�e
C[•+ÚËG}*”µ>A¼­dÏGæjøf¬%€Ê4ìªÉ�$›�ŠÛwÃPoÄd‰÷ú´ÊÈÓƒ8~Gžõ‘÷<Yqðæ3z©ÞÆ 2[¢ÉIJIH>Èe¦_h‘Q¤Ç�‹×g\<©‡3Ñ
¾¯òJ­’ûÁ«‘e‚gìºN¦bŽO+ÞÀ“îS­™c­Hœ�4ÞCØKH÷²m:§dÔ’�ÆC»t½€!…Âæ©.—IóÉ^!Øæ¾Ô�D’ZÐZ¢˜ÝËMïQ•¦ùÜ�ȇ®CÄTÄZÅ‚zŽz­‹Ä#EÄ7ÏLm}.éF
?:�ÃÓ¬v­Ä3*ŸH“¾˜sLfZž�Ó$Vf‹B4�®»%DÚ”6òÛì!Ó7ôRI¿S{ŽØ¸Õü	ØKÒG;ë¢Od€V@Sp¾¿–_
+eÀ_±2äÀéŠê×Ü÷qóºÄÃfhÙzÇð#e6Pw=3vd[¼¶#mýç;±ýO�߇P÷LèLI
Š `ßy·b�gh¶£ûô•À|ª¿2Õ1äÔ@ßXˆãàç¹ÒH_Li¹=YK/0¯§E	ÒÀ(èù\²ÈÖ«:˜ðCÃkX[ÐBf	µÝ÷l¼
+¥ô€áëÖKŒ×m5X€>Úí�À½æØ™Ô
„(QjiVJÒ˜˜¢�`ßÛCÄ9UoðzÙ„íÖ�ðWvªD+ž
+VËkþy…Šä]WzÃ�È”}ÑDE\Mó�½}ºŸ	záuÙ Ë
+�Ec'b£cƒâºb+�"±¡ežê±3<}MëMÖM6À–è¿ùùn¬¹˜¶´30ÿ=
ùƨÔc¿¯¸§šŠQ½¤
+cª†O\—aðIoìì}¦êZzPoë
+Û¸Áü—%N㞺°Åøjâ6c¹×tÔ¶­æ§dÆ#Ò�ÎIî!QLé=+£oì·Ìl‰Hžñ�
EF˜‘gr8™!söw’RZ¥÷ªëEËpÍxé(R”Iã½E£"ŒÖ!$ÿŠ+3þà\aø-ñ^Ønàêdb{QÉ°n«D75¡¤Ý`:4ä¾é-TËu—6"Ä;ü¶·M9—sïôñ«£#ÚO1èÒ{
!Ìá8„‚_Ü2ähh.‚LjÚq�ÍŒè• hê1€RàZlƒ‰N?Lä&ÍÀ÷Ý
Û@Tý¾‘VÒb\0í¡ë0ÿª…É0N‚%»î•+1¶•Ì1ÁÙ7Lûêš_Ô>X–ÙG]td�1KâƒÑŠQ¶SF$‰·U¥8:ï¾Ó5Ÿ½OÜÇ'vp¦3gGp|wã›À„J÷Wó¯c¶LLËFÊY7pŠäh·nK.q ¥'Œ/®Â9bŽ‡±Ïw9_2ÇÐfÊê¶VWdÞ·�¸áË™
w7‰œ"Óù}R4T˾jVø?âó~:Ãí1~uÊæ|*€Ó”ʱŒ«HÂ@pÎúNšú	7¹á8[³?p~¨y4Ñ5r€»ö£õ5C6Œæѵ,âM˜“�Õ�QÓ8®‚ùÐùU7
¬Ûþ§>S+zâŸ[VÑUŠ<¥<
s²Ê&:Nð )ÎI�JÀÃTãÃX×ò
+ÓsñŸ¬5ŠN!úŠNÌJiJ¥…+kkŸÏÆròæ¢ßÛŠ)Äx�žcé\Œ>Ð~í.í¯râ<èªëf�׌Óy¬VÑ‹ÌYÝn§ FÈ�KRd"1f…U´†ÇŠŠ”> ¿¬öH‰Bç9Ÿâ‚â%¨„$‘ûò$,gÊóMV0êôÈ­ž·ñQÔ‡‡´
+åƒb�3èu¯ÃízSHø”Ç!=ÐSV«ènÞèõÐ`åÍ’ª;qg?Ìj†o+ÌÊ€/F;=!`ž· ÀË!¢Ëþiú)�*z‘�ñÄïø.ëœØ½ 8Òà4AgÉ—õ:fÞv\JÞ�
+L^e°ls›Näº�Ô§ßýšR6úù¤Û°éµÁkkùéÓü½I°±U-«a¾r�BïñØ;e9Ïx¡‹K€q("�Ãßj¯mµW.~ØÛüÔÚuf«ù)ýûU=¼?R‹ï7éÙ5ĺºWéŽò¹ÊaÉ[Ð4Œ@Çr�ß�g|óy¢X–%}ƒ	_l3÷ó*CÈz:â0ÂÈ(PóÇŽZÝô†vÌ£1Í5KUFêçöóÉ„¨Bß¹DóV¿ý\öâ•GþÐò$uI“!š›*«±5í1
ÀÌD(©u›P¹©üò®¤Ãóãõ�€2^DõÚTnÀo—£AÜžÈ77lŽ×�¿2+ó33£‚…VØsùÜÁ&ùK
+
+	×�yLˆßº§(Pœ(4Ä3dBmÝkÇ–?v7‹]çì£PܹïÏ›ËèÓ}
+ð(8ôðY&Ò”}„yäÖ5ð±KêÑ&Ek)Oá†x°ñîs=BˆFÆðïDœxѯÁÛìÍ㓶‹]Õ¼ô½ÓlIÃÏ6<<*°OÖehÞÁ»GÝ�„1S¯¿–Z
+4;�
ÃkÊZTwïG¶¾htû»Ï4êªÖR¡Þ'­ DIn>˜Qâܤ¹*'_I¦äÆ6¦æ>»\<º¿UQ,‘baà&�#ç
^ËmÛÝ[oâù$Ç©e�$ò�Ô�qµ=¿=jYÄPs˜³ûD<‰™*Jß–¡£fo,_mSBºØɾzªS Q_øi¼ÔR@¯KFÀ®+µ™øìiåÁMwš”¶µ<ñiÒ^ìjg–Öëã~f쇬òÑK§kY¤Ó
+
+j¤¹‹4;X£O<eïc¯¿ð�K’s…]�䆎sÇï#ó Th�äP•©îyÙú¼Ø¤×	‰"i§¿wç}¨Þ‡�øÛ¾yI¨A¤ÚáTŸÑ8{Z/|&jêãõ®Ý>]ãPò÷2×EQà{‚°rëáÞ8,~;;ÁWâŒ�įFõ9ŠCá•
+j[ÕeÀUoóOõe¹#´M7îL°”XËzÛƒñ…Œ‚´Wvû¼‰¼†Æ«<¶eªhYÃ<ÀæþÆêè²o¦ B‹Ï¯¢:YAW󹄛é_³óöÛЛë7.ï.¹m{(Az>oɧÊé^˜ë@Zc—‰7*wÈê
+›»WVö]°dÙ®ã\öý™fÛµ‰t9¶¤V}îñ�ìÝØì¾Vᱸ¨Ô3Z(-ógWÎÃ	iÔ“g±Âî1µúnG¿Õi/Ö®aª\z6wH5VkÃÂXŒYgtýSH}vˆqé-ÂY/Dbø¼ýdyP8s
+$RÇÌvé…h'w$K´|†·í…§™;Y¸ñç?óg�›+HGÓðF~pQD=YwW´äL;v£ˆ§&Ì3p}OG_½¼¯2y¼¢@Õï·URåo<õ4"¶ÐþÁ€àþ2½öÝCI;¥ €)ª¤ÿéì¼Íµ¾ZnùˆÛ„œß�~‹øŒþ—¢@™ðÔ6!†%ÿKu9Èš¸ØA`ŸÊŒa¦	±¾!¿¯yÙ´FmîLRÂöqu8�.ó
‹j5Žó®Ö?ÍžÉÎÅ¿ïÅ4‡ôc…g96·¼oìŽ~¬ðBGÆY6-¹ª…M6õÐêY
Z`–ÄR:´t‰¡¼JÆB	ÂP™\µ�ÔäœöF-<u¯Âû]ÍÞ¨6ÆÚÚ”u0ÜôæN;q3ŒN³Pq]Øw�'�çjªóMõÜA0”‰R‡Àâ=ù
é.Ùèí'wÜÒÛD†äúŸu®ûÍ£\y6EGíŽC¾ô/èÆbIÝ72Š#ÜrnTözêñ k7Ó�b’Q|{wy™ÉsŠBd‰êqzðõåñ·D‹�,j1^U‰pðá—‚[v�žgVD#vR…ôz¤uí3íë œ¬ûvªÈ¤©³q.ÑA	øƒ„£Â«|Ìon<oÌa�J‚P4„¶@“
�bIðò)R!%|rÏOì6&Ö¡‡Í
+s–¬7ôäP"sÌœ9|p]\ÉlfÏ'ªv7K¶iÍÕ$¸Áî}S[ÜVK cب0D×”ê0Ø5ò«¤gitËZhg7ñí­¢•dÞÚÇ_ê¶~XD¦pô§Æ%
=Ñ*F꟱–⯹ߟþžª+ ýê»\~d+GÏ�¼%OÙU2ª©³g(÷|˜KÞ8åº~ý=M¿¨U�;µ
+ëAv4>ÂâÉb[&èëÛXåõ‡ R'䄉¥ü"Üñý"É)¥F{WqÜj³‡h!YNéðˆ~~ò"ÙÐ5Œ©»Xçà ‡‹-Ýxä%ñqÉ>ÿó1¹rP*#7
+¶²çìÞê’ñ¬Õ(àmÆÊÞš±	~µ�nH�
¤a0³•JT�½6‹’¾eËŒL£õ•ÃSóM <zÉÞ7B“Ü¿‡Ì�/ñd=£TªÂ÷!
Ö«7#�.lG‘e‚ª'6;?3n*Ì�ö{<^iÿyŸÇ5½ÆL
ž›4Ûã6P_††
+Ëȯúô$šü=Z¤ïs£öjïM ­�È"±óBc!¤d³£©Ëb”ű‰„g²@›€³y‹u
+¢ï
,Ý™Š£°ƒûüµ±ÒI‡c&”ü¼ün®'ñ°~ÅH¿ßýø ‡é+RúŸRû��#Ì»’ŒŒ[È1Z‚«„äî<úüEþ„þ'¢DEPˆ¨½|”‘s¼j#U(�»1é�·–½,ÝÓ4Ešç×ÜWŸuÓ‚S{:D¦àæ	}ª¯ÏB%Ö^‰$—Y–Œ8Ǹ	%³šc&h˜!ç¹ÙG£ÀŽ–+([;3ˆý¡ŸA`´ž°ç£G°øªlV˜SÞRÿS”W~V'¦—,É*ZÊÿ�ëH™­>FþrRZ§³¹™ª$@!È¿�Æf'%N¯Íqg'á4¤ÄÛeù+¡D
‚A¿x0J1»ôÖ©Cøp:©¡Ý69‡Ñr;�âš>ã|º‹Úˆ²;h“Ùé gÖÐŒíõÒ½Ó’iH)è¿iŸö&Iû RKÈÜ-‹Åx°VÅEc°ÖH·1ÁïX™hF¸íµnQtCç¬``*<L5f¾ž‹•3®h¥ÞÞÃI‡€Ú;¿ ñXú¡}JlZaÒÝO—˜‹�s1ä¥gH—Mî\åœàdH
+_„á}<É!‹à¨'…K^y‚ë:­C†j½Åê%½2šI‚£DÏ�µé¼H
+Å2ÑÈùðîì”í
êzTóM¥ŸýØc¶ªáq_Ø™
 endobj
-995 0 obj <<
+1050 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1935 0 R
-/BaseFont /GNUWIN+NimbusSanL-Regu
-/FontDescriptor 993 0 R
+/Widths 2098 0 R
+/BaseFont /ALHPJM+NimbusSanL-Regu
+/FontDescriptor 1048 0 R
 >> endobj
-993 0 obj <<
+1048 0 obj <<
 /Ascent 712
 /CapHeight 712
 /Descent -213
-/FontName /GNUWIN+NimbusSanL-Regu
+/FontName /ALHPJM+NimbusSanL-Regu
 /ItalicAngle 0
 /StemV 85
 /XHeight 523
 /FontBBox [-174 -285 1001 953]
 /Flags 4
-/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/eight/nine/semicolon/A/B/C/D/F/I/L/N/O/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 994 0 R
+/CharSet (/fi/quoteright/parenleft/parenright/comma/hyphen/period/zero/one/two/three/five/eight/nine/semicolon/A/B/C/D/F/I/L/N/O/P/R/S/T/U/Y/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/endash/emdash)
+/FontFile 1049 0 R
 >> endobj
-1935 0 obj
-[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 556 556 0 278 0 0 0 0 0 667 667 722 722 0 611 0 0 278 0 0 556 0 722 778 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 1000 ]
+2098 0 obj
+[500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 222 333 333 0 0 278 333 278 0 556 556 556 556 0 556 0 0 556 556 0 278 0 0 0 0 0 667 667 722 722 0 611 0 0 278 0 0 556 0 722 778 667 0 722 667 611 722 0 0 0 667 0 0 0 0 0 0 222 556 556 500 556 556 278 556 556 222 222 500 222 833 556 556 556 556 333 500 278 556 500 722 500 500 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 556 1000 ]
 endobj
-969 0 obj <<
+1024 0 obj <<
 /Length1 1624
 /Length2 8579
 /Length3 532
-/Length 9443      
-/Filter /FlateDecode
->>
-stream
-xÚíwePœë–.îîNCpwM‚»Üh ±†¦qw'H°à’àAîî48A“
-‹ß5á\�ãb�­Þsß]v”Ùv»I™»Ò@§Tþ/X¿â¯1µ³ï†p›•`géÇùžÍªn 	ñèín�ji›}ü�B=ÞÎE;»e
záQDÄpã‚`•^ÿ–¸¯Ž ¶èûSÊÁí
sßÐ×�þ®ä/;”ì¹oÑÅ=�°™bƒ\s)%Œt+|£^Ë
�àcš¤H�Ó¯øbD{ˆÂÓ®hå_ãO•Ñ8V§%Ål¢¾Æ3Ö`éT¤¼‚cØÄÍùÉDF͸
wvÎ%™îåH%ãc×ÊÎrYÓÀfhجØ
³_Ë7åCüUœB>þ¾o¤
²:ØÏ Ô÷¾î}'CL!Ôk‡»Pôë*/Ìò[!
­â‚Y?ËSR]¸
½ní΄Ê~ŜŽ#DiþqõÒ�i!�Oï
-ùÊaº5B
Osö;5¤²nÛ®”‡1?ß×!¶Õ¼Fä›`¾EïÎf%¥üÍNJ]Ë`|
ü^VÒ#5“Ù>U¶,lT*$A�6	/WÍo¿D)9A[ßÞE�»¯oOäÁçeˆbAÔ²²O,m£a’ «>+^¾1AU«Ôsi¦l›sÚ(,ÜØV¹ZùF§­#â=Õþ§‚[Fª½Ph7Æ�M&âCo#ù»¤ø²ù2y=�õ)êilºGôÙO=?-íw¡ë#Ž'a²—¥¦
4#¶š™5-+3>S¯áŒÌͱæEÆÛÚ?W«EAì/6sRI~ߟ¯òÒË
-g©ùX½—ÿˆN|)ãÆs"•AàÂøžÉ&?®}߳ݚÀG¦ãkx%cqµˆ*Ê„þs#Ñ öàH_líÛòþЭDò.SÍò2µ¸‚¶cô~r×Ý&¼¶aËnàbAˆëàö‘·hàm|¢MæHvsºhkõ«Õ‚%ÍÍsu¢©¤¡Ÿ“=l¤´É¡¾4Ë_œœÅ¨””Ò8n“9�1Vh½#àÛµ-ÞTöw?Y¢Ô§¾LÑÜõÐop+–¹?µ­ªEzƒïê'&é�µ'	´™öZ�2VõzIÁ¿Ò$¼yíîRÿ}�LÎáP<D°çœqAì%ÿ'…Ÿl¿Þ�wF'N,µ…¿Ï™—}å’cý)á)nc´qNhªlâ%eR=ZøvF"ãÆ|‡é�Ìsr
-ª:ÚÉú/Iâr·?UP›…Â…ÆŸv]NVûsm72ðVó›ÂÞIš*c1+³žrwS1&‰÷©�j¸·ÇšB—ëïÔÒ®K…ØŸ±ci7úRëY‹Õ¶GKÇ�TàÙ¼Á,L
ïTü© –B�7ÓFCÕýºPñòÐgûjœ­È6¢Ð3Ǥç+$سÁãäÖ½oИUFµfÌW·jæÇ5UrâŽ_•1ЙÈÓMm²OÁâË‚ÑN†~öò¯_¯³ö ió%O·­ŒKÐL°@D¼žºÕãöNº}lÚCèp�h¥ÑXÍw1çéJ2²¸ífþò'ÝÌ�p’ØA:ªöÉÀX�ræô{ïA{êg*PZ‡Yt¿ŽÝZ?ÙõúPÚ«p¸ýEªÇ¹þ©ðå˜ ]	dîôŒxf ^GQÞWFNsµÞý¶	
¬8uIÔ¢0Ÿ®µômºwʼn«¿jD‰ó>Š3”×/”})WCÄç^<"Ô¾±®ïÚáÆHýôbºY‘)ù O1€öúÊø½:†æ‡t�У+ÕÖ7v
-\F	P2ç´¢•ácƒÑ‹Ù‘…rò‹'ŽÔZOê�Þ£ÐËT5ù„–ämýÂÆ¡\ƒO¬nÎhY¯ÊT£˜(3‚'Iáq&ÝàL‹x¸8'`‹r›—¸]k�ãï²—8x¯ô6»ŠÝw‹®A3‘3hÉÂä'O,˜G9¹5j v@Í�¥×b*’ÅI
œOb?¬ÐÔP
M%gxWªIVÈ!ñhÅÒø['¯¼¿.:°ÅλÒ6ù€@š<.œ»M=b¢³G<Éžb©ÎV逖4–Hº·ïK¤ŒS»7àâĺq›™ª�””Óx`�Ð@[{ù®Hš€@8ÅïÏSAø²�ýäʲ½e#óòœ‡)P'dÖŒno¸”]`ú›Ð/ý»„ª6.˜²;NVßn81—hL°g/#³†õ½T5N•È&œ#kX�Ò·Z‰[¦ZO¦íVñ¨ÖŒ[ŸÓƒá~‰ò¼/×èa¶î^"’]d³¨ˆU?c«<œ)´ NGWŸÓJª"Z!ÉÜžo½¥I´¼½g:>:ªk{ˆëçÈ	Žœ}ÊÌbÒ¡}Åó~@ó±F|íƒ-˜(��2.°p{¶šIĨËq�
þ"AßEðI ý¼Ë¢oÒE±ã‡¢÷§Ðú0r¿¡þ�â°åÅKŒh—W‡ÃégäË�C²},7Øzíå¶[D“ð§Ý÷3ð­beÖz«ë{çòCŒⲯÍ-kÛÓ~µ‘ñQÔ;¹F׌~Z¯r[Ÿ¾ÖcOSô•Üše
 O4CwT(„¨]§kfž—zëd̹:E.g3G5Õ_üIA…nµ>Ĉe! ªÐ½×~sýücê{�?ê…s’.âÈÑ¢8é+û3FX©wvÝ*—n~	,!PÁzc³ÐMÕÁ—=®“@
®±&Ó/C¦ì>š�#ö¥X÷Þ•ß|/"rÈÏÞJð‚WXhÕö13/¾¼v"sõ]8«{¢5¬•n/ÁîÄÌÖZñÛÕêÇDßõÓ'R
-­)ýHF	º6Y~Ûé»n{0òiSÖ^q _±ð¦ÀO¦îEþ‘”8¢±7_'š-CØ¢bùu]<ÉeA$o4�¬ÒÌ)¦hÔ?úõt’†:öª^m™]IçoÅÙY�?¿î(g‡$
ÀOÆs[ìKÍ÷\!�xóI‘s/}©¥¸{•Äb’Ó½ä>‘b;’|†_};ËÈá—´nT
-ƒPÒ€m\ûVO~LDiåÍå¿Làæñº[{Ú2ÛÊ«ÃÔM–�7P)‘�uJl¹!{øXq£‚ʵ3f+ò¢,˲�“§eg·î+lê
šÂãEfqrqv±ç|ý{�EMË
5ƒ,IËrévÅä›ß‘¿öoX�H°íxBâ‚Æð’ESyŠˆ»O‰Ú0r¨Ð¾/�é¹Kš9+¶“Ò/J½[Snø¸›°F]Sç?…)Vž�›r3WKn'Â�S¢Bp?o‰ËÅ„¶DkŸxͦ;é›!dœ\Ø)ª+þ�AáÓý¼�+I§…Ÿ Â1/ÒØO±}¦L�hoañf¢yÉYnÙó7XîÙu®DBÈ_ÞI‰^nù¤úóÓÝ2«�Áé
-hãÓ‡¦øªB“ÞÉ�,
-M…ߎ9_³œü§Ó©7\y9Làbf
Lý”Bãôžå˦fð(iÚB5ö±¬r/Ö@¦•
-/ôÙ°úQw�.#EœêhüYУ„%UÛ96‘iYÆ·ŒÌï\]”¬®)”ÏâõŽê£p¯ª, ¹ESIªfs èLü„Ü#€˜ð�5õ
|ºóX�ŠÜ´Ñ;1*ýó$]˜o4^|œÖarAG–´@îõ´\ph®«`�­
-ãDáð£ìÆU¦1*]	ÓýQ„dl¯}ߨ¨7(cKqÞ9–ã¨[k�wOŽÌ|ö$·¨íŸí«æ|sŠR¿
-�ÞgÔ h¥%Ñî›!«RèPêé]å’qh”ö$Õk<©6–ìùŒ“=Ý°ãs8Ëqçsïï>®ê
še{Þ1#ìgŠ²8egç~¤’+J˜gÑ“¯©�²j>�-Z’µ×v�i™4/CTÊ´Š]±‡|ë‰
-)¯…=ղŻ†â	&И2Ù‘)„j‘^êK¡„4
-uHöó¾¤Ç|X(ÂÎiá—0åÁ¯ýîׇ%ɸìÚƒ]~2¦ˆ8­¢3¤PBþã^äK,l<0�‰”¡ÄºwRÃÃRù‰Ú—ÉÂ	I³OFAãÃI•�B„íŒ	Lõ¾
b­*ÒW{pͦa¦öùŸÙÞâdW-Ë'ŸÜH£û´Í`7$^¤©W‘8�z.êЋü;*Ö&>0A̼I™µØú‘‚ø3àU$NõŽoíeá—·©E¥¥Ë°‹c¸3¦)fõwÖ.=£5f–MmB]7{¾ùP5/‚–Žè';n¬·ÍýòøŽ—D¤ë"‚ÙV+Œ)r‹U˜5ZV
%En‰y\kºsóL£¸;s2¹c:ÅeCÜ�ñ—D³Ùyò뵊²:ä¹iKg(Ç3æxb6^<§a’
êÂ¥\9$Ä>Ša(Íâä£mˆ#ô}ˆµ˜±®uS%aéA²çÉF<ôÄt0côz¸
ô(é²Oè=wÈF£>yN¬F0‚®w9¹ê	Ñ!ŒüâUȲ­Áô7ø÷ó\â‡[äÝ,—PÞ\]Qé÷·¨ÈŽëªxŠ¢é‘t¾£ã‰£ò;:�2öø²x‹�{e@
-ø6Uu^˜ç|�:¥ÔËíäð%X8ä—@Ö�ONÙ™¿°
-S
Ò±H�]^åí?ÒS”:j>ù^±$•MËÔ°Ö~�¨ù®Ó›¨òëŠÖhé¸Zêî @­!5“Ößꦶüþyö{¶=êÇ{§	9¶$â[Ùo„5òѨÛç³-ïoGóù/.	ÈR+¿”Ûû²W}˜x÷�aî¶bK‚+52gõK䯰’Oß󅤧d0ð¨3”âK9ìºXÃø¹Ê'=ñÜdÇY–µBø
Üc‰­’Þ�RNªzcÐØ2•¼eཙüœ/ŒB+‚YK°>]3çÚàÔô‰é(±œÌ×
üq]ÔÒ•h»¦éyù>¬oG{åM\4Ù™§©	ÌÔîå«îTäfo¢d¥SʆuÓµ‘´F”T�/¤*ÜÄ"Úé‚&‘v”gHæ�ÅBY+*z âÛ“kȺªñŒ¯W¾q ¶Nr1=æÁ{F³N·>©)‡kêøW}À{×.¬´;UBòœ•$‡3/ï�twG¤òt$qËoGćâ·éçë][
-‘mv¿`€÷˜¶”¬d檥—ˆT®•¨U~Ì:¼dLTФo*`›ð=Csì„	:Ó‚$G£C‹*zÒÛüªˆ�ÇzY]R?Ž§iÊ­6&ldr¹á}Ö¢�ç2D’©cŽ–RŽ½4õ1@@Üzå©jF
¿Ê%™RQݤóvš•7Vi4(Á¦�¿ o-ÎË C�
-È<S
-ò`]Ÿš¶ü]c”¡S½‰Be­])Àžm''Îk¨%æ:™F•øô3Ñ‹*UÃzçF¬›�0Þ‡ÉůÐæÎ"³‡l„nû³OÚëV”<ûÇtJr!˜ò&b,Ê\Ø°–=“QXåâã�ÓÄQ(ãÌ0½ŸÀ‚5®&ÉáÁcLçÏWá]¾N”jŠ¢Ñ¯+#„‘J¡š¸FÐüÙÌàþ	jîòCYLƒ�5”h"‹ThîÖå
-Ɉ¦/�Ž5C]K‚š¾&ÆëZ~c‰ŒÑÎ Œ/«ÙyE <Yô$ÔÿMðúÿPhÉñ"¢–O߀KvÅ
	†
MQ…¢f`�÷væú±BÝ#NA»é`7aÌý钲Ɣ K•{=‚0ê]=	v…;ŽT³wz{b×ôqÑ	™‚NûbîE?Z½ ‚˸¯ƒÉ˜2\qÄ‘ž2_ŸhÀ(7„÷7Æçm
-÷ÅžA>Œ./–ûš¡�`¥ßV¬åÅù=uë�sôŠæò‚~ÃñQß‹?{Ù*.z{ö­`!ŒOÍžE¡â‹ù'™Ï<LõêoŠz–»lfvùt®ï¶6•�@!	éÚñ´}›¾z8õpƧ¤˜<|Ø¡
-c.8=ƒ¹-ýؽ`硈‚Œ/>mQ5%ä,fÝOýjïøÖî—_e^Š¬
-ÒÆ°9QðÙsý‚v�9êÎu12g‰j=I^Û¸å<¦¶±q;~?”,
-:Ö¯}‰÷v,}çx>¯‡j+’¼ ¨XRÔi q8;­‘½–„¿¬Ÿ6mF\©%šÆžéƒàÉÒ�i?6‡/9ÒiHö^Å’ÕÃ&y{&Ìe$66Úr‘oMí’ÉÉ*Ëû†±	õR¡ð•Á¯k7Î[ì…$"+•zSàCz¥ØöUP‹µ;«3ËP:1Ž�.ÿ
Û{‘q.ŸI´¬o^Ã{ßH¼÷ê£LMëV¢Z@eð»¾Ô•w^6'þƒ¼¾
-ˆÒ�—³AÕ÷Üì4*‡
ËGFO„’P°Áñd‡�œ¾×vu¼v£¬}  J6J(c�8'Nj×mÕ‰kݸBgdî?PPÐuȈŒG/ýTø›!ž|¹$dKX]ò6ÃÑb~þÝäÄðå²W/]\î¢ã¸;cùb•zÿÔ�9¿ßÊÍ^Ð`ö¶¨«QíÛ$
ÂÐ2Òn«Ã­+³Çø/Bîr/–YÖmí‘×…¯ñ™I"Wâ}-è¨>¢×6n#°Öӧ˿ÏT‹YeFÚ@ìT‰¨Ç¶&TGŒN·p/SòÖŽgzaN»zµú8#Xáü=ö6Œ¬ªˆ§)xû#YÄ)´9pÍd™"üF‚š¯€ÉŽ÷Ó±ü—j" F!m:™­•0./1S¿À
þ4×<¼ý@(°tÈ£^ž<bâfvßf£ZÏùÌ6�G%2À1-øu"
gŸü55KS½©¥ÛX'ó”±ÜIlÛbßÖ.’Vð*£Ð´Ëk,nñIl�ìØî­ƒ|4xn¸·"‹p,€˜,©VÞFôkÍ÷™Ÿ0¦ûÛ~ĵ·_"muFÛF�,V¬+×)ö³1|¡n”"Ü3÷QÑjªßõ…°^rÚŠ
.áÓ®ÓÅY¹YD§HÚ
-ćPí�ˆb}Õö#çù_~0þ?ÁÿVŽ  qB0þa
*endstream
+/Length 9445      
+/Filter /FlateDecode
+>>
+stream
+xÚíwePœë–.Npwkîî	îNpo �Fº¡iÜ‚	\Ü!Áîî4¸CÈ�½ï™3uîüš9¿nÝ®ê®ï]ÏZÏÒw}ÕLôÚ¯¸dl¡Ö E(ÎÅÇÍ+лX{¸k@!ê\²Pg[-kg0à	Âdb’ƒ�€p0"„ƒÄ
† [€<ÈÀÏàÃdÈA]}``{8€U_×��ƒƒóŸ’?*
+ÿ†‡;bÿÏ8
0�=fërw¢yâþS�æ	ø/Ù]]�}þ²†þ¥õŸ1€áî g;nL>þ'Ÿ6ð'ßö`&ÏŸaQ�ØA
|¼Ëm=\ÿ�y‚`ˆõÏÌ°=
´…Bœ}
+«_5Ü�câ�->³ß]¶UÙwºH�Y:Ó@'Ô
ÏÙ¾¬2·‰pì„òX”àdÆù�Ψ¯£˜óìlŽèèZ|ø…F3Ö&
+�qh<ë/=íq|ÜÞ>“f¾WV “Ž�]m(;ÍeJ[<ÃaÃlœùb\¾¡ æúžè×}#-�#ÈÉq©¾çeÏ[9Já¼ù¢_¸ØWaøáÖß
+ié”ç-ÚX'ÕE1xãÕ^r%LSõ)çœ+眛 Ë
+<Hh–~H{
úýÖ¨�¿®_#ø{Öq»†ŒRÞ}Ë�êàáõ�wuÈ­5/�‘ùfXo0º²ÙȨ~q�ÑÔ2š^¿—•tËLg¶M–-‰—
+K1<›@T¨p\¤’‹¤«oë¤Á‰Ý3´Ž'öä÷6Ƶ"n^Þ#‘µÓ‰4K�ל‘�(_§.‹Ué¾°PµÏ9iil­\	«|¥Wñ¬=ò7>õÞÇÂ[&Zêy#ƒ0Xæ�]&òCO#ÅÛ¤ø²¹2E�í	úIlºgÌéÝ·akÃÎÇáòû¥Næ
´ÃöÚ™5ÍËÓV¾“/M,-±çDÇZÛ>Wk˜DCÏ7rRIÝŸ’¬ð1È‹diøÚ¿Sü€Ar%çÎ{*“AèÊôŽÙ.… ®mÏ«Í–ÐW®ýkD-ca¥ˆ:ÚŒás#ñ€îÀpolí›ò¾°ÍDŠNsíò2�¸‚Ö#Œe

+·�&üÖ!Bë}àBA¨ÛÀΡ�XÐm|¢]æpvKºXKõ‹•‚Eí�3MâɤáÝìdtÉa~´K_\ â4HÎý**iœ·É\Ìe:ŸHÄ6]«W•}]¿­ÑêS%S´w<
Ü‹åîOìkkQ^¸ù‹Kû`ïJí¦¼W&MÕ½%)–›D6Bc<\ë¿ï’+8H„
+uŸ1Í‹K
+|TúÁ.øó-x{dœñØZWäû¬eÙ—n¶R^v&ëgD& Ê&>2P&õ£±•_aG*Þëýï°`�eNNAU{yßÅi\îÓÇê#‹0x�ðØï†×c¥•¾\ûõL$ü•ü¦ð·ÒæªØ,ªl'<]ÔLI½à†ž­Ñ¦°¥ú_Ûµtk2aÁŽ§ØÚC�~4¶âµm1²¯I+ðí^a¤Ft(†VPÉ Ç[è>C×ÿ:_!yà»uµÎVfVúôz–ÙÀOX¨{�ëµW°{מQcVõª)ÝŠ…?÷dɱ8~EÎHo<O?µÉ1Q›?N7öÙ; ~­Î6Ä“´Õ�"ݾ2.A;Á
+ùzòÖ€Ç'éö±i©Ým¼…Vk%ßÕ’·3ÉÄ궋åË+Üt¢	'ÙèÚßF¦TÓ'ß{öÛR?SƒÒÚ-búpVûȯ×Ó^D .P?ÎöMF,½Ö—BåIψWc
â·å}eâ²ÔèÙ7lÄŽÓ$•F/
+Wòí\Mߢ[œ¸ò³FŒ$¯áƒc9Iý|Ù—r
d	ž…C"ÝÛúÎmÌÔ�ϧ>)3'ï÷*Ò]_™¾ÓÄÔ~Ÿ®vx¥ÞòÊ¡
+wøvÄ�ü¸61vø'6çlò=n¡íˆc–¾Å[확;ýQ3Z¦Á„äô™Ò+~Yq"§÷p1_—Ï<!Õí;âæ§né©	6×ÞË!ôÝ*?Ö‚/Ø\ò`r*ËšúÑtØ´Yó&×NŸ·d0êë„«�’k{%Ø!£ÖŒ¯ª=�~
s‹úŒÍc|Ÿóç}¶wý>.pÔáò[ ¥`«Ë„‰ä9“2Cƒ‘i‡“žÆáWö.—6Æ™ÖE(}Ruã̱«˜10Ë
_S0-ÏkH“¢JéG³ÂÌV³ßz/gѺÇ;Öö#ejö¨0Øt5¤^yE½mqÝ(X q(Ú2”*n#œ³tWtV¡èžã`Yõ±Á±º l/W¢Ù©kü:e·´\úö†K+=à7éë¥ý7§B´ÌY�UÄØŒbTáœü"¡		o�–ãú£ùwhrU
‡¾á%y›?qp©V«?e4¯UeiPŽ—YFüF$Má…�­s¥E>œŸ²G»ˆÏIÝ®6‰"t:Jí¿Sy“]Åá·Iß �ȼhåiÖ�'«šÜ�Ý_Û¯
Abí±šŒbuQç“:)õ
+ýL?ë´ê�pUn¿TöùVnEÁê?Ø×_¾´p�ãúâ`(ý”b	z@¾‡ínüºSw©õÙ,"ÃeçÝ4b‹x™-R†ÁÊÚî™â “”„üKKëšÄ¶´Ÿ­äü”Fõ.Ÿ1´c~¯U¹¯M]p¤)ûIoΰ2$Z`8+B5®Óµ³ÎJ}ô²?ä\� –³[¢›.ü ¤Æ°Yd¶SêZDh»¹áYºœü€~IÒG>\� {áxÊ/õÉ®[ávÅË/¡‡')Ù®oº«;ùqÄuj 4Ö„bùàgÈ•ÝçOñsÆJŠwí^ùÏõ £†þè©ÿj/(x�ý¬Úñõôó//]ÈÝÅüæOë~Ó×ʶ•àt`e/ûïè
ãûcOû)…WU/“Ñ‚¯Í–Þ´Gù­ÙïÜ�wTîÏW.¼)ð—«{žÿE4%ŽxôÕ×ñO‰Ö¡ìѱüBú®^?² Ò7Ú‡6i–”“´šü»;ÈÂœ{Ô¯6-®dó7
+DŽãlÀŸ_¶—s@“Mú§„ây¬ödæº/ŠP‡}øe(x¿ÔR^�¾ŠÎæ
+5ËéZôO±N>%¨ˆ¹�aâôOZ3)€å}íÖN¤§fQrÍ›d²~©d›Ã«°]µmä_—–õo‡öé´6š·§¯t`0ˆ'¬bXšz˜g­âA;Ìƺ‡:ÄŽ/0´³’YÍ“Ó^O¬œ.~èÿé“1 m«ð(¦Ìÿ#~+ÿÄ@è…†–1‡¬üþÖZš‡ÑÏMŽc…#ë,�…põ«—½ãQ›q„~ݶDwRÉ�­±­ðç}ˆãê�ЀlqâÂmƒéN¡òºât�»ÉÒy•qÝGŽó©6ƒïXd,7DýiF}/JáP*Z°ýƒ[ïÊñåx´NÞl¾d¯÷ÝêèïM‹Í¼:,ýdÅx#µÅøÇ—ÄæÂч7jèÜÛÓáöâ¡Ï˲¬¸x›·wê¾Â'_=Sz<Ï,NîË!É.öš«çY¢¬-j=-¨¦a”%m].'Û¦œ|ó+êçÞ
Û!)Žoh\ð(~r£hc*o±q×	q+fõ³ïóäÒå62†™·«ª
vVij^×Lb‰—'ä¦ÜÌÖR8ˆ
+à–¨ÞÏÙCãr±`Í1º'�Þ3©$.GæEHÇçʚʗrhüúŸ·Òb¥éuž!&¨qΉ6öQn�ªÒ$:ZC}˜i%¹Ê­»ßàÅË]¡;�J¤ü¥íÄáÈ¡¥æ�ê?^0ß-±9�,ƒÖ?¾oŠ¯*4ë™XÏ¢ÔVúåœó5Ë%`*�fÝ��Óáõ€¹�Jx¬ŸÁ«|ÉÜ-MW¸Æ1–Máù*ȼRé¹!;vúŽËE”¨Km
+ÓD‘ˆy“ìÆæQj})ó½¤dï=¿èèWh£‹q>9Öžc蛫�w¿�YøIoÇÑÛ>;V;Íúå¥~$»Ï¨AÒIK(¢Û³@Õ0¦Ô£20¸Ê
)$çÔ*í>Lª×5z(Ro,ÙõÝ#ÿ}Ã�Â	QàÉçÙÛy\1°Èöºc.FÚËcuÉÎÎý D­P”0Çj XS;ióé,¶hqPÞQ×I®y²Y%Ó&tÅú­;ôþþ ¹„ÙsQdÐ+-\yª×¹L&¯Ÿc݇)ùÈ69ëzTê|øÚÞo–ÖÕwÙ�Y\9C
+¹oú•ÿ™„WÀ ßóÇÓ�NV]UÅw¥Uf]F�}å'Æ~’Ò›X�œ#Ëçž¾cvB¯W/¤™�iÐÂò:Èû°?¥Zï³ÚÜt!r¨±w(P¶¨^á	ô	Û}3e/¹N \J¡ñ¢ufý\˜‘ãLT(�1„™YÍdãºIé;o¤äú9oÒ>ÒçMªá8rCŒuÁÀ߉DL6¦ëÕŸ¦D¹í�[v¿8½£ÉICxY'ž%¸�)4ãl¤Ã!þ"2J)/E¼4²%º㉜Ɵ1gr P
+×¢<Ð;’Am
+b&c,±í™Ðò´6@ýMãÇlå‚¢Ý+§¤õþŠ´JX)Ò~Ú®~_òŒ`|µ*ÊOw`à™]ÃtíÓ?³Ý…‰ÎZÖ�z¾xï¥<QFöè>�ÝQøP&_DFáî?¸jÂÎóï¨Ùšø•À„¯çäHËlÅוäÀŸ
/¢p«·ýj/
+¿¼I-*-]‚×X![0O²h¾µuí©±°njî¼Ùõˇix6·ÇüvàÁ~ó©O‘�Àù‚˜lMT(Ûf™)Ea¡
+«f\‡Ð¦¡$ƒ±È=Ñ3�{UvŽyo{VîÏë	ù P`üñŒT¶Ve¤âZ­²<§EnÚâ)ÚQû´%¾ ¦¸�7ïI¸tƒæ¹H)w)I¿¯r8Ú'‰uŠ‘VäaÊ^äZ¬Øy·ºÉ’ðô`ù³d^z¸)Æ6Â:F´lÙGNŒî;T“Aß<68açÛœ\Í„˜P&
-‰*Tù–†‚û9n‰ƒMŠ.Ö_®¾˜ì»[tTç5u|e±ô(z¿‘1­ÄE¤m½9FGyü…Çݲýu %b«º&Ü“k®[“Jf—õvbè,úS0ëò£KvæOìÂT€l,Jc§wyÛezŠJ{ÍG¿+Ö¤²)¹¶Ú¯ã5ßõzÕ~^Ñ™,UËÜíj4¤fÒØÜÔ–Ÿ"^£Î|ÏvDÿpï2®ÀžDrng/ÿ�¨F1}ël†±ùÝ/àíÀÈ/þ€%À!yjå—rG?v’ŠÁ÷ão¿1ÎÞVlJq§FÅã®|‰ú^òñ{¾°ì¤&>M†J|)§C'[¸@wÑ„¾»üë’N¨€‘ÇA,‰MÒ[PÊqu RÏëgìN™*>rˆÞÌþ�s“°Š¶ì�×,¹v¸5½âz*¬Çsu€yÂ
+wñÈ6úà	”mÕé²ÂþYTñ0¶ŠŠn˜ÄVûÄ*ª¾“z<ÓËåoœÈ-ÜÌ�€9ð®Éü̸˭ojÊÁª&ÁU/ðޭ목;íN�ˆ"ç}%éÁ´ä}£‹>òΰLžž4^ùÂí°Ä`üÃ\½[s!ªÝÎLð.ó¦Š�Ülµò"±Úu�
+�Ú匓$S¢’ 6CS
ûT ßé3çDIЩ49VTÑ�Þê_Eb:ÚÃæšúa,M[a¥1a=“Ûÿ³6]<·1Š\KŒŒjì…¹¯ònð/uÄn锊ê&½7Slx±*#Á	ÆxpC‚yC[	>F=ÂT@Dæ©F ¨j`ŒT-Fbj×t0ÿJ"Ã.c0@mY{PJ 5¤Ì'¶WŠô(æ
+w:©ÿrŠ®­|¢©Â¸¦z�$:�S÷5ýe!�Óné³úÇÈ‚®¥kîciqç`“&"Œ»ñ¯[’¿Â
+Þ^aæ’�W~Þ¸‡ï¼¾L¥�	[þ¼RB ¶¸¦ÓP?¸O/Kch™iÆìɶ69eý«Æñ0C¯z�ÚV»\€3ÓF6F’×PK(Â}<….õñG¢7uª–íö�x?Q:¢/³«¡Ý�Uf7ù0ýÖgß´—-hyŽ�éT¤ÂpÕ
äX´Ùð!Gf“$~°Úù‡A—ñÃ0¦é!Áy[<mÒƒýÇ×?^Dtú¹Pi(‹Å¼¬ŒfB)…iã™Àòfr°.Á}ã4<åòXFj¨ž‰.<P?ó°-—RJF6Žr¤•ææ\’è¬ìÔô51^ßúkÔkÝ¢ø²ÊáuÑ„ªE¿…û¾	]+9Z@ÖñííwÍ®¸!Å4¢mee&®PÖªñÙÊ\;ÒAª{Ä-h'æ!z}²¨ª5)äZ呆π$‚~WÏOLŠSá�+óÉ'½-±sꨙø˜\I¯m!÷�²ïY½�’똟“Ù¨*Bqä¡�*¯¨ß$7”ïæç]J�…î
%~ÌNoÖûšÁþ•_6låÅùÝukA³Ê–‚ŠBûþCñÑß‹?{šØ+/øxõš/c#�MÎE
¢ˆ$YN?Œönˆy•»ndvúv¬í´4•
à	éºñt½~¸õ¦'dFX¼ü8a
+É]g¤ÌÒìÃ<¥)7‚�Ñì¦aìnd0² ã‹ï»¡.{tm)«�ÿÚ;�ðÅû¥™¢ËÀOû&*‘8$�nÎ
¢7ï A
+/TÍ®vi�6Ð9¸Í>4â�|ßï½@G_C
)$œôÀÁ¡S霿<+sK…¦–s5KÃóøêÄ寶Pþ}JýHgëeC÷ÁUf2‹�ïU¦�(^9g­5Þ’‡®?�¯¸ËÎïPrtAFžÕŸþzo…‡“Œ:¾æ$žýf¾ÙéÝ›S”¦]¾‘õÉŒ·‡¶3­×žÂBR­Ì]þ
+诮ñqÂmdàÔ`7nƒ¨RWºÓE[œ–™Ù6‘9¶?`ƒ=p®ç3Lã,oئDLß÷˜¯ÙTýŽ§Ý¯eW‘öîònQÆ—a)ähF%ö¤5ÙÍqXÒÜâD�ÍPá±S)ô|ÒÞôÔŽUYïÃÛ›ær¬f~0?rén#º«�mH¼Ÿú„Âl#¦u¬…85ˆ#FìEeU§¼¹Ô_k<ÿ
k¦°ÙbA%R7@"ÿÔ÷»Â2aë}ñó±
Í„½![/©¬‡D�pÙn/Éo	´=ý!"o×Ï¢ðœoâ}Nó’Ïúýk'´$ó ’�;ŠTÅã�8æWÌuTš+Èó
+^õ,mÝ>µsªÇÍó�Q™“™:…&ÚÞ0Å(ÛHj…`ÌðSòèí$¬=Ý3UÊõú”ûµ̒yæMŸ"¦*lÊKÓã)¯ý¼ð^lØb$vÖˆ�H0癥l{<
+�ø_Ê'Œ.ÌGöª‹é–Q}é•.t(f2‰ûj�éŲ¼[Õ
+§m#dì^Àz#ÎHc3ŒÕA›Þ@�4ýÆaù ÃM¸gGs´+l®ºhXÉ¿N5ÙbHË5toï<Ÿ¶¤UxÑ£(½¶§b^j
+Ûó–ÊŠEVÛ*l‘(¯;Ä¢føqOóÊE½WÇçT(ÝkEfAó¼žýÂ
+rW²tˆjêÏé
+¼õ¥¦Ø[?°qI„Kõ⬟5~•)ž¢7Stû�Œ•_ÑባûŒÒO�Lû-ˆè•ÕóåÉú¹@¡dÉE’]_VJDù»ýõW……¿].²dt~ˆ˜ˆ ëM„í[z:ð1¼meãðÎW
&If°
ânË5èŒqJ ùHçq$?HÒàºN÷œ³ÄtÉÕ¶øhÎ=ø�i2Ó1\‡>ÆQ�ºO€Iep3ó¡5_€lª§~—å�6í×ðnþ4Ã�
;h·M±VH½r4­ÊvV & ¯Ž¼ ml߇K�€#×?xÇ”³îL3sÆ™¸Ö‹ô¥�{Îcj+;�ó÷ˆ™�¢à#ÃZIü7£aÛG+ˆñøÝÔ›QEíÀ’¢#­ƒ™)­ìÕ¼`¤øÍíø´)’J±4ŽL_$/Ö.,ÇÑYéácòwjÖlžvÉ[ÓáþhÉðþð‘æó|[×L.6y¾WLMèJÕ€¯ŒþØ;©>âÏ
 ‘Y‰è4‚ïÓ+Å·®‚›m=Ø”°YXÓIp}å°ñ	YÙ߉ŽqûN<Ëúæ=´û�Ôg·>ÚܼŽq9ºT†¸ÃèGSyçm÷p0ðÞû[  ‡s‰³3Éî%ø¥/ÝðúµnAi•wÖ,[é5SõˆcÜÕ°Öº×èÏÕÇFÍ,Œ;nòAï-´´€Ä߬ug�¬À!ˆ <*’Ïã´ñ—Ü›£D•îÔO/
ý-?*¹Ww×%sUc‚ö6�a	u¤´ƒ·¶ªVq«ù|4F;2¤
¬«šßh1Î2éj˜ô÷8æºÚÀ¤¨Ä•½š:q‘—
8roBÎJìÞÉK<<æÓ?6tð4)=Oö¹nÝúy33ç4ç«"s_ʯrXZœ´¿�":¿y€Ø`eóúþèÇi™f*õÀdP[SÚ^D$24³ªSpÙçr«u	+¯X£ð\½àá)™—�Úùìû.¹ò‰¬vY·S‹È¸w´þÓÄœŸ£ãì/âìœb†Î#aÂ]ôG1ë-ñÒ8;iµ�¡ø	LÃ,c¥&]#¨£V¥¨wʈտ™f_ŒWi—²]Šã—â¬3—ÄGBßèòQB]Pö½!FUßs³Ó¨�ú­™¼‘JÂÀFGíÂ
+†Þ[Õñº�òŽABjÙhaLMô\¸©�·UÇ2lucJQ¹ô@!5@ç
;*>ƒìïâ _\Hñà‹Ea{¢ê’7ÎV[ˆso'Ƈ.–¼{èãrœÇ<˜Ê¢©5û&/gý©~ò†…p´F7Û,‹™éÞ&	ƒ–PvZœÆé<ÙX<Ç~ÚñDRx›±Î°mé¿,œÏxIÀBµüïgE/Hý
£öÓçVB[�1úüû¼
�×+,(ëÈj‘õ8¶DšÈ1éV%á*>ºÑÌÏ-ÉbW®V§…* ßcoÃÉ«Šx›B¶>�GžÀ>­š-QFÜHÑÃâ•°8ð8—ÿTO¼VJ›Jfo!ŠËKÌ4,pB@<ɵŒhÛ*ô¬W¤ˆ¿™Ù³[¯6€œÚ§óªE:§…¼L¤åê•B¼¦aíe®7·víÀe™4U8Žm]èÝÜA±ÁYažr}‰Í#1�ã™Ûµ*j”ÿÑŒá�è+àu–L_#Ƶö»Ìñ�˜S}­�—qmm(›1öÑÃkªuÊ}$ìL„_h�H÷,½ÔtÚšw½á�lœADöâ‹Ctkôq¶ÁîV1)Òö" Ô»gFbØ_
p(xÿ—ÌÿOðÿ��3ƒC]€0'Ìÿ
 endobj
-970 0 obj <<
+1025 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 35
 /LastChar 122
-/Widths 1936 0 R
-/BaseFont /FEIHRQ+NimbusMonL-BoldObli
-/FontDescriptor 968 0 R
+/Widths 2099 0 R
+/BaseFont /EETKYY+NimbusMonL-BoldObli
+/FontDescriptor 1023 0 R
 >> endobj
-968 0 obj <<
+1023 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /FEIHRQ+NimbusMonL-BoldObli
+/FontName /EETKYY+NimbusMonL-BoldObli
 /ItalicAngle -12
 /StemV 103
 /XHeight 439
 /FontBBox [-61 -278 840 871]
 /Flags 4
 /CharSet (/numbersign/hyphen/period/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/r/s/t/u/v/w/x/y/z)
-/FontFile 969 0 R
+/FontFile 1024 0 R
 >> endobj
-1936 0 obj
+2099 0 obj
 [600 0 0 0 0 0 0 0 0 0 600 600 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 ]
 endobj
-961 0 obj <<
+1016 0 obj <<
 /Length1 1630
-/Length2 10420
+/Length2 10814
 /Length3 532
-/Length 11287     
-/Filter /FlateDecode
->>
-stream
-xÚíteTœí’-îîNÜ%¸{‚»k
4ÒXãîîÜ� Áƒ÷
-t
-rvuzñp|Á^ÈÔ�Ü n–®`g(à%«º¬üßuBm�Ð?¹ÝÀ/0ÀÉúÅÓÊÉÒýOKa/4/(†¸
  /èŸ\ €ØÍÙ
èý’û…ÌÙüWîn`ˆÍ?+`¸‚l€®V 7·šî?·óÏ>
ÿ¥{ ³³ƒ÷_ÑNyýg
`¨ÈÁš�›ç%§%ô%·
‚ÆùgX ÖN
-:‚¼ÿ›ÀuÔý]ìðý+¬
-äê
-°|טHØ…Óƒ×PrxÄ�ºsÍ8862<ÔsŽØ÷�œ5?•^Ä
“!6È%Ÿ\ÂP§Æ7šuîÃ.uB_J
?ÏúTþ.=Œh28s¾ºPÃQGû‚? +ß/WI
-;‚Ÿ­û¬’»SU*rUO(|ðþï~«m¯ÿÊk�ûõ”ódS
ê܉5I&Ù‘­J
z &WÒpŸø
ºÇÿÈ+�cr¾Mo»À8„<¶o˜:b;ö!ÖöãUÿá UìœÓÞ7=ïQ”|ôh‡Š�xÓaŸœS…~v¢Ñ>ɼ{,O뢹Ž‡D¯ÈõM·*_Ö}¢õ$&ˆ\¤h…*Úe�[gÈ}üæ#K'ÙY•§Ì¾©l•+‚â‹ãº�<WŸ^ð}ÕÍsÖŒ^0L�ùª©f'T
-Ý2<Y±A‡nÉã§fHç·Pòè=Þ¯%˜)2w¥³3›ôh®™¿[÷%u9Ž&â>I›"¨8®¢iñH]® .â³IgË$ ÌÞìè¨Á±•Ìˆ×3F$èóþ±:ˆžGÚ¹,nÖû¹4‹Šx9€Š?Í‚ÉH}½áwskŒ$Ê=�ü1ïfòw…�¸…3
-#®Ð‚K½!ß…—-ÿ—Z³.•ˆzdÉ~ÖÓ�0&·fžïMQ_ò‘½{JM¹]ÁÚ7bþ~”Á.«sB4g
-Ë“›V2báJÄíŽÃá4k£„kܽx:exÆ墖¤ß>$æ¥×¾ÿž³gѲC‘6)õ
|{ýn÷ô~ú®��áë”$%žEw­¿‚áLxÒÊ�<¿¨7åAð�£?Œy¶\«Ì´³qwß}¼}¼Ziév�63;íªÔWc~ûô Dqz˜´ˆ
ÏrÔ´N²¥Šêsßa)QØ
-Æ=�Ûw…gúѺà6"€«ØXiø-ðgE:
-A["Ïb—�#='%}BY4óK`5·GßmD.•ÿarI/iT,Þ,[Z©}k“^M"‡'*øÆðú�åŠQòП_ÕWf/O¨úO^;zåô5¡qž.,Ù)úm—#É;=ØÜKIé·…s¯Æ‚w7ÍÙ€IÍ�­ÂÊ÷;ØÅ~žÒ³×Ÿ}b¿P`žÚUÅÑ	Ú,?œP<%F}v«ik>6Í’D¬Ÿ‰ÿåÄݨé<pOÇ•¢j7†>ì§CœˆÁy֓Ŭî’kŽÇbÌ=s´½w-+çùÚâ:
7{\h#¦Ú`¬ç¿4©��‰Ñµ�ê^�ÿ±×ï½Xøw¾l~ÉwÃüË|[DxÚóªZ7�¥ÇÍO©ì©zí¨ŸjVVcÈ-XÐõ‘Ê•ÓõL…X5=€švÔ9qZA]·àÇùR„!�¯ç'ø›“dYªõöÑà‰¶[$uÅz³-.*óÃ2”XmÍÙSÎ~" lœÂƃXfÎ%C킲!¤æ³åQv_EŒar¬é'µòSÙ®.ÜÁ±üZqž2óã¹»qÍÝò±aT‡Ëï[3íížBÙ1Õì*{<£Í´q.‹êŒÉ`jÛ�P’õ
R°¦Çk‰UK+ú�Ó@pWjaÝVçoC×õ:„÷-dr¬M³
-…š)ZP~§‘²GÆw¶:è6‹%ïHkxš*òšç$z¥‚²'Ku†Y<Z(Ý0c\1ÎWmNæ'Ÿ_Ñ9±þZÄf¬ïÖ7ã>ê7꣇®ÁÂY€kìÁ˜¬®·V'£9Àt#úGB-6�ûÉ7š‡FÈbfd½ß´‘Ϩ[¹ØUóàçÃ{k8
§¼9ùò>dDî"^W/艞hq«¼ŽD$j³Ȱ#²§Ýâ_‡£u¼á$=Wx„i\/O/b“íªíPœõ.§K©¯Š³Ö
-vèfÆŒ²§²V	äLÕu £=«µÆ0åQ
h0ÞÆjâKw¿Œi
-ÕÈo‰‹™ãÚ“Vt+%Æê
Ò0jtƒŠ!H”œæi†BôwíqßÌŠÛt5ÇYeC¤ùÉ¡ëYVPu9¹u6rOSåº÷”¥ÆÞŒð™ºøe‹b»oð¢1j¾SÑØ”×i!#a�®MÒ:4Fô–la4¬ªûïÑÚ"RwV~_ÈxΣGì?~(ú²oU
-ùÌÉg¼¿Ž>º§
V‘ŒéÙèðýö…5”ÌËíîFöÀƒLáÎdº6g‡­ï.üÎ2Á5¥7¹T§¯hj„þÎù¹Ó>"ÆÈeûÛ’õ
"Î3‰Ý}1¸áb“šÅ-‡â�EŽÑAOÑ>Οdo	e¥¿´vÖ”œú­µ‰,ƒ/Dr£á…©ôRx_=ÜàµíŒ
Cöo-P¡“dà˜‡S:’%ÎŒ¾6Ÿ‡'ð¿µq
-³ßk9ø‡jÕÖ—'è Á̹5�Ü�ue§wº—ÚWÚü#FÁ²°h»U�Ú¯ÈDçC²¯LX£	#VKÔââ•å:Ã$ßÞx!jCZJ`6¥æå6íÔì|h1e§,p¶Ý«GRñ™¯­7î`­T„c�XŠ„³ŒK�«o
|sg>â>uªp¹™Z¬¿ïÏÃ+Çío@<´En�…sÓf…ë~›¤â*ÿ
;ÐSsÇô}=3ûpãzö,¨”VYqI0ÙûÝs¦â[m† ìi6ÕhC9m7Ÿš�I»‹ñÓéïgEOöDVûêwYj%ÖQu4´ñ=ˆ\|ãUWìÕ›F1a)^�BûKÁJxȤå8ï#çç–½RZQÏ~ÁDøLAZA<Mg‹O÷EiÇ
×ǹ0�Äx…&®I³”÷å
ÀxfN/<	²
-
-CÍŠHV†*t2GÂØþG³ìŠ
mÜ
ZxGe·bîBáÙãÃù»‹çRבb�’Œh¤9W¸–øTgR¸Ì(”ø¡5kºà›É¤¹µùÛ�bþï¶-Ê~˜;”7ÑmÆ
^T˜‹vÐí­&•3özÑ/JÁŽˆ¹ËM6¼�ÑH*­›Š=Hœ¶CPHÅÔª’.UJòûõÆP©ãËŒ
-+ìöù[Õ2š
-ÒñW:N<YÖ]k!+1vÄDÞQ÷):âïn#þn-‘zªÞ´Yª½åS<¸úp"Tíª˜òÁY(×!WÊ‘Üç�´åXÑåbÏ�QŸïPb
v¦]ŽÖÁ\¨+=cÄâ~ê¤}·‘í"²O†ÕoS—™×Š£6îHNdΣJõøœßébž»…í§¶E€>F1R„§ŽÎ)}ß0
-í>Ö‰†­õçl?ë&ú]Æ�Ù-Á'†â¤ª?…²Ò0$¸	iú]÷
·ñ‘™ì-Ëö’]
ç¼w¹8Óœ¦aé•«S¼Û¦;èò#.	ãm^kZ_
�†Žg#(¢X¥ò“º�·ŸA¬Ö›"ÓŠ‚Kæ³buëK¿ªwöVåÞ#§-÷Ü�@VM<˜ÖÊi7´Â£„-v'�È,ÜbtL%!5--IŽ»W¾l‹ºbÂÝ{dÞ™áð0Œ¤\ÏR׳?½z�}:CZÏÒþG÷ä­¬þ±Ï›pÈ:§lÈ8ÕQµ1íåðaòj/‰±m¡HMlê—ç,Ú#cl•ãZÀ„´]äI~›]O踑ơ|Gàjz“šÊ,ûckÇ$±	ZäÐù+†´Í?‘Ja#ñü/ÛùÁ|ìJ§Ü.̤pPë&ƒã—)¼Ái¤UøJÛÁöSùOq†eT¨
-=èŽ
íóÀ„>zß�¹‚¶ìüœNžé¸i+h:“¶’IðWþjQæMýò©†4�#{µ8�<Ô2Ì^þ¯™ZçóF—o£ã¤[¯Ÿ&l´-æ„ÆÉ„l^»ì#K,yaÂÓŠ	ô-®�k‰<�+ꩯïƒ,ƒÅSÂÊ°&£�²¹í�jXºEéÆŠ™8?%ùŠ4<7K[_"Ú•vŽ³Fk“¨ÝÏaMY§!‘ÉšS·“7¤4,­,ï2Í¿¾pæ×rGð?òåi%h¬ÒÉ´UÐ5ñýq5Ò8¦ »=¬óÙWÑù0YL \-síaœ3;Ù„%ñÐwæœ~ðbE†dUÁ&ö	½D"ë}‹ëI§«‡AªS‰<ç'Âo'rX.®!oö>QÇp~R¡/~™©�Ü\?ý-3³Àö„¾¥ãÙaÙ0�Ú“5ÅpÎ1¥¬¦¢1Ú®¾S$Ë5&fy¦´vZC_p|ÐÒä
-P€{�åN¢4­DŸÌ5ßv‹ ë
+ãR×uÓëM>«YVB°éHŠdŽÈÙf?+ð6±§}1º,B-¤Ylùö®sJÏwŠ:—(Ëë·‚ÁÑ!
-™P9ʃ�ëu²‡2†F
ƒbtnh–!jTV>Ì×A}ŸÁt=Lo–Ä¢Ë9þòVôª_eá½ÌP~Îà_V©Ë°?SâßõWx¥J}Ûw�ÿæ‚[Ì)"óó
-ðÈÅžŒ
/)÷±^&·Ò�L#0¢8yX¼ÀI¤¦žX½;ys1iUü3/ç
-ʊО=ô
-k…H8M)¯‰fXý|:i¹²»&Œœû#Ñ“‚6~´”ªF5eûÎ+qbYß­	.-椨š÷9
>ú+ÙÒ‘c¬õ`ÎÐâšStz£q)

Ó7šW7ØŸâÓ4è’¨�ëHUÓ×}PÏÚÒ�%§S¨7Û.êOò¼ÑöŽ:Ñáݨ؅jé¼übs±åma¡}î'yŸ?ÿ†‹häEúÝǵÊ™}Qƒ~¸'ªÜñ–¼cuG N=óæ]õ2ú
׫Bó¼0®Ó©M]oA'ÓÙÔÇÌÝ]Ì“Ðk�U
y‹tÚ½³7–pБ ²5‘#•¦§e÷µ..ØBeïç
eÒÛ -Cµ<ª§yC½ñúã
¸òZ·ùu�½1Ê$ÿ†HLõRæf‘Y½2ëëÐôYמ6j›Ï¤~6îEĤ88=wšêWVgéó;Ýó!k¯c`f8�ýQqñJà½Æ;Ë—øn,Ò;n$}÷­·Le¸Íq½iYˆvè-™Íe †§2Ç4`¿DìÅBÓ@¢”Õ‡o´ˆKÄP1ùƒƒ†×‘àLÒ$5œæj—ð$‹Uë%&¼;¸û?åH£€h Š*{df”÷xuFYãîVÌ’‰Å0L´§Ë1]�*EBìYT=ò¶ˆRZ†Â
-|)Ž¯âðœl\H˜ÝIC>–ù‡»…R©-/	ã–‡%Ü©Ù̺žÖ{ªûN�{o6]”½óÚ#X1P™f`EŽ²=Ã(H¬ûO=CšÛw“ÑKÖß”s÷Ó“Ú�7ª‰]ì„k+óJçmô/Ö
³ôCû™)¸¦ñç‡ÝL*ØúÃ/:;<±á4Ó$Bo:€+?ÅÂìd/\:¢N/ØDR�“à~«�ù²¹á5LÑí©ÆÏÞw9‡ù¡þ Pz«×jQ
-s½vI½6Få½=QZ&Iª r¬­¿˜¬Î=6yþ•.Ä÷’¦Ô¾Œt›x}Zp–F¤]ùuãôÚ�77ª/°¶‰ž –áiX6EöúY2«.̸§Aá{ÏƧ`-cß×zV¶À•¤f¿ëª±”
ÿ°IØ%?´˜7SsJY¶Äs}ÑŸ<'<±¬rù„ƒ³3í¶ÚÌ¡!›öˆÁP7KûC:A�iz¤öö˜ýSñð~ºrúsÏQY¾ƒ‚Š/ýthÊÕÔ±8‚Q-_:¥¶L+€6*£Ý0r’¡œ±ëDäª:✇'à
g‚Ç×T[‘–m\ù„|-9ÝÙ%¯e?µ�•Ñ¸;ªø·•âìO¤»Ÿõèó<êÈ|ô¡¹ÛÛ6b•œšÄjijÇP`÷f›¯zcÙŸMÛ¼Ê	À‘[Œ}_|.ýÐä‡O•_‡Ìc–¼ûUݹ
‚oŸ–?‡@2u_{¶¢j¤ÉÊÂäk
!"¿{&ŒÍ•©ê6Æ›¢sgŸeœ™øjº=‹Èp³ªCigæõ”õˆ®Æ³?Ú¸z
ãûQïÓ\µêžëc{Ï( [ZHº¬‹éÎgð-ÆÅ
ïâ+ë¶æªõÜäï|õœJý�Èm£ÐJ
Uiª1„
-ßvÏ:¯†„6
-ÍDãw§¸°:Mý
²qù.ûþGõ&‹F:ê1΃Ю,%†·¯(µL{vf‚¦ç¹(�@´šdqˆ2onnôþ�7ëc©�„¿cì•î®úŽ¢Z^ÿ)Óax3'�µ¹Ÿ‚e>u¿mðs§¤ü牥+
-ª³èì:œD^U3Œ»º÷ÅðRîfE$¥¤…~;,º-YvÎ$àu™‘·¬Áú[“l �°Â°a7ÛÙ%w¬Û‚ÕWnî<Øíl¥»õ"YA~FÚå	âDëþôa’–H��¸‚óU
-@üY¬öÌ_{½õN‡Ù$åÇ7ѯVxàK9>:t|3QëØñ¦É?ð?ÍÌà\6ú³_+¿¥§ÀÆ4…çf¼lŠl”0Ât|Lòâ÷0ÌA«œ�ê–¹¢D fhtV",µÊK3óÅ
.IÄÕ x0>›µ@²åliØd‘žqÔö5£3=@ß2œï’XÏ·‹|B
•ÃT«õÄ8×AþwbCƒÙlÕÏ¿‘*>Œ¸¼—Ôb_i'TOHÙûÝéÊɆ}3®Ñôn×…wÍ…Dˆa@FÐz<ýkd?]‰ ¤Ë‚h8à[b�úÖIî£åƒ0
!Öú¶UŒßëÓö:vtÏê<­'ºb²/gH¯Æp3.Þ¯.µÐõPµ�ê>µ¼ˆÅ½®zò-Ù2#Êle°<Z¿–0†CšbƒxoàFÄÁ£�Ý^–Gž¼!÷›¾ñRhb»pÛC«¶6ò�¼)P‹)Nö¤Øß^�a¦rüH€þ3ü˜|j›Æ­¹<rÅ{zRSŨ ¼¥ð­_NO�Á
¿�Õ°Ã×sÚ稭…[?K4a9J)&´ÈðÔ>§æK‘�­t‰tîîÉõ½3cc‚	-s²µäéEô¤³Ÿñ nhR¡×¨a/ŸÎü{
-À/6ñü>pF‡)Ö“‡Q÷Ïõ·om1ùÞ^Nˆ–­Žz±�5Ÿ~ÜÉzŸŸ¨»~^ªì®�—Ö7\JTÂS!õÎ<e2TéýY3#ÍnW›_}	AGC›?Ù.Ã.UÂBÓQ:Г4¡©UZÎB²QÁ}c…G Å?ÿˆ:s\ŒY‚5IìH<Œ�vt%mîë&*ÔÁ�{ø�·r¤k&Ë$PïíÕZâY{dA«°Z<•@÷Ï>ßh^êG—×;(��”;7Y¾¢™$ë±Ý+ÉÊ_`åuPèýQYð·õâE¼sÎ	[‡71Jš³VjÆ-ýô
ÕæÓ°QñdNk{VßH–œyåv	ŽÁØ›MÖ)3Û†þžÔ+wݘY­’Á¦>K;m¼kxó¡øxdGò�{çDþ•Ox§WJ½(ÎçöÏŸ°Îáu3ÊäkŽ›¤ÞÓ¨öUŒ1‡å
�ÜçcŒà¸ò UÀ/ˆ�¶Têëµ±¹ˆÈ5W×±#àìJªÕ–Þ
-Tßl_µ›ëb+eÊ¡ýºž�MDÁ¸ß7 ”¶cœå¸X®7�ݽ›™7t¤Ý«‹Ù“ãS+I4f=Öçâ\™Fƒœ^­‹ñòðIö˜B¡é÷VýµXõÔ’8~ Vš±¨á‚±ûSDZ~’»�Ág3÷Îó°—Us†C[Ù¢œW Ä“šHThôb£«ÎoŠrJ!KŒéðK££8ò²7t
ÍÍé{ÛÚZQW¥o^å«®x+"ácˆ#dÿkå¦Øåõ}ŸÎ©! ‹_
-�”°+ÊØöÿ�`ûS�KhÖϤfÊúw ¼0ݲR�ŽXU§­b»£=á{_{X®/L$šÍv…0.=o3_5ý
-ÕçaΗŒ3SxÃïéšßOs:û~�NBÜÜ.%Qò¡Æ[즉}’åÉôÐéŒ,IÚ„f�@úÚ˜ð­�þ»X¤ì]ñÆ·‚:þhŸ´se»§gB„¾�û.¹Öøâ•#’A_­+§X•ÑoI[Rh½ãô4E³¸­JLðïDuõÝ™ìEs«Ì—už7:èTÛ˜òÞ+êñ/¾4»üå{†–åt™Sy€ŠÚ{¯Úµ1ÇëóÈ ×ðÑVI#p
k51»i¬¯Ž>ìÊ4k,½}2årPky+HÝòöSÕwn»ª}¶¸°5­U¯¢é’L ðöÜžw
K®aACsQ�Òœ,…ýê\–„å:
f®©
0—Lœe³m\gSÅrm1aç÷6âóJ’Ýqj§ÅzÃó|8ýÆÐðo©h<�TL¸—¢››}죡­Úê{iî¼¥Ìèì…Ûš”\ÿËÚÿ'ø‚ÀÒ
t…:9]íÑþ†w–}endstream
+/Length 11687     
+/Filter /FlateDecode
+>>
+stream
+xÚíteT\ë–-w‚-Ü	®ÁÝ]A(\
+ww‡à…;AÁÝ!¸÷à—Ç9·»o�ûúWwÿzãÕ»ÆþÖ\k.™kÔä*êÌ¢fö&@){;03+?@	dkââ¬ho§À¬´pQ6±

Þ
+tøb8
+¯Æíwu»d±Ý‰¹ÜÆXæ§R÷)Áxã
i³åyª¶š—ܾí9ÞYò<0�”jûˆ�/²­pÛ2	D¯"k<û¶¨ó¼ˆ­pΛlxEv'Ê%Ëž…¹`|R_•·–ñÿd{÷ç9óÙ¢Ü߶e�@°-Q–äÿˆO$¯ê2Á³|ÀnåäÉ4¸Ø¢¶œ£íG>ÐK´®‹²üE{ÝsÔGµ÷Î~ï—¶Gí'Ä”›’V¬Éà‡$¾}¿6?dÊ—|ñÔ'Hr;ùMŒ]IJd÷d“ÂUu�?¥¾q¬Àe¢z�œUú…	~Æ¡dë/O	*‘¶²læ
³,
D/L§­„Ÿ5)¹;+În3†Ô¼Á¼ô×
ÃXؘA¢(¦!	rµšT®çj�m¿‚ˆ"ê:=8„é‰ÓvÅÒýÒ´ÉoèwÌ»ã¿ÛŽû«h»‚¬Î.zµŒ4�Í$‚Ÿ!‹8s»wè«©}ÌT8-TCšP×í±¿Ò‡š…ß¾*hÔ>_˜A‚»êEžä>A£%»Y÷¾�¼Ó‡—
+bEh;m&¶2q@¤}Ï7ëX£ÇuénÉ=µLiØ®Z#‹ ÒÃxLçÜȾÓ>•ƒàÑYô…Í	¤qk#è3‡ãMà¸ò“�üLvq|ìD\0D¿Åv „|uw•­K³KòÉôﺸ씪Ê�Ì=½Ðz ¢˜A‘'¨÷GêîéÃä}-.ÍÒ!˜ 1†Akµ§„öŒÜ̆(;¿+ñ‘7ÕÖÊ(C²I|ÒAÿG÷CŒuŒrQÑV…=3åŠè’>·uŠ?œ5Trh¯©ŽòÒ^¢HNåç4	’/Sîˆë‘~_Ë.ÿôa÷rû»õPãôdìo0gùš²þ›</½‚Wõƒ�'…‡Ý|é䨳 eçK[¯-8(VÅï>D"îbHèœé–š”¢‘:æ]jx6Ϥ0õ!5½‹%CDAçK*Ë3W'Á¤='€.I5p4¬›#CF¢NóÕ`Âv'F.ÛB|Ê]ÞOŠá€íú
#&ãøÆ6“¦P~…‡mŒo7±™›1Ϩ)b´S«ü²h*^‹ÅÇâçü¸ð1~çŠæÆß_ÒEàj¦cþسի9ôžÆP±&*Y
£xkâÇ¡r_�u¦Ó«8¦Ca1è³M/FìÝHHºq˜ÜÂb¿Ïá[�l
×êkû¬ú�ËƦ¡¶¯F$¹äÆÇ´vyW
+†üdË‘È)ÜÑ˹ʱ„ƒ¡¼(«BuV�•ÚèHbNÒnAÂé¨X^‰$2a€ÕóEÑ�‡(¤hÉãcTsë5V»´"ËŒV÷o¿=ÍÊ~€íçÙ7¡èûÉ;ÊÝ/ÁP®}€ƒ·õMDK°+Ãä²4'ø«<£¥sâáÙ9,ìú)t�aúBD.ÈÊ?ÃîƒÑ$ÜjIàsT¦9õ¸zNÓõ%�(ªÎ»é}ìsZ^NÛ�÷FÎ9PJ�‡¦4k[«ç f4e«’ùN·C
Ì«üj}B¨ª–^xÄ€(4ì—ß«qeË:m“®Æ ö¤¼êͶW=§µjØÊo„’Œ
3²8yj‰ê`nûÁâ'YÚTKM”‹ùÂÔì
%�Ù�³¹Â]¢þãEš®ßHœÑ"�P/V,N~Î�¿P�óÙ3ãþ™Ç ­ù¡cÈeü¤S¯ƒ´
+ýÏTa%ª£3»Ùª]�`Á
Q
êó}³x:HX¿U;úŒ hHØõKጬ‰•Y)f.¤«â£Þ„ÇG8îàôº¯a»p7åsÚBc£µ�Î¥7apx
X&_­ð¬)wMÔY„«9y™ÁŸ�e�!Ë×÷*$“ §E¿jéŒ)f?ÂwJ×ÓŽRIßU±($
{û‹xÜ©ÎMYÈÅäJõÅc?—Þ^�Ì:yðý¡_nA7üÕ©Ô–?Ài¤kðÉPHRòÎzçiÞY­Ýû+Öäˆ2…tzW3¦Ž­�à:]q¨¢–½¾:µ;›ôšÿL±î\ì{¯�1üÛüë]¥ôî•ÀJªÏªœûÄøø¾z$A)ŽöNÏÊþû>ϾЇ�Ñu—ßR±Â ö’ºÛua{Ø°¨ï•›)�wËÜ%ÒUùœ×“ǘy‰–wè–š7ô¹ÇÑöˆøoµÃî:5Nö˜~ø§•ûß¾ËPéä—b@3¢€iÓ,m¥däg	àø¤'�®/}"Lø¡-”ÉP&kB;…}ü§D7×±0œ^þ +ú)[¾ž¤.ª×VYzd,Ò#áx]RÁÜõ�]òe&`”2Ÿé3WÀâ•ZŽ°X…Eµ®ÙßWÌ
¿vAJ|,„$={Kýë§Ò/Ð0�Ñ4ͨÙEiÜ.äîOîþŸmÏ)¶9ÜÂOq?¸ ííë[ï]ÄtŽþF™]ðL7
+—ÑÅW%HkÂE©(ˆö6i°¶&b°Þ¨ïnwÓ÷߀MÙð#îVbjXèÿÞ«[k‹ÄA³±8Õ
7j/I$Êý¥í¼ž;‘zJ�FžÀÊÓÔµFÑÌ®mÆ"F̶�ƒ�°‰¢2­`Ÿ¨3pCQŽf�©:ÇvlÔÁþZ[zCºåçš8ÓîŠu¤ì5í¶rÅŸßÛ¾25ùŠ†ÒVÔgó°Õ_Γæ@ÒïÅ™…Á)DWÐ6+Þ­ë
‡ñß¼©MüâÆaªƒi>_ªóCËLD
�CP]ÐúÂL½\=ö›ŠLE Ñ:Ç¡õ>_ç¾”ÕÓDÀ`h{#oÜ1§ÌT«®X²é¦nh¿,ÿá2ž’‰ˆFÙ`TMN>ÜïO?èdÚg>|Y×ð²,"ë•ÊWBJ°‰ëÊw ª7¹·�DþAG—/Øi¬�\¤C§õ�œ.óbƒAÆ.Iµ +
ËÁúŸõ#¤½ü?PÝuØ¡™BŽTÜksmuçÛÇ¢,3ÔZ
+rÍå…Œ†ê#	Rßò,"l�êþ¨¨T�"Â�‚è:‰¹'\â­CrÞ×z,Õ¸
§A:æ‹Ïg<¬>Ú'dPîÐÿ¡1ŸibT,­L”¡ïéd¢º6[*1½[)R«¢x
úJ6Ž°ÉÊlÅß
ùЇº¾“¾%ß6%€ÌZ€ÿ@ ×/Û:œŒ�œPœLö'½<Òpk\yOO6ÒÐÆÈÔ©B"ÑitÚ>€Bµ8o)vç�ùêµFÕ¬�$¾üESúÀŸüY=ÁÂýŠŽëWÝÏ¿6nhϽ±ý;]¢f%�(ÞŸèA¸Ž‡yÛ$o/Aûv	sÙzOÖÆ�’±È^d¡›_Û"Õ3ôܱS+­¸Œâz»ö­‡?5Šž:¡ô´Ä)lI_%�Š¨ªÂý»6}ê™;Ç]CË‹/—øMÊ›md>&ö3¾OÝÑzÙ¢²ÛbÒ¿'•?OäºÈ"`ùÌθrÌJâ˜ô튓yðYtè»;íA�ýºû);†1åO¯º2¶€ér´¥Ró˜”LÓÁ©^šv¤öŸ‡G/„ß_ú±Ø«'.‰ªÔM“k—K26é÷ÿôW�SºÛ§¯÷ŸšN×V¦KÃã|³DZ£…C3¿åB”‰…³[ÏY *J“›Ûä—a�ñüïM–͇»‡[R»³Ÿ"ýŽ‚fç¹8¬™<G×JÃÍ™Úx˜¢#Ïúdç/û#]o¥LÒ( ª–Êô}.X¯²þ“²{ïC\Ò§;ûè~&^,rÂEÀÚÒGØÅž`bhUh×5çAÇú{ÊEkõ¼3ùÁ¼íXÙ¨®ê6~•jË?è[d­{4qó*Šçv¡ŒÌïßì›ê‰ð~�é™Je
ll[Ñ·!²qšï²¼à>^}
µö:›QòbSpìØcø±gÊX?KÀð~íó‡6ÞOX¸:âZôÍ 
++Ë,¶öyL,Z&1ÝÍz*ÐßeÑIå²�ONçÓ‡õ™Í#ùÝ1Éq…•-eÀh‡ÛQ$ß
n:pEä®Àì]05‰°=5˜®‡¶­2P‰5eÃí+–
+aÉÁ_¹5wCs�̲ÕûÖþŸjÆà��ùØ÷–¯ž™‘ÌJþ¯swQ⢃³F‘1b˜üÒ|ëFžøßIµç+x-Jï)#ÌÙªëÃn¾(ýpð»*tYÜÇÎ}Å›Ço¸Æ³jÞÒ±ko{!dhÖ-\˜`[Kþ)pLžXlø ÈÖQø~‚¸×Çl7¬S¹þ›¥*¼”>§Â.öÝìþñÃd
i‘;`‰‚j#–•µß¯XB`ZdHnh“¿èI¤Ž$Ì‚Õvz!Œ^ !�+NypÛÈŸVͧÁ`f–fU®äi l'Nªw!]Åú�ŸÑ|È'Žb&‘$US —ŸÞF`
'CŠ‡r(¾Kª‰;Æf+e�Z´X‹�+�öÿ说oÃ�
+®0QU?Åtv¤T1_¼Yp¯ÏÑn1×’äê'ŒWÔZB¾y¶¦}Âw’ë°È‹G¤Î�
+f‡dúë‘|3ÝÖ¬9»pï°h1ûó¸í•½ÈW©”qn‘9¤pÙ²Q@ýDîã6Ó>ëo\�,«m÷º·óSP¼ÕÆé‹cŠ˜/»f€�¾-Ïxˆ®;SëP´JáŒU'â#VúÝ](ëeQb}�–¡˜hïá\¢°»­ŸÓ¢aKY3Ê´R°ÝĦŽTWòã?É�ç4ÙÚ¼~p�ÕôÉs;.“=@K?ò°ÞŸmG¢«Óg‘n1»€˜ótÆ[;ËæW{¼«ó¼¶¤êqáãï876}
ÎÆEòY‚i›XëzPD}ÕÓq>ÌÖ=�¨[ÓeÚÚÛ-DuoãáTç+ÄGQ½Ma.Ù¹êÜ×,r„U16W Ý¡UPÎQâ	sªÞûÛT—ž´Þ>UtB%®Q?™†o\?‡c
©ãàò
DíDÞÌÁ<¨‘‘å±cW'}¿ü%)yõ(¶Lz,£›Ú÷=Á‹º“Ûˆƒ„ªk_mÖø'\ÿ�g:óÈm§j³.”ŽÑ}½�³‘šÞJAàÈ<X¶ûUõP=ÊþŒ¬ÄPC_*rËTs×çñ™¿l® ˆôòݽݵJ^‡Yn½Þë”iõ�ùÖ(@.ùÆéWšG>¶¨â>ÓÇBt^¿æt8Lyäån¨ðª�~ÛÓœ�„×RD"Ÿ"nN4�U¨·áì�Dz
+�#ª5¶ãƒýŠŒ[ônjŸÛ\vù$/ãRÖyÕ\-¨üKŽà|B8x“AíÁ.O_JŸqD×=®_ž~:? ³7—2⊦Ý|�jèÚ~e“hŒ¬Ò`2Æ`PzwL˜,Á”‚Ó­à¸=] {¸â>uD-‡UÙð�›Ãí÷Qri|&
+Ô>ÏíFŒòóGL2Õ×i#yûyNÕÓSá�Ä.ì(¢ ê—´®u߃]bùž<hŽˆpÎ<Ûê/Qmé‰ñ3¡
+úÎŽq¼E{¾	fáñ$¯}’škªÇqŒi†ik›�ÈV+Rê°ƒØÆDK'æ—{áß
Ó~±ªßÂ�5í±”»±ÐNû†c¼�«PèR)r°s½e¾ÉQ­‡‹ö®â߈T~7`ù½¤w~( Ú/פöHóe®B'?/ÇÃ0SÏ)X&Þ‹“f•mhUöN áîË…;<§�­ŒLÏYì‘û�Aߪ»=øþ�Î~eY�á€37¬àq�Ê„ÄJóWmÚ;
+ò<e{œBÄ4è6X~S…ÕÓ´¤mF¼§k­¿üJ‡­"fÒ탽tâ#ð<ŽNÕ½¨)­“o¹ßÖ^ÿˆŠ�A«-|o¬÷é&ÍS&Tí––
+ñ]X}UÐDÇgS_x&W_d;½´Ö‘tˆ-…%eC˜Ww:�.{ñOÎþ˜­¢¡t¨_Døiņ@×}Ýò‰ÃÐ1ÊÇ$¶g¤	¥&·á)^D ´¢¥Îô…ë‡ÔïŒC¬‡“Ba¥†øêLÜþ®‰nfÂhš*ë(¥=àëڤ̋>¹Tè²ÕV YŸ(uAyFìT½ª7?‰ã[×4¯#ã:ªÞš|1¥·cÿÂÄ=SŸ¶Q,hÛñðh�]©¤ßûàzÑ÷ùÝQywÚë\ç£V}—À&}nJÎ_#2ž½+¢û%Ì°Ë=NIW™H9ถÃM”†òó?¹>HÛÀh[�ÃdýÀ#þñøV¸°ÏjT̆Š½Úß'9Q£•ðD
+ƒ¥=Ûe!sdê)‚.l4lóþE¿‹'@ÑN“Œ
+�žKXø4¼]íywbZâü™rœ¤ÂQ-<µÏ¬�À¯
´)"‡£]·ˆçÚ\¹çyy/Àbý‚	.G¢×.èßY÷®!	É>a'c6CU¢y{nÞ#‹MÝ¢UüišB|!#	V­}'­5®Ð±äNÆ ]túPÑ:/­ò¦X˜f9Žó¦ž�Wv·Ô•©:N"õ³g²N î‡íæV¾–HYÈ.J°M¼FWÁq
�AéoÑxJ!�&Wðˆâ­Tþ“$(®mXïe{Ì××Ð8]/^¾g«Äo�‰M·9}SO‹ý‹³n£zbÏ<3³�ºÍö½9dÏD�y6ÔDPM:�Žð˜S“ wh…µ„cK´Äã‹{:Qö¦Ò-‘þh[N½œ;M7 !ìX¶lç
+ûÆnÅOøÙ/šåvýÑ;Á¿Š(æÀêzÑÊ–>ì9¬Ç”°n÷ùv®Û·Y^+ùå+ÔÅKl—‰æÀ+gbïç6Å”E”v�Õ8÷¸Ü¯¸.ÔF,ÜcjÇqx"3¦Ò™L•*×5FžÅVÝMçï©Év%¿ã´Þ'£N·ò6�iM¯È-ËÅ8ò̉Xµ3<³ƒE´p“®Rºçèg
+®	v'ö½Î�ln;mÿ�FN•
+/Ÿ3Áô�1êˆõí‰~4HFz>5#Ε{}mBl+ï� Èà+S>îϵ³3™ýžYZÍ?º°ü|(ø«8EÛN¼-<g~£PØp*Ÿ<Á3—æé6ah/Ä°l;�¢,,r_T¯Ý�XƲÉ%Ï™Óßæc†�¿¾g–µÚÃw°QY>Zr^’3©ÒÓ83ÅX£n Õ¤îc„Ô#gAGŒT3$�kÿu‰mßêÃ0¦ô%BV¾®”ÍXK
ƒ²ÿ )¦|¶
+«÷îõç‡k¥¨9îx]RÉé
!lŸàk�<“�™H�ÏÕ2Ú3'Ð_}Á±n
wYíÖP¤z�™$z¸ˆå¬uBZö˜ò,ïД‰ˆ6”E׋8'<
óٔ᭦ó'îôÇÇ)§Óˆ%£‰[LgPÌùÃ[VëÁçµü÷=iˆçv¸#¨�<¼‚¿ÏûN¶Ë9·©\qwqVb§E9¤»çóÆØ';<G\ò�p›Ýk¸ì1Â\©øÓˆK
+ÈÂcR *7Jô1B-[Å\‰Ë^áÖ:	QÌ�DIB–-Èsì.¯õqþeÖÄ*Úzá[L&y@5�þC5
+wóÔ
+Áéãå)«#sLW�M>†0€z!1q*L»_E³%)dª8„qb�"Béãkë}™`_ölz?d(dð	º¢¼ùŠú·nöM|Îëv�
N–È1@´é}Þ…gðvÉ–ßoµµRj¸Mk5"YŸ~bÐW¯ÔÛǦ¤}wQ1øA³x/ÆP/3Þ‘,¼#[¹3'Ì™^4ªýJw“çM›vŠ%Y37ÚZ-í!�ÚZ„¯Nêý÷ÆA@U/#ÀJG4½øˆ®Lš„(Ûq¤—ZDÉŒf%)1[1$EβU?ç]ùÅÏ÷àº|/»çº86
+ÏÆ^é(t{äg^Ì)¾^Äyo�ߊ“8E˜‰YjÚ é]ÁØ¥ÙDf’øiÌÌR¥®Û·‘•¿#ëÊቛ¯½ð“_“9>~"iú�
+M)Ã9Âp:Ä'°ÂyFJv5„yfù¾ZF|šÿ˜Œû�;àcêØBüß›©î¬ÃŽNÌtèÔd/O7ðŠëË–“Õ7ÑyD¿‹3<B¢
ažpøwâÎÁû~8J­_¾\÷ë\·^M­ùífƒ‚Xv\Vr€åÂÝñx4O?ï:±ªY¤xg$!ZÏ6ÄÂaé’±½òÚKvª|�R¼Æ”œ k½Ò°@·&¥1ú-lß0ox„Èæ»W`š¯{òø»�î•ÒÏâ~­E	§…[2–ÙÚ¹‡	h|^ÉV®ÈÍ/4^PJeë	?³cD\r´šdûhhç_é®êû¦U²SýªÛžhšúÔï:é#ù^¦¸%Wk`}Œ¶Ïá­ê�ÅEM3Ê+	`‡*
+G‘áRì
›¸5™UP®ÇÇ°H„×5Åã>½,TGè±8ñª4ô~È®š††,h»®ß z¿š
l–,hËÐ%ˆÁC}ìÜbÒŽy’Ÿ&þÕ
öZïtï|çil¸#é¹–8!}BÌ’ñé{‘ˤFX.K·¿ì�ܦ|ºgÀM¤ûÆ¢•Ü=ÿ=²X_S`ìÿ<ì)ú¸Ô#�»oøý–‹¿ˆ‰´ƒAF;ûû
�
+Ûwôd¡Üw÷xgXøÉ\›ôi3“ŒIDί¹N%àŒ±éï\á>Ø°tmÖ$¼ãÅ,ñ�á�…uÛæþCU˜Å6é*x
sÈé4矾½–çëO�f%,RKÁÖñ¦¤EÎL_2¾›Š‰iŸ¯œ±zÇÍÃÁs}~±
à)Ë~ת0üÈ»€ñ¹R.Ä•!/`9ºz\h­õx–jÖ‘þ:9OñÉÉjð‰¬”ÔÌ°–˜Þè.h1ýdftX*ÿ7=™q
FB1w)ÝúiC$ü9œsðàÒŽžQÔÄÚÂdÝ@BN~CªÝ©.ÉÊ¢^r’¹�º¨JªÂ˜
†C4|¡"‰j&m¤cYõ"¡
+#‡O/$v$�R®cià¤Çâ÷Û¹6AçU‘©�®¼n„¥Ä£Ïš��‘mÛ«ðáäwãëuÃ&µ!¿®êÐ0š{©Ld"Ö½þ¤´4¡æmTu{5v÷­õýT_ekp¤¹¾r§Ð~Q�4ËÍRK2'¿ÊÀRŽõ‹l9Ù‚
<£G�{{©ÅVØeÞ=þ½ãøkæÈr by&?Ý!`�@Ê‘Ъu
+5«€ßbÑdûClC‚eÑ3›i“É_É�>`"cGKó‚+îœÂ”SË%ëŽX½
úð±Å­¾ç2]p×9¢øõÛu“°WÙ8å{‘+cc"]•Á½[ˆ‹uÔ§Š®åëÜe\¾"Õ?M!©Ø‘5Yñ>>ƒg�™.faSçõ"VY%¨öôÒPâÀ}ç_~[Š3šXh¬Xâ&4ã‡4ó
ZòU‚õ(c˜äœMÈ>õ”D{Ê=ëÚ
+B4½0üÂå�Z8CÆzh¹Äõ ë­ÍÙ”™\ÛÑíÎ¥+ò—áE¢ì¹:BZ
+ï!ÖdÙÌ>‡·‰—´ß•D¿l,¸Y‡þl½P ºñé:®DÁUÃñî+k#/™P¼|±ÔTa=Õ*¥­T^훳ø®Q¶t°HKZ®Åœ~`LgÊ`ømq%['=§!Y§ù“%–±y
»�¾nrI
 endobj
-962 0 obj <<
+1017 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 34
 /LastChar 122
-/Widths 1937 0 R
-/BaseFont /VYFYRB+NimbusMonL-ReguObli
-/FontDescriptor 960 0 R
+/Widths 2100 0 R
+/BaseFont /TMDQVH+NimbusMonL-ReguObli
+/FontDescriptor 1015 0 R
 >> endobj
-960 0 obj <<
+1015 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /VYFYRB+NimbusMonL-ReguObli
+/FontName /TMDQVH+NimbusMonL-ReguObli
 /ItalicAngle -12
 /StemV 43
 /XHeight 426
 /FontBBox [-61 -237 774 811]
 /Flags 4
-/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/colon/B/C/D/F/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
-/FontFile 961 0 R
+/CharSet (/quotedbl/numbersign/parenleft/parenright/plus/hyphen/period/four/six/colon/B/C/D/F/I/N/O/R/T/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z)
+/FontFile 1016 0 R
 >> endobj
-1937 0 obj
-[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 0 0 0 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 0 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
+2100 0 obj
+[600 600 0 0 0 0 600 600 0 600 0 600 600 0 0 0 0 0 600 0 600 0 0 0 600 0 0 0 0 0 0 0 600 600 600 0 600 0 0 600 0 0 0 0 600 600 0 0 600 0 600 0 0 0 0 0 0 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-884 0 obj <<
+939 0 obj <<
 /Length1 1606
-/Length2 16371
+/Length2 17112
 /Length3 532
-/Length 17252     
-/Filter /FlateDecode
->>
-stream
-xÚ¬¸c”å_“%œ¶í¼iÛª´mÛ¶³Ò6+mÛÎJÛ¶ÍJ[oýŸgº{V¿ói¦?ܵ~'"ÎŽ±ãœuÖ%#RP¦4±72³·s¡c¢gäÈYÚ¹:ËÚÛÉÐ	ÙÛ˜
-–WД”PŠË©ÄMíL�m
-®F6–Æ
-…$ØVW˃÷æ¹)Àõá}@Jš2»œœ$~P–D™ˆ‡…:Nq©ó#5ßì"	󧈼ˆÎQ僶J–©Èµôc“Êç؉/Wñýê›X²˜HO÷|¬®-“[ÿƒn2ç¡‚÷`Œà�
õÉùKH}&¢~t–ßêÆ“-µZ•÷�ÎäÒàMV]ÓYÚñ‰‘06Îó'ˬy?‚²9¼oºÝ²Ï—YzÉA€&s5õC`ýnXÙ°ðõɃ
í’D,÷gÚUÑ{MX8“Ž_ZœìÊø)“bz�lS âz/ˆPr m¤–ÕýŒø86
]¬
-+½ÄGL~Ö§æ0GW˜RS4Œ–¢V˜,ŠÈZzU¨âè(ŠcÆÀXÙˆ-jà±*ç+êJ"ÈhZåðIƒ ïŒ
œƒŠñ]Ñîç/µÜhà÷ šEh3ŸiqÌVHXn´Nx
-ÿQ9ƒ]ne£(‰ßU;<kµ˜\û·h8V)‡5ª#ñá»+[?C6õy‘®G‹gõ›ˆí¥¯vÂó†Ù�ÌHÝ—Q`£n(9åÉ‹Ôª†¢"ñéÛ>aXSû¦Ÿæ¿rçG.�môú¥»ÁÊ|a™
â¡^>#þ»ˆ^驵]M»qÁO>Z6Úl ¯=µ)¢_¬¾rÔ—!U;:±å$z2»?Ô?÷,|gP¨Ö:`Ì�G*p²Sí»Ï³œ.ÞJ;"8çÉK­�ñs·Ìúe”%±¶ Ü-.EÊ’JÿLئh·ý,hïY«M÷s<ùi“©Ò£úþÕ›j2�žE)m
œÀî;Ÿ¡å×)× ÄãÜùšë�_`ÂýÜ�ƒ4¨G³0 œ{¢zÀñ®yÑ C‰ÁŸèP!“2Ž¨Ÿ*§_‹Z夻'ªá¯›ò
=2ç#µõ-»Œ(…’jáô˜iÜS$J
-éèóQ.ž¾,Èv‹®Ç'Ÿ¤Îûz5+Éí.þÇÌHF.'_6®DWeN‡´¦j×I*92RÖ¾Ø.}ùÚu¯c†ß±©ŸoL¼`Åa\¯²ZÕãLƒÒË+-(þÍHUëO˵Íè|ºZÖe±šÜ.¢{sN"p6¨Wvg‘¨Ú�TzVóeÿºŠÉ�ßDbþ}fìkG�a<ÊaÆ#sSs&ÓçQ�‹Ö:“m€¦ý)®ý]ѺΈ¼ÂP€œ_—ÁJîY*ùEÇd@–NËoÀ*EëgšþÐ*Eì/5
-fe}®ÒTÌòl"kã&|]	‰Í0ìIâ8z}ÞàÒÛq­IIØ!R9/�žðb¦¢T$ý5—yYÀ;cÉÝb–Õ©¡á<GÄŠµä™UOäÅšT‹Ð	º¸jnm0±ˆ¾ô�#>xyÑu¢Ì{§›�û}ï<L	zcf
-—[W´³1fóÔ=;:[?ïAÚ¶€œ"§u°œ~ð:ÕÅÕ§A:‚¥¹Òãb	ìRœéÞÄJú�àÀÂT•º’8ȯ}j�@hjž¤v!äåõÊg>-L«YO×]1‰’œâÕ1•°ZÅ	ÿ*ý²o�ªìž²t
É�Èux^I'ön2*°5ÏY\]Øé½o
ËÃSÖ/CÂß 
-K1Pm™`)9öã*ïÀÀ˜9ójQc£º»5¨æñxkØk!>Ìa±dQÝÌ¢N–�ð§óΫÌÜ‹FÙó˜TKi•óLsè¯KÅÖ_T3’šy!—ägÀÑ&`pÆÆVRË
‹b¶ERÐ'Túv¦†\�
-^‹2÷p‰7ÿAäœQˆ‹¸&jÓC+Šînöhù=Ò,‚z]QX+dyÚ4lÞŽö
-�ÚNÝÑä0‹ø¯ñ$´lÓápàá˜7-ÎN*¡_~�}ÜviŠôŒSõ±ø<ÊqníêãâT2ª/ñ—Xà£Á•áºÜ§¥(’Ëæëya÷Ä6Ãé˜9ãVr¯°Z5l:¢�1Zuâ�Øó¶pÑß-ÖÚ¬æ¿ÂÇkëé|3! ëé}£?µ\RÈ(áÿÈù€>ƒ°šp~O»„¦jx¬ƒ qøf
-0Q1w+övæ”Nuê{„'®wäÕÒcɚΡë
lnm
-[1ȯ
@€ÂZ6Wj™Àtù'î,ž¹t$P} 'g"])²¡ÏãèæiØb¢Aù:5¹vòQüæøTzÿŸ^=�‚­².iXƒ×GéJµL«Šï’®ý#
¶†Ý:Ô»‚�u¼û.×'“Cãl¡Kè�m²¢4¸Ž“iašµ×B
É>íJò�j˜Û7¤&Å?ázKÂxYrY§EÛ^÷ò,,ne2üäέ†¬<Z¶×™øã‹?à¢
[c™«U¹NÀ¤ÊÉÙýHmaCsT|79O|f¬®‚’³i	ÉpÃ(ë*³’²!í:•ðt;Çün»L»÷Šæ?��öõ9ý2ÙbkÙ±!Y‡—çJb²Z?³Ÿ
-	Õƒcf„W
-*€Œ#Ç3&ìߣöbY�Ê_w‘&[þÜÈ_lˆèyIõÞqù&;è;ˆ¿/ÎÎ"Ëüè‚ð7Ñç–u’DŽzwÞŸ/é¼Õ†x³ëŠìb*]ü2)u§·O¨Wñ5òx‰1ò4˜•�3MäŠ`AÁøý4g<üÔâ‡?yi�ûÇ©¹$sç£ñs}7š
‹•†‰µê~
‡¥’ž·÷•ªm/�:N–lÀD t˜p
ÆÑùö5Æ„
¯ú9ø[ìœÍý�ßÖty37ѹ­øCËiqgõ Þdx‘Ó²¨„$¬Üá”1ëR• .Yú›ÊL�ûo›03´Â£X‹,‘ÖpŸ—;ôq¸ 5iÉɪf1`CÏ_®9^¥��u¢­­Ï¼%¹þêlóùŠèTžÅbàV0v¶?ž÷)mÌ?£B—ÎÞé
-àò0߬éwŸ³=ÛåËLX·AõfQÑ9]Ч
-sxX
‰Z–¸¤œ�!D°‚¶åßà½y¶õè’Ê«ÔùY-”¬Q>tkøH†•¶½@Sÿ6M¯çÆo퀱1“Z(}‡lš‹HñxŽ¤pOz’.t¸q(ò錣íB�.¸Ò™Å™ôÅ.ýX\Àª�ºö’¥«.ïÿ…ãÚ£È?¹¨®XH.
-Å׆ˆbïÜ÷ƒˆwêß
-n
-‹÷ƒ}öÜü\XGÔOCèÒ9®ÍŠ]Âdç šuFðê£ì§1œB'ÿ[©pT‘©#êìÊLT™µ+àaGØIF“FÆVåÑi²+®ñ^
-ÒÇý2¬‚�£Ó°ï�‘–£ïÐé… «’·éí«2ÒuÆû˜™‡ŠK¹‚™e
…þ’sêƒQµb•5<&—´‹è‚CK°%ɉ$ß…ÅJÄèè¯
-êRµù”C°†F¦)¸Ÿ5/7Õ²ai6Œ`U›�Úq‚¼]´nz€?öÉ
¿QŒ'éË‡c�MxiM
-Õ©Á<@J´¨ƒ¢	“ˆ{¥“o=‚K]—-x÷¹–’ð꧆)fè¾ZøÁ×.Ré*nßs¿š –apB üÒó´¸Ü
-4ù™ÅBj.B{J+–$hR¯*U)›–»À°ð!>PýuH€Oi·¬­x¥Æ·Ù€F0½Š“¬/!€k¶†.œº¼×tæ%ÝP"�˜®_cc_ÜV¸ë׌GÙõ¢àÄŽ_åk+ß6¢½J†ÿŽBhWˆ~ƒÍ«#b8Ý=¸åª
þ�œQÖ*È-"4íÙGZwò�¾P_q¯Bw±îÏ‚$ª$²u(ÈÙÆh?ZVÚÇ�´ƒ. «¶ïDæáæx£án¡Çò½Ã{Úmw.v~¯Q?óó°�%/%àÃÅðo‚/ƒ¬¸tëÛ¾ob¾»ëñ�XœòLšÅ©cx"Šsøy™á'n�²è3¶
Ÿ’YNuRŽ½}øªNµ©¡±`s‡¸ŠÕù¸¼È1FŽ:ÛW.Ÿ`1�´¬x€ùe€Ì$ïµ_ß |™þu*Ö~èîÕ¤©%•Ø©ü�Zf/ksWü0ÿÙG.öËÖPî±w¬¡¹s9™†£?<à2qŸ <˜¸Qþ·»
-,óa{¢ìÙÙù3†Õ}œI
	Ïà…u¾§	ΞОœ#“/!ZKóÑ�îe¸mX]†KjÆ—=P.G8­t
-C‡‘7MBñ®Þ’¨ÌÞB`Ô4Ü]òP~OăóOò^Æ_n+�¯ò݉ؖмprÅÝ<œJæ­³y¬l´ößÇ׎d6Vþ¸£ÈÙæÅ­X®üÍM#§f}ed‰J7Ò™ôT¬Ö©lÙ‰3·|¯¿Ì!U>„{ñWaa§¡VÔìùo'm
#K®™ Ú"åÄw4âïâÓ‚Äšóã
;üú­ŽÙGF!…Iå÷RòªÑ
-uŸÆŒ©“6Ô¯ùÙênñH0ûg›±së,)SÚŒxÝÃ/kzëð§ î#&ý!zçȳױ8“2jY‚G¤u¾˜â%ŸéÃóÉ7!Ißú&^úu*æöCP®»í½§	]Ö†¸Rða\ÓD!)�å1»ù”b$l1xZñ‰ LñûŽ/-
-4‹z�H8‘–	š‡‹ÔéA ‰‡A"Ðj�q&âGîè¿„‡­û•™ËË‚˜ÝKÖ�ÓÓdz——s;ä—¯ÜQ¿
-Ò×%¨•½xòª=å$«·å
-6¿Îá;8td.úÉÆj’1ƒmŠíyB>^bÐqÊåLà‰bƒ4h/mHÖ%B¯-¦/Â9€L:»¤Üó¡ÿ÷]mÎ|ùY.¨#+Ÿ8úT¹Ù9}FmOj
orn4ý
-Û…Ú²)•>PQÑSWüÂŽà8COÚ9Ì.½zQ”OÔ
B—F,ÇD“¸”Ãп€[Der-ãɉU`�øîìWr! ”‚ªsB‘–«f—¹¼Ñ€Õª.=K×$"Læ"òY-Ñ;N4·*r&þ†Ÿ+z
-α6
``…¾ÞïG0­o¸N'‘Ñ{-¢ŸîŠJf—Et~£vÍšAOÝÑ´m
­Ön7S¨D˜sªŽ’9F÷¤ûFš™%¤�[Âv¼˜d„žÌq£]‹ù„Á"•©!w67Ë?—ˆ«¦‡�š~Çt³‰=Èϵè|=WU�Œ	,Yª¢j»ª¶N!GÖ©ºCbtÍíÃþŒ=šhƒiu5Eé‘pºÐ”:ÍFAr4`›$ñ�?¯6¥·Õs•ÎлÉ,³¥f›LóÍ«ÕO“=Wþ…ëSrªAñ:½5­¤s“Ê"oxDöõ¨‡$8Ì�bµ*Ü9¡âë¤cvˆÚ(’ ÓƒìFÙ

÷N÷GÐ�sÎkÉhÕ»ù.C3
-;©4’¼ÄÿKýI·W|%½cøÅ]h…GœMùDîa&Ru�ãu>€�’-ÛSÝpÞ¶
-ŽW–%ÆÔ^葸Ú"¼E* 8
á	u8�üÙ•§Çì'Í
o�›u
-yDœ–NrešB#êè‰<2«DSµ¿pt†÷�-ªS9><o*vY\Wû^n"5ÁÞX2.dKÕ¸ûé:ƒ ‚˜Lö#„ÕT–E0Èôcó#¶ÏWº"÷ATÖ¥rlmÄ$£‘éYeg2B¾¥�[{á=ØܹDòF.Oû3íQpÇ�¢fÖBE(öo^;’S³§ßÎbf|…rˆ÷}Ž4F]žvB…„þ´ñ~M
U�PÙ^íâDaôXUùóžþ£Ð®`­{·Rª”@Â?
Y—º˜þ›Ï¶£Þ|aéeì€ÜùZmlô*ŒË×B‹àŠè]‰¸_ {%DOù¹‘nºµÇë÷ü3ó7O¾ŽÆ‡8ë›~žžWF¢p•&00oD³!ÙÕ~ÏÙéa­À3¿�wÍüüýw¿Œå/y�#(Ån:.PÜ™¼@Â+)ê˜Ü(Ä‹Å"‚Â]”t¶
"•C«î¬‰�>Ö
D’|ËP¼+Êë0yÊ»ô4ß{¥mÊ÷¸s ôIÊŽ$¶â$dÃ÷‡CîE½*ã
-g+�´sñ¤5ºT£ÃHÏ)æjAº1K
-ˆ`
-e_ÍQPš}IAÏžc°ß‹zá#P}ò †^eî~µhÎ,ò°Š˜€CøØùf
-}B$oÒ1>ÊóHM{PmÏårœQDç|Ù¼ð
:QS�v€šâ’ùP‡Ú6>t>Ë
-ã0Ï�Q®œã_%+­oHÞƒSm3ªþ¼øÚe'¾¥LmHdR§ù‚óÃ*�¦Ÿ? “M¡.ɼÄq4I¾8¥Ëø>ÀèzþÅ÷õ3ò
„_·eÝGnGky}žña“D9ä÷ô½ëjT‰à•ÿv«ý
Ù9ÅÝ77�½ÂIq)ÜÉì–Nâ�)	Þ‚ú!ÑçÌáeƒÉüý
-BÎ÷
IK ºÏ8V?Ò±ÞH;3¥YFjàQÚ;13+ܼ—/nIû†<Rt;˜v³s$*ØNþE�äNÎ>ñ{,Úü#0lËßJëšä(šYùXu“Ø£�gŸV<î‚<½°ÊyVˆMa[íSšYMJäÒwnÕ‚Q~dÈw€c¬h°œ§× ˆ]KŸé3é
-±„4GjïnŠŸ�Þ¹
­^v³ùÌZgØ}¶�*b«ªDýŠÍp�qP`Cκ,¸„då=œCΓʨrÂ\¬qc„ƒ>e-–$Éÿ…­¶FôÔÄŽ�QÐÑÔŽÛ„6}9E¡€­:¬v�°6ÈöŒxvý=\Ò›7ÞÙJÄ6ˆÚŒåHJŸÎ)½Jßj½˜_%½@l»,ÖÙký� ¡Û™Uf
-êáE'ÒõÕJUŠ•�la"í]©}Ë¡—ÅÅ`;¶f‰È<‰âÈÖ½ûAy�ãA6ÐîÚ±lì„S’ÜZdõ"àBk
-U}½òõÛ02y jp³K´=Í5eñnª“ÄJã^°É©ƒRÓ3Í’cÛT̯ÌÑ+�ik›=tcg�E†tÁ¶£Ë g§›0ý#å�“ÍÝ,½âI<©
Çñ9OAÁ÷XÉ�Uy¤”�ÝaN!
´ê§gÐI‚Û–
-nÈ” m+åÉcßd_µFt펆¯9�AFˆKÊùÓP/�` :òÔ0éîyÖ2É'†íÉ@¡C®�½SàT>…Ý4�™à�’†µÒšæ=*¹à’
-بïÇ‘ö"W,GÀÚgçà8Ó#þåiÁÜ,ÿ7äŽ\ñÆ‚âA}ñ</æö¾ÞA[q<XŠôâ/ÑH½!»èéü£RÙbÛÉétFÄ´ûuýˆüº‰©ÑÂy ±'©%âûÞ¹Hù*Ï$vRïÅ&©z
-`ÿ‡âÞ[
B´†Îìz%}”fM°–Û–BÆŒÒ�½Ô™)ì9R{ª+YËÛ.”ð†$Ž$ì–o�¹Æ>eûeç1T±NÀ°óZjbêTSØ�‘DSÂo¿Ÿê¶@v Ú•ôˆfP„2<ö4MÁ T`¿SvØÑÔ‡Ã\&ðHmøÆ
-E R^íÒ~áWžš';>�àð‰ä™ L€Ëÿf=ºMi)ÔH³w‰!ŠŠÉúæ´øjÑ <ˆ¸
ÒÂN³@Ñ6#;Q¨
-rcÅQH	ícûOÔ†ŽÕÌ|­�‘@WËO„]–ü½[@™}?ùãTuÆC“ˆ¡ªðÏ¡0å¯jAÇç%´�D0¥€iB�3‘à>!u㉽®Èßó’y1ÕwŠr;üoö)w‰¯öáJ¡„SЮ|ߍêZ‹%ªv8³¹¬Y2WQD[k`b‘¤àPx±¯lÓm¼µ{Çq&F|¥U~zZãÅ2m‘§§àwL€M:�«Þ‘¢:‚¡ˆh¢[Hò8¯ØÑ‘~ÜØ.®åŒ2»†ÍFW%°P¦]­lfÚH,´Rr„Äå<Hµ�ÏÄž&sÂd™±oGÜ}Éü±~ 
qŒ¢9‹´†H·:i÷.yñS>Qo«¼]µL÷c½ó89Ľ¼½~–RA²ª¡0ÒÛr’Ft¾‚_±<4ó�ìWîÝòiïÆEJÎŒCgy,7Ûĺi–O¾ÃÀÊ/Z‹ñu9X>±fOº:*Û› &ÔÁY.O?8K\{Râ¨jÈ7„K®îëlÛ²³ÉœËR;>Ôг2:œ…Žè¦ÿ`¶´ÑÈÆ2#ûûj²Á?<9€õÚ‚:Bî¡EQ@8á<kûÕ³ÝÍWóäcÃXeŽÌé.¤C�砄ʨ=±E%%²Älµ–	2õD¿&R»½qd¾9q—·}{´W*@—…Í©-O_nK,ûlT&~²²3gÂ{B€K$±6Nr_)¢LœP­�Ÿ£³zËN1¹,ÐA˜•¯W¡V*eØE1ƒºHÏ.z ˆ¯ÆGŸ5ÆA‘Ã{ÆY+�ì,l)ü�dÏåiKŠÝÕ&Ú2¼ž©Ïxaì2ç].åëVPÈý½.è\ssã%‡,“7{÷gåÃ
DȘuÃ'ð²—ä\=ßKϵ¨^f>ºŸIh™h7¹÷¢HNõ™
-Q?ôVïóTöIK¿òöÞM•|ieÚ‡Ÿ¹Dœ­2^B È…“	äOøD„ñ��Hñrø»ÌÞ¶á🺞[S§¨”OuáLïxÕt‘Àì×ÙÆ·Ùâ‡5�5ùweʾ?)•f<p·¯Ý­
-VCV^uNA	a÷¦BRj÷—Üs•“}”}Ú"zÁú»™9î`ÎT	ýld—>_¢’F|�·ßƒcè÷z):§Ù펰‰ÇÙîo¼{å[­Üûš”½yÂ.àB´�4
-Ø©U¢•¯‡º{YzEWY2e³ �º%½8ŸùßJ~±`„
-;Œ€ô3Ã%m1
Ýè?ÒmR�ºêc\žÅ
-Ì ¸¥õ£—»`4Œ­F™Ô¿ãR<sstB˜
Æ7/?+òŠ¯F:Ó]LîgÿéÃCÛS–Ú•Ó‹,}|` Þây÷8õ7�h›pG–JuÕ@,Ë�Š3TÙz uëqñ"�:<5}D?Í6Œ#Ú¼i1�²‚Ñ£›r>¾<Ì|£Š [ÝeRäßn@Ë\¿T�OØ€¦qZBQãc¥âäwÞ^%<tq\v^�Ôà…¾MtZ¡Wï¶ò �ó )ÍÁ8a{øV’Û˜Û‡8ì«îFâ´#•‡Wx½
-k1H�¤üô]–®$ÂþNeáŠ�t_?-{3h’úžû´ßñn¾ÚJíЭQ€”l(SêQŒ‘5­…Š²>¥­(ñƒZˆ¸Z…+Œ,îHÿͦ.—·Quç¥Gž™­½¯À+÷Ç×÷e¶ƒ(Å0®åÎJ掴9>ò‹qD~ßqÊlC¤þ.Á¼¦A€Xe
-D·nuWŽÎx(ȱ䒸W¬JÇ~‚¿‘º£eúT™aŸƒ^ï½–
Þ7ž§ç~hw™™_‡QÌ¢cñsÌÂå)H&^Æ1¼žC©g³¯®{‹DË
-Δ(47ö´@¿|¹­rƒË̓æ�U€ü;"H‘p�w›7l®è¢ÖÙ±_3 Ë²á	“x°÷�mŸa[­<�B5
-m©è—ðò–õáÇYêšstùá&%OŒ¶oëˆð•—ìO»Î[‹¡
¹:Ñœa#�âiîÓ`5ð½éÕ;)fñûqL˜\ Zž®°	@D~äõû«~ Ú¬u£¥,ºa+ט^¤.ïj±%šE–J�Ÿ5¨«ã_\A�á�Ž&©b´Hµ‘cïE&Ù‡¿²±~0·Ç2:y$¡0ËUÜ:Öã­”ðô
-Dղέñw¹Q‘Ƽ#Q›4Ž‡!¥VŠzÎEhϤŒ/RVÆLüˆ³MˆUÁj÷brkLP°…žz1ï/Qº™±€°šÑ@vbÍy¦,ÙQ«·/nÍáD'
-y“�(c¥‰´Á÷w„{n„Æ<iïDʲæ£aîþÊ`àðä=:ªH?Äçðâ€:n’TÚö:j>¥ZrÉO<xþ	¸� Û7:ôžPZ(´Pä%îB¡Ô$l®×Î�£UõCu6ÂwÆñxì§ç†ÑÐS­…Ã1@°UIÌ+KÏXŽë_`“BP'�oJÊðÅŠ¨Òq§¤3µv‘”_aè‡WUQŒˆ9H0݉P¯ù½gM9µ3ŸS£ã(-“ŽògPº@eãÛž°.µB…8ZQ•AÊÈ
-ö™…„-ì‰ÛïzD�Xy²®
-¿©²Ô
-r
_å~ŒÙsK=pÿëxoײ^�I'níça„SpÃ÷ëáòþ½ñ3|K0À¦
²=z,çÝ•âïcíñÌIér‹‘�¦
-Ѐ­)-E›Dë|8¤FH’=ÊÛÈã·pórHÚKG
-0öÞÛù®_3g(\¸ÜÁ¯úàòž–Ç
°¡³!}0}þ8ÁÀEþL†2Ì{
-WBˆuÀB="÷Mª†ß|j¤E˜&µ»“=W¸õNtéÁ¶5dPGŽj¿wj‡Sy®¾"‘Ê UW#¡4‚0‡©¸¿ô3‚´RÅÒ]ʽM§ù
�Z–T‹0ž0Å•$í£[É‹Ícãu1ÞeEpv¡„(�©šóˆí濸A·Â’ò·äûtô±(s¦“Fi2Åx\èE(×(9Å?UËÇ|O½¤2o{¸¯}a£ˆ²zŸ��–�δ€R"ô¥²¶‡ÀØßš)ë*m ô�Ds§úä}á·D
-À€èö}»!Xö&#’Qƒ÷ÄQo”Cþ¸G
FòñͳH³3ànGZ(ÎF_¯AYÔ%õˆøcŸ=ß0�ßpMv¨ú�¶Lbã1†ŽêÁ³†L	*öVt°Á�ëh-½m—œ(<ÊxSæN£X»œ$ÚÛع4›ŒbŸ…±´þÂÞ±Üã‹eõ”~ð�^•ËÄ·¹©ëPXƼŒð;ö2nµ *’ç#i¥¥ÈÇNÚÝü…+3÷3ÌÌ^ë�t]XW¨²¸DLèi[Ó8OÛþ>M6¬˜NJ3ÆzU1nç€6QÐ19‹—Û¥ŒPÖáZvõ'P¶—YãšUrAIîžÅÅ€1›MejùzV+ÕÖù7¤¯¼/E^;æ{/ZÀHgâ×j\œÿ+jÚ¹U7ÿ1œ6Þõ‡cuªæ®öèT8ÀõÅXý]¿0Ô¦‹Y‡½ZybÅvë$n§ýõ£±#ù2 [*ÃwÅYårÄ9V@»”d5ÙKˆÙ"ûº°yóv	ƒ®'XiH!ó á3wIykÿ#J÷lÒ<¦s(sUø®û¤Tð|á:/pœs§Ô ëP’–<ˆrÞbL|}ä’0ω´üûÿÛÏgÌ_ögk�=úÚú¥�¯®®‚_{íÜíÿíü®Ò§à1ñƽœ�[.I$Þhè
-¶�Ù½äÝîØðmŽR/´Ï8e°ûœ“|ñîëszC<’^'¬üš~xõ¹l­SÒ|úcä',ü~Ç+L`áƒm¡à¸Ô›;ΘÍfyüØb�Ïþ9%¼Wû^š¦ù¬ãFáuž©ªcMŸîVÿšW:áõd�ÝÂ}L“â��ÝK?ϼ|BóÂú–UvÞ•‹w|›&óyvÓê—šß²CÙvOË*|ð(-´zé>û‚Û\y–'$*·ñóÓÌ¿åÌoßoßîËÇ6Éý¯ÝI)–ö÷]³=ž+·ô»@siÿ–R¿‹Âs2š5ª¹rwö¤˜q	-¨
-�¸wëB€tIÉ>NÖÃïÚ&ÇÚ4ä†11>Ú"³OzÓúv«_§ö°÷ßâW�3ïý¿”é–7Òv(/z¼`ÖrËm_姷´—+vÙW²ÅÔfî�K0庡û×2,¾ÝÜùÞºsÞÙÕ÷ïíK;b÷Ž9]„m/—èϵÏê7~ùp&,kÚÖŽ óKâ>„(vú^K¿{uYMd«WT~Ë5�Û/Í}(ïÜnXªÃYÖðíÆ™þÙ�®%|´<þ¯ÁuJx´nÎ�Ö×Þqr%M=6åŠÚ3ÆY�·=4k<±;ä�ã­ÿ]ßµâÜÙ“ŽI¢Éÿ­C—̈0Ø¢•–óñ‹õáü.Óë�œùv%ÍÙÐ8³÷ eYU›ï&™·µg#žÝò¾ËuÉ5€Ã¤QÝ€BÀ5jÀ°0 9'5±¨$?7±(›
+/Length 18022     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬µct¦ÝÖ%ÛvîضY1+¶mÛ¶Y±mÛIŶm[õÕsNw¿=Î׿ºß×מsíµÉˆ”è„ŒíMÄìl�é˜è¹
r6†.N²v¶2tÂvÖÆ€¿J622Gg;[Qgn€š‰1@ÔÄÀÌ`âââ‚!ˆØÙ{8Z˜™;(U~ªQÑÐÐþ—怡Çÿ´ü=édaf ÿûãjbmgocbëüâÿú ’‰	ÀÙÜ`jam‘WÐ�”PŠË©
+.†ÖF
+¢bÿÎÓÙÜÀùŸØNÍ
+à gçü7$€òÿŽeúÿ>’ÿ(þo!ø¿…Þÿ7rÿ“£ÿíÿ¿Þçÿ„s±¶–3°ù;
+FzÆ+-œÄ,ÜMŒ,œ�Ì
¦Ö{ô/½Š­±‰£µ…­É_.ÿÕF
+Ð÷ª-
KCºæì¢]•ß@e›‡á±Í	R©e7ãÝ8æ¥X¼Ýú^¯bª¿fiWã¦Ç6hé("ôæ?�ü…$ØVS̓÷â¹-Àõæ}DJš2½œœ$~T’D™ˆ‡…:Nq®ó#5ßì"	󧈼ˆÎQჶL–­Èµðc“Êç؉/WöýîŸX2ŸÈÈðxª©-“[¿F7žsWÆ{4B
+pÇ€úâLV›‰¨ÛE�°¼õ`K«Vá½Öž\ºÍªk:K?>1ÁÆy9ãd™5@P2ƒ÷Í°]öþ6Í(9Ð`®¦ ~Ì¢ß
+¹9y´Æ¢]’ˆåþJ¿*ú¨	gÒöK�“]?e’CÌ(�m
+D\ïN¤�Ô´|˜Ǧ¡‹Uf¥—øŒÉïÀúÒáè
+ûÙ
£)�¨Ž&
‹"º–Qª86Æ…‡â�9x
V6jƒxlˆÊù†º’2–^ù
+|Ò Ä;c
g¯lt_´û•jP°–
¼ãT³mê=-ŽÙ
+	Ë�Ö	/¨é?&§ Ã­¤oø
+%Ñ]µÃ³V‹Éµ‡†#hižrX£2¾K±²Å?²©Ç‹t3V<«×üHl'}µ“œ7ÂnhJ권buKÉ)O^Œ Z5‰OßöÚÖ?ý<ÿ�s88z™l­; %ÔVæËŒõ”ð�ðßEôÌH«íjÚ�~öÖ´Öb}ë­MùñÍê+GÝq’Yµ£[N¢+C1¸Ë¯ö
+RÚ8�Ýw>SÓ¯S®A˜Ç©ó-×;%¾À˜úe
+ß$TAÂrü—ÇDUËx,¬mCFË„vh”V¬èæÝod%·Ýͼc‹ò¡R´©kð97Aa¸ö<ër Ñ¿�5{ßîRÖÀª—Öì
+(
ÙóŸAuÂ)¡¦HŸÞOØV";M¸�’…ܶRýd°2auÒ/3ߘ–�¿AjqBGÎÓÙ1\æ›+>€y¥&0•²jmÚqý[„ìÑL6Qb~´+¹PÄ-sÙø¿�µ$ÈÑ*ªï
¥ðÈOÓ…¦JûèY[éýSækŒ¹©[üm}ÿ
˜Ð6L÷èO³[²ò½¼ƒëÆÐNOp:„ùHïä7CĬ“ü]½yî´¶ïï�Ã>Õ“·aý'×M½®qêäîbà_w–
ž]4ðÚÀˆ²öÒøÞó¬n+: §	�Ìô 8û›cÑJ�R[2£mXÅw‹}y7ˆ×ÅLeD$ç,?Yh{³ÛÆBÅΙki¿ŽøК¿ Ø1ò°ºŸ;eó‚T›n|˜)94µ9uæÐ¥x´	ƒã½R
+>ç³]æoM%„£¬ÎG)³‘4°ký‡ïbZ~ø ¼`_[h�ã»8ë<¾4²}$.îÁ³Ö
+Œ(iýŽà-º 7~õSLcüýkÅ!.0Yü:7—
`hPêoˆÜä¦ójÂlƒG¥v‚j»8Ç«Á¨›ÕäÅÆ6nÂN'éú3ÑX®ÐH¨Ïü%›zl½ýƒ©´
+)‡¿ÕÖÏéÛNÄD]*¾ÔŸæ›õ·
�­‡.k
Ùõ£a ü�:ræ\e·ûá&ÈÉDŽ¿Œ™%_$$3}9šü• Š8�$½¬€È¢þàÎg×™„�¿ZuÎ�Ú8רË=~³a#›L]gŽyiðÎ+.ÐÇå‹6{™jšSksÀ›ø¥qéD¾~Èͯõ{Ó·Æm'¤v;?«A%qÐ7�ú"�úpM°!(ïx[„Ô]Ä,…u‹0~‘—Ý›°ùot…ÿ‘vm¸oŸÓÔ/˜àyÝSÝñ}Ó"‡ÍÿImñ@ü
+åÚ`qÈoa’:�Üà}ÒË’àóI¡	Å¡H±`í ¾‹¢R¯u²Í3}›’«˜Œ(-�ž� ŒßD<Akº
z³,¼u˜Kí mÇkûL”4iH!±¡wÅE•Ô›ß¶ÑËf½Ä¯Z8_‚vŸªÙÿMÞW'n%Õ‡óyï+ kpKx®˜XnÝÅçel\¶êaºÆ§#§ˆA³K
ES÷éüT¶�È
+Œ¾ˆeD;õ›‘æB,º„5µ³äé
+IEVx[i©ó•û� M�Cá–‚C÷=…ÐÈÏ ½~À
Õõó)Þ7ƒNòw8>Çîwëôêé‚t­»Ìt«Ã<EÀ ‚†Å5#²üd¡,º%¯BBç;¦é.lãWœ›ÜûÜÝ<’ÂÚ9a¨Äƒ.vKž
+q›ÅßZV¶�¸Œ&®äò®Å©ði¬Ÿa
•ÌF/wø†¤°•|ÒÎmyÒd`Í\º¯*ÚßDw§Ìw °)eG8ïÂ5´B¼Hc†µÙt¢ùš^¨3€6ŸoÈ:W¦ z´˜˜éÁéä’*ëÔ£Ÿ@îàâp¯_© ¥ì%Šcga>¯W�¹4#UâRwXPƯY“�4ìg·FRß vßû<ÔxP>†uÂËe&+
+Dì2Çüߢ¿¢‚IÔnèEYÒÒÇe)ü²:V ùUš>иɚúq:…mɲ¶þUñNžY±B§Ýêƒ&³Ã¼]Rý*ÃŽûý=*n…ѽKv„hf0ó;!ØÅ.&f«RÚ„ Ï‹ë&e¤ãe}|“x$Ó½ââ;£kg�ž=çyÅg©Þ+a…¶’û.Î)†Ú`NËiߜʼnW«Uäç*i¼/W6æø>±��§“ <?;dPy\Ÿêd汉ä»tóñ#+|þ­1qÕqVø‚¥Éh¢‹P³Á4>t6ó –p�2/ÉõÚzî„øÑ=h>±`
+n5TÁšëÑ”’ÐX"GEÉ.4–ú&µ¼ ØØ…'Àú|€PÜLêar	¾0N1fo÷í¼Á¶Uå"‹*0âù$]s¨>ÓΆ”'â�¾ÞÑØèÝf6qì�©)¡}mZ€šÍ�
ûIÄN§
+Îþ@PD #V{¿Ö%þVõ|3ùÈ”JE3)&Níð{_’ Êm3™Î1 oåñ S“•/bì~O«¸8/*™Œ²éëí�Zφä(.Pÿ§žÏdÔö¤¾X<é§îrî9YJÛ)E抰z6Ø/v0
¡ªD°¾T㹋˜€7ýP“Ú¡ûµ¿^¶û°iDØF…ṳ̈9Ô\ðØDˆ“Ï%Ë;¥Ø�—qëŒà2ß œNý.¶8bWÉI0Uy®ƒÎÈfPw³‘ Õ8ŒÌ"
Çsäs
+ZmØFÐÃʶÞïPhzI÷™ð€*qaBrÒ·Ø^ðƒMâÝàí-Õ¨ô¡À˜å�®™ÂÞžÑÉö>u¼‰Š�ÏãonŒ{óæâ<ŠéU¿˜f);›Íp±OË,¾†ª™ŸÔL~‡(ÂJšW
+`þ*
ÎŒÔÀh0±ì$�(]J+?!uR[LGÓOÁ
+>DGÓyØ}—(l
ø &‰åSß}fÄ	†ù©»7«ôÖÞ•ŸÑ;!)îüP_©cEìì_Ï“Á’TYj¥àê§ïS({	çÑd
+±
�éÇ¥µ¨ÿ‹0Ò±«ö¡`¢/³I	Ph¦€Z�h
tDįcÅxBkô¹õ¾z힢�Uˆ1áû-C^­î@\’ž¶Ê#f„†µ]òOÍÕ5Ñôh‚˜CGÚc(hƼ<@žðŒe/ºˆ¾]úyèŸãgT—–B„W�‹:ƒÅ‹"p+EŒŒûE|ë7p<*6~¾R—”{N f.]Æ&‡•è…M�ÀNsr'=d/UMzW¿¨8ûÎ=ªŽ´n¸ÚvDôÓM=×�ArY8sœ‹ªf(ú²"’å®êvj×;¥ôŠË7/“æÖö¹]Ë\Ù”7Ùë•azgòá¶gÌ)RàÞ%H}!³¡i°�Re<�Ñ 7¡%ý¿¹a¢d:£�gteµIˆ­¨*’
+‡–oü‘éO' °xd�"뙂T¯·3z^‡ø~LËÿ¡IÖBcP/giй.^ÿâ×úÔ¡/jƒX©ÛQÕ­€ÒÆ-Ô¦4Ê{Ù·hïgZ¼'ªF§ó.²$2ÈÙBÆúž07êÅÌJFØ“|Àmv®å·Ìù´"Ëæn0jª8xB¯QÎïïˆþ”âÞþÐßÙ«À|˜­jiu›¡lQæ5ý%ßzÅŒãÎv¥ú…>GïÀ•Nv.óY‹=Šð ðô"¦k
¿E)û›™,$i{;vÓSëœ†œSW¿BPPúËj…+ýá{ÛÏáûg¬ššLœ/

+�¹,6:üâƒ^ÔX'€å9U¿œ‹fkM6¼¿tî˜è^‚(Ò2g¡I›yÕ²˜RôÓ(.ãcÃÿBM¶SaÓv¨‚/uø¹!&jìdR¥*ÿ!´BSJ‡ã� !DË¢FT=B–žýÏm+›ä’…0Ñ
+
’¦ž~o8LÃć4»DÜ϶ÒlÊô‰'´:Y'ϵ:X–¹ȃKKÖr97…üdé2
+{¡„Fuœ·3žÍÇoÕ‹Ü2C7§jy¸-Í@Šæ,dL//¢„KàôÌ°FYîÊ„³Ýþ9Å™
+*–÷oz ×PýÚúŽÇä–G”30¢ò
¡€?Žê)^¿)’£Êw8:B-sìFDò±û¹Õ.¯ýaËmwñ¶ÀBUô�z8sš3&¥JÎ|ñ$¡9ê
+¿’ƒ½[žBš´¾™Kåd H*ž±yÈ"�ýƒßýzêXê>ªµÌWÕŽ“Ѥi$&N“yu°BIsŒŒÓoLª¸IòD·»ñŸ’ÆãÇ•ÑlèE)÷—¡OŠÌ�:˜¶O-h/_cÂ:u*	ý ‚(ÖÛõî9ç}y}F)ß×]>9]¾¬šæù%†­Ž8[pµŠ Úˆììˆ4eAäÙoÀ�ÄÜ#	Ò¹äY¼I©[ˆˆu÷Ìp•)ÁæDÚøõl¡ù})¼ºjoÌa %h1•l­õíP”Eöd¡‹#ò!Œí±Y‡q4NaB¢#@÷3ÁÜ´*ìåFÖ‡ù–[>¼üózëþ2‰ØMÌDn…ÞÜwKØ¢Y(i£X‹ßüƒd¤ú9ò ¯L,ÿì“^^ñëàö­ÂóY%)µ4ÙZ\ÔötôÕW¯ù­i
¢7,qK“ñâ”-Ç?ÑúE�@•àë#¼‰&+ƒÄ0¸Ø¡¸04ºœ5Ö–›ÿë“WåÔ/¶fLƉèß‹›¥0³<IíºÛ‹ÉÄ[t>Å¡u±yØ°Ðu:�¯Û{®[’ĸ2Ï}’ cu¶Þ÷²' )¦Z`‡`\… c¬—ÖÙ±{OÑØD°Çré ám;€¸LÐl}
JÜ„Ž6‘nþ‹‚>°§nºxŽPc=‰6pÊè)L[‡+»†%ª}'¿P°aŽ‘45¨lG½>(ÅûE&-#Èkií·jEüÅ×Ö	"ŸûmUó˜SvL„„§=ªA2Ÿ¶_5J¶Ôø¿ÒU‹‡_O·V°mîl=
+æ7ÒÁÒq3‚`¦	t.Ó„c‰Nä•×wíÝZKGº¦Ô›.(ðÔà^æÕ—w[.,ÕZåŒ
+cGM}!;4šÍCnœ®2'ÖÊï�ìù®? Œå¯@9ÖË'Ñ®æp]CÖ-C¼Dû]QPÓ-}yhÎ�ëzqã©Ýcô‚®ËÚ+›ß™A;t
ocšn’Éæ¤-O‹ÛÃWÓ•ºžÛóÛž:]‚é#Â_fbÈ°g‘øÌÇ
õPŠ€Ú†ÑPÅŽO£ªõdU “ï6dÍpŒ‹bçÆ©\¦�©Þ÷Œ­;£&�{"ÿÚé,–ŒO_»ÔÇÐ9V¼4�7M=ÍaÍ]:mÎïGA�ã›P.4”ªþ3€ãd�—&•É–è*HfÅ„÷‚¼M:ÞÌk(g
+4–·öÈZýjH
sóG··»�èV
üY).üjcPÌ�¥’»nÞÝtïw¼RÓTÔBÇ
+ŠéÑ:kÅÖ ›r}’õéŽVbbérªï�HÎ7Õã³ßêí¥‹_©¼“×2[ëAõ°çô­JCRz!»‘<ùq3mÔ¢W[M0hÒ VÊíaL¦3zb¥ÿÐCNãú?O“l��VŠšßÍÒ4Øë>Rj•·•ÛéD[÷87ž
+vÚÑKâåÅíÍÓ¿½Í~¬?קS§ÎªôÉžµè6.¤K±“H?R‡y�þn�v8Âax9™:¯¼&ýµêo<çßb%ðórÿDí;Ú%§1M–UΗUÈÁX�Ò6G«NJ"€Ùíì£â%Àì”w¶ðtý—_7×¾`!—
+;ÜÆŠF¸�*Cb&Znf]C¡ÈN‹×6Á.þÂÑ,	èW91£ðà«i�K;m+úbTèSpïGsÊuÊkÏ&ALH^Ö™FV{ð$	ÝkúÝMbx�áñå6ÿa˜ƒØÅYå�›a¹5°þ¦J0Ëšëö“©¾é™ý¡
+Ó†©"S—Ïz_¥¬Sþ@ÎlÀ£ì†�D�/®¨÷þ¹B­c0ˆb(	º
+ƒËsˆŸ.ÍÏxP£þþ\næèJµ�õN*·ƒ7A—^…¯f£èïnò˜Øc#ï|<ÐŒ¹a=íÂèœL¹Çt}N9@œí2ò“º¬ð;ŒÔ’`Ÿš瘓gÛ–»
“(kw“Hˆ«fz#
ü«T�U5aQW.;ì§øtÁTK!bñ6Û¨Ú±A2®Èü„è-£�þ|âáŒMÍU5j2~áúˆ^]i‘åe-·¨^žÿWeoÙ~äèžÞÊ„×Cô®ïw=	ý²{ì}Åï÷šNå)àÒ„½\Š*‹Jò|±WŽMí¡±Òøòo-	kÈ“èZ±Õ6"Ù™þ\W7ϧGÂ}VÁc§Úª4�ØXoM�7ùwÂá›P«cþÕ’Ûl{lY
B‰©Ù/šÌÝÖíü¾ì–­˜T¡ÁÜ?ï°êšš+‰¾Å’Ñs­êŠGô†äv5¶ÈÍÌ?ÈÖ§éBÄ<wsÕÆصŸ×ŒD�¦¤9	ߥKòã_Ý»›’�«á`Ž]}‰µñnÃáhDÜÀÂ\É&*NNk…¤û0œ†»™¥
›
ýÔº˜Å9}­Q}lêœD�ª0ŸœÛj2wü“¯µJ÷‹¡œéÃvµvz¬�,Æ}úè"öìijƒŠyñý›·î ’±¼cæOˆq¸Ìpãd:3ö¬Õ¹$c¿_W#ò4ºÑ1¬ç¥†Á	z,8ÚÈÕD-æ h•’ö5Cºͧáƒ_%wÒªu¿ â#¤Ç”g!]7¾ô/BŒ]eh©IKôŠ2¦WTŸu�ÊÊŒk84æÍ¥0Ç‚AÞÈ;b•1b°mÍH;í>nôÏ¢ÖRÂ	/#NìqHºà0gÚ…>tí°§Vûa¶ ˜/�æöŸñü|¥sçYà¨q³Ý,ÙŽÆ™(®”	¿œ^õÏ‚~¢­Ö>ʧÐÃw��Hv«;ø´þâÎMÌÿ$ìe™´´_ÚژтX–KµÆ
+Ú…W¨•fI•M@ï±–KÉ­7‹û)Cc¢ïS`…,8'Îl[stÂ<¡\nc<BU¿Q×ÓãäKüŸþ<¬ÍŽÙ»¯ÅƒúÉM€^ÆÃT»Ì«ÓË4	§¤Š1´\�Ï"µÒˆÊ®ˆéâ]xµŒ'ƃÙIÏKXPõ}BÎè‚YÓÝ2�Ä6å¶a«í™TÙÀ
ô&†’–Àiû‰Ÿº¾îpÆ4
+~[ØÝñ°Lå ¸¡©Ûa
�¨Ë=‘yÿn¬%YçYt½¿Ëú7R¬lN%mÄQ$:�	QŒ²›DµØ†È¨Ð¬)¦ÃºÊìH%Ûß	^>«¡T&8Ñew‹¹ƒã'}'ÅrW÷ ŸMì7#X1nfœ÷
~�¸ŒÓ2Û*¡U§%›ˆÁÇ:èDMÂ|Ò.Ž«ªˆàc:š®�)IË�ü*�ŠÎ¿žê³Â:
+ºâreA5n!Ñ…êì]Œ¨ÁºØ»‚õOWìõHƒ:Ô…—‡uÀÏk2Q:ú†É�df¬š¢µ‡$EÏÐï8f±æ™€âNØÔ@Gœ¹}\=ñõ°¨öˆ¨‹¼_W/nÀÄbÛíÿ¸¯ß0^8U¤>¾û=O?°g›¾U̧[aý;óþÓSX¦ä”gÚLÁ´·¹‹.võ@/Ò&ÿ”i:dÏk0G£u¨ð“rÏBž7gO‚w üúàü•–”À�‰KY&jøœ7¼r2–á°WNÎxëh“õÒ¿Í7§LŽ„×VC@]ÒÖóºÁ*óë-Å ÃA;}üvñïiCU…—.úZl¬ õå?²ŠcHÕ¸´Ôu½ö!» »†ó±œW‚
Ñ/ðó\Hvq•bf€úOÕy3¹;¾Ð¤ ² Ü
Œ°š'ÿˆê�IܯE|Ÿ¹
š­p:ÔC9èc
+gŽ}“ú£qÍòÛ¨ù›ÂN•¥•îÉ/­„¼Ÿ¿¨ÎwýéN­ъ”⃞êöÉ(ú˜i.ŽJÓY{Ê…ë߃ˆêo&ãX
+Ë|åT¬N!{¶ L•„«a` K=ETBÔSEÐATMb§œ
+Q‡Æ~ËJlQ‹Rü¶×ZB§©{g¯^x™‡¾m€ï¨LŽ1p%õïø×ké\¤~}ôO½Ü8Ûu·×çqÏÜV»ì*æGj¸ÙÛ9ýèO�â÷Ž<M×mÆô|UíZ0¥—¶µ™r'·>û’VuûtñCv.¯ÉÞ¯²�”ì U=Ú·rèöI3	Í¢¹ØO7(S~ãÈ”‡	«ÒÛšt”š®`½öÈl/ÅY¦37›„Û¦š ;ŠôÑ
à<‹ÆN–T‘Z.
�!`ßêã…”´I¼M%0,(`Y³¡mm¡ §<!È’WÏX®l‘«oÎ�Fž5Ô¥�Õ
ÂYe%13ð}‡yBjú$·¢³-71\4oà'!¿¾¡Þ­«’[É2@2´�F´‚ø„ö�€ñг…ǬÜÄ#ºÅ[i©R(|˜.Èm‚F
x¼HÃ>&ymr¦-åɽ.§æo�·œ¢ŒEŸ¼B91Œâƒ!ÈD4B\\ò.½Ÿ†‡b.ô¾=ƒq™“s,|Ö?¼�´~8£»»³­
+Ñÿž¶l ÷ö"•äjÓ`Zo…hbµÌ}åÏ0—ŸùoÎ*˯�µŸÞµöñæ/~úÕ'Kü@Tƒ¯k5{<‹i»ö—ROBz@-+µ�yÚª«1èûŒÂ·–µZë¿Ên�òEp7�âPi�«ú€pV¢;g
�.Oã­pÈTA3V.ÀÙòV…I’]UAÍÊ&¯æwú{¥,¿f
+ý’OP\h{†!Ë/:9*ÁþNª‘À„y†Ý¢›¼~¸®<rÍ¥Ø.k�¹á�R\ÄKÀõ=™Ê³ô¤µéšàš)É 
+�Ìó¬¤^©êzX-Ta’•éÔUÚjLØ–‡ÁPϲ‘ Ú€,j%‚‹Bè_|³yŒß]¶to7ɹ¿"Á¡ÒW¾7ÉÔ9NÙbdÌ÷Î2s—O‹D"—MêÓ†l›Ñc,Å=Æ/¿ÎWDk¿þ-ţø¬‰tF%ÿÐjwÕïS;ù^É£ñšo?ñ
+ÆQ'?ßœ†*×3;ùQhþà“R¿«A±FÌb<\gÜÝ@ƒ×oìfg,ÙS¿´íw*0=a{ æŽ!Ù5"OBŃð4ûbü[ïR«r‰2Ó'VìÖĵv\PjÐÝh«»Œd
­ªÌ'3çÜŸ
¬ô£uª�ü”.ø¡×cšÎO
+DSmÝ÷dU�«TòȨr7)z¡mYÅÀX˜Ä5ê¦[�Ø÷ËÅŸ"f ‰@êéqD„ç™Õ'~ñHA[€‹Vû¤“õ^C
+ݓ׀-xú€°š
Nce<Pdc–0`RôA˜‹¬ß”™…r8HXÞú§Ó•~«÷�®tOý08em_¦;nÒB0Õ
üYÂð-'y©_‰ôÛº@Á=¬È*ÃE\Ž�Kδ¿ÅÿØÙ½/™‰HíMâÑÁ�8g7m‘ÿ{<Q-u·´å´_;M;S1Dá[ñ7;žŒØ‚†ò”ÎD!m÷í¯`èh�pÚh16jä¬Ö’ØŸ¸*¿v/¯`%–ëekáÍ?LhÎ=”v‹…}éƒíý8�ÔµÑ89riL&òëcOý‰„iŽý†àÁ¸¬Go›‹Í²fÂɘz(¸—¡3
+ßÜ}º^hîëgŒÛ·S~¢Y 
+ÄSä–5“˜{'Ë¡esøücl\î½gˆî*š1ŽšÈõ¼3ª¶è:ÃegMvc¦‚Ê癚ËÖ¢&§�,€íIš®
Ø1¤¯à
+©*É&;jDú`ç�sÞ#)„Ê4s‡oEcà	&ßÙIÉ;qÝ#K¸n�›å¯ý´Y|”àŒmãø•6ŒÊÑ�é>Ÿ[å˥ߺŽ1
½é˜Ê®aYÝ«ÀF5PYåaÉ|3ãä¡ïbøM@©Nyav.åh­nî×ņ®ô²¡RŠÅ—ȬŒWyŸ¦Þtƒ7×ÔÀOkB¬œC@ƒž©êo´dÏ� “I¿ü“Z©þä}\žÅ’gÎBT…bM+5êõHzJžìfy<p!uš/ÃúZÇÉ vc&Bãž³'˜3{âC"Ã^z�|8�m§¥ØÛ#¦ÔjÞ¿øËú½:¡(Èn‡óÐ)˜âq—4Ù¶³dÑåÚ³;AúGòùVQ°!‡®´$ú>®âq
+C¸ÎÞ•¡‡›û/ìë aLãdU±Å,[g¯úWСÖX·V7~æQÈ¢%+ð?éצµ!ùUè³Êk5ãø&Z£Q‚É�
[äxŽ-b÷uP…#Ïñ¾†E@qI�À$ä;®ŽVçæ$#ÜíkôëtJ€\¶p5žr„�º‘¢€$|H{U¡øæòƒK]N}¬ò†Ÿ€E×D°
+FÏ-¶6© †Â	߸ŒçânVä^… ]šMg\Ô<C‰é>KÇ·ä 9·/£‡õü7o¼¾¾Ð¼­ÎÉSö'ž”Q®¬þ´òB†‡Òe|°ià”¸[‹_Ý‘†6ùŒë.'¸cä�½M½åÕr\S>‚K䃔t§C稶h5uREæ‹LU§­Ò�ƒ˜Oôz VÇ‹;¬¤'áS�™ÇOXñË€¿®›¦™;µWEƒeÔ #:0츜�BøUª,ØÞèb
+Òó…2pÈ^Ù†:0|&e¦Õ,?‚HFkJæU'ý!qÆYµwß³HžÿÔ«œ;…ª»ž–3ª[œé@—h�žÏuãrnL‘;®ˆ=b�ªy7¥�E>°áíîä=HøŠõzŒ³šâs|Ó�߶�ª`KA
+Œõ�_P-ç'„HS
+Л¨'ÁÚæãy¿�ˆ
Re†êi[‘¯²2Ê2ýQ%™ÒZâû®žm-c¢‰LPe³o“=ÒÜi:èÑ'Ðr^ùÑ­ßÔ{?z$É&aM%*Æð®iÞ	ïÚ‹š%4Üôí#6¼�±
+´!;h¾þGáÁj2Á|O¸D‡?ûµ“îw¹´`ªÓ¢¿¸‚’cçÅò¢†‰‡Î·¤ÌaŸŒÄÆ툗62A»wÆÕ(†“Øs/A'viÙ.Ü]Á‰µ‚7*‹4¥'O¢°vŒ�÷øF34§¡Æág¢O¿u¬�.t¼“®rõ–s}/
¸šä”ôÛºö˜#=ÕdrõÔ�VL­WVŒªÙÄKã‰éS.“ (Õ;ãh"’€}R>•lÏs¯ì³²Ô!¶‹lAËE:ßy&ôœh»Æ2©×Äë2+Ù®HѳÁŸ¨0�An´ë‡Lš@°ƒy‡ß[q8^:ZËÄc hjð-¦B_¦–¨ñº€ÛJT§ûš5j9È«>Ú)¢Û»�nSÑj=³ÕXër÷
Hl_—rß:¯0)]F:
”Ùtë,�,pQ£î÷s²•�õÒœúåx.Þ!ª±…» šMdÙŽ%󌥢À>­×בtÍýh;ÑN}ÅO™~�ìx[ôÒ[ ô)Ò`Ç™[z€Ð¥Ç;ÿµbä¸
ý·Z�Û�±ýW=mVùD×®9,«Ÿ³e,ëKj}Ü üïJ¼,®bðýÂò3�Þ2�¼ ­h=Á‰U,jï%
+ìé×¾
Ä92¯kƒG`µÕÂKþ{|*Œ”)ÎêÒˆÁÄRéAîCêD´Ó®ïÒ‰svѬµ>�cj
+6müÍpHr£\Ik[xi×$¼šÉH$S<ÂÐ]­H;"þÏ]…h!ÎKÙçwœÙƒaƒ!Wo§têQ‘21¸¦e}œDó—ýªM¢Ê&ëÅ"þçÍÜ1IpÅQè—{ØAÛ»kJ‡�³÷4°6ŒíîO«Ö*“YŒÝ*³A"Õ±«Ì
Õ	r¤eKãùŒ©$a^Hœ›Œ×ý‰ÞFïNûé)•7µ»‹i?¦:
¤®ý§"×ñ—á
+¦y¼5âéx
Î?8€†,ÄÙ%š¼ø*%q$GÐ]È%\íðÀ¸¯±ÆLÆø¤z*­Ë"7›U0ž$¥¨×”€ïøq*櫸×\~ghL[ü	¢rñY{âkây9‘ä¹_­-¡„­“ߣ|ÒœZ¿€�ë˜û.†zžÜbé�><ZwúµžËtÄw/*‘ê}5Tö4[Ï*ùaÅ6y¡W;åRÊØŸ7¦½jJAºjæ”ÅhÜU–Fî¦|ð¥Ûê:]Ù+ärå’ß±¯µíj�u:Ûdí>1a�NÓßø–à—ÒK!5hI¾?K3²<áŸ,ÞÅÁ¸²��Ü$j:=úzåmÈ_N4ƒ˜�F�äûq
+°’胱«T«þÃ5jíaƒ"¯‹¬Î×Эô'7kˆ]ú†A§òuSà‰epÀƒZ˜%ÆÅ…¹­Â¬¾=úð¤´~¸Pù*€üÕÝ+àŒVd˜¥ódqɈÎEX—dÓJHÁ+°:ƒÊ}Ð)#ôø@ײ!R»ÿ©€£ì–ù
+;\ùˆ¹¥e7ÍHÖx³¡l�½ [sÉHù[êƒáëXôËUNÑõ¢iX–Ø«c4ë7û�\Aº0«<�{ Evg]8xp[lZщ5õè¹r÷ûGâÈm�*Nêê:Q+|‡gµ
}ÁÞ\d„äO¾>hžDä¡GXnöº
+b¸¬óÇ;½<nõÄߺƶrEiO8võÞH•kö}aq²2ß5|LÇŽ´Fa
+ÐQk|/Û9¾ÑxÜÜúÙP7˜ªl©¼å©	敱<ý6œÍ¶Â=Ÿù	…3ñTI‡@TƒÌ07ƒI`5¼áô‡lcoƒ|áþü]¤ãÏ(^¡¥�µºÈÕ6ÿCÞŒ
Ú롾—lšÒÚ´ë÷aµ1Óþÿ×Îœÿ3¡
+šþˆ/KnèE�KØ(xÆÈìƒww¦\3¥kÔ!›ùÑÆlð›Qe8‚nÛh’8¯tãær|BUw•Q“)€gÏ£ŽWºè¥@Pñ„¥¾‡LZð7×(fÐlç9¬Œ bfr·Ñá·šPæ}p
+øš*›íßyýá“ãûB/�1;Aì2ÕÙ3ÕSs�±‘woÃñÕ“VÝÝíßv�¼¯å¹ÜÆ{¯’XcÇú9'*:ÞÒˆVÂ)BSzŠ�)Xý_ƒÓŠÖpm{§z¼¸—±u±)ôc¹ÿÕ)€+H2Qi·'Âڱ׉×b@akÊE¿¢vÉÃBakR‡å:›ñ†‡Fˆ~¨êÈ’Ì�m®g4šv~\œI©¸
+^ýì¶<��[7Û-ú%çq´Å5mââËÊž¶t“Bdc;|WÝÚú7–xSyåÈ4ØÇÖv´¦×ÅõQ«´�˜
„2ã¹Rwr�\Œ¨ÇÂCÀVD
+­`Ú5øy÷»é@k"¢™5)Ï1·ØRù-DÒHÖ»¼ÍDdM†o3w»5Gv`LÐ2î�ä¯uÈoêb—r›[ˆv^Ð^P€ó]üQ¨‹ÔS^?¨Ïóè
_û³£ 'C2T5ÍyÅ
[<;ËÛÜ}‹hL�é4mMmÖéҎ/À}"ÑçB0%’éVE�~µb(e’ ”峕Uò�ïiN“ýië€ëÜ„{X#Œ=dÓ[娽�	ÿÆOƒHð”£Vê
��ªë�vGJMGÚêåÄLX^9ymiZPpù˜B5«¬Âø#…sW+* ¨)¨OñD¾Ë_*Ïøy81¢ÎsY×/NI„8wÖ¦.¶v.rþ÷¥äïûˆÍžá¹ˆ“¤;éë7¤{®ÈE�ÕîÄìø‘VYƒÉïÌ|ÝWN`ÄþÅW‡Ù¾—›º‚ÔÂâsh™ËúÊIÆ(ˆxó^m¸ƒž²Ê+»O':Q�GrçÉ×æ[XFRž;j¸±·ùI•šà5A
 endobj
-885 0 obj <<
+940 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 34
 /LastChar 125
-/Widths 1938 0 R
-/BaseFont /TBYCOO+NimbusMonL-Bold
-/FontDescriptor 883 0 R
+/Widths 2101 0 R
+/BaseFont /VWNNCO+NimbusMonL-Bold
+/FontDescriptor 938 0 R
 >> endobj
-883 0 obj <<
+938 0 obj <<
 /Ascent 624
 /CapHeight 552
 /Descent -126
-/FontName /TBYCOO+NimbusMonL-Bold
+/FontName /VWNNCO+NimbusMonL-Bold
 /ItalicAngle 0
 /StemV 101
 /XHeight 439
 /FontBBox [-43 -278 681 871]
 /Flags 4
-/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/semicolon/equal/A/B/D/E/F/G/H/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 884 0 R
->> endobj
-1938 0 obj
-[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 0 0 600 0 600 0 0 0 600 600 0 600 600 600 600 600 0 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
-endobj
-878 0 obj <<
-/Length1 1620
-/Length2 20127
-/Length3 532
-/Length 21036     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºct¤]·.Ûv*I§cul'ÛFÅNÅFǶm۶͎í¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ú%ìí@,ŒÌ<
-ükì{ýÒÂv¹+
?j06Íðün÷X>wø<”¦=ëñ¡êM
^çùPÐô o}íä¤;
-dÒ/EN¿ÐˆòºY’Ý�Òæ`V?Ú›RRÖ/ù€!žédu‚»y¦ñ§p-ðÇúòä€âk’Ú‹Ý…Ö†QWx~ñ5ñôù‰jh|td¸÷ºÿ��.'ž’×
-ùk¤¿c¡ ¶Z…xUó«óö”ê&BÏØ>Ÿ¿ù‡PvE‘妷�‚ïÕàO͘ƒá†Àl
¬„ÔÈW"æþx² 
ãŽïIx%Q¼Kâf†Îo¿møWcwúŸò‚‘ßÄÎ׊�ü;L§Ö‘;æT°£6®ãGvíÌÓ.õ=n¾Õ.7èX¬JÌ[ÃZUýùbªÜÁ+_®›xF»-b¨À(¥ã©ƒw¸ÜÄ$ÌÓ…
(_,Ó	¡Ã4ŒS4r-Ù“©¾ˆ3‚2Ž‰Œ�Ž$¿ d­ô“„}¼Dä9%G¹<á¬;Ö6®£ÛA‘œ´Øpÿ(w�ßöìWŸ.S?62=ú0z‘ßãš@΀ƒë��ì˜ç3¹>9È%æÒðOÞ`zŒ—6"Aïܪ“³ÖSªÒ¼qRÉŒ!ÝMë–›Å/˜6 pöpò>ÙOB�ˆÁrêO<õlb­‚‡ˆà\jÑhŽ!··qè™•íº”…u=5±—ª——‡³ŸG
¿:×KÎ{òɵÅéKœJC·ÒBµ¾/)qpgŸ”­µí‚ ¨•ŠgœuºœÚ]_ÕÞ´c¸Cûô¿Y‹ü	n¿3ÇaÉ»ðSr
-o(:¨Ñ_‚å¤ñOFõØI)Q’l¤®‰Í;TÜ*kÀ2ñ´Ò(ÏË2+­Õ»ÐÝé¾›äAM�¾×Q­?A"tto¯�$ÏÊAœÇ;tÎB�¾ã¢ü1jþUx�q¨eÓÒäþtþcÉTI€�3!š@X芆eÎ^í'a‚†:U+�“òÀÅ$˜ ‹EÕùÆ
-a®;�?o®åü+L7O7¹uv¤ÓuÞ̸¶çŽNóæî™Éñ¢ÊÏC°¶ŠæЂÚ\�„P¼®ˆ™ß¢�’1âÊ¢Þ zO&�É·c튩È—©7•Á¼G}Žúäñʬ�!FŠd1‚_mÅ€th¬×Ÿ2°?X¶'9­1îî»�(RŒæËÜ�F1”P (Ê·úí¼eô<syôA$”¨…³Z‡j?¡»½¤`y×Ê ›¤»€–ä…@3éŒ2äaMÊà
T¬6¶†ÙÁÜßñÁ.ïs—f}ŠrõEKæË–4ÅJmþHž6î€ï^çÔt�V-O4ë"²$ì2ƒë†`zê%ž¦,"�þ¢ý_…Ù÷4Ô›øãö•÷ï¼f=hR àˆ¼®<|Ó$ddð£Ì…ÌËÖá‰ñq¸WœQÈ
GðdȾ×-&üäJ6fëÏurþq^KÐk\#º“4”ÿ8rÝäRlºQ
-Æ9vrQÚûaÞßïèóQÝiç·Äjí(^&+
MÌäkRÐ<7÷u¾!+o­¹
-}�iC¼HBb×*
1'O. Íþ~6'jïó˜ñ+gt5û¢PV4घ¿Ô ÚóÔR¨�s(S¡šq¹"yV‡ôîHvhp„3ëÜHG¹çòšu¼ÉÅQ›8Ô%âÛU†w>ðÛg�ã‘Ûˆ}�­H}öE÷2OöÑgí
-‚7I•{œP¾©3½¥Œ�/Ä[Ö[ªp«Cƒ’½f±cB8|*×vÞ’(2M´:G‹çeƒÀü‘H7þ5'is=½ó{LXwÜëiì>Aº„ï=Ëo?F—Aµb©�ÜħcL·¼ž…×›ÂY_‰g Ï¿¦©èe‘O5ÙÀܧâí/96]d±�ÊPàH]~+B†<�Ô•R–…€
õ\ͯ©sðÑþrOŒ…[’�½�¸m+þ¶ø¶ý©>þ½ØRkn„´VÁÁE.ÉYSssF‘kÿ©Tââ.ŸŸ3hÈŽxÒµ¦ö–Ñ9õd¨HÎ6
-á]ô
-ØI:ý}Ÿð…îŒr\Òv-`÷’¶­»j³œ³·í}
-]rSÓ|¬U]Iƒsuoé$½9¢c÷U¹“äx°Ð¶¾Ø¤Û‹«bÜIÅQ¶?³…á6.S¼à‡n|ÑG{×BõwK�¢»™(‡§òq°4N�qéåé»iÁ;í¶¹öU‘PÈœ¯æxÊ&ô•¤1S¶2�ó¥w\·+zê›DJ´�v¸$ÌLßòÈîk>^µ².L±¿²!ð4^¸“PÔ¿¦.¬äïŸ(¿'Ú¶£Pb¥i‘÷êzÝûDUoÀõQ
-0E†IÃZ^ŠÿŽ¦Ö‚0›2%“ýJ§^ˆVÄÉk"y
-4ÑÃ¥Ë2š=
¥«UkW3G­{—ð̪K¦¾(ÞØ–WŽÓÓ�üý®9’ã‘<džâö—ŠäÓ^Rƒÿ°PŠÊ·Zl—›Tj­5¾9.¢"¥³f>89ù�IÆvp3Ý�é9çáCDq
	€¯¹/�W4=¹¶dopso´�‘
‡À1¶¬´’møÚÉ6]ó|"쮘V»ÃJhO5‚°2ÓË�±‡7Nß¼hC;
-®@ê#^>«\×Ȳp‹Ç*,	A_Ó�ðtÅ
âqÙb1?&}=Ä2ãÒ]óð€ÆžoÑG¡PL.]Bª�¢E3ý7z®Æn¸c<®žepNwd¶\ñú"¯kÑ�;ïX¨‹ЀBgN}®²ûàóÃÌ�òhkrŸÀ¶Gâ{°l:&j‘ñ™û
^òÕPkNÉ«±L�Öñü«DÙj‹+Y9‚dÌœòÖ„Ê—6<€ôVcŠ§‹Íš‘Ýþ³¥SÕsiÚÚ¤Ûò>vü[Âë
-Ð"$©p@�zŸÖÐGƒ›‚·^_fñžtDPiÂñøËɘ.yÖÆÐó†·ÅDã^!¡¥ 1âóÜ,óšªiÖc.â4£÷LÛ}cN6\ÈÛ�Ð�C•Å?ÐÖÔØ5÷Ü tbgipO
‹¹shÛtƒt{J'uYÌ„ÕÑ’Z6è�¬wßù/NÐÈy0¬Ö‚;g‹ÖZ0….R;
-*Èí­´âT¸žfWÓ�3Õ'7)ÔYß=á!`ƒSé‰7ˆv¤U¿È!~{£Ø1�Çœj÷àºßŨ�žG]¬ßg•,½[
W,{ukRÿÔj•Å‚�èÒ<’…æp_íÖ©ÛRV·((þ22ߊvóÇÝl.ˆÏÜs/¬U¡¥&‚ko¾÷ñ@ÆÇÊ5V…jj¬a
`N}ÕÆêŽáOú
-–ÙýÉvuöù‹ª¥'NP
-SèÇ´FÞ¦…ÛÏÎ
š13±©É'æztƒÞm~ ¹Hº&¶Ñ~ñÍhŸŠ�pu¢�h^Âc0xÆ(ë7\×�[:‹¶q¢Íš-µj“’"z¾r§YJ÷-Ù6ÔïnnÔãõÍÌI·n ïS7ýö4¦¦ì¾•ôÈ@؈F9x&«sî|×`pu¡e
F`{i~¶ÙƒË!$jmJt†œ/üaâ\èÎÅNià"û*±z˜Ãt3¬Gs€µ/Yn ~³1&¾âÆ0tYœVáqð(ê™w†—V†Ÿ÷ :·ÉóÇ�otxøí…*˜®ñ§õ‘á#Ms9½C¨9ðtIL�³òXˆ×íŠçÝ€îWÞ«�Ê.­’Âå݇Ӝ,7§©Ù7‚ÆQƒÄéèd`³Ú³“t÷¾k
œM÷ûx}Pïïo\5�Ö÷ôC§Ÿ®Z*ïÏkm Rã̽oÙ°?1DêñeÄ'ŸÆ à6…©jb6LÒë¦Xšá|—?÷tKÒ:6™Ëühï;¬p€Gˆ*z µ-Ox—�
oÂܽš°¶çÈÝÔÆ	Ñb„,I­£±½é¸NiÉõÇ{^èd–PL[‘îc±Ø™Q¯dZÃÙ&ËŽA¯î/Ú;�!òùpÁBßÙs�ÝO‘΃3ײ³2¨%ÖuzøÄ[cé‘Ù§‰ÂïŠRfUÔgçúW·­ºì;§Øø8ÍLŠ¨ék˜"­¢¬tµ2¹ešòK¬ Á¾9c$rMe©€€Ô˜6T¡Ð‘1­QçTè{O–ÅË]Ñ’f³ÕÓ9�-©þR[0£Nk¾·ýµ�„ŽÏߨNïçÂ"?Gw~\“¬…XH”ã\�lã¼Å_¡’”*G�wQQBÁ9+§ªÁ¤�Â¥à(-n›_Òx3“mì‚gU‘wµé�íâߪv6ºÈ¯pÓ[óæ¢I´2Ö6ß ‡
×ÇëŸíI�Gûƒ—e<ªð1}xçªÀéž~ôá*@O€ô…¹É¶s—ê>‡Ú{#ØËz߈¹ç!žå<×Ó‹¦g=‘Ñ�GHö'²Ôe	ȱóŽõµ“:…Ÿ‚ëR,q@�õû´ùüqhŽN\VeÆdh�„ɘB™Ám*QZ!cJeåMj…Ïòá#éå8;¡H‚
-¾zT…¢gôOÿ’‹Óo0-šÎ०²Š˜hÈ�›9ÉÈ%m-ÜC7‚µ$©OãzAp9%mëƒf7ìÄîâºÞNÍíOKB¯Wˆà/°´e¡ìÔáo~f›]{ˆðEŠ˜*ƒ�ûN·G®²ÎÏ«Eô[‡ðQðu1ªÑÃ(X²ÁZû¨Âx5¤ 6™œ¹¯$ß's.1߬)Ç^r‘�au5nUG‘áŸÕÔ÷TÁzÀ½¦¬ÜÌ
lé�Ldi\”aÐZj(ô ¬õ\œñ,ôS–W2�ƒo³‡CÜ�`e­æí㦃F$êuÆ�z�{†ÂÎK!K#$
-bÉbðúuÙ9ðeÞWsS†ÚINñ­E$Œc�D3>ä:ÝÔ%žÐçIr<Û½;åµV}$1â°ðô£õmõ“¶)L£BòùP-PîÀ™ÑD|=ÜF—dã;õ…R^jºßsÒcþRÖ'šîϳH¥¹¼+jìF+ò˜ªB~ÈCgÙ5ûë	€UÓ(6û˜Ý#̼vÀ£Äòq¥þ…äž“ZrtjŠo�e|‚+ gÈb
�ÇXxÞÈÍGŸÆÜ/bøc§èüv+ø²òkbˆ BFÛ;l'a¡|E]éü×6téC¿×0q‚M™±I0êÇ`ÇsZ+£.ÌgŠÊ)ùcs³½-ãVé¨Ý³·††²¼&D̘ô”@¶Ý”ï³Oœöø]¥ÿ]ƒÒ˜,±Î
-qœ
-Çp\=Nü¬4··
-d;uÌ’‘ÜsÛ„÷_]e pxßÁÀ:Ïhâ�î|k±·¾ö'nTdÇ2å2fu·0¼e}XÇc*IÃoô}xFe6;acÑÈîXúúË¥áær,–êœh¤/º9;`©®GÅ–°
�,ÓH>%Oà"û|?éJ3iὓQ!Efb«èDCõñd±Mðhˆ–Xµæϸ­6ô#ñ†l»È…±ûsLóæßgél;µñÌ#%
-‘¼GøCAÌÑð}¾€¶6Ç¢³V»þ\ƒ	diKB´«Ù�Qïè.§~Þ‚´ÈÌ=ìäm’yS$ý-Ñ¥ªŽ¹P‚�´)keÅÓnM¡Gã¶Ëu·5%¬_ØEçMŠKÒcƒ†Œ8î5€Ã|5wìóµ Ô"öů£„²3ÇŸ�³’œVÉ÷
-žóø.Ѩ\éd¥(š˜>¯–LãPÚ Ôš3,¿Ô16še¬»Û²˜BG»O�åÜÏænP�ƵW‚®eoÁP×½'”�@çßÒKLýº-/ÞJ[ýŒxw]öG8förˆVƒÉsvÄþh;Ìšé£HÛF�Ïæ�8w&_a†¶j¡ã÷q´r©
Ý}~9ÃQ‡³¹Ã
ñQËöš‚¸¸ÅÒRŸv7Ý/샃ð+B­gN2ãâjÒz	ÂE‡`õfQ•8{Æ
Á9û»¨½qN5mc¯
gÀ<Åj½`ž@.vS;눂DÊknDÔš™˜�±ºO�ZÖµÜÑ–HJ”ää&¶[óX=
-<ÊîòÈYŸ­ØìZ
Ê£÷íé™ùÈ�TxÇSêhD¯Óe{Ð’ÖMÂÒé*�’­D#ôTtهͼÔ<~WêšÏ¯,Äѵ—úHLÆücœcyµ¼‡ÅÒîÇ<Ï	EÇvž¹t�ú“H;:±[æ¥�@B³CoјI3åÕŽ+´s«©Æ?™À“0�”VðÍíÉ ¾¹Ùì�ʃ¼ãA�œ'7¶ÆÁ&¢GL6öÝ¥
-Õ.¹YO¬êªœ©Û×™¥
o;å
-ˆçŒ¼™¬ï›»E|ÜÌÐðXuãý–üÂ˨µÎ¯ˆr ‰¯ûV™�ÆZù
-ÙòsøeìÕÙÂ1Y¤t�Yv~
-³L7,òH
-É_AWš…*QÙk4‹†ÊSgïë}“æý
ÝH>•b5?þ‘ÄœbÇ‘þ[½²%?QÃÔu­2NѼ5¯|F„=ktåÂnïìÈòæ‹ô'†<³Ç‡_Æn|Vœ	“mpéU÷YX ­|NHô¥kÊ rO6ágÌf
-SS˜K"
-Ï~~C®x®'ñ0yÉ#ñÚºƒ.UŠq/öÑŸ˜*Îö¥ýµ4Çï`àIm­Š´¦Ç”Ní.zßF6ù‰‘¡Dž³�¢,t°Í(¸™8é±%iXK{Ëlò\‘Vñ}g
x7wÏbðb¬½‰jÁ½`û'ü�Nf ÌB Ì´Ð¯1fBÈŒ+%¹7¾CäKvÇÑŽŠ¨'¶,³jvZÛÚ•¢lD¤È½Å‚…U?/rªìuGш¤59+òúøF´'Éûu£÷ÁO^C.¶ºó×?D¡ú
-Ë!«O$!*_—‘}	qufÖä­2¿ÐAQ”¤ÂâWH,‘Z8�gm­ÈÞ¨gA‘¸¶vaõÈ”YÖ¹›‘k (
-á�„%F<5Ÿ�¼K»ç´Åö Û3Ó΄ÕÁŠÂ~çD7/âšÅ	Œˆ¼êÇ™©E½ŽîûFí<gðSL2R\”˜um’|Ø¿I"-‘Ê�Q:‡‘w˜°ƒ„~U—ÒÛãäÚ"(ùy—k1WÀqr±·}§MNÉðÉ�†a0’~åBnJèÔ$¶\
áyq!~Y!Ê`Eõâïá$ìµòs¹íÒfØT\à\þL
-Pb”<pÂ*1oAjV±üVªñÖÃÚt”9oÕ H½”8OÝ#q‡æ€ÿ÷	ŒÚ‚€@·äV�̶xxOždhìQ[Îÿ_¨£òDà1Ös?õ~-e^¹Š‡ºêëé¢>3vŽ,€
-Ôù´6Š8ä­ÔÔs‡ÎCý—
ó<n!äö™…ãÖ…T«Ðùê“—J8R…’Ðæ(Qå|?Ç:¹6ê<™úÈüÙ:ò‹G8çü;k»Z[·É}ñ b¦ND‰)�Ÿ_ÚT jÄØ*à+5µÐ.‹j´aµ”n^@ì]•yE}±Ï» Ÿù¬w©…ò;ô'ÓÛéû#N䪦(…Yòg�v�ì™%c·ëµIˆÛÖ$J×E+¬ÂVbx*5uÃl}¦öKZ#Èóq%ñ­Ü72ŸÃ‹øiXu€á•©~Öá
œÑð\?"«§Ó-ªˆ„ƵKÑQˆÔÀMH@}ÎîkVÉP" ñZß4l§\Ê7w'œˆ£‹cÝj“Ô½?P…qƽ¯�ÝÑtךY{;¡8FÒ£N	ªÛÝè&~GýI¤ò’Á-M¦Qìb
pÚÀÒ”{»äüóMgyôجؒ/9…Áj(—¥x1ž}*Ú•ò£"jðr„-!…ÎÂÀ=ûð$eþš‰¢©c@“ Ÿi.��÷Ñ6*äl
BK±cn
-‡fð¦ZUiÎã0$¿Ü|MïШC¼ìí29†ÀeðOµY(FŒÔ�³ù-^¬–ŽŸ>Ó:2±èë5/•l†%†ÖhCÓ˜]¨w'hX6Í—¹Sº†U¬Òú|“L�AÒÁcçpÏ:i³ˆc¤ÖûúÆIX—m¥ù|(Ÿ:²�zS¶ÃÁ˜¦ß–ãòßÆîÖjb-�­
-ৗÛ"ÛX›?ÕSDâJªÌGú¬Ú‘o�°Ùð¤®÷ÐȳžñÏKv×F$-ã`÷5
-a�-‹Pšê�Êi^(5aò÷Þ8œÆ—†rmëÜ0Û™//UªŸÑbVPp©ûÉ`i.‰ –§Á’¤Þ¡áû	ÇÏ�º»ijì‘"f[ºtköÁŠ”È|^g†Í„ZÏš¥2ÝDÜyÓ—À>ü¶6•thâàoì\Á
-z¤ûŠâuÐyçøé›1irÝžã‘é£äX’Eßa›×ˆÕÇ“;˜/¼’>ì[ö±™³FcFÒªgãö‚á‹©G
-oL1MFr-ÍŒ™a=áÖVVF
ÎwÎ¥Xߪâs¿Ü”<¤Ómpö{g~ű
-Ϊ¶yY5Tl�´«œ+Ã2Ê$WÄ0�Ñ3˜K_Óm£âç¡^‚Ü<çëþ,�õ˲
šDÐ)ôà”2Ÿå\[EªâW&Ç'ÒN³…Í(JJÚØ~;Î×ÚÍ+噞¼ULJ;Œ¤3ä%…Óô
X¼©ê+ÎbTØ+E¸¸Ä	ßpzeÅ^÷.Ê“ îìÚA–£Ì‘lH¸“iM«™Àþ(ÊnS1¢e…•,vû©œ+½Ôä0euT¯w}Ý.8
-^ÝúãÝ9ÑF˜.ÛgÛ«q\V�ßr_g|œx[D&w—=€wÑ6ÊÐE�’tœ>-LEøbµ˜öbo…ç
m»7oÕ–7æWÀG»JáoÔbÐ5z^oDB°w\<à /r¸Š\רrRjþBõ�âÿÂ�èù!&†Žh„Ž6‹$˜WóˆB-3ã½ä�—K`­¼ò‡‰”zó°™ò‹N`zd åÇB™�£+sÕýN<‹-8�‡òŽ0;ë)Eµ&Ì.P¹$ݾM€ñ’@ݸ¦/Ã2HœQ…„IJEzïe‚q™ŸÑzÆ-tàQÍÔ¤rÆ‚}ô˜8kí±ÊäXë‚ël²iÀDâñJ”FR‡AÏŽ-H›2²ãXÒç+Ý"Ã�ð�ûÍÓšÿ+;Wó¸_G±.OÒxè"ƒ%u°¯“¿>Wû^ï.7 åòƒ  ž0ôuS¼2 ©'w²áÁ™ãi¨šFNù6ýUv“-«>]
xñÕ—*æ®çÅÔv‘?‡Ýâ–Ü©.M +0·dæ´ëžÿÇTcz¡JÍÜæŒ.5aö$¿¥Ê­°�D
ÜE…q3„f›ÊœÎ.lªdX±îÚûp}�˜•7M“ÈœÀÓªkQ4N5Åç­-…@²!G©¢6š
VœiˆR7\ÐMj„dcäî€doû4�~<”Òe6äm?Ð0I×�€ŒÔK›ÛS£ò£Ê%Šv¥Õï^+„¬Æ³ÒÛø!&à1:¥Çã‚'„D=ìà«&€©IãY
¯€äÂWƺ¥„RÒŠHw²ˆsë.üÙ­gäè÷mïyo�µ©ltx�ebmH÷fïêïo&Hì*âj]
¦Î¾kÒrX›0 —
ó=ø^‡,›�.Âõ˜/�Z—[’áXýõ~™?4ÒdÈÅ7�
€äñq´¤ª^JÙ[K™†OøDÊW÷ãº�ò"îf/’’u.3éªZšœ˜­9µÀµ”…”Û±†mùlË—‡Ï³'´4/Éu×µF�±‹gGŽ‚Ç;`Žøç:í·úGj¹ÃÊH‡Íi¤Î@É÷²ÇÖiFèÅžoºÃ‹…õXWAú�ŒF˜g	=çÇ$¥�¶¸i\üh¸Ôè¢ë9ÃËñüw<d;BvŠÄŸ„Œï6È™*cf[š—ÇImAÌžëIdM8R«DVUê‚ú�x×aÊÁ]Ÿ±þ%ܵ>¹UÇüv"¢îjÕiÐS+�4ã%⎩ñaoä{Zg=!$Î3å�õ1'Éê\ªWä¼sÖ†Ílâ4,N9Ã4¼�½þÄ‚;w ½'U‡z~”Š¡+É6ÉÎù¸©õ—õ€ðËÂT‡4çjôA¢ÞŒ Ó[‰ôïq�Wűd‰¶ÛŸ€¢Kªî1šÒÉ|Ö´øÐÉøKœ-`@XƲœ»Þj”§§¡øð©Öµ„ËÍñšüÀ¨ɯ¡žßÒ
#ZVöÏeÁr²lã[�cѽ·aײ‡xþѿnÊí"p¯½6Ö8wK
-†‚™!Y5ª¬h›Âø
-Ü`¹}ÊWÆÖý&_cWs£åÔlÓ¿›
-.«þvÐŽ–%u‰ ¯¤’¨]5�H4�Øe"›ƒhQ‰‰ôM“ªRM-D>í¡)rüˆ(Ëê­©è¥ÔYÇ9ÓQHŽÝ\(]
-Öð5,(x	J)ÜÀÞÁg0ý{wýçêŒx”
-Ô&‘#àfîÉ×kBq‚ÂõÅ{à1æˆè#žw­KH×\’Ëœ!w[‰‹Ë)ƒ?q[ø,YçÔYÿª²‡¶Ë•:Žè“tG½­3èÔ*þmèÊžÜ`m
-(¯-üü2ÉòFM:ãM¨sv¶Ä÷Эv"¥}
kædJî
-×cºŸËã+DoÇ–ãÉ­)ýe¯¶ôŒã¢—WÖ™eBdeìºf|íö˜-Œ‹Zw�4Vçvž&Ê=®ýÂ¥H‡,d|Làâ�3N‹'¹²,šK°#L„Ô]øm³)n-@Ü´¬N&…¬$ÿÈçÃíKðt|]Øl‡¢ËJ>h–
-’9„©²Í¦i=ÿ¨nuþò©­'x¾N»˜4Õ0
7<±–¹ûIíÓÏÕ=Î)iÇN{à$dQñãTË0¿§h¹kÝçµùÚÒ9äó
ÌèÍï ¢ËG¢�$éðf+vHÀÑ:ÓÝ&îûAoР`ž®³DGO?Ìd¨Î3ìŒ+Â̪Y¢ì'Y"-¨öíG3qŸZê…[|i<B‡{5mäš
i’ù%ù—	DqërŒh¤c碫Z´�BÁGE y"Ïž·Ü‰ü¼ tu¦…³´Ü¸ŒHþ›Zó-%bˆ9S‚®;…þŠG‹ŽÄÇ0¢æÑP±TôÕ••¿|P(×ïVŽ38áôQ�ülõâóüý÷}ΦPÔÃsM’È6¢±dRŒ<ÅBq´—áHW¡°XŽ0ÌQðê5e8ç tKÌÂÔ«UÑ\XîH£WƘŽ+úe@Ã\

-~º8Çùˆê¬ä{„W<:î9ëÏaùÉ
-–YæikQ9èúÞÍ…¬Ar¢$sCK¡¬+ÏHbw­ó¯n‘aÉ çÀ$.Š_ºœ0‡âÐ~jîI²Øˆ!<Ù3<í˜mÐ×µø}ãuÂgü>øb£HÇß·¿lè t#æh'¯¶ßk‘¿�
-ÎòÑÁÌûøjTL,
-gRH`\Âê‡%Aþ‚¸ÿ•LTa†ø¤6T:ùQè^·.¸Ê´DYAž£µ$À<ô{ÃiçŠKl¿XæŠÔÄ%ã»<ºr£²‰ÉÇI§ßðÒ÷®ó¥©XX;|¨‰êbuÊ	X‡jÂÕX£Ô†ØÒïI7Ù¡™
G;³*‡Òe÷ŽnInî‚(¿æ2ÞÅ¡æbE§4!0{šÕ?ÞñŠ”’nô0g™²ä}»O4,ä]Èhö3g"l˜\¡Ì±Óp•Í»6²Z“šÿêŠ/¦¶ƒûeÝ$³®"tÕ¤È:ôƒòõ
‰›îxÿœŒ¥?Àh[MND.ÇðL7|SɶtÑð„ö&øyDZÌû*Gmpr8\UÛ¬gTÀ­X
-h�†“Ì]�õ5ˆ%?»â'º˜M¾×ž/•[C2°‹ð}j…Ž.ˆ&•µ7ˆˆÁ�õÖ
ÿ‰r¸‰*½Æ¡rsC¥‡Áà¼qãl§ž_€Ôv¿vwŒSX�~K™�Ê”	Ç›¸´5"_¢»åz�W‰8L�B‡ôÚÄš+H*Ƃ߯@K„/ë·Á)¹²%Í%]Üå–=È«V,è
­{«RW‚:ik>•HŸSTÇÿÉ%6vô¾ö\áñ-R•@BêÔ“fÊø²øÕUrÇ–÷ëSv¾]õáåG:ƉÐì%*
-ÖäJ¶$÷A­B:{~PŒ­|ˆÊ
©¸/N˜¼wéàý‰ØaÊ9ÕÒ”®òM_u*u~0Ã׊éào‰èX0Êr‡ÖÁÙqh[ýl½®ØÑîáÃe7æMà€;æ,—"íFóTIû ¹²ÐŽ÷_â05#¸.cœY‰]j�˜ª:Ç¿ùö:Qqæ!å½¾iÀÁÈéo‹¡¾{£6jÆÑõ({öû^ÁèéWÝ{ƒHÈ%ŒéK!zþox
  µ˜˜¦°Ö�ûˆÄll¡Y:Ðÿ3ìvz6G0†Ç&QÚ	�äŠ�«‚n‚}uãaI#߃y>g—/¨`.n+/­Ð^q›‰t*+ˆ��âõa+uF¼ý} ˜Ž¥ï>à£jŽÄ˜;â¤ÏLUá�À˜ÍPÒ¬ü“žÖkm"
,Á(\~éGP»Oªt[‚ÜŽŽ6nxf³lTÆíØH�'ºSÍõw<²qs)‘‘Ç~*Ún¥
ÑBëRËÏ++¥È›!®)™øÄ•™þîêñþœCåaIyÃγ<–äxßsG²)¬•¢×®8zÅJäó`ãn©ÌsÌ™æEHœX-zoè=O!�å™B?Êóíwö»
-†�»·=z/¢ÇCï¥ä‡`RðÏ!¤Ù·)žíú!Œ·zÍáí;LZ|FÕGì%«¯ˆÅ�Ö¤H6}+8ã¹ðú¸°ÐÀÑ�/Žë)díˆz°W‚úXƒX¶¾m«Ø½•„»ù5gR›žF¹{‚$³*ú)u\=(Ñ-‚"Ð…÷±,â¢|]ǹý?9¿YÐOØ[L‹&ãÀŸrS*AØ�f­ši
-t)ÌXN9¥D±z¤‰-D0Œ8­àª;ÁEÎ+p“ùhJ½:–Éîföâ}©PýSücd?àó	<ÌÈ“|Šˆîç}®rw‚RÕ:Í�$å·=„~mÉ]]˜RòöÖ„½®íX((—€¶Ä?Éž¸‹e»¿èœ¬ÛXÄ
-Ü�¯*˜Œù¢V}ÒD¦ÿôð£ÎÈ
-}ˆ2àq=G/¦8õ1ÝüÍ/]Z?ó{P>yêU•œµú}éÇ2&@žÊå6Þä¡þ;TÆ
-Ý‚Æo
-©õŠÊ§üyž+¾û™’i†2£]Þá­•\÷¤Mçó:µš•wbÕ‘…Ùˆ×hg¢I��µ#ŒºÛà@ïuJ*³É<¸S!ÙÖdNPÂD )­×cÅkø2æòò›b«ë
-JÎtŒ.a½�AöB¿×n
8b¦”w»VŽn$øÍé�)4Üú¤÷VçËÌ�ŒµµèN‰R£ëÐŪ—Ãÿ×>Y¶5
(QD‰!%ÝH�îfà¨Ñ9º‘n	i’"]Ò-Ý1ºK�Ýݵ÷þ‡÷Û}îù
çÃyžã•�”4|œ"ïñ`Ûý]_€ßÿ¼�ݲí\£$«:ê¯{¶F†Æ»lìÏ3¢?ÑL$G@Öóå×vmôãŠ#Žª×°tή4ËFIñê\é±¹†òã–ÊcLÏBÙðn¶²e™i¤ÿs;<¶ ¼ÿñÏ7JŸ�¨ie/þ5÷“FàEZUuç!í¯îðœJMþ•³ŽôÓ�	}Ëß–~¸
-Âòé€z{JE‰FªM Û„�u–æG0iž³ÍÀ†�^µYkúzþ'ôÍòH¬n“È([ÒKFR}ÿ^÷ôdk
-±5b�$ßì}Cd%#vﱓ*š°ßÉ
‘ú°»­¥8hñÀÜ_Œ»Ð7¥U½2f
-b›oÒm÷ãÅY…½jãnQŒ˜�fýÊm½­�ªm&*þ8”Èç1|ñ˜a¬~– F‘«•¢ûÎòXQ;(_ÆSI0ü+p˜ý&�á¸$BF
-ý1ì_v#ZâÍ,µgªìVØ
-*‹š@i‰úû¿ž8ëäCî3luRŽn£ÒsbX‰É ýÚ�Nã0Lb£?yrK—Søƒ=Õˆ�áÜá@Æ	žÀlþ
 ¦Ã<˜
'•AÅ87gñU˜
-Üxäø›Š•XGŠyº'üá9vµ,Õ½OÓ
à¬KÏýØIC`­”¿¸9Âò§é¸ˆßcZ”Âh.RÕŒI�8¬_$òfIKmÌXró–€àÇêŸ%Ŭg”ÆÂüˆßY'ºVR, ¨B~
ÐÔAQäϲ¯u£s¢€Ý_˜Œ\@øt-ò©Ÿ’>ö‡Q÷FÉÎUŽ«l$Ô.ËW(¦8*³Ÿ{>B7@-7쑘ôy™Ù7º!„³¶QèÌL}*Ÿ$‚WVÉÉ®š±Èñ×´//2ZA$¼�§¥ªb;>~T6EÕ<Õ¿¿Vj3ps[‡Ú[ë�#.JìñåY¯ª0ûì©'™„±ŸµQÖ8}Q¥ÞÒš½.H�Òý¤ñ‘õ$=¨â¯oñöaZ]‹#6ž/¿¦Ðô¹e¸ÞZ‹ÇM{ªh=Hp¿œ¦-Õôš£åežÂúz‚€ÛÆ«ì(Onû�÷söQY²æ‰Ï&¡I(Ja]�U›-fø´Û[ˆÿÞóݦ6vº%š.[Íá§KpyJÖˆàêh2nösjJ,©VŽ&EͯU¨•x�9øW+0éOžÜX‰3„\
-‚¾¡ÉzŒ:s[­+ž:[´‚r7À«_ó熈ÑFÂ2Õ:¨Ù�˜-Aè
-œÆâO­Œ,Eß�÷�;XM«âU†æüìeçÎ&¾¸cë2“.D£T�«h8&Ëe7nV"ÎCøpÁ¨Ö#}&_ot-ç2ÃæX�L¦ºŠ�ðï"’‚Áf&ѭ탔w¤éʼŽE9Ãê¶Y|t\dà=_©Ÿiµª¯9ÅÝU5½<}âoCʬe±É·mQJ_”�–õx-�ºDïä»3¦Ÿëï"‚_
-{8þF�ÑÇæ–éì	é–sE�cø ôc/
¥Xne­£ß	Ip’XÌ,X§x©o�ÞC§C7}yñ8㟑KÓ•F<Ø—¶cÚùc§>É÷"ÊåæÔYxVì#³í³9y«bTjýé‰NÜáù„…ª�jŽ\«WÍX!Ì[Ê뺧b'ÞŒÆ)<$1ôÊÚ[,à§	ƒ@ŽWÃc3/—°WnY"¬Æ4áé[_Šüå–#xÎöf3I�¹[V¦;ñ²è2f’a_ÏãX;q)ö�&Öö4FØ…È÷Ÿ
-=X¤9�ƒ:Ø•ñÒ
-†*Nñ(ßc“À“
-ÎQÓp/6è~�
-ê™ã2ú»‚îY$óµÉ•­ßª2^IÑPYm3ïÜÚ×Juý¼=ÕùÌ~9Äÿ	2©”pmPkDÉ�	Ç¥)DcX¨Ù콘ûk*+ÇMCÆ{Ù´~­Íµ)²è5�¿¯ÅL|yÿ1ª5u‡Êë�ñ÷Òc9„ÍrU¶óBDøò3TyÈ嘙	SzH1ß+`Îð¶+§`½°W5Ó㎎²ÁÑÃiÁ™,÷ò}cýö3!§ïÒƒŒ‘PuaÛ›”Ë tòÍ|T\ÅL,p�ÈBHðì9çÑô)8H-ú�äjj*ê=êOŽ
-Œ†<\a/r¼ˆvÈxµfíÉCvP€ÕóuóföÈy§Åm4ÍÛÆajùlW¤JÕ4pñû
Z¢Aÿ6Ñ®–B�][¢µš×´B©®¦Ö
-å�UÔwUMõ»gÕ"&
-C•Á&ûA×"4ÂÌ]iÅÎ|,›ž(mÍ…pêÖ.‰ý³oRŽÕ]¸kŽ¬¢PÖ¡ZÛZŒŽT2Ê©‚pC¯–dô.Rn®f™7£žØær
ðk®–-!OõŽž1t¿9~‚ó–�‰æ·q¼mxYæó”9gK’}ÃÜÕè×å HéÏAf™\pCÊˬM‚._óBâÚjq
À¶]qL÷‡Âa¯¡n—ˆ›´¢('â¥&Cv­pñf–¿�‡OFÙ2ö
-# ð:øF(‰¥YäsäLèÆùxÂJßÓ%ÌgæÂîˆñe:‡¯#0®ÿëÊ»3¯‡óíLM¤\“wŒgßRkHäŽÅ_KØwÓªÂìni–ŠØ±
¨wŠlNþjsßÑ8v<o¸ÞâÖ²ãU8^ë|Wš�
-ÆúÁÿ%ž†ëÿ	öÿÿsK¨«»³#ÔÕûÿ
-endobj
-879 0 obj <<
-/Type /Font
-/Subtype /Type1
-/Encoding 1930 0 R
-/FirstChar 2
-/LastChar 151
-/Widths 1939 0 R
-/BaseFont /HZZZJN+URWPalladioL-Ital
-/FontDescriptor 877 0 R
->> endobj
-877 0 obj <<
-/Ascent 722
-/CapHeight 693
-/Descent -261
-/FontName /HZZZJN+URWPalladioL-Ital
-/ItalicAngle -9.5
-/StemV 78
-/XHeight 482
-/FontBBox [-170 -305 1010 941]
-/Flags 4
-/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
-/FontFile 878 0 R
+/CharSet (/quotedbl/numbersign/plus/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/semicolon/equal/at/A/B/C/D/E/F/G/H/I/K/M/N/O/R/S/T/W/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
+/FontFile 939 0 R
 >> endobj
-1939 0 obj
-[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+2101 0 obj
+[600 600 0 0 0 0 0 0 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 0 0 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 0 0 600 600 600 0 0 600 0 0 600 600 0 600 0 0 0 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-862 0 obj <<
+924 0 obj <<
 /Length1 1612
 /Length2 18760
 /Length3 532
@@ -9130,7 +9914,7 @@ endobj
 >>
 stream
 xÚ¬·ctåßÖ&›£’Û¶mWœT²cÛ¶m§bÛ¶]±*¶­[ÿsºûíqnß/}ß{Œßšxæ3ç3×c“)ªÐ	ÛþŠÛÚ8Ñ1Ñ3räÍ­:;ÊÙÚÈÒ)M�
�lpdd"@C's[QC' 7@h
˜™
L\\\pd
-ŠšRò
+ŠšRò
 P7É;8hôJÓÏ4¢<¯e·!´ØÕv'•”õŠß¡¾Ow°8À\=Qù‘¸ø¡“>Ú!ù¥ÖÇbt¢4‚|«-<=#O<~z¤ê¹�ìÛǣɉ…%ãq�@$�ô³ÏÁÐR«ð§‚JoBÀ»i¿ú$ÔèöÔË##Å%�°–}U4Í_³i—}O‚LoàM”s�lݯü�y=?É+”8Í5—ûµîL&æˆÅÛ„?Ø;kI8“	]O0ü
 ôX‹ýv5�FMç|.òöZSª‡æâû÷eµo®ºG¦�|ß^£dìfÈ婯?ÿxñ¤}GðrçXQ†�•¥ïí«°nãÄ"‘ìv¢t³íg•×ÛudkàXþæš1­´¹û±¢þúgÔ\Ô®:è'&
 yY·ŽeFÞÜÉe$WemDGóÒaž@²§—ñqfS–ô6BÙßõȽÒU?ùÏ ž�RÀ=²ÜçqEË4|Y²Õ7˜Yàýe•çŠuóL*”ÅK	ãŸ	$HÙU&�Ä–ÒòÈõ×€®8ƒw}_þ×ïÝ�k0žGFÔÃó'€r¥wŽ—m�­ølËsöxRxÏ¢ªVæ±Y�D
@@ -9216,36 +10000,153 @@ eËè2R¼ÄûÛûyŸ?à	·Cžtж‰ä€¢rªØt°W¨ÂÃ^Ã>
 ŠwêˆVM¤¬Èôv£äG�Ótøu #£yå\x¦CžšƒÇŸÇ˜ZçU.æ�@ÈÄôÄe²˜=æ÷ÉáyÜuù^é"HÄÇ׬íôœ™Í ®h;@‰¦$ˆ;ï¼ã>ÛL‰†¸æVìP¤ýÄJÍÏD{¤>pV$QJ¬©ô=˜Ð9Úp€Õâ«ùD¤å0ù_‡b>éRêVtÃÖ ÄM
 Úð­,6äX€qÐ-}nJ®k^¨£ô@l€¼ÜI>Œ˜×TqÅOшتxín°úâ…õµ4JÌäÅV�kw¨Š‘þI’€¥¤\°^0Vò˘íep«%"h*
êm�QôB±Ýë“ÙÏXšEÿ¶Éµú0üöA•ÚªÏPbÑËöê6EL7‹:Æ6
 ϥ
-mŽ[A±Ræ¦ØíŸeµ1£¿YÝÒ~kð¢�|Xžë,|@î~èÒ<¦maöè“žÉGJPòíRWù˜ž‰P	ŠïMÏÜ£Ëÿx½qì’‡î“ü\Ÿ,³›}ÛÃë½E#û¼ÐÄ!áosA8G'Ñ´2›_ð‹¿Ào8�V  qqML2ÔËÜIVœ�má\©ü:’P -wÇrµ?
²T§‹ÏlKðKáJì}Z%=�|Ó˜~¹´ê¡¿QL-jÅ¿Vq†/¥ökåàM×±Û÷a”÷1•£Ôq/dWµ8Ã
UnˆÇrÉ•Ü	“6ŸùÙ¥»R̓AczCËSåã§
-endstream
+mŽ[A±Ræ¦ØíŸeµ1£¿YÝÒ~kð¢�|Xžë,|@î~èÒ<¦maöè“žÉGJPòíRWù˜ž‰P	ŠïMÏÜ£Ëÿx½qì’‡î“ü\Ÿ,³›}ÛÃë½E#û¼ÐÄ!áosA8G'Ñ´2›_ð‹¿Ào8�V  qqML2ÔËÜIVœ�má\©ü:’P -wÇrµ?
²T§‹ÏlKðKáJì}Z%=�|Ó˜~¹´ê¡¿QL-jÅ¿Vq†/¥ökåàM×±Û÷a”÷1•£Ôq/dWµ8Ã
UnˆÇrÉ•Ü	“6ŸùÙ¥»R̓AczCËSåã§
 endobj
-863 0 obj <<
+925 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 33
 /LastChar 125
-/Widths 1940 0 R
-/BaseFont /HXBZDR+NimbusMonL-Regu
-/FontDescriptor 861 0 R
+/Widths 2102 0 R
+/BaseFont /XFYNBR+NimbusMonL-Regu
+/FontDescriptor 923 0 R
 >> endobj
-861 0 obj <<
+923 0 obj <<
 /Ascent 625
 /CapHeight 557
 /Descent -147
-/FontName /HXBZDR+NimbusMonL-Regu
+/FontName /XFYNBR+NimbusMonL-Regu
 /ItalicAngle 0
 /StemV 41
 /XHeight 426
 /FontBBox [-12 -237 650 811]
 /Flags 4
 /CharSet (/exclam/quotedbl/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/less/equal/greater/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/backslash/bracketright/underscore/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/braceleft/bar/braceright)
-/FontFile 862 0 R
+/FontFile 924 0 R
 >> endobj
-1940 0 obj
+2102 0 obj
 [600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 0 600 0 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 600 ]
 endobj
-746 0 obj <<
+884 0 obj <<
+/Length1 1620
+/Length2 20127
+/Length3 532
+/Length 21036     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºct¤]·.Ûv*I§cul'[£b§bÛ¶mÛ¶­Ží¤cwý¼ï·÷>cŸóëœý£jÜk^s^×Zë5FQ’)ª0›Ø
%ìlA,ŒÌ<
+o(:¨Ñ_‚ä¤ñOFuØI)Q’¬¥®‰Í:T\+kÀ2ñ´Ò(ÏË2+­Ô»Ð]é¾çAM�¾×Q­?A"tto¯�$ÏÊAœÇÛwÎB�¼ã¢ü1lþUx�q¨eÝÒäöt¼d"�$ÀÇŒ‡™M ,tEÃ2g§ö“0AC�ª•ƒÇ“IyàbL�żê|c
+)/
úh½0HéZ=`|K›@?ôî3Ob¨cËL<Bß1d÷h•ß$™§”±ù¡î]C¶Y™�GOýú!‰�ëŠ.=÷«Ý¹½.oÇ°,½ƒšt­¯”3sƒÆÖ®·qbé§0ŠÅ°ÈDY~–iÃøu(Ò˾‰ªæ³?ž�
cŠÔbdS7sYð§>ádÍíìÉQûcz‹þú7¾cèü¹$	Æ>2Í%—¹ß°%F
+>@í£dJî'�¾T¨WÝ–
’ÆÑë«úþ®@Zl—,P* ï™7o6x©bäÀ×ZëíùOרc ‰^à°HY¹ê¶]¼„qGÝx-
$v·úyüJŠÑ‹lüwÝ„ze|5lÇ¢‰Û&^^Y†¯d¤å¸=眫Ø'ZðþžQ.,°#p¯ü°Éøù¨~j‡|i¯ÖÍ_)¢é<-ëqHb_Ò»S3‚4~«Ò/²Jú
+ó»kœAUyÑ®
D‰<aº/Q߆W}á{N·râ‹0¢ž¦¸2üuŠþK!Ìe§óç-õœ_…Éæé&·öŽtºö›)×öÜÑiÞÜ=39^TùyÖVÑúA`›Ë¯“Š×1³[´³Cr!F\YÔT¯É$0¹âv¬]1¹â2õ¦2˜÷¨ÏQï<^™2ÄH‘,Fð«­Ѐö

�ÕúSöËö$§f@ÂÝ}7EŠqÂl™ûÑ0†R
+CùV¿�·¬�žg&�>ˆ„’"µpVk_í+t·—$ïÒBh�tçß’¼`ª-�‘C†<l®I4@‚ŠÕÆ6Ã0;˜‚û;>Èù}îÒôƒ¡OQN¢¾hÉlÙ‚¦X©ÍÉÃÚ-ðÝ󜚮Ӳå‰f]D–„]fp`Ý
+‘ו‡ošDƒŒ¾”¹�yÙÚ<1Þö÷Š3
+9àÙ÷:Å„Ÿ\ÉFlý¹ŽNÁçµ±½F¥1¢{1I#�ù�#gÐM!Å&Ð!ùf¸¸<:â‘�[Ç‚êÞ
—dx²U�Ãü9‰Åm³{¦¨F�®Aº/b›ƒÞŸ&ŽiÊù0ÆÊ<É{–3Á—)t;¾
+I…ÆÄ8á J’«2ðÚÁF–û†t÷+àK‘D:rtËSα£³ÒFX°Y¿ƒw0¢ºãÎo‰Õ"Ú-P¼L>Vš˜ñפ2 Ynîë|CVÞZsZú Ó†x9�„ĶU&bNž\@š'üýlNÔÞû1ãWÎèjöE¡¬¨ÿI1©~´Ç)¨¥P#çP&¦B5ãrEò¬é&Ü�ìPÿgÖ©‘ŽrÏ3ä5ë(h“‹£66q¨	JÄ·­ï|à·Ë Ç#·û:[‘úìƒîi0žì­ÎÚoœ*3ö8¡|SgrJ_ˆ·¬»TáZ‡%{ÍbË„pøTþÃiK¢`È$Ñò-ž—
r
+g}%ž�¿<ÿš¦¢§y>ÕdsŸZˆ—ŸäØt‘ùB<*C�uù­
Xò4RWJY¾?Ôse4¿¦öÁGGøË=1nI6ö>â¶�dxøÛzÀÛö§úø÷^`K­™u ÒZ¹$gMÍÍE®Ý§R‰³› |~Π
;âIךÚCXFçÔ[ �"9Û
+%Všy¯Žç½wd`õ\¥
+?>Lîw\_¼__º‚+�úˆ—Ï*×5²,Üâ~‡
+ËGBÐ×4
$<]q…x\6_Ì�I_ϱȸtÓ<< ±ã[ôV(“K—�ê£hAÑLÿ�ž�ƒ«±î�«k”“Á™-H¼~„ÈëRtàÆ;ê¬ԧОSŸ«,Ä>x›ºQmMΠà¸ÀöH|’MÇD-2:s»ÁK¾jÍ)yu$–©Ó:ž•([mq!+G�Œ™SÞz‚PùÒ†�ÞjLñpö«Ys%²Ý¶p¬z.M[›t]Þ§ÀŽKxÀKPų½×ÕêL•ªçLý=à'd{ì-¥?Ö­�#†‚­¢E^+#6#–
ñ/–“õ­ñ¼ÍTñÖ<ínÀZ‰/”Ú8Y2ÓØ/gÓAÓ›øæ±,dx
+v]šÑØ}a(ôÉ:eÝX!±«AÏ�[–Ž×ÊÜ’ÀæƹƣÞ3a‘^£ãxR°šË\ì2ª<2€ÿŒÍmxÕîQžæ‘QáE‚ž�È¿¼=±HF,ÃØðªÊжÌ>Èü]¼¾Ø¨ÍqZ\Q0³“×-|/SS´æ;ª?
 [B�«˜jÜë&BØ’ÆIRòu“$€„ƒƒj°�i&ÝY³$——½å£
+ç
¨÷i
¼%0¸)xëõdïIG•&Ž¿œÃtɳ6†ž7|¸.&õ
+	-ΈŸçf™ÕÈPMC°3p§î¸eÚìq²áBÞæh‡~ò¨,þ�¶¢Æ®¹ÿã
+¥;Kƒ{jPÌ�CÛf¯¨“Ø£_:©Ãb*¬Ž–Ôº°AïhµûÞÈq‚F΃a¹¦Ô9›X´Öò€)t‘ÚQPAng©§âÏíÿ4»š†ü˜©>¹I¡Îúîá
+-5ù\;³½�2>V®±*T#
+
+@0‡cz´ëðcL"¸¶©ˆ1tQ mhž7OyÙK/=mŽ1Ü´iüŒÇŠ··ôŒÄŒ%¥”v=
\lB­×9Ɔ½‰ü‘“WŽÄõÝ©s;Ú¾†øðýa_ 7,Z±jg[À6¾bV¤ÊY—qá=›TLÀTæù4¸©ŒZä¹xæÇ©D
 S7Aof„ûoŽ¦¹¶†d¬Å(?#	Í”¡4÷Ú7©¯;˜Ác%$P„P|¹Ú“k½T˜d
�pR(áæÓþ;	@UÂŽåo.P
+·?å?«ì:º;rº¶;(œåÒHBÐUQ%Wy¯ÇûcEàÝÚóÌãÁÏbמgo@¦
ð­q´ÔDÖèÈ'
)øóÁ�«ÄhåHø*²ï›#™·ZÏYHá(%Òïg!›µß¿ûW{|êõhñGÆq¡ÄL»»o–DTèd·ºãú±‚e6D²]�}~Ç¢jé‰
+S(xÚ#oÓÜõçç‚
+¦cô)E}dðHÓœGNoj<]Sç¬<âu½âyקûU�7Áê­²‹E«¤py÷á8'ËÍibHö� qT?q::جöì(ݽïRgÝý>^ØûûWM€Õ}ýÐ駋–Ê{ÅóZˆÔ(sï[6ìÂO‘zü
+I³ÙêéÇ–T©-˜R§5߇›‡þÚ@ÂÇŒçoT§÷uf‘‚‚Ÿ£;?®IÖB,$ÊqªG¶vÚâ¯PIJ	•£Æ»¨(¡àœ•SÕ`RHáRp�·É/i¼™É6rƳ¬È»ÚôÊvökU;]äW¸é­�ysV†$Zk›o��ÀëãõK„ö Î£
æe�*|LÞ¹*p¼§}¸ò× }an²éÜ¥ºÏ¡öÚò´Ú7dîyˆg9ÏÅõð¤éFOdtã’ý‰,5FYrè¼c}í¤Ná§à:†KÐe
fŸvE#Ÿ?Íю˪̘í‘0S(Ó¿£ME J+dL©¬¼I­ð^>|$½g'IàŠ´?"týy0ïù4=:9W8ùÉÝ1Õ
+6AdQ›¹Í,>N)¥Ò©ðOã’ÛÍ·o}ŠÓ3U¢ªõ3“ÏŠC…}àp)Æó
¿a™FK›ó+	•W1{‘¨íœiNŒZ?¿~Ô<îZÛ
×Áˆô~ô}“IU?û
+^ºö*ÕÊ;â˜<\éæj�B† :æ‹ãk‡o™ùžËýta�A=« ÓÔ'ŸÔÐH•ÄN!z^“«ÿw¢ëKËÌ´«vߪý'ZÎØS³_-Ÿ!¡ÑÐ9†˜­yƒ±<`–ìÜkÚìƒ8˹‚®UF¡èýÒ¿äâôëO‹¦3xª©‡ì†°b$pãÀfN2rI[	÷Ð�`-IêѸ\\AIëÇz£AÅ
;²;»¬·Ó@sûÑ’Ðë"ø	,méG(;vø™�Ùd×"|‘"¦ŠÄ`྅Óé‘«¬óõlýÖ!|t]Œjø0Š–¬¿Ö¾ª0Z
)ˆM&çEî+
É÷ÉœGÌ7kʱ—Ed`X]ŒÚE•ÀQd¸À'D5õüDU°p¯)+7sZz Ce´–
+Ý)k=g<
+ýÀ”å•LâàÛìàwD#XY«yû¸é ‰z�p£^àž¡�°óRÈÒˆþ‰B
˜D²¼¾Ý_v|˜÷ÕìÆ”¡v’S|*B‰ã˜D#ÑŒ¹N7uˆ'ôx’ÎvïNEy-‡UI9̽Ç|iýB[}¥­Ó¨�ÜE>T”;pf4_·Ñ%ÙøN} T…—Äï÷uĘ¿”õ‰¦ûñ,Ri.ï
+„y„ÑŠ<¦ª�òÐYtÍþz`Õ4ŠMÇ>f·ÅH
3¯�ð(±…¼]¨!9‡çߤ–�šà›c�à
+è°ƒXC#Ä1ž7róѧƒ†1÷‹þØ*:½Ý
+¾¬üš"¨�ùᶓ°P
¾¢®tþkºô¡�ßs˜8ÁºÌÈ8õc°ã9­•Qæ3EåŠü±¹ÙΆq«¿tÔöÙËCCY
^"fDzJ 
+ÛnÂ÷Ù'Î{ü®ÒÿŒŒ®AiD–Xg‰¸N
+Ã2k}„‡�Œ°±hd7,
=½åÒp3{9uN4Ò�œ°T—£b؆F–i$ïó‹'p‘}¾Ÿt¥™´ð^ɨ�"3±Ut¢¡zx²ØÆx4D	K¬ZógÜ–z‘xC6‹]äÂØý9&yóï³t6�?ðÌ"%
+‘¼FøCAÌÑð}>€¶6‡¢ÓVÛþ\ý	diB´«Ù�Q¯è.Ç~Þ‚´ÈÌ=ìäm’6yS$ý-Ñ¥ª¶™)P‚�´)keÅÃvM¡Gã¶Ëe·5%¬_ØYûMŠKÒ}ƒ†Œ8îÕŸÃl5wìóµ Ô<öÅ·£„²3Ç��³’œVÉ÷
+žóø.Ñ°\éd¥(š˜>¯–LãPÊ Ôš3,¿Ô16še¤³Û²˜BG»O�åÔÏæ¦_�ƵW‚®e	oÎP×½'”�@ç×ÒKLýº-/ÞJ[ýŒxw]öG8förˆVƒÉcvÄþh;Ìšé£è‡µŸõ!qîL¾ÂmÕBÇïã@håR}ºûür†¢'rû⣖í5qq!Š¥¥¾Üt¿°wô¯µžQ8É@Œ‹«}Hë%‚Õ›E1TâìGäìï¢vF9Õ´�½Öœþó«õ‚y¦
+°YN0Û�æxôÞù¾•
·Z1#‘pÐG�)œïò±ž{+¿ÝªjwÒ±E©áš=P´Þ7±ÙÑ[7û¦“¸NYYÇU¸yd
+¢ˆÉd)$±¶Š¸[a# :‘�ÁÜ.‹ÍÉü�7LÓ„�(èòGÚyö é안øžwb�MŽÓüÇÞN�Ëe?ZÎÂfRc¯PÌeš²ªéQÚ"äI8�
+4Æg÷ÎüôL¬¾¾Ò?Âlœ�á6_±Â؈u‡ëî$àÝÌ;ÇDpBÝu¢Cbî›#13º;Ï
+*‡Kò·¶‡;¼-’"+ܦ˳-ý<ÎÈt_üöYëÎ’áBÁ‚¡$üé©Ò.&�>Ùe¸R¸¡3›Áÿ]u7üaÌõñ.R8‹zAµÓãvnXLûçpYTÓôª['ÒøUÒà=|¹üº*ÚÜO�AŒ/–*CØ
¿?CÞêh67÷
Wáïx,V½ªŽ_RÆò^/H–}èÈ;‡¨=+mä káÕÊuS®ÉẇNbnN’²‹Y)êctž-yá¬JHw‡d`‹£Mó®úí}KÕ4¬�«–!øWù…�sYÚá•MS
|•Ð§DNß"æµdYDé
+Á4õ5’KÄó}†#‘.§­¤‹R�‹«
+õS—¸­oïV‚•¦x{ì—?]Ž{øjA}øé{¶$õ†BÇÃh>/o†"U¹»ý´P‡SkwUçn0þ€8âàB¶ü¾F;u¶pL)#–�à
+}c6!„L¹âP’{ƒá;D¾dçqí¨ˆz`Ë2«f§µ­])ÊFDŠÜ›/˜[öÃð"§Ê^w�HZÁ‘³"¯�oD{�¼_7züä5àb«;ýS@$ú¡W °²ZðDò¢òuÙ
Ù‡W{fMÞ2ó¥I*,~…Ä©¹#xÖÖŠì�z‰KkVß�L™E�›)¹‚¢ÞIXbÄSóùÈ»´[N[lº3íLX¬˜
üçw^@dqór
+G%vA)ÁÃ
G¬³¤f‹o¥¿ñ`Ý­LF™óVõ‹ÔK‰óÔÝwø`ø?qŸàÁ¨Í	tj@®È<a‹÷
÷äIFÞµåüïñõñ
Ú1*Oîc=÷Sï×Rf•«xh¡«>Îê3cçÈ
+ž(—NÑÄåi¾%¦�Še¿€Ù?ó‡Ÿ›o†`ƒbîª0Ø– õÚ MR�¾
+Xá�…<§õ0ØC"ôñŸjè(–ŸÚŠeÂÑ_{Ú#‹p7ƒLìÙ5`:ì¥~Áì4«¼„?ãL®Ý8Qó\‡,OÇ™ÒÀ;ŒmhT Î§µVÄ! ¿h¥¦ž;t*ê¿ôŸçq
!·Ë,·*¤Z…ΟÐWŸ¼T‘*”„6C‰:(ç›ø9ÖɵQçQÈÔGæǦߑ_<Â9ç×YÛ­ÐÚºMîƒ3u"JL	üüÒ¦Q#ÆV
_©©…vYTóVKYðçæÄÞU™gÔ»ð¼òù‘Ïz‘Z(ßC?¢1Ý=�žâD®jŠR8€‘%öøg×Èži2v»n›„¸MM¢t
Qd�Â*l%–¿‡RS7ÌÖgj¿¤‚<ÿWßÊ}#ó9¼ˆ¯†eç
^™êgÞÀ
Ïõ#²z:Ý¢
+�Ha\»¤ÿE�H
Ü„Ôçì¾f•%bA
¯üIÃvÊ¥lPsw‰8º8Ö­æŽÚz1IÝûQgÜûØÍMw­©•—#ŠC$=ꤡ ºí=ŒjâwÔŸD*/ÜÒdêÅÎV
+�ž‘�õ÷¦ÝÔÆ.3±õƒ¤9ù]v\_17OnS{‡71¼ôtÝêÅËCgû!Ìõ’+
Ì\\j·Äž¸,1Èßß62–e€Æ§¥ì¶£þ&kL¿ÜêWÎc½aàJÚQà&AY¸Úãt�¼Å+«8•�õà�ZõÐ
³…V|Òœ½ÅÆú¡/½99t<�g¸`^B?h¸Ç0Àûµ©¢ûOÛâD¥¿¸ÆŽAôÅöŸÐˆ"&üÒÙGZ‘úáMŠ÷1Ó.Ø›ÉÕ
+}É6¡©†þÇÈE…<ÊP&öÌ>sDõbÛ_ÇÜÛWp	vµe�>‡ÿö²fßé(!‡°~i0bkzì¾ÕIä­ÖÙ²¥©@ œæ‰R&ï…Ãi$|i ׶Î
³�ùòR¥ñ-f	—ºŸæžæœby,I꾟pXðØ©»›¦Æ)bF°¡K·b¬H‰ÌçubØ<A¨õ¨Y*ÓIÄ�w7y	èÃokSI‡&úÆΤ Kʱ¯¨/ÞQ�wŽŸž±“&×í1™>JŽ%Yô¶y�X}<¹ƒùÂ3éîe›i0Û~4f$­z6n/¾˜z¤ðvÀÓx$×ÂìÀˆæÑnmeõaàtçTŠEð­*>÷ËMÉCJÁ0Ýg¿WæWk¡
0[(ÃL�(”ÂÁÒ/;í�:1JÛÙÞ¯£ùþŽŠ's
+†‚˜!Y5ª¬h›Âø
+’9„©²Íºi=ÿ¨nuþò©­'h¾N«˜4Õ 
7<±–¹ûIíÓö†�÷Õ=Î)iÇN{À$dQñãTË0¿‡h¹KÝçµÙÚÒ9äó
ÌèÍï@¢ËG¢�$éðfKvHÀÑ:ÓÝ&îûAoà `žŽ“DGO?Ìd¨ö3ìŒÂ̪i¢ì'Y"-°ö-¸™¸O-õÂ5¾4¡Ã­š6rMŸ4Éì’‰üË¢¸U9F4Ò±SÑU-ÚÆ
+¡à£"Ð,‘gÏKîD~^ººÓÜÉ/Zn\Æ$ÿM­Œù–1ÄŒ)Á×�BoÅ�£E[âcQóh¨X*úêÊÒO>0”�ëw+ÇœðaÚ¨F~¶zñyþþ{‡gS(êá9‡&IdÑX2)Fžb¡8ÚËp¤‹PX,Gæ(xõš2œS`º	faj�e‰ªh.,w¤á«7
+cLÇý2 Ža®
+L­ysŽ<q›é;u	%ý¡xCߤi67k]|Õ•ðÓ�*‰I
+Ñœ±îÙª
Zˆ¼¿›7Ã_ÆvN¹—Ks6Ù\£÷ˆ[�wåÝ4
+ÒÝzI6…®uê+¤S9ü$±ì
+³î^x½«nŸN)ýŠ‚Ÿƒ.Îq:¢:+ùá�Ž{ÎúsX~²‚e–yÚÊYTº¾ws!k�œ(IÛÌÀB(ëÊ#’ØMëü««}d˜D2è9 ‰‹â—'Ì¡ø´ïƒšÛE’,6bOöO;fôu-~_Çx�ð¿7¾ØÄ(Òñ÷í/Ú݈9?’WÛïµÈßFgùè`æ}ô}4*¦
+…3©	¤ô1.aõÂ’ AÜÿJ&ªƒ0E|R*�ü(ô¯[\eZ¢¬ ÏÑZõçú½á¸sÅ%¶_,sEjìœÌ.�®Ü¨llüqÒé;¼ô½ë|i*VÖŸ
+¸Kþ­Óp’¹«³>ú±ägWüD³É÷?æKåÖ�ôm#|žZ¡£¢Ieí"b0G`½t¢n¢J¯q¨ÜÜPé¢G08mÜ8Ùªç µÝ¯Ýã¤ßRf§2e±;$D/Æ&.m�È—(Ân¹\çU"S#�Ð!=7±æ
+’Š±à÷+ÐáËú­qJ®lHsIw¹eòªzDëÞªÔ• NÚšO%ÒçÕñr‰�½¯=W¸Ë„TF%��:uÀ䀙2º,~u‘\ıáýú”�oC}xù‘Žq"4{‰
+@ûÅ#\t£¼ó�¿º™/K®Ÿ±UgR¯H€d~È
+a«Ç|…Á|e¿g½¯
}ð”uT©ûa3s+³Ì¥•¿½ã1KÇ×1¼tþ~¸O`Ë’tyQ[ýÈ—M!›ªo®J¿¦½Á'‚K›ð⊿Sî|
ÿ˜û\W�Aƒ#‰Å9Žê2]2Z³lp‰Fûû–†ÜûO¯†O
&¤ ÜDpªV¦8ï…ñ™÷óìº
è™zgØùÝg¢‚5¹’-É}P«�†öž/£y+
¢rC*î‹#&ï]:x"v˜rNµ4¥‹|ÓWíJû`føZ1mü-msFYîÐ:8[Ž–?[¯+v~ôðá²›	ó&pÀs–K‘v£y¨¤}�Üšÿˆ÷[â01%¸.cœY‰]j�˜ª:Ç¿ùö:Qqæ!åµ¾©ÏÁÈégƒ¡¾{£6jÊÑõ({ö;¯`ôô«î½A$äÆä¥=ÿ7<‰†ÐZLLSXëFŠ}Db62×,èÿv;=›#˜‡Ãc�(íˆFrEƒÎUA7Á¾ºñ°¤‘ïμ	Ÿ³ËØ
0
+·‘—Vh/†¸MƒD:•ÄÇNñü°†•:#Þþ>PLÇÒwïÿQ5GbÄñ
Òû¦ªð@`	Ìz(iVþÉOëµ6‘
+³ãÆY§uïèœÙ+�èï°9¤- ˆíRUöMxöOþúíú¡ÅsC¨3‚Džú›„àyEà·£¸q›—Rôd}ŽO±æé[ÞÄ™G`c·§;[�‰^L–çÎ(Ön^v轈î½—’‚IA?‡�Zdߦx¶ë‡0Þê5/„·ï0iñUE°—,¿"7ZE�"Y÷­à ŒçÂëáÂBG¾8˜¯§�µ#êÂ^	êa¹bÙø´­b÷VîæלuHmzæî	
+P�̪è¥Ôqõ D·Š@ÞDzˆ‹òuçöÿäüfN?ag>-šŒÊM©a7šµjª)Ð¥0c1å˜Åêž&¶Á0®ï¸‚«n9¯ÀMæW )õêP&°C˜Ù‹÷¥J@eôOqðȾÿçx˜¡ù3ÜÏú\åušà$å·=„þ’»:0¥äí
¬	{]Û7°PPÎþm1ˆ’=pËvÑ18Zµ±ˆ
ÀºrG»%±6.«ßÌ¢8Î8П«woZKÉ9'çêí#úG—ïj²X+§ÃšP8†»Œݸ¼0J…®D“-ýf¸=_U0óA­ú¤‰Lÿé-àK�‘ú¥Ïã&zŽ^Lqêm²ù›_º´~æ9ö$ |òÔ«*9k+ôûÒ—eL€<•Ëu¼É]ý	v¨Œº�_rœ!¬ß§Ìèèn"X[,#ѬR;Ry\³¥»VXÀƒ±AA+w
+©õŠÊ»üyž+¾û™%’I†2£mÞá­¥\÷¤uçó:µš¥WbÕ‘¹éˆ×h'¢I��µCŒºÛ 
+JÎtŒa½µ~öB¿çn
8b¦”W»VŽn$èÍñ�)4Üê¤÷VûËÌ�Œ;µ•èN ‰R£ËÐŪ§ýÿ×>Y¶5
(QD‰!%ÝH�îfà¨Ñ9º‘n	i’"]Ò-Ý1ºK�Ýݵ÷þ‡÷Û}îù
çÃyžã•�”4|œ"ïñ`Ûý]_€ßÿ¼�ݲí\£$«:ê¯{¶F†Æ»lìÏ3¢?ÑL$G@Öóå×vmôãŠ#Žª×°tή4ËFIñê\é±¹†òã–ÊcLÏBÙðn¶²e™i¤ÿs;<¶ ¼ÿñÏ7JŸ�¨ie/þ5÷“FàEZUuç!í¯îðœJMþ•³ŽôÓ�	}Ëß–~¸
+Âòé€z{JE‰FªM Û„�u–æG0iž³ÍÀ†�^µYkúzþ'ôÍòH¬n“È([ÒKFR}ÿ^÷ôdk
+±5b�$ßì}Cd%#vﱓ*š°ßÉ
‘ú°»­¥8hñÀÜ_Œ»Ð7¥U½2f
+b›oÒm÷ãÅY…½jãnQŒ˜�fýÊm½­�ªm&*þ8”Èç1|ñ˜a¬~– F‘«•¢ûÎòXQ;(_ÆSI0ü+p˜ý&�á¸$BF
+ý1ì_v#ZâÍ,µgªìVØ
+*‹š@i‰úû¿ž8ëäCî3luRŽn£ÒsbX‰É ýÚ�Nã0Lb£?yrK—Søƒ=Õˆ�áÜá@Æ	žÀlþ
 ¦Ã<˜
'•AÅ87gñU˜
+Üxäø›Š•XGŠyº'üá9vµ,Õ½OÓ
à¬KÏýØIC`­”¿¸9Âò§é¸ˆßcZ”Âh.RÕŒI�8¬_$òfIKmÌXró–€àÇêŸ%Ŭg”ÆÂüˆßY'ºVR, ¨B~
ÐÔAQäϲ¯u£s¢€Ý_˜Œ\@øt-ò©Ÿ’>ö‡Q÷FÉÎUŽ«l$Ô.ËW(¦8*³Ÿ{>B7@-7쑘ôy™Ù7º!„³¶QèÌL}*Ÿ$‚WVÉÉ®š±Èñ×´//2ZA$¼�§¥ªb;>~T6EÕ<Õ¿¿Vj3ps[‡Ú[ë�#.JìñåY¯ª0ûì©'™„±ŸµQÖ8}Q¥ÞÒš½.H�Òý¤ñ‘õ$=¨â¯oñöaZ]‹#6ž/¿¦Ðô¹e¸ÞZ‹ÇM{ªh=Hp¿œ¦-Õôš£åežÂúz‚€ÛÆ«ì(Onû�÷söQY²æ‰Ï&¡I(Ja]�U›-fø´Û[ˆÿÞóݦ6vº%š.[Íá§KpyJÖˆàêh2nösjJ,©VŽ&EͯU¨•x�9øW+0éOžÜX‰3„\
+‚¾¡ÉzŒ:s[­+ž:[´‚r7À«_ó熈ÑFÂ2Õ:¨Ù�˜-Aè
+œÆâO­Œ,Eß�÷�;XM«âU†æüìeçÎ&¾¸cë2“.D£T�«h8&Ëe7nV"ÎCøpÁ¨Ö#}&_ot-ç2ÃæX�L¦ºŠ�ðï"’‚Áf&ѭ탔w¤éʼŽE9Ãê¶Y|t\dà=_©Ÿiµª¯9ÅÝU5½<}âoCʬe±É·mQJ_”�–õx-�ºDïä»3¦Ÿëï"‚_
+{8þF�ÑÇæ–éì	é–sE�cø ôc/
¥Xne­£ß	Ip’XÌ,X§x©o�ÞC§C7}yñ8㟑KÓ•F<Ø—¶cÚùc§>É÷"ÊåæÔYxVì#³í³9y«bTjýé‰NÜáù„…ª�jŽ\«WÍX!Ì[Ê뺧b'ÞŒÆ)<$1ôÊÚ[,à§	ƒ@ŽWÃc3/—°WnY"¬Æ4áé[_Šüå–#xÎöf3I�¹[V¦;ñ²è2f’a_ÏãX;q)ö�&Öö4FØ…È÷Ÿ
+=X¤9�ƒ:Ø•ñÒ
+†*Nñ(ßc“À“
+ÎQÓp/6è~�
+ê™ã2ú»‚îY$óµÉ•­ßª2^IÑPYm3ïÜÚ×Juý¼=ÕùÌ~9Äÿ	2©”pmPkDÉ�	Ç¥)DcX¨Ù콘ûk*+ÇMCÆ{Ù´~­Íµ)²è5�¿¯ÅL|yÿ1ª5u‡Êë�ñ÷Òc9„ÍrU¶óBDøò3TyÈ嘙	SzH1ß+`Îð¶+§`½°W5Ó㎎²ÁÑÃiÁ™,÷ò}cýö3!§ïÒƒŒ‘PuaÛ›”Ë tòÍ|T\ÅL,p�ÈBHðì9çÑô)8H-ú�äjj*ê=êOŽ
+Œ†<\a/r¼ˆvÈxµfíÉCvP€ÕóuóföÈy§Åm4ÍÛÆajùlW¤JÕ4pñû
Z¢Aÿ6Ñ®–B�][¢µš×´B©®¦Ö
+å�UÔwUMõ»gÕ"&
+C•Á&ûA×"4ÂÌ]iÅÎ|,›ž(mÍ…pêÖ.‰ý³oRŽÕ]¸kŽ¬¢PÖ¡ZÛZŒŽT2Ê©‚pC¯–dô.Rn®f™7£žØær
ðk®–-!OõŽž1t¿9~‚ó–�‰æ·q¼mxYæó”9gK’}ÃÜÕè×å HéÏAf™\pCÊˬM‚._óBâÚjq
À¶]qL÷‡Âa¯¡n—ˆ›´¢('â¥&Cv­pñf–¿�‡OFÙ2ö
+# ð:øF(‰¥YäsäLèÆùxÂJßÓ%ÌgæÂîˆñe:‡¯#0®ÿëÊ»3¯‡óíLM¤\“wŒgßRkHäŽÅ_KØwÓªÂìni–ŠØ±
¨wŠlNþjsßÑ8v<o¸ÞâÖ²ãU8^ë|Wš�
+ÆúÁÿ%ž†ëÿ	öÿÿsK¨«»³#ÔÕûÿ
+endobj
+885 0 obj <<
+/Type /Font
+/Subtype /Type1
+/Encoding 2092 0 R
+/FirstChar 2
+/LastChar 151
+/Widths 2103 0 R
+/BaseFont /NHNDXP+URWPalladioL-Ital
+/FontDescriptor 883 0 R
+>> endobj
+883 0 obj <<
+/Ascent 722
+/CapHeight 693
+/Descent -261
+/FontName /NHNDXP+URWPalladioL-Ital
+/ItalicAngle -9.5
+/StemV 78
+/XHeight 482
+/FontBBox [-170 -305 1010 941]
+/Flags 4
+/CharSet (/fi/fl/parenleft/parenright/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/a/b/c/d/e/f/g/h/i/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/emdash)
+/FontFile 884 0 R
+>> endobj
+2103 0 obj
+[528 545 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 333 333 0 0 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 0 0 0 0 0 0 722 611 667 778 611 556 722 778 333 0 667 556 944 778 778 611 778 667 556 611 778 722 944 722 667 667 0 0 0 0 0 0 444 463 407 500 389 278 500 500 278 0 444 278 778 556 444 500 463 389 389 333 556 500 722 500 500 444 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1000 ]
+endobj
+790 0 obj <<
 /Length1 1630
 /Length2 15892
 /Length3 532
@@ -9256,7 +10157,7 @@ stream
 xÚ¬¹cx¥]³-Ûv¯ØfǶm¯$+6:ìض“Žm;éØè°culãëç}ÏÞû\ûœ_çÛ¿Ö=kT�ªY£æ¼îûZ”¤ÊjŒ"æ¦@I{WFV&^€†ª–²‰­­‰9ÈAžQÕÁÎð×̉@I)æ4q9Ø‹›¸y
Z@s€8ÐÀÆ`ýúõ+%@ÌÁÑËdiå
  ùËAKOÏð_–\
 ø›UY\òßuºZ™¸þ“Ûô8Xüõ4w0sûgKÿÂþÒüE]M@ö.
-`abû·Wÿ²kØ›�mAöÀ¿šþ«�
+`abû·Wÿ²kØ›�mAöÀ¿šþ«�
 ™**À)—PHW£B¢ªU³m·W�ÛÔOrí]VÉ• $«ùqyĤ"õÂzŒf<0ëûë£Îðf}/Ÿí¤>bêFè,VØUd‹ÕƒæÔJlNÍo’©+¬O�XÏ1Ï-¼§c-NÂ1ipÝ›í\AÖ
 úêì`uvdé,RHžê$žkK‚>&Y	¤ºÛ”OØ&â„o™kâÆœm§Ù WëÙÉ
 ¨œ/û«Ð[BÒó´`Ûtä¯äÍN¿GfáĈHªýmVéDÇÏ“Ÿ�”Ä÷¦Y_kÉóÍ+èü1pÇÒ¨å�Á³ñÂjD•jÊ
@@ -9318,207 +10219,215 @@ MIª\ÂuTØjGI-gý�ÂÓ–GâydføæÅxÃÃ,�oÛ.رÌ*�_ùSÕúƒóØCkëÚ™­¨·>]ÙrÿÅ:K¥ÓS%œx
 ¿n$rÝ	Xð�D˜t
ÎõÓ…”2§—n„sÞmOÆ„
 ˆ;²ÃßshuåU9ñÖ�&;y-sõP~K*ªÅz4rnp´�}ª÷œõ)RB—+«å—>¢cI£Ž¹w×	éhz€Ì\mm £MúHþ×<×|Ìï­&‰� Ÿw³s£Üë+\?VË´<=yò‹ØH»M'²ñÑ67Cøoí+A5x5
½·x¯'_Ë
 c!vÜ~óÓ4¶bIpµP]ãH^ŒúÀnkLßYßÙ„æÀ,•‰)tCœrÀ‘Çi†Ï±m$�hýÈn.ÿ¶»öO¿ªWÂ[–{OFChÓ'ž
WùÆ*6L‡1±’g^H]u Ââa3ð¸g@—TÕL_1@d7¾ùÁ“†µ�‹Œ:…‘XF.ÿ§�Òfb1\ÄñSÙ£�Ö®TÁIS ÒŽã{9.´ v´ôPš_$ƒºÃ™.T€Áj”¤RÚ.z�àÂiXÎ^;-”ûkwå0HMKyÃûSc-‘tkâôk'a.*bí	Û¶4ŠdÇ&ž*qÉŸX‡ÒÝÓä"c°4	*+9‚3£
 cáE¢Lg%ãŸïÁó§KíÚï©=ëg‡~Q)œu‘Še7@ô`­¥¡c˜„s2¬ìe/ï´Ã÷
5ØI*·[ÔrH�îD4;"«hntRÉ´c¬¥ŸýÝ„u å{ÿÁØ}hë 
…
-¯41¶{ºQµÚâl·Pãg;‹($@
QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þK
+¯41¶{ºQµÚâl·Pãg;‹($@
QQ~:ú4¥ /麞e„¼æª't“Ê>~œÍÆTÂ={š÷ÈcW
ä­ë6Å͆ÇIjË‚¶{Al ¸¸
²œísè¹”Lª £ÈàýÞùqœöÇ=*Y€þK
 endobj
-747 0 obj <<
+791 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 40
 /LastChar 90
-/Widths 1941 0 R
-/BaseFont /VXUVES+URWPalladioL-Roma-Slant_167
-/FontDescriptor 745 0 R
+/Widths 2104 0 R
+/BaseFont /VZSVYR+URWPalladioL-Roma-Slant_167
+/FontDescriptor 789 0 R
 >> endobj
-745 0 obj <<
+789 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /VXUVES+URWPalladioL-Roma-Slant_167
+/FontName /VZSVYR+URWPalladioL-Roma-Slant_167
 /ItalicAngle -9
 /StemV 84
 /XHeight 469
 /FontBBox [-166 -283 1021 943]
 /Flags 4
 /CharSet (/parenleft/parenright/hyphen/period/zero/one/two/three/four/five/six/seven/eight/nine/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/X/Y/Z)
-/FontFile 746 0 R
+/FontFile 790 0 R
 >> endobj
-1941 0 obj
+2104 0 obj
 [333 333 0 0 0 333 250 0 500 500 500 500 500 500 500 500 500 500 0 0 0 0 0 0 0 778 611 709 774 611 556 763 832 337 0 726 611 946 831 786 604 786 668 525 613 778 722 0 667 667 667 ]
 endobj
-684 0 obj <<
+728 0 obj <<
 /Length1 862
 /Length2 1251
 /Length3 532
-/Length 1861      
+/Length 1860      
 /Filter /FlateDecode
 >>
 stream
 xÚíUkTgnõJÀ+Å€€¸
-æ2�@	Š&X4-."(R’		$˜$ \(PÁ Bå"Pi¥´^€ÊÅ`EÁS#BAn¬\uÝ
ôØ¥?wíÙ™?ó>Ïó½ß3Ïû�óY˜yúè$vEDHi€‹»Ï~�€D2ÎÂÂ…!	í‚$0

-àÀ\ÉÁö‚1'ÿ
SË›»JH¸Ð~1¥¿ð��/ˆz£@„áR	ŒîFEË¥~ð’9w˜Ã—
-—³L	$à³é¢
@;"Ù–ºDðÅ®|ÌñäKØ<€	Äð"‹8Ë­`ñ-!íbyøîñ±y3×EÒâ‹${£Âa€üN½Xƒïj,%”/ÈD2Ä„Øûö+pÙfŸ‰Ø‡/
-
(T{
-‡� ¬¢1 Àq`
-T©)s‘›ò¯5”ïØ—Ëlòi~àpdÝLãË$+õ7™•žæ+M‹zç‹+
-endobj
-685 0 obj <<
+æ2��%X4-wDP¤2$H20I0@¹,P ‚A…ÊE ÒJi½
+& X¹ê
+ºè±KîþÚ³3æ}žç{¿gž÷;ç33ñð&8²‘ ØŠ	 ¤N®ÞA2
+WJ}áes®0›'¬d™bˆÏc9
+ƒù0@
+Dƒ
+Z$eñaÖâÔÄ‹ì2AHAXæðŸ 2ÃPˆóaΟaë7ðòÐßᶡï
+ÿ®~çœ>#†øEõ©ƒOKëåÚÝõz î®»½N™/
+µÜ:4Ò(®’+³²Zîñ1~xܦ£ûöÞÒ‡ñ‚÷t¾ýÊ3 —á9¿ÒÈh<v-Œ¢e*뢙yà%suùZQ‰Å&QÉÅø±DzÿQ°êFgx_5žq8'–9ÉLÓË
¾š
+!üm94¡�ÜÜ—=7âjp¢ŒûLé^g_]flB쵧%õ„DàPYR»rÍü
ëÀÎCûîSŒÃ㲎„�™xh躗Ë.Ûk'$Ô\—-”…ÌîЉМV*¦…­FÔ�=2À5½[wì™üPûR�×ÈÉ?ª)–’Öokö³ïOWûlz�yàYC?÷£ÐèÎú©_†çÍVS¹Ëúä—pïç7J¿üñ·¡ÒÉðõùWoʯʉ΄։Öþ›E¶TÅÑ“Êk•×Ç$
7ìÍe$å-ŠOÂé,¶ižï…ÔË*‹GUM�=uó)�ƒ¢…0订êcú<Êyê<^a?YYêOÿÔ{߯qT1ç„ãó_N’^'v?רk••ù2ªR¦¦K´Z_oõÈjrÔ“ÍYY2(Õk$ûš	@šÝî~Ã{8sç—Úµ¬÷U$FÛéx7:á,?ÔyòÓ�æݯ¸ùO�iD§È‡‹øÄuþ÷T«TêSFaô{ò€Š1b]aÚù_Ýv*S’ç#¶ä]k¬Øu �ÙìÝò€vlÃlÓËDÕ7™U¦«�‹ûJ*
ƶábuÁÀ$ñö²
×p}Â(�5ñiQBCG¸ÇÀ\—$§!7!ÇM~9Šœù¸)ökµÑ)Ç÷D_uo€£ŒÚjnÿ=Õáh׺™;wáÔúBÙ˜‹jU´fŸ�î�Nç²QÝÖ…Zöî–[£!CŽWµ$Aü6ÍŸd‡š@Â!ß¼tÍ›
‰ˆINzÀxwÁv}ÃuÙF{I¾?>¬iÿ˜ú`v«ç íøT6Ý1¿é0S x}Î䇯£Ž¨Fü׆�þÜ×¢¯ª«;rª³+Ù7ÖÅt®]šrZ9µqg{7áø®l÷GÌ}Ÿ3\NkôÏɵV'•Ç²;Bêmиƒ’ž˜l/�^·`m`onç=òøàþßà¢
vuC¨@h(î_<þuendstream
+endobj
+729 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1942 0 R
+/Encoding 2105 0 R
 /FirstChar 13
 /LastChar 110
-/Widths 1943 0 R
-/BaseFont /DONUHS+CMSY10
-/FontDescriptor 683 0 R
+/Widths 2106 0 R
+/BaseFont /CWTQLU+CMSY10
+/FontDescriptor 727 0 R
 >> endobj
-683 0 obj <<
+727 0 obj <<
 /Ascent 750
 /CapHeight 683
 /Descent -194
-/FontName /DONUHS+CMSY10
+/FontName /CWTQLU+CMSY10
 /ItalicAngle -14.035
 /StemV 85
 /XHeight 431
 /FontBBox [-29 -960 1116 775]
 /Flags 4
 /CharSet (/circlecopyrt/bullet/braceleft/braceright/bar/backslash)
-/FontFile 684 0 R
+/FontFile 728 0 R
 >> endobj
-1943 0 obj
+2106 0 obj
 [1000 0 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 500 0 0 278 0 0 0 500 ]
 endobj
-1942 0 obj <<
+2105 0 obj <<
 /Type /Encoding
 /Differences [ 0 /.notdef 13/circlecopyrt 14/.notdef 15/bullet 16/.notdef 102/braceleft/braceright 104/.notdef 106/bar 107/.notdef 110/backslash 111/.notdef]
 >> endobj
-681 0 obj <<
+725 0 obj <<
 /Length1 1616
-/Length2 25291
+/Length2 25334
 /Length3 532
-/Length 26183     
-/Filter /FlateDecode
->>
-stream
-xÚ¬ºc”¤]°%\]èª.uÙȲmÛ¶]YV—mÛ¶mtÙ¶ºlÛÖ×ï{çÎ�ug~Í7?r­çDÄÙ±#ö9±Ö“™$òJ4ƶ†@Q[GZzN€Š¢š¼�••�±¹­4�¢­µ
௙š„DÈhàhnk#làä¨
�
Â@#
-
Ó¿rÐÓÒÿ‡ÑÜAÔÜh,oîhd01°úÛ§í*6Æ@{+sà_=ÿm%€†�žþ¿ù”ÍÌ�,mþi<˸€6Æÿ�û_‰þeN'«"%$«Fõ¿ÏÔãäÿjï¨ìf÷—Úÿ(EÆÖø.þA´uxÐ0°²hÙ™þ^9F
-4‚^ùckÄh‘š‘æX‹ž34!¬Õ×Ã
-¥$T³ØÄ^×âs:‰¿�„³Ó�t»©È i+3«0�€Ö~Z¦Ò‹Áº*ã¹®.òzbdÄhn“<£c¿§¯
-ë³ü>Ëä1os´˜™(ÏÂß_�Ø⟣
-Üiv^ëå‚áßcHdð8�âzî‡ù&v'ö@¹v
-Ý}�ÈâJK3�î„ÕžÖõlµüÁçÓDÓRfd‚ICÖFJ$GKó¾¯D˜ü‘·vŽ+À$kPSöc«¶U|R·Æ
‹‡hX'œQýSÁàØœ¸5£
-•LŒ{Œ›h1X+ðaÃ1©GÌ$“ñ¥l&HÝoÿÃ5Ÿ©qΧ©uAÑÇÁÛ9+�.ÅÌAK¯lrD‡2||ÀÞ�W™òqoÅU{´@ÎÜ^ËÜq�øHΧ6U½SN0}� ì Šz,sE¬˜¶a;<Z�t$N}Dzë³õPô:–šÕú.� Nž³¤Ftȥ͜hR=l>eŽE/Í:P–ÒÝH“OïQ\ÉŒm–Õ›ÝèIY湪
F'}P¡Éô”ÆiR¤ÞÑî	•¼Æ-D1dšMZa·ø»ooÄPe0™ù{à3X|ªÕ(Æ5rcˆí“ªCch³Áó€n']íõ%®$Á÷pÙC$äg´ž/qº–Q„¬{kÐÝy¡	»ä(örïZÔ”*"ILÎÑŒè¹ÐbG. /“!C¡U†�RmÊfB,@�²¼NïÊ;�ÉE–•@’O}64jÂ(æcŠ
-M
J9‚®»˜=¾EMì¥Ç§SëøüªæÊgg� æ·g˜èô\ %#B9%´®©b]cA=Ô
-‹“Û,o2ˆC½³Ò=ÙÖk•/ØØK‘ÕœƒjŸQªÊ„·¨Ãy
-@†Ä¿ØÜôH¢ì’×Z²øPAçGÆKX•©Èë7ÿŒQŒ±f´ý1ÜF-Ùw|¤$»\ÃD¿�‰x¼�	�È€Ñ"õ†t?oånŒFÖÙ»s¤‡V@•RÈ2Sx	�p]½ùö]¼¦ÊCRë
".zî¼å§ð©PGŠŠÔƒ H>öé%WÀD|rÀ©ñËE`…zôGfìí¢t•„9—šÏ¶3Í7„ ir6s¼ŸÏ‹¼Á†(»µ›œM•_Ï^–8%ÃÒÌh<TÏø<G‰& žÕsŠŒ�ï}x4ž"Ø`ñ ã?�70„029t3™aŒh ~Áع‹&ì*ÇcGí\¤Šn
<_‰HB÷nV ^?z^
6~pÈ“!Tþ(Q4Î×"‹>§Üs:�	žlwÇjèQ›–óž…-á’æØŽ¬£öI:(i>
·QÄJé|]ˆgZC—º’¢0'¡Üœó7Á¿�†pyfãÎCûâtˆí&ž?¨Ó[åÏè˜�šç>÷bE‰ÌiòK)¿Oµ…µËÃmžÒÃúÔˆÒÒ³ü}'ð–�ixiªûÂcá‰|^"íÆÅ�>p&Äñ�âüGÚ:[>´ŠX>µlºZ‹ÿZ9Ð[:ž}€Àe�‡Fk;èpO©¿=–�õySɱ¤T‰‚í)Üs<ZvkHJÉ=žEFék
Ê[} ´ÇHeˆ"y0OÍÁJzÍ
4M¬˜×Ír|L_hàüKå[ÃÔéê…ë˜Ùc™ØSF¶Ñ�ò]ö™c(Î=©à=�ñÁîEù©y†øÏ$¸«]K¶ç…­ðšµ¯Ô>m%¾äËï¨OZ¥8!'Ú7�6
ÅuþöÍqCS)	(Ág-˜¾"Ÿmå:�ºWV¶õÇ/ã|ÅÂY¿,F}ØÛu/Ÿˤ°�¨570]ç4�eCØ¢Yøí–²	ó—Z
-JëØ
-{Œ¥�«KqHM+~ÏBO¨Ÿ?oiµxÍ+«7g7[*‰F]4HxD½I·È-÷€ðÚѦîº-v€á*hûT°ž½ g$+ªíá?t�"+<äµ +zÒ´ÊßÇKÙ’«fÍ¡Ù”ø…È^fx—wÝ¡×Ú‘Q!·úwxm$,
ãûùyïìC8@„S+®dtóWÚ³æѶ9ÊN-*h³ÞºE¨‹@­åðòuAIÒØždé°&#t›ÿ	xªÅæQ§„
ó
-9µÝ.Ý
0{Z[Cdiî×É!âOø^)kUIÑh�ä�ëºCiµá{¾ç&KÚéçýoû›ÆîZ—‰ÜËlÓîÔù—6lÂKR:¶;y>ñuju¶�	M¯²á3Ú©*cð!¼cpäï ½¿§$+7æ,ÌŸ; o&ÁÈb�ÓZlÑ~ËwÔ»¤¶”Y¶ˆ~ÂÞÉ)X‡[u­çÌSX‰&©ìÈ-D rÄ-‘7Œ¿îV5Û—nþÙÓž­ÍÔÞš£÷âËì›tŽƒ‚õGQbE�ˆD�>¤*꯴Â[@ÁÖ5Ƥö*>›�9%§úýDHÔy	µff3@h?L;¬îFÂ�ð¡Íϸ/;*s ˆ¯cOåU®BÚ½/âAñ�.k�þÚ	sHFC®Ü¨¬J½¯1þFn^×áöƒ¿¢
WW�)ËNV¹ŸQO‘Âömœi}Ü8åÑñ¶;áî=Ÿ8;2{¶†^ÜóJE9£n(tòx~�˜Jþká)5þ–ÞBʨnŽ8Ʋ>>•m‹jS#®YR«—Í´…Á­‰�Ù\ñGkï¬1_d:mN;ªž‚˜"a’žq€‹©°Ê?ÌÐÄ#ìÕãÙ{½=#Ç™‰¢Òò�¢äè{¶Êl¯=¨çPÒDZÒ‹Ýlļ÷Ù-:ñeD8å=ü*$YTÔO½xÑÜúÜ]µ©ÑÚˆ”I5�ãþ±×©_)ºNÈ3¨6«äµõ«‰Nó"äD1¬ù „®ê0ö°7®<4ö(Ìuæ´SˆQÁ“pR/Á®E©`SŒ^ôÈÅÙ@D‚±ñ–§æxÌä}ú”:»º¶¥uÒpp—§QÿКÓ
-ÒÎ&rs¿:Ÿ°ôåÌ�ÄÜÏV
èy.<Ó!f•ÛËiQØg:0ÖáéãÍs_E©3dΑ¹Ÿ:A=Ë�×8‹´dÍAƒʽïêÛRØ-À×SÄÂ'ãBØ\eá~›"›ÙRrD|©}Ýÿd¯qyIÇð1ó6§µ(‹‚hQCÀÛ#÷œ—é[6ED€ó‹%±˜úÍ<ZL9ÉAÒê“sõ“7\wêm’’¹Ù·—¬˜9ðwב0Êpø¢Ày&NߧBm4D”SD"«4*Èwît�£&ˆÞWÄŠWÈžèHÌËKv3†;a�4¥QoÚ®ÓA.óÎ`L›&<v×2•M\ü;C‰ï!Uê›^e_Å Ú*Ù³ä�_ª¤Ø¶�•ð
-¢á`7
z´|„yð•Ý™íýî�kn:ð˜|—
ý
-ã;[Ȳœ]P¿“ؤ¸›äNßñÕ§Ü
ÿH¬Ù|.´=hÄÎdr †E#†UP�QE^}ÿv€ê¡þ˜(#û¢2ôVÌìôü“£
βÄÏcH®çy³>•q‘óýÁµÚi¦týL6OcG!,çj§eD
­=G83˜ø®eÁ鯑´^4ÒršXýŽ2Nä@È“mï†óD¼ <ÔýÙíŠÎ±6øpv\èÚž”%¦3+è¢W,K…�êÙœçEÛhÃï`vÐyù'5‰$ع$rñ‹’ŸÅ[
-Ý(~®$"·jJZ«ö0V;XÁÖ9àL[ö÷ŽÃ=ú\µ$ÔeKE²¦ë•*VÃ%TÚÓì—£ácÒ㢎¯ô­
�1 6`hÒÀ7>œm¸>/ÿge–‰—�sªè²àÔ2Vú¤yîpwí¡úÜkÆƱg¬¯Ð·ˆ½P…ÊÔÆöÐGWð%!ŽlsŒÒe��£•;‹8Ù1Ëk²àÚ>Ø?Fõ$é;wͺn­æœÌ�^Ü”/˜÷RºñTš„ŽzÇWÒU~WW›G0a–
@8§OQvˆk?UJ_xJ”³&ûˆ#p�;'+ÍUv˜á#9¾}¶Qý•þÇ%ë<"w9>O“d°FT´pü;í�&w°nð-gùo…�ÁŸÒ3íâDã»­;ÖC+Ò¸ïÅf@Ô
-Æ°
-á[xœŒ†÷\KQ}Þ£{ânUÃ{¨ƒÁÅð(¸ixJ
-/ÀÅÜÍôx¢Pt|‚£»ŽPûβJÿ´ÌΧ•Í[…†%®§íßW´¦ú‡Ñá´L±ŒZLys)5œb[vb§�¦ÖKÃB¬ÐüŽÛ|Å2Þ>‚µ¡XÉK©o[rHÔ\ñíq˜²?

�ßyæùíoædÏfN/ÊÎMB-£ÁPˆ,÷#”|¬7a•´“YE8n¤
Hõ¥ ¨ùIHÿD}ž†‘#×Àä:>ƒŒlØ)_Æ1}NšLŠýö]ùNp’›±=’“j	†/Gîr¶Ò£1,Â;c|�6Ž4Õ‘a	'ýq*v¥Ú³§ '|iú‚â®ìL5³ÇI"wè{À,•|XÐì¯/û(3Âö-4Ø—•0dT@N&‚†E|ð4þç.ùiÛÑœÈ1àü[Ò	pJÓT
†šžs;ícñU\�ÂKÁ/m¨@‘§M=ò]“’Jí‚%ë_JXñÒ¹Žìhuó{¨øy¬–z­¼ÍAWô{iaz¢˜š–mŽÜ󺳘;¨2¨/ˆþ/»ÄcÆѶˆäó?™Nû¸°Ü F`® ^å±Z§ô�v»ÜÃR�4êI¯d¸'|ß|ºÐzëÔ%†=-ÉjÅÐÕï¡ó-‡Õ´;ÌXåpMž8Ìæ-�<
-QPÓ-áê“&eÃÜÓªŠ^"q\SVÁkøD÷>©Ìp8ð=·[5<‚K‹	“óç/=¨^ï{"~jhõ^Z	×
-TSõ÷Ò‘òÍ?¡n¢‡	Ì�>bO³3ÙØÈ#wÈVßÊ[½6´Éû‰V˜5xy`ï’ÙFC±èëŠY &�³»ïÙXºÜR>Ñí.Žù’Bpe­Œ ¹Ž•®¶ºÁ¼�ž¾ÖM‡çÃ{‰(Lv¹%Û<ÃDì¼Ù ÑÄ@^m„ï�}
(}屩 A?N'´89�}�¡ãÕ°àahg›ò…NyF=Ø,¨E$ª=ˆ
-‡?wÔ]™{†]°á³Í4jÕâŠ”P)ssW;RëË„‘#•m“>®~F�í&û[¾
-�Êçx™>]ù‘³±”íìÕÄõ3OSF}óÞ�n+QýíPR»Š¦½Ý5­¨VÅÅ ç„þªeh—‡�ÇŠû�Fe]mÿ‚e¤e¤RÕƒÓI¤MQÈ›.·�—~#v‰XÇJ€Ë¦ïu»wgß´»Ù²
-^>íª$¡‚ªN³°jQtˆâ¡'§"»BKº-¯”¬ØfOUÎ51½D:e;…"YE­"^gŽLÖIÜ)Éæ#S|^o´¨/‘feý•á€•‰¶	4ê|¶%ýý
.–î´0¶&Û$LèÐÛýÏk¨MLèOöc«¨ðæ[›L3xÒZsýZ�”Óîd42)wàÐ!É5³ ­%aû+|ã=Ê�.ÜÓ¹3ÜÙ8Þ-	pˆh’•™ž^¿W¯ïEvÃhdBdwü¨øPy�>h†L r%@÷CøÆ#œ(|HD‰ñÝ ¾W6ÀG~ùç+¢m+ç®_#É€'[.ÕF­ öÔ9”f÷iõD
-ÇEE‹S9WM3×!ídòÔmAfoç�õÄmî¦Ð[Òd‘F$ØíRUJt·�äýÀ ÷
-0ê
-‚‚DqÓÚ»uJ‡$m¨Ëâ\5%�wËxƒ�ëá¤ÝŠc×Ãäçò‘ ¾¶Ï
·
-:âP ÉÜgú–ÁÏÛç-R^üÀ#¥w…÷n²Q1šû£ö2ü8
-ßU‰òãTç[Fèš�x],Z·Éðšsðð½Š+šž	ÈS&×9hÁôœp
4mYKØ…Ðl]ë³.)µ~g�RšŽ_•Ÿ(ºë÷˜te“c»¼x„Ÿ×ŽÆ¡â]ôî2xÂÂ4–ÙO®°¤ë梨áq.svÞ}µØüDváð -7—s‹fYn‘iÌŽR0Ö˜Áp§¡G~)!×R%e¼k/“‡£%A0Ê|&á8¬
ºàµo�Œ/t!„ÈÏ$»g¤—«â½Ú'x�Æý+ß=Fœ‘è¦y@õST~£Ì½´,Ò~”B”Ê¥¦µ�|ø2H‹%È_Øò'5Y�h
ÂE8i´ÞÅ ï…Ø)uô_ƒ¯	òÉ`XÇ˶b”ëÈó“Ëã$]TÖHõŒn0F’¯h-òðíìaÝ�ÛR�]ÐÉËæ½PÉ$¯	Ðêm<²ètL?Y=àGWr&`Ðñ°êà8Cº+Úš!xr(<:Ž¶Üº�±‚=6ûP.'…ºŸf
zh?9>^.~-죦ª îêê>.	ó¾_þAC鈮ëø:%cý6{L
™n&¾[™˜â¨†énC–rMÌÒ(	¿Zv›ptúˆ c2{d„q¡D|ýü¢ó䊇•©|„¦3Ì‹ÀŒ¶¹S(·’ÖÿÎV‰Ò‡CýîδÐCM*y]?œeàq1œ®=à¨Ì>xÞd?O-G¼®·²µñ¤ç¿�òºáåÞ¿ï¯ý _ŠS߃Ø#”ÍÝÈÞc³7—½û9˜X'!yf¿ÑìfÝ;ˆg3³Œ0¬`ÛemrG¨^²üzë ÓãÓÉ×e��I’ÚuÓV¨™Wk))5ü÷pÝ3`ÜŠŽâf~€)`â¸ÒÉê¦GñF¬&Ðœ�íçM�ÃD@«UJ¾k¶¦»Öê^ŠdÔ«©ÒmÞ~9OºðQ
†4Â>…£”ÈX>®è8#c
-ÿ^÷É
- ŽM·«*T$à&N_Òò,j5%
-œì_ØË\ŸŽdµíY|ï—ô(®iÙ˜ï÷_<{‚ßnSéÓ7T³®lpá/Å=[ü][Ë6S[ÑM�¹–3$`êMIuÀØR{,ÅWþ¤”µΖg-ÿqjòIý˜=ßôY÷idᜒÑtR˜)¸zéôªóe;ú�Ot+%«Àã†Ù²ÇÙWË7pž>\¦
ÅxÑÍŸ*L³bæüQÄ'QÛ\˜èõžx˜:S,Q@²úIyîÛIÿ�AË)i^í·’�ê#\>¡²ˆ×k¸ôpÀ/ðânoMe�™3²�ÌB¤ÿÆ]Ò§F¿"Ûà5~·±µÐÇVS´Öþ,&Tqx`•GYú®F/Í	â�å=TЉ�¦ê&Ô%³S¬À#¯]âëI–7•„
-öšû�DG¹_×
óæÕõôðªØtx˜†&ÍRueŠÖï:FŸ‚sy.!À\Ùs‡‡k¯EÁ€Ó•sö«x×CíÕ<©t¹KrgÆ/Y4Žö<KSUGYþúÌôJŠ>•V«‹§K¯€Kb1¸Ž†¤”,M1}}A­ÖW2Œ…á¤ÊùÛ8x¼3tã×Ã3Ï<º›©¼U³GüÖ†¤|D‘�‚ZÚD…ûú÷÷>Ìâ’¾ÃÁÊ:º�Ÿ
ømõA‘ÚõØ'º\ÝöH+Ì»tô¤H�¿€áÖN
ÛstàmœŽ'1LÞd˜Í8¿�Ê!©£l�Äö'`•,áO�›>ÖSÃâ<Ú…Ì¢î±D»Lôyº*mpÐœŸUžâ™Jš:‘¢`6Í؈÷+ÒÜ\ñ2¬aÃUÃ?wéöÛ<ÚÊë4'�ž’!lž¾T§brÖœ-1_/&âXcb®�ÓiÇD8ûæþŽu†åfmk7ÔõvüZ­ÏÅ¢ã|$bŒAnÕ·Íê…¸bQ&¢½ÁRîX[ÂÅѸ¶ ¿øE·Ë¬[oÙ¶žÚ[£Ê«ïÌw>w¦{3ÿD)¯Iÿ#Ó)°Ó'×J‡£ÀŒÏF™¡ã×ö£M÷ß4ÙËáZuT»Ø²n“€9DDt”¾ôb5Û1g8õ!2õ¬j<­è+Íy"
$¬ï¡1!‰ùœ«l_.‰‰´—k3q,7’•ˆ³F÷F¹¡ï_z=F¨ïœ:Gß¿q€*F 
yDÓ³–R�3¡ÞPaZ¥~CRœúsF]ñµ«†,
-áŠD(A~«ÌiðÔ–Eó—1+¥^¨„iyÖ¡dõgVs¥Ý_Çë t\û¥[Vƒ‹¢ ãŸž4Ž«EUwS¦€˜”Í�Æ�µßT÷Ün¯
°"@æs�÷‚Ù¡h B^#ÓÞ€Ý~aG&gta­LÉ	uò§p€ºf¦Î
-ë`H“@$ÕflÕ=nUúÕ5îÙù-�2?—+{žj•ð¡Òj�›W	b�>H°ÿØ…9ŠÌïh‹æv =f÷{fÕüVì:Ç1["rù”SêƒoÑõ¾Ç’€šlOÕ‘äÌ]ªãuƒ0êôXPðkµ»9Ð…Ø:ÿÖ‹\þ±Öãà–{áÍÜÒ#ú}B*Q½‘W¢¢´ž�…tZ…xœêÆ/*ÖV’^oá�?Z‘F
‰Ô�7”:ã
øcj¿?‰z�z1ÿÍ^yãývÍð¿\û0Æò±ŒÄ†]dqá=¤¿@‚Öº›3IoÝûÂ"Ãp™çMLò"–Îw»h=y|+Õ(¹2#g‰DÛkœþUhÉ«ýƒ�h+V2™¹,ÈÎ*MYcœ�´ð¬äOæ~‚ gï.ícfÛè�MM““!TêÕ6ƒ8 
.�ƒ)¡
éU¾ïmS‹"Œ§Ô°5”
L4ûöã¾:‘Oìc
³5hFWG8sË›æs-¡ëûç";÷\¬ã2•„ys8‹×ªlºP²XÎL|¹©‰ü4ÍÞ̯v9êNvsr‰…Â+xCü
>c¯Xç§Ë'��­}ֲ߱ß1TÝçu#ß2çÓ
-+¦É¿ìÚÖŠ^Ú®/\—sjÇOŒ¤+G4Õ–¬¨9
-,�Ù°U×g­·ù;ŸÐôl"•R’�uEc°VÁ2^ºBRA4MæÀQ‰ç‰¶·#ÂÊ€ó#Šh­5¾;•b‡§XæD””gX]åF¥"yM�…Y@ÅZ�éxaxÕ49ìÍ|ÑÞŒ>‹Šçââ�D’ü2¼C%4öÿ/ô»�ènÙt§ÄŠeýú2nš±t
=_
~ ¼}RÉ~>Ë »a0¬n.¿Î¥µ#M

HöíTiCÕNjŽØÃsûÖ‘ýaç_ÒÈ£�ÑxF‰“Ô
EG^Èn	Ý=†¨Œr&ª‡C0ŒwCÀ�“`>ÒUÜFæœØXîØ}6ø[·ìfÇ·fíŒz¼–ç‡ñVÉSçä‘¿Ôìi€ÐgoLúº¨6Ut�Y–S
ýS´,�ãþXppjIíWÀž8›‘ÊsÇÞwZ„EyB¦È˜Ê}°w9zÌ^Ù®(ÿ÷ô�ÈЩÛ<KäVÕø>Q/ÚÜ#ï×Ø·¢yû!«oø~Aòô­%“#¹ö÷ƒ¼BzÁ˜»ªŒï?_"’	ë‘Úë?w0
ºŠüvˆ_…¡"=%_U[Œˆ|ð<"á6ìZƒ UcèzA²¿¯5`¢\î~ê×Sù©å¡ïÕšPÄëŠó+™ë�
-1·ð€š2åªvÙz¥›Ž³AfW­æ›îs÷óK—i&ê¯Ózy¿ðƒþ#t°ZÚ)þƒÝ6Ö
-kÈä+>x‡ÅôŸåÞ„PÁ
EEo-B1ЦL¥ŠñãÝÖ›²Ö›ï{ƒÎûZq"Cöá±âši¨èbyÇû[&Èïd_†/
-ÁÑ™i-j´ã/¾fXØü€ßÙ(‡.V’+®¿
²
-½JTàÇÊcŒ†úJ$1³Ù«B«“HûS•°
î{ƒ)E˜ï@Ä|èÈö,›G|8fäUÜêg¾dÊÊSðõÀPÒ”¬^Ÿ¢õ±ûJ#„ÉòvÖœ¶2W¡ýâ­Vø~-…3RüzÌýÝ÷
-3Üdc
×›+°É'�©z8údÆÕù�ÛüÌ[Tòw@ÿŽ¦žÍ�…gM/Ù›ƒéFŽ]á,ˆø½Åžlx+d±‹
9²ðä~OêÌKC†«hMŒú%ÎvkøæþÒ(„¼MW{B%8T Ødaè
Ò…`[Ô¥�Ýy¬CCtt?èhîÑâðïä÷`ãß1>ëÕÙu•î$= ›gSg¸W‚Åw‚¾H�.Þ¬¬_ÕLz£x­÷þç…«ˆ9ú¼Q³:�²sðÖ9v®A%ý˲ùïß¡ãë’!CÒ¶è‰)YXP›Äî­é•1*A‹EöRSîŸùÆš¦ÿ8L?#ºOYI(¬c,F‡n¿ô¤@É«ïE6ÊPdw9^Öäv]
ô%cND·y§;£ÙP™äµQFaØ®›qF?Æh¿µÚëè-Å×›ÞË�#ôý<ë)%™<åàiÙFÏ
-{@[s0Ÿ"¥�²ŽÌdbÔǘ–´EVðMh^±i5q×B2¯^JO
^Ìê£oÜ'‹âØL¥ÆdýT<“ø­ê²fjí7Dµ•	1­X}2†7›€¤c½Bbá/?ãÒIxPp�%‡Œ©SíCÖ…“La2ì‹i½I[«E8Ššå
½¸çÌ Þ@Âî\ǸŸ29SQTw*ÑB1ï¼Ð�å+Uïh®¼Ä¡Ê/þ­‘Cå y[üAôŒŸ#2‰oLú*ÇÇUqQ½
-ó|,šZŠK§ -J˜UÀ·~SsÜ1Á¥Ã3ûtâ’”§ ¿�ømƒQDf"x~ˆîd÷ôM”pr�B!�4¥”N½Ëïb«@äÒë³q
§àάAÃêÕµh�Û„Œ°Ç³8vˆti¤E¥ÌU$ÕƒF#ãlˆè‹2Ž�55JÁÆû
-W—‰ÊGo#�Jܤ±ÐLê yNב]IïðÔfñ+ZMv‡ï7{ä¶Ãê‚øíXºžXäó�½Ý‹`*‹Ò‚
jpj÷´?+›
-|B@†-›&±í
ä5‰tkfÏ?B~½b:%Yñóà6uέ£þ˜”£LA®ªˆðÁëX‹ÀÌWÿªïÏ,Ñoðö»¶ƒ1´†Ö®ûM")ûŠ’8H_Q@)­ÃûÌßj”Yã*Fô&ù2ÙüB‘çÇ.Œ%nåÁ\Û†_ØO˜Aê;)çÓjÙ7 ÊíåÛsoÒ쪰1¯3Yjè@á³fæåE#ÚQÔYï”zpÒáš×,£»e‹\nÆnCþÙPÛöXC­ƒ
-Û .]¿1èf‹Þ$‰V™ÇŒ[óN<š?ÜY ætLçN¢“v} «˜&…yncú(Å:ÉZ£Ÿœî,Õ„wJo ØŸq”é»»2ÛÔŒR⩽(Òue†·¦³‰Â€D…%ô¿Á„Ä	a÷uZG“9ì4éÓ¤uy	Ù¡]&PžàfÌeAÔ>X	õ®pøN·¶±R`ÿläC‰ÚHlÐ$ðô²NæPh7»˜ è›LfŒ¨“ah¿Ïy8
¨ã	q˜ác )ÿ_~1iSÕˆC¢aH
”Ó‰k0zÉæ.@ÉÕ—Rû�“µl‚‘¿R
§´ù½Lý¥tû(Iðd˜î |ëm´ØÿSáB÷ÈVG�:ý†®§DÚƒ?s¼Úö˜ ÎTëýô?ÿ?ˆ¹×”-.��ûdÜ7”ˆì¾.îÐ
-q·
-<Š´yçö{e¯(×6鈔I»îbyö„•ZA„I³ªÙÆç`¼ÏÎS¼^™AáRup:ÓäGW@-!�Äø«ƒèÕßèËs=aË‹Ü'vÉRýl+}¦Á_�¾u0
-Öÿ“^)~ƒpàÕ²ô*²ÿ‰sY:ûyé×6Å€$ŒÝº½Å{‡êÑi×rL#¯(T‹PÆvœ·Qr†¤óVJôk�H0¥rÔIV€«´*$ã®/
-ëÙO³!õx
ÉRdíhÜ!]	úãUK+<7Öœjã�«/ªM;�Ë>ú‘ÕÃ}„ý甂ÜZV
-bù‰æ1�²y†#Ö6yéRØÙ`sßUJ öà‚Hø.ß°›GßôýMŒek�½„¾Ûº¦¥CŽšËž…l^§¿\<…‡6ÂK̹çø$‡’vçÏ
%hf¥Ëm°¥sô	|G'Æ[fûý/Ša¥¬3µrž®gS¬Ê~9^éÈŠSìꦘÏéNÐó	á¢M>À]àpÀ
-䀚Œ5åèÓíöRŠÙRÒ
-�Ì‚StRóùa¼âæøïŸm+ŽÞ¾µ¬¼/†m@”«†fDä)”y â­XDl_`p ˜3‰Õé"p£ ùÓ½r§à‡¬i3N€‚_ø+iÝ‚WQô¥ˆlò÷ÅK¯Ë.XÐ:îîÐ0ûvפ¹,aÑ;‰<e8“z Uö¯ùšÒø\j^íÂÖ"œ‰7	s.G쯸‘U,™Ç‘–ÚUõ
ê…¶,?àE	jÏ2
-K¼BPÒÇ�MÆÍ�Ö�ßx)<¨„Ó«à?j¨¨[âs£
-#!ÕŸ­ÝS‰¾¡Ú±á$j',göbõÓËÍÅ!:Ñi¼|ÓÜîÊûJpÙ‘ýéÞÇœ*ðáˆR7¢O�&½¶$nÄP$sn¢ä+ouu*„Û“A–�’
ã†ò/%£¸¾älÛñËÔk|*“š
HîÀ²äk|ß�m: ÕU¥�Õ6ØŸo£;§h™:Á„tè÷!©N|çÊ?÷`~Y`¶V­G?Ãça}4¨äIßž=6Î,ºJ¥ÀV9uÖ”!þÈjY
A‹¯ÏdJõ�æÕ…2–ÎÊ/«âÖV0ÙF­ì­Œù.}3}ä–Ü&q—ó?xúœ¾˜þsóp¿]×U‡|y
#çjr¶24°E_ôaà´�¢u¨‰C¡^¡Óå’&BŒ‹‚•M}ŽÀÙz) Ü…tMJXŧòŽ©:õCbX(—Ârj´¶45õèÚ{,3¶jòWó0_±Žª
-þ®£¥?]ÄýŽ<ꯞ'°á1ÛÃCÃæKtð(Õ‚Ã'%ÔŸ8“ÓM¼æcûÕz&CA3þ×E®rÒÝ,”BªyK¤åNÉ×%‘/);ÐÖS˧‡v!ï]Àÿ_›ÓdðŒ¶6ýCŠŸTÝçÌôûî*®¥e轜Ódv*LáOhfò�ÕúÓ€oMºÜ¸‡_õxB5(Ceõº%-n„ôVDÆ„ç�™6j®Ž\åoÕ”ƒºB¬çýû[ÝÌ›_œÿr¸HÔ�;6é×ÑðÀ¼�!Çrª¬
±£
-éNÀÐq
„Ê•GÄ`“Ïx]SJãõ_�ê»G1ÁmÃðé²]„5½R)%hÃ+Ñ]
-we:‰¢}‡”ëâ.ðUöÉ›±-ÏÒõwKP–ŒxÊÙl×Ê´	Õ®Hi¸®Àð”á6Ãìؼyn¼
-#"±91cÓ…†5BZÌ¡UQ}‚Û’á“ÓiþçáœBpØ÷�=:¸Œ=ĪÈÃýïVƒ®Ì¾‡¡¤ã<Å‘J*=
ó2",^†B;TË}Ç\å€S ´rV„-ã•£‘c?5ä圣9zL�’ž1dpAP³¡Ÿ63—ó[%Ò
MD´j&z\%djÕ2žS)Ü‚í:c�ExòCU}SÄ\ºáz&¶ð,GÂ{k�˳
Ô:•³D"¸
²„?.¤V5’0_‚Üö»Hñ´é¦Èݼ+ÙŽÚñ#ü™ëÊ°øm;•HP^vø+ˆoo|ú²®Ë7¨õ$0‚b…çþç<nhœBmWf¡Áy°+‘›¸Uë«Ð-‘�±ôwhÒýi‰
›õž+æ/Ã={W¬ÎZ�ð|,'‘¿ó#hQlÍüyïírT¶Ô‰ƒ"~1]¹²?::·ç3ÝÛ¨wÎC
-Òð�š¦}dÔF\•È]Œ9@òµñ…¿[¡Ô´]z›»•K½Ÿ³™µŸ Pù
-‚Ï€oD‚¯õ!ä]OZg*µ@D©(ú¢é¯NVÓX.ò_šï�¾Ü@Üú$4Ü"_=‚1«qÓTnÌhž¹ÈuÑRý
-Ç�‰
»•ª nÀC›žFåÔã€ë(RX¦ðròÚ…ïØÈzš¹]3èm8Y)HRï˜*w;6ü-$9Ô7ÈbVu|sÀùñ¯ªã°}¨$\ˆ%¼®ËDq–îÑAÃ÷Ð&8Ýß«ñ¨Âµ”(Æo™­;Z{ŠrA	y¤÷>[€Äß‘yO(³ÿ®™3hwr粂ˆ¢†;D¾J#Hù]øÝ/˜[>@çÆŒt.<‘I×S=RÌZ`Ï3Uó%ÖÑõ,Á>!ßÀÄt$9·žÒ›Q6óâ‚:ÕEðµ$î£?u&ÌIßIUŒûÍÛÜ¡½Àý—#û&y-
-tkR¦� ÍûÀVùŒ 
-+Eª0»¹§�“Í3M‡rN?ZeÜÔhSžK½c#B¯š`”Ž+ÞÁ?í@žâM¹ÓØ%qndzF¯ðIÏE8ú£ÖÚ¥dó½ëH’›Tz]¾7]37Ô—ãß?2œœÕ˜`‹Óý5ŒVY7Žâv‡ébŸ
-2ã$5nµD錥öI …5;£·‘³â¥œš½œ¹ÎœI—¼ŠP¶–z¬{çÙÏšÐQÅhÆ-	[/µ/þ%Á4¾Ù^—a‚ªßvè¨1�¡x™6LÚëI –œ©n¾4âzEÍçõ3ù¬�ßÇÖ%r—±(×Ù[!yŒk»¬Fy›˜µ›e5k
WâìŒ(¯(j¶Y9›oæÔjCBçO›ƒ±æä9?}0‹ÀÃÒéstQ Óútƒy QÆä*¥[	~R¨[E†¼Íx#è{¬=�6OKâ#s‚{oq“7�ë­[›¹<nÃœ!é“q’§€
%ã¼ ×$21Ó‚åûˆY£®ƒ;YÕjįb§E»iœs'hœüÓò
-xá¢,FÅ×V¢u=;”ZØn†•îµ"ÊÖÔêvÐ
¡Õ›¶õÝäa®r¿=Ia‰›qììY˜f ‚¤H¸¸ÃซqõÛ#ø¢tÞDײØ)b»„
-•±ÒAëågѪ‡Öö-Ñ©3	…
-iâwˆ]SwC''/ˆŽ‰~ðs
-
-ñ 8þ~|²oßÅ3ôv<*gÅײî_ÈŠZœ�ëÁ
-jf
«ÕIˆ7ÛÑt":¤Ê˜f÷ºá|¥Ýn«8ËiòÙºi=7"*ÆZ÷T…½ƒ Jœ[É©L~
¯ä÷úxô|×ôjƒsm #ƒ�Ymèu#Œì .¨lÝPXUòÑ,‹÷âÐysËÓJàläy¨›Èß¾gVmè|Yɺ™IÎo
ÆÙ¥Ã}xªhx R§ªœØD"áíñmóC/·Û]Ë#ìß’œ|rÝB>ý†›Ýe‚gظ%ÛâÂ�¥FK#¼Ü
-VKëÏ°@öMêhµÕ{í�Ó«k
-ýñWÖÍ�¸uòóɃ�É�‹,In“„È ÷úÏh¬Záßrž×wç3÷¡nã)8FÕ°=ÀËÈS¬�‡5÷*ÎoÕ`!Ú\:âÀÉGà�b¸ØÖ:*™°Wɬ)÷Ðõ�áñµ.Åzxï¶Q+u
-ßo�ÕüŠèg|)¢Ý”+媀B}lzr}/LŸè×Z
-	¸Ä¦~Vyg²åŒ¡°uÆJ°Ê×´fM-€8¥K¬Ÿ«äCËš,J½|šj_6R#/&]ää�æ|e@¸(óã#š'ò{�Ì¿’˜qå »|ð¹L¹¹j
-
-0ís¬¦¬×&0/¾Ét‹ÕŸóëå;”Û9t;ÎÑÛ¶niaóÀvñ~¶"‘_ŒNëÁÚGM]	Ñ#·8-z;aaZJpÙ ½k�š
-²°׳^Kè„…žåÖ#Ö »*0N” u ^8~=“²BÑóCŒüÛr/CÎà-À;0|ûÇ£‡gÊÒMNÄéa`œËßwª@É#—0ñŸ}Åà¦Åÿ“[Ž5^3H¸>x«0Ò"†„TÛp»
-ÓhÙ$ål$zQœ€ì=´ö‚1d–®�ÓÃû"sx(Ú*1¨ø¶z,ˆÒ'݇v!²§ðI1Õ�΃ñ�¦©»g [ÞC¡ç1Q1SÑÄl»Iz_TŸÊé–Éü¢Í«¹>Ð¥Gâ­�È…¬oa¦Ý—ÞëZ¼êɬÿDW•¸¼‹Uô‰ù;VtWí½ªŒä´p€4oUû¤I67Â]¯KÃ%µôN”ph»ÈØO{Viï‡
•ÂÔF�ìË¿ú°È‹!”éH8-“¨š
-:B‡ŒlŽgú‚2ºaÒ"¦¹?|  ÿ¢
t+�ë+ˆùR–~h
,“Ø‚_s
-h<…È™¸gßW ¯@Wç™áÜ;_y"ÙCü	:mM`¢= ã;òtçÊXÈê
~Ô“'–6Ç3mœÄAÛ�÷1­Á¦±ÙMæŽW‰¡Þ®jjÚÔ2ä,Êb¡¦³ÿÊ<)yh+oÕQÑv‘j—3¦‘„å&‰
-ÃGÖÏ:¾åîø§¡û­2M.ˆºD7–c ùWkx6Š„N+§Ls£ÙȶVaŽkŸÓÜ	ø�œy#‡-ôØ¢xofiRTÚ´µlQNí¸ÙÕULÓ‚Mæ&ò“2ç‚‹D‡u£®�#}J¡4×pÚ4e�mØ
-ÖVxæ]"ÊÕ=�¤¿Ëós÷ç~ÿ—41‚ó
�¸%ÊO:F§£43†Y\ô¹³*lT¶Š‚Tò3®�³¡Ž¨Å°¸n«¼AoœsíêrO¼±¶5åd­�1
¢~ìËQ¢¸¾»Æ)56(ù×ÖÂ<ìÖåZ‰G¬LQ„pyC¯gŠ÷�).è1 οy™ëßá�ÖO–‚\7ŒTQ|§uÎC†wv#†ææ¤MÊØrÌ\÷˜›d†À��¡f¤Æ1`ˆ×J8>ùÔ~ÐõÔ&­Ø`Y£Í˜¡cç?›2¡e‰ð D/Ô(–+ÉP×½L-Í�až
-Z¦Ûæûa„Ék6kUqèL£%hp—´rÛ° ÍèE–r:-ÃdÆÊHP:ì‡2;P®…ÓêF{Ư<Q,JšãÁ~	+¡h[ÅRN]~�¾…L„ÁßïüÉíä-—Ù¥ìŸ
-»áY€»}€cù‡Câˤêðq£þ¤ÂeSê]èûgÚò6\LÀž/*X«–Ü>ДÏ@ÏœüO©ªtºG©÷Ž’4Å%ü’Y×ÞöPðüid‘˃8LÖU/p�„h[×ÿ1õ˜åô×îE¥JP(òCˆ¤‚§t¢8ꜧÝÎQ‹‚j%U×¼±†ÙŸJXµ¿LF-.=5†Oí~Ñ
-\jË9gWØÅ."FˆmßÝÔÇ‘ÓßAÌõ|ˆWj
p7MÐ"Kc20ȧåOh]9J°F®×Ò‡õíTNì)mC\Rà‰æ8
èÄ�З|-	µÂ¸ÅæßËlÏB@\�ë®4Ʋó˜•k™_̦CÍö˜T!Ô½\!ƒÂD×$×&miÀ槻ÁLÝ¢»?a�|ÿ¤þë™ú*$÷¼66ÛëðÞºR¨p`N‹8¹Îs©2õóŸÉ×®aLç%¢)K–9CJN
-iÿót:ùÃûxxñÍš6ïÛ÷ÄKZ·ÏlŽ¸ŠŒbd|Oá±–kË¥þÎÏB�™E‹¤»
-èlLäšOnRZ~‡î&I°=w¦}æ‰l§b””Î÷g Å�TÍ‘ûûÁ{Ë1LxméÌ­�?b†‘Ü€±%Öé]¶çÛ'$5ˆç
}~Ü‹{Á47
ŒCS
+/Length 26225     
+/Filter /FlateDecode
+>>
+stream
+xÚ¬ºc”¤]°%\]î²�,Û¶mÛvuÙ¶mÛ¶m£ËU]¶í¯ß÷Î�;ëÎüšo~äZωˆ³cGìsb­'3Iä•hŒíMDíl�hhé9
*ŠjòÖÖÆvÒ4Šv6€¿f(!';[a'N€š‰1@ØÄÀÈ`ààà€"
ÙÙ»;X˜™;
ÈÿbPPQQÿ—埀¡ûzþît´0³�þ}p1±¶³·1±uúñ½QÉÄàdn0µ°6
ÉÉkHÈŠ
ÈÅdU
+üPˆŸìá|ŒRbQ»š€�ê
+ÏÎIOžŸÈ†ÆGG†{oÁú°©rb’p¹€Â’FúýÊÁæÓT©©jUmÛëÕb3ô]ÿ””sÂ
+Îl~^õ­H¹²çŸÈôÿbاÑÙ®ï岞ÒæNHÙ™C	½‰h1R�^�iC«ÙÂ{»AùÖˆqwÛÁxyÒWcÁ·ÿ¡y÷'‡—ÁOéTñ´šŸ­wôêuòÓsPMTUËçýNÀ(5±†Å
Ä ö¶‘�ÛMüc,‚�¨×]EI[™Y…	¸îˆ0�^ÆMÏm}™×Ë 3ž@óɪ�0öGƺ°>KÛy�E‡“åÜTh6þÁØŸøÐJ¢w¢§æ_[c
³ö�B8xÕ¾Vk”Ô‚—I¯¿ä„÷gÞk‰òŒ+(}‘²Å�+åýdä„P9Œ,U•ä�D¡&w("Z·´U¾D£|yÛ)Õ‚þ0ŽÖ)¹` Á6l¬NÒµ½žŒÍ&²˜ W	
+€gÍý¬ÌV” C†�û3æèºnMp»-˜…Z‘˜æj¤¯gÜ\}–ʈ}—}ÍšP«¤{}ò#U/ÉXÑ
…€¼ðk¬¾ëÜV­�Ð<´eÁºµýt�.<Á0œ7Íw©~‹A“1²Ù°¢%îßD?âÝjÑä¤[,È4ý©
+ÔI™Èüíç‘,ª!Û^ó&I|ú,~C¼ð O¯JëŽs/)'UgL—æªöÛ�'ŒŸKnõætÉËÁ!;ÙÜ\õýâÚõþ#ˆ%æÈMµB”j!ˆªÎŒ	o¢†PU�&ø’¿ß¹PÃ$Þ;Ž‘»w©*t!Šꌄ|Õj”1íw-¡LÕÙ—›ö‚ߎ…>ßË>#ÈQ�ƒ›a"¦´Ú×5ù“97Û
+Ïþu¿^ù5cÔÃ[î˜4mô–
CÌb^Ûe 
m¦Ýìž88ç}gõi.Ó	6Û�²¡{ÇÙº[·:±’‚~s¼r^®µ{×y"j¾À`UŠ2f5?+ún ¸	¼â@œî×�¿…@“�%5£shàî‚Œš¶{++¬#ÂЙH¼GH–�T
l™!Ñ+PH­ÞPË9­«·Ä[ZYIç�i\e�yr*–¨Ö{Gnðx*yçK ’„èD2JG
«L¸Vä±èG6<… †Žçð9‡X�¹;‹X‡ã$]Hñ8ÇR™¿}t%بêŸZ¥
+´êÄÐÓ
+Þkvßèå�à?`Hdò8Ÿáz„û%u•$õAºu™\<bxÂ0×í°–h¹ÚU\£ÑÈÖ{¥ß\«E²È²æx,3wר•Ù.$UÚr¸kÀrJ“»Ü$œ)»
+�'Þõ¹TÒktÊ1 ÊYµœóý–,‚Åw†Åáù.Ûå•OسÐ-Ž^ö�}ÃÊÔ§4¼°…ï¿•U;hŒIv@™È8Too?â.i¾NFNû²O	
*¿‹Ÿ9áäu7é8ã›
+|V뛚¢”ø±W’\úyëªb™=)ÎþWàöûI¢¥Í|ûBŸx§/i¾Úæ3“�"¬ì!óYº&4«?©eL:ˆ˜¨^lHëž|´XÁSº)7x}:Z=n¸Ö‚žäQÊü˜‚>›+Gr*|wݨWÔÐæ>zuÚÐÜHq…ȃŠ0?‰Ù“]¢¨=+ûfUˆb9T
V¶54ç,Te5®Åj
+–€íÖ—ݯU
Ûˆ¢¿ß$»�Zµg-SÃ]‚.(#º™‡`¿Ât
´Üæ	�6¿mà¯ò�™9M}§’ˆù'�WÃÙð´£ÜNæÜ‚é§$# ÁIÀq¯¹
+ýl…;œë‚$#¥Rј'ûBYâSö JLjN·—“\ð“ë�¨zå0y¥~Сª{úë#Òsa¢¸²ÆfÙà´ñéöªðc~ßâ} ]˜V42lï
+T ›+=Ý"N¸F{VwÜ«Ýê'O¼o3Mk¹‘)&
Y)‘-ÍÇ�aÊgþÆ®
+˜r]w9jr‡šØ[�O§ÎéåMÍ�ÏÞ@Í?éÀ0ÕíµDJF„rFhS[ͺ.ÆŠz¤9dR’XL
+fÎ$Ë\n�Þq�94e#q0r±MnJïù»1ç5Gö>
+ª *Aº\Õ@^¿>V1Ö†ÑîçhµäÀɱ~°ìj-ýflâÉL8D¼ÈV©§p¤‡Ekc4²îþÝc=´BªÔ"–¹² + „›šíwp	‹ÚjOI­{4°ؘ…‹VxáOR¡®TÈGA ì³+ ®À©„”À3ã×ËbÀõøϬ¸»eéj	.5ß?.4?‚w1¤ÉÙ,ðà_–yCQöê¶9›«¾_¼­pJ-G¥™Ñx¨^ð5xŽ“L�¼<k-Ÿ>ðh¼D°A€'áO¶0„0²8t³˜¡�hÀ~AÛ{ˆ&î)'`Gï^¦‰m�½\‹HBõoW"Þ<y]7}rÈ“!Vý,U4.Ð"‹¹ Üw9…	ÆžîôÀjìS›•ó™…)å’æøUOí›|XÚr
+j«ˆ•Úý¶”À´�.u-EaAB´=?`Š)/æúÂÆ=š�öÌé×K¼xX¯·ÎŸÙ5½È}áÍŠ•ÛìŸZñ�f6nŸ�Û2£‚õ¥­¥gÕv/ð^€axe¦÷Êcé…|Q*íÎÅ�>t.Äñ˜êò[Ê&G>¬šX>­|¶F‹ÿF9ÈG:�
+}ˆÀu‰‡FëOðѾÒ`g!ë˶’Si™Ûs„×dŒìΈ”’G‹ŒÒ÷¤�úPXŸ‘ÊX*òp¾š£µô†;pšX	¯»Õ䄾ÐÐÅ·.Ê�Æ™³õK·	ó§r±çÌg<¢åûœs§0œRÁãýËdò3‹Lqø%$ØDë=+¶X—¥�ˆÚ�Hï´
m%¾”+pÔg­2œÐSíÛ&ÛÆ’ú
+ˆ!Ýkk»†“×ÉÇ.¾á®ì6Ëq_6…áNÝ«—6™T¶Sµ–F¦›�–‰0;4Kÿ½26aþ2+Ai}
;
bŸÀ‰ŒIu)I£YÅï“y¨)õ‹—­VïEeõ–œ+e"ÑèËF	ÏèwéV¹Õ> ^;"ZÀÌ}¯å®I„
+Ú
ŒW?ð9ÉšjgÄO¤¨Ê£%Oy-¨Ê¾ÆÃt­Š�É2¶”êy(6eÅF~!²×9ÞÕ=¨�NdÔ_Èí
]Þ[‰+£øþþ>»`.‡`ÔŠk™½¼CæêU¬ùôÃÅN²3Ë
+Ú¬wî‘ê"�¹¼|=�’4v§Ù:¬)ÈÝ%¿Ÿë°yÔÅ)aÆÃ=Ax•qÊ�8úçUûƒ�òM[�iñÊŽBËE7ø·džŒ¿_SMé)7ç	\=aY„2Ǹ,DôÝØÌ¿ðÿtöÒãž¿â	K‚7Ö–ªëÏ«wV÷ž®a@¡ §¶¦Û£;4É™ÕÖYYøuzD�×/e£*)£‘ò9fS$ 6úÀ÷ÒlE;ûrðã`Û¸ËCë*‰{•mÖƒºàÊ–Mx¥PJÇn7ß7Á±^m©Þ®;±ùM6ÂqN;Me.”·k–ü¸¿mF²jkÁÒâ¥êv„,Î8½Õ­Mþk´«Á5­� ÜªUôæ^NÁ&ºg3w‘²X4YeWn)•#~…¼qòõh¯jH¨Åö¤Tpû÷ؾö|]–öÎ…¸�GxÖÀ´K<$L
+ÔUñ`•5Þ
+¶¾¨1&µwÉù|ì9UÛ39TQ÷䆹í| ¡Ã(=̨º;	GLâ§6ÿã�ì¸Ì¡"¾Ž•w…B|(iï�ˆ'Å'º¬ú[7ô
¹r+£²*iÌ�Æä;¹E}—ûOþÊF\]¦l{YåAF=AD
+»÷I¦aôIãÔ'§»ÞÄû�✨œùZzñ
+´a�fÓ´s!(ˆ)§é‡¸˜Š Â
Mí0Âß<_°7;3s]˜(ª¬Þ)J�ÁsTæû°€½F’§Ò“_íç#¹ÏïЉ¯"#(àÖ!È¢‹ù£áõDóòöÔfÆë"S§ÔtN'Þf~¥ê:#Ï¡Ú®“×5¬'9/Š�Ų
+1«¬Ù]͊¼Ð�°ŽÎžl_ø)J%r˜#sŽ-Àë÷­Ýà,Ó’µÿV¨ðyºoèLLe·rÝLû—‚f{��ûc†lî�	%Gä·Ú÷<{­ëk†¯¹�­ey4X«Þ>¹×¢ìØÀª"¬‰åLóp	å4I»{lî5<o„îÌû4%s‹_?Y	sP[ϱ0Êh5è²ÀEÎÀ—B]X´sd«3*8w†çñOSDŸkâHÅkd/t$æÕû9ÃÝpš®²èwm·Ù`×E¦mSû™ªf.þÝ‘¤�ÐjõmïòïË`m•œyò§oURl»î*8
+©~ó lP}E�H¦à%ÄM¼·¾t›t‡¥âÐ{cöÞBÑP,Ì6@�–�0®ª7ëSB¢sÐãiÃ]î“
+á¹×»­còh�¹ÂY!Ä÷­Kο™x�¤õb�VÑÄŠéw�‘q¢†BŸíú·\¦å!ÎïÖt–N´AGsƒaÃ6ö¥¬0%˜Y�—½ãX*íUϼ.;ÆëÚBØ�åŸÕ$’a’ÉÅ/KáKv2zQü	ÜIDîÔ”´Ö# ­w±Bl*sA™vœFûô¹êH¨ËWŠeÍ6«T¬GK¨´gÙ¯Æ#&¤'E�¶ÞèÛƒb�mAФMÞùpþÀx¼(³L½†^PÅ”‡¤•ã°Ò'_ÊsGÈxh�4ÒçÝ06�‰½`}‡­¹Gî‡)U¦5u†=¹‰€®qäXZ`”…*ƒ
}^­Ý›ZÆËYÝ�…Ô
ÀüF0j ÉؽoÑuo·àd¶lŠôæ¦|•À|�ÒM ÒÐ$<tÒ;¹–®ö¿¾Þ~<€·j4�uuþe»ñW¥”ñƒ£D9ovˆ<Õ¹çp¶Ö\g‡=–ã;`×_LtZ±É'ò�ãó2M
iBE‹À¿×jö
+rÂWf¯(¾ Ê.Tsûœ$rG~‡ÌR)G…-
ú²O2cl?ÂBüX	CÇäd"iXćÏà÷ÈÏ:ŽDN
+ä¶Ôñ{mƸM¯ýœîdßË
+‹¬)Ì Ÿž6Ö=
jÖdÃ�;í¡Ô¶„µ¼n:_>;y""¸ü,߸藵’ðȲd
Ëd¨Q T
ÇëìÙÚÏÜ­•ïØ`.ø|Mõíº�$õ´#É�*šö7 ´¢Z•—Ã^SúëVa=žBžk#UõuƒKVQVQJÕ�ÞL§Q¶Å¡ïºÜöÞÖøMØ¥b]k�®Û
ý7�>ݳd«,B?.ÿ@uÏD®3uçæM‰0).WòòÉÈhW'Vws˜‡×ˆ¢ƒ•\
+=;3؇ZÑíx§fÇu1{©‚qnˆé%Ñ)(Û+Ë*jóºpd±NãÎH¶›áóú E‹´Ø*ë_ªŒ®MuL¡Q°­èlq±ô¦‡³ý4ýCÂ4Š
+õgðeµ™	ýÙabÎbg›iÏRZkaPC+ˆrÖƒŒF&õ*4¥vè°½4ü`�o²O¹Û•{6oŽ;ǧ5M²*ËË»mýæAd/œvH&TvןŠ•×èë§fè"W"Ô ˜_©§D´ß-ê{IU#\Ôw€18_1mGwÃI&Ùj™6j%µ�Α4»o»R.*Z¼Ê…jº…i7“—n+2{'oœnó„É^*½mp`6id¢ýU•DoPþOz¯@@�W7Q!˜ã¯º|—qu
ËNƒò,ÖÆ8þÉòê’xÅ“œ-LÂæ“š¤Ö
�,Q‘ݾŠY]ò:ú©s¸÷8UsÞð„Œ)ü<²oD¹B2Â
+Q9ÁïÕ@[E£©ë|å»Þ¡–åq¡¢ pȫУá'¨h æl¥ËˆxKw,Š–Z�=S÷z ë‹TgÔèŸ)¸ yXɶÚj"�С~Ù·©y¾Wjǵ­
+)˜Y?þÄô‰H;§#ËaY‹zv,„krÇ)Æ-�¼›è™«Ÿg\�VÆAÜ®ô×f�-²”xéH9ØM±·‘úÕ¿)ÇDEðHÅ#Àë-WΈbe8Ôç˜y•ÛaÈÓ¶#„ŠB€s¨Ô[¿Ñ¬å=%*žÞ$�ŠÞµmu|6$)!¨z°ŸøÇ�¸ô†áîÊMÌ]Ê„hf⃕ðH!
+Z_!ÎØÏ™P°‚ž§TÙ
s§ÌÛ ˆ�o{V®!(H”4o|ؤvIÒ†¹./ÔPÒùä³L6ŠH±ÞNÛ¯9s=N­âkûrë¡¡ #Ž™.|eìÀ‡Ú½ì�ðâ+}(|ô’�‹Ñ<w–ãÇûpÌ'ä çEFeÆZ
+O>´
?�ˆw]°÷¨Ãæ'²�€n]*¼½ZX6Ïv�Jgv’‚¶Á�=£;–ðO
½‘*-ŸâÝx�>G(
†Væ3�ÀamÔ­{b|¥%D~!Ù;'½Xï×>Å{2\ôsA¢›å
ÖOUiCYxm]¦ý,+“+ÎLïûôc�K”¿´ãOn¶Ó†�2pÖh¿�EßµWê¼
݆a#’Á°I�mǨÐ5<,”ç'—ÇI$º¬ª�êßbŒ>"1^ÓZ-âáÛÝ-ƺ%·£¹¤“—Í¥’IÙ ÕÛzbÑéš}¶~Ä�©âLÄ6 ãaÕÁq�ðP2´6GðâPx,ro½sayjñ¥\Mó8Ë49öÑ~q|¾^þZ:@MSAÜÓÕ}$\æý¸ú�†
+ÔSßõ}FÆúcþ„"Ã\|¯*)ÕI
ÓÔ–,õ†˜¥I"
+n½ü.ñø*ì	AÆtþØãR‰øæåUçÙ
+KùMg”�m{·Hn-dðƒ­
+'´	‡úÃi©�šTâ¦a4ÛÀór4C{$ÐI™}ø¢Ù>a‘Z(žxSomgìY/àOêÛ–·Go<Ü�;œö£~NCbŸPT{ŸíþBÎÞ×pR½P¤ä¹ÃV‹»MÿpžíÜ*¨‚]�”Yè=¡zéêÛCœ£LŸ3t7_�>&IZoômG‘f~�•¤Ôóþ{àMß�q;:Š»Åu ¦€©ÓZOk˜ˆ<´Xm�ümŸãT`»u6J�+kŽ¦‡+Ö3ê~ªdô›™Ò]þAO†ðq
†Â
…“”ÈH
®è$#c*ÿ1^ïÉ’^‹ÍR¹aéc‚ç'JžÂF°úÝŽH18LVÙë`¨çòö«�;nQRGí\vß]"zÊ°�¼~Ë*¬‰@ÔàÀ°··¹K
+
ª`Ί‹šXN”ÀU?Ž¢®ºëÈ5ËXrB0n9½âà!§æ®»u*PSçoiyµÚÒLNöol�U®/'
²ºN�l¾�+
+z·ôÌ�‡oŠ%ž}Áwiô[ªÙ׶K�¸pWâ^­
níåÛiíèf.\«™CÐ
f¤: l©N}Vâk¿3Ê[‹æ+>C²W�97û&
Î_lûnú6±pÎÈè?9+Ì^?…ö	z×û±·ÝIÉ*ð¸ãEu…nÄsA´Ç×ñ�^dŒ–kC2^FvBñ§	Ó¬Yƒ¸†|óIÔµ%y$¥Í•Èƒ’¬¿BPÞƒúuÓ?fÒrJZÔø¯e¢ú
+WL©,ãõ®<ò¼z8Ø�AÚBeåŽýAf!Òç.P£MX“mtŠž¼ßZ‰^`«-Þè|‘ª<:´N†„¥,ûP£—ærÌö)ìÆFSuê‘Ù-Qà‘×®
+õó"KŒŸIF€¥%(³–_@k°„
+j-éù•_"R§‡7D.àúœµÁK`RŠcàÅR
Ó¶µËê‘V¡€Â‚�
¾±Ð
‡‰ŸV�':–ðê$íôÃDgènº¾Í·ìM‡k/‡&ŽNYúÞVÆ3‚tӾݭæ;["Û‰`Ëk•¬‡~bŒók-<ÓLÄHsH‡X®¡Ê%¨};É„ÞÌ“Äo·ç™HV²[]û:ûýã÷ön±Út‹©¯¼€ x-0å­¤ò3(×|–¤á#¸Úª$xœ£
“µ[=~©øwBˆ¢ÞЦîx´-«’Â@iaéLß
+–qÇÙ¶â(ŽÇwû',»_eßùÈvôÕÝU]wùd}ðy0=˜$IyO›ÍÈ€œ=»U9e~5ÉŒœ¼uo{´Ñä¬nEhÕkPía˺Oo
ÑQ2úˆ9Ôì&\`}ÕGÈÔ³ktð´bÖ¬5‰\5�°ÀÃbC“
+8×Ù¾]“’h·À¯6æâYn%«ç�Œò2Ã>¾õúŒP?$8uŽÁp
+ ™ðˆfd;®"¤¹dA¾£B·KµAP�ùsF_óuª†.áŠD*Aü¨ÊiðÔ•Çð—3+¥]ª„kyÕ£dfÕp¥ß†ÜŒ&è tÝøgXÕ€Š¢ ãŸ�6MªE×ôR¦™–/œÅOtÞÖôÝýÙbE€(àºè±GÑ@…¸A¦½¹ûÆŽJÉìÁÚ ˜‘êæ§p„¼a¦ÎïbH—@$ÕflÕ?îTù×7íÛ|¯œ1¿T({�i•ò¡Òj�[Tb�>J°ÿ܃>Ž.è
h‹æ
+v¡=åze׶)ö\à˜¯y€Š|É)
Àµêú<`I@Nw¦éŠHræ­Ôóºƒuy.)ø·Û‰Ýê‚í\üèG®øÜè8tÏ»ôanퟒJRo╨,ëE…cc!�U!ž¤ºõ�N�±“¤×[zç�Q¤QC"5ä
ã‚Ê|7ù9s0˜L½I½\ðî	§¼õq·aø‹_®sÅ$Ö꩜Ė]dyé=t°P‚Ö¦—3YoÝçÒ2Ëp•ç]Lò2†ÎïOñfÊäNªQJUfî‰8¶÷$ý›°‰¯öOv¢�8ÉæòLvViÊZã¬à¥Wf¥
+<”â×­Ò�ª�ܹ�çò3¼+çÓ2> $´‰G£éœ'¹’Ž¼ˆÔ
+ªwQå\T1‡`ï–*�!7Ñb¬§¤ƒÌ%©©Â+¨÷|¸M·äv×·vã„z²Žç§ñN4És÷ôq€ÔüY ÐW<o9tƦ7°6UL¡y¶s-ýsŒ,�ÓÁDHHZiÝwà¾8›5‘ÊK×>8­-²¼
+!STlÕ
ȇ=f¿lOtÀGF­FTØÌ]¾Žr»j€¨7mÞ±Ï[Üû)ѢÈõ|ÿ`yzŠöÒé±<‡‡a^!½Ì=UÆø×ÈÂúa¤Î†¯=Æ%L€®"¿ý%âwQ˜H_éwõ#"Ü�H„-»Ö0PõºÞ¥@°lÛ�t´+Ã=¼~•¬Z>ñ~�)E‚®8¿’…@ Å²!tiv6diü•â¨n�©
J@u˜$íoá}ÝÉ–i3Áñ§EÊ®�äK�„o«9
‘9�Px¶:lrÔpÊÕ²²`¸uÓ/µo­î’h±†™º¤Õá¤Üôƒa30 ?GÝf×�k!{h¢Ræ×;ì]
OËÄ(«‹ž<üÓÎÃijW$Ä,=
B‘Å)HS†b@‚ÕIw´«–¨;¬Ùlͨn³]]C�þÃzÃÅH4¯9¦d˜«çï¡~�¬ˆÊ \ES ·Â>VjPÈ7³�ßtë™LËYýUå€(ÉxpЋØÁß`›¿ÃTdߢ}éøO Éñ¬1°y°‰¼wx;l¦"–SH{ïÚË“°ØéÆÛ'µ‚� ‰œõO
+‘xÑ6@·î“ü <SË~m!¾áº™Àƒøu’°ag¥Þ¼ÃæÚ ñŠw­“ë•Î2z­B•CÜ.7`˜Uy̨²Bzx’qê/›ä?º—d¾¨¢
ѧcŠA×<38æª"<ž ‚õ�Æ—½
+;i÷¤ð =¨?³F‰%dr,¯Ô=wxŽ$Ì„½‹eÐQ˜	}èax>�,�¢RÔ÷ÕüMoÖ+&Dù
={ùfs�9µ¨<|ó\¡Ð’0së·§!Æì¡K^j1®!çóã7ƒÂF!2ùš/ÞQ	ýW…!dHc±g±Ä{«£Pa,†S™"GÂd¯Íçe䶬ÍöáÇþ°Ë�V¼Èˆ�€CaDÜ�øç�f:*ºXþÉÁŽ)2Å·áV׫ÂPHLVz륚íä«Ÿ96? Í2åÈÕZrÍ­Í »È»Tn¢"Öhd T3‡½:¬&™t0M	
;Éà¡?„R„ùHÌ÷�ŽlߪeÌ—cN^Žaî[¦|©"ÏP%]Éúí9F{ ,R˜,wÃy'kÊ?Áz�ï×J#ů§¼¶�7èÑf[ØÖ¸Ü8�m>é,Õ£ñgsöèîǼ–Ÿ >¢’m�ƒ»šz¶‡–œµýdïŽf[¹öEódd@â?õ–ûn±áH¬‘YÄ.·äÈ"R½¨³®®c41V8;MmàZË¢ò·ÝHu0”`QMĦ‹Â‘.;¢¯|í/âcb�ÇóŽ—GÛR>BŒÛb}7krê«<Hú€·Ïg†Îq¯Kîý� \—|XY¿k˜ôÆñÚ.ŠÖ§	rõy£çu‚dàlríÝ‚KWe>À¡꓃ BÓwè‰)YXP›Ålè•1«€KDà©)ÎýâÌ2~eœM=¤®%Õ3– Cu^yQ ä7ô£¿˜e*²»ž¬js»
¯ù‘1'¡Û~POœÓü	T™æ·UFaØ­ŸsA?Áè¼³Þïê/Ã×›Ý/ˆ'xû:ï+#™>ãàiýƒžþˆ¶	âh1CJi•ÅĨ�
0+íˆ	ªä›Ò¼fÓjæ®3„":b^¿’ž¾>œÒGßzHű�I
ŠÍ2‚W<—ø­î±aj4Dµ“	5«\6†3Ÿ‚ c½Fbá¯8çÒIzTp…!‡ˆ­W@Ö…•Le2ˆm¿MߨC8Žžç
¾|à̤ÞBÂîÞÄx˜1=WUTw.ÒB²è¾Ô�ç+Sïj©zx¡Ê-iSŒÌ¥ŠvÔ¼+ù$zÁÏ™FK0&}
–ã㪼¬Y‡~9M+Ã¥SÐ%Ì.äÛ¼­=éšâÒá™>uMÎWÐ_Jú±Å("3²8Bwú÷7Ôm´pJ°B�4¥”Nƒk[‰urÙÍù¤†sH÷Ö°aÍúFŒÆ]bføÓy<;X†4Ò²RÖ:’êa“‘qXL¢e9G膥`ÓC®%…›ëTÕ“�PnòDXup­<§Û­Èž¤ODZ‹ø5­¦/»#øí>¹Ý¨€º ~'–®y×âSï2ˆÊ²„´` l—Ú-|Us¡o(ШUó4¶ƒ�¼&‘níüÅçcè¯7Lçdk~Üæî…MTx€iÊL1ĺŠœŽõ‰4Ábͯ†Á¬R=ÐFÿ‡	hC(íú6IÙÇ0”¬ aúÊBJiÞþv£¬zh7ùp¢wÉ×é–WŠ|WXva,qkOæê¸ü¢AÂLR¿i9ßv«�!Uno¿¾Ó7…­EýØé2CGÊHß
soo¹°®âîç´ÃÓ.·ü‰XÝ[ä
+sŽ[ò¯ÆºŽÏ ZªT˜Fu醭aw;ôfI´ª|fÜÚâñ‚ÑîB5ç:�ô›C]Åt)´¨[³')Öá(Ö²Xý”©A8çŒFŠƒ9'™�ûkóm
Áh%žºË!]Çqf°pPŠpÛhT€[LœPv?çM4™£nÓ
MZw ×Ð]ÚUå)nÆ<DíÃ�Ð0ŸJç!pº�­µB‡#_JÔ&bƒf�ç×M2ÇjH@§ùåAßÄt
+Ópd½Ô[`çCDîãY`=O¨ã<IÅÿò‹I‡ªF<
óPZ�ä„N|£Ñkÿh!Jž¾”Ú§x¼¬ÃÇ�`3´üµj¥mÛ*õ·ÒÝ“$Á³a†£ò��Ñ*ààw¥+}ü[=5êÔ;ºžiþÜÉzÇS^ dSuœÏóÿüÿ,.Ä2lsŽ¸@
î³ñÀH²Ç¦¸c;däýHŽˆEpcæ2®ªÉ'ýœ²( HñíÀfº6¢~ãÍè’6yÏØlêÖ¿Œ·ð‘®ª_0
°—j†BƒLgxN†N¼¸4tãr&ð$Òá“×â�³¦\׬#RdBÚsdz/¬Ôü(Lš]ÓÄ>º
+Á¸ç‡ÂúIo>¢ž  Y†¬ƒ;¢+A²ne�çΚ[czýMµm/p5@?¶~t€pð’ºF°‹[Ç
+ }W—ÔÖ¤í®d�Ïê3Æ­­Ò‡¿�$ºÕVP› øÅVc%3¥@¡íä&žH˜.ÀýÁ6vÀáõ£…z…BqÛNÉš›2•TûD:½õ®àxü
\Æ/(tùDѦ$C‹%Ð}B–ÌCÀèçQÅÞ§�ŠµHËÅL9Ú~[[f︙¼mZŒ=6%	Ù]NÐu¤s0E‚ÿYð»\I'T‹p>̵†ƒ"H=‘ª-ùQLO*I!P9RÖ°´
+tE$ú�oÜK‚†¥ocÙÙ E/¥ïµ
+žž3¬ªA9^éH_ˆÊ3ìšæدÙnà‹)áâm>À}ÐhàÄ�šŒ
åø3ÓÝŸ•Tw²•ä!l}òrû´žMßÁž}µe¤Ä¨(ÔvÇ �µþ«Š	ÉpÝ8})Z¯ìf�ä8»8Iƒ~±žH.<³�»k—�Ã¥ÌdÕ¹<™Xð’hɤbÕs!÷Müÿ´/$¥nŒñIpƒR{Ä„'âcêRIÙ=\XÌDçl„ñÙ7<²´-œà	SæÞ’ÇV�ûñâ¸bå#É^e‚ÏÙþ*Y¥µ
+÷5bóWŸüÕôt³C9D$š)I®«K$j tR(PPÀ"“‰ìXjÄrÍq=L7D�ã`f*n^˜ÑééÍz˜`ÕîÊ�_Òºn°u|ù5Öe3Œ?�Ä‚!×J„·LR8“*'²¸¢hŽ•ˆã€AŒe~ô"ž^'Ô®qiÙ&­´fˆÄãow^xvÁoóÏRvÎ?îè†÷ÖlùÑ2ú«4Nc|mOdòpÝ.#8£²#îK²nd¹!6Hßçw¿Mï;ž†‚ìÞ	BUuו€‚CTl®´ÔZ¡ØlAi!Lëö.¨N«�¬œÏÂðNÕ ÷?õaØÞ&.8Gq2x4Sâ@ò~ê–œ%´Æ­j¤«¦³úN‚Ó˜N S�ˆWVµêYkÇ°¬5²¥áŽ¥ôbûz\séeñ½kQZy¤h*Z–E(ÚRˆ3Fè~�˜;ã�|$ªÓÃ[®ÍÖ-˜N]ˆÉáÙP�<|Å:³èôFÎõSº6¾Ï,)£Tÿ¨²š
+Ñ�åêB:­ÃÖŠ
Êx$To9@H¸%±.¨Ì~jô&+A
 7—ê³Óê®ãOºQœßÝÓ¼UëªðKŒGf´Â8�Jý?âá~«¦°,i´KRQFÈ:çZÔ²öhÚO>Oɽfx‡2ȪA™`dµjgÞqÚþæ
b[{e=?_)ºüDÁêÊl[TÌ�37Æ8)Ñn+àAíMõ­¨Š"z´CE'h˜¹BÅQqzïªö0|#aÄ—loàÊ—v’³XfŒ´x�è@—zÁÄJ/Ÿa‰¹­2ŸÝ¥1%~¬uÂ…ÚÐ63íè4(ÖOHv´Éã‡6ø‚æ*ñ;yŸÄp+íKÈG?üþúI‹À7	
\sNw%Ø’‰î;J¸To•Ö!�N�ÉSenéN†£�²p¬î“‹
+4­úWM‹~©¡CÏßÊÿU-Ÿ}ìŽY¾†¢á_±@Yh€íu›�øbÔnW,ø”=ízt<îKfp¥]“ŸqæÅÞ-3Æn’aZ|ìŠï|=AW?~†ŠŠ¬‘-šë\ïb;üšsî¶j÷�Žmùé4§xßîh&ô¥ü"{kƒ³é|‡l#g nl+Ï�7#R±´Ö>õŒ™Y©âeë:@³Í¿xçc…/}RÖ¸g´µõIßârÎëýM•4yþ^Ú'ȇ·ø§–ýͬ&‘^×Á7È:6'ó'r2!LÇ1¤Abw>ñg²*¯Ž¾O‚Gk(9ïu
+�%¶íV,ÜQòQÛÆtäf‡ÅuZý~J´A{�3’ÀJ™‰&Ð0M\ý\¶XÀö1S¤³ô;5¯EaÏôJ0·/›Í4j³}
+eOLÌq3©¶Ô}ÅÂù„×
+�³ÝMB®Oá÷£…ˆ¾b4Ûm5Ðo{\ˆciÿ™ÇWáÿ3Î%üg©çŽŒ¸Û¹�J…QÒ‚Q
]¢À›ÿБ:™¾††4§VõÏ_$2}Y뤩ØÝððÙ� ÿ¶cÚ¨"yo�g2ÃŽ‘}	º8SJ)ì"Ko™†øžJ/	Æ´“+b<7H @,U¸)‹}ȼŒë§ü`J†g¹÷ûŠ¡tm
+…™¡é*®ïÏZžx;À-Ïåìƒ"ïÚ†ùòù·)*¤¥3�ËÚ^ý=äÜúP~Ø.†ÜTË‹ùæ�(Õ¯
^þkΛ±¢é¤TrÌ°íåZãÒm5Xî3·#xæÓÄ·¼+»b{ÿÃ�0œ}-å1˜Ë¾•áQÎÁz‰Â¬ÊÞ¹tEpyIêY`à7¢K	KÀ½1«Òâ
++aëØ “)¯[L’ïµ' ò+Ÿ°Ÿl
‘\ñ™ÛtôÍ<ÌÖëwÊ¢bð59Ð*ßCdŠã•Q¦T¹/®¬“¯}%%§º/»ï³t.fÌ
fMÚ˜Õ]Õ4}/	
ÃÆѾ9ÿ5$ÉýÓ\úP/eë1WÞ³…Óv`ÓHT»Š@NùÛèjÔø«Â2¬ËXì^â{ËÆmô«—Ä 3¥è)Ç�	UGø:ÿ‚|…o?W6Á~ÇÈ!]ØâgÆ®±ê3_áoxFP²¾Nµ¢CŸs|’u(ÙR«ãòâü)ÞNcZöÒ¼°nPF›‘úâP‰6�úÓ(1êv¾o*ï›”|QÐ�ù#$!4SzâS#Ž·uþI6Då%3פx{ˆé´¯KKÁçÌ®CÌ
|HuæË‚Þ
+mèLj¿I¼Äyê4¢“xC‹´¾}í_dšÈb‡a¼Ð˜
,ÇÁ”jÿ»¡|
+ôÏ™�¶ôú�û¿
+h?IOø¿{EÁk–X4~Ôåqp�„DuNLi’ã¨L’¸œKŒ}ƒ—Öxåp·UÚ¡e=.L,¾uêÀ±Ó>Ø6¶�Ëh
¾­I
©¥2ÈæýkæYל2oíˆ6K�îØà|ž	°
+4£|í4öî
#a`ã�åƱÂcJN¿$DÁäÊ:ß÷”¶Sù¿�š0'x\n)|”"<
jÈàlZñL|ì�ó“ ¨EëhÈ`TdÈægòㄲ'{°›ö…`*ÌñN¦ÈKìí111—Q'ÁX¢‡^¡8fŽ$°}d+xÑW_Ìñ÷õ•Â
 Rö>ü?ëáˆò$ƒ‚EÍ›z`…Ó.´ï�îÞ9C˜Lö*¸`b@å
Ml
å½/O‹EW9
+¦?Ä›Q‰ìó
+€u“¶o-ռζÈFE£ð.åƒÊŠë>{‰*¨òwµš°s÷ãÁ±A
+Ä¡gK°–jྤvÖ?�”lMöV([®™4úÊáD3p½$V¶Å,t‰#”ò·k¼�Í_y´©¡4A{;D9"š;ó;ée�$X|9T7N®åüok½µÏÝ�3äñ= àŠŸœó,çPzìýªk,AUóÚd¢`VX�¬@a!G»�¸¬³^„žÍdSïÄâzy’_W}TkÓˆ}¯µj,BMðî´¥{¦XS~§aN·¶®žc“£Ô‘«8³s&ëÊ‹·Å	&èñÜ”?äý«>�ÀÞ×]Q´®óP™Øk`ßäÕÝfû®‹Y×Z«ruì=È3€1\&ÀHCNXùlu[80ëFÝŨïØìNÄ]©
+˜%0œÒAJ^ý´¼%¤w}/ö‡î²òAæìQæãžûnúéùÎÕŽÙPÒòçÌÃzÈ/Z;ž)\x‘ÚìëÖÞ9”U.‰Ó_>ò_øá5Uûc-­@6
QEæ*D}X2a/GúGc1§OMc-Œ¾2å\¶ý„ÆP¶ó2¥‡`1”{݆àYšU!²TQŒywµÄB´¶BS�Òhឤ2šA1±3_o�yPüTIŠ¼û«õ[»TW�”—¡6ŠÅ~u‘#·ë�õpmðI„#³ZÕY$Ø�óyø2XõþÇ0†¸-{ñÍ·¾ªå¼2ñåÐèœ/ûY-T !ÓXÈ`lgÀðß‹Ù§¦ß
+_ÃýS‡µ	)1ŒÊ�OesLQ²
+Ôqµw
ˆlød�{ŽÞ‹t¢Þâ+ïí[^.\1}
)ÃÌÚtú¢à›%×ùRO|cÇŠˆ?ô€L�]£µúem˜m…pRn7+o“Þ«¶�›4s·Í–çë:yÊtôÒ²
ê+ã\æ—�‹HöÉ�ˆD#|q™eѺTÀ?È6@å¦}Òú”¶¢§†ñ®ÐJÛ?ûÝ(
+!N™<‘cÞšó¬1¬
+Jµ¸�Q
+¸*	ÞNK
+Ä'ΕoäNï
çÊòHª,—üw*»ú.|¶0ÚIÐ	ž4[Vƒç›
-Gy2½
û{(b'óXèŽïÝÕˆYzåeø’ºkSoðÕzN
+…Ï\{¥?!݈¿Q圲,é“Ó{Ü™Óó½%·‡ƒR™ØKY,áëÎú¤ÌLŠšàßÎÐc+t_5ñ‡^€¨aà¹3n<‰¨t6.ôÌö›Šûƒì-w\£ÐZÆ.�ž(¯íôúDÀëôèT!þYÑPêÒ•m‘�Q•ôƒMƒhØ�›‹Öš– Z¿,ÃCó
+ËÝ@Á¢g�ßqìöD€¶þ¸µÿO™ë&Ñsu€r“·NŽ¸¬¸Ü/½à=Nº&F¼«F_L-C§ˆ�}yï=]Ií˵¦² †¤Ä,Õmza­®4@Aĺ@q‘s “†D(�7–Øuç´qçGªw=cPÏú#ÆÅ·¹ªËPl²Uø¾d¤GË^ôë/mŠ¯,¾R�Á
+¶Èãé©t²�„4å¼н”n_0gþZXßåì…×bKÀ!È*Š¢Só±[¸ùq]²Q¨ù
+R㻯Ù�QôÏŽ}ÔZ—7“Á ¬¤jžé
ñ"�FOi�Š>?ÎyÛ!änQT)Æd§
Õ©Jü[—p1}àn‹ß�¯¶ñˆ#ªU{¹SV}¿W†yT¼"~,�*0W‰™ý.ÜXxäݾw‚”ÕÏ#hïyª ?N8,�¬Ÿ¢Ò‚÷†—ó]ÅŒPpF�ÅKÕ~G‹kýj
Ý¿þKIÕ$õºÁÞ�º©‰uVé¡OýC±ÉåMìi	ž2C´gyƒ?’ËvH4åËÌŠJ
ÂCéØK!ÄÕãþIêf|ÐÝþs/ô³@Ä:÷8=]׆ËlÙím1qGoi{tÒ-3î.¡¡�¡)òË“–š1®”9c¿X;È:Œ5ð4‘�t�# `bK)qA¢
©˜æš ›c´­5ÁzZ1ŠÞÖª)\“²1ì×±u2�7Õ@}}·
f RÙáÝoW9Ç\P¦0»EÆ}UB%×/y×—¶¤^â¡26ýù,bÍŽóPI2ƒM<¦éË:ª‚ »û­h�¡1¢Yâl8.ì4„ãGóqj#ÊÑY
+bJÁœ>ZÔ¶X-wJÂp²u©âÆ0S§±sª3KÅæóì“#‹yžÇ�­¶÷âÙØn¼ú}åÔ\C"…}ñõkRO‘"ÆÉصCŸ°Ç&î—»ýl#˜LV¢n÷‘¡ÈÀ)5~ÁrioΟeÓH²ƒ'¨ŠÒc~1GÙÏVÛÔ&¶b®Æz†­(óÞçy]µu9Û³·ºSß<ñ‘¨¥ÔÆúµ•†Š·ý]n>+�`½÷£�¯´¢w¬lŤŸÊPh;w#7Ž®vUsË0 ÒÕ1©HÖ�W¦Bü0%Ï�	x4î/ƤúEGû ¤y+Ë(§ÛH·ïv²x�¹1=›uBCpƒÉ�Œ5¾ÂÇ™Ò{A•0žÑ5'†:]+³lYô9²Ÿo
Û;O%í§æe½;ió]…J.Å*¸½ÚWf�éë]šÆ¨’IFD>’!(š
9$˜Õ{è{W»‰êå|�rg,fi©†Yœž›V™êkS3ððŠ³Œê£s(h"ñÞJÚ¹‚ërG×ȃ®Ÿ¦Ô\ãûö!]aX
+=ÄWDe1ˆ�¦H”L9Ê
�³‹Šâ(ÉLU~f
3Š^ùž©DÃUBAB´m0Ap ÿØÁ÷4@-ð³ÅÌO­‰D^¯-;<�BÖ6÷¨qs LâãÔ#½×ÄoQ,Lñ¹½
+A™âõ2ѶŠŸÓ¶Äøí÷w6Ê+–IºÓœnµq×oúWïkN)ï�‡mÖ8/1aÀÈ[­ø
'! ´ŒÄPxÉ¢rB<�–ðœØEÔ?Pr|7°™2�­²�3Dá ÄWUOš9¬hÓÄ5@)NI´°
›s0ÇÖnŸ[fö½U¹fHɸ>›»|¾¸¬{ü*ÄØ*X‰À¤ø‹Ã’mdñ„]�8Î̱r¯�éúë$Ÿ5îyôÅ1™ú&àv(WØáñªLŽe½pò‰õTàb{´ŠÄB!ð¸YRE!ɾdä\ÁÔ|
+Äôò}	0á·Ï<ðx­×³5(©²ÓÇXõ̼‰h8�L©�m¢Í°]ºÓŒx$“
+­�u|Ðí8t^ˆš/€‹MÝp­_’<{*ñ>Jn
ÐÅ—6¹s²R¯aÆ‹úr×�€]9ä¯:²(`\‰áÉlA7¾ĦK”ž·†9z8nb64Ë¢jE¢$µ1V|·ZBËÐöX#Y»ͪföWßqYûlf/ö»­8Fj…›ë_X1¡ÁèínÕ
(N1©þ¢CÑð´ýÆ9(AÄEêÞ–«ôáÃÉ€ÖÜÑf}_�¢£J¾:¤ íéJ$<ÂBÿˆSUÅö�
ìMø›Yr¤˜¾�ÃÈ×`Qí�å?›�Ù±Vƒ�ÝŽˆ½¸ÂˆÚÖñhÃÙƒXÔ‡7Ó¶,Í!Á•FÿÁEè^F¸¯xÀÁ¦ÿàB*·ÛvªR&¤N�<•ê`¢µ+çN¼é
¬
+g¤£Ê¾2f~mû„�m}…i
+'óP4I×¥ŸÐ?`b¬FH.�÷R}ÿÀ#]«i�ÀAñ7FÌÐ5øùq6O‰Ç/êúWbõÑF�åq-¢´ð
§]xžök%˜Ã–td˜¯‘ŒÎ¼r¿
+ä&oH[œ¯A•9f
 endobj
-682 0 obj <<
+726 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 2
 /LastChar 216
-/Widths 1944 0 R
-/BaseFont /NUKCNW+URWPalladioL-Roma
-/FontDescriptor 680 0 R
+/Widths 2107 0 R
+/BaseFont /WWIPFK+URWPalladioL-Roma
+/FontDescriptor 724 0 R
 >> endobj
-680 0 obj <<
+724 0 obj <<
 /Ascent 715
 /CapHeight 680
 /Descent -282
-/FontName /NUKCNW+URWPalladioL-Roma
+/FontName /WWIPFK+URWPalladioL-Roma
 /ItalicAngle 0
 /StemV 84
 /XHeight 469
 /FontBBox [-166 -283 1021 943]
 /Flags 4
-/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/emdash/Oslash)
-/FontFile 681 0 R
+/CharSet (/fi/fl/exclam/numbersign/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/equal/question/at/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/quoteleft/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/circumflex/quotedblright/endash/emdash/Oslash)
+/FontFile 725 0 R
 >> endobj
-1944 0 obj
-[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
+2107 0 obj
+[605 608 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 500 500 840 0 278 333 333 389 606 250 333 250 606 500 500 500 500 500 500 500 500 500 500 250 250 0 606 0 444 747 778 611 709 774 611 556 763 832 337 333 726 611 946 831 786 604 786 668 525 613 778 722 1000 667 667 667 333 0 333 0 0 278 500 553 444 611 479 333 556 582 291 234 556 291 883 582 546 601 560 395 424 326 603 565 834 516 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 333 0 0 0 0 0 0 0 0 0 0 0 500 0 500 1000 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 833 ]
 endobj
-657 0 obj <<
+701 0 obj <<
 /Length1 1614
 /Length2 24766
 /Length3 532
@@ -9526,7 +10435,7 @@ endobj
 /Filter /FlateDecode
 >>
 stream
-xÚ¬zS�m]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%
c;CQ;[gZzNE5ykkc;iA;kc‚3)©�£‰�³…�­°�³	'�š‰1�°‰
##
)���½‡£…™¹3
ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿç�J&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,
''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
l�zàlG`akdíbü�»©Ý¿Ù;ÚýDØüø~Àä휜�Œ-ì�	~²Ê‹þOgsçr;Yü¸	ìL"�íŒ\þ)é_¾˜¯³�…­�³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrú�ùÁþ§;ÿU'ÁÿV½�½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%
ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþw�þ·Cüÿ{žÿ;´¨‹µµ¬��É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:)EMYqªÿóFýWœü�òÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`Dl�ìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþ�õ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ��]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛd�lTÇ�tº¥°jÑ^7KÒ» š¬ôªÇûS
+xÚ¬zS�m]³eÙ¶]uʶmÛ¶mÛö)Û¶mÛæ)ó”«ëû¯:n÷S÷}Xkfæ92GÎ{G,RBy%
c;CQ;[gZzNE5ykkc;iA;kc‚3)©�£‰�³…�­°�³	'�š‰1�°‰
##
)���½‡£…™¹3
ùõYþ	!0ôøÏÏN'3[²ŸWk;{[çˆÿç�J&&Îæ&¦Ö&Brò²bäb²*b&¶&ŽÖò.†ÖFÒF&¶N&¦vŽÖÿ¶ 0²³5¶ø§4'Ú,
''{#‹Ÿm&îF&öÿ¸¨	ìMm,œœ~Þ	,œÌ
l�zàlG`akdíbü�»©Ý¿Ù;ÚýDØüø~Àä휜�Œ-ì�	~²Ê‹þOgsçr;Yü¸	ìL"�íŒ\þ)é_¾˜¯³�…­�³‰»ó?¹MŒ-œì­
<~rÿ€Ù;Zü‹†‹“…­Ù1 &p413p4¶6qrú�ùÁþ§;ÿU'ÁÿV½�½½µÇ¿vÛý+ê?9X8;™X›ÒB10þä4rþÉmfaE÷ϨHØšÚ0Ðÿ›ÝØÅþ?|®&Žÿjù?3CñCÂÀØÎÖÚƒÀØÄŠNÖÎù'%
ùÿ›Ê´ÿs"ÿHü?"ðÿˆ¼ÿâþw�þ·Cüÿ{žÿ;´¨‹µµ¬��É¿6üÇC MðÏ%óØXX{üßÂÿ{¤šÉ¿qü¿¡H8ü4BÀÖìGzZú3Z8‰Z¸›Ë[8™˜Xÿté_v[cGk[“5ÿÕHzúÿæS6·0²²ý§í,ÿæ2±5þïÔúq:MAaQiªÿóFýWœü�òÎÊö?Ôþ½;ãÿ\üƒ"(hçNàEÃÀÂH@ÃDÏðsà~øp0±øü_2þˆá¿Ö2ÎŽîZ?eÿìü§øþk¥óß`Dl�ìŒÿ™%g[ãŸñúOÃ?n#GÇUÿuâŠþ�õ¿ÝÄÄÝÄj}ÅΈ+Ø2ýw†szîÈ”°Ö@ðHˆ}i£rQ��]¯_zøG¥þGmmÓçW»ÇòûÏ#IÊã±>4ë_½©&×ù8>ÄýˆÛd�lTÇ�tº¥°jÑ^7KÒ» š¬ôªÇûS
 Šº%`¸3�LŽ7)ü‰]üQHžíá|�ÒâP»š
 ÿ\�%�ý}þ54>:2Ü{Ú„M•IÊå
 Kåï�ƒÍ§©R!RÕDzÝžeÌ}øØ"œ³\ʤ!g?5íµ	Îk“T$f}QìŒ}}œ7Ãë–aI­zQ£Ø`�{1®ËÊ›¡9sõ‰ór5úË<#¤=ø…ˆ´±36…è4Ó+òŽÇ¾a‘Ïp:‰é"“|:[5P6“Ó<M`IÍÍÍLÕ‘˜‡‰ŠŒDa_gÁ¡Ãœá½]é–§	9ç8sêÓšÆô e¬bô:miØ*N±«z|+hytHOÛV77Ùa‰
@@ -9625,541 +10534,638 @@ Iö×~pºóE¦f}^!˜tQ°Ù’‹ƒEäì>‰ n|'ÆV²5D9_äå‹7â̬FJvõ˜2È­ÛŒ’ý;Û£K¿>Z&ú‰Àš¤þØɉ,
 y‘üP'càÜ^M#R°·ñÃ4
{LJB«œ»×ën¾HïŸMc–9|þ*S5ïV®ñKãÁ“ü�vÚJ¦‰‡’à°áR‹ÁPKw©ä;ÉͳðåH-ºOÖ²ÉâØÉ*Wü—¼éýšö•p…+èó®a7AÔºº;˜âR·~4ÿÕ|S®‘mƒ®W•~	©Ãâ‡}DL×WF5J‰åéØ|¨i÷>#\2®˜
 šÒ30D”€`Ÿ†§¾ç�4}&1xÒ¤Ö¥	ÎdP•Ý‹$ȾCO‡Ù’jÛvëö?`C&W'aÔCJ•I'sŠFðìM˼k©¡¨»°+X	ŠcAÐÀ«á¥£ùr!<s%!ÈbˆÀNÑ*d3³Ê6�†Ø0´+3ïÍNYÀ8�îj•ÛP³7Þ¨VäÎc=$0€Ž9€òõ
«£…WCÒ¸1å
Ô²9L±ž±~óŸ–äWÚyüInÐäöÀ'¼I3
ú]`+ò7vÃÝ!�’ÔËö—k«Zœ–(&4¨j�„¸`é+àpôxÿÅë«SüWâ$åM7ƒ[IZÒýš®ê~‚VƒÍ:Ø\é«…Œ
€Øy_à£öý
 .ÈëÃ6‹û¯™ÅSßcŽ¾Q&É5	fd
-ön’“,6"”@K;\ÿŸÁüø¯
+ön’“,6"”@K;\ÿŸÁüø¯
 endobj
-658 0 obj <<
+702 0 obj <<
 /Type /Font
 /Subtype /Type1
-/Encoding 1930 0 R
+/Encoding 2092 0 R
 /FirstChar 2
 /LastChar 151
-/Widths 1945 0 R
-/BaseFont /KRZENH+URWPalladioL-Bold
-/FontDescriptor 656 0 R
+/Widths 2108 0 R
+/BaseFont /ZBDFML+URWPalladioL-Bold
+/FontDescriptor 700 0 R
 >> endobj
-656 0 obj <<
+700 0 obj <<
 /Ascent 708
 /CapHeight 672
 /Descent -266
-/FontName /KRZENH+URWPalladioL-Bold
+/FontName /ZBDFML+URWPalladioL-Bold
 /ItalicAngle 0
 /StemV 123
 /XHeight 471
 /FontBBox [-152 -301 1000 935]
 /Flags 4
 /CharSet (/fi/fl/exclam/dollar/percent/quoteright/parenleft/parenright/asterisk/plus/comma/hyphen/period/slash/zero/one/two/three/four/five/six/seven/eight/nine/colon/semicolon/question/at/A/B/C/D/E/F/G/H/I/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/bracketleft/bracketright/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/q/r/s/t/u/v/w/x/y/z/quotedblright/emdash)
-/FontFile 657 0 R
+/FontFile 701 0 R
 >> endobj
-1945 0 obj
+2108 0 obj
 [611 611 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 278 0 0 500 889 0 278 333 333 444 606 250 333 250 296 500 500 500 500 500 500 500 500 500 500 250 250 0 0 0 444 747 778 667 722 833 611 556 833 833 389 0 778 611 1000 833 833 611 833 722 611 667 778 778 1000 667 667 667 333 0 333 0 0 0 500 611 444 611 500 389 556 611 333 333 611 333 889 611 556 611 611 389 444 333 611 556 833 500 556 500 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 500 0 0 1000 ]
 endobj
-659 0 obj <<
+703 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [650 0 R 677 0 R 687 0 R 742 0 R 806 0 R 867 0 R]
+/Parent 2109 0 R
+/Kids [694 0 R 721 0 R 731 0 R 786 0 R 850 0 R 912 0 R]
 >> endobj
-886 0 obj <<
+941 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [871 0 R 888 0 R 902 0 R 913 0 R 920 0 R 932 0 R]
+/Parent 2109 0 R
+/Kids [929 0 R 943 0 R 957 0 R 968 0 R 975 0 R 987 0 R]
 >> endobj
-944 0 obj <<
+999 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [937 0 R 946 0 R 957 0 R 965 0 R 972 0 R 978 0 R]
+/Parent 2109 0 R
+/Kids [992 0 R 1001 0 R 1012 0 R 1020 0 R 1027 0 R 1033 0 R]
 >> endobj
-1001 0 obj <<
+1056 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [986 0 R 1008 0 R 1018 0 R 1023 0 R 1027 0 R 1034 0 R]
+/Parent 2109 0 R
+/Kids [1041 0 R 1063 0 R 1073 0 R 1078 0 R 1082 0 R 1089 0 R]
 >> endobj
-1050 0 obj <<
+1105 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [1043 0 R 1053 0 R 1060 0 R 1065 0 R 1074 0 R 1081 0 R]
+/Parent 2109 0 R
+/Kids [1097 0 R 1108 0 R 1115 0 R 1120 0 R 1129 0 R 1136 0 R]
 >> endobj
-1093 0 obj <<
+1148 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1946 0 R
-/Kids [1085 0 R 1096 0 R 1101 0 R 1110 0 R 1117 0 R 1126 0 R]
+/Parent 2109 0 R
+/Kids [1140 0 R 1151 0 R 1156 0 R 1164 0 R 1172 0 R 1181 0 R]
 >> endobj
-1145 0 obj <<
+1199 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1136 0 R 1147 0 R 1152 0 R 1158 0 R 1164 0 R 1172 0 R]
+/Parent 2110 0 R
+/Kids [1189 0 R 1201 0 R 1207 0 R 1213 0 R 1219 0 R 1223 0 R]
 >> endobj
-1182 0 obj <<
+1237 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1179 0 R 1184 0 R 1189 0 R 1195 0 R 1199 0 R 1205 0 R]
+/Parent 2110 0 R
+/Kids [1234 0 R 1239 0 R 1243 0 R 1248 0 R 1254 0 R 1258 0 R]
 >> endobj
-1219 0 obj <<
+1273 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1216 0 R 1221 0 R 1225 0 R 1235 0 R 1243 0 R 1248 0 R]
+/Parent 2110 0 R
+/Kids [1265 0 R 1276 0 R 1280 0 R 1284 0 R 1294 0 R 1301 0 R]
 >> endobj
-1255 0 obj <<
+1310 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1252 0 R 1257 0 R 1263 0 R 1271 0 R 1277 0 R 1284 0 R]
+/Parent 2110 0 R
+/Kids [1307 0 R 1312 0 R 1316 0 R 1320 0 R 1328 0 R 1334 0 R]
 >> endobj
-1296 0 obj <<
+1346 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1291 0 R 1298 0 R 1310 0 R 1315 0 R 1321 0 R 1326 0 R]
+/Parent 2110 0 R
+/Kids [1340 0 R 1348 0 R 1356 0 R 1361 0 R 1373 0 R 1378 0 R]
 >> endobj
-1339 0 obj <<
+1388 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1947 0 R
-/Kids [1331 0 R 1341 0 R 1345 0 R 1349 0 R 1353 0 R 1361 0 R]
+/Parent 2110 0 R
+/Kids [1382 0 R 1390 0 R 1395 0 R 1404 0 R 1408 0 R 1412 0 R]
 >> endobj
-1382 0 obj <<
+1423 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1366 0 R 1384 0 R 1399 0 R 1414 0 R 1424 0 R 1430 0 R]
+/Parent 2111 0 R
+/Kids [1416 0 R 1425 0 R 1430 0 R 1449 0 R 1462 0 R 1482 0 R]
 >> endobj
-1445 0 obj <<
+1499 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1436 0 R 1447 0 R 1459 0 R 1468 0 R 1474 0 R 1478 0 R]
+/Parent 2111 0 R
+/Kids [1488 0 R 1501 0 R 1505 0 R 1511 0 R 1521 0 R 1533 0 R]
 >> endobj
-1487 0 obj <<
+1547 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1482 0 R 1489 0 R 1500 0 R 1504 0 R 1508 0 R 1519 0 R]
+/Parent 2111 0 R
+/Kids [1541 0 R 1549 0 R 1557 0 R 1565 0 R 1574 0 R 1583 0 R]
 >> endobj
-1529 0 obj <<
+1592 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1523 0 R 1531 0 R 1541 0 R 1600 0 R 1656 0 R 1710 0 R]
+/Parent 2111 0 R
+/Kids [1587 0 R 1594 0 R 1605 0 R 1609 0 R 1613 0 R 1624 0 R]
 >> endobj
-1752 0 obj <<
+1634 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1744 0 R 1754 0 R 1760 0 R 1765 0 R 1769 0 R 1774 0 R]
+/Parent 2111 0 R
+/Kids [1628 0 R 1636 0 R 1646 0 R 1705 0 R 1761 0 R 1815 0 R]
 >> endobj
-1789 0 obj <<
+1857 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1948 0 R
-/Kids [1786 0 R 1791 0 R 1803 0 R 1808 0 R 1819 0 R 1824 0 R]
+/Parent 2111 0 R
+/Kids [1849 0 R 1859 0 R 1865 0 R 1870 0 R 1874 0 R 1879 0 R]
 >> endobj
-1839 0 obj <<
+1894 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1949 0 R
-/Kids [1829 0 R 1841 0 R 1853 0 R 1857 0 R 1868 0 R 1873 0 R]
+/Parent 2112 0 R
+/Kids [1890 0 R 1896 0 R 1908 0 R 1919 0 R 1926 0 R 1938 0 R]
 >> endobj
-1889 0 obj <<
+1952 0 obj <<
 /Type /Pages
 /Count 6
-/Parent 1949 0 R
-/Kids [1878 0 R 1891 0 R 1901 0 R 1908 0 R 1915 0 R 1924 0 R]
+/Parent 2112 0 R
+/Kids [1942 0 R 1954 0 R 1960 0 R 1964 0 R 1974 0 R 1986 0 R]
 >> endobj
-1946 0 obj <<
+1998 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2112 0 R
+/Kids [1992 0 R 2000 0 R 2009 0 R 2013 0 R 2024 0 R 2030 0 R]
+>> endobj
+2039 0 obj <<
+/Type /Pages
+/Count 6
+/Parent 2112 0 R
+/Kids [2035 0 R 2041 0 R 2053 0 R 2063 0 R 2069 0 R 2078 0 R]
+>> endobj
+2091 0 obj <<
+/Type /Pages
+/Count 1
+/Parent 2112 0 R
+/Kids [2085 0 R]
+>> endobj
+2109 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 1950 0 R
-/Kids [659 0 R 886 0 R 944 0 R 1001 0 R 1050 0 R 1093 0 R]
+/Parent 2113 0 R
+/Kids [703 0 R 941 0 R 999 0 R 1056 0 R 1105 0 R 1148 0 R]
 >> endobj
-1947 0 obj <<
+2110 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 1950 0 R
-/Kids [1145 0 R 1182 0 R 1219 0 R 1255 0 R 1296 0 R 1339 0 R]
+/Parent 2113 0 R
+/Kids [1199 0 R 1237 0 R 1273 0 R 1310 0 R 1346 0 R 1388 0 R]
 >> endobj
-1948 0 obj <<
+2111 0 obj <<
 /Type /Pages
 /Count 36
-/Parent 1950 0 R
-/Kids [1382 0 R 1445 0 R 1487 0 R 1529 0 R 1752 0 R 1789 0 R]
+/Parent 2113 0 R
+/Kids [1423 0 R 1499 0 R 1547 0 R 1592 0 R 1634 0 R 1857 0 R]
 >> endobj
-1949 0 obj <<
+2112 0 obj <<
 /Type /Pages
-/Count 12
-/Parent 1950 0 R
-/Kids [1839 0 R 1889 0 R]
+/Count 25
+/Parent 2113 0 R
+/Kids [1894 0 R 1952 0 R 1998 0 R 2039 0 R 2091 0 R]
 >> endobj
-1950 0 obj <<
+2113 0 obj <<
 /Type /Pages
-/Count 120
-/Kids [1946 0 R 1947 0 R 1948 0 R 1949 0 R]
+/Count 133
+/Kids [2109 0 R 2110 0 R 2111 0 R 2112 0 R]
 >> endobj
-1951 0 obj <<
+2114 0 obj <<
 /Type /Outlines
 /First 7 0 R
-/Last 607 0 R
+/Last 639 0 R
 /Count 10
 >> endobj
+691 0 obj <<
+/Title 692 0 R
+/A 689 0 R
+/Parent 639 0 R
+/Prev 687 0 R
+>> endobj
+687 0 obj <<
+/Title 688 0 R
+/A 685 0 R
+/Parent 639 0 R
+/Prev 683 0 R
+/Next 691 0 R
+>> endobj
+683 0 obj <<
+/Title 684 0 R
+/A 681 0 R
+/Parent 639 0 R
+/Prev 679 0 R
+/Next 687 0 R
+>> endobj
+679 0 obj <<
+/Title 680 0 R
+/A 677 0 R
+/Parent 639 0 R
+/Prev 675 0 R
+/Next 683 0 R
+>> endobj
+675 0 obj <<
+/Title 676 0 R
+/A 673 0 R
+/Parent 639 0 R
+/Prev 671 0 R
+/Next 679 0 R
+>> endobj
+671 0 obj <<
+/Title 672 0 R
+/A 669 0 R
+/Parent 639 0 R
+/Prev 667 0 R
+/Next 675 0 R
+>> endobj
+667 0 obj <<
+/Title 668 0 R
+/A 665 0 R
+/Parent 639 0 R
+/Prev 663 0 R
+/Next 671 0 R
+>> endobj
+663 0 obj <<
+/Title 664 0 R
+/A 661 0 R
+/Parent 639 0 R
+/Prev 659 0 R
+/Next 667 0 R
+>> endobj
+659 0 obj <<
+/Title 660 0 R
+/A 657 0 R
+/Parent 639 0 R
+/Prev 655 0 R
+/Next 663 0 R
+>> endobj
+655 0 obj <<
+/Title 656 0 R
+/A 653 0 R
+/Parent 639 0 R
+/Prev 651 0 R
+/Next 659 0 R
+>> endobj
+651 0 obj <<
+/Title 652 0 R
+/A 649 0 R
+/Parent 639 0 R
+/Prev 647 0 R
+/Next 655 0 R
+>> endobj
 647 0 obj <<
 /Title 648 0 R
 /A 645 0 R
-/Parent 607 0 R
+/Parent 639 0 R
 /Prev 643 0 R
+/Next 651 0 R
 >> endobj
 643 0 obj <<
 /Title 644 0 R
 /A 641 0 R
-/Parent 607 0 R
-/Prev 639 0 R
+/Parent 639 0 R
 /Next 647 0 R
 >> endobj
 639 0 obj <<
 /Title 640 0 R
 /A 637 0 R
-/Parent 607 0 R
-/Prev 635 0 R
-/Next 643 0 R
+/Parent 2114 0 R
+/Prev 603 0 R
+/First 643 0 R
+/Last 691 0 R
+/Count -13
 >> endobj
 635 0 obj <<
 /Title 636 0 R
 /A 633 0 R
-/Parent 607 0 R
+/Parent 623 0 R
 /Prev 631 0 R
-/Next 639 0 R
 >> endobj
 631 0 obj <<
 /Title 632 0 R
 /A 629 0 R
-/Parent 607 0 R
+/Parent 623 0 R
 /Prev 627 0 R
 /Next 635 0 R
 >> endobj
 627 0 obj <<
 /Title 628 0 R
 /A 625 0 R
-/Parent 607 0 R
-/Prev 623 0 R
+/Parent 623 0 R
 /Next 631 0 R
 >> endobj
 623 0 obj <<
 /Title 624 0 R
 /A 621 0 R
-/Parent 607 0 R
-/Prev 619 0 R
-/Next 627 0 R
+/Parent 603 0 R
+/Prev 615 0 R
+/First 627 0 R
+/Last 635 0 R
+/Count -3
 >> endobj
 619 0 obj <<
 /Title 620 0 R
 /A 617 0 R
-/Parent 607 0 R
-/Prev 615 0 R
-/Next 623 0 R
+/Parent 615 0 R
 >> endobj
 615 0 obj <<
 /Title 616 0 R
 /A 613 0 R
-/Parent 607 0 R
-/Prev 611 0 R
-/Next 619 0 R
+/Parent 603 0 R
+/Prev 607 0 R
+/Next 623 0 R
+/First 619 0 R
+/Last 619 0 R
+/Count -1
 >> endobj
 611 0 obj <<
 /Title 612 0 R
 /A 609 0 R
 /Parent 607 0 R
-/Next 615 0 R
 >> endobj
 607 0 obj <<
 /Title 608 0 R
 /A 605 0 R
-/Parent 1951 0 R
-/Prev 571 0 R
+/Parent 603 0 R
+/Next 615 0 R
 /First 611 0 R
-/Last 647 0 R
-/Count -10
+/Last 611 0 R
+/Count -1
 >> endobj
 603 0 obj <<
 /Title 604 0 R
 /A 601 0 R
-/Parent 591 0 R
-/Prev 599 0 R
+/Parent 2114 0 R
+/Prev 583 0 R
+/Next 639 0 R
+/First 607 0 R
+/Last 623 0 R
+/Count -3
 >> endobj
 599 0 obj <<
 /Title 600 0 R
 /A 597 0 R
-/Parent 591 0 R
+/Parent 583 0 R
 /Prev 595 0 R
-/Next 603 0 R
 >> endobj
 595 0 obj <<
 /Title 596 0 R
 /A 593 0 R
-/Parent 591 0 R
+/Parent 583 0 R
+/Prev 587 0 R
 /Next 599 0 R
 >> endobj
 591 0 obj <<
 /Title 592 0 R
 /A 589 0 R
-/Parent 571 0 R
-/Prev 583 0 R
-/First 595 0 R
-/Last 603 0 R
-/Count -3
+/Parent 587 0 R
 >> endobj
 587 0 obj <<
 /Title 588 0 R
 /A 585 0 R
 /Parent 583 0 R
+/Next 595 0 R
+/First 591 0 R
+/Last 591 0 R
+/Count -1
 >> endobj
 583 0 obj <<
 /Title 584 0 R
 /A 581 0 R
-/Parent 571 0 R
-/Prev 575 0 R
-/Next 591 0 R
+/Parent 2114 0 R
+/Prev 559 0 R
+/Next 603 0 R
 /First 587 0 R
-/Last 587 0 R
-/Count -1
+/Last 599 0 R
+/Count -3
 >> endobj
 579 0 obj <<
 /Title 580 0 R
 /A 577 0 R
-/Parent 575 0 R
+/Parent 559 0 R
+/Prev 567 0 R
 >> endobj
 575 0 obj <<
 /Title 576 0 R
 /A 573 0 R
-/Parent 571 0 R
-/Next 583 0 R
-/First 579 0 R
-/Last 579 0 R
-/Count -1
+/Parent 567 0 R
+/Prev 571 0 R
 >> endobj
 571 0 obj <<
 /Title 572 0 R
 /A 569 0 R
-/Parent 1951 0 R
-/Prev 551 0 R
-/Next 607 0 R
-/First 575 0 R
-/Last 591 0 R
-/Count -3
+/Parent 567 0 R
+/Next 575 0 R
 >> endobj
 567 0 obj <<
 /Title 568 0 R
 /A 565 0 R
-/Parent 551 0 R
+/Parent 559 0 R
 /Prev 563 0 R
+/Next 579 0 R
+/First 571 0 R
+/Last 575 0 R
+/Count -2
 >> endobj
 563 0 obj <<
 /Title 564 0 R
 /A 561 0 R
-/Parent 551 0 R
-/Prev 555 0 R
+/Parent 559 0 R
 /Next 567 0 R
 >> endobj
 559 0 obj <<
 /Title 560 0 R
 /A 557 0 R
-/Parent 555 0 R
+/Parent 2114 0 R
+/Prev 243 0 R
+/Next 583 0 R
+/First 563 0 R
+/Last 579 0 R
+/Count -3
 >> endobj
 555 0 obj <<
 /Title 556 0 R
 /A 553 0 R
-/Parent 551 0 R
-/Next 563 0 R
-/First 559 0 R
-/Last 559 0 R
-/Count -1
+/Parent 539 0 R
+/Prev 551 0 R
 >> endobj
 551 0 obj <<
 /Title 552 0 R
 /A 549 0 R
-/Parent 1951 0 R
-/Prev 527 0 R
-/Next 571 0 R
-/First 555 0 R
-/Last 567 0 R
-/Count -3
+/Parent 539 0 R
+/Prev 547 0 R
+/Next 555 0 R
 >> endobj
 547 0 obj <<
 /Title 548 0 R
 /A 545 0 R
-/Parent 527 0 R
-/Prev 535 0 R
+/Parent 539 0 R
+/Prev 543 0 R
+/Next 551 0 R
 >> endobj
 543 0 obj <<
 /Title 544 0 R
 /A 541 0 R
-/Parent 535 0 R
-/Prev 539 0 R
+/Parent 539 0 R
+/Next 547 0 R
 >> endobj
 539 0 obj <<
 /Title 540 0 R
 /A 537 0 R
-/Parent 535 0 R
-/Next 543 0 R
+/Parent 531 0 R
+/Prev 535 0 R
+/First 543 0 R
+/Last 555 0 R
+/Count -4
 >> endobj
 535 0 obj <<
 /Title 536 0 R
 /A 533 0 R
-/Parent 527 0 R
-/Prev 531 0 R
-/Next 547 0 R
-/First 539 0 R
-/Last 543 0 R
-/Count -2
+/Parent 531 0 R
+/Next 539 0 R
 >> endobj
 531 0 obj <<
 /Title 532 0 R
 /A 529 0 R
-/Parent 527 0 R
-/Next 535 0 R
+/Parent 243 0 R
+/Prev 479 0 R
+/First 535 0 R
+/Last 539 0 R
+/Count -2
 >> endobj
 527 0 obj <<
 /Title 528 0 R
 /A 525 0 R
-/Parent 1951 0 R
-/Prev 243 0 R
-/Next 551 0 R
-/First 531 0 R
-/Last 547 0 R
-/Count -3
+/Parent 479 0 R
+/Prev 523 0 R
 >> endobj
 523 0 obj <<
 /Title 524 0 R
 /A 521 0 R
-/Parent 475 0 R
-/Prev 519 0 R
+/Parent 479 0 R
+/Prev 507 0 R
+/Next 527 0 R
 >> endobj
 519 0 obj <<
 /Title 520 0 R
 /A 517 0 R
-/Parent 475 0 R
-/Prev 503 0 R
-/Next 523 0 R
+/Parent 507 0 R
+/Prev 515 0 R
 >> endobj
 515 0 obj <<
 /Title 516 0 R
 /A 513 0 R
-/Parent 503 0 R
+/Parent 507 0 R
 /Prev 511 0 R
+/Next 519 0 R
 >> endobj
 511 0 obj <<
 /Title 512 0 R
 /A 509 0 R
-/Parent 503 0 R
-/Prev 507 0 R
+/Parent 507 0 R
 /Next 515 0 R
 >> endobj
 507 0 obj <<
 /Title 508 0 R
 /A 505 0 R
-/Parent 503 0 R
-/Next 511 0 R
+/Parent 479 0 R
+/Prev 503 0 R
+/Next 523 0 R
+/First 511 0 R
+/Last 519 0 R
+/Count -3
 >> endobj
 503 0 obj <<
 /Title 504 0 R
 /A 501 0 R
-/Parent 475 0 R
+/Parent 479 0 R
 /Prev 499 0 R
-/Next 519 0 R
-/First 507 0 R
-/Last 515 0 R
-/Count -3
+/Next 507 0 R
 >> endobj
 499 0 obj <<
 /Title 500 0 R
 /A 497 0 R
-/Parent 475 0 R
+/Parent 479 0 R
 /Prev 495 0 R
 /Next 503 0 R
 >> endobj
 495 0 obj <<
 /Title 496 0 R
 /A 493 0 R
-/Parent 475 0 R
-/Prev 491 0 R
+/Parent 479 0 R
+/Prev 483 0 R
 /Next 499 0 R
 >> endobj
 491 0 obj <<
 /Title 492 0 R
 /A 489 0 R
-/Parent 475 0 R
-/Prev 479 0 R
-/Next 495 0 R
+/Parent 483 0 R
+/Prev 487 0 R
 >> endobj
 487 0 obj <<
 /Title 488 0 R
 /A 485 0 R
-/Parent 479 0 R
-/Prev 483 0 R
+/Parent 483 0 R
+/Next 491 0 R
 >> endobj
 483 0 obj <<
 /Title 484 0 R
 /A 481 0 R
 /Parent 479 0 R
-/Next 487 0 R
+/Next 495 0 R
+/First 487 0 R
+/Last 491 0 R
+/Count -2
 >> endobj
 479 0 obj <<
 /Title 480 0 R
 /A 477 0 R
-/Parent 475 0 R
-/Next 491 0 R
+/Parent 243 0 R
+/Prev 275 0 R
+/Next 531 0 R
 /First 483 0 R
-/Last 487 0 R
-/Count -2
+/Last 527 0 R
+/Count -7
 >> endobj
 475 0 obj <<
 /Title 476 0 R
 /A 473 0 R
-/Parent 243 0 R
-/Prev 275 0 R
-/First 479 0 R
-/Last 523 0 R
-/Count -7
+/Parent 459 0 R
+/Prev 471 0 R
 >> endobj
 471 0 obj <<
 /Title 472 0 R
 /A 469 0 R
-/Parent 455 0 R
+/Parent 459 0 R
 /Prev 467 0 R
+/Next 475 0 R
 >> endobj
 467 0 obj <<
 /Title 468 0 R
 /A 465 0 R
-/Parent 455 0 R
+/Parent 459 0 R
 /Prev 463 0 R
 /Next 471 0 R
 >> endobj
 463 0 obj <<
 /Title 464 0 R
 /A 461 0 R
-/Parent 455 0 R
-/Prev 459 0 R
+/Parent 459 0 R
 /Next 467 0 R
 >> endobj
 459 0 obj <<
 /Title 460 0 R
 /A 457 0 R
-/Parent 455 0 R
-/Next 463 0 R
+/Parent 275 0 R
+/Prev 455 0 R
+/First 463 0 R
+/Last 475 0 R
+/Count -4
 >> endobj
 455 0 obj <<
 /Title 456 0 R
 /A 453 0 R
 /Parent 275 0 R
 /Prev 451 0 R
-/First 459 0 R
-/Last 471 0 R
-/Count -4
+/Next 459 0 R
 >> endobj
 451 0 obj <<
 /Title 452 0 R
@@ -10207,21 +11213,21 @@ endobj
 /Title 428 0 R
 /A 425 0 R
 /Parent 275 0 R
-/Prev 347 0 R
+/Prev 423 0 R
 /Next 431 0 R
 >> endobj
 423 0 obj <<
 /Title 424 0 R
 /A 421 0 R
-/Parent 347 0 R
-/Prev 419 0 R
+/Parent 275 0 R
+/Prev 347 0 R
+/Next 427 0 R
 >> endobj
 419 0 obj <<
 /Title 420 0 R
 /A 417 0 R
 /Parent 347 0 R
 /Prev 415 0 R
-/Next 423 0 R
 >> endobj
 415 0 obj <<
 /Title 416 0 R
@@ -10346,10 +11352,10 @@ endobj
 /A 345 0 R
 /Parent 275 0 R
 /Prev 343 0 R
-/Next 427 0 R
+/Next 423 0 R
 /First 351 0 R
-/Last 423 0 R
-/Count -19
+/Last 419 0 R
+/Count -18
 >> endobj
 343 0 obj <<
 /Title 344 0 R
@@ -10475,10 +11481,10 @@ endobj
 /A 273 0 R
 /Parent 243 0 R
 /Prev 247 0 R
-/Next 475 0 R
+/Next 479 0 R
 /First 279 0 R
-/Last 455 0 R
-/Count -24
+/Last 459 0 R
+/Count -26
 >> endobj
 271 0 obj <<
 /Title 272 0 R
@@ -10534,12 +11540,12 @@ endobj
 243 0 obj <<
 /Title 244 0 R
 /A 241 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Prev 231 0 R
-/Next 527 0 R
+/Next 559 0 R
 /First 247 0 R
-/Last 475 0 R
-/Count -3
+/Last 531 0 R
+/Count -4
 >> endobj
 239 0 obj <<
 /Title 240 0 R
@@ -10556,7 +11562,7 @@ endobj
 231 0 obj <<
 /Title 232 0 R
 /A 229 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Prev 131 0 R
 /Next 243 0 R
 /First 235 0 R
@@ -10738,7 +11744,7 @@ endobj
 131 0 obj <<
 /Title 132 0 R
 /A 129 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Prev 91 0 R
 /Next 231 0 R
 /First 135 0 R
@@ -10812,7 +11818,7 @@ endobj
 91 0 obj <<
 /Title 92 0 R
 /A 89 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Prev 67 0 R
 /Next 131 0 R
 /First 95 0 R
@@ -10855,7 +11861,7 @@ endobj
 67 0 obj <<
 /Title 68 0 R
 /A 65 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Prev 7 0 R
 /Next 91 0 R
 /First 71 0 R
@@ -10964,2001 +11970,2164 @@ endobj
 7 0 obj <<
 /Title 8 0 R
 /A 5 0 R
-/Parent 1951 0 R
+/Parent 2114 0 R
 /Next 67 0 R
 /First 11 0 R
 /Last 23 0 R
 /Count -4
 >> endobj
-1952 0 obj <<
-/Names [(Access_Control_Lists) 1486 0 R (Bv9ARM.ch01) 874 0 R (Bv9ARM.ch02) 923 0 R (Bv9ARM.ch03) 940 0 R (Bv9ARM.ch04) 989 0 R (Bv9ARM.ch05) 1077 0 R (Bv9ARM.ch06) 1088 0 R (Bv9ARM.ch07) 1485 0 R (Bv9ARM.ch08) 1511 0 R (Bv9ARM.ch09) 1526 0 R (Bv9ARM.ch10) 1747 0 R (Configuration_File_Grammar) 1113 0 R (DNSSEC) 1056 0 R (Doc-Start) 655 0 R (Setting_TTLs) 1452 0 R (acache) 930 0 R (access_control) 1231 0 R (acl) 1121 0 R (address_match_lists) 1094 0 R (admin_tools) 963 0 R (appendix.A) 570 0 R (appendix.B) 606 0 R (bibliography) 1535 0 R (boolean_options) 1005 0 R (builtin) 1305 0 R (chapter*.1) 690 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 526 0 R (chapter.8) 550 0 R (cite.RFC1033) 1662 0 R (cite.RFC1034) 1547 0 R (cite.RFC1035) 1549 0 R (cite.RFC1101) 1644 0 R (cite.RFC1123) 1646 0 R (cite.RFC1183) 1606 0 R (cite.RFC1464) 1684 0 R (cite.RFC1535) 1592 0 R (cite.RFC1536) 1594 0 R (cite.RFC1537) 1664 0 R (cite.RFC1591) 1648 0 R (cite.RFC1706) 1608 0 R (cite.RFC1712) 1704 0 R (cite.RFC1713) 1686 0 R (cite.RFC1794) 1688 0 R (cite.RFC1876) 1610 0 R (cite.RFC1912) 1666 0 R (cite.RFC1982) 1596 0 R (cite.RFC1995) 1554 0 R (cite.RFC1996) 1556 0 R (cite.RFC2010) 1668 0 R (cite.RFC2052) 1612 0 R (cite.RFC2065) 1716 0 R (cite.RFC2136) 1558 0 R (cite.RFC2137) 1718 0 R (cite.RFC2163) 1614 0 R (cite.RFC2168) 1616 0 R (cite.RFC2181) 1560 0 R (cite.RFC2219) 1670 0 R (cite.RFC2230) 1618 0 R (cite.RFC2240) 1690 0 R (cite.RFC2308) 1562 0 R (cite.RFC2317) 1650 0 R (cite.RFC2345) 1692 0 R (cite.RFC2352) 1694 0 R (cite.RFC2535) 1720 0 R (cite.RFC2536) 1620 0 R (cite.RFC2537) 1622 0 R (cite.RFC2538) 1624 0 R (cite.RFC2539) 1626 0 R (cite.RFC2540) 1628 0 R (cite.RFC2671) 1564 0 R (cite.RFC2672) 1566 0 R (cite.RFC2673) 1706 0 R (cite.RFC2782) 1630 0 R (cite.RFC2825) 1674 0 R (cite.RFC2826) 1652 0 R (cite.RFC2845) 1568 0 R (cite.RFC2874) 1708 0 R (cite.RFC2915) 1632 0 R (cite.RFC2929) 1654 0 R (cite.RFC2930) 1570 0 R (cite.RFC2931) 1572 0 R (cite.RFC3007) 1574 0 R (cite.RFC3008) 1722 0 R (cite.RFC3071) 1696 0 R (cite.RFC3090) 1724 0 R (cite.RFC3110) 1634 0 R (cite.RFC3123) 1636 0 R (cite.RFC3225) 1580 0 R (cite.RFC3258) 1698 0 R (cite.RFC3445) 1726 0 R (cite.RFC3490) 1676 0 R (cite.RFC3491) 1678 0 R (cite.RFC3492) 1680 0 R (cite.RFC3596) 1638 0 R (cite.RFC3597) 1640 0 R (cite.RFC3645) 1576 0 R (cite.RFC3655) 1728 0 R (cite.RFC3658) 1730 0 R (cite.RFC3755) 1732 0 R (cite.RFC3757) 1734 0 R (cite.RFC3833) 1582 0 R (cite.RFC3845) 1736 0 R (cite.RFC3901) 1700 0 R (cite.RFC4033) 1584 0 R (cite.RFC4035) 1586 0 R (cite.RFC4044) 1588 0 R (cite.RFC4074) 1598 0 R (cite.RFC974) 1551 0 R (cite.id2499963) 1741 0 R (configuration_file_elements) 1089 0 R (controls_statement_definition_and_usage) 976 0 R (diagnostic_tools) 911 0 R (dynamic_update) 999 0 R (dynamic_update_policies) 1051 0 R (dynamic_update_security) 1241 0 R (empty) 1313 0 R (historical_dns_information) 1528 0 R (id2464966) 875 0 R (id2466572) 876 0 R (id2467531) 880 0 R (id2467541) 881 0 R (id2467713) 893 0 R (id2467734) 894 0 R (id2467768) 895 0 R (id2467852) 898 0 R (id2467945) 891 0 R (id2470250) 905 0 R (id2470274) 908 0 R (id2470372) 909 0 R (id2470393) 910 0 R (id2470423) 916 0 R (id2470526) 917 0 R (id2470553) 918 0 R (id2470587) 924 0 R (id2470614) 925 0 R (id2470627) 926 0 R (id2470721) 929 0 R (id2470731) 935 0 R (id2470763) 942 0 R (id2470779) 943 0 R (id2470802) 949 0 R (id2470819) 950 0 R (id2471156) 953 0 R (id2471161) 954 0 R (id2473080) 981 0 R (id2473092) 982 0 R (id2473469) 1014 0 R (id2473488) 1015 0 R (id2473923) 1031 0 R (id2473940) 1032 0 R (id2473978) 1037 0 R (id2473996) 1038 0 R (id2474007) 1039 0 R (id2474046) 1040 0 R (id2474172) 1041 0 R (id2474285) 1047 0 R (id2474299) 1048 0 R (id2474417) 1049 0 R (id2474621) 1057 0 R (id2474691) 1058 0 R (id2474770) 1063 0 R (id2474844) 1068 0 R (id2474974) 1070 0 R (id2474996) 1071 0 R (id2475165) 1078 0 R (id2475313) 1090 0 R (id2476171) 1099 0 R (id2476199) 1104 0 R (id2476374) 1105 0 R (id2476389) 1106 0 R (id2476419) 1107 0 R (id2476502) 1114 0 R (id2476918) 1120 0 R (id2476961) 1122 0 R (id2477176) 1124 0 R (id2477605) 1131 0 R (id2477622) 1132 0 R (id2477645) 1133 0 R (id2477669) 1139 0 R (id2477760) 1143 0 R (id2477885) 1144 0 R (id2477938) 1150 0 R (id2478768) 1161 0 R (id2479441) 1167 0 R (id2479514) 1168 0 R (id2479578) 1175 0 R (id2479622) 1176 0 R (id2479637) 1177 0 R (id2481622) 1202 0 R (id2483531) 1228 0 R (id2483590) 1230 0 R (id2484011) 1240 0 R (id2485010) 1260 0 R (id2485069) 1266 0 R (id2485253) 1268 0 R (id2485483) 1274 0 R (id2486119) 1288 0 R (id2487441) 1318 0 R (id2488552) 1335 0 R (id2488603) 1336 0 R (id2488685) 1338 0 R (id2490133) 1356 0 R (id2490140) 1357 0 R (id2490146) 1358 0 R (id2490560) 1364 0 R (id2490593) 1369 0 R (id2492021) 1411 0 R (id2492346) 1417 0 R (id2492364) 1418 0 R (id2492385) 1421 0 R (id2492621) 1427 0 R (id2493653) 1433 0 R (id2493781) 1439 0 R (id2493802) 1440 0 R (id2494233) 1442 0 R (id2494370) 1444 0 R (id2494392) 1450 0 R (id2494865) 1453 0 R (id2494989) 1455 0 R (id2495004) 1456 0 R (id2495253) 1462 0 R (id2495275) 1463 0 R (id2495336) 1464 0 R (id2495405) 1465 0 R (id2495442) 1466 0 R (id2495504) 1471 0 R (id2496119) 1496 0 R (id2496196) 1497 0 R (id2496256) 1498 0 R (id2496336) 1512 0 R (id2496341) 1513 0 R (id2496353) 1514 0 R (id2496370) 1515 0 R (id2496432) 1527 0 R (id2496672) 1534 0 R (id2496928) 1539 0 R (id2496930) 1545 0 R (id2496938) 1550 0 R (id2496962) 1546 0 R (id2496985) 1548 0 R (id2497021) 1559 0 R (id2497048) 1561 0 R (id2497074) 1553 0 R (id2497098) 1555 0 R (id2497122) 1557 0 R (id2497177) 1563 0 R (id2497204) 1565 0 R (id2497230) 1567 0 R (id2497361) 1569 0 R (id2497390) 1571 0 R (id2497420) 1573 0 R (id2497447) 1575 0 R (id2497522) 1578 0 R (id2497529) 1579 0 R (id2497556) 1581 0 R (id2497592) 1583 0 R (id2497657) 1587 0 R (id2497722) 1585 0 R (id2497787) 1590 0 R (id2497796) 1591 0 R (id2497821) 1593 0 R (id2497890) 1595 0 R (id2497925) 1597 0 R (id2497965) 1604 0 R (id2497971) 1605 0 R (id2498028) 1607 0 R (id2498066) 1615 0 R (id2498101) 1609 0 R (id2498155) 1611 0 R (id2498194) 1613 0 R (id2498219) 1617 0 R (id2498245) 1619 0 R (id2498272) 1621 0 R (id2498298) 1623 0 R (id2498338) 1625 0 R (id2498368) 1627 0 R (id2498397) 1629 0 R (id2498440) 1631 0 R (id2498473) 1633 0 R (id2498500) 1635 0 R (id2498523) 1637 0 R (id2498581) 1639 0 R (id2498605) 1642 0 R (id2498613) 1643 0 R (id2498638) 1645 0 R (id2498661) 1647 0 R (id2498684) 1649 0 R (id2498730) 1651 0 R (id2498754) 1653 0 R (id2498804) 1660 0 R (id2498811) 1661 0 R (id2498835) 1663 0 R (id2498861) 1665 0 R (id2498888) 1667 0 R (id2498924) 1669 0 R (id2498965) 1672 0 R (id2498970) 1673 0 R (id2499002) 1675 0 R (id2499048) 1677 0 R (id2499083) 1679 0 R (id2499110) 1682 0 R (id2499128) 1683 0 R (id2499150) 1685 0 R (id2499176) 1687 0 R (id2499202) 1689 0 R (id2499225) 1691 0 R (id2499271) 1693 0 R (id2499294) 1695 0 R (id2499321) 1697 0 R (id2499347) 1699 0 R (id2499384) 1702 0 R (id2499390) 1703 0 R (id2499448) 1705 0 R (id2499475) 1707 0 R (id2499511) 1714 0 R (id2499523) 1715 0 R (id2499562) 1717 0 R (id2499657) 1719 0 R (id2499687) 1721 0 R (id2499713) 1723 0 R (id2499739) 1725 0 R (id2499776) 1727 0 R (id2499812) 1729 0 R (id2499838) 1731 0 R (id2499865) 1733 0 R (id2499910) 1735 0 R (id2499952) 1738 0 R (id2499961) 1740 0 R (id2499963) 1742 0 R (incremental_zone_transfers) 1011 0 R (internet_drafts) 1737 0 R (ipv6addresses) 1072 0 R (journal) 1000 0 R (lwresd) 1079 0 R (man.dig) 1748 0 R (man.dnssec-keygen) 1797 0 R (man.dnssec-signzone) 1814 0 R (man.host) 1781 0 R (man.named) 1863 0 R (man.named-checkconf) 1834 0 R (man.named-checkzone) 1847 0 R (man.rndc) 1885 0 R (man.rndc-confgen) 1918 0 R (man.rndc.conf) 1898 0 R (notify) 990 0 R (options) 1187 0 R (page.1) 654 0 R (page.10) 915 0 R (page.100) 1767 0 R (page.101) 1771 0 R (page.102) 1776 0 R (page.103) 1788 0 R (page.104) 1793 0 R (page.105) 1805 0 R (page.106) 1810 0 R (page.107) 1821 0 R (page.108) 1826 0 R (page.109) 1831 0 R (page.11) 922 0 R (page.110) 1843 0 R (page.111) 1855 0 R (page.112) 1859 0 R (page.113) 1870 0 R (page.114) 1875 0 R (page.115) 1880 0 R (page.116) 1893 0 R (page.117) 1903 0 R (page.118) 1910 0 R (page.119) 1917 0 R (page.12) 934 0 R (page.120) 1926 0 R (page.13) 939 0 R (page.14) 948 0 R (page.15) 959 0 R (page.16) 967 0 R (page.17) 974 0 R (page.18) 980 0 R (page.19) 988 0 R (page.2) 679 0 R (page.20) 1010 0 R (page.21) 1020 0 R (page.22) 1025 0 R (page.23) 1029 0 R (page.24) 1036 0 R (page.25) 1045 0 R (page.26) 1055 0 R (page.27) 1062 0 R (page.28) 1067 0 R (page.29) 1076 0 R (page.3) 689 0 R (page.30) 1083 0 R (page.31) 1087 0 R (page.32) 1098 0 R (page.33) 1103 0 R (page.34) 1112 0 R (page.35) 1119 0 R (page.36) 1128 0 R (page.37) 1138 0 R (page.38) 1149 0 R (page.39) 1154 0 R (page.4) 744 0 R (page.40) 1160 0 R (page.41) 1166 0 R (page.42) 1174 0 R (page.43) 1181 0 R (page.44) 1186 0 R (page.45) 1191 0 R (page.46) 1197 0 R (page.47) 1201 0 R (page.48) 1207 0 R (page.49) 1218 0 R (page.5) 808 0 R (page.50) 1223 0 R (page.51) 1227 0 R (page.52) 1237 0 R (page.53) 1245 0 R (page.54) 1250 0 R (page.55) 1254 0 R (page.56) 1259 0 R (page.57) 1265 0 R (page.58) 1273 0 R (page.59) 1279 0 R (page.6) 869 0 R (page.60) 1286 0 R (page.61) 1293 0 R (page.62) 1300 0 R (page.63) 1312 0 R (page.64) 1317 0 R (page.65) 1323 0 R (page.66) 1328 0 R (page.67) 1333 0 R (page.68) 1343 0 R (page.69) 1347 0 R (page.7) 873 0 R (page.70) 1351 0 R (page.71) 1355 0 R (page.72) 1363 0 R (page.73) 1368 0 R (page.74) 1386 0 R (page.75) 1401 0 R (page.76) 1416 0 R (page.77) 1426 0 R (page.78) 1432 0 R (page.79) 1438 0 R (page.8) 890 0 R (page.80) 1449 0 R (page.81) 1461 0 R (page.82) 1470 0 R (page.83) 1476 0 R (page.84) 1480 0 R (page.85) 1484 0 R (page.86) 1491 0 R (page.87) 1502 0 R (page.88) 1506 0 R (page.89) 1510 0 R (page.9) 904 0 R (page.90) 1521 0 R (page.91) 1525 0 R (page.92) 1533 0 R (page.93) 1543 0 R (page.94) 1602 0 R (page.95) 1658 0 R (page.96) 1712 0 R (page.97) 1746 0 R (page.98) 1756 0 R (page.99) 1762 0 R (proposed_standards) 1016 0 R (query_address) 1246 0 R (rfcs) 900 0 R (rndc) 1134 0 R (rrset_ordering) 955 0 R (sample_configuration) 941 0 R (section*.10) 1671 0 R (section*.11) 1681 0 R (section*.12) 1701 0 R (section*.13) 1713 0 R (section*.14) 1739 0 R (section*.15) 1749 0 R (section*.16) 1750 0 R (section*.17) 1751 0 R (section*.18) 1757 0 R (section*.19) 1758 0 R (section*.2) 1538 0 R (section*.20) 1763 0 R (section*.21) 1772 0 R (section*.22) 1777 0 R (section*.23) 1778 0 R (section*.24) 1779 0 R (section*.25) 1780 0 R (section*.26) 1782 0 R (section*.27) 1783 0 R (section*.28) 1784 0 R (section*.29) 1794 0 R (section*.3) 1544 0 R (section*.30) 1795 0 R (section*.31) 1796 0 R (section*.32) 1798 0 R (section*.33) 1799 0 R (section*.34) 1800 0 R (section*.35) 1801 0 R (section*.36) 1806 0 R (section*.37) 1811 0 R (section*.38) 1812 0 R (section*.39) 1813 0 R (section*.4) 1552 0 R (section*.40) 1815 0 R (section*.41) 1816 0 R (section*.42) 1817 0 R (section*.43) 1822 0 R (section*.44) 1827 0 R (section*.45) 1832 0 R (section*.46) 1833 0 R (section*.47) 1835 0 R (section*.48) 1836 0 R (section*.49) 1837 0 R (section*.5) 1577 0 R (section*.50) 1838 0 R (section*.51) 1844 0 R (section*.52) 1845 0 R (section*.53) 1846 0 R (section*.54) 1848 0 R (section*.55) 1849 0 R (section*.56) 1850 0 R (section*.57) 1851 0 R (section*.58) 1860 0 R (section*.59) 1861 0 R (section*.6) 1589 0 R (section*.60) 1862 0 R (section*.61) 1864 0 R (section*.62) 1865 0 R (section*.63) 1866 0 R (section*.64) 1871 0 R (section*.65) 1876 0 R (section*.66) 1881 0 R (section*.67) 1882 0 R (section*.68) 1883 0 R (section*.69) 1884 0 R (section*.7) 1603 0 R (section*.70) 1886 0 R (section*.71) 1887 0 R (section*.72) 1888 0 R (section*.73) 1894 0 R (section*.74) 1895 0 R (section*.75) 1896 0 R (section*.76) 1897 0 R (section*.77) 1899 0 R (section*.78) 1904 0 R (section*.79) 1905 0 R (section*.8) 1641 0 R (section*.80) 1906 0 R (section*.81) 1911 0 R (section*.82) 1912 0 R (section*.83) 1913 0 R (section*.84) 1919 0 R (section*.85) 1920 0 R (section*.86) 1921 0 R (section*.87) 1922 0 R (section*.88) 1927 0 R (section*.89) 1928 0 R (section*.9) 1659 0 R (section*.90) 1929 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 474 0 R (section.7.1) 530 0 R (section.7.2) 534 0 R (section.7.3) 546 0 R (section.8.1) 554 0 R (section.8.2) 562 0 R (section.8.3) 566 0 R (section.A.1) 574 0 R (section.A.2) 582 0 R (section.A.3) 590 0 R (section.B.1) 610 0 R (section.B.10) 646 0 R (section.B.2) 614 0 R (section.B.3) 618 0 R (section.B.4) 622 0 R (section.B.5) 626 0 R (section.B.6) 630 0 R (section.B.7) 634 0 R (section.B.8) 638 0 R (section.B.9) 642 0 R (server_statement_definition_and_usage) 1214 0 R (server_statement_grammar) 1324 0 R (statsfile) 1193 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 326 0 R (subsection.6.2.12) 330 0 R (subsection.6.2.13) 334 0 R (subsection.6.2.14) 338 0 R (subsection.6.2.15) 342 0 R (subsection.6.2.16) 346 0 R (subsection.6.2.17) 426 0 R (subsection.6.2.18) 430 0 R (subsection.6.2.19) 434 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 438 0 R (subsection.6.2.21) 442 0 R (subsection.6.2.22) 446 0 R (subsection.6.2.23) 450 0 R (subsection.6.2.24) 454 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 478 0 R (subsection.6.3.2) 490 0 R (subsection.6.3.3) 494 0 R (subsection.6.3.4) 498 0 R (subsection.6.3.5) 502 0 R (subsection.6.3.6) 518 0 R (subsection.6.3.7) 522 0 R (subsection.7.2.1) 538 0 R (subsection.7.2.2) 542 0 R (subsection.8.1.1) 558 0 R (subsection.A.1.1) 578 0 R (subsection.A.2.1) 586 0 R (subsection.A.3.1) 594 0 R (subsection.A.3.2) 598 0 R (subsection.A.3.3) 602 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.16.1) 350 0 R (subsubsection.6.2.16.10) 386 0 R (subsubsection.6.2.16.11) 390 0 R (subsubsection.6.2.16.12) 394 0 R (subsubsection.6.2.16.13) 398 0 R (subsubsection.6.2.16.14) 402 0 R (subsubsection.6.2.16.15) 406 0 R (subsubsection.6.2.16.16) 410 0 R (subsubsection.6.2.16.17) 414 0 R (subsubsection.6.2.16.18) 418 0 R (subsubsection.6.2.16.19) 422 0 R (subsubsection.6.2.16.2) 354 0 R (subsubsection.6.2.16.3) 358 0 R (subsubsection.6.2.16.4) 362 0 R (subsubsection.6.2.16.5) 366 0 R (subsubsection.6.2.16.6) 370 0 R (subsubsection.6.2.16.7) 374 0 R (subsubsection.6.2.16.8) 378 0 R (subsubsection.6.2.16.9) 382 0 R (subsubsection.6.2.24.1) 458 0 R (subsubsection.6.2.24.2) 462 0 R (subsubsection.6.2.24.3) 466 0 R (subsubsection.6.2.24.4) 470 0 R (subsubsection.6.3.1.1) 482 0 R (subsubsection.6.3.1.2) 486 0 R (subsubsection.6.3.5.1) 506 0 R (subsubsection.6.3.5.2) 510 0 R (subsubsection.6.3.5.3) 514 0 R (table.1.1) 882 0 R (table.1.2) 892 0 R (table.3.1) 951 0 R (table.3.2) 983 0 R (table.6.1) 1091 0 R (table.6.10) 1422 0 R (table.6.11) 1428 0 R (table.6.12) 1434 0 R (table.6.13) 1441 0 R (table.6.14) 1443 0 R (table.6.15) 1451 0 R (table.6.16) 1454 0 R (table.6.17) 1457 0 R (table.6.18) 1472 0 R (table.6.2) 1115 0 R (table.6.3) 1123 0 R (table.6.4) 1162 0 R (table.6.5) 1203 0 R (table.6.6) 1289 0 R (table.6.7) 1319 0 R (table.6.8) 1359 0 R (table.6.9) 1412 0 R (the_category_phrase) 1156 0 R (the_sortlist_statement) 1280 0 R (topology) 1275 0 R (tsig) 1030 0 R (tuning) 1294 0 R (types_of_resource_records_and_when_to_use_them) 899 0 R (view_statement_grammar) 1308 0 R (zone_statement_grammar) 1233 0 R (zone_transfers) 1006 0 R (zonefile_format) 1307 0 R]
+2115 0 obj <<
+/Names [(Access_Control_Lists) 1591 0 R (Bv9ARM.ch01) 932 0 R (Bv9ARM.ch02) 978 0 R (Bv9ARM.ch03) 995 0 R (Bv9ARM.ch04) 1044 0 R (Bv9ARM.ch05) 1132 0 R (Bv9ARM.ch06) 1143 0 R (Bv9ARM.ch07) 1590 0 R (Bv9ARM.ch08) 1616 0 R (Bv9ARM.ch09) 1631 0 R (Bv9ARM.ch10) 1852 0 R (Configuration_File_Grammar) 1168 0 R (DNSSEC) 1111 0 R (Doc-Start) 699 0 R (Setting_TTLs) 1526 0 R (acache) 985 0 R (access_control) 1290 0 R (acl) 1176 0 R (address_match_lists) 1149 0 R (admin_tools) 1018 0 R (appendix.A) 602 0 R (appendix.B) 638 0 R (bibliography) 1640 0 R (boolean_options) 1060 0 R (builtin) 1368 0 R (chapter*.1) 734 0 R (chapter.1) 6 0 R (chapter.2) 66 0 R (chapter.3) 90 0 R (chapter.4) 130 0 R (chapter.5) 230 0 R (chapter.6) 242 0 R (chapter.7) 558 0 R (chapter.8) 582 0 R (cite.RFC1033) 1767 0 R (cite.RFC1034) 1652 0 R (cite.RFC1035) 1654 0 R (cite.RFC1101) 1749 0 R (cite.RFC1123) 1751 0 R (cite.RFC1183) 1711 0 R (cite.RFC1464) 1789 0 R (cite.RFC1535) 1697 0 R (cite.RFC1536) 1699 0 R (cite.RFC1537) 1769 0 R (cite.RFC1591) 1753 0 R (cite.RFC1706) 1713 0 R (cite.RFC1712) 1809 0 R (cite.RFC1713) 1791 0 R (cite.RFC1794) 1793 0 R (cite.RFC1876) 1715 0 R (cite.RFC1912) 1771 0 R (cite.RFC1982) 1701 0 R (cite.RFC1995) 1659 0 R (cite.RFC1996) 1661 0 R (cite.RFC2010) 1773 0 R (cite.RFC2052) 1717 0 R (cite.RFC2065) 1821 0 R (cite.RFC2136) 1663 0 R (cite.RFC2137) 1823 0 R (cite.RFC2163) 1719 0 R (cite.RFC2168) 1721 0 R (cite.RFC2181) 1665 0 R (cite.RFC2219) 1775 0 R (cite.RFC2230) 1723 0 R (cite.RFC2240) 1795 0 R (cite.RFC2308) 1667 0 R (cite.RFC2317) 1755 0 R (cite.RFC2345) 1797 0 R (cite.RFC2352) 1799 0 R (cite.RFC2535) 1825 0 R (cite.RFC2536) 1725 0 R (cite.RFC2537) 1727 0 R (cite.RFC2538) 1729 0 R (cite.RFC2539) 1731 0 R (cite.RFC2540) 1733 0 R (cite.RFC2671) 1669 0 R (cite.RFC2672) 1671 0 R (cite.RFC2673) 1811 0 R (cite.RFC2782) 1735 0 R (cite.RFC2825) 1779 0 R (cite.RFC2826) 1757 0 R (cite.RFC2845) 1673 0 R (cite.RFC2874) 1813 0 R (cite.RFC2915) 1737 0 R (cite.RFC2929) 1759 0 R (cite.RFC2930) 1675 0 R (cite.RFC2931) 1677 0 R (cite.RFC3007) 1679 0 R (cite.RFC3008) 1827 0 R (cite.RFC3071) 1801 0 R (cite.RFC3090) 1829 0 R (cite.RFC3110) 1739 0 R (cite.RFC3123) 1741 0 R (cite.RFC3225) 1685 0 R (cite.RFC3258) 1803 0 R (cite.RFC3445) 1831 0 R (cite.RFC3490) 1781 0 R (cite.RFC3491) 1783 0 R (cite.RFC3492) 1785 0 R (cite.RFC3596) 1743 0 R (cite.RFC3597) 1745 0 R (cite.RFC3645) 1681 0 R (cite.RFC3655) 1833 0 R (cite.RFC3658) 1835 0 R (cite.RFC3755) 1837 0 R (cite.RFC3757) 1839 0 R (cite.RFC3833) 1687 0 R (cite.RFC3845) 1841 0 R (cite.RFC3901) 1805 0 R (cite.RFC4033) 1689 0 R (cite.RFC4034) 1691 0 R (cite.RFC4035) 1693 0 R (cite.RFC4074) 1703 0 R (cite.RFC974) 1656 0 R (cite.id2504427) 1846 0 R (configuration_file_elements) 1144 0 R (controls_statement_definition_and_usage) 1031 0 R (diagnostic_tools) 966 0 R (dynamic_update) 1054 0 R (dynamic_update_policies) 1106 0 R (dynamic_update_security) 1299 0 R (empty) 1376 0 R (historical_dns_information) 1633 0 R (id2464966) 933 0 R (id2466572) 934 0 R (id2467531) 935 0 R (id2467541) 936 0 R (id2467713) 948 0 R (id2467734) 949 0 R (id2467768) 950 0 R (id2467852) 953 0 R (id2467945) 946 0 R (id2470250) 960 0 R (id2470274) 963 0 R (id2470372) 964 0 R (id2470393) 965 0 R (id2470423) 971 0 R (id2470526) 972 0 R (id2470553) 973 0 R (id2470587) 979 0 R (id2470614) 980 0 R (id2470627) 981 0 R (id2470721) 984 0 R (id2470731) 990 0 R (id2470763) 997 0 R (id2470779) 998 0 R (id2470802) 1004 0 R (id2470819) 1005 0 R (id2471224) 1008 0 R (id2471229) 1009 0 R (id2473110) 1036 0 R (id2473122) 1037 0 R (id2473515) 1069 0 R (id2473533) 1070 0 R (id2473969) 1086 0 R (id2473986) 1087 0 R (id2474024) 1092 0 R (id2474042) 1093 0 R (id2474121) 1094 0 R (id2474161) 1095 0 R (id2474286) 1100 0 R (id2474331) 1102 0 R (id2474345) 1103 0 R (id2474462) 1104 0 R (id2474599) 1112 0 R (id2474678) 1113 0 R (id2474759) 1118 0 R (id2474902) 1123 0 R (id2475169) 1125 0 R (id2475190) 1126 0 R (id2475291) 1133 0 R (id2475438) 1145 0 R (id2476300) 1154 0 R (id2476328) 1159 0 R (id2476522) 1160 0 R (id2476537) 1161 0 R (id2476567) 1167 0 R (id2476718) 1169 0 R (id2477161) 1175 0 R (id2477272) 1177 0 R (id2477419) 1179 0 R (id2477780) 1186 0 R (id2477797) 1192 0 R (id2477889) 1193 0 R (id2477912) 1194 0 R (id2478003) 1198 0 R (id2478197) 1204 0 R (id2478249) 1205 0 R (id2478942) 1216 0 R (id2479645) 1226 0 R (id2479719) 1227 0 R (id2479783) 1230 0 R (id2479827) 1231 0 R (id2479842) 1232 0 R (id2482169) 1261 0 R (id2484043) 1287 0 R (id2484102) 1289 0 R (id2484598) 1304 0 R (id2485793) 1323 0 R (id2485852) 1325 0 R (id2486200) 1337 0 R (id2486839) 1352 0 R (id2488339) 1386 0 R (id2489091) 1399 0 R (id2489142) 1400 0 R (id2489292) 1402 0 R (id2490761) 1419 0 R (id2490769) 1420 0 R (id2490774) 1421 0 R (id2491188) 1428 0 R (id2491221) 1433 0 R (id2492840) 1485 0 R (id2493223) 1491 0 R (id2493309) 1492 0 R (id2493330) 1495 0 R (id2493498) 1497 0 R (id2494737) 1508 0 R (id2494865) 1514 0 R (id2495022) 1515 0 R (id2495385) 1517 0 R (id2495522) 1519 0 R (id2495544) 1524 0 R (id2496017) 1527 0 R (id2496141) 1529 0 R (id2496156) 1530 0 R (id2496268) 1536 0 R (id2496291) 1537 0 R (id2496420) 1538 0 R (id2496489) 1539 0 R (id2496525) 1544 0 R (id2496587) 1545 0 R (id2497018) 1553 0 R (id2497363) 1561 0 R (id2497368) 1562 0 R (id2499022) 1568 0 R (id2499029) 1569 0 R (id2499405) 1571 0 R (id2499411) 1572 0 R (id2500259) 1581 0 R (id2500446) 1601 0 R (id2500592) 1602 0 R (id2500651) 1603 0 R (id2500731) 1617 0 R (id2500737) 1618 0 R (id2500748) 1619 0 R (id2500765) 1620 0 R (id2500964) 1632 0 R (id2501136) 1639 0 R (id2501255) 1644 0 R (id2501257) 1650 0 R (id2501266) 1655 0 R (id2501289) 1651 0 R (id2501381) 1653 0 R (id2501417) 1664 0 R (id2501444) 1666 0 R (id2501469) 1658 0 R (id2501494) 1660 0 R (id2501517) 1662 0 R (id2501573) 1668 0 R (id2501600) 1670 0 R (id2501626) 1672 0 R (id2501688) 1674 0 R (id2501718) 1676 0 R (id2501748) 1678 0 R (id2501843) 1680 0 R (id2501917) 1683 0 R (id2501925) 1684 0 R (id2501952) 1686 0 R (id2501988) 1688 0 R (id2502053) 1690 0 R (id2502118) 1692 0 R (id2502183) 1695 0 R (id2502192) 1696 0 R (id2502217) 1698 0 R (id2502285) 1700 0 R (id2502321) 1702 0 R (id2502361) 1709 0 R (id2502366) 1710 0 R (id2502424) 1712 0 R (id2502461) 1720 0 R (id2502497) 1714 0 R (id2502551) 1716 0 R (id2502589) 1718 0 R (id2502615) 1722 0 R (id2502641) 1724 0 R (id2502667) 1726 0 R (id2502694) 1728 0 R (id2502733) 1730 0 R (id2502763) 1732 0 R (id2502793) 1734 0 R (id2502836) 1736 0 R (id2502869) 1738 0 R (id2502896) 1740 0 R (id2502919) 1742 0 R (id2502977) 1744 0 R (id2503001) 1747 0 R (id2503009) 1748 0 R (id2503034) 1750 0 R (id2503057) 1752 0 R (id2503080) 1754 0 R (id2503126) 1756 0 R (id2503149) 1758 0 R (id2503200) 1765 0 R (id2503207) 1766 0 R (id2503230) 1768 0 R (id2503257) 1770 0 R (id2503352) 1772 0 R (id2503388) 1774 0 R (id2503429) 1777 0 R (id2503434) 1778 0 R (id2503466) 1780 0 R (id2503512) 1782 0 R (id2503547) 1784 0 R (id2503574) 1787 0 R (id2503592) 1788 0 R (id2503614) 1790 0 R (id2503640) 1792 0 R (id2503666) 1794 0 R (id2503689) 1796 0 R (id2503735) 1798 0 R (id2503758) 1800 0 R (id2503785) 1802 0 R (id2503811) 1804 0 R (id2503848) 1807 0 R (id2503854) 1808 0 R (id2503912) 1810 0 R (id2503939) 1812 0 R (id2503975) 1819 0 R (id2503987) 1820 0 R (id2504026) 1822 0 R (id2504053) 1824 0 R (id2504083) 1826 0 R (id2504108) 1828 0 R (id2504135) 1830 0 R (id2504240) 1832 0 R (id2504276) 1834 0 R (id2504302) 1836 0 R (id2504329) 1838 0 R (id2504374) 1840 0 R (id2504416) 1843 0 R (id2504425) 1845 0 R (id2504427) 1847 0 R (incremental_zone_transfers) 1066 0 R (internet_drafts) 1842 0 R (ipv6addresses) 1127 0 R (journal) 1055 0 R (lwresd) 1134 0 R (man.dig) 1853 0 R (man.dnssec-dsfromkey) 1902 0 R (man.dnssec-keyfromlabel) 1916 0 R (man.dnssec-keygen) 1932 0 R (man.dnssec-signzone) 1949 0 R (man.host) 1886 0 R (man.named) 2003 0 R (man.named-checkconf) 1970 0 R (man.named-checkzone) 1982 0 R (man.nsupdate) 2021 0 R (man.rndc) 2047 0 R (man.rndc-confgen) 2075 0 R (man.rndc.conf) 2059 0 R (notify) 1045 0 R (options) 1246 0 R (page.1) 698 0 R (page.10) 970 0 R (page.100) 1707 0 R (page.101) 1763 0 R (page.102) 1817 0 R (page.103) 1851 0 R (page.104) 1861 0 R (page.105) 1867 0 R (page.106) 1872 0 R (page.107) 1876 0 R (page.108) 1881 0 R (page.109) 1892 0 R (page.11) 977 0 R (page.110) 1898 0 R (page.111) 1910 0 R (page.112) 1921 0 R (page.113) 1928 0 R (page.114) 1940 0 R (page.115) 1944 0 R (page.116) 1956 0 R (page.117) 1962 0 R (page.118) 1966 0 R (page.119) 1976 0 R (page.12) 989 0 R (page.120) 1988 0 R (page.121) 1994 0 R (page.122) 2002 0 R (page.123) 2011 0 R (page.124) 2015 0 R (page.125) 2026 0 R (page.126) 2032 0 R (page.127) 2037 0 R (page.128) 2043 0 R (page.129) 2055 0 R (page.13) 994 0 R (page.130) 2065 0 R (page.131) 2071 0 R (page.132) 2080 0 R (page.133) 2087 0 R (page.14) 1003 0 R (page.15) 1014 0 R (page.16) 1022 0 R (page.17) 1029 0 R (page.18) 1035 0 R (page.19) 1043 0 R (page.2) 723 0 R (page.20) 1065 0 R (page.21) 1075 0 R (page.22) 1080 0 R (page.23) 1084 0 R (page.24) 1091 0 R (page.25) 1099 0 R (page.26) 1110 0 R (page.27) 1117 0 R (page.28) 1122 0 R (page.29) 1131 0 R (page.3) 733 0 R (page.30) 1138 0 R (page.31) 1142 0 R (page.32) 1153 0 R (page.33) 1158 0 R (page.34) 1166 0 R (page.35) 1174 0 R (page.36) 1183 0 R (page.37) 1191 0 R (page.38) 1203 0 R (page.39) 1209 0 R (page.4) 788 0 R (page.40) 1215 0 R (page.41) 1221 0 R (page.42) 1225 0 R (page.43) 1236 0 R (page.44) 1241 0 R (page.45) 1245 0 R (page.46) 1250 0 R (page.47) 1256 0 R (page.48) 1260 0 R (page.49) 1267 0 R (page.5) 852 0 R (page.50) 1278 0 R (page.51) 1282 0 R (page.52) 1286 0 R (page.53) 1296 0 R (page.54) 1303 0 R (page.55) 1309 0 R (page.56) 1314 0 R (page.57) 1318 0 R (page.58) 1322 0 R (page.59) 1330 0 R (page.6) 914 0 R (page.60) 1336 0 R (page.61) 1342 0 R (page.62) 1350 0 R (page.63) 1358 0 R (page.64) 1363 0 R (page.65) 1375 0 R (page.66) 1380 0 R (page.67) 1384 0 R (page.68) 1392 0 R (page.69) 1397 0 R (page.7) 931 0 R (page.70) 1406 0 R (page.71) 1410 0 R (page.72) 1414 0 R (page.73) 1418 0 R (page.74) 1427 0 R (page.75) 1432 0 R (page.76) 1451 0 R (page.77) 1464 0 R (page.78) 1484 0 R (page.79) 1490 0 R (page.8) 945 0 R (page.80) 1503 0 R (page.81) 1507 0 R (page.82) 1513 0 R (page.83) 1523 0 R (page.84) 1535 0 R (page.85) 1543 0 R (page.86) 1551 0 R (page.87) 1559 0 R (page.88) 1567 0 R (page.89) 1576 0 R (page.9) 959 0 R (page.90) 1585 0 R (page.91) 1589 0 R (page.92) 1596 0 R (page.93) 1607 0 R (page.94) 1611 0 R (page.95) 1615 0 R (page.96) 1626 0 R (page.97) 1630 0 R (page.98) 1638 0 R (page.99) 1648 0 R (proposed_standards) 1071 0 R (query_address) 1305 0 R (rfcs) 955 0 R (rndc) 1187 0 R (rrset_ordering) 1010 0 R (sample_configuration) 996 0 R (section*.10) 1776 0 R (section*.100) 2058 0 R (section*.101) 2060 0 R (section*.102) 2061 0 R (section*.103) 2066 0 R (section*.104) 2067 0 R (section*.105) 2072 0 R (section*.106) 2073 0 R (section*.107) 2074 0 R (section*.108) 2076 0 R (section*.109) 2081 0 R (section*.11) 1786 0 R (section*.110) 2082 0 R (section*.111) 2083 0 R (section*.112) 2088 0 R (section*.113) 2089 0 R (section*.114) 2090 0 R (section*.12) 1806 0 R (section*.13) 1818 0 R (section*.14) 1844 0 R (section*.15) 1854 0 R (section*.16) 1855 0 R (section*.17) 1856 0 R (section*.18) 1862 0 R (section*.19) 1863 0 R (section*.2) 1643 0 R (section*.20) 1868 0 R (section*.21) 1877 0 R (section*.22) 1882 0 R (section*.23) 1883 0 R (section*.24) 1884 0 R (section*.25) 1885 0 R (section*.26) 1887 0 R (section*.27) 1888 0 R (section*.28) 1893 0 R (section*.29) 1899 0 R (section*.3) 1649 0 R (section*.30) 1900 0 R (section*.31) 1901 0 R (section*.32) 1903 0 R (section*.33) 1904 0 R (section*.34) 1905 0 R (section*.35) 1906 0 R (section*.36) 1911 0 R (section*.37) 1912 0 R (section*.38) 1913 0 R (section*.39) 1914 0 R (section*.4) 1657 0 R (section*.40) 1915 0 R (section*.41) 1917 0 R (section*.42) 1922 0 R (section*.43) 1923 0 R (section*.44) 1924 0 R (section*.45) 1929 0 R (section*.46) 1930 0 R (section*.47) 1931 0 R (section*.48) 1933 0 R (section*.49) 1934 0 R (section*.5) 1682 0 R (section*.50) 1935 0 R (section*.51) 1936 0 R (section*.52) 1945 0 R (section*.53) 1946 0 R (section*.54) 1947 0 R (section*.55) 1948 0 R (section*.56) 1950 0 R (section*.57) 1951 0 R (section*.58) 1957 0 R (section*.59) 1958 0 R (section*.6) 1694 0 R (section*.60) 1967 0 R (section*.61) 1968 0 R (section*.62) 1969 0 R (section*.63) 1971 0 R (section*.64) 1972 0 R (section*.65) 1977 0 R (section*.66) 1978 0 R (section*.67) 1979 0 R (section*.68) 1980 0 R (section*.69) 1981 0 R (section*.7) 1708 0 R (section*.70) 1983 0 R (section*.71) 1984 0 R (section*.72) 1989 0 R (section*.73) 1990 0 R (section*.74) 1995 0 R (section*.75) 1996 0 R (section*.76) 1997 0 R (section*.77) 2004 0 R (section*.78) 2005 0 R (section*.79) 2006 0 R (section*.8) 1746 0 R (section*.80) 2007 0 R (section*.81) 2016 0 R (section*.82) 2017 0 R (section*.83) 2018 0 R (section*.84) 2019 0 R (section*.85) 2020 0 R (section*.86) 2022 0 R (section*.87) 2027 0 R (section*.88) 2028 0 R (section*.89) 2033 0 R (section*.9) 1764 0 R (section*.90) 2038 0 R (section*.91) 2044 0 R (section*.92) 2045 0 R (section*.93) 2046 0 R (section*.94) 2048 0 R (section*.95) 2049 0 R (section*.96) 2050 0 R (section*.97) 2051 0 R (section*.98) 2056 0 R (section*.99) 2057 0 R (section.1.1) 10 0 R (section.1.2) 14 0 R (section.1.3) 18 0 R (section.1.4) 22 0 R (section.2.1) 70 0 R (section.2.2) 74 0 R (section.2.3) 78 0 R (section.2.4) 82 0 R (section.2.5) 86 0 R (section.3.1) 94 0 R (section.3.2) 106 0 R (section.3.3) 110 0 R (section.4.1) 134 0 R (section.4.2) 138 0 R (section.4.3) 146 0 R (section.4.4) 150 0 R (section.4.5) 158 0 R (section.4.6) 194 0 R (section.4.7) 198 0 R (section.4.8) 202 0 R (section.4.9) 218 0 R (section.5.1) 234 0 R (section.5.2) 238 0 R (section.6.1) 246 0 R (section.6.2) 274 0 R (section.6.3) 478 0 R (section.6.4) 530 0 R (section.7.1) 562 0 R (section.7.2) 566 0 R (section.7.3) 578 0 R (section.8.1) 586 0 R (section.8.2) 594 0 R (section.8.3) 598 0 R (section.A.1) 606 0 R (section.A.2) 614 0 R (section.A.3) 622 0 R (section.B.1) 642 0 R (section.B.10) 678 0 R (section.B.11) 682 0 R (section.B.12) 686 0 R (section.B.13) 690 0 R (section.B.2) 646 0 R (section.B.3) 650 0 R (section.B.4) 654 0 R (section.B.5) 658 0 R (section.B.6) 662 0 R (section.B.7) 666 0 R (section.B.8) 670 0 R (section.B.9) 674 0 R (server_resource_limits) 1331 0 R (server_statement_definition_and_usage) 1274 0 R (server_statement_grammar) 1387 0 R (statistics) 1552 0 R (statistics_counters) 1560 0 R (statschannels) 1385 0 R (statsfile) 1252 0 R (subsection.1.4.1) 26 0 R (subsection.1.4.2) 30 0 R (subsection.1.4.3) 34 0 R (subsection.1.4.4) 38 0 R (subsection.1.4.5) 54 0 R (subsection.1.4.6) 62 0 R (subsection.3.1.1) 98 0 R (subsection.3.1.2) 102 0 R (subsection.3.3.1) 114 0 R (subsection.3.3.2) 126 0 R (subsection.4.2.1) 142 0 R (subsection.4.4.1) 154 0 R (subsection.4.5.1) 162 0 R (subsection.4.5.2) 174 0 R (subsection.4.5.3) 178 0 R (subsection.4.5.4) 182 0 R (subsection.4.5.5) 186 0 R (subsection.4.5.6) 190 0 R (subsection.4.8.1) 206 0 R (subsection.4.8.2) 210 0 R (subsection.4.8.3) 214 0 R (subsection.4.9.1) 222 0 R (subsection.4.9.2) 226 0 R (subsection.6.1.1) 250 0 R (subsection.6.1.2) 262 0 R (subsection.6.2.1) 278 0 R (subsection.6.2.10) 314 0 R (subsection.6.2.11) 326 0 R (subsection.6.2.12) 330 0 R (subsection.6.2.13) 334 0 R (subsection.6.2.14) 338 0 R (subsection.6.2.15) 342 0 R (subsection.6.2.16) 346 0 R (subsection.6.2.17) 422 0 R (subsection.6.2.18) 426 0 R (subsection.6.2.19) 430 0 R (subsection.6.2.2) 282 0 R (subsection.6.2.20) 434 0 R (subsection.6.2.21) 438 0 R (subsection.6.2.22) 442 0 R (subsection.6.2.23) 446 0 R (subsection.6.2.24) 450 0 R (subsection.6.2.25) 454 0 R (subsection.6.2.26) 458 0 R (subsection.6.2.3) 286 0 R (subsection.6.2.4) 290 0 R (subsection.6.2.5) 294 0 R (subsection.6.2.6) 298 0 R (subsection.6.2.7) 302 0 R (subsection.6.2.8) 306 0 R (subsection.6.2.9) 310 0 R (subsection.6.3.1) 482 0 R (subsection.6.3.2) 494 0 R (subsection.6.3.3) 498 0 R (subsection.6.3.4) 502 0 R (subsection.6.3.5) 506 0 R (subsection.6.3.6) 522 0 R (subsection.6.3.7) 526 0 R (subsection.6.4.1) 538 0 R (subsection.7.2.1) 570 0 R (subsection.7.2.2) 574 0 R (subsection.8.1.1) 590 0 R (subsection.A.1.1) 610 0 R (subsection.A.2.1) 618 0 R (subsection.A.3.1) 626 0 R (subsection.A.3.2) 630 0 R (subsection.A.3.3) 634 0 R (subsubsection.1.4.4.1) 42 0 R (subsubsection.1.4.4.2) 46 0 R (subsubsection.1.4.4.3) 50 0 R (subsubsection.1.4.5.1) 58 0 R (subsubsection.3.3.1.1) 118 0 R (subsubsection.3.3.1.2) 122 0 R (subsubsection.4.5.1.1) 166 0 R (subsubsection.4.5.1.2) 170 0 R (subsubsection.6.1.1.1) 254 0 R (subsubsection.6.1.1.2) 258 0 R (subsubsection.6.1.2.1) 266 0 R (subsubsection.6.1.2.2) 270 0 R (subsubsection.6.2.10.1) 318 0 R (subsubsection.6.2.10.2) 322 0 R (subsubsection.6.2.16.1) 350 0 R (subsubsection.6.2.16.10) 386 0 R (subsubsection.6.2.16.11) 390 0 R (subsubsection.6.2.16.12) 394 0 R (subsubsection.6.2.16.13) 398 0 R (subsubsection.6.2.16.14) 402 0 R (subsubsection.6.2.16.15) 406 0 R (subsubsection.6.2.16.16) 410 0 R (subsubsection.6.2.16.17) 414 0 R (subsubsection.6.2.16.18) 418 0 R (subsubsection.6.2.16.2) 354 0 R (subsubsection.6.2.16.3) 358 0 R (subsubsection.6.2.16.4) 362 0 R (subsubsection.6.2.16.5) 366 0 R (subsubsection.6.2.16.6) 370 0 R (subsubsection.6.2.16.7) 374 0 R (subsubsection.6.2.16.8) 378 0 R (subsubsection.6.2.16.9) 382 0 R (subsubsection.6.2.26.1) 462 0 R (subsubsection.6.2.26.2) 466 0 R (subsubsection.6.2.26.3) 470 0 R (subsubsection.6.2.26.4) 474 0 R (subsubsection.6.3.1.1) 486 0 R (subsubsection.6.3.1.2) 490 0 R (subsubsection.6.3.5.1) 510 0 R (subsubsection.6.3.5.2) 514 0 R (subsubsection.6.3.5.3) 518 0 R (subsubsection.6.4.0.1) 534 0 R (subsubsection.6.4.1.1) 542 0 R (subsubsection.6.4.1.2) 546 0 R (subsubsection.6.4.1.3) 550 0 R (subsubsection.6.4.1.4) 554 0 R (table.1.1) 937 0 R (table.1.2) 947 0 R (table.3.1) 1006 0 R (table.3.2) 1038 0 R (table.6.1) 1146 0 R (table.6.10) 1498 0 R (table.6.11) 1509 0 R (table.6.12) 1516 0 R (table.6.13) 1518 0 R (table.6.14) 1525 0 R (table.6.15) 1528 0 R (table.6.16) 1531 0 R (table.6.17) 1546 0 R (table.6.18) 1554 0 R (table.6.19) 1563 0 R (table.6.2) 1170 0 R (table.6.20) 1570 0 R (table.6.21) 1577 0 R (table.6.3) 1178 0 R (table.6.4) 1217 0 R (table.6.5) 1262 0 R (table.6.6) 1353 0 R (table.6.7) 1422 0 R (table.6.8) 1486 0 R (table.6.9) 1496 0 R (the_category_phrase) 1211 0 R (the_sortlist_statement) 1343 0 R (topology) 1338 0 R (tsig) 1085 0 R (tuning) 1354 0 R (types_of_resource_records_and_when_to_use_them) 954 0 R (view_statement_grammar) 1371 0 R (zone_statement_grammar) 1292 0 R (zone_transfers) 1061 0 R (zonefile_format) 1370 0 R]
 /Limits [(Access_Control_Lists) (zonefile_format)]
 >> endobj
-1953 0 obj <<
-/Kids [1952 0 R]
+2116 0 obj <<
+/Kids [2115 0 R]
 >> endobj
-1954 0 obj <<
-/Dests 1953 0 R
+2117 0 obj <<
+/Dests 2116 0 R
 >> endobj
-1955 0 obj <<
+2118 0 obj <<
 /Type /Catalog
-/Pages 1950 0 R
-/Outlines 1951 0 R
-/Names 1954 0 R
+/Pages 2113 0 R
+/Outlines 2114 0 R
+/Names 2117 0 R
 /PageMode /UseOutlines 
-/OpenAction 649 0 R
+/OpenAction 693 0 R
 >> endobj
-1956 0 obj <<
+2119 0 obj <<
 /Author()/Title()/Subject()/Creator(LaTeX with hyperref package)/Producer(pdfeTeX-1.21a)/Keywords()
-/CreationDate (D:20081024041421Z)
+/CreationDate (D:20081116011130Z)
 /PTEX.Fullbanner (This is pdfeTeX, Version 3.141592-1.21a-2.2 (Web2C 7.5.4) kpathsea version 3.5.4)
 >> endobj
 xref
-0 1957
+0 2120
 0000000001 65535 f 
 0000000002 00000 f 
 0000000003 00000 f 
 0000000004 00000 f 
 0000000000 00000 f 
 0000000009 00000 n 
-0000066894 00000 n 
-0000671475 00000 n 
+0000070820 00000 n 
+0000731720 00000 n 
 0000000054 00000 n 
 0000000086 00000 n 
-0000067018 00000 n 
-0000671403 00000 n 
+0000070944 00000 n 
+0000731648 00000 n 
 0000000133 00000 n 
 0000000173 00000 n 
-0000067143 00000 n 
-0000671317 00000 n 
+0000071069 00000 n 
+0000731562 00000 n 
 0000000221 00000 n 
 0000000273 00000 n 
-0000067268 00000 n 
-0000671231 00000 n 
+0000071194 00000 n 
+0000731476 00000 n 
 0000000321 00000 n 
 0000000377 00000 n 
-0000071531 00000 n 
-0000671121 00000 n 
+0000075519 00000 n 
+0000731366 00000 n 
 0000000425 00000 n 
 0000000478 00000 n 
-0000071656 00000 n 
-0000671047 00000 n 
+0000075643 00000 n 
+0000731292 00000 n 
 0000000531 00000 n 
 0000000572 00000 n 
-0000071781 00000 n 
-0000670960 00000 n 
+0000075768 00000 n 
+0000731205 00000 n 
 0000000625 00000 n 
 0000000674 00000 n 
-0000071906 00000 n 
-0000670873 00000 n 
+0000075892 00000 n 
+0000731118 00000 n 
 0000000727 00000 n 
 0000000757 00000 n 
-0000076184 00000 n 
-0000670749 00000 n 
+0000080171 00000 n 
+0000730994 00000 n 
 0000000810 00000 n 
 0000000861 00000 n 
-0000076309 00000 n 
-0000670675 00000 n 
+0000080296 00000 n 
+0000730920 00000 n 
 0000000919 00000 n 
 0000000964 00000 n 
-0000076434 00000 n 
-0000670588 00000 n 
+0000080421 00000 n 
+0000730833 00000 n 
 0000001022 00000 n 
 0000001062 00000 n 
-0000076559 00000 n 
-0000670514 00000 n 
+0000080546 00000 n 
+0000730759 00000 n 
 0000001120 00000 n 
 0000001162 00000 n 
-0000079531 00000 n 
-0000670390 00000 n 
+0000083518 00000 n 
+0000730635 00000 n 
 0000001215 00000 n 
 0000001260 00000 n 
-0000079656 00000 n 
-0000670329 00000 n 
+0000083643 00000 n 
+0000730574 00000 n 
 0000001318 00000 n 
 0000001355 00000 n 
-0000079781 00000 n 
-0000670255 00000 n 
+0000083768 00000 n 
+0000730500 00000 n 
 0000001408 00000 n 
 0000001463 00000 n 
-0000082709 00000 n 
-0000670130 00000 n 
+0000086696 00000 n 
+0000730375 00000 n 
 0000001509 00000 n 
 0000001556 00000 n 
-0000082834 00000 n 
-0000670056 00000 n 
+0000086821 00000 n 
+0000730301 00000 n 
 0000001604 00000 n 
 0000001648 00000 n 
-0000082959 00000 n 
-0000669969 00000 n 
+0000086946 00000 n 
+0000730214 00000 n 
 0000001696 00000 n 
 0000001735 00000 n 
-0000083084 00000 n 
-0000669882 00000 n 
+0000087071 00000 n 
+0000730127 00000 n 
 0000001783 00000 n 
 0000001825 00000 n 
-0000083208 00000 n 
-0000669795 00000 n 
+0000087195 00000 n 
+0000730040 00000 n 
 0000001873 00000 n 
 0000001936 00000 n 
-0000084291 00000 n 
-0000669721 00000 n 
+0000088275 00000 n 
+0000729966 00000 n 
 0000001984 00000 n 
 0000002034 00000 n 
-0000086001 00000 n 
-0000669593 00000 n 
+0000089985 00000 n 
+0000729838 00000 n 
 0000002080 00000 n 
 0000002126 00000 n 
-0000086125 00000 n 
-0000669480 00000 n 
+0000090109 00000 n 
+0000729725 00000 n 
 0000002174 00000 n 
 0000002218 00000 n 
-0000086250 00000 n 
-0000669404 00000 n 
+0000090234 00000 n 
+0000729649 00000 n 
 0000002271 00000 n 
 0000002323 00000 n 
-0000086375 00000 n 
-0000669327 00000 n 
+0000090359 00000 n 
+0000729572 00000 n 
 0000002377 00000 n 
 0000002436 00000 n 
-0000088903 00000 n 
-0000669236 00000 n 
+0000092896 00000 n 
+0000729481 00000 n 
 0000002485 00000 n 
 0000002523 00000 n 
-0000089155 00000 n 
-0000669119 00000 n 
+0000093155 00000 n 
+0000729364 00000 n 
 0000002572 00000 n 
 0000002618 00000 n 
-0000089281 00000 n 
-0000669001 00000 n 
+0000093284 00000 n 
+0000729246 00000 n 
 0000002672 00000 n 
 0000002739 00000 n 
-0000092488 00000 n 
-0000668922 00000 n 
+0000096500 00000 n 
+0000729167 00000 n 
 0000002798 00000 n 
 0000002842 00000 n 
-0000092614 00000 n 
-0000668843 00000 n 
+0000096628 00000 n 
+0000729088 00000 n 
 0000002901 00000 n 
 0000002949 00000 n 
-0000102943 00000 n 
-0000668764 00000 n 
+0000107160 00000 n 
+0000729009 00000 n 
 0000003003 00000 n 
 0000003036 00000 n 
-0000107874 00000 n 
-0000668632 00000 n 
+0000112147 00000 n 
+0000728877 00000 n 
 0000003083 00000 n 
 0000003126 00000 n 
-0000108000 00000 n 
-0000668553 00000 n 
+0000112276 00000 n 
+0000728798 00000 n 
 0000003175 00000 n 
 0000003205 00000 n 
-0000108126 00000 n 
-0000668421 00000 n 
+0000112405 00000 n 
+0000728666 00000 n 
 0000003254 00000 n 
 0000003292 00000 n 
-0000108252 00000 n 
-0000668356 00000 n 
+0000112534 00000 n 
+0000728601 00000 n 
 0000003346 00000 n 
 0000003388 00000 n 
-0000112543 00000 n 
-0000668263 00000 n 
+0000116796 00000 n 
+0000728508 00000 n 
 0000003437 00000 n 
 0000003496 00000 n 
-0000112670 00000 n 
-0000668131 00000 n 
+0000116925 00000 n 
+0000728376 00000 n 
 0000003545 00000 n 
 0000003578 00000 n 
-0000112799 00000 n 
-0000668066 00000 n 
+0000117054 00000 n 
+0000728311 00000 n 
 0000003632 00000 n 
 0000003681 00000 n 
-0000120171 00000 n 
-0000667934 00000 n 
+0000124364 00000 n 
+0000728179 00000 n 
 0000003730 00000 n 
 0000003758 00000 n 
-0000120298 00000 n 
-0000667816 00000 n 
+0000124493 00000 n 
+0000728061 00000 n 
 0000003812 00000 n 
 0000003881 00000 n 
-0000120427 00000 n 
-0000667737 00000 n 
+0000124622 00000 n 
+0000727982 00000 n 
 0000003940 00000 n 
 0000003988 00000 n 
-0000123302 00000 n 
-0000667658 00000 n 
+0000127456 00000 n 
+0000727903 00000 n 
 0000004047 00000 n 
 0000004092 00000 n 
-0000123431 00000 n 
-0000667565 00000 n 
+0000127585 00000 n 
+0000727810 00000 n 
 0000004146 00000 n 
 0000004214 00000 n 
-0000123560 00000 n 
-0000667472 00000 n 
+0000127714 00000 n 
+0000727717 00000 n 
 0000004268 00000 n 
 0000004338 00000 n 
-0000123689 00000 n 
-0000667379 00000 n 
+0000127843 00000 n 
+0000727624 00000 n 
 0000004392 00000 n 
 0000004455 00000 n 
-0000123817 00000 n 
-0000667286 00000 n 
+0000131746 00000 n 
+0000727531 00000 n 
 0000004509 00000 n 
 0000004564 00000 n 
-0000127463 00000 n 
-0000667207 00000 n 
+0000131875 00000 n 
+0000727452 00000 n 
 0000004618 00000 n 
 0000004650 00000 n 
-0000127592 00000 n 
-0000667114 00000 n 
+0000132004 00000 n 
+0000727359 00000 n 
 0000004699 00000 n 
 0000004727 00000 n 
-0000127721 00000 n 
-0000667021 00000 n 
+0000132133 00000 n 
+0000727266 00000 n 
 0000004776 00000 n 
 0000004808 00000 n 
-0000131327 00000 n 
-0000666889 00000 n 
+0000135910 00000 n 
+0000727134 00000 n 
 0000004857 00000 n 
 0000004887 00000 n 
-0000131456 00000 n 
-0000666810 00000 n 
+0000136039 00000 n 
+0000727055 00000 n 
 0000004941 00000 n 
 0000004982 00000 n 
-0000131584 00000 n 
-0000666717 00000 n 
+0000136168 00000 n 
+0000726962 00000 n 
 0000005036 00000 n 
 0000005078 00000 n 
-0000135026 00000 n 
-0000666638 00000 n 
+0000139609 00000 n 
+0000726883 00000 n 
 0000005132 00000 n 
 0000005177 00000 n 
-0000138100 00000 n 
-0000666520 00000 n 
+0000142684 00000 n 
+0000726765 00000 n 
 0000005226 00000 n 
 0000005272 00000 n 
-0000138229 00000 n 
-0000666441 00000 n 
+0000142813 00000 n 
+0000726686 00000 n 
 0000005326 00000 n 
 0000005386 00000 n 
-0000138357 00000 n 
-0000666362 00000 n 
+0000142941 00000 n 
+0000726607 00000 n 
 0000005440 00000 n 
 0000005509 00000 n 
-0000140837 00000 n 
-0000666229 00000 n 
+0000145423 00000 n 
+0000726474 00000 n 
 0000005556 00000 n 
 0000005609 00000 n 
-0000140966 00000 n 
-0000666150 00000 n 
+0000145552 00000 n 
+0000726395 00000 n 
 0000005658 00000 n 
 0000005714 00000 n 
-0000141095 00000 n 
-0000666071 00000 n 
+0000145681 00000 n 
+0000726316 00000 n 
 0000005763 00000 n 
 0000005812 00000 n 
-0000145279 00000 n 
-0000665938 00000 n 
+0000149865 00000 n 
+0000726183 00000 n 
 0000005859 00000 n 
 0000005911 00000 n 
-0000145408 00000 n 
-0000665820 00000 n 
+0000149994 00000 n 
+0000726065 00000 n 
 0000005960 00000 n 
 0000006011 00000 n 
-0000150015 00000 n 
-0000665702 00000 n 
+0000154684 00000 n 
+0000725947 00000 n 
 0000006065 00000 n 
 0000006110 00000 n 
-0000150142 00000 n 
-0000665623 00000 n 
+0000154812 00000 n 
+0000725868 00000 n 
 0000006169 00000 n 
 0000006203 00000 n 
-0000153580 00000 n 
-0000665544 00000 n 
+0000158401 00000 n 
+0000725789 00000 n 
 0000006262 00000 n 
 0000006310 00000 n 
-0000153709 00000 n 
-0000665426 00000 n 
+0000158529 00000 n 
+0000725671 00000 n 
 0000006364 00000 n 
 0000006404 00000 n 
-0000153838 00000 n 
-0000665347 00000 n 
+0000158658 00000 n 
+0000725592 00000 n 
 0000006463 00000 n 
 0000006497 00000 n 
-0000153967 00000 n 
-0000665268 00000 n 
+0000162385 00000 n 
+0000725513 00000 n 
 0000006556 00000 n 
 0000006604 00000 n 
-0000157817 00000 n 
-0000665135 00000 n 
+0000162514 00000 n 
+0000725380 00000 n 
 0000006653 00000 n 
 0000006703 00000 n 
-0000160916 00000 n 
-0000665056 00000 n 
+0000165534 00000 n 
+0000725301 00000 n 
 0000006757 00000 n 
 0000006804 00000 n 
-0000161044 00000 n 
-0000664963 00000 n 
+0000165662 00000 n 
+0000725208 00000 n 
 0000006858 00000 n 
 0000006918 00000 n 
-0000161303 00000 n 
-0000664870 00000 n 
+0000165920 00000 n 
+0000725115 00000 n 
 0000006972 00000 n 
 0000007024 00000 n 
-0000161432 00000 n 
-0000664777 00000 n 
+0000171027 00000 n 
+0000725022 00000 n 
 0000007078 00000 n 
 0000007143 00000 n 
-0000166331 00000 n 
-0000664684 00000 n 
+0000171156 00000 n 
+0000724929 00000 n 
 0000007197 00000 n 
 0000007248 00000 n 
-0000166460 00000 n 
-0000664591 00000 n 
+0000174630 00000 n 
+0000724836 00000 n 
 0000007302 00000 n 
 0000007366 00000 n 
-0000166589 00000 n 
-0000664498 00000 n 
+0000174759 00000 n 
+0000724743 00000 n 
 0000007420 00000 n 
 0000007467 00000 n 
-0000170354 00000 n 
-0000664405 00000 n 
+0000174888 00000 n 
+0000724650 00000 n 
 0000007521 00000 n 
 0000007581 00000 n 
-0000170483 00000 n 
-0000664312 00000 n 
+0000175017 00000 n 
+0000724557 00000 n 
 0000007635 00000 n 
 0000007686 00000 n 
-0000170612 00000 n 
-0000664180 00000 n 
+0000179033 00000 n 
+0000724425 00000 n 
 0000007741 00000 n 
 0000007806 00000 n 
-0000175144 00000 n 
-0000664101 00000 n 
+0000179162 00000 n 
+0000724346 00000 n 
 0000007866 00000 n 
 0000007913 00000 n 
-0000181571 00000 n 
-0000664022 00000 n 
+0000185987 00000 n 
+0000724267 00000 n 
 0000007973 00000 n 
 0000008021 00000 n 
-0000185205 00000 n 
-0000663929 00000 n 
+0000192355 00000 n 
+0000724174 00000 n 
 0000008076 00000 n 
 0000008126 00000 n 
-0000185334 00000 n 
-0000663836 00000 n 
+0000192484 00000 n 
+0000724081 00000 n 
 0000008181 00000 n 
 0000008244 00000 n 
-0000187219 00000 n 
-0000663743 00000 n 
+0000192612 00000 n 
+0000723988 00000 n 
 0000008299 00000 n 
 0000008351 00000 n 
-0000187348 00000 n 
-0000663650 00000 n 
+0000192740 00000 n 
+0000723895 00000 n 
 0000008406 00000 n 
 0000008471 00000 n 
-0000187477 00000 n 
-0000663557 00000 n 
+0000192869 00000 n 
+0000723802 00000 n 
 0000008526 00000 n 
 0000008578 00000 n 
-0000190809 00000 n 
-0000663424 00000 n 
+0000198137 00000 n 
+0000723669 00000 n 
 0000008633 00000 n 
 0000008698 00000 n 
-0000198905 00000 n 
-0000663345 00000 n 
+0000206589 00000 n 
+0000723590 00000 n 
 0000008758 00000 n 
 0000008802 00000 n 
-0000220055 00000 n 
-0000663252 00000 n 
+0000227810 00000 n 
+0000723497 00000 n 
 0000008862 00000 n 
 0000008901 00000 n 
-0000220184 00000 n 
-0000663159 00000 n 
+0000227938 00000 n 
+0000723404 00000 n 
 0000008961 00000 n 
 0000009008 00000 n 
-0000220313 00000 n 
-0000663066 00000 n 
+0000228067 00000 n 
+0000723311 00000 n 
 0000009068 00000 n 
 0000009111 00000 n 
-0000224587 00000 n 
-0000662973 00000 n 
+0000235196 00000 n 
+0000723218 00000 n 
 0000009171 00000 n 
 0000009210 00000 n 
-0000228114 00000 n 
-0000662880 00000 n 
+0000235325 00000 n 
+0000723125 00000 n 
 0000009270 00000 n 
 0000009312 00000 n 
-0000231064 00000 n 
-0000662787 00000 n 
+0000242275 00000 n 
+0000723032 00000 n 
 0000009372 00000 n 
 0000009415 00000 n 
-0000238656 00000 n 
-0000662694 00000 n 
+0000250260 00000 n 
+0000722939 00000 n 
 0000009475 00000 n 
 0000009518 00000 n 
-0000242961 00000 n 
-0000662601 00000 n 
+0000250389 00000 n 
+0000722846 00000 n 
 0000009578 00000 n 
 0000009639 00000 n 
-0000243090 00000 n 
-0000662508 00000 n 
+0000254380 00000 n 
+0000722753 00000 n 
 0000009700 00000 n 
 0000009752 00000 n 
-0000246876 00000 n 
-0000662415 00000 n 
+0000257620 00000 n 
+0000722660 00000 n 
 0000009813 00000 n 
 0000009866 00000 n 
-0000247005 00000 n 
-0000662322 00000 n 
+0000257749 00000 n 
+0000722567 00000 n 
 0000009927 00000 n 
 0000009965 00000 n 
-0000251036 00000 n 
-0000662229 00000 n 
+0000261821 00000 n 
+0000722474 00000 n 
 0000010026 00000 n 
 0000010078 00000 n 
-0000254054 00000 n 
-0000662136 00000 n 
+0000265032 00000 n 
+0000722381 00000 n 
 0000010139 00000 n 
 0000010183 00000 n 
-0000258009 00000 n 
-0000662043 00000 n 
+0000265290 00000 n 
+0000722288 00000 n 
 0000010244 00000 n 
 0000010280 00000 n 
-0000262835 00000 n 
-0000661950 00000 n 
+0000274081 00000 n 
+0000722195 00000 n 
 0000010341 00000 n 
 0000010404 00000 n 
-0000266161 00000 n 
-0000661857 00000 n 
+0000277408 00000 n 
+0000722102 00000 n 
 0000010465 00000 n 
 0000010515 00000 n 
-0000269322 00000 n 
-0000661764 00000 n 
+0000281163 00000 n 
+0000722023 00000 n 
 0000010576 00000 n 
-0000010625 00000 n 
-0000273049 00000 n 
-0000661685 00000 n 
-0000010686 00000 n 
-0000010742 00000 n 
-0000273177 00000 n 
-0000661592 00000 n 
-0000010797 00000 n 
-0000010848 00000 n 
-0000277701 00000 n 
-0000661499 00000 n 
-0000010903 00000 n 
-0000010967 00000 n 
-0000281213 00000 n 
-0000661406 00000 n 
-0000011022 00000 n 
-0000011079 00000 n 
-0000281342 00000 n 
-0000661313 00000 n 
-0000011134 00000 n 
-0000011204 00000 n 
-0000281471 00000 n 
-0000661220 00000 n 
-0000011259 00000 n 
-0000011308 00000 n 
-0000281600 00000 n 
-0000661127 00000 n 
-0000011363 00000 n 
-0000011425 00000 n 
-0000286259 00000 n 
-0000661034 00000 n 
-0000011480 00000 n 
-0000011529 00000 n 
-0000290062 00000 n 
-0000660916 00000 n 
-0000011584 00000 n 
-0000011646 00000 n 
-0000290191 00000 n 
-0000660837 00000 n 
-0000011706 00000 n 
-0000011745 00000 n 
-0000294250 00000 n 
-0000660744 00000 n 
-0000011805 00000 n 
-0000011839 00000 n 
-0000299864 00000 n 
-0000660651 00000 n 
-0000011899 00000 n 
-0000011940 00000 n 
-0000310269 00000 n 
-0000660572 00000 n 
-0000012000 00000 n 
-0000012052 00000 n 
-0000314360 00000 n 
-0000660454 00000 n 
-0000012101 00000 n 
-0000012134 00000 n 
-0000314488 00000 n 
-0000660336 00000 n 
-0000012188 00000 n 
-0000012260 00000 n 
-0000314616 00000 n 
-0000660257 00000 n 
-0000012319 00000 n 
-0000012363 00000 n 
-0000325410 00000 n 
-0000660178 00000 n 
-0000012422 00000 n 
-0000012475 00000 n 
-0000325798 00000 n 
-0000660085 00000 n 
-0000012529 00000 n 
-0000012579 00000 n 
-0000329220 00000 n 
-0000659992 00000 n 
-0000012633 00000 n 
-0000012671 00000 n 
-0000329479 00000 n 
-0000659899 00000 n 
-0000012725 00000 n 
+0000010632 00000 n 
+0000284537 00000 n 
+0000721930 00000 n 
+0000010687 00000 n 
+0000010751 00000 n 
+0000284666 00000 n 
+0000721837 00000 n 
+0000010806 00000 n 
+0000010883 00000 n 
+0000284794 00000 n 
+0000721744 00000 n 
+0000010938 00000 n 
+0000010989 00000 n 
+0000289362 00000 n 
+0000721651 00000 n 
+0000011044 00000 n 
+0000011108 00000 n 
+0000292729 00000 n 
+0000721558 00000 n 
+0000011163 00000 n 
+0000011220 00000 n 
+0000292857 00000 n 
+0000721465 00000 n 
+0000011275 00000 n 
+0000011345 00000 n 
+0000292986 00000 n 
+0000721372 00000 n 
+0000011400 00000 n 
+0000011449 00000 n 
+0000293115 00000 n 
+0000721279 00000 n 
+0000011504 00000 n 
+0000011566 00000 n 
+0000297818 00000 n 
+0000721186 00000 n 
+0000011621 00000 n 
+0000011670 00000 n 
+0000301909 00000 n 
+0000721068 00000 n 
+0000011725 00000 n 
+0000011787 00000 n 
+0000302038 00000 n 
+0000720989 00000 n 
+0000011847 00000 n 
+0000011886 00000 n 
+0000306096 00000 n 
+0000720896 00000 n 
+0000011946 00000 n 
+0000011980 00000 n 
+0000311992 00000 n 
+0000720803 00000 n 
+0000012040 00000 n 
+0000012081 00000 n 
+0000323134 00000 n 
+0000720724 00000 n 
+0000012141 00000 n 
+0000012193 00000 n 
+0000330383 00000 n 
+0000720592 00000 n 
+0000012242 00000 n 
+0000012275 00000 n 
+0000330512 00000 n 
+0000720474 00000 n 
+0000012329 00000 n 
+0000012401 00000 n 
+0000330640 00000 n 
+0000720395 00000 n 
+0000012460 00000 n 
+0000012504 00000 n 
+0000341427 00000 n 
+0000720316 00000 n 
+0000012563 00000 n 
+0000012616 00000 n 
+0000341814 00000 n 
+0000720223 00000 n 
+0000012670 00000 n 
+0000012720 00000 n 
+0000345189 00000 n 
+0000720130 00000 n 
 0000012774 00000 n 
-0000332384 00000 n 
-0000659767 00000 n 
-0000012828 00000 n 
-0000012880 00000 n 
-0000332512 00000 n 
-0000659688 00000 n 
-0000012939 00000 n 
-0000012991 00000 n 
-0000332641 00000 n 
-0000659595 00000 n 
-0000013050 00000 n 
-0000013103 00000 n 
-0000332769 00000 n 
-0000659516 00000 n 
-0000013162 00000 n 
-0000013211 00000 n 
-0000332898 00000 n 
-0000659423 00000 n 
-0000013265 00000 n 
-0000013345 00000 n 
-0000336811 00000 n 
-0000659344 00000 n 
-0000013399 00000 n 
-0000013448 00000 n 
-0000340557 00000 n 
-0000659211 00000 n 
-0000013495 00000 n 
-0000013547 00000 n 
-0000340686 00000 n 
-0000659132 00000 n 
-0000013596 00000 n 
-0000013640 00000 n 
-0000344779 00000 n 
-0000659000 00000 n 
-0000013689 00000 n 
-0000013730 00000 n 
-0000344908 00000 n 
-0000658921 00000 n 
+0000012812 00000 n 
+0000345448 00000 n 
+0000720037 00000 n 
+0000012866 00000 n 
+0000012915 00000 n 
+0000348312 00000 n 
+0000719905 00000 n 
+0000012969 00000 n 
+0000013021 00000 n 
+0000348440 00000 n 
+0000719826 00000 n 
+0000013080 00000 n 
+0000013132 00000 n 
+0000348569 00000 n 
+0000719733 00000 n 
+0000013191 00000 n 
+0000013244 00000 n 
+0000348698 00000 n 
+0000719654 00000 n 
+0000013303 00000 n 
+0000013352 00000 n 
+0000352344 00000 n 
+0000719561 00000 n 
+0000013406 00000 n 
+0000013486 00000 n 
+0000356394 00000 n 
+0000719482 00000 n 
+0000013540 00000 n 
+0000013589 00000 n 
+0000356523 00000 n 
+0000719364 00000 n 
+0000013638 00000 n 
+0000013678 00000 n 
+0000359826 00000 n 
+0000719285 00000 n 
+0000013737 00000 n 
 0000013784 00000 n 
-0000013832 00000 n 
-0000345037 00000 n 
-0000658842 00000 n 
-0000013886 00000 n 
-0000013937 00000 n 
-0000345166 00000 n 
-0000658763 00000 n 
-0000013986 00000 n 
-0000014033 00000 n 
-0000349429 00000 n 
-0000658630 00000 n 
-0000014080 00000 n 
-0000014117 00000 n 
-0000349558 00000 n 
-0000658512 00000 n 
-0000014166 00000 n 
-0000014205 00000 n 
-0000349687 00000 n 
-0000658447 00000 n 
-0000014259 00000 n 
-0000014337 00000 n 
-0000349816 00000 n 
-0000658354 00000 n 
-0000014386 00000 n 
-0000014453 00000 n 
-0000349945 00000 n 
-0000658275 00000 n 
-0000014502 00000 n 
-0000014547 00000 n 
-0000353384 00000 n 
-0000658142 00000 n 
-0000014595 00000 n 
-0000014627 00000 n 
-0000353513 00000 n 
-0000658024 00000 n 
-0000014676 00000 n 
-0000014715 00000 n 
-0000353642 00000 n 
-0000657959 00000 n 
-0000014769 00000 n 
-0000014830 00000 n 
-0000357407 00000 n 
-0000657827 00000 n 
-0000014879 00000 n 
-0000014936 00000 n 
-0000357536 00000 n 
-0000657762 00000 n 
-0000014990 00000 n 
-0000015039 00000 n 
-0000357665 00000 n 
-0000657644 00000 n 
-0000015088 00000 n 
-0000015150 00000 n 
-0000357794 00000 n 
-0000657565 00000 n 
-0000015204 00000 n 
-0000015259 00000 n 
-0000381817 00000 n 
-0000657472 00000 n 
-0000015313 00000 n 
-0000015354 00000 n 
-0000381946 00000 n 
-0000657393 00000 n 
-0000015408 00000 n 
-0000015460 00000 n 
-0000384676 00000 n 
-0000657273 00000 n 
-0000015508 00000 n 
-0000015542 00000 n 
-0000384805 00000 n 
-0000657194 00000 n 
-0000015591 00000 n 
-0000015618 00000 n 
-0000402812 00000 n 
-0000657101 00000 n 
-0000015667 00000 n 
-0000015695 00000 n 
-0000410349 00000 n 
-0000657008 00000 n 
-0000015744 00000 n 
-0000015781 00000 n 
-0000416667 00000 n 
-0000656915 00000 n 
-0000015830 00000 n 
-0000015869 00000 n 
-0000426187 00000 n 
-0000656822 00000 n 
-0000015918 00000 n 
-0000015957 00000 n 
-0000429074 00000 n 
-0000656729 00000 n 
-0000016006 00000 n 
-0000016045 00000 n 
-0000435466 00000 n 
-0000656636 00000 n 
-0000016094 00000 n 
-0000016123 00000 n 
-0000444851 00000 n 
-0000656543 00000 n 
-0000016172 00000 n 
-0000016200 00000 n 
-0000448491 00000 n 
-0000656450 00000 n 
-0000016249 00000 n 
-0000016282 00000 n 
-0000457889 00000 n 
-0000656371 00000 n 
-0000016332 00000 n 
-0000016369 00000 n 
-0000016738 00000 n 
-0000016860 00000 n 
-0000024689 00000 n 
-0000016422 00000 n 
-0000024563 00000 n 
-0000024626 00000 n 
-0000652234 00000 n 
-0000626291 00000 n 
-0000652060 00000 n 
-0000653259 00000 n 
-0000019723 00000 n 
-0000019940 00000 n 
-0000020009 00000 n 
-0000020078 00000 n 
-0000020146 00000 n 
-0000020214 00000 n 
-0000020263 00000 n 
-0000020310 00000 n 
-0000020643 00000 n 
-0000020665 00000 n 
-0000020833 00000 n 
-0000020998 00000 n 
-0000021167 00000 n 
-0000021346 00000 n 
-0000021655 00000 n 
-0000021815 00000 n 
-0000026053 00000 n 
-0000025868 00000 n 
-0000024789 00000 n 
-0000025990 00000 n 
-0000625079 00000 n 
-0000598600 00000 n 
-0000624905 00000 n 
-0000597915 00000 n 
-0000595770 00000 n 
-0000597751 00000 n 
-0000037759 00000 n 
-0000029109 00000 n 
-0000026138 00000 n 
-0000037633 00000 n 
-0000037696 00000 n 
-0000029643 00000 n 
-0000029797 00000 n 
-0000029954 00000 n 
-0000030111 00000 n 
-0000030267 00000 n 
-0000030424 00000 n 
-0000030586 00000 n 
-0000030747 00000 n 
-0000030908 00000 n 
-0000031070 00000 n 
-0000031237 00000 n 
-0000031404 00000 n 
-0000031569 00000 n 
-0000031731 00000 n 
-0000031897 00000 n 
-0000032058 00000 n 
-0000032213 00000 n 
-0000032370 00000 n 
-0000032526 00000 n 
-0000032683 00000 n 
-0000032840 00000 n 
-0000032997 00000 n 
-0000033151 00000 n 
-0000033307 00000 n 
-0000033469 00000 n 
-0000033631 00000 n 
-0000033787 00000 n 
-0000033944 00000 n 
-0000034106 00000 n 
-0000034273 00000 n 
-0000034439 00000 n 
-0000034600 00000 n 
-0000034755 00000 n 
-0000034912 00000 n 
-0000035069 00000 n 
-0000035231 00000 n 
-0000035388 00000 n 
-0000035545 00000 n 
-0000035707 00000 n 
-0000035864 00000 n 
-0000036026 00000 n 
-0000036193 00000 n 
-0000036359 00000 n 
-0000036521 00000 n 
-0000036683 00000 n 
-0000036845 00000 n 
-0000037006 00000 n 
-0000037168 00000 n 
-0000037323 00000 n 
-0000037478 00000 n 
-0000051124 00000 n 
-0000041076 00000 n 
-0000037844 00000 n 
-0000051061 00000 n 
-0000595219 00000 n 
-0000578138 00000 n 
-0000595035 00000 n 
-0000041666 00000 n 
-0000041829 00000 n 
-0000041991 00000 n 
-0000042154 00000 n 
-0000042312 00000 n 
-0000042475 00000 n 
-0000042638 00000 n 
-0000042793 00000 n 
-0000042951 00000 n 
-0000043109 00000 n 
-0000043265 00000 n 
-0000043423 00000 n 
-0000043586 00000 n 
-0000043754 00000 n 
-0000043922 00000 n 
-0000044085 00000 n 
-0000044253 00000 n 
-0000044421 00000 n 
-0000044579 00000 n 
-0000044742 00000 n 
-0000044905 00000 n 
-0000045067 00000 n 
-0000045229 00000 n 
-0000045392 00000 n 
-0000045554 00000 n 
-0000045716 00000 n 
-0000045879 00000 n 
-0000046042 00000 n 
-0000046205 00000 n 
-0000046374 00000 n 
-0000046543 00000 n 
-0000046707 00000 n 
-0000046870 00000 n 
-0000047034 00000 n 
-0000047198 00000 n 
-0000047361 00000 n 
-0000047525 00000 n 
-0000047694 00000 n 
-0000047862 00000 n 
-0000048031 00000 n 
-0000048200 00000 n 
-0000048369 00000 n 
-0000048538 00000 n 
-0000048707 00000 n 
-0000048876 00000 n 
-0000049045 00000 n 
-0000049215 00000 n 
-0000049385 00000 n 
-0000049555 00000 n 
-0000049724 00000 n 
-0000049894 00000 n 
-0000050064 00000 n 
-0000050232 00000 n 
-0000050401 00000 n 
-0000050571 00000 n 
-0000050738 00000 n 
-0000050899 00000 n 
-0000063946 00000 n 
-0000054652 00000 n 
-0000051222 00000 n 
-0000063883 00000 n 
-0000055218 00000 n 
-0000055381 00000 n 
-0000055544 00000 n 
-0000055707 00000 n 
-0000055870 00000 n 
-0000056032 00000 n 
-0000056195 00000 n 
-0000056363 00000 n 
-0000056531 00000 n 
-0000056699 00000 n 
-0000056867 00000 n 
-0000057023 00000 n 
-0000057185 00000 n 
-0000057352 00000 n 
-0000057519 00000 n 
-0000057681 00000 n 
-0000057843 00000 n 
-0000058005 00000 n 
-0000058167 00000 n 
-0000058334 00000 n 
-0000058501 00000 n 
-0000058667 00000 n 
-0000058829 00000 n 
-0000058991 00000 n 
-0000059146 00000 n 
+0000359955 00000 n 
+0000719167 00000 n 
+0000013838 00000 n 
+0000013883 00000 n 
+0000360084 00000 n 
+0000719088 00000 n 
+0000013942 00000 n 
+0000014001 00000 n 
+0000363183 00000 n 
+0000718995 00000 n 
+0000014060 00000 n 
+0000014124 00000 n 
+0000363442 00000 n 
+0000718902 00000 n 
+0000014183 00000 n 
+0000014239 00000 n 
+0000366164 00000 n 
+0000718823 00000 n 
+0000014298 00000 n 
+0000014360 00000 n 
+0000368398 00000 n 
+0000718690 00000 n 
+0000014407 00000 n 
+0000014459 00000 n 
+0000368527 00000 n 
+0000718611 00000 n 
+0000014508 00000 n 
+0000014552 00000 n 
+0000372713 00000 n 
+0000718479 00000 n 
+0000014601 00000 n 
+0000014642 00000 n 
+0000372842 00000 n 
+0000718400 00000 n 
+0000014696 00000 n 
+0000014744 00000 n 
+0000372970 00000 n 
+0000718321 00000 n 
+0000014798 00000 n 
+0000014849 00000 n 
+0000373099 00000 n 
+0000718242 00000 n 
+0000014898 00000 n 
+0000014945 00000 n 
+0000377366 00000 n 
+0000718109 00000 n 
+0000014992 00000 n 
+0000015029 00000 n 
+0000377495 00000 n 
+0000717991 00000 n 
+0000015078 00000 n 
+0000015117 00000 n 
+0000377624 00000 n 
+0000717926 00000 n 
+0000015171 00000 n 
+0000015249 00000 n 
+0000377753 00000 n 
+0000717833 00000 n 
+0000015298 00000 n 
+0000015365 00000 n 
+0000377882 00000 n 
+0000717754 00000 n 
+0000015414 00000 n 
+0000015459 00000 n 
+0000381321 00000 n 
+0000717621 00000 n 
+0000015507 00000 n 
+0000015539 00000 n 
+0000381450 00000 n 
+0000717503 00000 n 
+0000015588 00000 n 
+0000015627 00000 n 
+0000381579 00000 n 
+0000717438 00000 n 
+0000015681 00000 n 
+0000015742 00000 n 
+0000385344 00000 n 
+0000717306 00000 n 
+0000015791 00000 n 
+0000015848 00000 n 
+0000385473 00000 n 
+0000717241 00000 n 
+0000015902 00000 n 
+0000015951 00000 n 
+0000385602 00000 n 
+0000717123 00000 n 
+0000016000 00000 n 
+0000016062 00000 n 
+0000385731 00000 n 
+0000717044 00000 n 
+0000016116 00000 n 
+0000016171 00000 n 
+0000409752 00000 n 
+0000716951 00000 n 
+0000016225 00000 n 
+0000016266 00000 n 
+0000409881 00000 n 
+0000716872 00000 n 
+0000016320 00000 n 
+0000016372 00000 n 
+0000412612 00000 n 
+0000716752 00000 n 
+0000016420 00000 n 
+0000016454 00000 n 
+0000412741 00000 n 
+0000716673 00000 n 
+0000016503 00000 n 
+0000016530 00000 n 
+0000430434 00000 n 
+0000716580 00000 n 
+0000016579 00000 n 
+0000016607 00000 n 
+0000437928 00000 n 
+0000716487 00000 n 
+0000016656 00000 n 
+0000016696 00000 n 
+0000440723 00000 n 
+0000716394 00000 n 
+0000016745 00000 n 
+0000016788 00000 n 
+0000446647 00000 n 
+0000716301 00000 n 
+0000016837 00000 n 
+0000016874 00000 n 
+0000453150 00000 n 
+0000716208 00000 n 
+0000016923 00000 n 
+0000016962 00000 n 
+0000462862 00000 n 
+0000716115 00000 n 
+0000017011 00000 n 
+0000017050 00000 n 
+0000465578 00000 n 
+0000716022 00000 n 
+0000017099 00000 n 
+0000017138 00000 n 
+0000475305 00000 n 
+0000715929 00000 n 
+0000017187 00000 n 
+0000017216 00000 n 
+0000481121 00000 n 
+0000715836 00000 n 
+0000017266 00000 n 
+0000017299 00000 n 
+0000495077 00000 n 
+0000715743 00000 n 
+0000017349 00000 n 
+0000017378 00000 n 
+0000498576 00000 n 
+0000715650 00000 n 
+0000017428 00000 n 
+0000017462 00000 n 
+0000504687 00000 n 
+0000715571 00000 n 
+0000017512 00000 n 
+0000017549 00000 n 
+0000017918 00000 n 
+0000018040 00000 n 
+0000025869 00000 n 
+0000017602 00000 n 
+0000025743 00000 n 
+0000025806 00000 n 
+0000711071 00000 n 
+0000685128 00000 n 
+0000710897 00000 n 
+0000712096 00000 n 
+0000020903 00000 n 
+0000021120 00000 n 
+0000021189 00000 n 
+0000021258 00000 n 
+0000021326 00000 n 
+0000021394 00000 n 
+0000021443 00000 n 
+0000021490 00000 n 
+0000021823 00000 n 
+0000021845 00000 n 
+0000022013 00000 n 
+0000022178 00000 n 
+0000022347 00000 n 
+0000022526 00000 n 
+0000022835 00000 n 
+0000022995 00000 n 
+0000027233 00000 n 
+0000027048 00000 n 
+0000025969 00000 n 
+0000027170 00000 n 
+0000683907 00000 n 
+0000657386 00000 n 
+0000683733 00000 n 
+0000656701 00000 n 
+0000654557 00000 n 
+0000656537 00000 n 
+0000038940 00000 n 
+0000030289 00000 n 
+0000027318 00000 n 
+0000038814 00000 n 
+0000038877 00000 n 
+0000030823 00000 n 
+0000030977 00000 n 
+0000031134 00000 n 
+0000031291 00000 n 
+0000031447 00000 n 
+0000031604 00000 n 
+0000031766 00000 n 
+0000031927 00000 n 
+0000032088 00000 n 
+0000032250 00000 n 
+0000032417 00000 n 
+0000032584 00000 n 
+0000032749 00000 n 
+0000032911 00000 n 
+0000033077 00000 n 
+0000033238 00000 n 
+0000033393 00000 n 
+0000033550 00000 n 
+0000033706 00000 n 
+0000033863 00000 n 
+0000034020 00000 n 
+0000034177 00000 n 
+0000034331 00000 n 
+0000034487 00000 n 
+0000034649 00000 n 
+0000034811 00000 n 
+0000034967 00000 n 
+0000035124 00000 n 
+0000035286 00000 n 
+0000035453 00000 n 
+0000035619 00000 n 
+0000035780 00000 n 
+0000035935 00000 n 
+0000036092 00000 n 
+0000036249 00000 n 
+0000036411 00000 n 
+0000036568 00000 n 
+0000036725 00000 n 
+0000036887 00000 n 
+0000037044 00000 n 
+0000037206 00000 n 
+0000037373 00000 n 
+0000037539 00000 n 
+0000037701 00000 n 
+0000037863 00000 n 
+0000038025 00000 n 
+0000038187 00000 n 
+0000038349 00000 n 
+0000038504 00000 n 
+0000038659 00000 n 
+0000052318 00000 n 
+0000042272 00000 n 
+0000039025 00000 n 
+0000052255 00000 n 
+0000654006 00000 n 
+0000636925 00000 n 
+0000653822 00000 n 
+0000042862 00000 n 
+0000043025 00000 n 
+0000043187 00000 n 
+0000043350 00000 n 
+0000043508 00000 n 
+0000043671 00000 n 
+0000043834 00000 n 
+0000043989 00000 n 
+0000044147 00000 n 
+0000044305 00000 n 
+0000044461 00000 n 
+0000044619 00000 n 
+0000044782 00000 n 
+0000044950 00000 n 
+0000045118 00000 n 
+0000045281 00000 n 
+0000045449 00000 n 
+0000045617 00000 n 
+0000045775 00000 n 
+0000045938 00000 n 
+0000046101 00000 n 
+0000046263 00000 n 
+0000046425 00000 n 
+0000046588 00000 n 
+0000046750 00000 n 
+0000046912 00000 n 
+0000047075 00000 n 
+0000047238 00000 n 
+0000047401 00000 n 
+0000047570 00000 n 
+0000047739 00000 n 
+0000047903 00000 n 
+0000048066 00000 n 
+0000048230 00000 n 
+0000048394 00000 n 
+0000048557 00000 n 
+0000048721 00000 n 
+0000048890 00000 n 
+0000049059 00000 n 
+0000049228 00000 n 
+0000049397 00000 n 
+0000049566 00000 n 
+0000049735 00000 n 
+0000049904 00000 n 
+0000050073 00000 n 
+0000050242 00000 n 
+0000050412 00000 n 
+0000050582 00000 n 
+0000050752 00000 n 
+0000050922 00000 n 
+0000051092 00000 n 
+0000051262 00000 n 
+0000051432 00000 n 
+0000051601 00000 n 
+0000051771 00000 n 
+0000051932 00000 n 
+0000052093 00000 n 
+0000065459 00000 n 
+0000055941 00000 n 
+0000052416 00000 n 
+0000065396 00000 n 
+0000056515 00000 n 
+0000056678 00000 n 
+0000056841 00000 n 
+0000057004 00000 n 
+0000057167 00000 n 
+0000057330 00000 n 
+0000057493 00000 n 
+0000057656 00000 n 
+0000057824 00000 n 
+0000057991 00000 n 
+0000058159 00000 n 
+0000058327 00000 n 
+0000058484 00000 n 
+0000058646 00000 n 
+0000058811 00000 n 
+0000058977 00000 n 
+0000059139 00000 n 
 0000059301 00000 n 
-0000059458 00000 n 
-0000059620 00000 n 
-0000059782 00000 n 
-0000059939 00000 n 
-0000060094 00000 n 
-0000060251 00000 n 
-0000060413 00000 n 
-0000060569 00000 n 
-0000060726 00000 n 
-0000060882 00000 n 
-0000061039 00000 n 
-0000061201 00000 n 
-0000061358 00000 n 
-0000061520 00000 n 
-0000061677 00000 n 
-0000061838 00000 n 
-0000062000 00000 n 
-0000062162 00000 n 
-0000062317 00000 n 
-0000062473 00000 n 
-0000062630 00000 n 
-0000062787 00000 n 
-0000062944 00000 n 
-0000063100 00000 n 
-0000063257 00000 n 
-0000063414 00000 n 
-0000577172 00000 n 
-0000557205 00000 n 
-0000576999 00000 n 
-0000063571 00000 n 
-0000063727 00000 n 
-0000064391 00000 n 
-0000064206 00000 n 
-0000064057 00000 n 
-0000064328 00000 n 
-0000067519 00000 n 
-0000066709 00000 n 
-0000064432 00000 n 
-0000066831 00000 n 
-0000066955 00000 n 
-0000067080 00000 n 
-0000067205 00000 n 
-0000556316 00000 n 
-0000534984 00000 n 
-0000556142 00000 n 
-0000067330 00000 n 
-0000067393 00000 n 
-0000067456 00000 n 
-0000534210 00000 n 
-0000516663 00000 n 
-0000534037 00000 n 
-0000653377 00000 n 
-0000072030 00000 n 
-0000070848 00000 n 
-0000067643 00000 n 
-0000071342 00000 n 
-0000071405 00000 n 
-0000071468 00000 n 
-0000071593 00000 n 
-0000071718 00000 n 
-0000071843 00000 n 
-0000070998 00000 n 
-0000071191 00000 n 
-0000071968 00000 n 
-0000314552 00000 n 
-0000357858 00000 n 
-0000076684 00000 n 
-0000075648 00000 n 
-0000072154 00000 n 
-0000076121 00000 n 
-0000076246 00000 n 
-0000075798 00000 n 
-0000075960 00000 n 
-0000076371 00000 n 
-0000076496 00000 n 
-0000076621 00000 n 
-0000092551 00000 n 
-0000079906 00000 n 
-0000079346 00000 n 
-0000076808 00000 n 
-0000079468 00000 n 
-0000079593 00000 n 
-0000079718 00000 n 
-0000079843 00000 n 
+0000059463 00000 n 
+0000059625 00000 n 
+0000059792 00000 n 
+0000059959 00000 n 
+0000060126 00000 n 
+0000060288 00000 n 
+0000060450 00000 n 
+0000060607 00000 n 
+0000060774 00000 n 
+0000060936 00000 n 
+0000061103 00000 n 
+0000061270 00000 n 
+0000636036 00000 n 
+0000614704 00000 n 
+0000635862 00000 n 
+0000061437 00000 n 
+0000061604 00000 n 
+0000061759 00000 n 
+0000061916 00000 n 
+0000062073 00000 n 
+0000062235 00000 n 
+0000062396 00000 n 
+0000062552 00000 n 
+0000062707 00000 n 
+0000062864 00000 n 
+0000063026 00000 n 
+0000063183 00000 n 
+0000063340 00000 n 
+0000063496 00000 n 
+0000063652 00000 n 
+0000063813 00000 n 
+0000063970 00000 n 
+0000064132 00000 n 
+0000064289 00000 n 
+0000064451 00000 n 
+0000064613 00000 n 
+0000064775 00000 n 
+0000064931 00000 n 
+0000065086 00000 n 
+0000065241 00000 n 
+0000068260 00000 n 
+0000066412 00000 n 
+0000065570 00000 n 
+0000068197 00000 n 
+0000066626 00000 n 
+0000066783 00000 n 
+0000066940 00000 n 
+0000067096 00000 n 
+0000067253 00000 n 
+0000067409 00000 n 
+0000067566 00000 n 
+0000067724 00000 n 
+0000613738 00000 n 
+0000593771 00000 n 
+0000613565 00000 n 
+0000067882 00000 n 
+0000068039 00000 n 
+0000071445 00000 n 
+0000070635 00000 n 
+0000068358 00000 n 
+0000070757 00000 n 
+0000070881 00000 n 
+0000071006 00000 n 
+0000071131 00000 n 
+0000071256 00000 n 
+0000071319 00000 n 
+0000071382 00000 n 
+0000592977 00000 n 
+0000574660 00000 n 
+0000592804 00000 n 
+0000712214 00000 n 
+0000076016 00000 n 
+0000074836 00000 n 
+0000071569 00000 n 
+0000075330 00000 n 
+0000075393 00000 n 
+0000075456 00000 n 
+0000075580 00000 n 
+0000075705 00000 n 
+0000075830 00000 n 
+0000074986 00000 n 
+0000075179 00000 n 
+0000075953 00000 n 
+0000330576 00000 n 
+0000385795 00000 n 
+0000080671 00000 n 
+0000079635 00000 n 
+0000076140 00000 n 
+0000080108 00000 n 
+0000080233 00000 n 
+0000079785 00000 n 
+0000079947 00000 n 
+0000080358 00000 n 
+0000080483 00000 n 
+0000080608 00000 n 
+0000096564 00000 n 
+0000083893 00000 n 
 0000083333 00000 n 
-0000082192 00000 n 
-0000080017 00000 n 
-0000082646 00000 n 
-0000082771 00000 n 
-0000082896 00000 n 
-0000083021 00000 n 
-0000083146 00000 n 
-0000082342 00000 n 
-0000082494 00000 n 
-0000083270 00000 n 
-0000273113 00000 n 
-0000084416 00000 n 
-0000084106 00000 n 
-0000083418 00000 n 
-0000084228 00000 n 
-0000084353 00000 n 
-0000086501 00000 n 
-0000085816 00000 n 
-0000084514 00000 n 
-0000085938 00000 n 
-0000086063 00000 n 
-0000086187 00000 n 
-0000086312 00000 n 
-0000086438 00000 n 
-0000653495 00000 n 
-0000089406 00000 n 
-0000088538 00000 n 
-0000086599 00000 n 
-0000088840 00000 n 
-0000088966 00000 n 
-0000089029 00000 n 
-0000089092 00000 n 
-0000088680 00000 n 
-0000089218 00000 n 
-0000089344 00000 n 
-0000254118 00000 n 
-0000092740 00000 n 
-0000092303 00000 n 
-0000089517 00000 n 
-0000092425 00000 n 
-0000516007 00000 n 
-0000504421 00000 n 
-0000515830 00000 n 
-0000092677 00000 n 
-0000096525 00000 n 
-0000096340 00000 n 
-0000092864 00000 n 
-0000096462 00000 n 
-0000503882 00000 n 
-0000494141 00000 n 
-0000503705 00000 n 
-0000100909 00000 n 
-0000100518 00000 n 
-0000096688 00000 n 
-0000100846 00000 n 
-0000100660 00000 n 
-0000161496 00000 n 
-0000103195 00000 n 
-0000102758 00000 n 
-0000101046 00000 n 
-0000102880 00000 n 
-0000103006 00000 n 
-0000103069 00000 n 
-0000103132 00000 n 
-0000105847 00000 n 
-0000108379 00000 n 
-0000105696 00000 n 
-0000103319 00000 n 
-0000107811 00000 n 
-0000107937 00000 n 
-0000108063 00000 n 
-0000107489 00000 n 
-0000107650 00000 n 
-0000493282 00000 n 
-0000483910 00000 n 
-0000493110 00000 n 
-0000483348 00000 n 
-0000474265 00000 n 
-0000483175 00000 n 
-0000108189 00000 n 
-0000108315 00000 n 
-0000653613 00000 n 
-0000107318 00000 n 
-0000107376 00000 n 
-0000107466 00000 n 
-0000198969 00000 n 
-0000231128 00000 n 
-0000112928 00000 n 
-0000111994 00000 n 
-0000108531 00000 n 
-0000112478 00000 n 
-0000112606 00000 n 
-0000112150 00000 n 
-0000112316 00000 n 
-0000112734 00000 n 
-0000112863 00000 n 
-0000361883 00000 n 
-0000116420 00000 n 
-0000116040 00000 n 
-0000113079 00000 n 
-0000116355 00000 n 
-0000116187 00000 n 
-0000117654 00000 n 
-0000117463 00000 n 
-0000116545 00000 n 
-0000117589 00000 n 
-0000120556 00000 n 
-0000119980 00000 n 
-0000117753 00000 n 
-0000120106 00000 n 
-0000120233 00000 n 
-0000120362 00000 n 
-0000120491 00000 n 
-0000123946 00000 n 
-0000123111 00000 n 
-0000120694 00000 n 
-0000123237 00000 n 
-0000123366 00000 n 
-0000123495 00000 n 
-0000123624 00000 n 
-0000123752 00000 n 
-0000123881 00000 n 
-0000127849 00000 n 
-0000127081 00000 n 
-0000124084 00000 n 
-0000127398 00000 n 
-0000127228 00000 n 
-0000127527 00000 n 
-0000127656 00000 n 
-0000127785 00000 n 
-0000653737 00000 n 
-0000310333 00000 n 
-0000131713 00000 n 
-0000131136 00000 n 
-0000127961 00000 n 
-0000131262 00000 n 
-0000131391 00000 n 
-0000131519 00000 n 
-0000131648 00000 n 
-0000135155 00000 n 
-0000134835 00000 n 
-0000131851 00000 n 
-0000134961 00000 n 
-0000135090 00000 n 
-0000138486 00000 n 
-0000137727 00000 n 
-0000135267 00000 n 
-0000138035 00000 n 
-0000138164 00000 n 
-0000137874 00000 n 
-0000138293 00000 n 
-0000138421 00000 n 
-0000357600 00000 n 
-0000141224 00000 n 
-0000140646 00000 n 
-0000138652 00000 n 
-0000140772 00000 n 
-0000140901 00000 n 
-0000141030 00000 n 
-0000141159 00000 n 
-0000141664 00000 n 
-0000141473 00000 n 
-0000141323 00000 n 
-0000141599 00000 n 
-0000145666 00000 n 
-0000144900 00000 n 
-0000141706 00000 n 
-0000145214 00000 n 
-0000145343 00000 n 
-0000145471 00000 n 
-0000145536 00000 n 
-0000145601 00000 n 
-0000145047 00000 n 
-0000653862 00000 n 
-0000150078 00000 n 
-0000150270 00000 n 
-0000149824 00000 n 
-0000145765 00000 n 
-0000149950 00000 n 
-0000150205 00000 n 
-0000154096 00000 n 
-0000153389 00000 n 
-0000150395 00000 n 
-0000153515 00000 n 
-0000153644 00000 n 
-0000153773 00000 n 
-0000153902 00000 n 
-0000154031 00000 n 
-0000156826 00000 n 
-0000158075 00000 n 
-0000156700 00000 n 
-0000154221 00000 n 
-0000157752 00000 n 
-0000157881 00000 n 
-0000157946 00000 n 
-0000158010 00000 n 
-0000161559 00000 n 
-0000160725 00000 n 
-0000158229 00000 n 
-0000160851 00000 n 
-0000160980 00000 n 
-0000161108 00000 n 
-0000161173 00000 n 
-0000161238 00000 n 
-0000161367 00000 n 
-0000166717 00000 n 
-0000165800 00000 n 
-0000161671 00000 n 
-0000166266 00000 n 
-0000165956 00000 n 
-0000166107 00000 n 
-0000166395 00000 n 
-0000166524 00000 n 
-0000166652 00000 n 
-0000460456 00000 n 
-0000170741 00000 n 
-0000169599 00000 n 
-0000166855 00000 n 
-0000170289 00000 n 
-0000170418 00000 n 
-0000169764 00000 n 
-0000169916 00000 n 
-0000170103 00000 n 
-0000170547 00000 n 
-0000170676 00000 n 
-0000653987 00000 n 
-0000175273 00000 n 
-0000174953 00000 n 
-0000170866 00000 n 
-0000175079 00000 n 
-0000175208 00000 n 
-0000178462 00000 n 
-0000178083 00000 n 
-0000175398 00000 n 
-0000178397 00000 n 
-0000178230 00000 n 
-0000181635 00000 n 
-0000181830 00000 n 
-0000181380 00000 n 
-0000178574 00000 n 
-0000181506 00000 n 
-0000181700 00000 n 
-0000181765 00000 n 
-0000185463 00000 n 
-0000184678 00000 n 
-0000181942 00000 n 
-0000185140 00000 n 
-0000185269 00000 n 
-0000185398 00000 n 
-0000184834 00000 n 
-0000184987 00000 n 
-0000187606 00000 n 
-0000187028 00000 n 
-0000185575 00000 n 
-0000187154 00000 n 
-0000187283 00000 n 
-0000187412 00000 n 
-0000187541 00000 n 
-0000189177 00000 n 
-0000188986 00000 n 
-0000187718 00000 n 
-0000189112 00000 n 
-0000654112 00000 n 
-0000190937 00000 n 
-0000190618 00000 n 
-0000189276 00000 n 
-0000190744 00000 n 
-0000190873 00000 n 
-0000195079 00000 n 
-0000194711 00000 n 
-0000191049 00000 n 
-0000195014 00000 n 
-0000194858 00000 n 
-0000269386 00000 n 
-0000199034 00000 n 
-0000198714 00000 n 
-0000195204 00000 n 
-0000198840 00000 n 
-0000202871 00000 n 
-0000202551 00000 n 
-0000199159 00000 n 
-0000202677 00000 n 
-0000202742 00000 n 
-0000202806 00000 n 
-0000208134 00000 n 
-0000206840 00000 n 
-0000202996 00000 n 
-0000208069 00000 n 
-0000207032 00000 n 
-0000207186 00000 n 
-0000207342 00000 n 
-0000207527 00000 n 
-0000207701 00000 n 
-0000207885 00000 n 
-0000277765 00000 n 
-0000212392 00000 n 
-0000212201 00000 n 
-0000208313 00000 n 
-0000212327 00000 n 
-0000654237 00000 n 
-0000216088 00000 n 
-0000215897 00000 n 
-0000212517 00000 n 
-0000216023 00000 n 
-0000220442 00000 n 
-0000219499 00000 n 
-0000216200 00000 n 
-0000219990 00000 n 
-0000220119 00000 n 
-0000219655 00000 n 
-0000220248 00000 n 
-0000220377 00000 n 
-0000219824 00000 n 
-0000286323 00000 n 
-0000224715 00000 n 
-0000224024 00000 n 
-0000220608 00000 n 
-0000224522 00000 n 
-0000224180 00000 n 
-0000224351 00000 n 
-0000224651 00000 n 
-0000345230 00000 n 
-0000228243 00000 n 
-0000227923 00000 n 
-0000224840 00000 n 
-0000228049 00000 n 
-0000228178 00000 n 
-0000231193 00000 n 
-0000230873 00000 n 
-0000228355 00000 n 
-0000230999 00000 n 
-0000235248 00000 n 
-0000235057 00000 n 
-0000231346 00000 n 
-0000235183 00000 n 
-0000654362 00000 n 
+0000080795 00000 n 
+0000083455 00000 n 
+0000083580 00000 n 
+0000083705 00000 n 
+0000083830 00000 n 
+0000087320 00000 n 
+0000086179 00000 n 
+0000084004 00000 n 
+0000086633 00000 n 
+0000086758 00000 n 
+0000086883 00000 n 
+0000087008 00000 n 
+0000087133 00000 n 
+0000086329 00000 n 
+0000086481 00000 n 
+0000087257 00000 n 
+0000281227 00000 n 
+0000088400 00000 n 
+0000088090 00000 n 
+0000087405 00000 n 
+0000088212 00000 n 
+0000088337 00000 n 
+0000090485 00000 n 
+0000089800 00000 n 
+0000088498 00000 n 
+0000089922 00000 n 
+0000090047 00000 n 
+0000090171 00000 n 
+0000090296 00000 n 
+0000090422 00000 n 
+0000712332 00000 n 
+0000093412 00000 n 
+0000092524 00000 n 
+0000090583 00000 n 
+0000092831 00000 n 
+0000092960 00000 n 
+0000093025 00000 n 
+0000093090 00000 n 
+0000092670 00000 n 
+0000093219 00000 n 
+0000093348 00000 n 
+0000265096 00000 n 
+0000096757 00000 n 
+0000096310 00000 n 
+0000093524 00000 n 
+0000096435 00000 n 
+0000573985 00000 n 
+0000561996 00000 n 
+0000573806 00000 n 
+0000096692 00000 n 
+0000100548 00000 n 
+0000100358 00000 n 
+0000096883 00000 n 
+0000100483 00000 n 
+0000561455 00000 n 
+0000551709 00000 n 
+0000561276 00000 n 
+0000105074 00000 n 
+0000104676 00000 n 
+0000100714 00000 n 
+0000105009 00000 n 
+0000104822 00000 n 
+0000171091 00000 n 
+0000107419 00000 n 
+0000106970 00000 n 
+0000105213 00000 n 
+0000107095 00000 n 
+0000107224 00000 n 
+0000107289 00000 n 
+0000107354 00000 n 
+0000110116 00000 n 
+0000112663 00000 n 
+0000109960 00000 n 
+0000107544 00000 n 
+0000112082 00000 n 
+0000112211 00000 n 
+0000112340 00000 n 
+0000111759 00000 n 
+0000111921 00000 n 
+0000550839 00000 n 
+0000541419 00000 n 
+0000550665 00000 n 
+0000540855 00000 n 
+0000531769 00000 n 
+0000540680 00000 n 
+0000112469 00000 n 
+0000112598 00000 n 
+0000712455 00000 n 
+0000111588 00000 n 
+0000111646 00000 n 
+0000111736 00000 n 
+0000206653 00000 n 
+0000242339 00000 n 
+0000117183 00000 n 
+0000116248 00000 n 
+0000112819 00000 n 
+0000116731 00000 n 
+0000116860 00000 n 
+0000116404 00000 n 
+0000116569 00000 n 
+0000116989 00000 n 
+0000117118 00000 n 
+0000389821 00000 n 
+0000120797 00000 n 
+0000120417 00000 n 
+0000117335 00000 n 
+0000120732 00000 n 
+0000120564 00000 n 
+0000122047 00000 n 
+0000121856 00000 n 
+0000120922 00000 n 
+0000121982 00000 n 
+0000124750 00000 n 
+0000124173 00000 n 
+0000122146 00000 n 
+0000124299 00000 n 
+0000124428 00000 n 
+0000124557 00000 n 
+0000124686 00000 n 
+0000127972 00000 n 
+0000127265 00000 n 
+0000124888 00000 n 
+0000127391 00000 n 
+0000127520 00000 n 
+0000127649 00000 n 
+0000127778 00000 n 
+0000127907 00000 n 
+0000132261 00000 n 
+0000131363 00000 n 
+0000128097 00000 n 
+0000131681 00000 n 
+0000131810 00000 n 
+0000131510 00000 n 
+0000131939 00000 n 
+0000132068 00000 n 
+0000132196 00000 n 
+0000712580 00000 n 
+0000323198 00000 n 
+0000136297 00000 n 
+0000135719 00000 n 
+0000132386 00000 n 
+0000135845 00000 n 
+0000135974 00000 n 
+0000136103 00000 n 
+0000136232 00000 n 
+0000139738 00000 n 
+0000139418 00000 n 
+0000136435 00000 n 
+0000139544 00000 n 
+0000139673 00000 n 
+0000143070 00000 n 
+0000142311 00000 n 
+0000139850 00000 n 
+0000142619 00000 n 
+0000142748 00000 n 
+0000142458 00000 n 
+0000142877 00000 n 
+0000143005 00000 n 
+0000385537 00000 n 
+0000145810 00000 n 
+0000145232 00000 n 
+0000143238 00000 n 
+0000145358 00000 n 
+0000145487 00000 n 
+0000145616 00000 n 
+0000145745 00000 n 
+0000146250 00000 n 
+0000146059 00000 n 
+0000145909 00000 n 
+0000146185 00000 n 
+0000150252 00000 n 
+0000149486 00000 n 
+0000146292 00000 n 
+0000149800 00000 n 
+0000149929 00000 n 
+0000150057 00000 n 
+0000150122 00000 n 
+0000150187 00000 n 
+0000149633 00000 n 
+0000712705 00000 n 
+0000154748 00000 n 
+0000154940 00000 n 
+0000154493 00000 n 
+0000150351 00000 n 
+0000154619 00000 n 
+0000154875 00000 n 
+0000158787 00000 n 
+0000158210 00000 n 
+0000155065 00000 n 
+0000158336 00000 n 
+0000158464 00000 n 
+0000158593 00000 n 
+0000158722 00000 n 
+0000161394 00000 n 
+0000162773 00000 n 
+0000161268 00000 n 
+0000158925 00000 n 
+0000162320 00000 n 
+0000162449 00000 n 
+0000162578 00000 n 
+0000162643 00000 n 
+0000162708 00000 n 
+0000166049 00000 n 
+0000165343 00000 n 
+0000162928 00000 n 
+0000165469 00000 n 
+0000165597 00000 n 
+0000165726 00000 n 
+0000165790 00000 n 
+0000165855 00000 n 
+0000165984 00000 n 
+0000171284 00000 n 
+0000170496 00000 n 
+0000166161 00000 n 
+0000170962 00000 n 
+0000170652 00000 n 
+0000170803 00000 n 
+0000171220 00000 n 
+0000510397 00000 n 
+0000175146 00000 n 
+0000173875 00000 n 
+0000171422 00000 n 
+0000174565 00000 n 
+0000174694 00000 n 
+0000174823 00000 n 
+0000174952 00000 n 
+0000174040 00000 n 
+0000174192 00000 n 
+0000174378 00000 n 
+0000175081 00000 n 
+0000712830 00000 n 
+0000179291 00000 n 
+0000178842 00000 n 
+0000175272 00000 n 
+0000178968 00000 n 
+0000179097 00000 n 
+0000179226 00000 n 
+0000183212 00000 n 
+0000182833 00000 n 
+0000179416 00000 n 
+0000183147 00000 n 
+0000182980 00000 n 
+0000186051 00000 n 
+0000186245 00000 n 
+0000185796 00000 n 
+0000183324 00000 n 
+0000185922 00000 n 
+0000186116 00000 n 
+0000186181 00000 n 
+0000189675 00000 n 
+0000189484 00000 n 
+0000186357 00000 n 
+0000189610 00000 n 
+0000192997 00000 n 
+0000191830 00000 n 
+0000189787 00000 n 
+0000192290 00000 n 
+0000192419 00000 n 
+0000192548 00000 n 
+0000191986 00000 n 
+0000192140 00000 n 
+0000192676 00000 n 
+0000192804 00000 n 
+0000192932 00000 n 
+0000194483 00000 n 
+0000194292 00000 n 
+0000193109 00000 n 
+0000194418 00000 n 
+0000712955 00000 n 
+0000196016 00000 n 
+0000195825 00000 n 
+0000194582 00000 n 
+0000195951 00000 n 
+0000198266 00000 n 
+0000197946 00000 n 
+0000196115 00000 n 
+0000198072 00000 n 
+0000198201 00000 n 
+0000202789 00000 n 
+0000202420 00000 n 
+0000198378 00000 n 
+0000202724 00000 n 
+0000202567 00000 n 
+0000359890 00000 n 
+0000206718 00000 n 
+0000206398 00000 n 
+0000202927 00000 n 
+0000206524 00000 n 
+0000210794 00000 n 
+0000210300 00000 n 
+0000206843 00000 n 
+0000210599 00000 n 
+0000210664 00000 n 
+0000210729 00000 n 
+0000210447 00000 n 
+0000215794 00000 n 
+0000214662 00000 n 
+0000210919 00000 n 
+0000215729 00000 n 
+0000214845 00000 n 
+0000215002 00000 n 
+0000215186 00000 n 
+0000215359 00000 n 
+0000215544 00000 n 
+0000713080 00000 n 
+0000289426 00000 n 
+0000220074 00000 n 
+0000219883 00000 n 
+0000215975 00000 n 
+0000220009 00000 n 
+0000223936 00000 n 
+0000223745 00000 n 
+0000220199 00000 n 
+0000223871 00000 n 
+0000228196 00000 n 
+0000227253 00000 n 
+0000224048 00000 n 
+0000227745 00000 n 
+0000227873 00000 n 
+0000227409 00000 n 
+0000228002 00000 n 
+0000228131 00000 n 
+0000227579 00000 n 
+0000297882 00000 n 
+0000232129 00000 n 
+0000231567 00000 n 
+0000228365 00000 n 
+0000232064 00000 n 
+0000231723 00000 n 
+0000231893 00000 n 
+0000373163 00000 n 
+0000235454 00000 n 
+0000235005 00000 n 
+0000232298 00000 n 
+0000235131 00000 n 
+0000235260 00000 n 
+0000235389 00000 n 
+0000238850 00000 n 
+0000238659 00000 n 
+0000235579 00000 n 
 0000238785 00000 n 
-0000238284 00000 n 
-0000235401 00000 n 
-0000238591 00000 n 
-0000238720 00000 n 
-0000238431 00000 n 
-0000243217 00000 n 
-0000242410 00000 n 
-0000238951 00000 n 
-0000242896 00000 n 
-0000243025 00000 n 
-0000242566 00000 n 
-0000243153 00000 n 
-0000242741 00000 n 
-0000247134 00000 n 
-0000246685 00000 n 
-0000243329 00000 n 
-0000246811 00000 n 
-0000246940 00000 n 
-0000247069 00000 n 
-0000251164 00000 n 
-0000250497 00000 n 
-0000247287 00000 n 
-0000250971 00000 n 
-0000251100 00000 n 
-0000250653 00000 n 
-0000250815 00000 n 
-0000254312 00000 n 
-0000253673 00000 n 
-0000251330 00000 n 
-0000253989 00000 n 
-0000253820 00000 n 
-0000254182 00000 n 
-0000254247 00000 n 
-0000258137 00000 n 
-0000257637 00000 n 
-0000254437 00000 n 
-0000257944 00000 n 
-0000258073 00000 n 
-0000257784 00000 n 
-0000654487 00000 n 
-0000262963 00000 n 
-0000262285 00000 n 
-0000258316 00000 n 
-0000262770 00000 n 
-0000262441 00000 n 
-0000473910 00000 n 
-0000471912 00000 n 
-0000473745 00000 n 
-0000262898 00000 n 
-0000262603 00000 n 
-0000336875 00000 n 
-0000281535 00000 n 
-0000266290 00000 n 
-0000265970 00000 n 
-0000263089 00000 n 
-0000266096 00000 n 
-0000266225 00000 n 
-0000269580 00000 n 
-0000269131 00000 n 
-0000266456 00000 n 
-0000269257 00000 n 
-0000269451 00000 n 
-0000269515 00000 n 
-0000273306 00000 n 
-0000272858 00000 n 
-0000269679 00000 n 
-0000272984 00000 n 
-0000273241 00000 n 
-0000277829 00000 n 
-0000277340 00000 n 
-0000273418 00000 n 
-0000277636 00000 n 
-0000277487 00000 n 
-0000281728 00000 n 
-0000280676 00000 n 
-0000277941 00000 n 
-0000281148 00000 n 
-0000280832 00000 n 
-0000281277 00000 n 
-0000281406 00000 n 
-0000280994 00000 n 
-0000281664 00000 n 
-0000654612 00000 n 
-0000284830 00000 n 
-0000284639 00000 n 
-0000281840 00000 n 
-0000284765 00000 n 
-0000286388 00000 n 
-0000286068 00000 n 
-0000284942 00000 n 
-0000286194 00000 n 
-0000287824 00000 n 
-0000287633 00000 n 
-0000286500 00000 n 
-0000287759 00000 n 
-0000290450 00000 n 
-0000289871 00000 n 
-0000287923 00000 n 
-0000289997 00000 n 
-0000290126 00000 n 
-0000290255 00000 n 
-0000290320 00000 n 
-0000290385 00000 n 
-0000294379 00000 n 
-0000294059 00000 n 
-0000290562 00000 n 
-0000294185 00000 n 
-0000294314 00000 n 
-0000299993 00000 n 
-0000297603 00000 n 
-0000294491 00000 n 
-0000299799 00000 n 
-0000299928 00000 n 
-0000297849 00000 n 
-0000298011 00000 n 
-0000298173 00000 n 
-0000298334 00000 n 
-0000298494 00000 n 
-0000298665 00000 n 
-0000298827 00000 n 
-0000298989 00000 n 
-0000299149 00000 n 
-0000299310 00000 n 
-0000299473 00000 n 
-0000299636 00000 n 
-0000654737 00000 n 
-0000305217 00000 n 
-0000303157 00000 n 
-0000300118 00000 n 
-0000305152 00000 n 
-0000303394 00000 n 
-0000303554 00000 n 
-0000303716 00000 n 
-0000303877 00000 n 
-0000304038 00000 n 
-0000304200 00000 n 
-0000304363 00000 n 
-0000304517 00000 n 
-0000304670 00000 n 
-0000304832 00000 n 
-0000304992 00000 n 
-0000310526 00000 n 
-0000308563 00000 n 
-0000305342 00000 n 
-0000310204 00000 n 
-0000308782 00000 n 
-0000308942 00000 n 
-0000309104 00000 n 
-0000309263 00000 n 
-0000309422 00000 n 
-0000309575 00000 n 
-0000309738 00000 n 
-0000309888 00000 n 
-0000310050 00000 n 
-0000310398 00000 n 
-0000310462 00000 n 
-0000314874 00000 n 
-0000313808 00000 n 
-0000310651 00000 n 
-0000314295 00000 n 
-0000314423 00000 n 
-0000314680 00000 n 
-0000313964 00000 n 
-0000314134 00000 n 
-0000314745 00000 n 
-0000314810 00000 n 
-0000318327 00000 n 
-0000318006 00000 n 
-0000314999 00000 n 
-0000318132 00000 n 
-0000318197 00000 n 
-0000318262 00000 n 
-0000321897 00000 n 
-0000321576 00000 n 
-0000318426 00000 n 
-0000321702 00000 n 
-0000321767 00000 n 
-0000321832 00000 n 
-0000325927 00000 n 
-0000325219 00000 n 
-0000322009 00000 n 
-0000325345 00000 n 
-0000325474 00000 n 
-0000325539 00000 n 
-0000325604 00000 n 
-0000325668 00000 n 
-0000325733 00000 n 
-0000325862 00000 n 
-0000654862 00000 n 
-0000329738 00000 n 
-0000328899 00000 n 
-0000326052 00000 n 
-0000329025 00000 n 
-0000329090 00000 n 
-0000329155 00000 n 
-0000329284 00000 n 
-0000329349 00000 n 
-0000329414 00000 n 
-0000329543 00000 n 
-0000329608 00000 n 
-0000329673 00000 n 
-0000333026 00000 n 
-0000332193 00000 n 
-0000329917 00000 n 
-0000332319 00000 n 
-0000332448 00000 n 
-0000332576 00000 n 
-0000332704 00000 n 
-0000332833 00000 n 
-0000332962 00000 n 
-0000336940 00000 n 
-0000336490 00000 n 
-0000333219 00000 n 
-0000336616 00000 n 
-0000336681 00000 n 
-0000336746 00000 n 
-0000338422 00000 n 
-0000338231 00000 n 
-0000337065 00000 n 
-0000338357 00000 n 
-0000338875 00000 n 
-0000338684 00000 n 
-0000338534 00000 n 
-0000338810 00000 n 
-0000340815 00000 n 
-0000340366 00000 n 
-0000338917 00000 n 
-0000340492 00000 n 
-0000340621 00000 n 
-0000340750 00000 n 
-0000654987 00000 n 
-0000345295 00000 n 
-0000344351 00000 n 
-0000340927 00000 n 
-0000344714 00000 n 
-0000471591 00000 n 
-0000462378 00000 n 
-0000471405 00000 n 
-0000344498 00000 n 
-0000344843 00000 n 
-0000344972 00000 n 
-0000345101 00000 n 
-0000346333 00000 n 
-0000346142 00000 n 
-0000345528 00000 n 
-0000346268 00000 n 
-0000346760 00000 n 
-0000346569 00000 n 
-0000346419 00000 n 
-0000346695 00000 n 
-0000350073 00000 n 
-0000348847 00000 n 
-0000346802 00000 n 
-0000349364 00000 n 
-0000349493 00000 n 
-0000349622 00000 n 
-0000349751 00000 n 
-0000349880 00000 n 
-0000350009 00000 n 
-0000349003 00000 n 
-0000349175 00000 n 
-0000350527 00000 n 
-0000350336 00000 n 
-0000350186 00000 n 
-0000350462 00000 n 
-0000353771 00000 n 
-0000353193 00000 n 
-0000350569 00000 n 
-0000353319 00000 n 
-0000353448 00000 n 
-0000353577 00000 n 
-0000353706 00000 n 
-0000655112 00000 n 
-0000358050 00000 n 
-0000356831 00000 n 
-0000353857 00000 n 
-0000357342 00000 n 
-0000357471 00000 n 
-0000357729 00000 n 
-0000356987 00000 n 
-0000357166 00000 n 
-0000357922 00000 n 
-0000357986 00000 n 
-0000364935 00000 n 
-0000361107 00000 n 
-0000358202 00000 n 
-0000361233 00000 n 
-0000361298 00000 n 
-0000361363 00000 n 
-0000361428 00000 n 
-0000361493 00000 n 
-0000361558 00000 n 
-0000361623 00000 n 
-0000361688 00000 n 
-0000361753 00000 n 
-0000361818 00000 n 
-0000361948 00000 n 
-0000362013 00000 n 
-0000362078 00000 n 
-0000362143 00000 n 
-0000362208 00000 n 
-0000362273 00000 n 
-0000362338 00000 n 
-0000362403 00000 n 
-0000362468 00000 n 
-0000362533 00000 n 
-0000362598 00000 n 
-0000362663 00000 n 
-0000362728 00000 n 
-0000362793 00000 n 
-0000362858 00000 n 
-0000362923 00000 n 
-0000362988 00000 n 
-0000363053 00000 n 
+0000713205 00000 n 
+0000242404 00000 n 
+0000242084 00000 n 
+0000239019 00000 n 
+0000242210 00000 n 
+0000246107 00000 n 
+0000245916 00000 n 
+0000242560 00000 n 
+0000246042 00000 n 
+0000250518 00000 n 
+0000249704 00000 n 
+0000246276 00000 n 
+0000250195 00000 n 
+0000250324 00000 n 
+0000249860 00000 n 
+0000250453 00000 n 
+0000250021 00000 n 
+0000254509 00000 n 
+0000254014 00000 n 
+0000250673 00000 n 
+0000254315 00000 n 
+0000254444 00000 n 
+0000254161 00000 n 
+0000257878 00000 n 
+0000257429 00000 n 
+0000254634 00000 n 
+0000257555 00000 n 
+0000257684 00000 n 
+0000257813 00000 n 
+0000261950 00000 n 
+0000261283 00000 n 
+0000258033 00000 n 
+0000261756 00000 n 
+0000261885 00000 n 
+0000261439 00000 n 
+0000261601 00000 n 
+0000713330 00000 n 
+0000265418 00000 n 
+0000264650 00000 n 
+0000262119 00000 n 
+0000264967 00000 n 
+0000264797 00000 n 
+0000265160 00000 n 
+0000265225 00000 n 
+0000265354 00000 n 
+0000269455 00000 n 
+0000269083 00000 n 
+0000265601 00000 n 
+0000269390 00000 n 
+0000269230 00000 n 
+0000274209 00000 n 
+0000273530 00000 n 
+0000269623 00000 n 
+0000274016 00000 n 
+0000273686 00000 n 
+0000531414 00000 n 
+0000529417 00000 n 
+0000531249 00000 n 
+0000274144 00000 n 
+0000273849 00000 n 
+0000356458 00000 n 
+0000293050 00000 n 
+0000277537 00000 n 
+0000277217 00000 n 
+0000274335 00000 n 
+0000277343 00000 n 
+0000277472 00000 n 
+0000281291 00000 n 
+0000280972 00000 n 
+0000277662 00000 n 
+0000281098 00000 n 
+0000284923 00000 n 
+0000284346 00000 n 
+0000281433 00000 n 
+0000284472 00000 n 
+0000284601 00000 n 
+0000284730 00000 n 
+0000284858 00000 n 
+0000713455 00000 n 
+0000289491 00000 n 
+0000289000 00000 n 
+0000285035 00000 n 
+0000289297 00000 n 
+0000289147 00000 n 
+0000293243 00000 n 
+0000292193 00000 n 
+0000289603 00000 n 
+0000292664 00000 n 
+0000292349 00000 n 
+0000292792 00000 n 
+0000292921 00000 n 
+0000292511 00000 n 
+0000293179 00000 n 
+0000296310 00000 n 
+0000296119 00000 n 
+0000293355 00000 n 
+0000296245 00000 n 
+0000297947 00000 n 
+0000297627 00000 n 
+0000296422 00000 n 
+0000297753 00000 n 
+0000299421 00000 n 
+0000299230 00000 n 
+0000298059 00000 n 
+0000299356 00000 n 
+0000302297 00000 n 
+0000301718 00000 n 
+0000299520 00000 n 
+0000301844 00000 n 
+0000301973 00000 n 
+0000302102 00000 n 
+0000302167 00000 n 
+0000302232 00000 n 
+0000713580 00000 n 
+0000306225 00000 n 
+0000305905 00000 n 
+0000302409 00000 n 
+0000306031 00000 n 
+0000306160 00000 n 
+0000312121 00000 n 
+0000309387 00000 n 
+0000306337 00000 n 
+0000311927 00000 n 
+0000312056 00000 n 
+0000309651 00000 n 
+0000309813 00000 n 
+0000309975 00000 n 
+0000310136 00000 n 
+0000310296 00000 n 
+0000310458 00000 n 
+0000310629 00000 n 
+0000310791 00000 n 
+0000310953 00000 n 
+0000311114 00000 n 
+0000311275 00000 n 
+0000311438 00000 n 
+0000311601 00000 n 
+0000311764 00000 n 
+0000317105 00000 n 
+0000315364 00000 n 
+0000312233 00000 n 
+0000317040 00000 n 
+0000315583 00000 n 
+0000315744 00000 n 
+0000315913 00000 n 
+0000316075 00000 n 
+0000316237 00000 n 
+0000316399 00000 n 
+0000316560 00000 n 
+0000316723 00000 n 
+0000316877 00000 n 
+0000323263 00000 n 
+0000320266 00000 n 
+0000317230 00000 n 
+0000323069 00000 n 
+0000320548 00000 n 
+0000320702 00000 n 
+0000320856 00000 n 
+0000321010 00000 n 
+0000321164 00000 n 
+0000321325 00000 n 
+0000321487 00000 n 
+0000321647 00000 n 
+0000321807 00000 n 
+0000321969 00000 n 
+0000322129 00000 n 
+0000322288 00000 n 
+0000322439 00000 n 
+0000322602 00000 n 
+0000322753 00000 n 
+0000322915 00000 n 
+0000326791 00000 n 
+0000326470 00000 n 
+0000323375 00000 n 
+0000326596 00000 n 
+0000326661 00000 n 
+0000326726 00000 n 
+0000331027 00000 n 
+0000329830 00000 n 
+0000326960 00000 n 
+0000330318 00000 n 
+0000330447 00000 n 
+0000330704 00000 n 
+0000329986 00000 n 
+0000330156 00000 n 
+0000330769 00000 n 
+0000330834 00000 n 
+0000330899 00000 n 
+0000330963 00000 n 
+0000713705 00000 n 
+0000334374 00000 n 
+0000334183 00000 n 
+0000331209 00000 n 
+0000334309 00000 n 
+0000338114 00000 n 
+0000337793 00000 n 
+0000334460 00000 n 
+0000337919 00000 n 
+0000337984 00000 n 
+0000338049 00000 n 
+0000341943 00000 n 
+0000341236 00000 n 
+0000338226 00000 n 
+0000341362 00000 n 
+0000341491 00000 n 
+0000341554 00000 n 
+0000341619 00000 n 
+0000341684 00000 n 
+0000341749 00000 n 
+0000341878 00000 n 
+0000345707 00000 n 
+0000344868 00000 n 
+0000342055 00000 n 
+0000344994 00000 n 
+0000345059 00000 n 
+0000345124 00000 n 
+0000345253 00000 n 
+0000345318 00000 n 
+0000345383 00000 n 
+0000345512 00000 n 
+0000345577 00000 n 
+0000345642 00000 n 
+0000348826 00000 n 
+0000348121 00000 n 
+0000345832 00000 n 
+0000348247 00000 n 
+0000348375 00000 n 
+0000348504 00000 n 
+0000348633 00000 n 
+0000348762 00000 n 
+0000352603 00000 n 
+0000352153 00000 n 
+0000349023 00000 n 
+0000352279 00000 n 
+0000352408 00000 n 
+0000352473 00000 n 
+0000352538 00000 n 
+0000713830 00000 n 
+0000356782 00000 n 
+0000356024 00000 n 
+0000352742 00000 n 
+0000356329 00000 n 
+0000356587 00000 n 
+0000356652 00000 n 
+0000356717 00000 n 
+0000356171 00000 n 
+0000360343 00000 n 
+0000359635 00000 n 
+0000356907 00000 n 
+0000359761 00000 n 
+0000360019 00000 n 
+0000360148 00000 n 
+0000360213 00000 n 
+0000360278 00000 n 
+0000363634 00000 n 
+0000362992 00000 n 
+0000360455 00000 n 
 0000363118 00000 n 
-0000363183 00000 n 
-0000363248 00000 n 
-0000363313 00000 n 
-0000363378 00000 n 
-0000363443 00000 n 
-0000363507 00000 n 
-0000363572 00000 n 
-0000363637 00000 n 
-0000363702 00000 n 
-0000363767 00000 n 
-0000363832 00000 n 
-0000363897 00000 n 
-0000363962 00000 n 
-0000364027 00000 n 
-0000364092 00000 n 
-0000364157 00000 n 
-0000364222 00000 n 
-0000364287 00000 n 
-0000364352 00000 n 
-0000364417 00000 n 
-0000364482 00000 n 
-0000364547 00000 n 
-0000364612 00000 n 
-0000364677 00000 n 
-0000364742 00000 n 
-0000364807 00000 n 
-0000364871 00000 n 
-0000371581 00000 n 
-0000368017 00000 n 
-0000365047 00000 n 
-0000368143 00000 n 
-0000368208 00000 n 
-0000368273 00000 n 
-0000368338 00000 n 
-0000368403 00000 n 
-0000368468 00000 n 
-0000368533 00000 n 
-0000368598 00000 n 
-0000368663 00000 n 
-0000368728 00000 n 
-0000368793 00000 n 
-0000368858 00000 n 
-0000368922 00000 n 
-0000368987 00000 n 
-0000369052 00000 n 
-0000369117 00000 n 
-0000369182 00000 n 
-0000369247 00000 n 
-0000369312 00000 n 
-0000369377 00000 n 
-0000369442 00000 n 
-0000369507 00000 n 
-0000369572 00000 n 
-0000369637 00000 n 
-0000369701 00000 n 
-0000369766 00000 n 
-0000369831 00000 n 
-0000369896 00000 n 
-0000369961 00000 n 
-0000370026 00000 n 
-0000370091 00000 n 
-0000370156 00000 n 
-0000370221 00000 n 
-0000370286 00000 n 
-0000370351 00000 n 
-0000370416 00000 n 
-0000370481 00000 n 
-0000370546 00000 n 
-0000370611 00000 n 
-0000370676 00000 n 
-0000370740 00000 n 
-0000370804 00000 n 
-0000370868 00000 n 
-0000370933 00000 n 
-0000370998 00000 n 
-0000371063 00000 n 
-0000371128 00000 n 
-0000371193 00000 n 
-0000371258 00000 n 
-0000371323 00000 n 
-0000371388 00000 n 
-0000371453 00000 n 
-0000371517 00000 n 
-0000377756 00000 n 
-0000374318 00000 n 
-0000371693 00000 n 
-0000374444 00000 n 
-0000374509 00000 n 
-0000374574 00000 n 
-0000374639 00000 n 
-0000374704 00000 n 
-0000374769 00000 n 
-0000374834 00000 n 
-0000374899 00000 n 
-0000374964 00000 n 
-0000375029 00000 n 
-0000375094 00000 n 
-0000375159 00000 n 
-0000375224 00000 n 
-0000375289 00000 n 
-0000375354 00000 n 
-0000375419 00000 n 
-0000375484 00000 n 
-0000375549 00000 n 
-0000375614 00000 n 
-0000375679 00000 n 
-0000375744 00000 n 
-0000375809 00000 n 
-0000375874 00000 n 
-0000375939 00000 n 
-0000376004 00000 n 
-0000376069 00000 n 
-0000376134 00000 n 
-0000376199 00000 n 
-0000376264 00000 n 
-0000376329 00000 n 
-0000376394 00000 n 
-0000376459 00000 n 
-0000376524 00000 n 
-0000376589 00000 n 
-0000376653 00000 n 
-0000376718 00000 n 
-0000376783 00000 n 
-0000376848 00000 n 
-0000376913 00000 n 
-0000376978 00000 n 
-0000377043 00000 n 
-0000377108 00000 n 
-0000377173 00000 n 
-0000377238 00000 n 
-0000377303 00000 n 
-0000377368 00000 n 
-0000377433 00000 n 
-0000377498 00000 n 
-0000377563 00000 n 
-0000377628 00000 n 
-0000377692 00000 n 
-0000382335 00000 n 
-0000380071 00000 n 
-0000377868 00000 n 
-0000380197 00000 n 
-0000380262 00000 n 
-0000380327 00000 n 
-0000380392 00000 n 
-0000380457 00000 n 
-0000380522 00000 n 
-0000380587 00000 n 
-0000380652 00000 n 
-0000380717 00000 n 
-0000380782 00000 n 
-0000380847 00000 n 
-0000380912 00000 n 
-0000380977 00000 n 
-0000381042 00000 n 
-0000381104 00000 n 
-0000381168 00000 n 
-0000381233 00000 n 
-0000381297 00000 n 
-0000381362 00000 n 
-0000381427 00000 n 
-0000381492 00000 n 
-0000381557 00000 n 
-0000381622 00000 n 
-0000381687 00000 n 
-0000381752 00000 n 
-0000381881 00000 n 
-0000382010 00000 n 
-0000382075 00000 n 
-0000382140 00000 n 
-0000382205 00000 n 
-0000382270 00000 n 
-0000385129 00000 n 
-0000384485 00000 n 
-0000382460 00000 n 
-0000384611 00000 n 
-0000384740 00000 n 
-0000384869 00000 n 
-0000384934 00000 n 
-0000384999 00000 n 
-0000385064 00000 n 
-0000655237 00000 n 
-0000389467 00000 n 
-0000389147 00000 n 
-0000385241 00000 n 
-0000389273 00000 n 
-0000389338 00000 n 
-0000389403 00000 n 
-0000392936 00000 n 
+0000363247 00000 n 
+0000363312 00000 n 
+0000363377 00000 n 
+0000363506 00000 n 
+0000363570 00000 n 
+0000366293 00000 n 
+0000365908 00000 n 
+0000363746 00000 n 
+0000366034 00000 n 
+0000366099 00000 n 
+0000529136 00000 n 
+0000521853 00000 n 
+0000528956 00000 n 
+0000366228 00000 n 
+0000366760 00000 n 
+0000366569 00000 n 
+0000366419 00000 n 
+0000366695 00000 n 
+0000368655 00000 n 
+0000368207 00000 n 
+0000366802 00000 n 
+0000368333 00000 n 
+0000368462 00000 n 
+0000368591 00000 n 
+0000713955 00000 n 
+0000373228 00000 n 
+0000372285 00000 n 
+0000368767 00000 n 
+0000372648 00000 n 
+0000521532 00000 n 
+0000512319 00000 n 
+0000521346 00000 n 
+0000372432 00000 n 
+0000372777 00000 n 
+0000372905 00000 n 
+0000373034 00000 n 
+0000374270 00000 n 
+0000374079 00000 n 
+0000373465 00000 n 
+0000374205 00000 n 
+0000374697 00000 n 
+0000374506 00000 n 
+0000374356 00000 n 
+0000374632 00000 n 
+0000378010 00000 n 
+0000376784 00000 n 
+0000374739 00000 n 
+0000377301 00000 n 
+0000377430 00000 n 
+0000377559 00000 n 
+0000377688 00000 n 
+0000377817 00000 n 
+0000377946 00000 n 
+0000376940 00000 n 
+0000377112 00000 n 
+0000378464 00000 n 
+0000378273 00000 n 
+0000378123 00000 n 
+0000378399 00000 n 
+0000381708 00000 n 
+0000381130 00000 n 
+0000378506 00000 n 
+0000381256 00000 n 
+0000381385 00000 n 
+0000381514 00000 n 
+0000381643 00000 n 
+0000714080 00000 n 
+0000385987 00000 n 
+0000384768 00000 n 
+0000381794 00000 n 
+0000385279 00000 n 
+0000385408 00000 n 
+0000385666 00000 n 
+0000384924 00000 n 
+0000385103 00000 n 
+0000385859 00000 n 
+0000385923 00000 n 
+0000392873 00000 n 
+0000389045 00000 n 
+0000386140 00000 n 
+0000389171 00000 n 
+0000389236 00000 n 
+0000389301 00000 n 
+0000389366 00000 n 
+0000389431 00000 n 
+0000389496 00000 n 
+0000389561 00000 n 
+0000389626 00000 n 
+0000389691 00000 n 
+0000389756 00000 n 
+0000389886 00000 n 
+0000389951 00000 n 
+0000390016 00000 n 
+0000390081 00000 n 
+0000390146 00000 n 
+0000390211 00000 n 
+0000390276 00000 n 
+0000390341 00000 n 
+0000390406 00000 n 
+0000390471 00000 n 
+0000390536 00000 n 
+0000390601 00000 n 
+0000390666 00000 n 
+0000390731 00000 n 
+0000390796 00000 n 
+0000390861 00000 n 
+0000390926 00000 n 
+0000390991 00000 n 
+0000391056 00000 n 
+0000391121 00000 n 
+0000391186 00000 n 
+0000391251 00000 n 
+0000391316 00000 n 
+0000391381 00000 n 
+0000391445 00000 n 
+0000391510 00000 n 
+0000391575 00000 n 
+0000391640 00000 n 
+0000391705 00000 n 
+0000391770 00000 n 
+0000391835 00000 n 
+0000391900 00000 n 
+0000391965 00000 n 
+0000392030 00000 n 
+0000392095 00000 n 
+0000392160 00000 n 
+0000392225 00000 n 
+0000392290 00000 n 
+0000392355 00000 n 
+0000392420 00000 n 
+0000392485 00000 n 
+0000392550 00000 n 
+0000392615 00000 n 
 0000392680 00000 n 
-0000389619 00000 n 
-0000392806 00000 n 
-0000392871 00000 n 
-0000396183 00000 n 
-0000395992 00000 n 
-0000393074 00000 n 
-0000396118 00000 n 
-0000399962 00000 n 
-0000399706 00000 n 
-0000396308 00000 n 
-0000399832 00000 n 
-0000399897 00000 n 
-0000403136 00000 n 
-0000402361 00000 n 
-0000400100 00000 n 
-0000402487 00000 n 
-0000402552 00000 n 
-0000402617 00000 n 
-0000402682 00000 n 
-0000402747 00000 n 
-0000402876 00000 n 
-0000402941 00000 n 
-0000403006 00000 n 
-0000403071 00000 n 
-0000407608 00000 n 
-0000407417 00000 n 
-0000403274 00000 n 
-0000407543 00000 n 
-0000655362 00000 n 
-0000410737 00000 n 
-0000409964 00000 n 
-0000407746 00000 n 
-0000410090 00000 n 
-0000410155 00000 n 
-0000410220 00000 n 
-0000410284 00000 n 
-0000410413 00000 n 
-0000410478 00000 n 
-0000410542 00000 n 
-0000410607 00000 n 
-0000410672 00000 n 
-0000414128 00000 n 
-0000413872 00000 n 
-0000410875 00000 n 
-0000413998 00000 n 
-0000414063 00000 n 
-0000416991 00000 n 
-0000416281 00000 n 
-0000414266 00000 n 
-0000416407 00000 n 
-0000416472 00000 n 
-0000416537 00000 n 
-0000416602 00000 n 
-0000416731 00000 n 
-0000416796 00000 n 
-0000416861 00000 n 
-0000416926 00000 n 
-0000420670 00000 n 
-0000420414 00000 n 
-0000417142 00000 n 
-0000420540 00000 n 
-0000420605 00000 n 
-0000424107 00000 n 
-0000423851 00000 n 
-0000420795 00000 n 
-0000423977 00000 n 
-0000424042 00000 n 
-0000426576 00000 n 
-0000425868 00000 n 
-0000424245 00000 n 
-0000425994 00000 n 
-0000426059 00000 n 
-0000426124 00000 n 
-0000426251 00000 n 
-0000426316 00000 n 
-0000426381 00000 n 
-0000426446 00000 n 
-0000426511 00000 n 
-0000655487 00000 n 
-0000429462 00000 n 
-0000428688 00000 n 
-0000426727 00000 n 
-0000428814 00000 n 
-0000428879 00000 n 
-0000428944 00000 n 
-0000429009 00000 n 
-0000429137 00000 n 
-0000429202 00000 n 
-0000429267 00000 n 
-0000429332 00000 n 
-0000429397 00000 n 
-0000432818 00000 n 
-0000432627 00000 n 
-0000429600 00000 n 
-0000432753 00000 n 
-0000435789 00000 n 
-0000435080 00000 n 
-0000432943 00000 n 
-0000435206 00000 n 
-0000435271 00000 n 
-0000435336 00000 n 
-0000435401 00000 n 
-0000435529 00000 n 
-0000435594 00000 n 
-0000435659 00000 n 
-0000435724 00000 n 
-0000439301 00000 n 
-0000439045 00000 n 
-0000435940 00000 n 
-0000439171 00000 n 
-0000439236 00000 n 
-0000442176 00000 n 
-0000441920 00000 n 
-0000439507 00000 n 
-0000442046 00000 n 
-0000442111 00000 n 
-0000445175 00000 n 
-0000444400 00000 n 
-0000442382 00000 n 
-0000444526 00000 n 
-0000444591 00000 n 
-0000444656 00000 n 
-0000444721 00000 n 
-0000444786 00000 n 
-0000444915 00000 n 
-0000444980 00000 n 
-0000445045 00000 n 
-0000445110 00000 n 
-0000655612 00000 n 
-0000448684 00000 n 
-0000448041 00000 n 
-0000445326 00000 n 
-0000448167 00000 n 
-0000448232 00000 n 
-0000448297 00000 n 
-0000448362 00000 n 
-0000448427 00000 n 
-0000448555 00000 n 
-0000448620 00000 n 
-0000452245 00000 n 
-0000451859 00000 n 
-0000448848 00000 n 
-0000451985 00000 n 
-0000452050 00000 n 
-0000452115 00000 n 
-0000452180 00000 n 
-0000454598 00000 n 
-0000454213 00000 n 
-0000452370 00000 n 
-0000454339 00000 n 
-0000454404 00000 n 
-0000454469 00000 n 
-0000454534 00000 n 
-0000458278 00000 n 
-0000457698 00000 n 
-0000454749 00000 n 
-0000457824 00000 n 
-0000457953 00000 n 
-0000458018 00000 n 
-0000458083 00000 n 
-0000458148 00000 n 
-0000458213 00000 n 
-0000460305 00000 n 
-0000459919 00000 n 
-0000458416 00000 n 
-0000460045 00000 n 
-0000460110 00000 n 
-0000460175 00000 n 
-0000460240 00000 n 
-0000460489 00000 n 
-0000471833 00000 n 
-0000474157 00000 n 
-0000474126 00000 n 
-0000483645 00000 n 
-0000493701 00000 n 
-0000504168 00000 n 
-0000516376 00000 n 
-0000534653 00000 n 
-0000556743 00000 n 
-0000577753 00000 n 
-0000595571 00000 n 
-0000598402 00000 n 
-0000598172 00000 n 
-0000625660 00000 n 
-0000652769 00000 n 
-0000655737 00000 n 
-0000655860 00000 n 
-0000655986 00000 n 
-0000656112 00000 n 
-0000656202 00000 n 
-0000656294 00000 n 
-0000671585 00000 n 
-0000688895 00000 n 
-0000688936 00000 n 
-0000688976 00000 n 
-0000689110 00000 n 
+0000392745 00000 n 
+0000392809 00000 n 
+0000399519 00000 n 
+0000395955 00000 n 
+0000392985 00000 n 
+0000396081 00000 n 
+0000396146 00000 n 
+0000396211 00000 n 
+0000396276 00000 n 
+0000396341 00000 n 
+0000396406 00000 n 
+0000396471 00000 n 
+0000396536 00000 n 
+0000396601 00000 n 
+0000396666 00000 n 
+0000396731 00000 n 
+0000396796 00000 n 
+0000396860 00000 n 
+0000396925 00000 n 
+0000396990 00000 n 
+0000397055 00000 n 
+0000397120 00000 n 
+0000397185 00000 n 
+0000397250 00000 n 
+0000397315 00000 n 
+0000397380 00000 n 
+0000397445 00000 n 
+0000397510 00000 n 
+0000397575 00000 n 
+0000397639 00000 n 
+0000397704 00000 n 
+0000397769 00000 n 
+0000397834 00000 n 
+0000397899 00000 n 
+0000397964 00000 n 
+0000398029 00000 n 
+0000398094 00000 n 
+0000398159 00000 n 
+0000398224 00000 n 
+0000398289 00000 n 
+0000398354 00000 n 
+0000398419 00000 n 
+0000398484 00000 n 
+0000398549 00000 n 
+0000398614 00000 n 
+0000398678 00000 n 
+0000398742 00000 n 
+0000398806 00000 n 
+0000398871 00000 n 
+0000398936 00000 n 
+0000399001 00000 n 
+0000399066 00000 n 
+0000399131 00000 n 
+0000399196 00000 n 
+0000399261 00000 n 
+0000399326 00000 n 
+0000399391 00000 n 
+0000399455 00000 n 
+0000405692 00000 n 
+0000402254 00000 n 
+0000399631 00000 n 
+0000402380 00000 n 
+0000402445 00000 n 
+0000402510 00000 n 
+0000402575 00000 n 
+0000402640 00000 n 
+0000402705 00000 n 
+0000402770 00000 n 
+0000402835 00000 n 
+0000402900 00000 n 
+0000402965 00000 n 
+0000403030 00000 n 
+0000403095 00000 n 
+0000403160 00000 n 
+0000403225 00000 n 
+0000403290 00000 n 
+0000403355 00000 n 
+0000403420 00000 n 
+0000403485 00000 n 
+0000403550 00000 n 
+0000403615 00000 n 
+0000403680 00000 n 
+0000403745 00000 n 
+0000403810 00000 n 
+0000403875 00000 n 
+0000403940 00000 n 
+0000404005 00000 n 
+0000404070 00000 n 
+0000404135 00000 n 
+0000404200 00000 n 
+0000404265 00000 n 
+0000404330 00000 n 
+0000404395 00000 n 
+0000404460 00000 n 
+0000404525 00000 n 
+0000404589 00000 n 
+0000404654 00000 n 
+0000404719 00000 n 
+0000404784 00000 n 
+0000404849 00000 n 
+0000404914 00000 n 
+0000404979 00000 n 
+0000405044 00000 n 
+0000405109 00000 n 
+0000405174 00000 n 
+0000405239 00000 n 
+0000405304 00000 n 
+0000405369 00000 n 
+0000405434 00000 n 
+0000405499 00000 n 
+0000405564 00000 n 
+0000405628 00000 n 
+0000410270 00000 n 
+0000408006 00000 n 
+0000405804 00000 n 
+0000408132 00000 n 
+0000408197 00000 n 
+0000408262 00000 n 
+0000408327 00000 n 
+0000408392 00000 n 
+0000408457 00000 n 
+0000408522 00000 n 
+0000408587 00000 n 
+0000408652 00000 n 
+0000408717 00000 n 
+0000408782 00000 n 
+0000408847 00000 n 
+0000408912 00000 n 
+0000408977 00000 n 
+0000409039 00000 n 
+0000409103 00000 n 
+0000409168 00000 n 
+0000409232 00000 n 
+0000409297 00000 n 
+0000409362 00000 n 
+0000409427 00000 n 
+0000409492 00000 n 
+0000409557 00000 n 
+0000409622 00000 n 
+0000409687 00000 n 
+0000409816 00000 n 
+0000409945 00000 n 
+0000410010 00000 n 
+0000410075 00000 n 
+0000410140 00000 n 
+0000410205 00000 n 
+0000413065 00000 n 
+0000412421 00000 n 
+0000410395 00000 n 
+0000412547 00000 n 
+0000412676 00000 n 
+0000412805 00000 n 
+0000412870 00000 n 
+0000412935 00000 n 
+0000413000 00000 n 
+0000714205 00000 n 
+0000417403 00000 n 
+0000417083 00000 n 
+0000413178 00000 n 
+0000417209 00000 n 
+0000417274 00000 n 
+0000417339 00000 n 
+0000420874 00000 n 
+0000420618 00000 n 
+0000417556 00000 n 
+0000420744 00000 n 
+0000420809 00000 n 
+0000424122 00000 n 
+0000423931 00000 n 
+0000421013 00000 n 
+0000424057 00000 n 
+0000427851 00000 n 
+0000427595 00000 n 
+0000424248 00000 n 
+0000427721 00000 n 
+0000427786 00000 n 
+0000430691 00000 n 
+0000429983 00000 n 
+0000427990 00000 n 
+0000430109 00000 n 
+0000430174 00000 n 
+0000430239 00000 n 
+0000430304 00000 n 
+0000430369 00000 n 
+0000430498 00000 n 
+0000430563 00000 n 
+0000430627 00000 n 
+0000435364 00000 n 
+0000435108 00000 n 
+0000430830 00000 n 
+0000435234 00000 n 
+0000435299 00000 n 
+0000714330 00000 n 
+0000438315 00000 n 
+0000437542 00000 n 
+0000435490 00000 n 
+0000437668 00000 n 
+0000437733 00000 n 
+0000437798 00000 n 
+0000437863 00000 n 
+0000437992 00000 n 
+0000438057 00000 n 
+0000438120 00000 n 
+0000438185 00000 n 
+0000438250 00000 n 
+0000440916 00000 n 
+0000440207 00000 n 
+0000438468 00000 n 
+0000440333 00000 n 
+0000440398 00000 n 
+0000440463 00000 n 
+0000440528 00000 n 
+0000440593 00000 n 
+0000440658 00000 n 
+0000440787 00000 n 
+0000440852 00000 n 
+0000443940 00000 n 
+0000443555 00000 n 
+0000441068 00000 n 
+0000443681 00000 n 
+0000443746 00000 n 
+0000443810 00000 n 
+0000443875 00000 n 
+0000447035 00000 n 
+0000446261 00000 n 
+0000444080 00000 n 
+0000446387 00000 n 
+0000446452 00000 n 
+0000446517 00000 n 
+0000446582 00000 n 
+0000446711 00000 n 
+0000446776 00000 n 
+0000446841 00000 n 
+0000446905 00000 n 
+0000446970 00000 n 
+0000450308 00000 n 
+0000450117 00000 n 
+0000447201 00000 n 
+0000450243 00000 n 
+0000453409 00000 n 
+0000452699 00000 n 
+0000450434 00000 n 
+0000452825 00000 n 
+0000452890 00000 n 
+0000452955 00000 n 
+0000453020 00000 n 
+0000453085 00000 n 
+0000453214 00000 n 
+0000453279 00000 n 
+0000453344 00000 n 
+0000714455 00000 n 
+0000457067 00000 n 
+0000456748 00000 n 
+0000453574 00000 n 
+0000456874 00000 n 
+0000456939 00000 n 
+0000457003 00000 n 
+0000460443 00000 n 
+0000460252 00000 n 
+0000457193 00000 n 
+0000460378 00000 n 
+0000463120 00000 n 
+0000462477 00000 n 
+0000460583 00000 n 
+0000462603 00000 n 
+0000462668 00000 n 
+0000462732 00000 n 
+0000462797 00000 n 
+0000462926 00000 n 
+0000462991 00000 n 
+0000463056 00000 n 
+0000465837 00000 n 
+0000465063 00000 n 
+0000463272 00000 n 
+0000465189 00000 n 
+0000465254 00000 n 
+0000465318 00000 n 
+0000465383 00000 n 
+0000465448 00000 n 
+0000465513 00000 n 
+0000465642 00000 n 
+0000465707 00000 n 
+0000465772 00000 n 
+0000469228 00000 n 
+0000468907 00000 n 
+0000465990 00000 n 
+0000469033 00000 n 
+0000469098 00000 n 
+0000469163 00000 n 
+0000472297 00000 n 
+0000471912 00000 n 
+0000469341 00000 n 
+0000472038 00000 n 
+0000472103 00000 n 
+0000472168 00000 n 
+0000472233 00000 n 
+0000714580 00000 n 
+0000475693 00000 n 
+0000475114 00000 n 
+0000472436 00000 n 
+0000475240 00000 n 
+0000475369 00000 n 
+0000475434 00000 n 
+0000475499 00000 n 
+0000475564 00000 n 
+0000475629 00000 n 
+0000478674 00000 n 
+0000478483 00000 n 
+0000475833 00000 n 
+0000478609 00000 n 
+0000481314 00000 n 
+0000480605 00000 n 
+0000478885 00000 n 
+0000480731 00000 n 
+0000480796 00000 n 
+0000480861 00000 n 
+0000480926 00000 n 
+0000480991 00000 n 
+0000481056 00000 n 
+0000481185 00000 n 
+0000481250 00000 n 
+0000485767 00000 n 
+0000485446 00000 n 
+0000481510 00000 n 
+0000485572 00000 n 
+0000485637 00000 n 
+0000485702 00000 n 
+0000489361 00000 n 
+0000489106 00000 n 
+0000485893 00000 n 
+0000489232 00000 n 
+0000489297 00000 n 
+0000492296 00000 n 
+0000492040 00000 n 
+0000489487 00000 n 
+0000492166 00000 n 
+0000492231 00000 n 
+0000714705 00000 n 
+0000495466 00000 n 
+0000494691 00000 n 
+0000492422 00000 n 
+0000494817 00000 n 
+0000494882 00000 n 
+0000494947 00000 n 
+0000495012 00000 n 
+0000495141 00000 n 
+0000495206 00000 n 
+0000495271 00000 n 
+0000495336 00000 n 
+0000495401 00000 n 
+0000498834 00000 n 
+0000498190 00000 n 
+0000495632 00000 n 
+0000498316 00000 n 
+0000498381 00000 n 
+0000498446 00000 n 
+0000498511 00000 n 
+0000498640 00000 n 
+0000498705 00000 n 
+0000498770 00000 n 
+0000502306 00000 n 
+0000501985 00000 n 
+0000499000 00000 n 
+0000502111 00000 n 
+0000502176 00000 n 
+0000502241 00000 n 
+0000504879 00000 n 
+0000504301 00000 n 
+0000502432 00000 n 
+0000504427 00000 n 
+0000504492 00000 n 
+0000504557 00000 n 
+0000504622 00000 n 
+0000504751 00000 n 
+0000504815 00000 n 
+0000508675 00000 n 
+0000508290 00000 n 
+0000505017 00000 n 
+0000508416 00000 n 
+0000508481 00000 n 
+0000508546 00000 n 
+0000508611 00000 n 
+0000510245 00000 n 
+0000509861 00000 n 
+0000508815 00000 n 
+0000509987 00000 n 
+0000510052 00000 n 
+0000510115 00000 n 
+0000510180 00000 n 
+0000714830 00000 n 
+0000510430 00000 n 
+0000521774 00000 n 
+0000529362 00000 n 
+0000531661 00000 n 
+0000531630 00000 n 
+0000541154 00000 n 
+0000551267 00000 n 
+0000561743 00000 n 
+0000574367 00000 n 
+0000593432 00000 n 
+0000614319 00000 n 
+0000636463 00000 n 
+0000654358 00000 n 
+0000657188 00000 n 
+0000656958 00000 n 
+0000684495 00000 n 
+0000711606 00000 n 
+0000714910 00000 n 
+0000715033 00000 n 
+0000715159 00000 n 
+0000715285 00000 n 
+0000715402 00000 n 
+0000715494 00000 n 
+0000731830 00000 n 
+0000750703 00000 n 
+0000750744 00000 n 
+0000750784 00000 n 
+0000750918 00000 n 
 trailer
 <<
-/Size 1957
-/Root 1955 0 R
-/Info 1956 0 R
-/ID [<B3E059B0906A0C00E3685A1538A2E1E1> <B3E059B0906A0C00E3685A1538A2E1E1>]
+/Size 2120
+/Root 2118 0 R
+/Info 2119 0 R
+/ID [<E7B0BB00F44154DCC90012FC495A8314> <E7B0BB00F44154DCC90012FC495A8314>]
 >>
 startxref
-689368
+751176
 %%EOF
diff --git a/doc/arm/Makefile.in b/doc/arm/Makefile.in
index 85f318d..5fa267e 100644
--- a/doc/arm/Makefile.in
+++ b/doc/arm/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.18.8 2007/08/28 07:20:03 tbox Exp $
+# $Id: Makefile.in,v 1.20.332.2 2009/02/12 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -44,6 +44,10 @@ Bv9ARM.html: Bv9ARM-book.xml releaseinfo.xml
 	${XSLTPROC} --stringparam root.filename Bv9ARM \
 		${top_srcdir}/doc/xsl/isc-docbook-chunk.xsl -
 
+Bv9ARM-all.html: Bv9ARM-book.xml releaseinfo.xml
+	expand Bv9ARM-book.xml | \
+	${XSLTPROC} -o Bv9ARM-all.html ../xsl/isc-docbook-html.xsl -
+
 Bv9ARM.tex: Bv9ARM-book.xml releaseinfo.xml
 	expand Bv9ARM-book.xml | \
 	${XSLTPROC} ${top_srcdir}/doc/xsl/pre-latex.xsl - | \
diff --git a/doc/arm/man.dig.html b/doc/arm/man.dig.html
index e6aa96d..4a5697a 100644
--- a/doc/arm/man.dig.html
+++ b/doc/arm/man.dig.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dig.html,v 1.2.2.65 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.dig.html,v 1.93.14.7 2009/04/03 01:52:23 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -52,7 +52,7 @@
 <div class="cmdsynopsis"><p><code class="command">dig</code>  [global-queryopt...] [query...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2563849"></a><h2>DESCRIPTION</h2>
+<a name="id2570492"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dig</strong></span>
       (domain information groper) is a flexible tool
       for interrogating DNS name servers.  It performs DNS lookups and
@@ -98,7 +98,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2563944"></a><h2>SIMPLE USAGE</h2>
+<a name="id2603014"></a><h2>SIMPLE USAGE</h2>
 <p>
       A typical invocation of <span><strong class="command">dig</strong></span> looks like:
       </p>
@@ -144,7 +144,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2569789"></a><h2>OPTIONS</h2>
+<a name="id2603125"></a><h2>OPTIONS</h2>
 <p>
       The <code class="option">-b</code> option sets the source IP address of the query
       to <em class="parameter"><code>address</code></em>.  This must be a valid
@@ -248,7 +248,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2624336"></a><h2>QUERY OPTIONS</h2>
+<a name="id2630091"></a><h2>QUERY OPTIONS</h2>
 <p><span><strong class="command">dig</strong></span>
       provides a number of query options which affect
       the way in which lookups are made and the results displayed.  Some of
@@ -326,13 +326,15 @@
             </p></dd>
 <dt><span class="term"><code class="option">+[no]adflag</code></span></dt>
 <dd><p>
-              Set [do not set] the AD (authentic data) bit in the query.  The
-              AD bit
-              currently has a standard meaning only in responses, not in
-              queries,
-              but the ability to set the bit in the query is provided for
-              completeness.
-            </p></dd>
+	      Set [do not set] the AD (authentic data) bit in the
+	      query.  This requests the server to return whether
+	      all of the answer and authority sections have all
+	      been validated as secure according to the security
+	      policy of the server.  AD=1 indicates that all records
+	      have been validated as secure and the answer is not
+	      from a OPT-OUT range.  AD=0 indicate that some part
+	      of the answer was insecure or not validated.
+	    </p></dd>
 <dt><span class="term"><code class="option">+[no]cdflag</code></span></dt>
 <dd><p>
               Set [do not set] the CD (checking disabled) bit in the query.
@@ -547,7 +549,7 @@
 	      on its own line.
             </p>
 <p>
-	      If not specified <span><strong class="command">dig</strong></span> will look for
+	      If not specified, <span><strong class="command">dig</strong></span> will look for
 	      <code class="filename">/etc/trusted-key.key</code> then
 	      <code class="filename">trusted-key.key</code> in the current directory.
 	    </p>
@@ -561,13 +563,17 @@
               validation.
               Requires dig be compiled with -DDIG_SIGCHASE.
             </p></dd>
+<dt><span class="term"><code class="option">+[no]nsid</code></span></dt>
+<dd><p>
+              Include an EDNS name server ID request when sending a query.
+            </p></dd>
 </dl></div>
 <p>
 
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625254"></a><h2>MULTIPLE QUERIES</h2>
+<a name="id2631092"></a><h2>MULTIPLE QUERIES</h2>
 <p>
       The BIND 9 implementation of <span><strong class="command">dig </strong></span>
       supports
@@ -613,7 +619,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625408"></a><h2>IDN SUPPORT</h2>
+<a name="id2631177"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">dig</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names.
@@ -627,14 +633,14 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625436"></a><h2>FILES</h2>
+<a name="id2631206"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 <p><code class="filename">${HOME}/.digrc</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625458"></a><h2>SEE ALSO</h2>
+<a name="id2631227"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">host</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
@@ -642,7 +648,7 @@ dig +qr www.isc.org any -x 127.0.0.1 isc.org ns +noqr
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2625495"></a><h2>BUGS</h2>
+<a name="id2631265"></a><h2>BUGS</h2>
 <p>
       There are probably too many query options.
     </p>
diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html
new file mode 100644
index 0000000..ebf41d2
--- /dev/null
+++ b/doc/arm/man.dnssec-dsfromkey.html
@@ -0,0 +1,170 @@
+<!--
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-dsfromkey.html,v 1.6.14.6 2009/04/03 01:52:23 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-dsfromkey</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.host.html" title="host">
+<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603968"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-dsfromkey</strong></span>
+      outputs the Delegation Signer (DS) resource record (RR), as defined in
+      RFC 3658 and RFC 4509, for the given key(s).
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2603981"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-1</span></dt>
+<dd><p>
+            Use SHA-1 as the digest algorithm (the default is to use
+            both SHA-1 and SHA-256).
+          </p></dd>
+<dt><span class="term">-2</span></dt>
+<dd><p>
+            Use SHA-256 as the digest algorithm.
+          </p></dd>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+            Select the digest algorithm. The value of
+            <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
+            SHA-256 (SHA256). These values are case insensitive.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+<dt><span class="term">-s</span></dt>
+<dd><p>
+            Keyset mode: in place of the keyfile name, the argument is
+            the DNS domain name of a keyset file. Following options make sense
+            only in this mode.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Specifies the DNS class (default is IN), useful only
+            in the keyset mode.
+          </p></dd>
+<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+            Look for <code class="filename">keyset</code> files in
+            <code class="option">directory</code> as the directory, ignored when
+            not in the keyset mode.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604180"></a><h2>EXAMPLE</h2>
+<p>
+      To build the SHA-256 DS RR from the
+      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
+      keyfile name, the following command would be issued:
+    </p>
+<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
+    </p>
+<p>
+      The command would print something like:
+    </p>
+<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604216"></a><h2>FILES</h2>
+<p>
+      The keyfile can be designed by the key identification
+      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
+      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
+      <span class="refentrytitle">dnssec-keygen</span>(8).
+    </p>
+<p>
+      The keyset file name is built from the <code class="option">directory</code>,
+      the string <code class="filename">keyset-</code> and the
+      <code class="option">dnsname</code>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604258"></a><h2>CAVEAT</h2>
+<p>
+      A keyfile error can give a "file not found" even if the file exists.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604267"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 3658</em>,
+      <em class="citetitle">RFC 4509</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604304"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.host.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">host </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-keyfromlabel</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html
new file mode 100644
index 0000000..dffae42
--- /dev/null
+++ b/doc/arm/man.dnssec-keyfromlabel.html
@@ -0,0 +1,210 @@
+<!--
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.dnssec-keyfromlabel.html,v 1.31.14.6 2009/04/03 01:52:21 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-keyfromlabel</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
+<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604759"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
+      gets keys with the given label from a crypto hardware and builds
+      key files for DNSSEC (Secure DNS), as defined in RFC 2535
+      and RFC 4034.  
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604773"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd>
+<p>
+	    Selects the cryptographic algorithm.  The value of
+	    <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
+	    or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
+	    These values are case insensitive.
+	  </p>
+<p>
+            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
+            algorithm, and DSA is recommended.
+          </p>
+<p>
+            Note 2: DH automatically sets the -k flag.
+          </p>
+</dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+            Specifies the label of keys in the crypto hardware
+            (PKCS#11 device).
+          </p></dd>
+<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
+<dd><p>
+            Specifies the owner type of the key.  The value of
+            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
+            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
+            a host (KEY)),
+            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
+            These values are
+            case insensitive.
+          </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
+<dd><p>
+            Indicates that the DNS record containing the key should have
+            the specified class.  If not specified, class IN is used.
+          </p></dd>
+<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
+<dd><p>
+            Set the specified flag in the flag field of the KEY/DNSKEY record.
+            The only recognized flag is KSK (Key Signing Key) DNSKEY.
+          </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Prints a short summary of the options and arguments to
+            <span><strong class="command">dnssec-keygen</strong></span>.
+          </p></dd>
+<dt><span class="term">-k</span></dt>
+<dd><p>
+            Generate KEY records rather than DNSKEY records.
+          </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
+<dd><p>
+            Sets the protocol value for the generated key.  The protocol
+            is a number between 0 and 255.  The default is 3 (DNSSEC).
+            Other possible values for this argument are listed in
+            RFC 2535 and its successors.
+          </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
+<dd><p>
+            Indicates the use of the key.  <code class="option">type</code> must be
+            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
+            is AUTHCONF.  AUTH refers to the ability to authenticate
+            data, and CONF the ability to encrypt data.
+          </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+            Sets the debugging level.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2604969"></a><h2>GENERATED KEY FILES</h2>
+<p>
+      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
+      successfully,
+      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
+      to the standard output.  This is an identification string for
+      the key files it has generated.
+    </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p><code class="filename">nnnn</code> is the key name.
+        </p></li>
+<li><p><code class="filename">aaa</code> is the numeric representation
+          of the
+          algorithm.
+        </p></li>
+<li><p><code class="filename">iiiii</code> is the key identifier (or
+          footprint).
+        </p></li>
+</ul></div>
+<p><span><strong class="command">dnssec-keyfromlabel</strong></span> 
+      creates two files, with names based
+      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
+      contains the public key, and
+      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
+      private
+      key.
+    </p>
+<p>
+      The <code class="filename">.key</code> file contains a DNS KEY record
+      that
+      can be inserted into a zone file (directly or with a $INCLUDE
+      statement).
+    </p>
+<p>
+      The <code class="filename">.private</code> file contains algorithm
+      specific
+      fields.  For obvious security reasons, this file does not have
+      general read permission.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605063"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+      <em class="citetitle">RFC 2539</em>,
+      <em class="citetitle">RFC 2845</em>,
+      <em class="citetitle">RFC 4033</em>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2605102"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-dsfromkey</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/doc/arm/man.dnssec-keygen.html b/doc/arm/man.dnssec-keygen.html
index ac3fbe8..fd12259 100644
--- a/doc/arm/man.dnssec-keygen.html
+++ b/doc/arm/man.dnssec-keygen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-keygen.html,v 1.2.2.66 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.dnssec-keygen.html,v 1.97.14.6 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.host.html" title="host">
+<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
 <link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -31,7 +31,7 @@
 <tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
 </td>
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2598403"></a><h2>DESCRIPTION</h2>
+<a name="id2605817"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-keygen</strong></span>
       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
       and RFC 4034.  It can also generate keys for use with
@@ -58,20 +58,20 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2598417"></a><h2>OPTIONS</h2>
+<a name="id2605831"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 <dd>
 <p>
             Selects the cryptographic algorithm.  The value of
             <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
-            	      DSA, DH (Diffie Hellman), or HMAC-MD5.  These values
-            are case insensitive.
+	    DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
+	    These values are case insensitive.
           </p>
 <p>
             Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
-            algorithm,
-            and DSA is recommended.  For TSIG, HMAC-MD5 is mandatory.
+            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
+	    mandatory.
           </p>
 <p>
             Note 2: HMAC-MD5 and DH automatically set the -k flag.
@@ -94,8 +94,8 @@
             zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
             a host (KEY)),
             USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
-            These values are
-            case insensitive.
+            These values are case insensitive.  Defaults to ZONE for DNSKEY
+	    generation.
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
@@ -166,7 +166,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2598692"></a><h2>GENERATED KEYS</h2>
+<a name="id2606584"></a><h2>GENERATED KEYS</h2>
 <p>
       When <span><strong class="command">dnssec-keygen</strong></span> completes
       successfully,
@@ -212,7 +212,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2600711"></a><h2>EXAMPLE</h2>
+<a name="id2608808"></a><h2>EXAMPLE</h2>
 <p>
       To generate a 768-bit DSA key for the domain
       <strong class="userinput"><code>example.com</code></strong>, the following command would be
@@ -233,7 +233,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2601518"></a><h2>SEE ALSO</h2>
+<a name="id2608865"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 2539</em>,
@@ -242,7 +242,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2601549"></a><h2>AUTHOR</h2>
+<a name="id2608896"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -252,13 +252,14 @@
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.host.html">Prev</a> </td>
+<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
 </td>
 </tr>
 <tr>
-<td width="40%" align="left" valign="top">host </td>
+<td width="40%" align="left" valign="top">
+<span class="application">dnssec-keyfromlabel</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
 </td>
diff --git a/doc/arm/man.dnssec-signzone.html b/doc/arm/man.dnssec-signzone.html
index a12d355..89cab24 100644
--- a/doc/arm/man.dnssec-signzone.html
+++ b/doc/arm/man.dnssec-signzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.dnssec-signzone.html,v 1.2.2.65 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.dnssec-signzone.html,v 1.94.14.6 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,10 +47,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {zonefile} [key...]</p></div>
+<div class="cmdsynopsis"><p><code class="command">dnssec-signzone</code>  [<code class="option">-a</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-e <em class="replaceable"><code>end-time</code></em></code>] [<code class="option">-f <em class="replaceable"><code>output-file</code></em></code>] [<code class="option">-g</code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>key</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-I <em class="replaceable"><code>input-format</code></em></code>] [<code class="option">-j <em class="replaceable"><code>jitter</code></em></code>] [<code class="option">-N <em class="replaceable"><code>soa-serial-format</code></em></code>] [<code class="option">-o <em class="replaceable"><code>origin</code></em></code>] [<code class="option">-O <em class="replaceable"><code>output-format</code></em></code>] [<code class="option">-p</code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>start-time</code></em></code>] [<code class="option">-t</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] [<code class="option">-3 <em class="replaceable"><code>salt</code></em></code>] [<code class="option">-H <em class="replaceable"><code>iterations</code></em></code>] [<code class="option">-A</code>] {zonefile} [key...]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2599262"></a><h2>DESCRIPTION</h2>
+<a name="id2608094"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">dnssec-signzone</strong></span>
       signs a zone.  It generates
       NSEC and RRSIG records and produces a signed version of the
@@ -61,7 +61,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2599282"></a><h2>OPTIONS</h2>
+<a name="id2608114"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd><p>
@@ -244,6 +244,23 @@
 <dd><p>
             Ignore KSK flag on key when determining what to sign.
           </p></dd>
+<dt><span class="term">-3 <em class="replaceable"><code>salt</code></em></span></dt>
+<dd><p>
+            Generate a NSEC3 chain with the given hex encoded salt.
+	    A dash (<em class="replaceable"><code>salt</code></em>) can
+	    be used to indicate that no salt is to be used when generating		    the NSEC3 chain.
+          </p></dd>
+<dt><span class="term">-H <em class="replaceable"><code>iterations</code></em></span></dt>
+<dd><p>
+	    When generating a NSEC3 chain use this many interations.  The
+	    default is 100.
+          </p></dd>
+<dt><span class="term">-A</span></dt>
+<dd><p>
+	    When generating a NSEC3 chain set the OPTOUT flag on all
+	    NSEC3 records and do not generate NSEC3 records for insecure
+	    delegations.
+          </p></dd>
 <dt><span class="term">zonefile</span></dt>
 <dd><p>
             The file containing the zone to be signed.
@@ -259,7 +276,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2653693"></a><h2>EXAMPLE</h2>
+<a name="id2659164"></a><h2>EXAMPLE</h2>
 <p>
       The following command signs the <strong class="userinput"><code>example.com</code></strong>
       zone with the DSA key generated by <span><strong class="command">dnssec-keygen</strong></span>
@@ -288,14 +305,14 @@ db.example.com.signed
 %</pre>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2653766"></a><h2>SEE ALSO</h2>
+<a name="id2659237"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
       <em class="citetitle">RFC 4033</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2653790"></a><h2>AUTHOR</h2>
+<a name="id2659330"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html
index f180544..fe37654 100644
--- a/doc/arm/man.host.html
+++ b/doc/arm/man.host.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.host.html,v 1.2.2.64 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.host.html,v 1.93.14.6 2009/04/03 01:52:23 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -23,7 +23,7 @@
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
 <link rel="prev" href="man.dig.html" title="dig">
-<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
+<link rel="next" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -33,7 +33,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.dig.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
 </td>
 </tr>
 </table>
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">host</code>  [<code class="option">-aCdlnrsTwv</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-N <em class="replaceable"><code>ndots</code></em></code>] [<code class="option">-R <em class="replaceable"><code>number</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-W <em class="replaceable"><code>wait</code></em></code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-4</code>] [<code class="option">-6</code>] {name} [server]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2597501"></a><h2>DESCRIPTION</h2>
+<a name="id2603329"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">host</strong></span>
       is a simple utility for performing DNS lookups.
       It is normally used to convert names to IP addresses and vice versa.
@@ -148,7 +148,7 @@
       referrals to other name servers.
     </p>
 <p>
-      By default <span><strong class="command">host</strong></span> uses UDP when making
+      By default, <span><strong class="command">host</strong></span> uses UDP when making
       queries.  The
       <code class="option">-T</code> option makes it use a TCP connection when querying
       the name server.  TCP will be automatically selected for queries that
@@ -166,7 +166,7 @@
       NS, SOA, SIG, KEY, AXFR, etc.  When no query type is specified,
       <span><strong class="command">host</strong></span> automatically selects an appropriate
       query
-      type.  By default it looks for A, AAAA, and MX records, but if the
+      type.  By default, it looks for A, AAAA, and MX records, but if the
       <code class="option">-C</code> option was given, queries will be made for SOA
       records, and if <em class="parameter"><code>name</code></em> is a
       dotted-decimal IPv4
@@ -202,7 +202,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2597947"></a><h2>IDN SUPPORT</h2>
+<a name="id2603843"></a><h2>IDN SUPPORT</h2>
 <p>
       If <span><strong class="command">host</strong></span> has been built with IDN (internationalized
       domain name) support, it can accept and display non-ASCII domain names. 
@@ -216,12 +216,12 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2598044"></a><h2>FILES</h2>
+<a name="id2603872"></a><h2>FILES</h2>
 <p><code class="filename">/etc/resolv.conf</code>
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2598058"></a><h2>SEE ALSO</h2>
+<a name="id2603885"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">dig</span>(1)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>.
     </p>
@@ -234,13 +234,13 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.dig.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keygen.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-dsfromkey.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">dig </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">dnssec-keygen</span>
+<td width="40%" align="right" valign="top"> <span class="application">dnssec-dsfromkey</span>
 </td>
 </tr>
 </table>
diff --git a/doc/arm/man.named-checkconf.html b/doc/arm/man.named-checkconf.html
index 3d5cdd2..10287aa 100644
--- a/doc/arm/man.named-checkconf.html
+++ b/doc/arm/man.named-checkconf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkconf.html,v 1.2.2.67 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.named-checkconf.html,v 1.92.14.6 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,18 +47,22 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkconf</code>  [<code class="option">-h</code>] [<code class="option">-v</code>] [<code class="option">-j</code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] {filename} [<code class="option">-z</code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2599904"></a><h2>DESCRIPTION</h2>
+<a name="id2609005"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       checks the syntax, but not the semantics, of a named
       configuration file.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2599917"></a><h2>OPTIONS</h2>
+<a name="id2609019"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
 <dt><span class="term">-t <em class="replaceable"><code>directory</code></em></span></dt>
 <dd><p>
             Chroot to <code class="filename">directory</code> so that
@@ -88,21 +92,21 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2600020"></a><h2>RETURN VALUES</h2>
+<a name="id2609136"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkconf</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2600034"></a><h2>SEE ALSO</h2>
+<a name="id2609149"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkzone</span>(8)</span>,
       <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2600064"></a><h2>AUTHOR</h2>
+<a name="id2609179"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named-checkzone.html b/doc/arm/man.named-checkzone.html
index 264e960..723c484 100644
--- a/doc/arm/man.named-checkzone.html
+++ b/doc/arm/man.named-checkzone.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named-checkzone.html,v 1.2.2.70 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.named-checkzone.html,v 1.98.14.6 2009/04/03 01:52:21 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -47,11 +47,11 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
+<div class="cmdsynopsis"><p><code class="command">named-checkzone</code>  [<code class="option">-d</code>] [<code class="option">-h</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-M <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-S <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 <div class="cmdsynopsis"><p><code class="command">named-compilezone</code>  [<code class="option">-d</code>] [<code class="option">-j</code>] [<code class="option">-q</code>] [<code class="option">-v</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-C <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-f <em class="replaceable"><code>format</code></em></code>] [<code class="option">-F <em class="replaceable"><code>format</code></em></code>] [<code class="option">-i <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-k <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-m <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-n <em class="replaceable"><code>mode</code></em></code>] [<code class="option">-o <em class="replaceable"><code>filename</code></em></code>] [<code class="option">-s <em class="replaceable"><code>style</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-w <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-D</code>] [<code class="option">-W <em class="replaceable"><code>mode</code></em></code>] {zonename} {filename}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2601603"></a><h2>DESCRIPTION</h2>
+<a name="id2610131"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       checks the syntax and integrity of a zone file.  It performs the
       same checks as <span><strong class="command">named</strong></span> does when loading a
@@ -71,12 +71,16 @@
      </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2601653"></a><h2>OPTIONS</h2>
+<a name="id2659401"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-d</span></dt>
 <dd><p>
             Enable debugging.
           </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+            Print the usage summary and exit.
+          </p></dd>
 <dt><span class="term">-q</span></dt>
 <dd><p>
             Quiet mode - exit code only.
@@ -92,7 +96,7 @@
           </p></dd>
 <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 <dd><p>
-            Specify the class of the zone.  If not specified "IN" is assumed.
+            Specify the class of the zone.  If not specified, "IN" is assumed.
           </p></dd>
 <dt><span class="term">-i <em class="replaceable"><code>mode</code></em></span></dt>
 <dd>
@@ -187,6 +191,8 @@
 <dt><span class="term">-o <em class="replaceable"><code>filename</code></em></span></dt>
 <dd><p>
             Write zone output to <code class="filename">filename</code>.
+	    If <code class="filename">filename</code> is <code class="filename">-</code> then
+	    write to standard out.
 	    This is mandatory for <span><strong class="command">named-compilezone</strong></span>.
           </p></dd>
 <dt><span class="term">-s <em class="replaceable"><code>style</code></em></span></dt>
@@ -251,14 +257,14 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656364"></a><h2>RETURN VALUES</h2>
+<a name="id2660208"></a><h2>RETURN VALUES</h2>
 <p><span><strong class="command">named-checkzone</strong></span>
       returns an exit status of 1 if
       errors were detected and 0 otherwise.
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656378"></a><h2>SEE ALSO</h2>
+<a name="id2660221"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named-checkconf</span>(8)</span>,
       <em class="citetitle">RFC 1035</em>,
@@ -266,7 +272,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2656480"></a><h2>AUTHOR</h2>
+<a name="id2660254"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.named.html b/doc/arm/man.named.html
index b08e738..08489e0 100644
--- a/doc/arm/man.named.html
+++ b/doc/arm/man.named.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.named.html,v 1.2.2.72 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.named.html,v 1.99.14.6 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -23,7 +23,7 @@
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
 <link rel="prev" href="man.named-checkzone.html" title="named-checkzone">
-<link rel="next" href="man.rndc.html" title="rndc">
+<link rel="next" href="man.nsupdate.html" title="nsupdate">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
 <div class="navheader">
@@ -33,7 +33,7 @@
 <td width="20%" align="left">
 <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
-<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+<td width="20%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 </table>
@@ -47,10 +47,10 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">named</code>  [<code class="option">-4</code>] [<code class="option">-6</code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-d <em class="replaceable"><code>debug-level</code></em></code>] [<code class="option">-f</code>] [<code class="option">-g</code>] [<code class="option">-m <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-n <em class="replaceable"><code>#cpus</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-s</code>] [<code class="option">-S <em class="replaceable"><code>#max-socks</code></em></code>] [<code class="option">-t <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>] [<code class="option">-v</code>] [<code class="option">-V</code>] [<code class="option">-x <em class="replaceable"><code>cache-file</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2602169"></a><h2>DESCRIPTION</h2>
+<a name="id2610579"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">named</strong></span>
       is a Domain Name System (DNS) server,
       part of the BIND 9 distribution from ISC.  For more
@@ -65,7 +65,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2602200"></a><h2>OPTIONS</h2>
+<a name="id2610610"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-4</span></dt>
 <dd><p>
@@ -216,6 +216,10 @@
 <dd><p>
             Report the version number and exit.
           </p></dd>
+<dt><span class="term">-V</span></dt>
+<dd><p>
+            Report the version number and build options, and exit.
+          </p></dd>
 <dt><span class="term">-x <em class="replaceable"><code>cache-file</code></em></span></dt>
 <dd>
 <p>
@@ -234,7 +238,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603333"></a><h2>SIGNALS</h2>
+<a name="id2612848"></a><h2>SIGNALS</h2>
 <p>
       In routine operation, signals should not be used to control
       the nameserver; <span><strong class="command">rndc</strong></span> should be used
@@ -255,7 +259,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605226"></a><h2>CONFIGURATION</h2>
+<a name="id2612898"></a><h2>CONFIGURATION</h2>
 <p>
       The <span><strong class="command">named</strong></span> configuration file is too complex
       to describe in detail here.  A complete description is provided
@@ -264,20 +268,20 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605245"></a><h2>FILES</h2>
+<a name="id2612917"></a><h2>FILES</h2>
 <div class="variablelist"><dl>
 <dt><span class="term"><code class="filename">/etc/named.conf</code></span></dt>
 <dd><p>
             The default configuration file.
           </p></dd>
-<dt><span class="term"><code class="filename">/var/run/named.pid</code></span></dt>
+<dt><span class="term"><code class="filename">/var/run/named/named.pid</code></span></dt>
 <dd><p>
             The default process-id file.
           </p></dd>
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645430"></a><h2>SEE ALSO</h2>
+<a name="id2612961"></a><h2>SEE ALSO</h2>
 <p><em class="citetitle">RFC 1033</em>,
       <em class="citetitle">RFC 1034</em>,
       <em class="citetitle">RFC 1035</em>,
@@ -290,7 +294,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2645500"></a><h2>AUTHOR</h2>
+<a name="id2613099"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -302,14 +306,14 @@
 <td width="40%" align="left">
 <a accesskey="p" href="man.named-checkzone.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
-<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+<td width="40%" align="right"> <a accesskey="n" href="man.nsupdate.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
 <span class="application">named-checkzone</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
-<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
+<td width="40%" align="right" valign="top"> <span class="application">nsupdate</span>
 </td>
 </tr>
 </table>
diff --git a/doc/arm/man.nsupdate.html b/doc/arm/man.nsupdate.html
new file mode 100644
index 0000000..5848fb2
--- /dev/null
+++ b/doc/arm/man.nsupdate.html
@@ -0,0 +1,569 @@
+<!--
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2000-2003 Internet Software Consortium.
+ - 
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: man.nsupdate.html,v 1.22.14.7 2009/04/03 01:52:22 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nsupdate</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
+<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
+<link rel="prev" href="man.named.html" title="named">
+<link rel="next" href="man.rndc.html" title="rndc">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
+<div class="navheader">
+<table width="100%" summary="Navigation header">
+<tr><th colspan="3" align="center"><span class="application">nsupdate</span></th></tr>
+<tr>
+<td width="20%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<th width="60%" align="center">Manual pages</th>
+<td width="20%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+</table>
+<hr>
+</div>
+<div class="refentry" lang="en">
+<a name="man.nsupdate"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">nsupdate</span> &#8212; Dynamic DNS update utility</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nsupdate</code>  [<code class="option">-d</code>] [<code class="option">-D</code>] [[<code class="option">-g</code>] |  [<code class="option">-o</code>] |  [<code class="option">-y <em class="replaceable"><code>[<span class="optional">hmac:</span>]keyname:secret</code></em></code>] |  [<code class="option">-k <em class="replaceable"><code>keyfile</code></em></code>]] [<code class="option">-t <em class="replaceable"><code>timeout</code></em></code>] [<code class="option">-u <em class="replaceable"><code>udptimeout</code></em></code>] [<code class="option">-r <em class="replaceable"><code>udpretries</code></em></code>] [<code class="option">-R <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-v</code>] [filename]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2611329"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">nsupdate</strong></span>
+      is used to submit Dynamic DNS Update requests as defined in RFC2136
+      to a name server.
+      This allows resource records to be added or removed from a zone
+      without manually editing the zone file.
+      A single update request can contain requests to add or remove more than
+      one
+      resource record.
+    </p>
+<p>
+      Zones that are under dynamic control via
+      <span><strong class="command">nsupdate</strong></span>
+      or a DHCP server should not be edited by hand.
+      Manual edits could
+      conflict with dynamic updates and cause data to be lost.
+    </p>
+<p>
+      The resource records that are dynamically added or removed with
+      <span><strong class="command">nsupdate</strong></span>
+      have to be in the same zone.
+      Requests are sent to the zone's master server.
+      This is identified by the MNAME field of the zone's SOA record.
+    </p>
+<p>
+      The
+      <code class="option">-d</code>
+      option makes
+      <span><strong class="command">nsupdate</strong></span>
+      operate in debug mode.
+      This provides tracing information about the update requests that are
+      made and the replies received from the name server.
+    </p>
+<p>
+      The <code class="option">-D</code> option makes <span><strong class="command">nsupdate</strong></span>
+      report additional debugging information to <code class="option">-d</code>.
+    </p>
+<p>
+      Transaction signatures can be used to authenticate the Dynamic
+      DNS updates.  These use the TSIG resource record type described
+      in RFC2845 or the SIG(0) record described in RFC3535 and
+      RFC2931 or GSS-TSIG as described in RFC3645.  TSIG relies on
+      a shared secret that should only be known to
+      <span><strong class="command">nsupdate</strong></span> and the name server.  Currently,
+      the only supported encryption algorithm for TSIG is HMAC-MD5,
+      which is defined in RFC 2104.  Once other algorithms are
+      defined for TSIG, applications will need to ensure they select
+      the appropriate algorithm as well as the key when authenticating
+      each other.  For instance, suitable <span class="type">key</span> and
+      <span class="type">server</span> statements would be added to
+      <code class="filename">/etc/named.conf</code> so that the name server
+      can associate the appropriate secret key and algorithm with
+      the IP address of the client application that will be using
+      TSIG authentication.  SIG(0) uses public key cryptography.
+      To use a SIG(0) key, the public key must be stored in a KEY
+      record in a zone served by the name server.
+      <span><strong class="command">nsupdate</strong></span> does not read
+      <code class="filename">/etc/named.conf</code>.
+      GSS-TSIG uses Kerberos credentials.
+    </p>
+<p><span><strong class="command">nsupdate</strong></span>
+      uses the <code class="option">-y</code> or <code class="option">-k</code> option
+      to provide the shared secret needed to generate a TSIG record
+      for authenticating Dynamic DNS update requests, default type
+      HMAC-MD5.  These options are mutually exclusive.  With the
+      <code class="option">-k</code> option, <span><strong class="command">nsupdate</strong></span> reads
+      the shared secret from the file <em class="parameter"><code>keyfile</code></em>,
+      whose name is of the form
+      <code class="filename">K{name}.+157.+{random}.private</code>.  For
+      historical reasons, the file
+      <code class="filename">K{name}.+157.+{random}.key</code> must also be
+      present.  When the <code class="option">-y</code> option is used, a
+      signature is generated from
+      [<span class="optional"><em class="parameter"><code>hmac:</code></em></span>]<em class="parameter"><code>keyname:secret.</code></em>
+      <em class="parameter"><code>keyname</code></em> is the name of the key, and
+      <em class="parameter"><code>secret</code></em> is the base64 encoded shared
+      secret.  Use of the <code class="option">-y</code> option is discouraged
+      because the shared secret is supplied as a command line
+      argument in clear text.  This may be visible in the output
+      from
+      <span class="citerefentry"><span class="refentrytitle">ps</span>(1)</span> or in a history file maintained by the user's
+      shell.
+    </p>
+<p>
+      The <code class="option">-k</code> may also be used to specify a SIG(0) key used
+      to authenticate Dynamic DNS update requests.  In this case, the key
+      specified is not an HMAC-MD5 key.
+    </p>
+<p>
+      The <code class="option">-g</code> and <code class="option">-o</code> specify that
+      GSS-TSIG is to be used.  The <code class="option">-o</code> should only
+      be used with old Microsoft Windows 2000 servers.
+    </p>
+<p>
+      By default,
+      <span><strong class="command">nsupdate</strong></span>
+      uses UDP to send update requests to the name server unless they are too
+      large to fit in a UDP request in which case TCP will be used.
+      The
+      <code class="option">-v</code>
+      option makes
+      <span><strong class="command">nsupdate</strong></span>
+      use a TCP connection.
+      This may be preferable when a batch of update requests is made.
+    </p>
+<p>
+      The <code class="option">-t</code> option sets the maximum time an update request
+      can
+      take before it is aborted.  The default is 300 seconds.  Zero can be
+      used
+      to disable the timeout.
+    </p>
+<p>
+      The <code class="option">-u</code> option sets the UDP retry interval.  The default
+      is
+      3 seconds.  If zero, the interval will be computed from the timeout
+      interval
+      and number of UDP retries.
+    </p>
+<p>
+      The <code class="option">-r</code> option sets the number of UDP retries. The
+      default is
+      3.  If zero, only one update request will be made.
+    </p>
+<p>
+      The <code class="option">-R <em class="replaceable"><code>randomdev</code></em></code> option
+      specifies a source of randomness.  If the operating system
+      does not provide a <code class="filename">/dev/random</code> or
+      equivalent device, the default source of randomness is keyboard
+      input.  <code class="filename">randomdev</code> specifies the name of
+      a character device or file containing random data to be used
+      instead of the default.  The special value
+      <code class="filename">keyboard</code> indicates that keyboard input
+      should be used.  This option may be specified multiple times.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2612201"></a><h2>INPUT FORMAT</h2>
+<p><span><strong class="command">nsupdate</strong></span>
+      reads input from
+      <em class="parameter"><code>filename</code></em>
+      or standard input.
+      Each command is supplied on exactly one line of input.
+      Some commands are for administrative purposes.
+      The others are either update instructions or prerequisite checks on the
+      contents of the zone.
+      These checks set conditions that some name or set of
+      resource records (RRset) either exists or is absent from the zone.
+      These conditions must be met if the entire update request is to succeed.
+      Updates will be rejected if the tests for the prerequisite conditions
+      fail.
+    </p>
+<p>
+      Every update request consists of zero or more prerequisites
+      and zero or more updates.
+      This allows a suitably authenticated update request to proceed if some
+      specified resource records are present or missing from the zone.
+      A blank input line (or the <span><strong class="command">send</strong></span> command)
+      causes the
+      accumulated commands to be sent as one Dynamic DNS update request to the
+      name server.
+    </p>
+<p>
+      The command formats and their meaning are as follows:
+      </p>
+<div class="variablelist"><dl>
+<dt><span class="term">
+              <span><strong class="command">server</strong></span>
+               {servername}
+               [port]
+            </span></dt>
+<dd><p>
+              Sends all dynamic update requests to the name server
+              <em class="parameter"><code>servername</code></em>.
+              When no server statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will send updates to the master server of the correct zone.
+              The MNAME field of that zone's SOA record will identify the
+              master
+              server for that zone.
+              <em class="parameter"><code>port</code></em>
+              is the port number on
+              <em class="parameter"><code>servername</code></em>
+              where the dynamic update requests get sent.
+              If no port number is specified, the default DNS port number of
+              53 is
+              used.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">local</strong></span>
+               {address}
+               [port]
+            </span></dt>
+<dd><p>
+              Sends all dynamic update requests using the local
+              <em class="parameter"><code>address</code></em>.
+
+              When no local statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will send updates using an address and port chosen by the
+              system.
+              <em class="parameter"><code>port</code></em>
+              can additionally be used to make requests come from a specific
+              port.
+              If no port number is specified, the system will assign one.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">zone</strong></span>
+               {zonename}
+            </span></dt>
+<dd><p>
+              Specifies that all updates are to be made to the zone
+              <em class="parameter"><code>zonename</code></em>.
+              If no
+              <em class="parameter"><code>zone</code></em>
+              statement is provided,
+              <span><strong class="command">nsupdate</strong></span>
+              will attempt determine the correct zone to update based on the
+              rest of the input.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">class</strong></span>
+               {classname}
+            </span></dt>
+<dd><p>
+              Specify the default class.
+              If no <em class="parameter"><code>class</code></em> is specified, the
+              default class is
+              <em class="parameter"><code>IN</code></em>.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">ttl</strong></span>
+               {seconds}
+            </span></dt>
+<dd><p>
+              Specify the default time to live for records to be added.
+	      The value <em class="parameter"><code>none</code></em> will clear the default
+	      ttl.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">key</strong></span>
+               {name}
+               {secret}
+            </span></dt>
+<dd><p>
+              Specifies that all updates are to be TSIG-signed using the
+              <em class="parameter"><code>keyname</code></em> <em class="parameter"><code>keysecret</code></em> pair.
+              The <span><strong class="command">key</strong></span> command
+              overrides any key specified on the command line via
+              <code class="option">-y</code> or <code class="option">-k</code>.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">prereq nxdomain</strong></span>
+               {domain-name}
+            </span></dt>
+<dd><p>
+              Requires that no resource record of any type exists with name
+              <em class="parameter"><code>domain-name</code></em>.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">prereq yxdomain</strong></span>
+               {domain-name}
+            </span></dt>
+<dd><p>
+              Requires that
+              <em class="parameter"><code>domain-name</code></em>
+              exists (has as at least one resource record, of any type).
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">prereq nxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+            </span></dt>
+<dd><p>
+              Requires that no resource record exists of the specified
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>domain-name</code></em>.
+              If
+              <em class="parameter"><code>class</code></em>
+              is omitted, IN (internet) is assumed.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">prereq yxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+            </span></dt>
+<dd><p>
+              This requires that a resource record of the specified
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>domain-name</code></em>
+              must exist.
+              If
+              <em class="parameter"><code>class</code></em>
+              is omitted, IN (internet) is assumed.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">prereq yxrrset</strong></span>
+               {domain-name}
+               [class]
+               {type}
+               {data...}
+            </span></dt>
+<dd><p>
+              The
+              <em class="parameter"><code>data</code></em>
+              from each set of prerequisites of this form
+              sharing a common
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>,
+              and
+              <em class="parameter"><code>domain-name</code></em>
+              are combined to form a set of RRs.  This set of RRs must
+              exactly match the set of RRs existing in the zone at the
+              given
+              <em class="parameter"><code>type</code></em>,
+              <em class="parameter"><code>class</code></em>,
+              and
+              <em class="parameter"><code>domain-name</code></em>.
+              The
+              <em class="parameter"><code>data</code></em>
+              are written in the standard text representation of the resource
+              record's
+              RDATA.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">update delete</strong></span>
+               {domain-name}
+               [ttl]
+               [class]
+               [type [data...]]
+            </span></dt>
+<dd><p>
+              Deletes any resource records named
+              <em class="parameter"><code>domain-name</code></em>.
+              If
+              <em class="parameter"><code>type</code></em>
+              and
+              <em class="parameter"><code>data</code></em>
+              is provided, only matching resource records will be removed.
+              The internet class is assumed if
+              <em class="parameter"><code>class</code></em>
+              is not supplied.  The
+              <em class="parameter"><code>ttl</code></em>
+              is ignored, and is only allowed for compatibility.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">update add</strong></span>
+               {domain-name}
+               {ttl}
+               [class]
+               {type}
+               {data...}
+            </span></dt>
+<dd><p>
+              Adds a new resource record with the specified
+              <em class="parameter"><code>ttl</code></em>,
+              <em class="parameter"><code>class</code></em>
+              and
+              <em class="parameter"><code>data</code></em>.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">show</strong></span>
+            </span></dt>
+<dd><p>
+              Displays the current message, containing all of the
+              prerequisites and
+              updates specified since the last send.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">send</strong></span>
+            </span></dt>
+<dd><p>
+              Sends the current message.  This is equivalent to entering a
+              blank line.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">answer</strong></span>
+            </span></dt>
+<dd><p>
+              Displays the answer.
+            </p></dd>
+<dt><span class="term">
+              <span><strong class="command">debug</strong></span>
+            </span></dt>
+<dd><p>
+              Turn on debugging.
+            </p></dd>
+</dl></div>
+<p>
+    </p>
+<p>
+      Lines beginning with a semicolon are comments and are ignored.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2667233"></a><h2>EXAMPLES</h2>
+<p>
+      The examples below show how
+      <span><strong class="command">nsupdate</strong></span>
+      could be used to insert and delete resource records from the
+      <span class="type">example.com</span>
+      zone.
+      Notice that the input in each example contains a trailing blank line so
+      that
+      a group of commands are sent as one dynamic update request to the
+      master name server for
+      <span class="type">example.com</span>.
+
+      </p>
+<pre class="programlisting">
+# nsupdate
+&gt; update delete oldhost.example.com A
+&gt; update add newhost.example.com 86400 A 172.16.1.1
+&gt; send
+</pre>
+<p>
+    </p>
+<p>
+      Any A records for
+      <span class="type">oldhost.example.com</span>
+      are deleted.
+      And an A record for
+      <span class="type">newhost.example.com</span>
+      with IP address 172.16.1.1 is added.
+      The newly-added record has a 1 day TTL (86400 seconds).
+      </p>
+<pre class="programlisting">
+# nsupdate
+&gt; prereq nxdomain nickname.example.com
+&gt; update add nickname.example.com 86400 CNAME somehost.example.com
+&gt; send
+</pre>
+<p>
+    </p>
+<p>
+      The prerequisite condition gets the name server to check that there
+      are no resource records of any type for
+      <span class="type">nickname.example.com</span>.
+
+      If there are, the update request fails.
+      If this name does not exist, a CNAME for it is added.
+      This ensures that when the CNAME is added, it cannot conflict with the
+      long-standing rule in RFC1034 that a name must not exist as any other
+      record type if it exists as a CNAME.
+      (The rule has been updated for DNSSEC in RFC2535 to allow CNAMEs to have
+      RRSIG, DNSKEY and NSEC records.)
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2667283"></a><h2>FILES</h2>
+<div class="variablelist"><dl>
+<dt><span class="term"><code class="constant">/etc/resolv.conf</code></span></dt>
+<dd><p>
+            used to identify default name server
+          </p></dd>
+<dt><span class="term"><code class="constant">K{name}.+157.+{random}.key</code></span></dt>
+<dd><p>
+            base-64 encoding of HMAC-MD5 key created by
+            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+          </p></dd>
+<dt><span class="term"><code class="constant">K{name}.+157.+{random}.private</code></span></dt>
+<dd><p>
+            base-64 encoding of HMAC-MD5 key created by
+            <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+          </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2667352"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">RFC2136</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC3007</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2104</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2845</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC1034</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2535</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">RFC2931</span></span>,
+      <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+      <span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.
+    </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2667422"></a><h2>BUGS</h2>
+<p>
+      The TSIG key is redundantly stored in two separate files.
+      This is a consequence of nsupdate using the DST library
+      for its cryptographic operations, and may change in future
+      releases.
+    </p>
+</div>
+</div>
+<div class="navfooter">
+<hr>
+<table width="100%" summary="Navigation footer">
+<tr>
+<td width="40%" align="left">
+<a accesskey="p" href="man.named.html">Prev</a> </td>
+<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
+<td width="40%" align="right"> <a accesskey="n" href="man.rndc.html">Next</a>
+</td>
+</tr>
+<tr>
+<td width="40%" align="left" valign="top">
+<span class="application">named</span> </td>
+<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
+<td width="40%" align="right" valign="top"> <span class="application">rndc</span>
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/doc/arm/man.rndc-confgen.html b/doc/arm/man.rndc-confgen.html
index fa5924d..4839e89 100644
--- a/doc/arm/man.rndc-confgen.html
+++ b/doc/arm/man.rndc-confgen.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc-confgen.html,v 1.2.2.76 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.rndc-confgen.html,v 1.102.14.7 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -48,7 +48,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc-confgen</code>  [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605546"></a><h2>DESCRIPTION</h2>
+<a name="id2616981"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc-confgen</strong></span>
       generates configuration files
       for <span><strong class="command">rndc</strong></span>.  It can be used as a
@@ -64,7 +64,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2605612"></a><h2>OPTIONS</h2>
+<a name="id2625034"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-a</span></dt>
 <dd>
@@ -171,7 +171,7 @@
 </dl></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2606203"></a><h2>EXAMPLES</h2>
+<a name="id2634158"></a><h2>EXAMPLES</h2>
 <p>
       To allow <span><strong class="command">rndc</strong></span> to be used with
       no manual configuration, run
@@ -188,7 +188,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607830"></a><h2>SEE ALSO</h2>
+<a name="id2634215"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -196,7 +196,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2607868"></a><h2>AUTHOR</h2>
+<a name="id2634253"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.conf.html b/doc/arm/man.rndc.conf.html
index 47a5d9d..cb72238 100644
--- a/doc/arm/man.rndc.conf.html
+++ b/doc/arm/man.rndc.conf.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.conf.html,v 1.2.2.75 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.rndc.conf.html,v 1.103.14.7 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc.conf</code> </p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604313"></a><h2>DESCRIPTION</h2>
+<a name="id2606668"></a><h2>DESCRIPTION</h2>
 <p><code class="filename">rndc.conf</code> is the configuration file
       for <span><strong class="command">rndc</strong></span>, the BIND 9 name server control
       utility.  This file has a similar structure and syntax to
@@ -135,7 +135,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604485"></a><h2>EXAMPLE</h2>
+<a name="id2614213"></a><h2>EXAMPLE</h2>
 <pre class="programlisting">
       options {
         default-server  localhost;
@@ -209,7 +209,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604743"></a><h2>NAME SERVER CONFIGURATION</h2>
+<a name="id2614334"></a><h2>NAME SERVER CONFIGURATION</h2>
 <p>
       The name server must be configured to accept rndc connections and
       to recognize the key specified in the <code class="filename">rndc.conf</code>
@@ -219,7 +219,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604769"></a><h2>SEE ALSO</h2>
+<a name="id2614360"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">mmencode</span>(1)</span>,
@@ -227,7 +227,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604807"></a><h2>AUTHOR</h2>
+<a name="id2614398"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
diff --git a/doc/arm/man.rndc.html b/doc/arm/man.rndc.html
index 351267b..f88a70e 100644
--- a/doc/arm/man.rndc.html
+++ b/doc/arm/man.rndc.html
@@ -1,5 +1,5 @@
 <!--
- - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
  - Copyright (C) 2000-2003 Internet Software Consortium.
  - 
  - Permission to use, copy, modify, and distribute this software for any
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: man.rndc.html,v 1.2.2.74 2008/10/18 01:29:59 tbox Exp $ -->
+<!-- $Id: man.rndc.html,v 1.101.14.7 2009/04/03 01:52:22 tbox Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
@@ -22,7 +22,7 @@
 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
 <link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
-<link rel="prev" href="man.named.html" title="named">
+<link rel="prev" href="man.nsupdate.html" title="nsupdate">
 <link rel="next" href="man.rndc.conf.html" title="rndc.conf">
 </head>
 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
@@ -31,7 +31,7 @@
 <tr><th colspan="3" align="center"><span class="application">rndc</span></th></tr>
 <tr>
 <td width="20%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <th width="60%" align="center">Manual pages</th>
 <td width="20%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
@@ -50,7 +50,7 @@
 <div class="cmdsynopsis"><p><code class="command">rndc</code>  [<code class="option">-b <em class="replaceable"><code>source-address</code></em></code>] [<code class="option">-c <em class="replaceable"><code>config-file</code></em></code>] [<code class="option">-k <em class="replaceable"><code>key-file</code></em></code>] [<code class="option">-s <em class="replaceable"><code>server</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y <em class="replaceable"><code>key_id</code></em></code>] {command}</p></div>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603601"></a><h2>DESCRIPTION</h2>
+<a name="id2612305"></a><h2>DESCRIPTION</h2>
 <p><span><strong class="command">rndc</strong></span>
       controls the operation of a name
       server.  It supersedes the <span><strong class="command">ndc</strong></span> utility
@@ -79,7 +79,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603651"></a><h2>OPTIONS</h2>
+<a name="id2612355"></a><h2>OPTIONS</h2>
 <div class="variablelist"><dl>
 <dt><span class="term">-b <em class="replaceable"><code>source-address</code></em></span></dt>
 <dd><p>
@@ -151,7 +151,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2603876"></a><h2>LIMITATIONS</h2>
+<a name="id2613262"></a><h2>LIMITATIONS</h2>
 <p><span><strong class="command">rndc</strong></span>
       does not yet support all the commands of
       the BIND 8 <span><strong class="command">ndc</strong></span> utility.
@@ -165,7 +165,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604043"></a><h2>SEE ALSO</h2>
+<a name="id2613293"></a><h2>SEE ALSO</h2>
 <p><span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
       <span class="citerefentry"><span class="refentrytitle">rndc-confgen</span>(8)</span>,
       <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
@@ -175,7 +175,7 @@
     </p>
 </div>
 <div class="refsect1" lang="en">
-<a name="id2604099"></a><h2>AUTHOR</h2>
+<a name="id2613349"></a><h2>AUTHOR</h2>
 <p><span class="corpauthor">Internet Systems Consortium</span>
     </p>
 </div>
@@ -185,14 +185,14 @@
 <table width="100%" summary="Navigation footer">
 <tr>
 <td width="40%" align="left">
-<a accesskey="p" href="man.named.html">Prev</a> </td>
+<a accesskey="p" href="man.nsupdate.html">Prev</a> </td>
 <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
 <td width="40%" align="right"> <a accesskey="n" href="man.rndc.conf.html">Next</a>
 </td>
 </tr>
 <tr>
 <td width="40%" align="left" valign="top">
-<span class="application">named</span> </td>
+<span class="application">nsupdate</span> </td>
 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 <td width="40%" align="right" valign="top"> <code class="filename">rndc.conf</code>
 </td>
diff --git a/doc/misc/Makefile.in b/doc/misc/Makefile.in
index c5df0cb..501e3be 100644
--- a/doc/misc/Makefile.in
+++ b/doc/misc/Makefile.in
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3.18.4 2007/12/02 22:36:01 marka Exp $
+# $Id: Makefile.in,v 1.7 2007/09/24 04:21:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/doc/misc/format-options.pl b/doc/misc/format-options.pl
index aa433b3..b0b8d52 100644
--- a/doc/misc/format-options.pl
+++ b/doc/misc/format-options.pl
@@ -15,7 +15,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: format-options.pl,v 1.2.18.2 2007/12/02 23:46:31 tbox Exp $
+# $Id: format-options.pl,v 1.5 2007/09/24 04:21:59 marka Exp $
 
 print <<END;
 
diff --git a/doc/misc/ipv6 b/doc/misc/ipv6
index aeba275..4060bc3 100644
--- a/doc/misc/ipv6
+++ b/doc/misc/ipv6
@@ -110,4 +110,4 @@ RELEVANT RFCs
 3542:  Advanced Sockets Application Program Interface (API) for IPv6
 
 
-$Id: ipv6,v 1.6.18.3 2004/08/10 04:28:41 jinmei Exp $
+$Id: ipv6,v 1.9 2004/08/10 04:27:51 jinmei Exp $
diff --git a/doc/misc/migration b/doc/misc/migration
index 4116b63..21856bf 100644
--- a/doc/misc/migration
+++ b/doc/misc/migration
@@ -264,4 +264,4 @@ necessary, the umask should be set explicitly in the script used to
 start the named process.
 
 
-$Id: migration,v 1.45.18.3 2008/03/18 15:45:43 jreed Exp $
+$Id: migration,v 1.49 2008/03/18 15:42:53 jreed Exp $
diff --git a/doc/misc/options b/doc/misc/options
index c9a29a7..3416a3b 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -55,7 +55,10 @@ options {
         allow-notify { <address_match_element>; ... };
         allow-query { <address_match_element>; ... };
         allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
         allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -134,6 +137,7 @@ options {
         max-transfer-time-in <integer>;
         max-transfer-time-out <integer>;
         max-udp-size <integer>;
+        memstatistics <boolean>;
         memstatistics-file <quoted_string>;
         min-refresh-time <integer>;
         min-retry-time <integer>;
@@ -146,6 +150,8 @@ options {
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
         pid-file ( <quoted_string> | none );
         port <integer>;
         preferred-glue <string>;
@@ -153,11 +159,14 @@ options {
         query-source <querysource4>;
         query-source-v6 <querysource6>;
         querylog <boolean>;
+        queryport-pool-ports <integer>; // obsolete
+        queryport-pool-updateinterval <integer>; // obsolete
         random-device <quoted_string>;
         recursing-file <quoted_string>;
         recursion <boolean>;
         recursive-clients <integer>;
         request-ixfr <boolean>;
+        request-nsid <boolean>;
         reserved-sockets <integer>;
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
@@ -166,7 +175,10 @@ options {
         serial-queries <integer>; // obsolete
         serial-query-rate <integer>;
         server-id ( <quoted_string> | none |;
-        sig-validity-interval <integer>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
         sortlist { <address_match_element>; ... };
         stacksize <size>;
         statistics-file <quoted_string>;
@@ -185,10 +197,12 @@ options {
         transfers-out <integer>;
         transfers-per-ns <integer>;
         treat-cr-as-space <boolean>; // obsolete
+        try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
         use-id-pool <boolean>; // obsolete
         use-ixfr <boolean>;
+        use-queryport-pool <boolean>; // obsolete
         use-v4-udp-ports { <portrange>; ... };
         use-v6-udp-ports { <portrange>; ... };
         version ( <quoted_string> | none );
@@ -216,6 +230,11 @@ server <netprefix> {
         transfers <integer>;
 };
 
+statistics-channels {
+        inet ( <ipv4_address> | <ipv6_address> | * ) [ port ( <integer> | *
+            ) ] [ allow { <address_match_element>; ... } ];
+};
+
 trusted-keys { <string> <integer> <integer> <integer> <quoted_string>; ... };
 
 view <string> <optional_class> {
@@ -226,7 +245,10 @@ view <string> <optional_class> {
         allow-notify { <address_match_element>; ... };
         allow-query { <address_match_element>; ... };
         allow-query-cache { <address_match_element>; ... };
+        allow-query-cache-on { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
         allow-recursion { <address_match_element>; ... };
+        allow-recursion-on { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -305,12 +327,17 @@ view <string> <optional_class> {
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
         preferred-glue <string>;
         provide-ixfr <boolean>;
         query-source <querysource4>;
         query-source-v6 <querysource6>;
+        queryport-pool-ports <integer>; // obsolete
+        queryport-pool-updateinterval <integer>; // obsolete
         recursion <boolean>;
         request-ixfr <boolean>;
+        request-nsid <boolean>;
         rfc2308-type1 <boolean>; // not yet implemented
         root-delegation-only [ exclude { <quoted_string>; ... } ];
         rrset-order { [ class <string> ] [ type <string> ] [ name
@@ -337,7 +364,10 @@ view <string> <optional_class> {
                     <integer> | * ) ];
                 transfers <integer>;
         };
-        sig-validity-interval <integer>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
         sortlist { <address_match_element>; ... };
         suppress-initial-notify <boolean>; // not yet implemented
         topology { <address_match_element>; ... }; // not implemented
@@ -346,13 +376,16 @@ view <string> <optional_class> {
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
         trusted-keys { <string> <integer> <integer> <integer>
             <quoted_string>; ... };
+        try-tcp-refresh <boolean>;
         update-check-ksk <boolean>;
         use-alt-transfer-source <boolean>;
+        use-queryport-pool <boolean>; // obsolete
         zero-no-soa-ttl <boolean>;
         zero-no-soa-ttl-cache <boolean>;
         zone <string> <optional_class> {
                 allow-notify { <address_match_element>; ... };
                 allow-query { <address_match_element>; ... };
+                allow-query-on { <address_match_element>; ... };
                 allow-transfer { <address_match_element>; ... };
                 allow-update { <address_match_element>; ... };
                 allow-update-forwarding { <address_match_element>; ... };
@@ -403,19 +436,26 @@ view <string> <optional_class> {
                     ) ];
                 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
                     | * ) ];
+                notify-to-soa <boolean>;
+                nsec3-test-zone <boolean>; // test only
                 pubkey <integer> <integer> <integer>
                     <quoted_string>; // obsolete
-                sig-validity-interval <integer>;
+                sig-signing-nodes <integer>;
+                sig-signing-signatures <integer>;
+                sig-signing-type <integer>;
+                sig-validity-interval <integer> [ <integer> ];
                 transfer-source ( <ipv4_address> | * ) [ port ( <integer> |
                     * ) ];
                 transfer-source-v6 ( <ipv6_address> | * ) [ port (
                     <integer> | * ) ];
+                try-tcp-refresh <boolean>;
                 type ( master | slave | stub | hint | forward |
                     delegation-only );
                 update-check-ksk <boolean>;
                 update-policy { ( grant | deny ) <string> ( name |
-                    subdomain | wildcard | self | selfsub | selfwild )
-                    <string> <rrtypelist>; ... };
+                    subdomain | wildcard | self | selfsub | selfwild |
+                    krb5-self | ms-self | krb5-subdomain | ms-subdomain |
+                    tcp-self | 6to4-self ) <string> <rrtypelist>; ... };
                 use-alt-transfer-source <boolean>;
                 zero-no-soa-ttl <boolean>;
                 zone-statistics <boolean>;
@@ -426,6 +466,7 @@ view <string> <optional_class> {
 zone <string> <optional_class> {
         allow-notify { <address_match_element>; ... };
         allow-query { <address_match_element>; ... };
+        allow-query-on { <address_match_element>; ... };
         allow-transfer { <address_match_element>; ... };
         allow-update { <address_match_element>; ... };
         allow-update-forwarding { <address_match_element>; ... };
@@ -473,15 +514,22 @@ zone <string> <optional_class> {
         notify-delay <integer>;
         notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        notify-to-soa <boolean>;
+        nsec3-test-zone <boolean>; // test only
         pubkey <integer> <integer> <integer> <quoted_string>; // obsolete
-        sig-validity-interval <integer>;
+        sig-signing-nodes <integer>;
+        sig-signing-signatures <integer>;
+        sig-signing-type <integer>;
+        sig-validity-interval <integer> [ <integer> ];
         transfer-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ];
         transfer-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ];
+        try-tcp-refresh <boolean>;
         type ( master | slave | stub | hint | forward | delegation-only );
         update-check-ksk <boolean>;
         update-policy { ( grant | deny ) <string> ( name | subdomain |
-            wildcard | self | selfsub | selfwild ) <string> <rrtypelist>;
-            ... };
+            wildcard | self | selfsub | selfwild | krb5-self | ms-self |
+            krb5-subdomain | ms-subdomain | tcp-self | 6to4-self ) <string>
+            <rrtypelist>; ... };
         use-alt-transfer-source <boolean>;
         zero-no-soa-ttl <boolean>;
         zone-statistics <boolean>;
diff --git a/doc/misc/sort-options.pl b/doc/misc/sort-options.pl
index f516159..4251521 100755
--- a/doc/misc/sort-options.pl
+++ b/doc/misc/sort-options.pl
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: sort-options.pl,v 1.3.36.2 2007/12/02 23:46:31 tbox Exp $
+# $Id: sort-options.pl,v 1.3 2007/09/24 23:46:48 tbox Exp $
 
 sub sortlevel() {
 	my @options = ();
diff --git a/lib/Makefile.in b/lib/Makefile.in
index e8be294..e46aef2 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.19 2004/03/05 05:05:00 marka Exp $
+# $Id: Makefile.in,v 1.21 2007/06/19 23:47:13 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/bind9/Makefile.in b/lib/bind9/Makefile.in
index 270e9ae..7c1e5b0 100644
--- a/lib/bind9/Makefile.in
+++ b/lib/bind9/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.4.18.5 2004/12/10 00:11:50 marka Exp $
+# $Id: Makefile.in,v 1.11 2007/06/19 23:47:16 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/bind9/api b/lib/bind9/api
index 3a74aee..39934b4 100644
--- a/lib/bind9/api
+++ b/lib/bind9/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 31
-LIBREVISION = 1
-LIBAGE = 1
+LIBINTERFACE = 50
+LIBREVISION = 2
+LIBAGE = 0
diff --git a/lib/bind9/check.c b/lib/bind9/check.c
index 2967650..800cbf9 100644
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.44.18.41 2008/03/29 23:46:10 tbox Exp $ */
+/* $Id: check.c,v 1.95.12.3 2009/02/17 03:43:07 marka Exp $ */
 
 /*! \file */
 
@@ -46,10 +46,6 @@
 
 #include <bind9/check.h>
 
-#ifndef DNS_RDATASET_FIXED
-#define DNS_RDATASET_FIXED 1
-#endif
-
 static void
 freekey(char *key, unsigned int type, isc_symvalue_t value, void *userarg) {
 	UNUSED(type);
@@ -128,7 +124,8 @@ check_orderent(const cfg_obj_t *ent, isc_log_t *logctx) {
 	} else if (strcasecmp(cfg_obj_asstring(obj), "fixed") == 0) {
 #if !DNS_RDATASET_FIXED
 		cfg_obj_log(obj, logctx, ISC_LOG_WARNING,
-			    "rrset-order: order 'fixed' not fully implemented");
+			    "rrset-order: order 'fixed' was disabled at "
+			    "compilation time");
 #endif
 	} else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 &&
 		   strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) {
@@ -390,7 +387,8 @@ checkacl(const char *aclname, cfg_aclconfctx_t *actx, const cfg_obj_t *zconfig,
 	}
 	if (aclobj == NULL)
 		return (ISC_R_SUCCESS);
-	result = cfg_acl_fromconfig(aclobj, config, logctx, actx, mctx, &acl);
+	result = cfg_acl_fromconfig(aclobj, config, logctx,
+				    actx, mctx, 0, &acl);
 	if (acl != NULL)
 		dns_acl_detach(&acl);
 	return (result);
@@ -403,9 +401,10 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	isc_result_t result = ISC_R_SUCCESS, tresult;
 	int i = 0;
 
-	static const char *acls[] = { "allow-query", "allow-query-cache",
-		"allow-recursion", "blackhole", "match-clients",
-		"match-destinations", "sortlist", NULL };
+	static const char *acls[] = { "allow-query", "allow-query-on",
+		"allow-query-cache", "allow-query-cache-on",
+		"blackhole", "match-clients", "match-destinations",
+		"sortlist", NULL };
 
 	while (acls[i] != NULL) {
 		tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@@ -416,6 +415,81 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
 	return (result);
 }
 
+/*
+ * Check allow-recursion and allow-recursion-on acls, and also log a
+ * warning if they're inconsistent with the "recursion" option.
+ */
+static isc_result_t
+check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
+		    const char *viewname, const cfg_obj_t *config,
+		    isc_log_t *logctx, isc_mem_t *mctx)
+{
+	const cfg_obj_t *options, *aclobj, *obj = NULL;
+	dns_acl_t *acl = NULL;
+	isc_result_t result = ISC_R_SUCCESS, tresult;
+	isc_boolean_t recursion;
+	const char *forview = " for view ";
+	int i = 0;
+
+	static const char *acls[] = { "allow-recursion", "allow-recursion-on",
+				      NULL };
+
+	if (voptions != NULL)
+		cfg_map_get(voptions, "recursion", &obj);
+	if (obj == NULL && config != NULL) {
+		options = NULL;
+		cfg_map_get(config, "options", &options);
+		if (options != NULL)
+			cfg_map_get(options, "recursion", &obj);
+	}
+	if (obj == NULL)
+		recursion = ISC_TRUE;
+	else
+		recursion = cfg_obj_asboolean(obj);
+
+	if (viewname == NULL) {
+		viewname = "";
+		forview = "";
+	}
+
+	for (i = 0; acls[i] != NULL; i++) {
+		aclobj = options = NULL;
+		acl = NULL;
+
+		if (voptions != NULL)
+			cfg_map_get(voptions, acls[i], &aclobj);
+		if (config != NULL && aclobj == NULL) {
+			options = NULL;
+			cfg_map_get(config, "options", &options);
+			if (options != NULL)
+				cfg_map_get(options, acls[i], &aclobj);
+		}
+		if (aclobj == NULL)
+			continue;
+
+		tresult = cfg_acl_fromconfig(aclobj, config, logctx,
+					    actx, mctx, 0, &acl);
+
+		if (tresult != ISC_R_SUCCESS)
+			result = tresult;
+
+		if (acl == NULL)
+			continue;
+
+		if (recursion == ISC_FALSE && !dns_acl_isnone(acl)) {
+			cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
+				    "both \"recursion no;\" and "
+				    "\"%s\" active%s%s",
+				    acls[i], forview, viewname);
+		}
+
+		if (acl != NULL)
+			dns_acl_detach(&acl);
+	}
+
+	return (result);
+}
+
 typedef struct {
 	const char *name;
 	unsigned int scale;
@@ -428,6 +502,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	isc_result_t tresult;
 	unsigned int i;
 	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *resignobj = NULL;
 	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	dns_fixedname_t fixed;
@@ -443,7 +518,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
 	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
 	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "sig-validity-interval", 86400, 10 * 366 },	/* 10 years */
 	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
 	};
 
@@ -471,6 +545,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 			result = ISC_R_RANGE;
 		}
 	}
+
+	obj = NULL;
+	cfg_map_get(options, "sig-validity-interval", &obj);
+	if (obj != NULL) {
+		isc_uint32_t validity, resign = 0;
+
+		validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
+		resignobj = cfg_tuple_get(obj, "re-sign");
+		if (!cfg_obj_isvoid(resignobj))
+			resign = cfg_obj_asuint32(resignobj);
+
+		if (validity > 3660 || validity == 0) { /* 10 years */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (1..3660)",
+				    "sig-validity-interval", validity);
+			result = ISC_R_RANGE;
+		}
+
+		if (!cfg_obj_isvoid(resignobj)) {
+			if (resign > 3660 || resign == 0) { /* 10 years */
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' is out of range (1..3660)",
+					    "sig-validity-interval (re-sign)",
+					    validity);
+				result = ISC_R_RANGE;
+			} else if ((validity > 7 && validity < resign) ||
+				   (validity <= 7 && validity * 24 < resign)) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "validity interval (%u days) "
+					    "less than re-signing interval "
+					    "(%u %s)", validity, resign,
+					    (validity > 7) ? "days" : "hours");
+				result = ISC_R_RANGE;
+			}
+		}
+	}
+
 	obj = NULL;
 	(void)cfg_map_get(options, "preferred-glue", &obj);
 	if (obj != NULL) {
@@ -483,6 +594,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 				    "preferred-glue unexpected value '%s'",
 				    str);
 	}
+
 	obj = NULL;
 	(void)cfg_map_get(options, "root-delegation-only", &obj);
 	if (obj != NULL) {
@@ -543,7 +655,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	(void)cfg_map_get(options, "dnssec-lookaside", &obj);
 	if (obj != NULL) {
 		tresult = isc_symtab_create(mctx, 100, freekey, mctx,
-					    ISC_TRUE, &symtab);
+					    ISC_FALSE, &symtab);
 		if (tresult != ISC_R_SUCCESS)
 			result = tresult;
 		for (element = cfg_list_first(obj);
@@ -680,6 +792,19 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 		}
 	}
 
+	/*
+	 * Check that server-id is not too long.
+	 * 1024 bytes should be big enough.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "server-id", &obj);
+	if (obj != NULL && cfg_obj_isstring(obj) &&
+	    strlen(cfg_obj_asstring(obj)) > 1024U) {
+		cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+			    "'server-id' too big (>1024 bytes)");
+		result = ISC_R_FAILURE;
+	}
+
 	return (result);
 }
 
@@ -784,8 +909,11 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
 			if (new == NULL)
 				goto cleanup;
 			if (stackcount != 0) {
+				void *ptr;
+
+				DE_CONST(stack, ptr);
 				memcpy(new, stack, oldsize);
-				isc_mem_put(mctx, stack, oldsize);
+				isc_mem_put(mctx, ptr, oldsize);
 			}
 			stack = new;
 			stackcount = newlen;
@@ -798,8 +926,12 @@ validate_masters(const cfg_obj_t *obj, const cfg_obj_t *config,
 		goto resume;
 	}
  cleanup:
-	if (stack != NULL)
-		isc_mem_put(mctx, stack, stackcount * sizeof(*stack));
+	if (stack != NULL) {
+		void *ptr;
+
+		DE_CONST(stack, ptr);
+		isc_mem_put(mctx, ptr, stackcount * sizeof(*stack));
+	}
 	isc_symtab_destroy(&symtab);
 	*countp = count;
 	return (result);
@@ -936,6 +1068,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "max-refresh-time", SLAVEZONE | STUBZONE },
 	{ "min-refresh-time", SLAVEZONE | STUBZONE },
 	{ "sig-validity-interval", MASTERZONE },
+	{ "sig-re-signing-interval", MASTERZONE },
+	{ "sig-signing-nodes", MASTERZONE },
+	{ "sig-signing-type", MASTERZONE },
+	{ "sig-signing-signatures", MASTERZONE },
 	{ "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE },
 	{ "allow-update", MASTERZONE | CHECKACL },
 	{ "allow-update-forwarding", SLAVEZONE | CHECKACL },
@@ -955,6 +1091,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	{ "check-srv-cname", MASTERZONE },
 	{ "masterfile-format", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE },
 	{ "update-check-ksk", MASTERZONE },
+	{ "try-tcp-refresh", SLAVEZONE },
 	};
 
 	static optionstable dialups[] = {
@@ -1020,7 +1157,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 
 	/*
 	 * Look for an already existing zone.
-	 * We need to make this cannonical as isc_symtab_define()
+	 * We need to make this canonical as isc_symtab_define()
 	 * deals with strings.
 	 */
 	dns_fixedname_init(&fixedname);
@@ -1125,6 +1262,17 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		} else if (res2 == ISC_R_SUCCESS &&
 			   check_update_policy(obj, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "sig-signing-type", &obj);
+		if (res1 == ISC_R_SUCCESS) {
+			isc_uint32_t type = cfg_obj_asuint32(obj);
+			if (type < 0xff00U || type > 0xffffU)
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "sig-signing-type: %u out of "
+					    "range [%u..%u]", type,
+					    0xff00U, 0xffffU);
+			result = ISC_R_FAILURE;
+		}
 	}
 
 	/*
@@ -1297,27 +1445,56 @@ bind9_check_key(const cfg_obj_t *key, isc_log_t *logctx) {
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Check key list for duplicates key names and that the key names
+ * are valid domain names as these keys are used for TSIG.
+ *
+ * Check the key contents for validity.
+ */
 static isc_result_t
-check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
+check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab,
+	      isc_mem_t *mctx, isc_log_t *logctx)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fname;
+	dns_name_t *name;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	const cfg_listelt_t *element;
 
+	dns_fixedname_init(&fname);
+	name = dns_fixedname_name(&fname);
 	for (element = cfg_list_first(keys);
 	     element != NULL;
 	     element = cfg_list_next(element))
 	{
 		const cfg_obj_t *key = cfg_listelt_value(element);
-		const char *keyname = cfg_obj_asstring(cfg_map_getname(key));
+		const char *keyid = cfg_obj_asstring(cfg_map_getname(key));
 		isc_symvalue_t symvalue;
+		isc_buffer_t b;
+		char *keyname;
 
+		isc_buffer_init(&b, keyid, strlen(keyid));
+		isc_buffer_add(&b, strlen(keyid));
+		tresult = dns_name_fromtext(name, &b, dns_rootname,
+					    ISC_FALSE, NULL);
+		if (tresult != ISC_R_SUCCESS) {
+			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
+				    "key '%s': bad key name", keyid);
+			result = tresult;
+			continue;
+		}
 		tresult = bind9_check_key(key, logctx);
 		if (tresult != ISC_R_SUCCESS)
 			return (tresult);
 
+		dns_name_format(name, namebuf, sizeof(namebuf));
+		keyname = isc_mem_strdup(mctx, namebuf);
+		if (keyname == NULL)
+			return (ISC_R_NOMEMORY);
 		symvalue.as_cpointer = key;
-		tresult = isc_symtab_define(symtab, keyname, 1,
-					    symvalue, isc_symexists_reject);
+		tresult = isc_symtab_define(symtab, keyname, 1, symvalue,
+					    isc_symexists_reject);
 		if (tresult == ISC_R_EXISTS) {
 			const char *file;
 			unsigned int line;
@@ -1332,10 +1509,13 @@ check_keylist(const cfg_obj_t *keys, isc_symtab_t *symtab, isc_log_t *logctx) {
 			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
 				    "key '%s': already exists "
 				    "previous definition: %s:%u",
-				    keyname, file, line);
+				    keyid, file, line);
+			isc_mem_free(mctx, keyname);
 			result = tresult;
-		} else if (tresult != ISC_R_SUCCESS)
+		} else if (tresult != ISC_R_SUCCESS) {
+			isc_mem_free(mctx, keyname);
 			return (tresult);
+		}
 	}
 	return (result);
 }
@@ -1350,18 +1530,60 @@ static struct {
 	{ NULL, NULL }
 };
 
+/*
+ * RNDC keys are not normalised unlike TSIG keys.
+ *
+ * 	"foo." is different to "foo".
+ */
+static isc_boolean_t
+rndckey_exists(const cfg_obj_t *keylist, const char *keyname) {
+	const cfg_listelt_t *element;
+	const cfg_obj_t *obj;
+	const char *str;
+
+	if (keylist == NULL)
+		return (ISC_FALSE);
+
+	for (element = cfg_list_first(keylist);
+	     element != NULL;
+	     element = cfg_list_next(element))
+	{
+		obj = cfg_listelt_value(element);
+		str = cfg_obj_asstring(cfg_map_getname(obj));
+		if (!strcasecmp(str, keyname))
+			return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
 static isc_result_t
-check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
+check_servers(const cfg_obj_t *config, const cfg_obj_t *voptions,
+	      isc_symtab_t *symtab, isc_log_t *logctx)
+{
+	dns_fixedname_t fname;
 	isc_result_t result = ISC_R_SUCCESS;
 	isc_result_t tresult;
 	const cfg_listelt_t *e1, *e2;
-	const cfg_obj_t *v1, *v2;
+	const cfg_obj_t *v1, *v2, *keys;
+	const cfg_obj_t *servers;
 	isc_netaddr_t n1, n2;
 	unsigned int p1, p2;
 	const cfg_obj_t *obj;
 	char buf[ISC_NETADDR_FORMATSIZE];
+	char namebuf[DNS_NAME_FORMATSIZE];
 	const char *xfr;
+	const char *keyval;
+	isc_buffer_t b;
 	int source;
+	dns_name_t *keyname;
+
+	servers = NULL;
+	if (voptions != NULL)
+		(void)cfg_map_get(voptions, "server", &servers);
+	if (servers == NULL)
+		(void)cfg_map_get(config, "server", &servers);
+	if (servers == NULL)
+		return (ISC_R_SUCCESS);
 
 	for (e1 = cfg_list_first(servers); e1 != NULL; e1 = cfg_list_next(e1)) {
 		v1 = cfg_listelt_value(e1);
@@ -1389,8 +1611,8 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 			if (obj != NULL) {
 				isc_netaddr_format(&n1, buf, sizeof(buf));
 				cfg_obj_log(v1, logctx, ISC_LOG_ERROR,
-					    "server '%s': %s not legal",
-					    buf, xfr);
+					    "server '%s/%u': %s not legal",
+					    buf, p1, xfr);
 				result = ISC_R_FAILURE;
 			}
 		} while (sources[++source].v4 != NULL);
@@ -1413,15 +1635,42 @@ check_servers(const cfg_obj_t *servers, isc_log_t *logctx) {
 				result = ISC_R_FAILURE;
 			}
 		}
+		keys = NULL;
+		cfg_map_get(v1, "keys", &keys);
+		if (keys != NULL) {
+			/*
+			 * Normalize key name.
+			 */
+			keyval = cfg_obj_asstring(keys);
+			dns_fixedname_init(&fname);
+			isc_buffer_init(&b, keyval, strlen(keyval));
+			isc_buffer_add(&b, strlen(keyval));
+			keyname = dns_fixedname_name(&fname);
+			tresult = dns_name_fromtext(keyname, &b, dns_rootname,
+						    ISC_FALSE, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "bad key name '%s'", keyval);
+				result = ISC_R_FAILURE;
+				continue;
+			}
+			dns_name_format(keyname, namebuf, sizeof(namebuf));
+			tresult = isc_symtab_lookup(symtab, namebuf, 1, NULL);
+			if (tresult != ISC_R_SUCCESS) {
+				cfg_obj_log(keys, logctx, ISC_LOG_ERROR,
+					    "unknown key '%s'", keyval);
+				result = ISC_R_FAILURE;
+			}
+		}
 	}
 	return (result);
 }
 
 static isc_result_t
 check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
-	       dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx)
+	       const char *viewname, dns_rdataclass_t vclass,
+	       isc_log_t *logctx, isc_mem_t *mctx)
 {
-	const cfg_obj_t *servers = NULL;
 	const cfg_obj_t *zones = NULL;
 	const cfg_obj_t *keys = NULL;
 	const cfg_listelt_t *element;
@@ -1464,37 +1713,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	isc_symtab_destroy(&symtab);
 
 	/*
-	 * Check that all key statements are syntactically correct and
-	 * there are no duplicate keys.
-	 */
-	tresult = isc_symtab_create(mctx, 100, NULL, NULL, ISC_TRUE, &symtab);
-	if (tresult != ISC_R_SUCCESS)
-		return (ISC_R_NOMEMORY);
-
-	(void)cfg_map_get(config, "key", &keys);
-	tresult = check_keylist(keys, symtab, logctx);
-	if (tresult == ISC_R_EXISTS)
-		result = ISC_R_FAILURE;
-	else if (tresult != ISC_R_SUCCESS) {
-		isc_symtab_destroy(&symtab);
-		return (tresult);
-	}
-
-	if (voptions != NULL) {
-		keys = NULL;
-		(void)cfg_map_get(voptions, "key", &keys);
-		tresult = check_keylist(keys, symtab, logctx);
-		if (tresult == ISC_R_EXISTS)
-			result = ISC_R_FAILURE;
-		else if (tresult != ISC_R_SUCCESS) {
-			isc_symtab_destroy(&symtab);
-			return (tresult);
-		}
-	}
-
-	isc_symtab_destroy(&symtab);
-
-	/*
 	 * Check that forwarding is reasonable.
 	 */
 	if (voptions == NULL) {
@@ -1508,6 +1726,7 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 		if (check_forward(voptions, NULL, logctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	}
+
 	/*
 	 * Check that dual-stack-servers is reasonable.
 	 */
@@ -1530,14 +1749,45 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 			result = ISC_R_FAILURE;
 	}
 
+	/*
+	 * Check that all key statements are syntactically correct and
+	 * there are no duplicate keys.
+	 */
+	tresult = isc_symtab_create(mctx, 100, freekey, mctx,
+				    ISC_FALSE, &symtab);
+	if (tresult != ISC_R_SUCCESS)
+		return (ISC_R_NOMEMORY);
+
+	(void)cfg_map_get(config, "key", &keys);
+	tresult = check_keylist(keys, symtab, mctx, logctx);
+	if (tresult == ISC_R_EXISTS)
+		result = ISC_R_FAILURE;
+	else if (tresult != ISC_R_SUCCESS) {
+		isc_symtab_destroy(&symtab);
+		return (tresult);
+	}
+
 	if (voptions != NULL) {
-		(void)cfg_map_get(voptions, "server", &servers);
-		if (servers != NULL &&
-		    check_servers(servers, logctx) != ISC_R_SUCCESS)
+		keys = NULL;
+		(void)cfg_map_get(voptions, "key", &keys);
+		tresult = check_keylist(keys, symtab, mctx, logctx);
+		if (tresult == ISC_R_EXISTS)
 			result = ISC_R_FAILURE;
+		else if (tresult != ISC_R_SUCCESS) {
+			isc_symtab_destroy(&symtab);
+			return (tresult);
+		}
 	}
 
 	/*
+	 * Global servers can refer to keys in views.
+	 */
+	if (check_servers(config, voptions, symtab, logctx) != ISC_R_SUCCESS)
+		result = ISC_R_FAILURE;
+
+	isc_symtab_destroy(&symtab);
+
+	/*
 	 * Check that dnssec-enable/dnssec-validation are sensible.
 	 */
 	obj = NULL;
@@ -1575,6 +1825,11 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
 	if (tresult != ISC_R_SUCCESS)
 		result = tresult;
 
+	tresult = check_recursionacls(&actx, voptions, viewname,
+				      config, logctx, mctx);
+	if (tresult != ISC_R_SUCCESS)
+		result = tresult;
+
 	cfg_aclconfctx_destroy(&actx);
 
 	return (result);
@@ -1698,33 +1953,14 @@ bind9_check_logging(const cfg_obj_t *config, isc_log_t *logctx,
 }
 
 static isc_result_t
-key_exists(const cfg_obj_t *keylist, const char *keyname) {
-	const cfg_listelt_t *element;
-	const char *str;
-	const cfg_obj_t *obj;
-
-	if (keylist == NULL)
-		return (ISC_R_NOTFOUND);
-	for (element = cfg_list_first(keylist);
-	     element != NULL;
-	     element = cfg_list_next(element))
-	{
-		obj = cfg_listelt_value(element);
-		str = cfg_obj_asstring(cfg_map_getname(obj));
-		if (strcasecmp(str, keyname) == 0)
-			return (ISC_R_SUCCESS);
-	}
-	return (ISC_R_NOTFOUND);
-}
-
-static isc_result_t
 bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 			 isc_log_t *logctx)
 {
-	isc_result_t result = ISC_R_SUCCESS, tresult;
+	isc_result_t result = ISC_R_SUCCESS;
 	const cfg_obj_t *control_keylist;
 	const cfg_listelt_t *element;
 	const cfg_obj_t *key;
+	const char *keyval;
 
 	control_keylist = cfg_tuple_get(control, "keys");
 	if (cfg_obj_isvoid(control_keylist))
@@ -1735,11 +1971,12 @@ bind9_check_controlskeys(const cfg_obj_t *control, const cfg_obj_t *keylist,
 	     element = cfg_list_next(element))
 	{
 		key = cfg_listelt_value(element);
-		tresult = key_exists(keylist, cfg_obj_asstring(key));
-		if (tresult != ISC_R_SUCCESS) {
+		keyval = cfg_obj_asstring(key);
+
+		if (!rndckey_exists(keylist, keyval)) {
 			cfg_obj_log(key, logctx, ISC_LOG_ERROR,
-				    "unknown key '%s'", cfg_obj_asstring(key));
-			result = tresult;
+				    "unknown key '%s'", keyval);
+			result = ISC_R_NOTFOUND;
 		}
 	}
 	return (result);
@@ -1791,7 +2028,7 @@ bind9_check_controls(const cfg_obj_t *config, isc_log_t *logctx,
 			control = cfg_listelt_value(element2);
 			allow = cfg_tuple_get(control, "allow");
 			tresult = cfg_acl_fromconfig(allow, config, logctx,
-						     &actx, mctx, &acl);
+						     &actx, mctx, 0, &acl);
 			if (acl != NULL)
 				dns_acl_detach(&acl);
 			if (tresult != ISC_R_SUCCESS)
@@ -1847,7 +2084,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		      isc_mem_t *mctx)
 {
 	const cfg_obj_t *options = NULL;
-	const cfg_obj_t *servers = NULL;
 	const cfg_obj_t *views = NULL;
 	const cfg_obj_t *acls = NULL;
 	const cfg_obj_t *kals = NULL;
@@ -1866,11 +2102,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 	    check_options(options, logctx, mctx) != ISC_R_SUCCESS)
 		result = ISC_R_FAILURE;
 
-	(void)cfg_map_get(config, "server", &servers);
-	if (servers != NULL &&
-	    check_servers(servers, logctx) != ISC_R_SUCCESS)
-		result = ISC_R_FAILURE;
-
 	if (bind9_check_logging(config, logctx, mctx) != ISC_R_SUCCESS)
 		result = ISC_R_FAILURE;
 
@@ -1888,7 +2119,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 			result = ISC_R_FAILURE;
 
 	if (views == NULL) {
-		if (check_viewconf(config, NULL, dns_rdataclass_in,
+		if (check_viewconf(config, NULL, NULL, dns_rdataclass_in,
 				   logctx, mctx) != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
 	} else {
@@ -1960,7 +2191,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 			}
 		}
 		if (tresult == ISC_R_SUCCESS)
-			tresult = check_viewconf(config, voptions,
+			tresult = check_viewconf(config, voptions, key,
 						 vclass, logctx, mctx);
 		if (tresult != ISC_R_SUCCESS)
 			result = ISC_R_FAILURE;
@@ -1979,8 +2210,9 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		}
 	}
 
-	tresult = cfg_map_get(config, "acl", &acls);
-	if (tresult == ISC_R_SUCCESS) {
+	cfg_map_get(config, "acl", &acls);
+
+	if (acls != NULL) {
 		const cfg_listelt_t *elt;
 		const cfg_listelt_t *elt2;
 		const char *aclname;
@@ -1989,6 +2221,7 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 		     elt != NULL;
 		     elt = cfg_list_next(elt)) {
 			const cfg_obj_t *acl = cfg_listelt_value(elt);
+			unsigned int line = cfg_obj_line(acl);
 			unsigned int i;
 
 			aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
@@ -2013,7 +2246,6 @@ bind9_check_namedconf(const cfg_obj_t *config, isc_log_t *logctx,
 								      "name"));
 				if (strcasecmp(aclname, name) == 0) {
 					const char *file = cfg_obj_file(acl);
-					unsigned int line = cfg_obj_line(acl);
 
 					if (file == NULL)
 						file = "<unknown file>";
diff --git a/lib/bind9/getaddresses.c b/lib/bind9/getaddresses.c
index b6edce0..a75e14e 100644
--- a/lib/bind9/getaddresses.c
+++ b/lib/bind9/getaddresses.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.c,v 1.15.18.5 2005/10/14 01:28:24 marka Exp $ */
+/* $Id: getaddresses.c,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/bind9/include/Makefile.in b/lib/bind9/include/Makefile.in
index 6c6611e..65eecb0 100644
--- a/lib/bind9/include/Makefile.in
+++ b/lib/bind9/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2004/03/05 05:09:08 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:16 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/bind9/include/bind9/Makefile.in b/lib/bind9/include/bind9/Makefile.in
index 8ef5c32..8abfaf6 100644
--- a/lib/bind9/include/bind9/Makefile.in
+++ b/lib/bind9/include/bind9/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6 2004/03/05 05:09:10 marka Exp $
+# $Id: Makefile.in,v 1.8 2007/06/19 23:47:16 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/bind9/include/bind9/check.h b/lib/bind9/include/bind9/check.h
index 25a8e0c..1647568 100644
--- a/lib/bind9/include/bind9/check.h
+++ b/lib/bind9/include/bind9/check.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.h,v 1.2.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: check.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef BIND9_CHECK_H
 #define BIND9_CHECK_H 1
 
-/*! \file */
+/*! \file bind9/check.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/bind9/include/bind9/getaddresses.h b/lib/bind9/include/bind9/getaddresses.h
index e6d030d..736feb6 100644
--- a/lib/bind9/include/bind9/getaddresses.h
+++ b/lib/bind9/include/bind9/getaddresses.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddresses.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: getaddresses.h,v 1.9.332.2 2009/01/18 23:47:35 tbox Exp $ */
 
 #ifndef BIND9_GETADDRESSES_H
 #define BIND9_GETADDRESSES_H 1
 
-/*! \file */
+/*! \file bind9/getaddresses.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
@@ -40,7 +40,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
  * first 'addrsize' are returned and the remainder silently truncated.
  *
  * This routine may block.  If called by a program using the isc_app
- * framework, it should be surounded by isc_app_block()/isc_app_unblock().
+ * framework, it should be surrounded by isc_app_block()/isc_app_unblock().
  *
  *  Requires:
  *\li	'hostname' is not NULL.
@@ -48,7 +48,7 @@ bind9_getaddresses(const char *hostname, in_port_t port,
  *\li	'addrsize' > 0
  *\li	'addrcount' is not NULL.
  *
- * 
+ *
  * Returns:
  *\li	#ISC_R_SUCCESS
  *\li	#ISC_R_NOTFOUND
diff --git a/lib/bind9/include/bind9/version.h b/lib/bind9/include/bind9/version.h
index 154e240d..5b08b7c 100644
--- a/lib/bind9/include/bind9/version.h
+++ b/lib/bind9/include/bind9/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:15:48 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
 
-/*! \file */
+/*! \file bind9/version.h */
 
 #include <isc/platform.h>
 
diff --git a/lib/bind9/version.c b/lib/bind9/version.c
index 2cc17da..d5934cc 100644
--- a/lib/bind9/version.c
+++ b/lib/bind9/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.4.18.2 2005/04/29 00:15:47 marka Exp $ */
+/* $Id: version.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in
index 286a5f9..ef5c12a 100644
--- a/lib/dns/Makefile.in
+++ b/lib/dns/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.144.18.10 2006/01/06 00:01:43 marka Exp $
+# $Id: Makefile.in,v 1.163 2008/09/24 02:46:22 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -29,10 +29,14 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
+USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
+
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
 		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@
+CDEFINES =	-DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+		${USE_ISC_SPNEGO}
+
 CWARNINGS =
 
 ISCLIBS =	../../lib/isc/libisc.@A@
@@ -43,7 +47,8 @@ LIBS =		@LIBS@
 
 # Alphabetically
 
-DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
+DSTOBJS =	@DST_EXTRA_OBJS@ \
+		dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
 		gssapi_link.@O@ gssapictx.@O@ hmac_link.@O@ key.@O@ \
 		openssl_link.@O@ openssldh_link.@O@ openssldsa_link.@O@ \
 		opensslrsa_link.@O@
@@ -52,10 +57,10 @@ DSTOBJS =	dst_api.@O@ dst_lib.@O@ dst_parse.@O@ dst_result.@O@ \
 DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 		cache.@O@ callbacks.@O@ compress.@O@ \
 		db.@O@ dbiterator.@O@ dbtable.@O@ diff.@O@ dispatch.@O@ \
-		dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ journal.@O@ keytable.@O@ \
-		lib.@O@ log.@O@ lookup.@O@ \
+		dlz.@O@ dnssec.@O@ ds.@O@ forward.@O@ iptable.@O@ journal.@O@ \
+		keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
 		master.@O@ masterdump.@O@ message.@O@ \
-		name.@O@ ncache.@O@ nsec.@O@ order.@O@ peer.@O@ portlist.@O@ \
+		name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ order.@O@ peer.@O@ portlist.@O@ \
 		rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \
 		rdatalist.@O@ \
 		rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ request.@O@ \
@@ -68,7 +73,8 @@ DNSOBJS =	acache.@O@ acl.@O@ adb.@O@ byaddr.@O@ \
 OBJS=		${DNSOBJS} ${OTHEROBJS} ${DSTOBJS}
 
 # Alphabetically
-DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
+DSTSRCS =	@DST_EXTRA_SRCS@ \
+		dst_api.c dst_lib.c dst_parse.c \
 		dst_result.c gssapi_link.c gssapictx.c \
 		hmac_link.c key.c \
 		openssl_link.c openssldh_link.c \
@@ -77,10 +83,10 @@ DSTSRCS =	dst_api.c dst_lib.c dst_parse.c \
 DNSSRCS =	acache.c acl.c adb.c byaddr.c \
 		cache.c callbacks.c compress.c \
 		db.c dbiterator.c dbtable.c diff.c dispatch.c \
-		dlz.c dnssec.c ds.c forward.c journal.c keytable.c \
-		lib.c log.c lookup.c \
+		dlz.c dnssec.c ds.c forward.c iptable.c journal.c \
+		keytable.c lib.c log.c lookup.c \
 		master.c masterdump.c message.c \
-		name.c ncache.c nsec.c order.c peer.c portlist.c \
+		name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \
 		rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c \
 		rdatalist.c \
 		rdataset.c rdatasetiter.c rdataslab.c request.c \
@@ -169,3 +175,5 @@ subdirs: include/dns/enumtype.h include/dns/enumclass.h \
 	include/dns/rdatastruct.h code.h
 ${OBJS}: include/dns/enumtype.h include/dns/enumclass.h \
 	include/dns/rdatastruct.h
+
+spnego.@O@: spnego_asn1.c spnego.h
diff --git a/lib/dns/acache.c b/lib/dns/acache.c
index cd56c3c..2ad4981 100644
--- a/lib/dns/acache.c
+++ b/lib/dns/acache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.c,v 1.3.2.18 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: acache.c,v 1.22 2008/02/07 23:46:54 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index 844c132..3af8dd3 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,18 +15,25 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.c,v 1.25.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.c,v 1.50.44.3 2009/01/18 23:47:35 tbox Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
 #include <isc/mem.h>
+#include <isc/once.h>
 #include <isc/string.h>
 #include <isc/util.h>
 
 #include <dns/acl.h>
+#include <dns/iptable.h>
 
+/*
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
+ */
 isc_result_t
 dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 	isc_result_t result;
@@ -43,14 +50,23 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 		return (ISC_R_NOMEMORY);
 	acl->mctx = mctx;
 	acl->name = NULL;
+
 	result = isc_refcount_init(&acl->refcount, 1);
 	if (result != ISC_R_SUCCESS) {
 		isc_mem_put(mctx, acl, sizeof(*acl));
 		return (result);
 	}
+
+	result = dns_iptable_create(mctx, &acl->iptable);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, acl, sizeof(*acl));
+		return (result);
+	}
+
 	acl->elements = NULL;
 	acl->alloc = 0;
 	acl->length = 0;
+	acl->has_negatives = ISC_FALSE;
 
 	ISC_LINK_INIT(acl, nextincache);
 	/*
@@ -73,111 +89,282 @@ dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target) {
 	return (result);
 }
 
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt) {
-	if (acl->length + 1 > acl->alloc) {
-		/*
-		 * Resize the ACL.
-		 */
-		unsigned int newalloc;
-		void *newmem;
-
-		newalloc = acl->alloc * 2;
-		if (newalloc < 4)
-			newalloc = 4;
-		newmem = isc_mem_get(acl->mctx,
-				     newalloc * sizeof(dns_aclelement_t));
-		if (newmem == NULL)
-			return (ISC_R_NOMEMORY);
-		memcpy(newmem, acl->elements,
-		       acl->length * sizeof(dns_aclelement_t));
-		isc_mem_put(acl->mctx, acl->elements,
-			    acl->alloc * sizeof(dns_aclelement_t));
-		acl->elements = newmem;
-		acl->alloc = newalloc;
-	}
-	/*
-	 * Append the new element.
-	 */
-	acl->elements[acl->length++] = *elt;
-
-	return (ISC_R_SUCCESS);
-}
-
+/*
+ * Create a new ACL and initialize it with the value "any" or "none",
+ * depending on the value of the "neg" parameter.
+ * "any" is a positive iptable entry with bit length 0.
+ * "none" is the same as "!any".
+ */
 static isc_result_t
 dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
 	isc_result_t result;
 	dns_acl_t *acl = NULL;
-	result = dns_acl_create(mctx, 1, &acl);
+	result = dns_acl_create(mctx, 0, &acl);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	acl->elements[0].negative = neg;
-	acl->elements[0].type = dns_aclelementtype_any;
-	acl->length = 1;
+
+	result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
+	if (result != ISC_R_SUCCESS) {
+		dns_acl_detach(&acl);
+		return (result);
+	}
+
 	*target = acl;
 	return (result);
 }
 
+/*
+ * Create a new ACL that matches everything.
+ */
 isc_result_t
 dns_acl_any(isc_mem_t *mctx, dns_acl_t **target) {
 	return (dns_acl_anyornone(mctx, ISC_FALSE, target));
 }
 
+/*
+ * Create a new ACL that matches nothing.
+ */
 isc_result_t
 dns_acl_none(isc_mem_t *mctx, dns_acl_t **target) {
 	return (dns_acl_anyornone(mctx, ISC_TRUE, target));
 }
 
+/*
+ * If pos is ISC_TRUE, test whether acl is set to "{ any; }"
+ * If pos is ISC_FALSE, test whether acl is set to "{ none; }"
+ */
+static isc_boolean_t
+dns_acl_isanyornone(dns_acl_t *acl, isc_boolean_t pos)
+{
+	/* Should never happen but let's be safe */
+	if (acl == NULL ||
+	    acl->iptable == NULL ||
+	    acl->iptable->radix == NULL ||
+	    acl->iptable->radix->head == NULL ||
+	    acl->iptable->radix->head->prefix == NULL)
+		return (ISC_FALSE);
+
+	if (acl->length != 0 || acl->node_count != 1)
+		return (ISC_FALSE);
+
+	if (acl->iptable->radix->head->prefix->bitlen == 0 &&
+	    acl->iptable->radix->head->data[0] != NULL &&
+	    acl->iptable->radix->head->data[0] ==
+		    acl->iptable->radix->head->data[1] &&
+	    *(isc_boolean_t *) (acl->iptable->radix->head->data[0]) == pos)
+		return (ISC_TRUE);
+
+	return (ISC_FALSE); /* All others */
+}
+
+/*
+ * Test whether acl is set to "{ any; }"
+ */
+isc_boolean_t
+dns_acl_isany(dns_acl_t *acl)
+{
+	return (dns_acl_isanyornone(acl, ISC_TRUE));
+}
+
+/*
+ * Test whether acl is set to "{ none; }"
+ */
+isc_boolean_t
+dns_acl_isnone(dns_acl_t *acl)
+{
+	return (dns_acl_isanyornone(acl, ISC_FALSE));
+}
+
+/*
+ * Determine whether a given address or signer matches a given ACL.
+ * For a match with a positive ACL element or iptable radix entry,
+ * return with a positive value in match; for a match with a negated ACL
+ * element or radix entry, return with a negative value in match.
+ */
 isc_result_t
 dns_acl_match(const isc_netaddr_t *reqaddr,
 	      const dns_name_t *reqsigner,
 	      const dns_acl_t *acl,
 	      const dns_aclenv_t *env,
 	      int *match,
-	      dns_aclelement_t const**matchelt)
+	      const dns_aclelement_t **matchelt)
 {
+	isc_uint16_t bitlen, family;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	const isc_netaddr_t *addr;
+	isc_netaddr_t v4addr;
+	isc_result_t result;
+	int match_num = -1;
 	unsigned int i;
 
 	REQUIRE(reqaddr != NULL);
 	REQUIRE(matchelt == NULL || *matchelt == NULL);
-	
+
+	if (env == NULL || env->match_mapped == ISC_FALSE ||
+	    reqaddr->family != AF_INET6 ||
+	    !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
+		addr = reqaddr;
+	else {
+		isc_netaddr_fromv4mapped(&v4addr, reqaddr);
+		addr = &v4addr;
+	}
+
+	/* Always match with host addresses. */
+	family = addr->family;
+	bitlen = family == AF_INET6 ? 128 : 32;
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
+
+	/* Assume no match. */
+	*match = 0;
+
+	/* Search radix. */
+	result = isc_radix_search(acl->iptable->radix, &node, &pfx);
+
+	/* Found a match. */
+	if (result == ISC_R_SUCCESS && node != NULL) {
+		match_num = node->node_num[ISC_IS6(family)];
+		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
+			*match = match_num;
+		else
+			*match = -match_num;
+	}
+
+	/* Now search non-radix elements for a match with a lower node_num. */
 	for (i = 0; i < acl->length; i++) {
 		dns_aclelement_t *e = &acl->elements[i];
 
+		/* Already found a better match? */
+		if (match_num != -1 && match_num < e->node_num) {
+			isc_refcount_destroy(&pfx.refcount);
+			return (ISC_R_SUCCESS);
+		}
+
 		if (dns_aclelement_match(reqaddr, reqsigner,
 					 e, env, matchelt)) {
-			*match = e->negative ? -((int)i+1) : ((int)i+1);
+			if (match_num == -1 || e->node_num < match_num) {
+				if (e->negative == ISC_TRUE)
+					*match = -e->node_num;
+				else
+					*match = e->node_num;
+			}
+			isc_refcount_destroy(&pfx.refcount);
 			return (ISC_R_SUCCESS);
 		}
 	}
-	/* No match. */
-	*match = 0;
+
+	isc_refcount_destroy(&pfx.refcount);
 	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
 isc_result_t
-dns_acl_elementmatch(const dns_acl_t *acl,
-		     const dns_aclelement_t *elt,
-		     const dns_aclelement_t **matchelt)
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
 {
-	unsigned int i;
+	isc_result_t result;
+	unsigned int newalloc, nelem, i;
+	int max_node = 0, nodes;
 
-	REQUIRE(elt != NULL);
-	REQUIRE(matchelt == NULL || *matchelt == NULL);
-	
-	for (i = 0; i < acl->length; i++) {
-		dns_aclelement_t *e = &acl->elements[i];
+	/* Resize the element array if needed. */
+	if (dest->length + source->length > dest->alloc) {
+		void *newmem;
 
-		if (dns_aclelement_equal(e, elt) == ISC_TRUE) {
-			if (matchelt != NULL)
-				*matchelt = e;
-			return (ISC_R_SUCCESS);
+		newalloc = dest->alloc + source->alloc;
+		if (newalloc < 4)
+			newalloc = 4;
+
+		newmem = isc_mem_get(dest->mctx,
+				     newalloc * sizeof(dns_aclelement_t));
+		if (newmem == NULL)
+			return (ISC_R_NOMEMORY);
+
+		/* Copy in the original elements */
+		memcpy(newmem, dest->elements,
+		       dest->length * sizeof(dns_aclelement_t));
+
+		/* Release the memory for the old elements array */
+		isc_mem_put(dest->mctx, dest->elements,
+			    dest->alloc * sizeof(dns_aclelement_t));
+		dest->elements = newmem;
+		dest->alloc = newalloc;
+	}
+
+	/*
+	 * Now copy in the new elements, increasing their node_num
+	 * values so as to keep the new ACL consistent.  If we're
+	 * negating, then negate positive elements, but keep negative
+	 * elements the same for security reasons.
+	 */
+	nelem = dest->length;
+	dest->length += source->length;
+	for (i = 0; i < source->length; i++) {
+		if (source->elements[i].node_num > max_node)
+			max_node = source->elements[i].node_num;
+
+		/* Copy type. */
+		dest->elements[nelem + i].type = source->elements[i].type;
+
+		/* Adjust node numbering. */
+		dest->elements[nelem + i].node_num =
+			source->elements[i].node_num + dest->node_count;
+
+		/* Duplicate nested acl. */
+		if (source->elements[i].type == dns_aclelementtype_nestedacl &&
+		   source->elements[i].nestedacl != NULL)
+			dns_acl_attach(source->elements[i].nestedacl,
+				       &dest->elements[nelem + i].nestedacl);
+
+		/* Duplicate key name. */
+		if (source->elements[i].type == dns_aclelementtype_keyname) {
+			dns_name_init(&dest->elements[nelem+i].keyname, NULL);
+			result = dns_name_dup(&source->elements[i].keyname,
+					      dest->mctx,
+					      &dest->elements[nelem+i].keyname);
+			if (result != ISC_R_SUCCESS)
+				return result;
+		}
+
+		/* reverse sense of positives if this is a negative acl */
+		if (!pos && source->elements[i].negative == ISC_FALSE) {
+			dest->elements[nelem + i].negative = ISC_TRUE;
+		} else {
+			dest->elements[nelem + i].negative =
+				source->elements[i].negative;
 		}
 	}
 
-	return (ISC_R_NOTFOUND);
+
+	/*
+	 * Merge the iptables.  Make sure the destination ACL's
+	 * node_count value is set correctly afterward.
+	 */
+	nodes = max_node + dest->node_count;
+	result = dns_iptable_merge(dest->iptable, source->iptable, pos);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (nodes > dest->node_count)
+		dest->node_count = nodes;
+
+	return (ISC_R_SUCCESS);
 }
 
+/*
+ * Like dns_acl_match, but matches against the single ACL element 'e'
+ * rather than a complete ACL, and returns ISC_TRUE iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
+ * caller should examine e->negative.  Since the element 'e' may be
+ * a reference to a named ACL or a nested ACL, a matching element
+ * returned through 'matchelt' is not necessarily 'e' itself.
+ */
 isc_boolean_t
 dns_aclelement_match(const isc_netaddr_t *reqaddr,
 		     const dns_name_t *reqsigner,
@@ -186,92 +373,68 @@ dns_aclelement_match(const isc_netaddr_t *reqaddr,
 		     const dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
-	const isc_netaddr_t *addr;
-	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;
 
 	switch (e->type) {
-	case dns_aclelementtype_ipprefix:
-		if (env == NULL ||
-		    env->match_mapped == ISC_FALSE ||
-		    reqaddr->family != AF_INET6 ||
-		    !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
-			addr = reqaddr;
-		else {
-			isc_netaddr_fromv4mapped(&v4addr, reqaddr);
-			addr = &v4addr;
-		}
-
-		if (isc_netaddr_eqprefix(addr,
-					 &e->u.ip_prefix.address, 
-					 e->u.ip_prefix.prefixlen))
-			goto matched;
-		break;
-		
 	case dns_aclelementtype_keyname:
 		if (reqsigner != NULL &&
-		    dns_name_equal(reqsigner, &e->u.keyname))
-			goto matched;
-		break;
-		
+		    dns_name_equal(reqsigner, &e->keyname)) {
+			if (matchelt != NULL)
+				*matchelt = e;
+			return (ISC_TRUE);
+		} else {
+			return (ISC_FALSE);
+		}
+
 	case dns_aclelementtype_nestedacl:
-		inner = e->u.nestedacl;
-	nested:
-		result = dns_acl_match(reqaddr, reqsigner,
-				       inner,
-				       env,
-				       &indirectmatch, matchelt);
-		INSIST(result == ISC_R_SUCCESS);
-
-		/*
-		 * Treat negative matches in indirect ACLs as
-		 * "no match".
-		 * That way, a negated indirect ACL will never become 
-		 * a surprise positive match through double negation.
-		 * XXXDCL this should be documented.
-		 */
-		if (indirectmatch > 0)
-			goto matchelt_set;
-		
-		/*
-		 * A negative indirect match may have set *matchelt,
-		 * but we don't want it set when we return.
-		 */
-		if (matchelt != NULL)
-			*matchelt = NULL;
+		inner = e->nestedacl;
 		break;
-		
-	case dns_aclelementtype_any:
-	matched:
-		if (matchelt != NULL)
-			*matchelt = e;
-	matchelt_set:
-		return (ISC_TRUE);
-			
+
 	case dns_aclelementtype_localhost:
-		if (env != NULL && env->localhost != NULL) {
-			inner = env->localhost;
-			goto nested;
-		} else {
-			break;
-		}
-		
+		if (env == NULL || env->localhost == NULL)
+			return (ISC_FALSE);
+		inner = env->localhost;
+		break;
+
 	case dns_aclelementtype_localnets:
-		if (env != NULL && env->localnets != NULL) {
-			inner = env->localnets;
-			goto nested;
-		} else {
-			break;
-		}
-		
+		if (env == NULL || env->localnets == NULL)
+			return (ISC_FALSE);
+		inner = env->localnets;
+		break;
+
 	default:
+		/* Should be impossible. */
 		INSIST(0);
-		break;
 	}
 
+	result = dns_acl_match(reqaddr, reqsigner, inner, env,
+			       &indirectmatch, matchelt);
+	INSIST(result == ISC_R_SUCCESS);
+
+	/*
+	 * Treat negative matches in indirect ACLs as "no match".
+	 * That way, a negated indirect ACL will never become a
+	 * surprise positive match through double negation.
+	 * XXXDCL this should be documented.
+	 */
+
+	if (indirectmatch > 0) {
+		if (matchelt != NULL)
+			*matchelt = e;
+		return (ISC_TRUE);
+	}
+
+	/*
+	 * A negative indirect match may have set *matchelt, but we don't
+	 * want it set when we return.
+	 */
+
+	if (matchelt != NULL)
+		*matchelt = NULL;
+
 	return (ISC_FALSE);
-}	
+}
 
 void
 dns_acl_attach(dns_acl_t *source, dns_acl_t **target) {
@@ -285,15 +448,10 @@ destroy(dns_acl_t *dacl) {
 	unsigned int i;
 	for (i = 0; i < dacl->length; i++) {
 		dns_aclelement_t *de = &dacl->elements[i];
-		switch (de->type) {
-		case dns_aclelementtype_keyname:
-			dns_name_free(&de->u.keyname, dacl->mctx);
-			break;
-		case dns_aclelementtype_nestedacl:
-			dns_acl_detach(&de->u.nestedacl);
-			break;
-		default:
-			break;
+		if (de->type == dns_aclelementtype_keyname) {
+			dns_name_free(&de->keyname, dacl->mctx);
+		} else if (de->type == dns_aclelementtype_nestedacl) {
+			dns_acl_detach(&de->nestedacl);
 		}
 	}
 	if (dacl->elements != NULL)
@@ -301,6 +459,8 @@ destroy(dns_acl_t *dacl) {
 			    dacl->alloc * sizeof(dns_aclelement_t));
 	if (dacl->name != NULL)
 		isc_mem_free(dacl->mctx, dacl->name);
+	if (dacl->iptable != NULL)
+		dns_iptable_detach(&dacl->iptable);
 	isc_refcount_destroy(&dacl->refcount);
 	dacl->magic = 0;
 	isc_mem_put(dacl->mctx, dacl, sizeof(*dacl));
@@ -317,69 +477,83 @@ dns_acl_detach(dns_acl_t **aclp) {
 	*aclp = NULL;
 }
 
-isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb) {
-	if (ea->type != eb->type)
-		return (ISC_FALSE);
-	switch (ea->type) {
-	case dns_aclelementtype_ipprefix:
-		if (ea->u.ip_prefix.prefixlen !=
-		    eb->u.ip_prefix.prefixlen)
-			return (ISC_FALSE);
-		return (isc_netaddr_eqprefix(&ea->u.ip_prefix.address,
-					     &eb->u.ip_prefix.address,
-					     ea->u.ip_prefix.prefixlen));
-	case dns_aclelementtype_keyname:
-		return (dns_name_equal(&ea->u.keyname, &eb->u.keyname));
-	case dns_aclelementtype_nestedacl:
-		return (dns_acl_equal(ea->u.nestedacl, eb->u.nestedacl));
-	case dns_aclelementtype_localhost:
-	case dns_aclelementtype_localnets:
-	case dns_aclelementtype_any:
-		return (ISC_TRUE);
-	default:
-		INSIST(0);
-		return (ISC_FALSE);
-	}
+
+static isc_once_t	insecure_prefix_once = ISC_ONCE_INIT;
+static isc_mutex_t	insecure_prefix_lock;
+static isc_boolean_t	insecure_prefix_found;
+
+static void
+initialize_action(void) {
+	RUNTIME_CHECK(isc_mutex_init(&insecure_prefix_lock) == ISC_R_SUCCESS);
 }
 
-isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b) {
-	unsigned int i;
-	if (a == b)
-		return (ISC_TRUE);
-	if (a->length != b->length)
-		return (ISC_FALSE);
-	for (i = 0; i < a->length; i++) {
-		if (! dns_aclelement_equal(&a->elements[i],
-					   &b->elements[i]))
-			return (ISC_FALSE);
+/*
+ * Called via isc_radix_walk() to find IP table nodes that are
+ * insecure.
+ */
+static void
+is_insecure(isc_prefix_t *prefix, void **data) {
+	isc_boolean_t secure;
+	int bitlen, family;
+
+	bitlen = prefix->bitlen;
+	family = prefix->family;
+
+	/* Negated entries are always secure. */
+	secure = * (isc_boolean_t *)data[ISC_IS6(family)];
+	if (!secure) {
+		return;
 	}
-	return (ISC_TRUE);
-}
 
-static isc_boolean_t
-is_loopback(const dns_aclipprefix_t *p) {
-	switch (p->address.family) {
+	/* If loopback prefix found, return */
+	switch (family) {
 	case AF_INET:
-		if (p->prefixlen == 32 &&
-		    htonl(p->address.type.in.s_addr) == INADDR_LOOPBACK)
-			return (ISC_TRUE);
+		if (bitlen == 32 &&
+		    htonl(prefix->add.sin.s_addr) == INADDR_LOOPBACK)
+			return;
 		break;
 	case AF_INET6:
-		if (p->prefixlen == 128 &&
-		    IN6_IS_ADDR_LOOPBACK(&p->address.type.in6))
-			return (ISC_TRUE);
+		if (bitlen == 128 && IN6_IS_ADDR_LOOPBACK(&prefix->add.sin6))
+			return;
 		break;
 	default:
 		break;
 	}
-	return (ISC_FALSE);
+
+	/* Non-negated, non-loopback */
+	insecure_prefix_found = ISC_TRUE;	/* LOCKED */
+	return;
 }
 
+/*
+ * Return ISC_TRUE iff the acl 'a' is considered insecure, that is,
+ * if it contains IP addresses other than those of the local host.
+ * This is intended for applications such as printing warning
+ * messages for suspect ACLs; it is not intended for making access
+ * control decisions.  We make no guarantee that an ACL for which
+ * this function returns ISC_FALSE is safe.
+ */
 isc_boolean_t
 dns_acl_isinsecure(const dns_acl_t *a) {
 	unsigned int i;
+	isc_boolean_t insecure;
+
+	RUNTIME_CHECK(isc_once_do(&insecure_prefix_once,
+				  initialize_action) == ISC_R_SUCCESS);
+
+	/*
+	 * Walk radix tree to find out if there are any non-negated,
+	 * non-loopback prefixes.
+	 */
+	LOCK(&insecure_prefix_lock);
+	insecure_prefix_found = ISC_FALSE;
+	isc_radix_process(a->iptable->radix, is_insecure);
+	insecure = insecure_prefix_found;
+	UNLOCK(&insecure_prefix_lock);
+	if (insecure)
+		return(ISC_TRUE);
+
+	/* Now check non-radix elements */
 	for (i = 0; i < a->length; i++) {
 		dns_aclelement_t *e = &a->elements[i];
 
@@ -388,23 +562,16 @@ dns_acl_isinsecure(const dns_acl_t *a) {
 			continue;
 
 		switch (e->type) {
-		case dns_aclelementtype_ipprefix:
-			/* The loopback address is considered secure. */
-			if (! is_loopback(&e->u.ip_prefix))
-				return (ISC_TRUE);
-			continue;
-			
 		case dns_aclelementtype_keyname:
 		case dns_aclelementtype_localhost:
 			continue;
 
 		case dns_aclelementtype_nestedacl:
-			if (dns_acl_isinsecure(e->u.nestedacl))
+			if (dns_acl_isinsecure(e->nestedacl))
 				return (ISC_TRUE);
 			continue;
-			
+
 		case dns_aclelementtype_localnets:
-		case dns_aclelementtype_any:
 			return (ISC_TRUE);
 
 		default:
@@ -412,10 +579,14 @@ dns_acl_isinsecure(const dns_acl_t *a) {
 			return (ISC_TRUE);
 		}
 	}
+
 	/* No insecure elements were found. */
 	return (ISC_FALSE);
 }
 
+/*
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
 isc_result_t
 dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
 	isc_result_t result;
diff --git a/lib/dns/adb.c b/lib/dns/adb.c
index ae5dec8..7056215 100644
--- a/lib/dns/adb.c
+++ b/lib/dns/adb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.c,v 1.215.18.24 2008/10/17 03:35:14 marka Exp $ */
+/* $Id: adb.c,v 1.243.42.4 2009/02/03 22:34:28 jinmei Exp $ */
 
 /*! \file
  *
@@ -26,13 +26,6 @@
  *
  */
 
-/*%
- * After we have cleaned all buckets, dump the database contents.
- */
-#if 0
-#define DUMP_ADB_AFTER_CLEANING
-#endif
-
 #include <config.h>
 
 #include <limits.h>
@@ -40,9 +33,9 @@
 #include <isc/mutexblock.h>
 #include <isc/netaddr.h>
 #include <isc/random.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/stats.h>
+#include <isc/string.h>         /* Required for HP/UX (and others?) */
 #include <isc/task.h>
-#include <isc/timer.h>
 #include <isc/util.h>
 
 #include <dns/adb.h>
@@ -55,28 +48,29 @@
 #include <dns/rdatatype.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
+#include <dns/stats.h>
 
-#define DNS_ADB_MAGIC		  ISC_MAGIC('D', 'a', 'd', 'b')
-#define DNS_ADB_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
-#define DNS_ADBNAME_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'N')
-#define DNS_ADBNAME_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
-#define DNS_ADBNAMEHOOK_MAGIC	  ISC_MAGIC('a', 'd', 'N', 'H')
+#define DNS_ADB_MAGIC             ISC_MAGIC('D', 'a', 'd', 'b')
+#define DNS_ADB_VALID(x)          ISC_MAGIC_VALID(x, DNS_ADB_MAGIC)
+#define DNS_ADBNAME_MAGIC         ISC_MAGIC('a', 'd', 'b', 'N')
+#define DNS_ADBNAME_VALID(x)      ISC_MAGIC_VALID(x, DNS_ADBNAME_MAGIC)
+#define DNS_ADBNAMEHOOK_MAGIC     ISC_MAGIC('a', 'd', 'N', 'H')
 #define DNS_ADBNAMEHOOK_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBNAMEHOOK_MAGIC)
-#define DNS_ADBLAMEINFO_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'Z')
+#define DNS_ADBLAMEINFO_MAGIC     ISC_MAGIC('a', 'd', 'b', 'Z')
 #define DNS_ADBLAMEINFO_VALID(x)  ISC_MAGIC_VALID(x, DNS_ADBLAMEINFO_MAGIC)
-#define DNS_ADBENTRY_MAGIC	  ISC_MAGIC('a', 'd', 'b', 'E')
-#define DNS_ADBENTRY_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
-#define DNS_ADBFETCH_MAGIC	  ISC_MAGIC('a', 'd', 'F', '4')
-#define DNS_ADBFETCH_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
-#define DNS_ADBFETCH6_MAGIC	  ISC_MAGIC('a', 'd', 'F', '6')
-#define DNS_ADBFETCH6_VALID(x)	  ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
+#define DNS_ADBENTRY_MAGIC        ISC_MAGIC('a', 'd', 'b', 'E')
+#define DNS_ADBENTRY_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBENTRY_MAGIC)
+#define DNS_ADBFETCH_MAGIC        ISC_MAGIC('a', 'd', 'F', '4')
+#define DNS_ADBFETCH_VALID(x)     ISC_MAGIC_VALID(x, DNS_ADBFETCH_MAGIC)
+#define DNS_ADBFETCH6_MAGIC       ISC_MAGIC('a', 'd', 'F', '6')
+#define DNS_ADBFETCH6_VALID(x)    ISC_MAGIC_VALID(x, DNS_ADBFETCH6_MAGIC)
 
 /*!
  * The number of buckets needs to be a prime (for good hashing).
  *
  * XXXRTH  How many buckets do we need?
  */
-#define NBUCKETS	       1009	/*%< how many buckets for names/addrs */
+#define NBUCKETS               1009     /*%< how many buckets for names/addrs */
 
 /*!
  * For type 3 negative cache entries, we will remember that the address is
@@ -84,26 +78,25 @@
  * The intent is to keep us from constantly asking about A/AAAA records
  * if the zone has extremely low TTLs.
  */
-#define ADB_CACHE_MINIMUM	10	/*%< seconds */
-#define ADB_CACHE_MAXIMUM	86400	/*%< seconds (86400 = 24 hours) */
-#define ADB_ENTRY_WINDOW	1800	/*%< seconds */
+#define ADB_CACHE_MINIMUM       10      /*%< seconds */
+#define ADB_CACHE_MAXIMUM       86400   /*%< seconds (86400 = 24 hours) */
+#define ADB_ENTRY_WINDOW        1800    /*%< seconds */
 
 /*%
- * Wake up every CLEAN_SECONDS and clean CLEAN_BUCKETS buckets, so that all
- * buckets are cleaned in CLEAN_PERIOD seconds.
+ * The period in seconds after which an ADB name entry is regarded as stale
+ * and forced to be cleaned up.
+ * TODO: This should probably be configurable at run-time.
  */
-#define CLEAN_PERIOD		3600
-/*% See #CLEAN_PERIOD */
-#define CLEAN_SECONDS		30
-/*% See #CLEAN_PERIOD */
-#define CLEAN_BUCKETS		((NBUCKETS * CLEAN_SECONDS) / CLEAN_PERIOD)
+#ifndef ADB_STALE_MARGIN
+#define ADB_STALE_MARGIN        1800
+#endif
 
-#define FREE_ITEMS		64	/*%< free count for memory pools */
-#define FILL_COUNT		16	/*%< fill count for memory pools */
+#define FREE_ITEMS              64      /*%< free count for memory pools */
+#define FILL_COUNT              16      /*%< fill count for memory pools */
 
-#define DNS_ADB_INVALIDBUCKET (-1)	/*%< invalid bucket address */
+#define DNS_ADB_INVALIDBUCKET (-1)      /*%< invalid bucket address */
 
-#define DNS_ADB_MINADBSIZE	(1024*1024)	/*%< 1 Megabyte */
+#define DNS_ADB_MINADBSIZE      (1024*1024)     /*%< 1 Megabyte */
 
 typedef ISC_LIST(dns_adbname_t) dns_adbnamelist_t;
 typedef struct dns_adbnamehook dns_adbnamehook_t;
@@ -115,61 +108,62 @@ typedef struct dns_adbfetch6 dns_adbfetch6_t;
 
 /*% dns adb structure */
 struct dns_adb {
-	unsigned int			magic;
+	unsigned int                    magic;
 
-	isc_mutex_t			lock;
-	isc_mutex_t			reflock; /*%< Covers irefcnt, erefcnt */
+	isc_mutex_t                     lock;
+	isc_mutex_t                     reflock; /*%< Covers irefcnt, erefcnt */
 	isc_mutex_t                     overmemlock; /*%< Covers overmem */
-	isc_mem_t		       *mctx;
-	dns_view_t		       *view;
-	isc_timermgr_t		       *timermgr;
-	isc_timer_t		       *timer;
-	isc_taskmgr_t		       *taskmgr;
-	isc_task_t		       *task;
-	isc_boolean_t			overmem;
-
-	isc_interval_t			tick_interval;
-	int				next_cleanbucket;
-
-	unsigned int			irefcnt;
-	unsigned int			erefcnt;
-
-	isc_mutex_t			mplock;
-	isc_mempool_t		       *nmp;	/*%< dns_adbname_t */
-	isc_mempool_t		       *nhmp;	/*%< dns_adbnamehook_t */
-	isc_mempool_t		       *limp;	/*%< dns_adblameinfo_t */
-	isc_mempool_t		       *emp;	/*%< dns_adbentry_t */
-	isc_mempool_t		       *ahmp;	/*%< dns_adbfind_t */
-	isc_mempool_t		       *aimp;	/*%< dns_adbaddrinfo_t */
-	isc_mempool_t		       *afmp;	/*%< dns_adbfetch_t */
+	isc_mem_t                      *mctx;
+	dns_view_t                     *view;
+
+	isc_taskmgr_t                  *taskmgr;
+	isc_task_t                     *task;
+	isc_boolean_t                   overmem;
+
+	isc_interval_t                  tick_interval;
+	int                             next_cleanbucket;
+
+	unsigned int                    irefcnt;
+	unsigned int                    erefcnt;
+
+	isc_mutex_t                     mplock;
+	isc_mempool_t                  *nmp;    /*%< dns_adbname_t */
+	isc_mempool_t                  *nhmp;   /*%< dns_adbnamehook_t */
+	isc_mempool_t                  *limp;   /*%< dns_adblameinfo_t */
+	isc_mempool_t                  *emp;    /*%< dns_adbentry_t */
+	isc_mempool_t                  *ahmp;   /*%< dns_adbfind_t */
+	isc_mempool_t                  *aimp;   /*%< dns_adbaddrinfo_t */
+	isc_mempool_t                  *afmp;   /*%< dns_adbfetch_t */
 
 	/*!
 	 * Bucketized locks and lists for names.
 	 *
 	 * XXXRTH  Have a per-bucket structure that contains all of these?
 	 */
-	dns_adbnamelist_t		names[NBUCKETS];
+	dns_adbnamelist_t               names[NBUCKETS];
+	dns_adbnamelist_t               deadnames[NBUCKETS];
 	/*% See dns_adbnamelist_t */
-	isc_mutex_t			namelocks[NBUCKETS];
+	isc_mutex_t                     namelocks[NBUCKETS];
 	/*% See dns_adbnamelist_t */
-	isc_boolean_t			name_sd[NBUCKETS];
+	isc_boolean_t                   name_sd[NBUCKETS];
 	/*% See dns_adbnamelist_t */
-	unsigned int			name_refcnt[NBUCKETS];
+	unsigned int                    name_refcnt[NBUCKETS];
 
 	/*!
 	 * Bucketized locks for entries.
 	 *
 	 * XXXRTH  Have a per-bucket structure that contains all of these?
 	 */
-	dns_adbentrylist_t		entries[NBUCKETS];
-	isc_mutex_t			entrylocks[NBUCKETS];
-	isc_boolean_t			entry_sd[NBUCKETS]; /*%< shutting down */
-	unsigned int			entry_refcnt[NBUCKETS];
-
-	isc_event_t			cevent;
-	isc_boolean_t			cevent_sent;
-	isc_boolean_t			shutting_down;
-	isc_eventlist_t			whenshutdown;
+	dns_adbentrylist_t              entries[NBUCKETS];
+	dns_adbentrylist_t              deadentries[NBUCKETS];
+	isc_mutex_t                     entrylocks[NBUCKETS];
+	isc_boolean_t                   entry_sd[NBUCKETS]; /*%< shutting down */
+	unsigned int                    entry_refcnt[NBUCKETS];
+
+	isc_event_t                     cevent;
+	isc_boolean_t                   cevent_sent;
+	isc_boolean_t                   shutting_down;
+	isc_eventlist_t                 whenshutdown;
 };
 
 /*
@@ -178,34 +172,35 @@ struct dns_adb {
 
 /*% dns_adbname structure */
 struct dns_adbname {
-	unsigned int			magic;
-	dns_name_t			name;
-	dns_adb_t		       *adb;
-	unsigned int			partial_result;
-	unsigned int			flags;
-	int				lock_bucket;
-	dns_name_t			target;
-	isc_stdtime_t			expire_target;
-	isc_stdtime_t			expire_v4;
-	isc_stdtime_t			expire_v6;
-	unsigned int			chains;
-	dns_adbnamehooklist_t		v4;
-	dns_adbnamehooklist_t		v6;
-	dns_adbfetch_t		       *fetch_a;
-	dns_adbfetch_t		       *fetch_aaaa;
-	unsigned int			fetch_err;
-	unsigned int			fetch6_err;
-	dns_adbfindlist_t		finds;
-	ISC_LINK(dns_adbname_t)		plink;
+	unsigned int                    magic;
+	dns_name_t                      name;
+	dns_adb_t                      *adb;
+	unsigned int                    partial_result;
+	unsigned int                    flags;
+	int                             lock_bucket;
+	dns_name_t                      target;
+	isc_stdtime_t                   expire_target;
+	isc_stdtime_t                   expire_v4;
+	isc_stdtime_t                   expire_v6;
+	unsigned int                    chains;
+	dns_adbnamehooklist_t           v4;
+	dns_adbnamehooklist_t           v6;
+	dns_adbfetch_t                 *fetch_a;
+	dns_adbfetch_t                 *fetch_aaaa;
+	unsigned int                    fetch_err;
+	unsigned int                    fetch6_err;
+	dns_adbfindlist_t               finds;
+	/* for LRU-based management */
+	isc_stdtime_t                   last_used;
+
+	ISC_LINK(dns_adbname_t)         plink;
 };
 
 /*% The adbfetch structure */
 struct dns_adbfetch {
-	unsigned int			magic;
-	dns_adbnamehook_t	       *namehook;
-	dns_adbentry_t		       *entry;
-	dns_fetch_t		       *fetch;
-	dns_rdataset_t			rdataset;
+	unsigned int                    magic;
+	dns_fetch_t                    *fetch;
+	dns_rdataset_t                  rdataset;
 };
 
 /*%
@@ -214,9 +209,9 @@ struct dns_adbfetch {
  * namehook that will contain the next address this host has.
  */
 struct dns_adbnamehook {
-	unsigned int			magic;
-	dns_adbentry_t		       *entry;
-	ISC_LINK(dns_adbnamehook_t)	plink;
+	unsigned int                    magic;
+	dns_adbentry_t                 *entry;
+	ISC_LINK(dns_adbnamehook_t)     plink;
 };
 
 /*%
@@ -225,13 +220,13 @@ struct dns_adbnamehook {
  * extended to other types of information about zones.
  */
 struct dns_adblameinfo {
-	unsigned int			magic;
+	unsigned int                    magic;
 
-	dns_name_t			qname;
-	dns_rdatatype_t			qtype;
-	isc_stdtime_t			lame_timer;
+	dns_name_t                      qname;
+	dns_rdatatype_t                 qtype;
+	isc_stdtime_t                   lame_timer;
 
-	ISC_LINK(dns_adblameinfo_t)	plink;
+	ISC_LINK(dns_adblameinfo_t)     plink;
 };
 
 /*%
@@ -240,16 +235,16 @@ struct dns_adblameinfo {
  * the host.
  */
 struct dns_adbentry {
-	unsigned int			magic;
+	unsigned int                    magic;
 
-	int				lock_bucket;
-	unsigned int			refcnt;
+	int                             lock_bucket;
+	unsigned int                    refcnt;
 
-	unsigned int			flags;
-	unsigned int			srtt;
-	isc_sockaddr_t			sockaddr;
+	unsigned int                    flags;
+	unsigned int                    srtt;
+	isc_sockaddr_t                  sockaddr;
 
-	isc_stdtime_t			expires;
+	isc_stdtime_t                   expires;
 	/*%<
 	 * A nonzero 'expires' field indicates that the entry should
 	 * persist until that time.  This allows entries found
@@ -258,8 +253,8 @@ struct dns_adbentry {
 	 * name.
 	 */
 
-	ISC_LIST(dns_adblameinfo_t)	lameinfo;
-	ISC_LINK(dns_adbentry_t)	plink;
+	ISC_LIST(dns_adblameinfo_t)     lameinfo;
+	ISC_LINK(dns_adbentry_t)        plink;
 };
 
 /*
@@ -284,7 +279,8 @@ static inline void free_adbfetch(dns_adb_t *, dns_adbfetch_t **);
 static inline dns_adbname_t *find_name_and_lock(dns_adb_t *, dns_name_t *,
 						unsigned int, int *);
 static inline dns_adbentry_t *find_entry_and_lock(dns_adb_t *,
-						  isc_sockaddr_t *, int *);
+						  isc_sockaddr_t *, int *,
+						  isc_stdtime_t);
 static void dump_adb(dns_adb_t *, FILE *, isc_boolean_t debug, isc_stdtime_t);
 static void print_dns_name(FILE *, dns_name_t *);
 static void print_namehook_list(FILE *, const char *legend,
@@ -305,15 +301,15 @@ static isc_boolean_t clean_namehooks(dns_adb_t *, dns_adbnamehooklist_t *);
 static void clean_target(dns_adb_t *, dns_name_t *);
 static void clean_finds_at_name(dns_adbname_t *, isc_eventtype_t,
 				unsigned int);
-static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t,
-					    isc_boolean_t);
+static isc_boolean_t check_expire_namehooks(dns_adbname_t *, isc_stdtime_t);
+static isc_boolean_t check_expire_entry(dns_adb_t *, dns_adbentry_t **,
+					isc_stdtime_t);
 static void cancel_fetches_at_name(dns_adbname_t *);
 static isc_result_t dbfind_name(dns_adbname_t *, isc_stdtime_t,
 				dns_rdatatype_t);
 static isc_result_t fetch_name(dns_adbname_t *, isc_boolean_t,
 			       dns_rdatatype_t);
 static inline void check_exit(dns_adb_t *);
-static void timer_cleanup(isc_task_t *, isc_event_t *);
 static void destroy(dns_adb_t *);
 static isc_boolean_t shutdown_names(dns_adb_t *);
 static isc_boolean_t shutdown_entries(dns_adb_t *);
@@ -328,28 +324,34 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
 /*
  * MUST NOT overlap DNS_ADBFIND_* flags!
  */
-#define FIND_EVENT_SENT		0x40000000
-#define FIND_EVENT_FREED	0x80000000
-#define FIND_EVENTSENT(h)	(((h)->flags & FIND_EVENT_SENT) != 0)
-#define FIND_EVENTFREED(h)	(((h)->flags & FIND_EVENT_FREED) != 0)
-
-#define NAME_NEEDS_POKE		0x80000000
-#define NAME_IS_DEAD		0x40000000
-#define NAME_HINT_OK		DNS_ADBFIND_HINTOK
-#define NAME_GLUE_OK		DNS_ADBFIND_GLUEOK
-#define NAME_STARTATZONE	DNS_ADBFIND_STARTATZONE
-#define NAME_DEAD(n)		(((n)->flags & NAME_IS_DEAD) != 0)
-#define NAME_NEEDSPOKE(n)	(((n)->flags & NAME_NEEDS_POKE) != 0)
-#define NAME_GLUEOK(n)		(((n)->flags & NAME_GLUE_OK) != 0)
-#define NAME_HINTOK(n)		(((n)->flags & NAME_HINT_OK) != 0)
+#define FIND_EVENT_SENT         0x40000000
+#define FIND_EVENT_FREED        0x80000000
+#define FIND_EVENTSENT(h)       (((h)->flags & FIND_EVENT_SENT) != 0)
+#define FIND_EVENTFREED(h)      (((h)->flags & FIND_EVENT_FREED) != 0)
+
+#define NAME_NEEDS_POKE         0x80000000
+#define NAME_IS_DEAD            0x40000000
+#define NAME_HINT_OK            DNS_ADBFIND_HINTOK
+#define NAME_GLUE_OK            DNS_ADBFIND_GLUEOK
+#define NAME_STARTATZONE        DNS_ADBFIND_STARTATZONE
+#define NAME_DEAD(n)            (((n)->flags & NAME_IS_DEAD) != 0)
+#define NAME_NEEDSPOKE(n)       (((n)->flags & NAME_NEEDS_POKE) != 0)
+#define NAME_GLUEOK(n)          (((n)->flags & NAME_GLUE_OK) != 0)
+#define NAME_HINTOK(n)          (((n)->flags & NAME_HINT_OK) != 0)
+
+/*
+ * Private flag(s) for entries.
+ * MUST NOT overlap FCTX_ADDRINFO_xxx and DNS_FETCHOPT_NOEDNS0.
+ */
+#define ENTRY_IS_DEAD		0x80000000
 
 /*
  * To the name, address classes are all that really exist.  If it has a
  * V6 address it doesn't care if it came from a AAAA query.
  */
-#define NAME_HAS_V4(n)		(!ISC_LIST_EMPTY((n)->v4))
-#define NAME_HAS_V6(n)		(!ISC_LIST_EMPTY((n)->v6))
-#define NAME_HAS_ADDRS(n)	(NAME_HAS_V4(n) || NAME_HAS_V6(n))
+#define NAME_HAS_V4(n)          (!ISC_LIST_EMPTY((n)->v4))
+#define NAME_HAS_V6(n)          (!ISC_LIST_EMPTY((n)->v6))
+#define NAME_HAS_ADDRS(n)       (NAME_HAS_V4(n) || NAME_HAS_V6(n))
 
 /*
  * Fetches are broken out into A and AAAA types.  In some cases,
@@ -358,34 +360,34 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
  * Note: since we have removed the support of A6 in adb, FETCH_A and FETCH_AAAA
  * are now equal to FETCH_V4 and FETCH_V6, respectively.
  */
-#define NAME_FETCH_A(n)		((n)->fetch_a != NULL)
-#define NAME_FETCH_AAAA(n)	((n)->fetch_aaaa != NULL)
-#define NAME_FETCH_V4(n)	(NAME_FETCH_A(n))
-#define NAME_FETCH_V6(n)	(NAME_FETCH_AAAA(n))
-#define NAME_FETCH(n)		(NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
+#define NAME_FETCH_A(n)         ((n)->fetch_a != NULL)
+#define NAME_FETCH_AAAA(n)      ((n)->fetch_aaaa != NULL)
+#define NAME_FETCH_V4(n)        (NAME_FETCH_A(n))
+#define NAME_FETCH_V6(n)        (NAME_FETCH_AAAA(n))
+#define NAME_FETCH(n)           (NAME_FETCH_V4(n) || NAME_FETCH_V6(n))
 
 /*
  * Find options and tests to see if there are addresses on the list.
  */
-#define FIND_WANTEVENT(fn)	(((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
-#define FIND_WANTEMPTYEVENT(fn)	(((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
-#define FIND_AVOIDFETCHES(fn)	(((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
+#define FIND_WANTEVENT(fn)      (((fn)->options & DNS_ADBFIND_WANTEVENT) != 0)
+#define FIND_WANTEMPTYEVENT(fn) (((fn)->options & DNS_ADBFIND_EMPTYEVENT) != 0)
+#define FIND_AVOIDFETCHES(fn)   (((fn)->options & DNS_ADBFIND_AVOIDFETCHES) \
 				 != 0)
-#define FIND_STARTATZONE(fn)	(((fn)->options & DNS_ADBFIND_STARTATZONE) \
+#define FIND_STARTATZONE(fn)    (((fn)->options & DNS_ADBFIND_STARTATZONE) \
 				 != 0)
-#define FIND_HINTOK(fn)		(((fn)->options & DNS_ADBFIND_HINTOK) != 0)
-#define FIND_GLUEOK(fn)		(((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
-#define FIND_HAS_ADDRS(fn)	(!ISC_LIST_EMPTY((fn)->list))
-#define FIND_RETURNLAME(fn)	(((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
+#define FIND_HINTOK(fn)         (((fn)->options & DNS_ADBFIND_HINTOK) != 0)
+#define FIND_GLUEOK(fn)         (((fn)->options & DNS_ADBFIND_GLUEOK) != 0)
+#define FIND_HAS_ADDRS(fn)      (!ISC_LIST_EMPTY((fn)->list))
+#define FIND_RETURNLAME(fn)     (((fn)->options & DNS_ADBFIND_RETURNLAME) != 0)
 
 /*
  * These are currently used on simple unsigned ints, so they are
  * not really associated with any particular type.
  */
-#define WANT_INET(x)		(((x) & DNS_ADBFIND_INET) != 0)
-#define WANT_INET6(x)		(((x) & DNS_ADBFIND_INET6) != 0)
+#define WANT_INET(x)            (((x) & DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x)           (((x) & DNS_ADBFIND_INET6) != 0)
 
-#define EXPIRE_OK(exp, now)	((exp == INT_MAX) || (exp < now))
+#define EXPIRE_OK(exp, now)     ((exp == INT_MAX) || (exp < now))
 
 /*
  * Find out if the flags on a name (nf) indicate if it is a hint or
@@ -398,19 +400,19 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
 #define STARTATZONE_MATCHES(nf, o) (((nf)->flags & NAME_STARTATZONE) == \
 				    ((o) & DNS_ADBFIND_STARTATZONE))
 
-#define ENTER_LEVEL		ISC_LOG_DEBUG(50)
-#define EXIT_LEVEL		ENTER_LEVEL
-#define CLEAN_LEVEL		ISC_LOG_DEBUG(100)
-#define DEF_LEVEL		ISC_LOG_DEBUG(5)
-#define NCACHE_LEVEL		ISC_LOG_DEBUG(20)
+#define ENTER_LEVEL             ISC_LOG_DEBUG(50)
+#define EXIT_LEVEL              ENTER_LEVEL
+#define CLEAN_LEVEL             ISC_LOG_DEBUG(100)
+#define DEF_LEVEL               ISC_LOG_DEBUG(5)
+#define NCACHE_LEVEL            ISC_LOG_DEBUG(20)
 
-#define NCACHE_RESULT(r)	((r) == DNS_R_NCACHENXDOMAIN || \
+#define NCACHE_RESULT(r)        ((r) == DNS_R_NCACHENXDOMAIN || \
 				 (r) == DNS_R_NCACHENXRRSET)
-#define AUTH_NX(r)		((r) == DNS_R_NXDOMAIN || \
+#define AUTH_NX(r)              ((r) == DNS_R_NXDOMAIN || \
 				 (r) == DNS_R_NXRRSET)
-#define NXDOMAIN_RESULT(r)	((r) == DNS_R_NXDOMAIN || \
+#define NXDOMAIN_RESULT(r)      ((r) == DNS_R_NXDOMAIN || \
 				 (r) == DNS_R_NCACHENXDOMAIN)
-#define NXRRSET_RESULT(r)	((r) == DNS_R_NCACHENXRRSET || \
+#define NXRRSET_RESULT(r)       ((r) == DNS_R_NCACHENXRRSET || \
 				 (r) == DNS_R_NXRRSET || \
 				 (r) == DNS_R_HINTNXRRSET)
 
@@ -418,14 +420,14 @@ static void dump_entry(FILE *, dns_adbentry_t *, isc_boolean_t, isc_stdtime_t);
  * Error state rankings.
  */
 
-#define FIND_ERR_SUCCESS		0  /* highest rank */
-#define FIND_ERR_CANCELED		1
-#define FIND_ERR_FAILURE		2
-#define FIND_ERR_NXDOMAIN		3
-#define FIND_ERR_NXRRSET		4
-#define FIND_ERR_UNEXPECTED		5
-#define FIND_ERR_NOTFOUND		6
-#define FIND_ERR_MAX			7
+#define FIND_ERR_SUCCESS                0  /* highest rank */
+#define FIND_ERR_CANCELED               1
+#define FIND_ERR_FAILURE                2
+#define FIND_ERR_NXDOMAIN               3
+#define FIND_ERR_NXRRSET                4
+#define FIND_ERR_UNEXPECTED             5
+#define FIND_ERR_NOTFOUND               6
+#define FIND_ERR_MAX                    7
 
 static const char *errnames[] = {
 	"success",
@@ -437,7 +439,7 @@ static const char *errnames[] = {
 	"not_found"
 };
 
-#define NEWERR(old, new)	(ISC_MIN((old), (new)))
+#define NEWERR(old, new)        (ISC_MIN((old), (new)))
 
 static isc_result_t find_err_map[FIND_ERR_MAX] = {
 	ISC_R_SUCCESS,
@@ -446,7 +448,7 @@ static isc_result_t find_err_map[FIND_ERR_MAX] = {
 	DNS_R_NXDOMAIN,
 	DNS_R_NXRRSET,
 	ISC_R_UNEXPECTED,
-	ISC_R_NOTFOUND		/* not YET found */
+	ISC_R_NOTFOUND          /* not YET found */
 };
 
 static void
@@ -463,6 +465,15 @@ DP(int level, const char *format, ...) {
 	va_end(args);
 }
 
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static inline void
+inc_stats(dns_adb_t *adb, isc_statscounter_t counter) {
+	if (adb->view->resstats != NULL)
+		isc_stats_increment(adb->view->resstats, counter);
+}
+
 static inline dns_ttl_t
 ttlclamp(dns_ttl_t ttl) {
 	if (ttl < ADB_CACHE_MINIMUM)
@@ -536,7 +547,8 @@ import_rdataset(dns_adbname_t *adbname, dns_rdataset_t *rdataset,
 			goto fail;
 		}
 
-		foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket);
+		foundentry = find_entry_and_lock(adb, &sockaddr, &addr_bucket,
+						 now);
 		if (foundentry == NULL) {
 			dns_adbentry_t *entry;
 
@@ -617,6 +629,7 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
 	dns_adbname_t *name;
 	isc_boolean_t result = ISC_FALSE;
 	isc_boolean_t result4, result6;
+	int bucket;
 	dns_adb_t *adb;
 
 	INSIST(n != NULL);
@@ -661,8 +674,13 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
 		if (result)
 			result = dec_adb_irefcnt(adb);
 	} else {
-		name->flags |= NAME_IS_DEAD;
 		cancel_fetches_at_name(name);
+		if (!NAME_DEAD(name)) {
+			bucket = name->lock_bucket;
+			ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+			ISC_LIST_APPEND(adb->deadnames[bucket], name, plink);
+			name->flags |= NAME_IS_DEAD;
+		}
 	}
 	return (result);
 }
@@ -671,11 +689,8 @@ kill_name(dns_adbname_t **n, isc_eventtype_t ev) {
  * Requires the name's bucket be locked and no entry buckets be locked.
  */
 static isc_boolean_t
-check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
-		       isc_boolean_t overmem)
-{
+check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now) {
 	dns_adb_t *adb;
-	isc_boolean_t expire;
 	isc_boolean_t result4 = ISC_FALSE;
 	isc_boolean_t result6 = ISC_FALSE;
 
@@ -683,20 +698,10 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
 	adb = name->adb;
 	INSIST(DNS_ADB_VALID(adb));
 
-	if (overmem) {
-		isc_uint32_t val;
-
-		isc_random_get(&val);
-
-		expire = ISC_TF((val % 4) == 0);
-	} else
-		expire = ISC_FALSE;
-
 	/*
 	 * Check to see if we need to remove the v4 addresses
 	 */
-	if (!NAME_FETCH_V4(name) &&
-	    (expire || EXPIRE_OK(name->expire_v4, now))) {
+	if (!NAME_FETCH_V4(name) && EXPIRE_OK(name->expire_v4, now)) {
 		if (NAME_HAS_V4(name)) {
 			DP(DEF_LEVEL, "expiring v4 for name %p", name);
 			result4 = clean_namehooks(adb, &name->v4);
@@ -709,8 +714,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
 	/*
 	 * Check to see if we need to remove the v6 addresses
 	 */
-	if (!NAME_FETCH_V6(name) &&
-	    (expire || EXPIRE_OK(name->expire_v6, now))) {
+	if (!NAME_FETCH_V6(name) && EXPIRE_OK(name->expire_v6, now)) {
 		if (NAME_HAS_V6(name)) {
 			DP(DEF_LEVEL, "expiring v6 for name %p", name);
 			result6 = clean_namehooks(adb, &name->v6);
@@ -723,7 +727,7 @@ check_expire_namehooks(dns_adbname_t *name, isc_stdtime_t now,
 	/*
 	 * Check to see if we need to remove the alias target.
 	 */
-	if (expire || EXPIRE_OK(name->expire_target, now)) {
+	if (EXPIRE_OK(name->expire_target, now)) {
 		clean_target(adb, &name->target);
 		name->expire_target = INT_MAX;
 	}
@@ -753,7 +757,10 @@ unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
 	bucket = name->lock_bucket;
 	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
 
-	ISC_LIST_UNLINK(adb->names[bucket], name, plink);
+	if (NAME_DEAD(name))
+		ISC_LIST_UNLINK(adb->deadnames[bucket], name, plink);
+	else
+		ISC_LIST_UNLINK(adb->names[bucket], name, plink);
 	name->lock_bucket = DNS_ADB_INVALIDBUCKET;
 	INSIST(adb->name_refcnt[bucket] > 0);
 	adb->name_refcnt[bucket]--;
@@ -767,6 +774,26 @@ unlink_name(dns_adb_t *adb, dns_adbname_t *name) {
  */
 static inline void
 link_entry(dns_adb_t *adb, int bucket, dns_adbentry_t *entry) {
+	int i;
+	dns_adbentry_t *e;
+
+	if (adb->overmem) {
+		for (i = 0; i < 2; i++) {
+			e = ISC_LIST_TAIL(adb->entries[bucket]);
+			if (e == NULL)
+				break;
+			if (e->refcnt == 0) {
+				unlink_entry(adb, e);
+				free_adbentry(adb, &e);
+				continue;
+			}
+			INSIST((e->flags & ENTRY_IS_DEAD) == 0);
+			e->flags |= ENTRY_IS_DEAD;
+			ISC_LIST_UNLINK(adb->entries[bucket], e, plink);
+			ISC_LIST_PREPEND(adb->deadentries[bucket], e, plink);
+		}
+	}
+
 	ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
 	entry->lock_bucket = bucket;
 	adb->entry_refcnt[bucket]++;
@@ -783,7 +810,10 @@ unlink_entry(dns_adb_t *adb, dns_adbentry_t *entry) {
 	bucket = entry->lock_bucket;
 	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
 
-	ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+	if ((entry->flags & ENTRY_IS_DEAD) != 0)
+		ISC_LIST_UNLINK(adb->deadentries[bucket], entry, plink);
+	else
+		ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
 	entry->lock_bucket = DNS_ADB_INVALIDBUCKET;
 	INSIST(adb->entry_refcnt[bucket] > 0);
 	adb->entry_refcnt[bucket]--;
@@ -862,7 +892,7 @@ shutdown_entries(dns_adb_t *adb) {
 		adb->entry_sd[bucket] = ISC_TRUE;
 
 		entry = ISC_LIST_HEAD(adb->entries[bucket]);
-		if (entry == NULL) {
+		if (adb->entry_refcnt[bucket] == 0) {
 			/*
 			 * This bucket has no entries.  We must decrement the
 			 * irefcnt ourselves, since it will not be
@@ -1140,7 +1170,7 @@ check_exit(dns_adb_t *adb) {
 		 * If there aren't any external references either, we're
 		 * done.  Send the control event to initiate shutdown.
 		 */
-		INSIST(!adb->cevent_sent);	/* Sanity check. */
+		INSIST(!adb->cevent_sent);      /* Sanity check. */
 		event = &adb->cevent;
 		isc_task_send(adb->task, &event);
 		adb->cevent_sent = ISC_TRUE;
@@ -1220,7 +1250,8 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
 
 	destroy_entry = ISC_FALSE;
 	if (entry->refcnt == 0 &&
-	    (adb->entry_sd[bucket] || entry->expires == 0)) {
+	    (adb->entry_sd[bucket] || entry->expires == 0 || adb->overmem ||
+	     (entry->flags & ENTRY_IS_DEAD) != 0)) {
 		destroy_entry = ISC_TRUE;
 		result = unlink_entry(adb, entry);
 	}
@@ -1235,7 +1266,7 @@ dec_entry_refcnt(dns_adb_t *adb, dns_adbentry_t *entry, isc_boolean_t lock) {
 
 	free_adbentry(adb, &entry);
 	if (result)
-		result =dec_adb_irefcnt(adb);
+		result = dec_adb_irefcnt(adb);
 
 	return (result);
 }
@@ -1463,31 +1494,13 @@ new_adbfetch(dns_adb_t *adb) {
 		return (NULL);
 
 	f->magic = 0;
-	f->namehook = NULL;
-	f->entry = NULL;
 	f->fetch = NULL;
 
-	f->namehook = new_adbnamehook(adb, NULL);
-	if (f->namehook == NULL)
-		goto err;
-
-	f->entry = new_adbentry(adb);
-	if (f->entry == NULL)
-		goto err;
-
 	dns_rdataset_init(&f->rdataset);
 
 	f->magic = DNS_ADBFETCH_MAGIC;
 
 	return (f);
-
- err:
-	if (f->namehook != NULL)
-		free_adbnamehook(adb, &f->namehook);
-	if (f->entry != NULL)
-		free_adbentry(adb, &f->entry);
-	isc_mempool_put(adb->afmp, f);
-	return (NULL);
 }
 
 static inline void
@@ -1500,11 +1513,6 @@ free_adbfetch(dns_adb_t *adb, dns_adbfetch_t **fetch) {
 
 	f->magic = 0;
 
-	if (f->namehook != NULL)
-		free_adbnamehook(adb, &f->namehook);
-	if (f->entry != NULL)
-		free_adbentry(adb, &f->entry);
-
 	if (dns_rdataset_isassociated(&f->rdataset))
 		dns_rdataset_disassociate(&f->rdataset);
 
@@ -1622,8 +1630,10 @@ find_name_and_lock(dns_adb_t *adb, dns_name_t *name,
  * the bucket changes.
  */
 static inline dns_adbentry_t *
-find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
-	dns_adbentry_t *entry;
+find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp,
+	isc_stdtime_t now)
+{
+	dns_adbentry_t *entry, *entry_next;
 	int bucket;
 
 	bucket = isc_sockaddr_hash(addr, ISC_TRUE) % NBUCKETS;
@@ -1637,11 +1647,18 @@ find_entry_and_lock(dns_adb_t *adb, isc_sockaddr_t *addr, int *bucketp) {
 		*bucketp = bucket;
 	}
 
-	entry = ISC_LIST_HEAD(adb->entries[bucket]);
-	while (entry != NULL) {
-		if (isc_sockaddr_equal(addr, &entry->sockaddr))
+	/* Search the list, while cleaning up expired entries. */
+	for (entry = ISC_LIST_HEAD(adb->entries[bucket]);
+	     entry != NULL;
+	     entry = entry_next) {
+		entry_next = ISC_LIST_NEXT(entry, plink);
+		(void)check_expire_entry(adb, &entry, now);
+		if (entry != NULL &&
+		    isc_sockaddr_equal(addr, &entry->sockaddr)) {
+			ISC_LIST_UNLINK(adb->entries[bucket], entry, plink);
+			ISC_LIST_PREPEND(adb->entries[bucket], entry, plink);
 			return (entry);
-		entry = ISC_LIST_NEXT(entry, plink);
+		}
 	}
 
 	return (NULL);
@@ -1775,19 +1792,12 @@ shutdown_task(isc_task_t *task, isc_event_t *ev) {
 	adb = ev->ev_arg;
 	INSIST(DNS_ADB_VALID(adb));
 
+	isc_event_free(&ev);
 	/*
 	 * Wait for lock around check_exit() call to be released.
 	 */
 	LOCK(&adb->lock);
-	/*
-	 * Kill the timer, and then the ADB itself.  Note that this implies
-	 * that this task was the one scheduled to get timer events.  If
-	 * this is not true (and it is unfortunate there is no way to INSIST()
-	 * this) badness will occur.
-	 */
-	isc_timer_detach(&adb->timer);
 	UNLOCK(&adb->lock);
-	isc_event_free(&ev);
 	destroy(adb);
 }
 
@@ -1826,6 +1836,62 @@ check_expire_name(dns_adbname_t **namep, isc_stdtime_t now) {
 	return (result);
 }
 
+/*%
+ * Examine the tail entry of the LRU list to see if it expires or is stale
+ * (unused for some period); if so, the name entry will be freed.  If the ADB
+ * is in the overmem condition, the tail and the next to tail entries
+ * will be unconditionally removed (unless they have an outstanding fetch).
+ * We don't care about a race on 'overmem' at the risk of causing some
+ * collateral damage or a small delay in starting cleanup, so we don't bother
+ * to lock ADB (if it's not locked).
+ *
+ * Name bucket must be locked; adb may be locked; no other locks held.
+ */
+static void
+check_stale_name(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
+	int victims, max_victims;
+	isc_boolean_t result;
+	dns_adbname_t *victim, *next_victim;
+	isc_boolean_t overmem = adb->overmem;
+	int scans = 0;
+
+	INSIST(bucket != DNS_ADB_INVALIDBUCKET);
+
+	max_victims = overmem ? 2 : 1;
+
+	/*
+	 * We limit the number of scanned entries to 10 (arbitrary choice)
+	 * in order to avoid examining too many entries when there are many
+	 * tail entries that have fetches (this should be rare, but could
+	 * happen).
+	 */
+	victim = ISC_LIST_TAIL(adb->names[bucket]);
+	for (victims = 0;
+	     victim != NULL && victims < max_victims && scans < 10;
+	     victim = next_victim) {
+		INSIST(!NAME_DEAD(victim));
+		scans++;
+		next_victim = ISC_LIST_PREV(victim, plink);
+		result = check_expire_name(&victim, now);
+		if (victim == NULL) {
+			victims++;
+			goto next;
+		}
+
+		if (!NAME_FETCH(victim) &&
+		    (overmem || victim->last_used + ADB_STALE_MARGIN <= now)) {
+			RUNTIME_CHECK(kill_name(&victim,
+						DNS_EVENT_ADBCANCELED) ==
+				      ISC_FALSE);
+			victims++;
+		}
+
+	next:
+		if (!overmem)
+			break;
+	}
+}
+
 /*
  * Entry bucket must be locked; adb may be locked; no other locks held.
  */
@@ -1833,7 +1899,6 @@ static isc_boolean_t
 check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
 {
 	dns_adbentry_t *entry;
-	isc_boolean_t expire;
 	isc_boolean_t result = ISC_FALSE;
 
 	INSIST(entryp != NULL && DNS_ADBENTRY_VALID(*entryp));
@@ -1842,16 +1907,7 @@ check_expire_entry(dns_adb_t *adb, dns_adbentry_t **entryp, isc_stdtime_t now)
 	if (entry->refcnt != 0)
 		return (result);
 
-	if (adb->overmem) {
-		isc_uint32_t val;
-
-		isc_random_get(&val);
-
-		expire = ISC_TF((val % 4) == 0);
-	} else
-		expire = ISC_FALSE;
-
-	if (entry->expires == 0 || (! expire && entry->expires > now))
+	if (entry->expires == 0 || entry->expires > now)
 		return (result);
 
 	/*
@@ -1888,7 +1944,7 @@ cleanup_names(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 	while (name != NULL) {
 		next_name = ISC_LIST_NEXT(name, plink);
 		INSIST(result == ISC_FALSE);
-		result = check_expire_namehooks(name, now, adb->overmem);
+		result = check_expire_namehooks(name, now);
 		if (!result)
 			result = check_expire_name(&name, now);
 		name = next_name;
@@ -1920,66 +1976,9 @@ cleanup_entries(dns_adb_t *adb, int bucket, isc_stdtime_t now) {
 }
 
 static void
-timer_cleanup(isc_task_t *task, isc_event_t *ev) {
-	dns_adb_t *adb;
-	isc_stdtime_t now;
-	unsigned int i;
-	isc_interval_t interval;
-
-	UNUSED(task);
-
-	adb = ev->ev_arg;
-	INSIST(DNS_ADB_VALID(adb));
-
-	LOCK(&adb->lock);
-
-	isc_stdtime_get(&now);
-
-	for (i = 0; i < CLEAN_BUCKETS; i++) {
-		/*
-		 * Call our cleanup routines.
-		 */
-		RUNTIME_CHECK(cleanup_names(adb, adb->next_cleanbucket, now) ==
-			      ISC_FALSE);
-		RUNTIME_CHECK(cleanup_entries(adb, adb->next_cleanbucket, now)
-			      == ISC_FALSE);
-
-		/*
-		 * Set the next bucket to be cleaned.
-		 */
-		adb->next_cleanbucket++;
-		if (adb->next_cleanbucket >= NBUCKETS) {
-			adb->next_cleanbucket = 0;
-#ifdef DUMP_ADB_AFTER_CLEANING
-			dump_adb(adb, stdout, ISC_TRUE, now);
-#endif
-		}
-	}
-
-	/*
-	 * Reset the timer.
-	 * XXXDCL isc_timer_reset might return ISC_R_UNEXPECTED or
-	 * ISC_R_NOMEMORY, but it isn't clear what could be done here
-	 * if either one of those things happened.
-	 */
-	interval = adb->tick_interval;
-	if (adb->overmem)
-		isc_interval_set(&interval, 0, 1);
-	(void)isc_timer_reset(adb->timer, isc_timertype_once, NULL,
-			      &interval, ISC_FALSE);
-
-	UNLOCK(&adb->lock);
-
-	isc_event_free(&ev);
-}
-
-static void
 destroy(dns_adb_t *adb) {
 	adb->magic = 0;
 
-	/*
-	 * The timer is already dead, from the task's shutdown callback.
-	 */
 	isc_task_detach(&adb->task);
 
 	isc_mempool_destroy(&adb->nmp);
@@ -2016,10 +2015,12 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 
 	REQUIRE(mem != NULL);
 	REQUIRE(view != NULL);
-	REQUIRE(timermgr != NULL);
+	REQUIRE(timermgr != NULL); /* this is actually unused */
 	REQUIRE(taskmgr != NULL);
 	REQUIRE(newadb != NULL && *newadb == NULL);
 
+	UNUSED(timermgr);
+
 	adb = isc_mem_get(mem, sizeof(dns_adb_t));
 	if (adb == NULL)
 		return (ISC_R_NOMEMORY);
@@ -2039,10 +2040,8 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 	adb->aimp = NULL;
 	adb->afmp = NULL;
 	adb->task = NULL;
-	adb->timer = NULL;
 	adb->mctx = NULL;
 	adb->view = view;
-	adb->timermgr = timermgr;
 	adb->taskmgr = taskmgr;
 	adb->next_cleanbucket = 0;
 	ISC_EVENT_INIT(&adb->cevent, sizeof(adb->cevent), 0, NULL,
@@ -2080,12 +2079,14 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 		goto fail1;
 	for (i = 0; i < NBUCKETS; i++) {
 		ISC_LIST_INIT(adb->names[i]);
+		ISC_LIST_INIT(adb->deadnames[i]);
 		adb->name_sd[i] = ISC_FALSE;
 		adb->name_refcnt[i] = 0;
 		adb->irefcnt++;
 	}
 	for (i = 0; i < NBUCKETS; i++) {
 		ISC_LIST_INIT(adb->entries[i]);
+		ISC_LIST_INIT(adb->deadentries[i]);
 		adb->entry_sd[i] = ISC_FALSE;
 		adb->entry_refcnt[i] = 0;
 		adb->irefcnt++;
@@ -2118,25 +2119,12 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
 #undef MPINIT
 
 	/*
-	 * Allocate a timer and a task for our periodic cleanup.
+	 * Allocate an internal task.
 	 */
 	result = isc_task_create(adb->taskmgr, 0, &adb->task);
 	if (result != ISC_R_SUCCESS)
 		goto fail3;
 	isc_task_setname(adb->task, "ADB", adb);
-	/*
-	 * XXXMLG When this is changed to be a config file option,
-	 */
-	isc_interval_set(&adb->tick_interval, CLEAN_SECONDS, 0);
-	result = isc_timer_create(adb->timermgr, isc_timertype_once,
-				  NULL, &adb->tick_interval, adb->task,
-				  timer_cleanup, adb, &adb->timer);
-	if (result != ISC_R_SUCCESS)
-		goto fail3;
-
-	DP(ISC_LOG_DEBUG(5), "cleaning interval for adb: "
-	   "%u buckets every %u seconds, %u buckets in system, %u cl.interval",
-	   CLEAN_BUCKETS, CLEAN_SECONDS, NBUCKETS, CLEAN_PERIOD);
 
 	/*
 	 * Normal return.
@@ -2148,8 +2136,6 @@ dns_adb_create(isc_mem_t *mem, dns_view_t *view, isc_timermgr_t *timermgr,
  fail3:
 	if (adb->task != NULL)
 		isc_task_detach(&adb->task);
-	if (adb->timer != NULL)
-		isc_timer_detach(&adb->timer);
 
 	/* clean up entrylocks */
 	DESTROYMUTEXBLOCK(adb->entrylocks, NBUCKETS);
@@ -2328,18 +2314,18 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 	 *
 	 * Possibilities:  Note that these are not always exclusive.
 	 *
-	 *	No name found.  In this case, allocate a new name header and
-	 *	an initial namehook or two.  If any of these allocations
-	 *	fail, clean up and return ISC_R_NOMEMORY.
+	 *      No name found.  In this case, allocate a new name header and
+	 *      an initial namehook or two.  If any of these allocations
+	 *      fail, clean up and return ISC_R_NOMEMORY.
 	 *
-	 *	Name found, valid addresses present.  Allocate one addrinfo
-	 *	structure for each found and append it to the linked list
-	 *	of addresses for this header.
+	 *      Name found, valid addresses present.  Allocate one addrinfo
+	 *      structure for each found and append it to the linked list
+	 *      of addresses for this header.
 	 *
-	 *	Name found, queries pending.  In this case, if a task was
-	 *	passed in, allocate a job id, attach it to the name's job
-	 *	list and remember to tell the caller that there will be
-	 *	more info coming later.
+	 *      Name found, queries pending.  In this case, if a task was
+	 *      passed in, allocate a job id, attach it to the name's job
+	 *      list and remember to tell the caller that there will be
+	 *      more info coming later.
 	 */
 
 	find = new_adbfind(adb);
@@ -2374,6 +2360,12 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 	 * Nothing found.  Allocate a new adbname structure for this name.
 	 */
 	if (adbname == NULL) {
+		/*
+		 * See if there is any stale name at the end of list, and purge
+		 * it if so.
+		 */
+		check_stale_name(adb, bucket, now);
+
 		adbname = new_adbname(adb, name);
 		if (adbname == NULL) {
 			RUNTIME_CHECK(free_adbfind(adb, &find) == ISC_FALSE);
@@ -2387,13 +2379,17 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
 			adbname->flags |= NAME_GLUE_OK;
 		if (FIND_STARTATZONE(find))
 			adbname->flags |= NAME_STARTATZONE;
+	} else {
+		/* Move this name forward in the LRU list */
+		ISC_LIST_UNLINK(adb->names[bucket], adbname, plink);
+		ISC_LIST_PREPEND(adb->names[bucket], adbname, plink);
 	}
+	adbname->last_used = now;
 
 	/*
 	 * Expire old entries, etc.
 	 */
-	RUNTIME_CHECK(check_expire_namehooks(adbname, now, adb->overmem) ==
-		      ISC_FALSE);
+	RUNTIME_CHECK(check_expire_namehooks(adbname, now) == ISC_FALSE);
 
 	/*
 	 * Do we know that the name is an alias?
@@ -2953,8 +2949,8 @@ print_namehook_list(FILE *f, const char *legend, dns_adbnamehooklist_t *list,
 
 static inline void
 print_fetch(FILE *f, dns_adbfetch_t *ft, const char *type) {
-	fprintf(f, "\t\tFetch(%s): %p -> { nh %p, entry %p, fetch %p }\n",
-		type, ft, ft->namehook, ft->entry, ft->fetch);
+	fprintf(f, "\t\tFetch(%s): %p -> { fetch %p }\n",
+		type, ft, ft->fetch);
 }
 
 static void
@@ -2991,7 +2987,7 @@ dbfind_name(dns_adbname_t *adbname, isc_stdtime_t now, dns_rdatatype_t rdtype)
 	INSIST(rdtype == dns_rdatatype_a || rdtype == dns_rdatatype_aaaa);
 
 	dns_fixedname_init(&foundname);
-	fname =	dns_fixedname_name(&foundname);
+	fname = dns_fixedname_name(&foundname);
 	dns_rdataset_init(&rdataset);
 
 	if (rdtype == dns_rdatatype_a)
@@ -3202,6 +3198,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 				name->fetch_err = FIND_ERR_NXDOMAIN;
 			else
 				name->fetch_err = FIND_ERR_NXRRSET;
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
 		} else {
 			DP(NCACHE_LEVEL, "adb fetch name %p: "
 			   "caching negative entry for AAAA (ttl %u)",
@@ -3212,6 +3209,7 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 				name->fetch6_err = FIND_ERR_NXDOMAIN;
 			else
 				name->fetch6_err = FIND_ERR_NXRRSET;
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
 		}
 		goto out;
 	}
@@ -3251,9 +3249,11 @@ fetch_callback(isc_task_t *task, isc_event_t *ev) {
 		if (address_type == DNS_ADBFIND_INET) {
 			name->expire_v4 = ISC_MIN(name->expire_v4, now + 300);
 			name->fetch_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv4fail);
 		} else {
 			name->expire_v6 = ISC_MIN(name->expire_v6, now + 300);
 			name->fetch6_err = FIND_ERR_FAILURE;
+			inc_stats(adb, dns_resstatscounter_gluefetchv6fail);
 		}
 		goto out;
 	}
@@ -3338,10 +3338,13 @@ fetch_name(dns_adbname_t *adbname,
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
-	if (type == dns_rdatatype_a)
+	if (type == dns_rdatatype_a) {
 		adbname->fetch_a = fetch;
-	else
+		inc_stats(adb, dns_resstatscounter_gluefetchv4);
+	} else {
 		adbname->fetch_aaaa = fetch;
+		inc_stats(adb, dns_resstatscounter_gluefetchv6);
+	}
 	fetch = NULL;  /* Keep us from cleaning this up below. */
 
  cleanup:
@@ -3464,7 +3467,7 @@ dns_adb_findaddrinfo(dns_adb_t *adb, isc_sockaddr_t *sa,
 
 	result = ISC_R_SUCCESS;
 	bucket = DNS_ADB_INVALIDBUCKET;
-	entry = find_entry_and_lock(adb, sa, &bucket);
+	entry = find_entry_and_lock(adb, sa, &bucket, now);
 	if (adb->entry_sd[bucket]) {
 		result = ISC_R_SHUTTINGDOWN;
 		goto unlock;
@@ -3590,7 +3593,6 @@ static void
 water(void *arg, int mark) {
 	dns_adb_t *adb = arg;
 	isc_boolean_t overmem = ISC_TF(mark == ISC_MEM_HIWATER);
-	isc_interval_t interval;
 
 	REQUIRE(DNS_ADB_VALID(adb));
 
@@ -3604,11 +3606,6 @@ water(void *arg, int mark) {
 	LOCK(&adb->overmemlock);
 	if (adb->overmem != overmem) {
 		adb->overmem = overmem;
-		if (overmem) {
-			isc_interval_set(&interval, 0, 1);
-			(void)isc_timer_reset(adb->timer, isc_timertype_once,
-					      NULL, &interval, ISC_TRUE);
-		}
 		isc_mem_waterack(adb->mctx, mark);
 	}
 	UNLOCK(&adb->overmemlock);
diff --git a/lib/dns/api b/lib/dns/api
index 0b8a3bc..5ef8dc0 100644
--- a/lib/dns/api
+++ b/lib/dns/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 36
-LIBREVISION = 2
-LIBAGE = 0
+LIBINTERFACE = 51
+LIBREVISION = 1
+LIBAGE = 1
diff --git a/lib/dns/byaddr.c b/lib/dns/byaddr.c
index 38d6e8b..234d6b2 100644
--- a/lib/dns/byaddr.c
+++ b/lib/dns/byaddr.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.c,v 1.34.18.3 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: byaddr.c,v 1.39 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/cache.c b/lib/dns/cache.c
index c9b4a95..aee824e 100644
--- a/lib/dns/cache.c
+++ b/lib/dns/cache.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,13 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.c,v 1.57.18.18 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: cache.c,v 1.80.50.3 2009/05/06 23:34:30 jinmei Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
 #include <isc/mem.h>
+#include <isc/string.h>
 #include <isc/task.h>
 #include <isc/time.h>
 #include <isc/timer.h>
@@ -47,7 +48,7 @@
  * DNS_CACHE_MINSIZE is how many bytes is the floor for dns_cache_setcachesize().
  * See also DNS_CACHE_CLEANERINCREMENT
  */
-#define DNS_CACHE_MINSIZE 		2097152	/*%< Bytes.  2097152 = 2 MB */
+#define DNS_CACHE_MINSIZE	2097152 /*%< Bytes.  2097152 = 2 MB */
 /*!
  * Control incremental cleaning.
  * CLEANERINCREMENT is how many nodes are examined in one pass.
@@ -60,7 +61,7 @@
  ***/
 
 /*
- * A cache_cleaner_t encapsulsates the state of the periodic
+ * A cache_cleaner_t encapsulates the state of the periodic
  * cache cleaning.
  */
 
@@ -69,7 +70,7 @@ typedef struct cache_cleaner cache_cleaner_t;
 typedef enum {
 	cleaner_s_idle,	/*%< Waiting for cleaning-interval to expire. */
 	cleaner_s_busy,	/*%< Currently cleaning. */
-	cleaner_s_done  /*%< Freed enough memory after being overmem. */
+	cleaner_s_done	/*%< Freed enough memory after being overmem. */
 } cleaner_state_t;
 
 /*
@@ -95,19 +96,19 @@ struct cache_cleaner {
 	 */
 
 	dns_cache_t	*cache;
-	isc_task_t 	*task;
+	isc_task_t	*task;
 	unsigned int	cleaning_interval; /*% The cleaning-interval from
 					      named.conf, in seconds. */
-	isc_timer_t 	*cleaning_timer;
+	isc_timer_t	*cleaning_timer;
 	isc_event_t	*resched_event;	/*% Sent by cleaner task to
 					   itself to reschedule */
 	isc_event_t	*overmem_event;
 
 	dns_dbiterator_t *iterator;
-	unsigned int 	 increment;	/*% Number of names to
+	unsigned int	increment;	/*% Number of names to
 					   clean in one increment */
-	cleaner_state_t  state;		/*% Idle/Busy. */
-	isc_boolean_t	 overmem;	/*% The cache is in an overmem state. */
+	cleaner_state_t	state;		/*% Idle/Busy. */
+	isc_boolean_t	overmem;	/*% The cache is in an overmem state. */
 	isc_boolean_t	 replaceiterator;
 };
 
@@ -133,7 +134,7 @@ struct dns_cache {
 	char			**db_argv;
 
 	/* Locked by 'filelock'. */
-	char *			filename;
+	char			*filename;
 	/* Access to the on-disk cache file is also locked by 'filelock'. */
 };
 
@@ -157,79 +158,6 @@ cleaner_shutdown_action(isc_task_t *task, isc_event_t *event);
 static void
 overmem_cleaning_action(isc_task_t *task, isc_event_t *event);
 
-/*%
- * Work out how many nodes can be cleaned in the time between two
- * requests to the nameserver.  Smooth the resulting number and use
- * it as a estimate for the number of nodes to be cleaned in the next
- * iteration.
- */
-static void
-adjust_increment(cache_cleaner_t *cleaner, unsigned int remaining,
-		 isc_time_t *start)
-{
-	isc_time_t end;
-	isc_uint64_t usecs;
-	isc_uint64_t new;
-	unsigned int pps = dns_pps;
-	unsigned int interval;
-	unsigned int names;
-
-	/*
-	 * Tune for minumum of 100 packets per second (pps).
-	 */
-	if (pps < 100)
-		pps = 100;
-
-	isc_time_now(&end);
-
-	interval = 1000000 / pps; /* Interval between packets in usecs. */
-	if (interval == 0)
-		interval = 1;
-
-	INSIST(cleaner->increment >= remaining);
-	names = cleaner->increment - remaining;
-	usecs = isc_time_microdiff(&end, start);
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "adjust_increment interval=%u "
-		      "names=%u usec=%" ISC_PLATFORM_QUADFORMAT "u",
-		      interval, names, usecs);
-
-	if (usecs == 0) {
-		/*
-		 * If we cleaned all the nodes in unmeasurable time
-		 * double the number of nodes to be cleaned next time.
-		 */
-		if (names == cleaner->increment) {
-			cleaner->increment *= 2;
-			if (cleaner->increment > DNS_CACHE_CLEANERINCREMENT)
-				cleaner->increment = DNS_CACHE_CLEANERINCREMENT;
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-				      "%p:new cleaner->increment = %u\n",
-				      cleaner, cleaner->increment);
-		}
-		return;
-	}
-
-	new = (names * interval);
-	new /= (usecs * 2);
-	if (new == 0)
-		new = 1;
-
-	/* Smooth */
-	new = (new + cleaner->increment * 7) / 8;
-
-	if (new > DNS_CACHE_CLEANERINCREMENT)
-		new = DNS_CACHE_CLEANERINCREMENT;
-
-	cleaner->increment = (unsigned int)new;
-
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE,
-		      ISC_LOG_DEBUG(1), "%p:new cleaner->increment = %u\n",
-		      cleaner, cleaner->increment);
-}
-
 static inline isc_result_t
 cache_create_db(dns_cache_t *cache, dns_db_t **db) {
 	return (dns_db_create(cache->mctx, cache->db_type, dns_rootname,
@@ -246,6 +174,7 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	isc_result_t result;
 	dns_cache_t *cache;
 	int i;
+	isc_task_t *dbtask;
 
 	REQUIRE(cachep != NULL);
 	REQUIRE(*cachep == NULL);
@@ -301,12 +230,29 @@ dns_cache_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	result = cache_create_db(cache, &cache->db);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dbargv;
+	if (taskmgr != NULL) {
+		dbtask = NULL;
+		result = isc_task_create(taskmgr, 1, &dbtask);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_db;
+		dns_db_settask(cache->db, dbtask);
+		isc_task_detach(&dbtask);
+	}
 
 	cache->filename = NULL;
 
 	cache->magic = CACHE_MAGIC;
 
-	result = cache_cleaner_init(cache, taskmgr, timermgr, &cache->cleaner);
+	/*
+	 * RBT-type cache DB has its own mechanism of cache cleaning and doesn't
+	 * need the control of the generic cleaner.
+	 */
+	if (strcmp(db_type, "rbt") == 0)
+		result = cache_cleaner_init(cache, NULL, NULL, &cache->cleaner);
+	else {
+		result = cache_cleaner_init(cache, taskmgr, timermgr,
+					    &cache->cleaner);
+	}
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_db;
 
@@ -603,8 +549,7 @@ cache_cleaner_init(dns_cache_t *cache, isc_taskmgr_t *taskmgr,
 
 		cleaner->cleaning_interval = 0; /* Initially turned off. */
 		result = isc_timer_create(timermgr, isc_timertype_inactive,
-					   NULL, NULL,
-					   cleaner->task,
+					   NULL, NULL, cleaner->task,
 					   cleaning_timer_action, cleaner,
 					   &cleaner->cleaning_timer);
 		if (result != ISC_R_SUCCESS) {
@@ -848,7 +793,6 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 				 "cache cleaner: dns_dbiterator_current() "
 				 "failed: %s", dns_result_totext(result));
 
-			adjust_increment(cleaner, n_names, &start);
 			end_cleaning(cleaner, event);
 			return;
 		}
@@ -892,14 +836,11 @@ incremental_cleaning_action(isc_task_t *task, isc_event_t *event) {
 				}
 			}
 
-			adjust_increment(cleaner, n_names, &start);
 			end_cleaning(cleaner, event);
 			return;
 		}
 	}
 
-	adjust_increment(cleaner, 0U, &start);
-
 	/*
 	 * We have successfully performed a cleaning increment but have
 	 * not gone through the entire cache.  Free the iterator locks
@@ -929,7 +870,7 @@ dns_cache_clean(dns_cache_t *cache, isc_stdtime_t now) {
 
 	REQUIRE(VALID_CACHE(cache));
 
-	result = dns_db_createiterator(cache->db, ISC_FALSE, &iterator);
+	result = dns_db_createiterator(cache->db, 0, &iterator);
 	if (result != ISC_R_SUCCESS)
 		return result;
 
@@ -1002,7 +943,7 @@ dns_cache_setcachesize(dns_cache_t *cache, isc_uint32_t size) {
 	REQUIRE(VALID_CACHE(cache));
 
 	/*
-	 * Impose a minumum cache size; pathological things happen if there
+	 * Impose a minimum cache size; pathological things happen if there
 	 * is too little room.
 	 */
 	if (size != 0 && size < DNS_CACHE_MINSIZE)
diff --git a/lib/dns/callbacks.c b/lib/dns/callbacks.c
index a487ed0..928f37d 100644
--- a/lib/dns/callbacks.c
+++ b/lib/dns/callbacks.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.c,v 1.13.18.2 2005/04/29 00:15:49 marka Exp $ */
+/* $Id: callbacks.c,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/compress.c b/lib/dns/compress.c
index 2103767..11473ee 100644
--- a/lib/dns/compress.c
+++ b/lib/dns/compress.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.c,v 1.52.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.c,v 1.59 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/db.c b/lib/dns/db.c
index 32ff6ae..a4c2864 100644
--- a/lib/dns/db.c
+++ b/lib/dns/db.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.c,v 1.74.18.6 2005/10/13 02:12:24 marka Exp $ */
+/* $Id: db.c,v 1.88 2008/09/24 02:46:22 marka Exp $ */
 
 /*! \file */
 
@@ -95,7 +95,7 @@ static inline dns_dbimplementation_t *
 impfind(const char *name) {
 	dns_dbimplementation_t *imp;
 
-	for (imp = ISC_LIST_HEAD(implementations); 
+	for (imp = ISC_LIST_HEAD(implementations);
 	     imp != NULL;
 	     imp = ISC_LIST_NEXT(imp, link))
 		if (strcasecmp(name, imp->name) == 0)
@@ -229,6 +229,21 @@ dns_db_isstub(dns_db_t *db) {
 }
 
 isc_boolean_t
+dns_db_isdnssec(dns_db_t *db) {
+
+	/*
+	 * Is 'db' secure or partially secure?
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE((db->attributes & DNS_DBATTR_CACHE) == 0);
+
+	if (db->methods->isdnssec != NULL)
+		return ((db->methods->isdnssec)(db));
+	return ((db->methods->issecure)(db));
+}
+
+isc_boolean_t
 dns_db_issecure(dns_db_t *db) {
 
 	/*
@@ -450,6 +465,21 @@ dns_db_findnode(dns_db_t *db, dns_name_t *name,
 }
 
 isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+		     isc_boolean_t create, dns_dbnode_t **nodep)
+{
+
+	/*
+	 * Find the node with name 'name'.
+	 */
+
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(nodep != NULL && *nodep == NULL);
+
+	return ((db->methods->findnsec3node)(db, name, create, nodep));
+}
+
+isc_result_t
 dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	    dns_rdatatype_t type, unsigned int options, isc_stdtime_t now,
 	    dns_dbnode_t **nodep, dns_name_t *foundname,
@@ -527,6 +557,30 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep) {
 	ENSURE(*nodep == NULL);
 }
 
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(targetp != NULL && *targetp == NULL);
+	/*
+	 * This doesn't check the implementation magic.  If we find that
+	 * we need such checks in future then this will be done in the
+	 * method.
+	 */
+	REQUIRE(sourcep != NULL && *sourcep != NULL);
+
+	UNUSED(db);
+
+	if (db->methods->transfernode == NULL) {
+		*targetp = *sourcep;
+		*sourcep = NULL;
+	} else
+		(db->methods->transfernode)(db, sourcep, targetp);
+
+	ENSURE(*sourcep == NULL);
+}
+
 isc_result_t
 dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 
@@ -559,7 +613,7 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
  ***/
 
 isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+dns_db_createiterator(dns_db_t *db, unsigned int flags,
 		      dns_dbiterator_t **iteratorp)
 {
 	/*
@@ -569,7 +623,7 @@ dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	REQUIRE(DNS_DB_VALID(db));
 	REQUIRE(iteratorp != NULL && *iteratorp == NULL);
 
-	return (db->methods->createiterator(db, relative_names, iteratorp));
+	return (db->methods->createiterator(db, flags, iteratorp));
 }
 
 /***
@@ -687,7 +741,7 @@ dns_db_deleterdataset(dns_db_t *db, dns_dbnode_t *node,
 					      type, covers));
 }
 
-void 
+void
 dns_db_overmem(dns_db_t *db, isc_boolean_t overmem) {
 
 	REQUIRE(DNS_DB_VALID(db));
@@ -713,11 +767,11 @@ dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp)
 	dns_rdataset_init(&rdataset);
 	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_soa, 0,
 				     (isc_stdtime_t)0, &rdataset, NULL);
- 	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto freenode;
 
 	result = dns_rdataset_first(&rdataset);
- 	if (result != ISC_R_SUCCESS)
+	if (result != ISC_R_SUCCESS)
 		goto freerdataset;
 	dns_rdataset_current(&rdataset, &rdata);
 	result = dns_rdataset_next(&rdataset);
@@ -770,7 +824,7 @@ dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
 		RWUNLOCK(&implock, isc_rwlocktype_write);
 		return (ISC_R_EXISTS);
 	}
-	
+
 	imp = isc_mem_get(mctx, sizeof(dns_dbimplementation_t));
 	if (imp == NULL) {
 		RWUNLOCK(&implock, isc_rwlocktype_write);
@@ -819,3 +873,54 @@ dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
 
 	return (ISC_R_NOTFOUND);
 }
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db) {
+	REQUIRE(DNS_DB_VALID(db));
+
+	if (db->methods->getrrsetstats != NULL)
+		return ((db->methods->getrrsetstats)(db));
+
+	return (NULL);
+}
+
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, isc_uint8_t *flags,
+			  isc_uint16_t *iterations,
+			  unsigned char *salt, size_t *salt_length)
+{
+	REQUIRE(DNS_DB_VALID(db));
+	REQUIRE(dns_db_iszone(db) == ISC_TRUE);
+
+	if (db->methods->getnsec3parameters != NULL)
+		return ((db->methods->getnsec3parameters)(db, version, hash,
+							  flags, iterations,
+							  salt, salt_length));
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign)
+{
+	if (db->methods->setsigningtime != NULL)
+		return ((db->methods->setsigningtime)(db, rdataset, resign));
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name)
+{
+	if (db->methods->getsigningtime != NULL)
+		return ((db->methods->getsigningtime)(db, rdataset, name));
+	return (ISC_R_NOTFOUND);
+}
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+{
+	if (db->methods->resigned != NULL)
+		(db->methods->resigned)(db, rdataset, version);
+}
diff --git a/lib/dns/dbiterator.c b/lib/dns/dbiterator.c
index d462ad5..8981e49 100644
--- a/lib/dns/dbiterator.c
+++ b/lib/dns/dbiterator.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.c,v 1.14.18.2 2005/04/29 00:15:50 marka Exp $ */
+/* $Id: dbiterator.c,v 1.18 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/dbtable.c b/lib/dns/dbtable.c
index b091e42..57bbfc1 100644
--- a/lib/dns/dbtable.c
+++ b/lib/dns/dbtable.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dbtable.c,v 1.28.18.3 2005/07/12 01:22:19 marka Exp $
+ * $Id: dbtable.c,v 1.33 2007/06/19 23:47:16 tbox Exp $
  */
 
 /*! \file
diff --git a/lib/dns/diff.c b/lib/dns/diff.c
index 22a3938..9489821 100644
--- a/lib/dns/diff.c
+++ b/lib/dns/diff.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.c,v 1.9.18.3 2005/04/27 05:01:15 sra Exp $ */
+/* $Id: diff.c,v 1.18.50.2 2009/01/05 23:47:22 tbox Exp $ */
 
 /*! \file */
 
@@ -35,6 +35,7 @@
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/result.h>
 
@@ -120,6 +121,7 @@ dns_difftuple_copy(dns_difftuple_t *orig, dns_difftuple_t **copyp) {
 void
 dns_diff_init(isc_mem_t *mctx, dns_diff_t *diff) {
 	diff->mctx = mctx;
+	diff->resign = 0;
 	ISC_LIST_INIT(diff->tuples);
 	diff->magic = DNS_DIFF_MAGIC;
 }
@@ -192,6 +194,40 @@ dns_diff_appendminimal(dns_diff_t *diff, dns_difftuple_t **tuplep)
 	ENSURE(*tuplep == NULL);
 }
 
+static isc_stdtime_t
+setresign(dns_rdataset_t *modified, isc_uint32_t delta) {
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t sig;
+	isc_stdtime_t when;
+	isc_result_t result;
+
+	result = dns_rdataset_first(modified);
+	INSIST(result == ISC_R_SUCCESS);
+	dns_rdataset_current(modified, &rdata);
+	(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+	if ((rdata.flags & DNS_RDATA_OFFLINE) != 0)
+		when = 0;
+	else
+		when = sig.timeexpire - delta;
+	dns_rdata_reset(&rdata);
+
+	result = dns_rdataset_next(modified);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(modified, &rdata);
+		(void)dns_rdata_tostruct(&rdata, &sig, NULL);
+		if ((rdata.flags & DNS_RDATA_OFFLINE) != 0) {
+			goto next_rr;
+		}
+		if (when == 0 || sig.timeexpire - delta < when)
+			when = sig.timeexpire - delta;
+ next_rr:
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(modified);
+	}
+	INSIST(result == ISC_R_NOMORE);
+	return (when);
+}
+
 static isc_result_t
 diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 	   isc_boolean_t warn)
@@ -220,14 +256,15 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 		 * but such diffs should never be created in the first
 		 * place.
 		 */
-		node = NULL;
-		CHECK(dns_db_findnode(db, name, ISC_TRUE, &node));
 
 		while (t != NULL && dns_name_equal(&t->name, name)) {
 			dns_rdatatype_t type, covers;
 			dns_diffop_t op;
 			dns_rdatalist_t rdl;
 			dns_rdataset_t rds;
+			dns_rdataset_t ardataset;
+			dns_rdataset_t *modified = NULL;
+			isc_boolean_t offline;
 
 			op = t->op;
 			type = t->rdata.type;
@@ -255,6 +292,16 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 			ISC_LIST_INIT(rdl.rdata);
 			ISC_LINK_INIT(&rdl, link);
 
+			node = NULL;
+			if (type != dns_rdatatype_nsec3 &&
+			    covers != dns_rdatatype_nsec3)
+				CHECK(dns_db_findnode(db, name, ISC_TRUE,
+						      &node));
+			else
+				CHECK(dns_db_findnsec3node(db, name, ISC_TRUE,
+							   &node));
+
+			offline = ISC_FALSE;
 			while (t != NULL &&
 			       dns_name_equal(&t->name, name) &&
 			       t->op == op &&
@@ -269,13 +316,15 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 						      sizeof(classbuf));
 				if (t->ttl != rdl.ttl && warn)
 					isc_log_write(DIFF_COMMON_LOGARGS,
-					      	ISC_LOG_WARNING,
+						ISC_LOG_WARNING,
 						"'%s/%s/%s': TTL differs in "
 						"rdataset, adjusting "
 						"%lu -> %lu",
 						namebuf, typebuf, classbuf,
 						(unsigned long) t->ttl,
 						(unsigned long) rdl.ttl);
+				if (t->rdata.flags & DNS_RDATA_OFFLINE)
+					offline = ISC_TRUE;
 				ISC_LIST_APPEND(rdl.rdata, &t->rdata, link);
 				t = ISC_LIST_NEXT(t, link);
 			}
@@ -285,28 +334,52 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 			 */
 			dns_rdataset_init(&rds);
 			CHECK(dns_rdatalist_tordataset(&rdl, &rds));
+			if (rds.type == dns_rdatatype_rrsig)
+				switch (op) {
+				case DNS_DIFFOP_ADDRESIGN:
+				case DNS_DIFFOP_DELRESIGN:
+					modified = &ardataset;
+					dns_rdataset_init(modified);
+					break;
+				default:
+					break;
+				}
 			rds.trust = dns_trust_ultimate;
 
 			/*
 			 * Merge the rdataset into the database.
 			 */
-			if (op == DNS_DIFFOP_ADD) {
+			switch (op) {
+			case DNS_DIFFOP_ADD:
+			case DNS_DIFFOP_ADDRESIGN:
 				result = dns_db_addrdataset(db, node, ver,
 							    0, &rds,
 							    DNS_DBADD_MERGE|
 							    DNS_DBADD_EXACT|
 							    DNS_DBADD_EXACTTTL,
-							    NULL);
-			} else if (op == DNS_DIFFOP_DEL) {
+							    modified);
+				break;
+			case DNS_DIFFOP_DEL:
+			case DNS_DIFFOP_DELRESIGN:
 				result = dns_db_subtractrdataset(db, node, ver,
 							       &rds,
 							       DNS_DBSUB_EXACT,
-							       NULL);
-			} else {
+							       modified);
+				break;
+			default:
 				INSIST(0);
 			}
-			if (result == DNS_R_UNCHANGED) {
-			  	/*
+
+			if (result == ISC_R_SUCCESS) {
+				if (modified != NULL) {
+					isc_stdtime_t resign;
+					resign = setresign(modified,
+							   diff->resign);
+					dns_db_setsigningtime(db, modified,
+							      resign);
+				}
+			} else if (result == DNS_R_UNCHANGED) {
+				/*
 				 * This will not happen when executing a
 				 * dynamic update, because that code will
 				 * generate strictly minimal diffs.
@@ -318,16 +391,21 @@ diff_apply(dns_diff_t *diff, dns_db_t *db, dns_dbversion_t *ver,
 					isc_log_write(DIFF_COMMON_LOGARGS,
 						      ISC_LOG_WARNING,
 						      "update with no effect");
-			} else if (result == ISC_R_SUCCESS ||
-				   result == DNS_R_NXRRSET) {
+			} else if (result == DNS_R_NXRRSET) {
 				/*
 				 * OK.
 				 */
 			} else {
+				if (modified != NULL &&
+				    dns_rdataset_isassociated(modified))
+					dns_rdataset_disassociate(modified);
 				CHECK(result);
 			}
+			dns_db_detachnode(db, &node);
+			if (modified != NULL &&
+			    dns_rdataset_isassociated(modified))
+				dns_rdataset_disassociate(modified);
 		}
-		dns_db_detachnode(db, &node);
 	}
 	return (ISC_R_SUCCESS);
 
@@ -455,7 +533,7 @@ dns_diff_sort(dns_diff_t *diff, dns_diff_compare_func *compare) {
 
 /*
  * Create an rdataset containing the single RR of the given
- * tuple.  The caller must allocate the the rdata, rdataset and
+ * tuple.  The caller must allocate the rdata, rdataset and
  * an rdatalist structure for it to refer to.
  */
 
@@ -485,6 +563,7 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
 	dns_difftuple_t *t;
 	char *mem = NULL;
 	unsigned int size = 2048;
+	const char *op = NULL;
 
 	REQUIRE(DNS_DIFF_VALID(diff));
 
@@ -536,15 +615,20 @@ dns_diff_print(dns_diff_t *diff, FILE *file) {
 		buf.used--;
 
 		isc_buffer_usedregion(&buf, &r);
+		switch (t->op) {
+		case DNS_DIFFOP_EXISTS: op = "exists"; break;
+		case DNS_DIFFOP_ADD: op = "add"; break;
+		case DNS_DIFFOP_DEL: op = "del"; break;
+		case DNS_DIFFOP_ADDRESIGN: op = "add re-sign"; break;
+		case DNS_DIFFOP_DELRESIGN: op = "del re-sign"; break;
+		}
 		if (file != NULL)
-			fprintf(file, "%s %.*s\n",
-				t->op == DNS_DIFFOP_ADD ?  "add" : "del",
-				(int) r.length, (char *) r.base);
+			fprintf(file, "%s %.*s\n", op, (int) r.length,
+				(char *) r.base);
 		else
 			isc_log_write(DIFF_COMMON_LOGARGS, ISC_LOG_DEBUG(7),
-				      "%s %.*s",
-				      t->op == DNS_DIFFOP_ADD ?  "add" : "del",
-				      (int) r.length, (char *) r.base);
+				      "%s %.*s", op, (int) r.length,
+				      (char *) r.base);
 	}
 	result = ISC_R_SUCCESS;
  cleanup:
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index 794cdb5..9b4e968 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.c,v 1.116.18.37 2008/09/04 00:24:41 jinmei Exp $ */
+/* $Id: dispatch.c,v 1.155.12.7 2009/04/28 21:39:45 jinmei Exp $ */
 
 /*! \file */
 
@@ -32,6 +32,7 @@
 #include <isc/portset.h>
 #include <isc/print.h>
 #include <isc/random.h>
+#include <isc/stats.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/time.h>
@@ -43,14 +44,18 @@
 #include <dns/log.h>
 #include <dns/message.h>
 #include <dns/portlist.h>
+#include <dns/stats.h>
 #include <dns/tcpmsg.h>
 #include <dns/types.h>
 
 typedef ISC_LIST(dns_dispentry_t)	dns_displist_t;
 
-typedef struct dispsocket dispsocket_t;
+typedef struct dispsocket		dispsocket_t;
 typedef ISC_LIST(dispsocket_t)		dispsocketlist_t;
 
+typedef struct dispportentry		dispportentry_t;
+typedef ISC_LIST(dispportentry_t)	dispportlist_t;
+
 /* ARC4 Random generator state */
 typedef struct arc4ctx {
 	isc_uint8_t	i;
@@ -76,6 +81,7 @@ struct dns_dispatchmgr {
 	isc_mem_t		       *mctx;
 	dns_acl_t		       *blackhole;
 	dns_portlist_t		       *portlist;
+	isc_stats_t		       *stats;
 	isc_entropy_t		       *entropy; /*%< entropy source */
 
 	/* Locked by "lock". */
@@ -170,7 +176,8 @@ struct dispsocket {
 	isc_socket_t			*socket;
 	dns_dispatch_t			*disp;
 	isc_sockaddr_t			host;
-	in_port_t			localport;
+	in_port_t			localport; /* XXX: should be removed later */
+	dispportentry_t			*portentry;
 	dns_dispentry_t			*resp;
 	isc_task_t			*task;
 	ISC_LINK(dispsocket_t)		link;
@@ -178,6 +185,21 @@ struct dispsocket {
 	ISC_LINK(dispsocket_t)		blink;
 };
 
+/*%
+ * A port table entry.  We remember every port we first open in a table with a
+ * reference counter so that we can 'reuse' the same port (with different
+ * destination addresses) using the SO_REUSEADDR socket option.
+ */
+struct dispportentry {
+	in_port_t			port;
+	unsigned int			refs;
+	ISC_LINK(struct dispportentry)	link;
+};
+
+#ifndef DNS_DISPATCH_PORTTABLESIZE
+#define DNS_DISPATCH_PORTTABLESIZE	1024
+#endif
+
 #define INVALID_BUCKET		(0xffffdead)
 
 /*%
@@ -227,6 +249,8 @@ struct dns_dispatch {
 	dns_tcpmsg_t		tcpmsg;		/*%< for tcp streams */
 	dns_qid_t		*qid;
 	arc4ctx_t		arc4ctx;	/*%< for QID/UDP port num */
+	dispportlist_t		*port_table;	/*%< hold ports 'owned' by us */
+	isc_mempool_t		*portpool;	/*%< port table entries  */
 };
 
 #define QID_MAGIC		ISC_MAGIC('Q', 'i', 'd', ' ')
@@ -330,6 +354,12 @@ mgr_log(dns_dispatchmgr_t *mgr, int level, const char *fmt, ...) {
 		      level, "dispatchmgr %p: %s", mgr, msgbuf);
 }
 
+static inline void
+inc_stats(dns_dispatchmgr_t *mgr, isc_statscounter_t counter) {
+	if (mgr->stats != NULL)
+		isc_stats_increment(mgr->stats, counter);
+}
+
 static void
 dispatch_log(dns_dispatch_t *disp, int level, const char *fmt, ...)
      ISC_FORMAT_PRINTF(3, 4);
@@ -677,6 +707,64 @@ destroy_disp(isc_task_t *task, isc_event_t *event) {
 }
 
 /*%
+ * Manipulate port table per dispatch: find an entry for a given port number,
+ * create a new entry, and decrement a given entry with possible clean-up.
+ */
+static dispportentry_t *
+port_search(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = ISC_LIST_HEAD(disp->port_table[port %
+						   DNS_DISPATCH_PORTTABLESIZE]);
+	while (portentry != NULL) {
+		if (portentry->port == port)
+			return (portentry);
+		portentry = ISC_LIST_NEXT(portentry, link);
+	}
+
+	return (NULL);
+}
+
+static dispportentry_t *
+new_portentry(dns_dispatch_t *disp, in_port_t port) {
+	dispportentry_t *portentry;
+
+	REQUIRE(disp->port_table != NULL);
+
+	portentry = isc_mempool_get(disp->portpool);
+	if (portentry == NULL)
+		return (portentry);
+
+	portentry->port = port;
+	portentry->refs = 0;
+	ISC_LINK_INIT(portentry, link);
+	ISC_LIST_APPEND(disp->port_table[port % DNS_DISPATCH_PORTTABLESIZE],
+			portentry, link);
+
+	return (portentry);
+}
+
+static void
+deref_portentry(dns_dispatch_t *disp, dispportentry_t **portentryp) {
+	dispportentry_t *portentry = *portentryp;
+
+	REQUIRE(disp->port_table != NULL);
+	REQUIRE(portentry != NULL && portentry->refs > 0);
+
+	portentry->refs--;
+	if (portentry->refs == 0) {
+		ISC_LIST_UNLINK(disp->port_table[portentry->port %
+						 DNS_DISPATCH_PORTTABLESIZE],
+				portentry, link);
+		isc_mempool_put(disp->portpool, portentry);
+	}
+
+	*portentryp = NULL;
+}
+
+/*%
  * Find a dispsocket for socket address 'dest', and port number 'port'.
  * Return NULL if no such entry exists.
  */
@@ -692,7 +780,7 @@ socket_search(dns_qid_t *qid, isc_sockaddr_t *dest, in_port_t port,
 
 	while (dispsock != NULL) {
 		if (isc_sockaddr_equal(dest, &dispsock->host) &&
-		    dispsock->localport == port)
+		    dispsock->portentry->port == port)
 			return (dispsock);
 		dispsock = ISC_LIST_NEXT(dispsock, blink);
 	}
@@ -720,6 +808,8 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 	dispsocket_t *dispsock;
 	unsigned int nports;
 	in_port_t *ports;
+	unsigned int bindoptions;
+	dispportentry_t *portentry = NULL;
 
 	if (isc_sockaddr_pf(&disp->local) == AF_INET) {
 		nports = disp->mgr->nv4ports;
@@ -745,6 +835,7 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 		dispsock->socket = NULL;
 		dispsock->disp = disp;
 		dispsock->resp = NULL;
+		dispsock->portentry = NULL;
 		isc_random_get(&r);
 		dispsock->task = NULL;
 		isc_task_attach(disp->task[r % disp->ntasks], &dispsock->task);
@@ -767,16 +858,29 @@ get_dispsocket(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 		bucket = dns_hash(qid, dest, 0, port);
 		if (socket_search(qid, dest, port, bucket) != NULL)
 			continue;
-
-		result = open_socket(sockmgr, &localaddr, 0, &sock);
-		if (result == ISC_R_SUCCESS || result != ISC_R_ADDRINUSE)
+		bindoptions = 0;
+		portentry = port_search(disp, port);
+		if (portentry != NULL)
+			bindoptions |= ISC_SOCKET_REUSEADDRESS;
+		result = open_socket(sockmgr, &localaddr, bindoptions, &sock);
+		if (result == ISC_R_SUCCESS) {
+			if (portentry == NULL) {
+				portentry = new_portentry(disp, port);
+				if (portentry == NULL) {
+					result = ISC_R_NOMEMORY;
+					break;
+				}
+			}
+			portentry->refs++;
+			break;
+		} else if (result != ISC_R_ADDRINUSE)
 			break;
 	}
 
 	if (result == ISC_R_SUCCESS) {
 		dispsock->socket = sock;
 		dispsock->host = *dest;
-		dispsock->localport = port;
+		dispsock->portentry = portentry;
 		dispsock->bucket = bucket;
 		ISC_LIST_APPEND(qid->sock_table[bucket], dispsock, blink);
 		*dispsockp = dispsock;
@@ -813,6 +917,8 @@ destroy_dispsocket(dns_dispatch_t *disp, dispsocket_t **dispsockp) {
 
 	disp->nsockets--;
 	dispsock->magic = 0;
+	if (dispsock->portentry != NULL)
+		deref_portentry(disp, &dispsock->portentry);
 	if (dispsock->socket != NULL)
 		isc_socket_detach(&dispsock->socket);
 	if (ISC_LINK_LINKED(dispsock, blink)) {
@@ -847,6 +953,9 @@ deactivate_dispsocket(dns_dispatch_t *disp, dispsocket_t *dispsock) {
 		dispsock->resp->dispsocket = NULL;
 	}
 
+	INSIST(dispsock->portentry != NULL);
+	deref_portentry(disp, &dispsock->portentry);
+
 	if (disp->nsockets > DNS_DISPATCH_POOLSOCKS)
 		destroy_dispsocket(disp, &dispsock);
 	else {
@@ -1161,6 +1270,7 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
 			     bucket, (resp == NULL ? "not found" : "found"));
 
 		if (resp == NULL) {
+			inc_stats(mgr, dns_resstatscounter_mismatch);
 			free_buffer(disp, ev->region.base, ev->region.length);
 			goto unlock;
 		}
@@ -1168,6 +1278,7 @@ udp_recv(isc_event_t *ev_in, dns_dispatch_t *disp, dispsocket_t *dispsock) {
 							 &resp->host)) {
 		dispatch_log(disp, LVL(90),
 			     "response to an exclusive socket doesn't match");
+		inc_stats(mgr, dns_resstatscounter_mismatch);
 		free_buffer(disp, ev->region.base, ev->region.length);
 		goto unlock;
 	}
@@ -1603,6 +1714,9 @@ destroy_mgr(dns_dispatchmgr_t **mgrp) {
 	if (mgr->blackhole != NULL)
 		dns_acl_detach(&mgr->blackhole);
 
+	if (mgr->stats != NULL)
+		isc_stats_detach(&mgr->stats);
+
 	if (mgr->v4ports != NULL) {
 		isc_mem_put(mctx, mgr->v4ports,
 			    mgr->nv4ports * sizeof(in_port_t));
@@ -1628,6 +1742,7 @@ open_socket(isc_socketmgr_t *mgr, isc_sockaddr_t *local,
 					   isc_sockettype_udp, &sock);
 		if (result != ISC_R_SUCCESS)
 			return (result);
+		isc_socket_setname(sock, "dispatcher", NULL);
 	} else {
 		result = isc_socket_open(sock);
 		if (result != ISC_R_SUCCESS)
@@ -1692,6 +1807,7 @@ dns_dispatchmgr_create(isc_mem_t *mctx, isc_entropy_t *entropy,
 	isc_mem_attach(mctx, &mgr->mctx);
 
 	mgr->blackhole = NULL;
+	mgr->stats = NULL;
 
 	result = isc_mutex_init(&mgr->lock);
 	if (result != ISC_R_SUCCESS)
@@ -2001,6 +2117,15 @@ dns_dispatchmgr_destroy(dns_dispatchmgr_t **mgrp) {
 		destroy_mgr(&mgr);
 }
 
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats) {
+	REQUIRE(VALID_DISPATCHMGR(mgr));
+	REQUIRE(ISC_LIST_EMPTY(mgr->list));
+	REQUIRE(mgr->stats == NULL);
+
+	isc_stats_attach(stats, &mgr->stats);
+}
+
 static int
 port_cmp(const void *key, const void *ent) {
 	in_port_t p1 = *(const in_port_t *)key;
@@ -2269,6 +2394,8 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 	ISC_LIST_INIT(disp->inactivesockets);
 	disp->nsockets = 0;
 	dispatch_arc4init(&disp->arc4ctx, mgr->entropy, NULL);
+	disp->port_table = NULL;
+	disp->portpool = NULL;
 
 	result = isc_mutex_init(&disp->lock);
 	if (result != ISC_R_SUCCESS)
@@ -2298,13 +2425,14 @@ dispatch_allocate(dns_dispatchmgr_t *mgr, unsigned int maxrequests,
 
 
 /*
- * MUST be unlocked, and not used by anthing.
+ * MUST be unlocked, and not used by anything.
  */
 static void
 dispatch_free(dns_dispatch_t **dispp)
 {
 	dns_dispatch_t *disp;
 	dns_dispatchmgr_t *mgr;
+	int i;
 
 	REQUIRE(VALID_DISPATCH(*dispp));
 	disp = *dispp;
@@ -2329,6 +2457,18 @@ dispatch_free(dns_dispatch_t **dispp)
 
 	if (disp->qid != NULL)
 		qid_destroy(mgr->mctx, &disp->qid);
+
+	if (disp->port_table != NULL) {
+		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+			INSIST(ISC_LIST_EMPTY(disp->port_table[i]));
+		isc_mem_put(mgr->mctx, disp->port_table,
+			    sizeof(disp->port_table[0]) *
+			    DNS_DISPATCH_PORTTABLESIZE);
+	}
+
+	if (disp->portpool != NULL)
+		isc_mempool_destroy(&disp->portpool);
+
 	disp->mgr = NULL;
 	DESTROYLOCK(&disp->lock);
 	disp->magic = 0;
@@ -2462,9 +2602,8 @@ dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 	}
 
 	/*
-	 * First, see if we have a dispatcher that matches.
+	 * See if we have a dispatcher that matches.
 	 */
-	disp = NULL;
 	result = dispatch_find(mgr, localaddr, attributes, mask, &disp);
 	if (result == ISC_R_SUCCESS) {
 		disp->refcount++;
@@ -2569,6 +2708,15 @@ get_udpsocket(dns_dispatchmgr_t *mgr, dns_dispatch_t *disp,
 		 * If this fails 1024 times, we then ask the kernel for
 		 * choosing one.
 		 */
+	} else {
+		/* Allow to reuse address for non-random ports. */
+		result = open_socket(sockmgr, localaddr,
+				     ISC_SOCKET_REUSEADDRESS, &sock);
+
+		if (result == ISC_R_SUCCESS)
+			*sockp = sock;
+
+		return (result);
 	}
 
 	memset(held, 0, sizeof(held));
@@ -2650,6 +2798,21 @@ dispatch_createudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 			if (result != ISC_R_SUCCESS)
 				goto deallocate_dispatch;
 		}
+
+		disp->port_table = isc_mem_get(mgr->mctx,
+					       sizeof(disp->port_table[0]) *
+					       DNS_DISPATCH_PORTTABLESIZE);
+		if (disp->port_table == NULL)
+			goto deallocate_dispatch;
+		for (i = 0; i < DNS_DISPATCH_PORTTABLESIZE; i++)
+			ISC_LIST_INIT(disp->port_table[i]);
+
+		result = isc_mempool_create(mgr->mctx, sizeof(dispportentry_t),
+					    &disp->portpool);
+		if (result != ISC_R_SUCCESS)
+			goto deallocate_dispatch;
+		isc_mempool_setname(disp->portpool, "disp_portpool");
+		isc_mempool_setfreemax(disp->portpool, 128);
 	}
 	disp->socktype = isc_sockettype_udp;
 	disp->socket = sock;
@@ -2829,6 +2992,8 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 				oldestresp->item_out = ISC_TRUE;
 				isc_task_send(oldestresp->task,
 					      ISC_EVENT_PTR(&rev));
+				inc_stats(disp->mgr,
+					  dns_resstatscounter_dispabort);
 			}
 		}
 
@@ -2852,6 +3017,7 @@ dns_dispatch_addresponse2(dns_dispatch_t *disp, isc_sockaddr_t *dest,
 		if (result != ISC_R_SUCCESS) {
 			UNLOCK(&qid->lock);
 			UNLOCK(&disp->lock);
+			inc_stats(disp->mgr, dns_resstatscounter_dispsockfail);
 			return (result);
 		}
 	} else {
diff --git a/lib/dns/dlz.c b/lib/dns/dlz.c
index ee6c03b..75486af 100644
--- a/lib/dns/dlz.c
+++ b/lib/dns/dlz.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.c,v 1.2.2.2 2005/09/06 03:47:17 marka Exp $ */
+/* $Id: dlz.c,v 1.5.332.2 2009/01/18 23:47:35 tbox Exp $ */
 
 /*! \file */
 
@@ -126,7 +126,7 @@ dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
 	dlzdatabase = view->dlzdatabase;
 	allowzonexfr = dlzdatabase->implementation->methods->allowzonexfr;
 	result = (*allowzonexfr)(dlzdatabase->implementation->driverarg,
-			         dlzdatabase->dbdata, dlzdatabase->mctx,
+				 dlzdatabase->dbdata, dlzdatabase->mctx,
 				 view->rdclass, name, clientaddr, dbp);
 
 	if (result == ISC_R_NOTIMPLEMENTED)
@@ -275,7 +275,7 @@ dns_dlzfindzone(dns_view_t *view, dns_name_t *name, unsigned int minlabels,
 	 * trying shorter names portions of the name until we find a
 	 * match, have an error, or are below the 'minlabels'
 	 * threshold.  minlabels is 0, if the standard database didn't
-	 * have a zone name match.  Otherwise minlables is the number
+	 * have a zone name match.  Otherwise minlabels is the number
 	 * of labels in that name.  We need to beat that for a
 	 * "better" match for the DLZ database to be authoritative
 	 * instead of the standard database.
diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index 75ca440..f06d715 100644
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: dnssec.c,v 1.81.18.10 2007/09/14 04:35:42 marka Exp $
+ * $Id: dnssec.c,v 1.93 2008/11/14 23:47:33 tbox Exp $
  */
 
 /*! \file */
@@ -366,6 +366,9 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
+	if (set->type != sig.covered)
+		return (DNS_R_SIGINVALID);
+
 	if (isc_serial_lt(sig.timeexpire, sig.timesigned))
 		return (DNS_R_SIGINVALID);
 
@@ -382,6 +385,27 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	}
 
 	/*
+	 * NS, SOA and DNSSKEY records are signed by their owner.
+	 * DS records are signed by the parent.
+	 */
+	switch (set->type) {
+	case dns_rdatatype_ns:
+	case dns_rdatatype_soa:
+	case dns_rdatatype_dnskey:
+		if (!dns_name_equal(name, &sig.signer))
+			return (DNS_R_SIGINVALID);
+		break;
+	case dns_rdatatype_ds:
+		if (dns_name_equal(name, &sig.signer))
+			return (DNS_R_SIGINVALID);
+		/* FALLTHROUGH */
+	default:
+		if (!dns_name_issubdomain(name, &sig.signer))
+			return (DNS_R_SIGINVALID);
+		break;
+	}
+
+	/*
 	 * Is the key allowed to sign data?
 	 */
 	flags = dst_key_flags(key);
@@ -407,7 +431,7 @@ dns_dnssec_verify2(dns_name_t *name, dns_rdataset_t *set, dst_key_t *key,
 	dns_fixedname_init(&fnewname);
 	labels = dns_name_countlabels(name) - 1;
 	RUNTIME_CHECK(dns_name_downcase(name, dns_fixedname_name(&fnewname),
-				        NULL) == ISC_R_SUCCESS);
+					NULL) == ISC_R_SUCCESS);
 	if (labels - sig.labels > 0)
 		dns_name_split(dns_fixedname_name(&fnewname), sig.labels + 1,
 			       NULL, dns_fixedname_name(&fnewname));
@@ -487,9 +511,9 @@ cleanup_struct:
 	dns_rdata_freestruct(&sig);
 
 	if (ret == ISC_R_SUCCESS && labels - sig.labels > 0) {
-		if (wild != NULL) 
+		if (wild != NULL)
 			RUNTIME_CHECK(dns_name_concatenate(dns_wildcardname,
-					         dns_fixedname_name(&fnewname),
+						 dns_fixedname_name(&fnewname),
 						 wild, NULL) == ISC_R_SUCCESS);
 		ret = DNS_R_FROMWILDCARD;
 	}
@@ -541,6 +565,9 @@ dns_dnssec_findzonekeys2(dns_db_t *db, dns_dbversion_t *ver,
 		if (!is_zone_key(pubkey) ||
 		    (dst_key_flags(pubkey) & DNS_KEYTYPE_NOAUTH) != 0)
 			goto next;
+		/* Corrupted .key file? */
+		if (!dns_name_equal(name, dst_key_name(pubkey)))
+			goto next;
 		keys[count] = NULL;
 		result = dst_key_fromfile(dst_key_name(pubkey),
 					  dst_key_id(pubkey),
@@ -802,7 +829,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	RETERR(dst_context_create(key, mctx, &ctx));
 
 	/*
- 	 * Digest the SIG(0) record, except for the signature.
+	 * Digest the SIG(0) record, except for the signature.
 	 */
 	dns_rdata_toregion(&rdata, &r);
 	r.length -= sig.siglen;
diff --git a/lib/dns/ds.c b/lib/dns/ds.c
index 7cd1609..e994cc5 100644
--- a/lib/dns/ds.c
+++ b/lib/dns/ds.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.c,v 1.4.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 7d98e10..144c685 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.1.6.7 2006/01/27 23:57:44 marka Exp $
+ * $Id: dst_api.c,v 1.16.12.3 2009/03/02 02:00:34 marka Exp $
  */
 
 /*! \file */
@@ -60,6 +73,8 @@ static isc_entropy_t *dst_entropy_pool = NULL;
 static unsigned int dst_entropy_flags = 0;
 static isc_boolean_t dst_initialized = ISC_FALSE;
 
+void gss_log(int level, const char *fmt, ...) ISC_FORMAT_PRINTF(2, 3);
+
 isc_mem_t *dst__memory_pool = NULL;
 
 /*
@@ -110,19 +125,21 @@ static isc_result_t	addsuffix(char *filename, unsigned int len,
 			return (_r);		\
 	} while (0);				\
 
+#ifdef OPENSSL
 static void *
 default_memalloc(void *arg, size_t size) {
-        UNUSED(arg);
-        if (size == 0U)
-                size = 1;
-        return (malloc(size));
+	UNUSED(arg);
+	if (size == 0U)
+		size = 1;
+	return (malloc(size));
 }
 
 static void
 default_memfree(void *arg, void *ptr) {
-        UNUSED(arg);
-        free(ptr);
+	UNUSED(arg);
+	free(ptr);
 }
+#endif
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
@@ -147,6 +164,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 				  NULL, &dst__memory_pool, 0);
 	if (result != ISC_R_SUCCESS)
 		return (result);
+	isc_mem_setname(dst__memory_pool, "dst", NULL);
 	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
 #else
 	isc_mem_attach(mctx, &dst__memory_pool);
@@ -167,8 +185,10 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	RETERR(dst__openssl_init());
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
+	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
 #ifdef HAVE_OPENSSL_DSA
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
+	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
 #endif
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
 #endif /* OPENSSL */
@@ -223,7 +243,7 @@ dst_context_create(dst_key_t *key, isc_mem_t *mctx, dst_context_t **dctxp) {
 
 	if (key->func->createctx == NULL)
 		return (DST_R_UNSUPPORTEDALG);
-	if (key->opaque == NULL)
+	if (key->keydata.generic == NULL)
 		return (DST_R_NULLKEY);
 
 	dctx = isc_mem_get(mctx, sizeof(dst_context_t));
@@ -273,8 +293,9 @@ dst_context_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 	key = dctx->key;
 	CHECKALG(key->key_alg);
-	if (key->opaque == NULL)
+	if (key->keydata.generic == NULL)
 		return (DST_R_NULLKEY);
+
 	if (key->func->sign == NULL)
 		return (DST_R_NOTPRIVATEKEY);
 	if (key->func->isprivate == NULL ||
@@ -290,7 +311,7 @@ dst_context_verify(dst_context_t *dctx, isc_region_t *sig) {
 	REQUIRE(sig != NULL);
 
 	CHECKALG(dctx->key->key_alg);
-	if (dctx->key->opaque == NULL)
+	if (dctx->key->keydata.generic == NULL)
 		return (DST_R_NULLKEY);
 	if (dctx->key->func->verify == NULL)
 		return (DST_R_NOTPUBLICKEY);
@@ -309,7 +330,7 @@ dst_key_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	CHECKALG(pub->key_alg);
 	CHECKALG(priv->key_alg);
 
-	if (pub->opaque == NULL || priv->opaque == NULL)
+	if (pub->keydata.generic == NULL || priv->keydata.generic == NULL)
 		return (DST_R_NULLKEY);
 
 	if (pub->key_alg != priv->key_alg ||
@@ -383,10 +404,8 @@ dst_key_fromfile(dns_name_t *name, dns_keytag_t id,
 		return (result);
 	}
 
-	if (!dns_name_equal(name, key->key_name) ||
-	    id != key->key_id ||
-	    alg != key->key_alg)
-	{
+	if (!dns_name_equal(name, key->key_name) || id != key->key_id ||
+	    alg != key->key_alg) {
 		dst_key_free(&key);
 		return (DST_R_INVALIDPRIVATEKEY);
 	}
@@ -427,8 +446,7 @@ dst_key_fromnamedfile(const char *filename, int type, isc_mem_t *mctx,
 		return (result);
 
 	if ((type & (DST_TYPE_PRIVATE | DST_TYPE_PUBLIC)) == DST_TYPE_PUBLIC ||
-	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY)
-	{
+	    (pubkey->key_flags & DNS_KEYFLAG_TYPEMASK) == DNS_KEYTYPE_NOKEY) {
 		result = computeid(pubkey);
 		if (result != ISC_R_SUCCESS) {
 			dst_key_free(&pubkey);
@@ -512,7 +530,7 @@ dst_key_todns(const dst_key_t *key, isc_buffer_t *target) {
 						    & 0xffff));
 	}
 
-	if (key->opaque == NULL) /*%< NULL KEY */
+	if (key->keydata.generic == NULL) /*%< NULL KEY */
 		return (ISC_R_SUCCESS);
 
 	return (key->func->todns(key, target));
@@ -620,20 +638,71 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer) {
 	return (result);
 }
 
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key)
+{
+	REQUIRE(key != NULL);
+
+	return (key->keydata.gssctx);
+}
+
 isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
 		   dst_key_t **keyp)
 {
 	dst_key_t *key;
 
-	REQUIRE(opaque != NULL);
+	REQUIRE(gssctx != NULL);
 	REQUIRE(keyp != NULL && *keyp == NULL);
 
 	key = get_key_struct(name, DST_ALG_GSSAPI, 0, DNS_KEYPROTO_DNSSEC,
 			     0, dns_rdataclass_in, mctx);
 	if (key == NULL)
 		return (ISC_R_NOMEMORY);
-	key->opaque = opaque;
+
+	key->keydata.gssctx = gssctx;
+	*keyp = key;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp)
+{
+	dst_key_t *key;
+	isc_result_t result;
+
+	REQUIRE(dst_initialized == ISC_TRUE);
+	REQUIRE(dns_name_isabsolute(name));
+	REQUIRE(mctx != NULL);
+	REQUIRE(keyp != NULL && *keyp == NULL);
+	REQUIRE(label != NULL);
+
+	CHECKALG(alg);
+
+	key = get_key_struct(name, alg, flags, protocol, 0, rdclass, mctx);
+	if (key == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (key->func->fromlabel == NULL) {
+		dst_key_free(&key);
+		return (DST_R_UNSUPPORTEDALG);
+	}
+
+	result = key->func->fromlabel(key, engine, label, pin);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
+	result = computeid(key);
+	if (result != ISC_R_SUCCESS) {
+		dst_key_free(&key);
+		return (result);
+	}
+
 	*keyp = key;
 	return (ISC_R_SUCCESS);
 }
@@ -734,11 +803,14 @@ dst_key_free(dst_key_t **keyp) {
 	key = *keyp;
 	mctx = key->mctx;
 
-	if (key->opaque != NULL) {
+	if (key->keydata.generic != NULL) {
 		INSIST(key->func->destroy != NULL);
 		key->func->destroy(key);
 	}
-
+	if (key->engine != NULL)
+		isc_mem_free(mctx, key->engine);
+	if (key->label != NULL)
+		isc_mem_free(mctx, key->label);
 	dns_name_free(key->key_name, mctx);
 	isc_mem_put(mctx, key->key_name, sizeof(dns_name_t));
 	memset(key, 0, sizeof(dst_key_t));
@@ -775,9 +847,11 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	switch (key->key_alg) {
 	case DST_ALG_RSAMD5:
 	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
 		*n = (key->key_size + 7) / 8;
 		break;
 	case DST_ALG_DSA:
+	case DST_ALG_NSEC3DSA:
 		*n = DNS_SIG_DSASIGSIZE;
 		break;
 	case DST_ALG_HMACMD5:
@@ -860,7 +934,7 @@ get_key_struct(dns_name_t *name, unsigned int alg,
 	key->key_flags = flags;
 	key->key_proto = protocol;
 	key->mctx = mctx;
-	key->opaque = NULL;
+	key->keydata.generic = NULL;
 	key->key_size = bits;
 	key->key_class = rdclass;
 	key->func = dst_t_func[alg];
@@ -925,6 +999,13 @@ dst_key_read_public(const char *filename, int type,
 	NEXTTOKEN(lex, opt, &token);
 	if (token.type != isc_tokentype_string)
 		BADTOKEN();
+
+	/*
+	 * We don't support "@" in .key files.
+	 */
+	if (!strcmp(DST_AS_STR(token), "@"))
+		BADTOKEN();
+
 	dns_fixedname_init(&name);
 	isc_buffer_init(&b, DST_AS_STR(token), strlen(DST_AS_STR(token)));
 	isc_buffer_add(&b, strlen(DST_AS_STR(token)));
@@ -990,7 +1071,9 @@ issymmetric(const dst_key_t *key) {
 	switch (key->key_alg) {
 	case DST_ALG_RSAMD5:
 	case DST_ALG_RSASHA1:
+	case DST_ALG_NSEC3RSASHA1:
 	case DST_ALG_DSA:
+	case DST_ALG_NSEC3DSA:
 	case DST_ALG_DH:
 		return (ISC_FALSE);
 	case DST_ALG_HMACMD5:
@@ -1080,9 +1163,12 @@ write_public_key(const dst_key_t *key, int type, const char *directory) {
 	fwrite(r.base, 1, r.length, fp);
 
 	fputc('\n', fp);
+	fflush(fp);
+	if (ferror(fp))
+		ret = DST_R_WRITEERROR;
 	fclose(fp);
 
-	return (ISC_R_SUCCESS);
+	return (ret);
 }
 
 static isc_result_t
@@ -1116,8 +1202,10 @@ buildfilename(dns_name_t *name, dns_keytag_t id,
 	len = 1 + 3 + 1 + 5 + strlen(suffix) + 1;
 	if (isc_buffer_availablelength(out) < len)
 		return (ISC_R_NOSPACE);
-	sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id, suffix);
+	sprintf((char *) isc_buffer_used(out), "+%03d+%05d%s", alg, id,
+		suffix);
 	isc_buffer_add(out, len);
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -1186,7 +1274,8 @@ algorithm_status(unsigned int alg) {
 #ifndef OPENSSL
 	if (alg == DST_ALG_RSAMD5 || alg == DST_ALG_RSASHA1 ||
 	    alg == DST_ALG_DSA || alg == DST_ALG_DH ||
-	    alg == DST_ALG_HMACMD5)
+	    alg == DST_ALG_HMACMD5 || alg == DST_ALG_NSEC3DSA ||
+	    alg == DST_ALG_NSEC3RSASHA1)
 		return (DST_R_NOCRYPTO);
 #endif
 	return (DST_R_UNSUPPORTEDALG);
@@ -1219,3 +1308,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 		flags &= ~ISC_ENTROPY_GOODONLY;
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
 }
+
+unsigned int
+dst__entropy_status(void) {
+	return (isc_entropy_status(dst_entropy_pool));
+}
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index f2deb72..0c1a71c 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst_internal.h,v 1.11 2008/04/01 23:47:10 tbox Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -27,9 +40,22 @@
 #include <isc/magic.h>
 #include <isc/region.h>
 #include <isc/types.h>
+#include <isc/md5.h>
+#include <isc/sha1.h>
+#include <isc/hmacmd5.h>
+#include <isc/hmacsha.h>
 
 #include <dst/dst.h>
 
+#ifdef OPENSSL
+#include <openssl/dh.h>
+#include <openssl/dsa.h>
+#include <openssl/err.h>
+#include <openssl/evp.h>
+#include <openssl/objects.h>
+#include <openssl/rsa.h>
+#endif
+
 ISC_LANG_BEGINDECLS
 
 #define KEY_MAGIC       ISC_MAGIC('D','S','T','K')
@@ -46,6 +72,13 @@ extern isc_mem_t *dst__memory_pool;
 
 typedef struct dst_func dst_func_t;
 
+typedef struct dst_hmacmd5_key    dst_hmacmd5_key_t;
+typedef struct dst_hmacsha1_key   dst_hmacsha1_key_t;
+typedef struct dst_hmacsha224_key dst_hmacsha224_key_t;
+typedef struct dst_hmacsha256_key dst_hmacsha256_key_t;
+typedef struct dst_hmacsha384_key dst_hmacsha384_key_t;
+typedef struct dst_hmacsha512_key dst_hmacsha512_key_t;
+
 /*% DST Key Structure */
 struct dst_key {
 	unsigned int	magic;
@@ -58,7 +91,27 @@ struct dst_key {
 	isc_uint16_t	key_bits;	/*%< hmac digest bits */
 	dns_rdataclass_t key_class;	/*%< class of the key record */
 	isc_mem_t	*mctx;		/*%< memory context */
-	void *		opaque;		/*%< pointer to key in crypto pkg fmt */
+	char		*engine;	/*%< engine name (HSM) */
+	char		*label;		/*%< engine label (HSM) */
+	union {
+		void *generic;
+		gss_ctx_id_t gssctx;
+#ifdef OPENSSL
+#if USE_EVP_RSA
+		RSA *rsa;
+#endif
+		DSA *dsa;
+		DH *dh;
+		EVP_PKEY *pkey;
+#endif
+		dst_hmacmd5_key_t *hmacmd5;
+		dst_hmacsha1_key_t *hmacsha1;
+		dst_hmacsha224_key_t *hmacsha224;
+		dst_hmacsha256_key_t *hmacsha256;
+		dst_hmacsha384_key_t *hmacsha384;
+		dst_hmacsha512_key_t *hmacsha512;
+
+	} keydata;			/*%< pointer to key in crypto pkg fmt */
 	dst_func_t *	func;		/*%< crypto package specific functions */
 };
 
@@ -66,7 +119,21 @@ struct dst_context {
 	unsigned int magic;
 	dst_key_t *key;
 	isc_mem_t *mctx;
-	void *opaque;
+	union {
+		void *generic;
+		dst_gssapi_signverifyctx_t *gssctx;
+		isc_md5_t *md5ctx;
+		isc_sha1_t *sha1ctx;
+		isc_hmacmd5_t *hmacmd5ctx;
+		isc_hmacsha1_t *hmacsha1ctx;
+		isc_hmacsha224_t *hmacsha224ctx;
+		isc_hmacsha256_t *hmacsha256ctx;
+		isc_hmacsha384_t *hmacsha384ctx;
+		isc_hmacsha512_t *hmacsha512ctx;
+#ifdef OPENSSL
+		EVP_MD_CTX *evp_md_ctx;
+#endif
+	} ctxdata;
 };
 
 struct dst_func {
@@ -100,6 +167,9 @@ struct dst_func {
 
 	/* cleanup */
 	void (*cleanup)(void);
+
+	isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
+				  const char *label, const char *pin);
 };
 
 /*%
@@ -136,6 +206,11 @@ void * dst__mem_realloc(void *ptr, size_t size);
 isc_result_t dst__entropy_getdata(void *buf, unsigned int len,
 				  isc_boolean_t pseudo);
 
+/*
+ * Entropy status hook.
+ */
+unsigned int dst__entropy_status(void);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DST_DST_INTERNAL_H */
diff --git a/lib/dns/dst_lib.c b/lib/dns/dst_lib.c
index 305051c..f1021d3 100644
--- a/lib/dns/dst_lib.c
+++ b/lib/dns/dst_lib.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_lib.c,v 1.1.6.3 2005/04/29 00:15:51 marka Exp $
+ * $Id: dst_lib.c,v 1.5 2007/06/19 23:47:16 tbox Exp $
  */
 
 /*! \file */
diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h
index 79e10b0..80eef93 100644
--- a/lib/dns/dst_openssl.h
+++ b/lib/dns/dst_openssl.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.1.4.3 2005/04/29 00:15:52 marka Exp $ */
+/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1
@@ -28,6 +28,12 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dst__openssl_toresult(isc_result_t fallback);
 
+ENGINE *
+dst__openssl_getengine(const char *name);
+
+isc_result_t
+dst__openssl_setdefault(const char *name);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DST_OPENSSL_H */
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index ce361ef..2da72ae 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +31,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_parse.c,v 1.1.6.9 2008/01/22 23:27:05 tbox Exp $
+ * $Id: dst_parse.c,v 1.14.120.2 2009/03/02 23:47:11 tbox Exp $
  */
 
 #include <config.h>
@@ -54,6 +67,9 @@ static struct parse_map map[] = {
 	{TAG_RSA_EXPONENT1, "Exponent1:"},
 	{TAG_RSA_EXPONENT2, "Exponent2:"},
 	{TAG_RSA_COEFFICIENT, "Coefficient:"},
+	{TAG_RSA_ENGINE, "Engine:" },
+	{TAG_RSA_LABEL, "Label:" },
+	{TAG_RSA_PIN, "PIN:" },
 
 	{TAG_DH_PRIME, "Prime(p):"},
 	{TAG_DH_GENERATOR, "Generator(g):"},
@@ -115,16 +131,39 @@ find_tag(const int value) {
 static int
 check_rsa(const dst_private_t *priv) {
 	int i, j;
-	if (priv->nelements != RSA_NTAGS)
-		return (-1);
-	for (i = 0; i < RSA_NTAGS; i++) {
-		for (j = 0; j < priv->nelements; j++)
+	isc_boolean_t have[RSA_NTAGS];
+	isc_boolean_t ok;
+	unsigned int mask;
+
+	for (i = 0; i < RSA_NTAGS; i++)
+		have[i] = ISC_FALSE;
+	for (j = 0; j < priv->nelements; j++) {
+		for (i = 0; i < RSA_NTAGS; i++)
 			if (priv->elements[j].tag == TAG(DST_ALG_RSAMD5, i))
 				break;
-		if (j == priv->nelements)
+		if (i == RSA_NTAGS)
 			return (-1);
+		have[i] = ISC_TRUE;
 	}
-	return (0);
+
+	mask = ~0;
+	mask <<= sizeof(mask) * 8 - TAG_SHIFT;
+	mask >>= sizeof(mask) * 8 - TAG_SHIFT;
+
+	if (have[TAG_RSA_ENGINE & mask])
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_LABEL & mask];
+	else
+		ok = have[TAG_RSA_MODULUS & mask] &&
+		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
+		     have[TAG_RSA_PRIVATEEXPONENT & mask] &&
+		     have[TAG_RSA_PRIME1 & mask] &&
+		     have[TAG_RSA_PRIME2 & mask] &&
+		     have[TAG_RSA_EXPONENT1 & mask] &&
+		     have[TAG_RSA_EXPONENT2 & mask] &&
+		     have[TAG_RSA_COEFFICIENT & mask];
+	return (ok ? 0 : -1 );
 }
 
 static int
@@ -486,8 +525,10 @@ dst__privstruct_writefile(const dst_key_t *key, const dst_private_t *priv,
 		fprintf(fp, "\n");
 	}
 
+	fflush(fp);
+	iret = ferror(fp) ? DST_R_WRITEERROR : ISC_R_SUCCESS;
 	fclose(fp);
-	return (ISC_R_SUCCESS);
+	return (iret);
 }
 
 /*! \file */
diff --git a/lib/dns/dst_parse.h b/lib/dns/dst_parse.h
index 665fcfc..27c7580 100644
--- a/lib/dns/dst_parse.h
+++ b/lib/dns/dst_parse.h
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_parse.h,v 1.1.6.7 2008/05/15 23:46:06 tbox Exp $ */
+/* $Id: dst_parse.h,v 1.11 2008/05/15 00:50:26 each Exp $ */
 
 /*! \file */
 #ifndef DST_DST_PARSE_H
@@ -37,7 +50,7 @@
 #define TAG(alg, off)		(((alg) << TAG_SHIFT) + (off))
 
 /* These are used by both RSA-MD5 and RSA-SHA1 */
-#define RSA_NTAGS		8
+#define RSA_NTAGS		11
 #define TAG_RSA_MODULUS		((DST_ALG_RSAMD5 << TAG_SHIFT) + 0)
 #define TAG_RSA_PUBLICEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 1)
 #define TAG_RSA_PRIVATEEXPONENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 2)
@@ -46,6 +59,9 @@
 #define TAG_RSA_EXPONENT1	((DST_ALG_RSAMD5 << TAG_SHIFT) + 5)
 #define TAG_RSA_EXPONENT2	((DST_ALG_RSAMD5 << TAG_SHIFT) + 6)
 #define TAG_RSA_COEFFICIENT	((DST_ALG_RSAMD5 << TAG_SHIFT) + 7)
+#define TAG_RSA_ENGINE		((DST_ALG_RSAMD5 << TAG_SHIFT) + 8)
+#define TAG_RSA_LABEL		((DST_ALG_RSAMD5 << TAG_SHIFT) + 9)
+#define TAG_RSA_PIN		((DST_ALG_RSAMD5 << TAG_SHIFT) + 10)
 
 #define DH_NTAGS		4
 #define TAG_DH_PRIME		((DST_ALG_DH << TAG_SHIFT) + 0)
diff --git a/lib/dns/dst_result.c b/lib/dns/dst_result.c
index c9bf073..429dbb2 100644
--- a/lib/dns/dst_result.c
+++ b/lib/dns/dst_result.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -17,7 +17,7 @@
 
 /*%
  * Principal Author: Brian Wellington
- * $Id: dst_result.c,v 1.1.6.3 2005/04/29 00:15:52 marka Exp $
+ * $Id: dst_result.c,v 1.7 2008/04/01 23:47:10 tbox Exp $
  */
 
 #include <config.h>
@@ -49,7 +49,8 @@ static const char *text[DST_R_NRESULTS] = {
 	"not a key that can compute a secret",	/*%< 17 */
 	"failure computing a shared secret",	/*%< 18 */
 	"no randomness available",		/*%< 19 */
-	"bad key type"				/*%< 20 */
+	"bad key type",				/*%< 20 */
+	"no engine"				/*%< 21 */
 };
 
 #define DST_RESULT_RESULTSET			2
diff --git a/lib/dns/forward.c b/lib/dns/forward.c
index e80a477..39e2ef5 100644
--- a/lib/dns/forward.c
+++ b/lib/dns/forward.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.c,v 1.6.18.4 2005/07/12 01:22:20 marka Exp $ */
+/* $Id: forward.c,v 1.12 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/gen-unix.h b/lib/dns/gen-unix.h
index fc2dbf2..4186f63 100644
--- a/lib/dns/gen-unix.h
+++ b/lib/dns/gen-unix.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen-unix.h,v 1.14.18.3 2005/06/08 02:07:54 marka Exp $ */
+/* $Id: gen-unix.h,v 1.19.332.2 2009/01/18 23:47:35 tbox Exp $ */
 
 /*! \file
  * \brief
@@ -23,7 +23,7 @@
  * directly portable between Unix-like systems and Windows NT, option
  * parsing and directory scanning.  It is here because it was decided
  * that the "gen" build utility was not to depend on libisc.a, so
- * the functions delcared in isc/commandline.h and isc/dir.h could not
+ * the functions declared in isc/commandline.h and isc/dir.h could not
  * be used.
  *
  * The commandline stuff is really just a wrapper around getopt().
diff --git a/lib/dns/gen.c b/lib/dns/gen.c
index 1e6212a..ede8bc0 100644
--- a/lib/dns/gen.c
+++ b/lib/dns/gen.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gen.c,v 1.73.18.6 2006/10/02 06:36:43 marka Exp $ */
+/* $Id: gen.c,v 1.83 2008/09/25 04:02:38 tbox Exp $ */
 
 /*! \file */
 
@@ -41,6 +41,8 @@
 #include "gen-unix.h"
 #endif
 
+#define TYPECLASSLEN 21
+
 #define FROMTEXTARGS "rdclass, type, lexer, origin, options, target, callbacks"
 #define FROMTEXTCLASS "rdclass"
 #define FROMTEXTTYPE "type"
@@ -134,21 +136,21 @@ const char copyright[] =
 struct cc {
 	struct cc *next;
 	int rdclass;
-	char classname[11];
+	char classname[TYPECLASSLEN];
 } *classes;
 
 struct tt {
 	struct tt *next;
 	int rdclass;
 	int type;
-	char classname[11];
-	char typename[11];
+	char classname[TYPECLASSLEN];
+	char typename[TYPECLASSLEN];
 	char dirname[256];		/* XXX Should be max path length */
 } *types;
 
 struct ttnam {
-	char typename[11];
-	char macroname[11];
+	char typename[TYPECLASSLEN];
+	char macroname[TYPECLASSLEN];
 	char attr[256];
 	unsigned int sorted;
 	int type;
@@ -215,7 +217,7 @@ doswitch(const char *name, const char *function, const char *args,
 	int first = 1;
 	int lasttype = 0;
 	int subswitch = 0;
-	char buf1[11], buf2[11];
+	char buf1[TYPECLASSLEN], buf2[TYPECLASSLEN];
 	const char *result = " result =";
 
 	if (res == NULL)
@@ -281,7 +283,7 @@ doswitch(const char *name, const char *function, const char *args,
 void
 dodecl(char *type, char *function, char *args) {
 	struct tt *tt;
-	char buf1[11], buf2[11];
+	char buf1[TYPECLASSLEN], buf2[TYPECLASSLEN];
 
 	fputs("\n", stdout);
 	for (tt = types; tt; tt = tt->next)
@@ -332,7 +334,7 @@ insert_into_typenames(int type, const char *typename, const char *attr) {
 		fprintf(stderr, "Error: typenames array too small\n");
 		exit(1);
 	}
-	
+
 	if (strlen(typename) > sizeof(ttn->typename) - 1) {
 		fprintf(stderr, "Error:  type name %s is too long\n",
 			typename);
@@ -392,6 +394,8 @@ add(int rdclass, const char *classname, int type, const char *typename,
 	newtt->type = type;
 	strcpy(newtt->classname, classname);
 	strcpy(newtt->typename, typename);
+	if (strncmp(dirname, "./", 2) == 0)
+		dirname += 2;
 	strcpy(newtt->dirname, dirname);
 
 	tt = types;
@@ -449,16 +453,16 @@ add(int rdclass, const char *classname, int type, const char *typename,
 
 void
 sd(int rdclass, const char *classname, const char *dirname, char filetype) {
-	char buf[sizeof("0123456789_65535.h")];
-	char fmt[sizeof("%10[-0-9a-z]_%d.h")];
+	char buf[sizeof("01234567890123456789_65535.h")];
+	char fmt[sizeof("%20[-0-9a-z]_%d.h")];
 	int type;
-	char typename[11];
+	char typename[TYPECLASSLEN];
 	isc_dir_t dir;
 
 	if (!start_directory(dirname, &dir))
 		return;
 
-	sprintf(fmt,"%s%c", "%10[-0-9a-z]_%d.", filetype);
+	sprintf(fmt,"%s%c", "%20[-0-9a-z]_%d.", filetype);
 	while (next_file(&dir)) {
 		if (sscanf(dir.filename, fmt, typename, &type) != 2)
 			continue;
@@ -495,7 +499,7 @@ main(int argc, char **argv) {
 	char buf[256];			/* XXX Should be max path length */
 	char srcdir[256];		/* XXX Should be max path length */
 	int rdclass;
-	char classname[11];
+	char classname[TYPECLASSLEN];
 	struct tt *tt;
 	struct cc *cc;
 	struct ttnam *ttn, *ttn2;
@@ -510,7 +514,7 @@ main(int argc, char **argv) {
 	int structs = 0;
 	int depend = 0;
 	int c, i, j;
-	char buf1[11];
+	char buf1[TYPECLASSLEN];
 	char filetype = 'c';
 	FILE *fd;
 	char *prefix = NULL;
@@ -594,7 +598,7 @@ main(int argc, char **argv) {
 	sd(0, "", buf, filetype);
 
 	if (time(&now) != -1) {
-		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104) 
+		if ((tm = localtime(&now)) != NULL && tm->tm_year > 104)
 			sprintf(year, "-%d", tm->tm_year + 1900);
 		else
 			year[0] = 0;
@@ -692,7 +696,7 @@ main(int argc, char **argv) {
 				"\t\t    strncasecmp(_s,(_tn),"
 				"(sizeof(_s) - 1)) == 0) { \\\n");
 		fprintf(stdout, "\t\t\tif ((dns_rdatatype_attributes(_d) & "
-		       		  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
+				  "DNS_RDATATYPEATTR_RESERVED) != 0) \\\n");
 		fprintf(stdout, "\t\t\t\treturn (ISC_R_NOTIMPLEMENTED); \\\n");
 		fprintf(stdout, "\t\t\t*(_tp) = _d; \\\n");
 		fprintf(stdout, "\t\t\treturn (ISC_R_SUCCESS); \\\n");
@@ -743,7 +747,7 @@ main(int argc, char **argv) {
 			if (ttn == NULL)
 				continue;
 			fprintf(stdout, "\tcase %u: return (%s); \\\n",
-			        i, upper(ttn->attr));
+				i, upper(ttn->attr));
 		}
 		fprintf(stdout, "\t}\n");
 
@@ -755,7 +759,7 @@ main(int argc, char **argv) {
 				continue;
 			fprintf(stdout, "\tcase %u: return "
 				"(str_totext(\"%s\", target)); \\\n",
-			        i, upper(ttn->typename));
+				i, upper(ttn->typename));
 		}
 		fprintf(stdout, "\t}\n");
 
diff --git a/lib/dns/gssapi_link.c b/lib/dns/gssapi_link.c
index a6a367a..0dd27bb 100644
--- a/lib/dns/gssapi_link.c
+++ b/lib/dns/gssapi_link.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,13 +16,13 @@
  */
 
 /*
- * $Id: gssapi_link.c,v 1.1.6.3 2005/04/29 00:15:53 marka Exp $
+ * $Id: gssapi_link.c,v 1.12 2008/11/11 03:55:01 marka Exp $
  */
 
-#ifdef GSSAPI
-
 #include <config.h>
 
+#ifdef GSSAPI
+
 #include <isc/buffer.h>
 #include <isc/mem.h>
 #include <isc/string.h>
@@ -33,60 +33,73 @@
 #include "dst_internal.h"
 #include "dst_parse.h"
 
-#include <gssapi/gssapi.h>
+#include <dst/gssapi.h>
 
 #define INITIAL_BUFFER_SIZE 1024
 #define BUFFER_EXTRA 1024
 
 #define REGION_TO_GBUFFER(r, gb) \
 	do { \
-		(gb).length = (r).length;	\
-		(gb).value = (r).base;	\
+		(gb).length = (r).length; \
+		(gb).value = (r).base; \
 	} while (0)
 
-typedef struct gssapi_ctx {
-	isc_buffer_t *buffer;
-	gss_ctx_id_t *context_id;
-} gssapi_ctx_t;
 
+struct dst_gssapi_signverifyctx {
+	isc_buffer_t *buffer;
+};
 
+/*%
+ * Allocate a temporary "context" for use in gathering data for signing
+ * or verifying.
+ */
 static isc_result_t
-gssapi_createctx(dst_key_t *key, dst_context_t *dctx) {
-	gssapi_ctx_t *ctx;
+gssapi_create_signverify_ctx(dst_key_t *key, dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx;
 	isc_result_t result;
 
 	UNUSED(key);
 
-	ctx = isc_mem_get(dctx->mctx, sizeof(gssapi_ctx_t));
+	ctx = isc_mem_get(dctx->mctx, sizeof(dst_gssapi_signverifyctx_t));
 	if (ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	ctx->buffer = NULL;
 	result = isc_buffer_allocate(dctx->mctx, &ctx->buffer,
 				     INITIAL_BUFFER_SIZE);
 	if (result != ISC_R_SUCCESS) {
-		isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
+		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
 		return (result);
 	}
-	ctx->context_id = key->opaque;
-	dctx->opaque = ctx;
+
+	dctx->ctxdata.gssctx = ctx;
+
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Destroy the temporary sign/verify context.
+ */
 static void
-gssapi_destroyctx(dst_context_t *dctx) {
-	gssapi_ctx_t *ctx = dctx->opaque;
+gssapi_destroy_signverify_ctx(dst_context_t *dctx) {
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
 
 	if (ctx != NULL) {
 		if (ctx->buffer != NULL)
 			isc_buffer_free(&ctx->buffer);
-		isc_mem_put(dctx->mctx, ctx, sizeof(gssapi_ctx_t));
-		dctx->opaque = NULL;
+		isc_mem_put(dctx->mctx, ctx, sizeof(dst_gssapi_signverifyctx_t));
+		dctx->ctxdata.gssctx = NULL;
 	}
 }
 
+/*%
+ * Add data to our running buffer of data we will be signing or verifying.
+ * This code will see if the new data will fit in our existing buffer, and
+ * copy it in if it will.  If not, it will attempt to allocate a larger
+ * buffer and copy old+new into it, and free the old buffer.
+ */
 static isc_result_t
 gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	gssapi_ctx_t *ctx = dctx->opaque;
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
 	isc_buffer_t *newbuffer = NULL;
 	isc_region_t r;
 	unsigned int length;
@@ -103,8 +116,8 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
 		return (result);
 
 	isc_buffer_usedregion(ctx->buffer, &r);
-	(void) isc_buffer_copyregion(newbuffer, &r);
-	(void) isc_buffer_copyregion(newbuffer, data);
+	(void)isc_buffer_copyregion(newbuffer, &r);
+	(void)isc_buffer_copyregion(newbuffer, data);
 
 	isc_buffer_free(&ctx->buffer);
 	ctx->buffer = newbuffer;
@@ -112,56 +125,129 @@ gssapi_adddata(dst_context_t *dctx, const isc_region_t *data) {
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Sign.
+ */
 static isc_result_t
 gssapi_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	gssapi_ctx_t *ctx = dctx->opaque;
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
 	isc_region_t message;
 	gss_buffer_desc gmessage, gsig;
 	OM_uint32 minor, gret;
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	char buf[1024];
 
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
 	isc_buffer_usedregion(ctx->buffer, &message);
 	REGION_TO_GBUFFER(message, gmessage);
 
-	gret = gss_get_mic(&minor, ctx->context_id,
-			   GSS_C_QOP_DEFAULT, &gmessage, &gsig);
-	if (gret != 0)
+	/*
+	 * Generate the signature.
+	 */
+	gret = gss_get_mic(&minor, gssctx, GSS_C_QOP_DEFAULT, &gmessage,
+			   &gsig);
+
+	/*
+	 * If it did not complete, we log the result and return a generic
+	 * failure code.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS sign error: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
 		return (ISC_R_FAILURE);
+	}
 
+	/*
+	 * If it will not fit in our allocated buffer, return that we need
+	 * more space.
+	 */
 	if (gsig.length > isc_buffer_availablelength(sig)) {
 		gss_release_buffer(&minor, &gsig);
 		return (ISC_R_NOSPACE);
 	}
 
+	/*
+	 * Copy the output into our buffer space, and release the gssapi
+	 * allocated space.
+	 */
 	isc_buffer_putmem(sig, gsig.value, gsig.length);
-
-	gss_release_buffer(&minor, &gsig);
+	if (gsig.length != 0)
+		gss_release_buffer(&minor, &gsig);
 
 	return (ISC_R_SUCCESS);
 }
 
+/*%
+ * Verify.
+ */
 static isc_result_t
 gssapi_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	gssapi_ctx_t *ctx = dctx->opaque;
-	isc_region_t message;
+	dst_gssapi_signverifyctx_t *ctx = dctx->ctxdata.gssctx;
+	isc_region_t message, r;
 	gss_buffer_desc gmessage, gsig;
 	OM_uint32 minor, gret;
-
+	gss_ctx_id_t gssctx = dctx->key->keydata.gssctx;
+	unsigned char *buf;
+	char err[1024];
+
+	/*
+	 * Convert the data we wish to sign into a structure gssapi can
+	 * understand.
+	 */
 	isc_buffer_usedregion(ctx->buffer, &message);
 	REGION_TO_GBUFFER(message, gmessage);
 
-	REGION_TO_GBUFFER(*sig, gsig);
-
-	gret = gss_verify_mic(&minor, ctx->context_id, &gmessage, &gsig, NULL);
-	if (gret != 0)
+	/*
+	 * XXXMLG
+	 * It seem that gss_verify_mic() modifies the signature buffer,
+	 * at least on Heimdal's implementation.  Copy it here to an allocated
+	 * buffer.
+	 */
+	buf = isc_mem_allocate(dst__memory_pool, sig->length);
+	if (buf == NULL)
 		return (ISC_R_FAILURE);
+	memcpy(buf, sig->base, sig->length);
+	r.base = buf;
+	r.length = sig->length;
+	REGION_TO_GBUFFER(r, gsig);
+
+	/*
+	 * Verify the data.
+	 */
+	gret = gss_verify_mic(&minor, gssctx, &gmessage, &gsig, NULL);
+
+	isc_mem_free(dst__memory_pool, buf);
+
+	/*
+	 * Convert return codes into something useful to us.
+	 */
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "GSS verify error: %s",
+			gss_error_tostring(gret, minor, err, sizeof(err)));
+		if (gret == GSS_S_DEFECTIVE_TOKEN ||
+		    gret == GSS_S_BAD_SIG ||
+		    gret == GSS_S_DUPLICATE_TOKEN ||
+		    gret == GSS_S_OLD_TOKEN ||
+		    gret == GSS_S_UNSEQ_TOKEN ||
+		    gret == GSS_S_GAP_TOKEN ||
+		    gret == GSS_S_CONTEXT_EXPIRED ||
+		    gret == GSS_S_NO_CONTEXT ||
+		    gret == GSS_S_FAILURE)
+			return(DST_R_VERIFYFAILURE);
+		else
+			return (ISC_R_FAILURE);
+	}
 
 	return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
 gssapi_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	gss_ctx_id_t gsskey1 = key1->opaque;
-	gss_ctx_id_t gsskey2 = key2->opaque;
+	gss_ctx_id_t gsskey1 = key1->keydata.gssctx;
+	gss_ctx_id_t gsskey2 = key2->keydata.gssctx;
 
 	/* No idea */
 	return (ISC_TF(gsskey1 == gsskey2));
@@ -179,18 +265,19 @@ gssapi_generate(dst_key_t *key, int unused) {
 static isc_boolean_t
 gssapi_isprivate(const dst_key_t *key) {
 	UNUSED(key);
-        return (ISC_TRUE);
+	return (ISC_TRUE);
 }
 
 static void
 gssapi_destroy(dst_key_t *key) {
-	UNUSED(key);
-	/* No idea */
+	REQUIRE(key != NULL);
+	dst_gssapi_deletectx(key->mctx, &key->keydata.gssctx);
+	key->keydata.gssctx = NULL;
 }
 
 static dst_func_t gssapi_functions = {
-	gssapi_createctx,
-	gssapi_destroyctx,
+	gssapi_create_signverify_ctx,
+	gssapi_destroy_signverify_ctx,
 	gssapi_adddata,
 	gssapi_sign,
 	gssapi_verify,
@@ -205,6 +292,7 @@ static dst_func_t gssapi_functions = {
 	NULL, /*%< tofile */
 	NULL, /*%< parse */
 	NULL, /*%< cleanup */
+	NULL  /*%< fromlabel */
 };
 
 isc_result_t
diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
index ce5d6fa..11eadb9 100644
--- a/lib/dns/gssapictx.c
+++ b/lib/dns/gssapictx.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,11 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapictx.c,v 1.1.6.3 2005/04/29 00:15:54 marka Exp $ */
+/* $Id: gssapictx.c,v 1.12 2008/04/03 06:09:04 tbox Exp $ */
 
 #include <config.h>
 
 #include <stdlib.h>
+#include <string.h>
 
 #include <isc/buffer.h>
 #include <isc/dir.h>
@@ -27,6 +28,7 @@
 #include <isc/lex.h>
 #include <isc/mem.h>
 #include <isc/once.h>
+#include <isc/print.h>
 #include <isc/random.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -39,34 +41,76 @@
 #include <dns/result.h>
 #include <dns/types.h>
 #include <dns/keyvalues.h>
+#include <dns/log.h>
 
 #include <dst/gssapi.h>
 #include <dst/result.h>
 
 #include "dst_internal.h"
 
-#ifdef GSSAPI
+/*
+ * If we're using our own SPNEGO implementation (see configure.in),
+ * pull it in now.  Otherwise, we just use whatever GSSAPI supplies.
+ */
+#if defined(GSSAPI) && defined(USE_ISC_SPNEGO)
+#include "spnego.h"
+#define	gss_accept_sec_context	gss_accept_sec_context_spnego
+#define	gss_init_sec_context	gss_init_sec_context_spnego
+#endif
 
-#include <gssapi/gssapi.h>
+/*
+ * Solaris8 apparently needs an explicit OID set, and Solaris10 needs
+ * one for anything but Kerberos.  Supplying an explicit OID set
+ * doesn't appear to hurt anything in other implementations, so we
+ * always use one.  If we're not using our own SPNEGO implementation,
+ * we include SPNEGO's OID.
+ */
+#if defined(GSSAPI)
 
-#define RETERR(x) do { \
-	result = (x); \
-	if (result != ISC_R_SUCCESS) \
-		goto out; \
+static unsigned char krb5_mech_oid_bytes[] = {
+	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+#ifndef USE_ISC_SPNEGO
+static unsigned char spnego_mech_oid_bytes[] = {
+	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+#endif
+
+static gss_OID_desc mech_oid_set_array[] = {
+	{ sizeof(krb5_mech_oid_bytes), krb5_mech_oid_bytes },
+#ifndef USE_ISC_SPNEGO
+	{ sizeof(spnego_mech_oid_bytes), spnego_mech_oid_bytes },
+#endif
+};
+
+static gss_OID_set_desc mech_oid_set = {
+	sizeof(mech_oid_set_array) / sizeof(*mech_oid_set_array),
+	mech_oid_set_array
+};
+
+#endif
+
+#define REGION_TO_GBUFFER(r, gb) \
+	do { \
+		(gb).length = (r).length; \
+		(gb).value = (r).base; \
 	} while (0)
 
-#define REGION_TO_GBUFFER(r, gb)		\
-	do {					\
-		(gb).length = (r).length;	\
-		(gb).value = (r).base;		\
+#define GBUFFER_TO_REGION(gb, r) \
+	do { \
+		(r).length = (gb).length; \
+		(r).base = (gb).value; \
 	} while (0)
 
-#define GBUFFER_TO_REGION(gb, r)		\
-	do {					\
-		(r).length = (gb).length;	\
-		(r).base = (gb).value;		\
+
+#define RETERR(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto out; \
 	} while (0)
 
+#ifdef GSSAPI
 static inline void
 name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
 		gss_buffer_desc *gbuffer)
@@ -77,22 +121,81 @@ name_to_gbuffer(dns_name_t *name, isc_buffer_t *buffer,
 
 	if (!dns_name_isabsolute(name))
 		namep = name;
-	else {
+	else
+	{
 		unsigned int labels;
 		dns_name_init(&tname, NULL);
 		labels = dns_name_countlabels(name);
 		dns_name_getlabelsequence(name, 0, labels - 1, &tname);
 		namep = &tname;
 	}
-					
+
 	result = dns_name_totext(namep, ISC_FALSE, buffer);
 	isc_buffer_putuint8(buffer, 0);
 	isc_buffer_usedregion(buffer, &r);
 	REGION_TO_GBUFFER(r, *gbuffer);
 }
 
+static void
+log_cred(const gss_cred_id_t cred) {
+	OM_uint32 gret, minor, lifetime;
+	gss_name_t gname;
+	gss_buffer_desc gbuffer;
+	gss_cred_usage_t usage;
+	const char *usage_text;
+	char buf[1024];
+
+	gret = gss_inquire_cred(&minor, cred, &gname, &lifetime, &usage, NULL);
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed gss_inquire_cred: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return;
+	}
+
+	gret = gss_display_name(&minor, gname, &gbuffer, NULL);
+	if (gret != GSS_S_COMPLETE)
+		gss_log(3, "failed gss_display_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	else {
+		switch (usage) {
+		case GSS_C_BOTH:
+			usage_text = "GSS_C_BOTH";
+			break;
+		case GSS_C_INITIATE:
+			usage_text = "GSS_C_INITIATE";
+			break;
+		case GSS_C_ACCEPT:
+			usage_text = "GSS_C_ACCEPT";
+			break;
+		default:
+			usage_text = "???";
+		}
+		gss_log(3, "gss cred: \"%s\", %s, %lu", (char *)gbuffer.value,
+			usage_text, (unsigned long)lifetime);
+	}
+
+	if (gret == GSS_S_COMPLETE) {
+		if (gbuffer.length != 0) {
+			gret = gss_release_buffer(&minor, &gbuffer);
+			if (gret != GSS_S_COMPLETE)
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+		}
+	}
+
+	gret = gss_release_name(&minor, &gname);
+	if (gret != GSS_S_COMPLETE)
+		gss_log(3, "failed gss_release_name: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+}
+#endif
+
 isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+		       gss_cred_id_t *cred)
+{
+#ifdef GSSAPI
 	isc_buffer_t namebuf;
 	gss_name_t gname;
 	gss_buffer_desc gnamebuf;
@@ -101,164 +204,535 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
 	gss_OID_set mechs;
 	OM_uint32 lifetime;
 	gss_cred_usage_t usage;
+	char buf[1024];
 
 	REQUIRE(cred != NULL && *cred == NULL);
 
+	/*
+	 * XXXSRA In theory we could use GSS_C_NT_HOSTBASED_SERVICE
+	 * here when we're in the acceptor role, which would let us
+	 * default the hostname and use a compiled in default service
+	 * name of "DNS", giving one less thing to configure in
+	 * named.conf.  Unfortunately, this creates a circular
+	 * dependency due to DNS-based realm lookup in at least one
+	 * GSSAPI implementation (Heimdal).  Oh well.
+	 */
 	if (name != NULL) {
 		isc_buffer_init(&namebuf, array, sizeof(array));
 		name_to_gbuffer(name, &namebuf, &gnamebuf);
-		gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID,
-				       &gname);
-		if (gret != GSS_S_COMPLETE)
+		gret = gss_import_name(&minor, &gnamebuf,
+				       GSS_C_NO_OID, &gname);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_import_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
 			return (ISC_R_FAILURE);
+		}
 	} else
 		gname = NULL;
 
+	/* Get the credentials. */
+	if (gname != NULL)
+		gss_log(3, "acquiring credentials for %s",
+			(char *)gnamebuf.value);
+	else {
+		/* XXXDCL does this even make any sense? */
+		gss_log(3, "acquiring credentials for ?");
+	}
+
 	if (initiate)
 		usage = GSS_C_INITIATE;
 	else
 		usage = GSS_C_ACCEPT;
 
 	gret = gss_acquire_cred(&minor, gname, GSS_C_INDEFINITE,
-				GSS_C_NO_OID_SET, usage,
-				cred, &mechs, &lifetime);
-	if (gret != GSS_S_COMPLETE)
+				&mech_oid_set,
+				usage, cred, &mechs, &lifetime);
+
+	if (gret != GSS_S_COMPLETE) {
+		gss_log(3, "failed to acquire %s credentials for %s: %s",
+			initiate ? "initiate" : "accept",
+			(char *)gnamebuf.value,
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
 		return (ISC_R_FAILURE);
+	}
+
+	gss_log(4, "acquired %s credentials for %s",
+		initiate ? "initiate" : "accept",
+		(char *)gnamebuf.value);
+
+	log_cred(*cred);
+
 	return (ISC_R_SUCCESS);
+#else
+	UNUSED(name);
+	UNUSED(initiate);
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
+				    dns_name_t *realm)
+{
+#ifdef GSSAPI
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char nbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *rname;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	dns_name_format(signer, sbuf, sizeof(sbuf));
+	if (name != NULL)
+		dns_name_format(name, nbuf, sizeof(nbuf));
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strstr(sbuf, "\\@");
+	if (rname == NULL)
+		return (isc_boolean_false);
+	*rname = '\0';
+	rname += 2;
+
+	/*
+	 * Find the host portion of the signer's name.  We do this by
+	 * searching for the first / character.  We then check to make
+	 * certain the instance name is "host"
+	 *
+	 * This will work for
+	 *    host/example.com@EXAMPLE.COM
+	 */
+	sname = strchr(sbuf, '/');
+	if (sname == NULL)
+		return (isc_boolean_false);
+	*sname = '\0';
+	sname++;
+	if (strcmp(sbuf, "host") != 0)
+		return (isc_boolean_false);
+
+	/*
+	 * Now, we do a simple comparison between the name and the realm.
+	 */
+	if (name != NULL) {
+		if ((strcasecmp(sname, nbuf) == 0)
+		    && (strcmp(rname, rbuf) == 0))
+			return (isc_boolean_true);
+	} else {
+		if (strcmp(rname, rbuf) == 0)
+			return (isc_boolean_true);
+	}
+
+	return (isc_boolean_false);
+#else
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	return (isc_boolean_false);
+#endif
+}
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
+				  dns_name_t *realm)
+{
+#ifdef GSSAPI
+	char sbuf[DNS_NAME_FORMATSIZE];
+	char nbuf[DNS_NAME_FORMATSIZE];
+	char rbuf[DNS_NAME_FORMATSIZE];
+	char *sname;
+	char *nname;
+	char *rname;
+
+	/*
+	 * It is far, far easier to write the names we are looking at into
+	 * a string, and do string operations on them.
+	 */
+	dns_name_format(signer, sbuf, sizeof(sbuf));
+	if (name != NULL)
+		dns_name_format(name, nbuf, sizeof(nbuf));
+	dns_name_format(realm, rbuf, sizeof(rbuf));
+
+	/*
+	 * Find the realm portion.  This is the part after the @.  If it
+	 * does not exist, we don't have something we like, so we fail our
+	 * compare.
+	 */
+	rname = strstr(sbuf, "\\@");
+	if (rname == NULL)
+		return (isc_boolean_false);
+	sname = strstr(sbuf, "\\$");
+	if (sname == NULL)
+		return (isc_boolean_false);
+
+	/*
+	 * Verify that the $ and @ follow one another.
+	 */
+	if (rname - sname != 2)
+		return (isc_boolean_false);
+
+	/*
+	 * Find the host portion of the signer's name.  Zero out the $ so
+	 * it terminates the signer's name, and skip past the @ for
+	 * the realm.
+	 *
+	 * All service principals in Microsoft format seem to be in
+	 *    machinename$@EXAMPLE.COM
+	 * format.
+	 */
+	*rname = '\0';
+	rname += 2;
+	*sname = '\0';
+	sname = sbuf;
+
+	/*
+	 * Find the first . in the target name, and make it the end of
+	 * the string.   The rest of the name has to match the realm.
+	 */
+	if (name != NULL) {
+		nname = strchr(nbuf, '.');
+		if (nname == NULL)
+			return (isc_boolean_false);
+		*nname++ = '\0';
+	}
+
+	/*
+	 * Now, we do a simple comparison between the name and the realm.
+	 */
+	if (name != NULL) {
+		if ((strcasecmp(sname, nbuf) == 0)
+		    && (strcmp(rname, rbuf) == 0)
+		    && (strcasecmp(nname, rbuf) == 0))
+			return (isc_boolean_true);
+	} else {
+		if (strcmp(rname, rbuf) == 0)
+			return (isc_boolean_true);
+	}
+
+
+	return (isc_boolean_false);
+#else
+	UNUSED(signer);
+	UNUSED(name);
+	UNUSED(realm);
+	return (isc_boolean_false);
+#endif
 }
 
 isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
-		   isc_region_t *intoken, isc_buffer_t *outtoken,
-		   void **context)
+dst_gssapi_releasecred(gss_cred_id_t *cred) {
+#ifdef GSSAPI
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	REQUIRE(cred != NULL && *cred != NULL);
+
+	gret = gss_release_cred(&minor, cred);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the credential's memory */
+		gss_log(3, "failed releasing credential: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	*cred = NULL;
+
+	return(ISC_R_SUCCESS);
+#else
+	UNUSED(cred);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
+}
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx)
 {
+#ifdef GSSAPI
 	isc_region_t r;
 	isc_buffer_t namebuf;
-	gss_buffer_desc gnamebuf, gintoken, *gintokenp, gouttoken;
-	OM_uint32 gret, minor, flags, ret_flags;
-	gss_OID mech_type, ret_mech_type;
-	OM_uint32 lifetime;
 	gss_name_t gname;
+	OM_uint32 gret, minor, ret_flags, flags;
+	gss_buffer_desc gintoken, *gintokenp, gouttoken = GSS_C_EMPTY_BUFFER;
 	isc_result_t result;
+	gss_buffer_desc gnamebuf;
 	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	char buf[1024];
+
+	/* Client must pass us a valid gss_ctx_id_t here */
+	REQUIRE(gssctx != NULL);
 
 	isc_buffer_init(&namebuf, array, sizeof(array));
 	name_to_gbuffer(name, &namebuf, &gnamebuf);
+
+	/* Get the name as a GSS name */
 	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
-	if (gret != GSS_S_COMPLETE)
-		return (ISC_R_FAILURE);
+	if (gret != GSS_S_COMPLETE) {
+		result = ISC_R_FAILURE;
+		goto out;
+	}
 
 	if (intoken != NULL) {
+		/* Don't call gss_release_buffer for gintoken! */
 		REGION_TO_GBUFFER(*intoken, gintoken);
 		gintokenp = &gintoken;
-	} else
+	} else {
 		gintokenp = NULL;
+	}
 
-	if (*context == NULL)
-		*context = GSS_C_NO_CONTEXT;
 	flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
-		GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG;
-	mech_type = GSS_C_NO_OID;
-
-	gret = gss_init_sec_context(&minor, cred, context, gname,
-				    mech_type, flags, 0,
-				    GSS_C_NO_CHANNEL_BINDINGS, gintokenp,
-				    &ret_mech_type, &gouttoken, &ret_flags,
-				    &lifetime);
-	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED)
-		return (ISC_R_FAILURE);
+		GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
+
+	gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+				    gname, GSS_SPNEGO_MECHANISM, flags,
+				    0, NULL, gintokenp,
+				    NULL, &gouttoken, &ret_flags, NULL);
+
+	if (gret != GSS_S_COMPLETE && gret != GSS_S_CONTINUE_NEEDED) {
+		gss_log(3, "Failure initiating security context");
+		gss_log(3, "%s", gss_error_tostring(gret, minor,
+						    buf, sizeof(buf)));
+		result = ISC_R_FAILURE;
+		goto out;
+	}
 
-	GBUFFER_TO_REGION(gouttoken, r);
-	RETERR(isc_buffer_copyregion(outtoken, &r));
+	/*
+	 * XXXSRA Not handled yet: RFC 3645 3.1.1: check ret_flags
+	 * MUTUAL and INTEG flags, fail if either not set.
+	 */
+
+	/*
+	 * RFC 2744 states the a valid output token has a non-zero length.
+	 */
+	if (gouttoken.length != 0) {
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(outtoken, &r));
+		(void)gss_release_buffer(&minor, &gouttoken);
+	}
+	(void)gss_release_name(&minor, &gname);
 
 	if (gret == GSS_S_COMPLETE)
-		return (ISC_R_SUCCESS);
+		result = ISC_R_SUCCESS;
 	else
-		return (DNS_R_CONTINUE);
+		result = DNS_R_CONTINUE;
 
  out:
- 	return (result);
+	return (result);
+#else
+	UNUSED(name);
+	UNUSED(intoken);
+	UNUSED(outtoken);
+	UNUSED(gssctx);
+
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
-		     isc_region_t *intoken, isc_buffer_t *outtoken,
-		     void **context)
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     gss_ctx_id_t *ctxout, dns_name_t *principal,
+		     isc_mem_t *mctx)
 {
+#ifdef GSSAPI
 	isc_region_t r;
 	isc_buffer_t namebuf;
-	gss_buffer_desc gnamebuf, gintoken, gouttoken;
-	OM_uint32 gret, minor, flags;
-	gss_OID mech_type;
-	OM_uint32 lifetime;
-	gss_cred_id_t delegated_cred;
-	gss_name_t gname;
+	gss_buffer_desc gnamebuf = GSS_C_EMPTY_BUFFER, gintoken,
+			gouttoken = GSS_C_EMPTY_BUFFER;
+	OM_uint32 gret, minor;
+	gss_ctx_id_t context = GSS_C_NO_CONTEXT;
+	gss_name_t gname = NULL;
 	isc_result_t result;
-	unsigned char array[DNS_NAME_MAXTEXT + 1];
+	char buf[1024];
 
-	isc_buffer_init(&namebuf, array, sizeof(array));
-	name_to_gbuffer(name, &namebuf, &gnamebuf);
-	gret = gss_import_name(&minor, &gnamebuf, GSS_C_NO_OID, &gname);
-	if (gret != GSS_S_COMPLETE)
-		return (ISC_R_FAILURE);
+	REQUIRE(outtoken != NULL && *outtoken == NULL);
+
+	log_cred(cred);
 
 	REGION_TO_GBUFFER(*intoken, gintoken);
 
-	if (*context == NULL)
-		*context = GSS_C_NO_CONTEXT;
+	if (*ctxout == NULL)
+		context = GSS_C_NO_CONTEXT;
+	else
+		context = *ctxout;
+
+	gret = gss_accept_sec_context(&minor, &context, cred, &gintoken,
+				      GSS_C_NO_CHANNEL_BINDINGS, &gname,
+				      NULL, &gouttoken, NULL, NULL, NULL);
+
+	result = ISC_R_FAILURE;
+
+	switch (gret) {
+	case GSS_S_COMPLETE:
+		result = ISC_R_SUCCESS;
+		break;
+	case GSS_S_CONTINUE_NEEDED:
+		result = DNS_R_CONTINUE;
+		break;
+	case GSS_S_DEFECTIVE_TOKEN:
+	case GSS_S_DEFECTIVE_CREDENTIAL:
+	case GSS_S_BAD_SIG:
+	case GSS_S_DUPLICATE_TOKEN:
+	case GSS_S_OLD_TOKEN:
+	case GSS_S_NO_CRED:
+	case GSS_S_CREDENTIALS_EXPIRED:
+	case GSS_S_BAD_BINDINGS:
+	case GSS_S_NO_CONTEXT:
+	case GSS_S_BAD_MECH:
+	case GSS_S_FAILURE:
+		result = DNS_R_INVALIDTKEY;
+		/* fall through */
+	default:
+		gss_log(3, "failed gss_accept_sec_context: %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+		return (result);
+	}
 
-	gret = gss_accept_sec_context(&minor, context, cred, &gintoken,
-				      GSS_C_NO_CHANNEL_BINDINGS, gname,
-				      &mech_type, &gouttoken, &flags,
-				      &lifetime, &delegated_cred);
-	if (gret != GSS_S_COMPLETE)
-		return (ISC_R_FAILURE);
+	if (gouttoken.length > 0) {
+		RETERR(isc_buffer_allocate(mctx, outtoken, gouttoken.length));
+		GBUFFER_TO_REGION(gouttoken, r);
+		RETERR(isc_buffer_copyregion(*outtoken, &r));
+		(void)gss_release_buffer(&minor, &gouttoken);
+	}
 
-	GBUFFER_TO_REGION(gouttoken, r);
-	RETERR(isc_buffer_copyregion(outtoken, &r));
+	if (gret == GSS_S_COMPLETE) {
+		gret = gss_display_name(&minor, gname, &gnamebuf, NULL);
+		if (gret != GSS_S_COMPLETE) {
+			gss_log(3, "failed gss_display_name: %s",
+				gss_error_tostring(gret, minor,
+						   buf, sizeof(buf)));
+			RETERR(ISC_R_FAILURE);
+		}
+
+		/*
+		 * Compensate for a bug in Solaris8's implementation
+		 * of gss_display_name().  Should be harmless in any
+		 * case, since principal names really should not
+		 * contain null characters.
+		 */
+		if (gnamebuf.length > 0 &&
+		    ((char *)gnamebuf.value)[gnamebuf.length - 1] == '\0')
+			gnamebuf.length--;
+
+		gss_log(3, "gss-api source name (accept) is %.*s",
+			(int)gnamebuf.length, (char *)gnamebuf.value);
+
+		GBUFFER_TO_REGION(gnamebuf, r);
+		isc_buffer_init(&namebuf, r.base, r.length);
+		isc_buffer_add(&namebuf, r.length);
+
+		RETERR(dns_name_fromtext(principal, &namebuf, dns_rootname,
+					 ISC_FALSE, NULL));
+
+		if (gnamebuf.length != 0) {
+			gret = gss_release_buffer(&minor, &gnamebuf);
+			if (gret != GSS_S_COMPLETE)
+				gss_log(3, "failed gss_release_buffer: %s",
+					gss_error_tostring(gret, minor, buf,
+							   sizeof(buf)));
+		}
+	}
 
-	return (ISC_R_SUCCESS);
+	*ctxout = context;
 
  out:
-	return (result);
-}
+	if (gname != NULL) {
+		gret = gss_release_name(&minor, &gname);
+		if (gret != GSS_S_COMPLETE)
+			gss_log(3, "failed gss_release_name: %s",
+				gss_error_tostring(gret, minor, buf,
+						   sizeof(buf)));
+	}
 
+	return (result);
 #else
-
-isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred) {
-	UNUSED(name);
-	UNUSED(initiate);
-	UNUSED(cred);
-	return (ISC_R_NOTIMPLEMENTED);
-}
-
-isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
-		   isc_region_t *intoken, isc_buffer_t *outtoken,
-		   void **context)
-{
-	UNUSED(name);
 	UNUSED(cred);
 	UNUSED(intoken);
 	UNUSED(outtoken);
-	UNUSED(context);
+	UNUSED(ctxout);
+	UNUSED(principal);
+	UNUSED(mctx);
+
 	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
-		     isc_region_t *intoken, isc_buffer_t *outtoken,
-		     void **context)
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx)
 {
-	UNUSED(name);
-	UNUSED(cred);
-	UNUSED(intoken);
-	UNUSED(outtoken);
-	UNUSED(context);
+#ifdef GSSAPI
+	OM_uint32 gret, minor;
+	char buf[1024];
+
+	UNUSED(mctx);
+
+	REQUIRE(gssctx != NULL && *gssctx != NULL);
+
+	/* Delete the context from the GSS provider */
+	gret = gss_delete_sec_context(&minor, gssctx, GSS_C_NO_BUFFER);
+	if (gret != GSS_S_COMPLETE) {
+		/* Log the error, but still free the context's memory */
+		gss_log(3, "Failure deleting security context %s",
+			gss_error_tostring(gret, minor, buf, sizeof(buf)));
+	}
+	return(ISC_R_SUCCESS);
+#else
+	UNUSED(mctx);
+	UNUSED(gssctx);
 	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
+char *
+gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
+		   char *buf, size_t buflen) {
+#ifdef GSSAPI
+	gss_buffer_desc msg_minor = GSS_C_EMPTY_BUFFER,
+			msg_major = GSS_C_EMPTY_BUFFER;
+	OM_uint32 msg_ctx, minor_stat;
+
+	/* Handle major status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, major, GSS_C_GSS_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_major);
+
+	/* Handle minor status */
+	msg_ctx = 0;
+	(void)gss_display_status(&minor_stat, minor, GSS_C_MECH_CODE,
+				 GSS_C_NULL_OID, &msg_ctx, &msg_minor);
+
+	snprintf(buf, buflen, "GSSAPI error: Major = %s, Minor = %s.",
+		(char *)msg_major.value, (char *)msg_minor.value);
+
+	if (msg_major.length != 0)
+		(void)gss_release_buffer(&minor_stat, &msg_major);
+	if (msg_minor.length != 0)
+		(void)gss_release_buffer(&minor_stat, &msg_minor);
+	return(buf);
+#else
+	snprintf(buf, buflen, "GSSAPI error: Major = %u, Minor = %u.",
+		 major, minor);
+
+	return (buf);
 #endif
+}
+
+void
+gss_log(int level, const char *fmt, ...) {
+	va_list ap;
+
+	va_start(ap, fmt);
+	isc_log_vwrite(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+		       DNS_LOGMODULE_TKEY, ISC_LOG_DEBUG(level), fmt, ap);
+	va_end(ap);
+}
 
 /*! \file */
diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 9655c89..fce98d7 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: hmac_link.c,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $
+ * $Id: hmac_link.c,v 1.11 2008/04/01 23:47:10 tbox Exp $
  */
 
 #include <config.h>
@@ -43,9 +56,9 @@
 
 static isc_result_t hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct hmackey {
+struct dst_hmacmd5_key {
 	unsigned char key[HMAC_LEN];
-} HMAC_Key;
+};
 
 static isc_result_t
 getkeybits(dst_key_t *key, struct dst_private_element *element) {
@@ -61,30 +74,30 @@ getkeybits(dst_key_t *key, struct dst_private_element *element) {
 static isc_result_t
 hmacmd5_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacmd5_t *hmacmd5ctx;
-	HMAC_Key *hkey = key->opaque;
+	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
 
 	hmacmd5ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacmd5_t));
 	if (hmacmd5ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacmd5_init(hmacmd5ctx, hkey->key, HMAC_LEN);
-	dctx->opaque = hmacmd5ctx;
+	dctx->ctxdata.hmacmd5ctx = hmacmd5ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacmd5_destroyctx(dst_context_t *dctx) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
 
 	if (hmacmd5ctx != NULL) {
 		isc_hmacmd5_invalidate(hmacmd5ctx);
 		isc_mem_put(dctx->mctx, hmacmd5ctx, sizeof(isc_hmacmd5_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacmd5ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
 
 	isc_hmacmd5_update(hmacmd5ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -92,7 +105,7 @@ hmacmd5_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_MD5_DIGESTLENGTH)
@@ -106,7 +119,7 @@ hmacmd5_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacmd5_t *hmacmd5ctx = dctx->opaque;
+	isc_hmacmd5_t *hmacmd5ctx = dctx->ctxdata.hmacmd5ctx;
 
 	if (sig->length > ISC_MD5_DIGESTLENGTH)
 		return (DST_R_VERIFYFAILURE);
@@ -119,10 +132,10 @@ hmacmd5_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacmd5_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMAC_Key *hkey1, *hkey2;
+	dst_hmacmd5_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMAC_Key *)key1->opaque;
-	hkey2 = (HMAC_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacmd5;
+	hkey2 = key2->keydata.hmacmd5;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -170,20 +183,20 @@ hmacmd5_isprivate(const dst_key_t *key) {
 
 static void
 hmacmd5_destroy(dst_key_t *key) {
-	HMAC_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMAC_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMAC_Key));
-	key->opaque = NULL;
+	dst_hmacmd5_key_t *hkey = key->keydata.hmacmd5;
+	memset(hkey, 0, sizeof(dst_hmacmd5_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacmd5_key_t));
+	key->keydata.hmacmd5 = NULL;
 }
 
 static isc_result_t
 hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMAC_Key *hkey;
+	dst_hmacmd5_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacmd5 != NULL);
 
-	hkey = (HMAC_Key *) key->opaque;
+	hkey = key->keydata.hmacmd5;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -195,7 +208,7 @@ hmacmd5_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMAC_Key *hkey;
+	dst_hmacmd5_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_md5_t md5ctx;
@@ -204,7 +217,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMAC_Key *) isc_mem_get(key->mctx, sizeof(HMAC_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacmd5_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -222,7 +235,7 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacmd5 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -230,15 +243,15 @@ hmacmd5_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacmd5_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMAC_Key *hkey;
+	dst_hmacmd5_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacmd5 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMAC_Key *) key->opaque;
+	hkey = key->keydata.hmacmd5;
 
 	priv.elements[cnt].tag = TAG_HMACMD5_KEY;
 	priv.elements[cnt].length = bytes;
@@ -272,7 +285,7 @@ hmacmd5_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACMD5_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacmd5_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -310,6 +323,7 @@ static dst_func_t hmacmd5_functions = {
 	hmacmd5_tofile,
 	hmacmd5_parse,
 	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
 };
 
 isc_result_t
@@ -322,37 +336,37 @@ dst__hmacmd5_init(dst_func_t **funcp) {
 
 static isc_result_t hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct {
+struct dst_hmacsha1_key {
 	unsigned char key[ISC_SHA1_DIGESTLENGTH];
-} HMACSHA1_Key;
+};
 
 static isc_result_t
 hmacsha1_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacsha1_t *hmacsha1ctx;
-	HMACSHA1_Key *hkey = key->opaque;
+	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
 
 	hmacsha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha1_t));
 	if (hmacsha1ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacsha1_init(hmacsha1ctx, hkey->key, ISC_SHA1_DIGESTLENGTH);
-	dctx->opaque = hmacsha1ctx;
+	dctx->ctxdata.hmacsha1ctx = hmacsha1ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacsha1_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
 
 	if (hmacsha1ctx != NULL) {
 		isc_hmacsha1_invalidate(hmacsha1ctx);
 		isc_mem_put(dctx->mctx, hmacsha1ctx, sizeof(isc_hmacsha1_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacsha1ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
 
 	isc_hmacsha1_update(hmacsha1ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -360,7 +374,7 @@ hmacsha1_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_SHA1_DIGESTLENGTH)
@@ -374,7 +388,7 @@ hmacsha1_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha1_t *hmacsha1ctx = dctx->opaque;
+	isc_hmacsha1_t *hmacsha1ctx = dctx->ctxdata.hmacsha1ctx;
 
 	if (sig->length > ISC_SHA1_DIGESTLENGTH || sig->length == 0)
 		return (DST_R_VERIFYFAILURE);
@@ -387,10 +401,10 @@ hmacsha1_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacsha1_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMACSHA1_Key *hkey1, *hkey2;
+	dst_hmacsha1_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMACSHA1_Key *)key1->opaque;
-	hkey2 = (HMACSHA1_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacsha1;
+	hkey2 = key2->keydata.hmacsha1;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -438,20 +452,20 @@ hmacsha1_isprivate(const dst_key_t *key) {
 
 static void
 hmacsha1_destroy(dst_key_t *key) {
-	HMACSHA1_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMACSHA1_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA1_Key));
-	key->opaque = NULL;
+	dst_hmacsha1_key_t *hkey = key->keydata.hmacsha1;
+	memset(hkey, 0, sizeof(dst_hmacsha1_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha1_key_t));
+	key->keydata.hmacsha1 = NULL;
 }
 
 static isc_result_t
 hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA1_Key *hkey;
+	dst_hmacsha1_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacsha1 != NULL);
 
-	hkey = (HMACSHA1_Key *) key->opaque;
+	hkey = key->keydata.hmacsha1;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -463,7 +477,7 @@ hmacsha1_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA1_Key *hkey;
+	dst_hmacsha1_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_sha1_t sha1ctx;
@@ -472,7 +486,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMACSHA1_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA1_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha1_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -490,7 +504,7 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacsha1 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -498,15 +512,15 @@ hmacsha1_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacsha1_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMACSHA1_Key *hkey;
+	dst_hmacsha1_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacsha1 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMACSHA1_Key *) key->opaque;
+	hkey = key->keydata.hmacsha1;
 
 	priv.elements[cnt].tag = TAG_HMACSHA1_KEY;
 	priv.elements[cnt].length = bytes;
@@ -541,7 +555,7 @@ hmacsha1_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACSHA1_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacsha1_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -579,6 +593,7 @@ static dst_func_t hmacsha1_functions = {
 	hmacsha1_tofile,
 	hmacsha1_parse,
 	NULL, /* cleanup */
+	NULL, /* fromlabel */
 };
 
 isc_result_t
@@ -591,37 +606,37 @@ dst__hmacsha1_init(dst_func_t **funcp) {
 
 static isc_result_t hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct {
+struct dst_hmacsha224_key {
 	unsigned char key[ISC_SHA224_DIGESTLENGTH];
-} HMACSHA224_Key;
+};
 
 static isc_result_t
 hmacsha224_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacsha224_t *hmacsha224ctx;
-	HMACSHA224_Key *hkey = key->opaque;
+	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
 
 	hmacsha224ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha224_t));
 	if (hmacsha224ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacsha224_init(hmacsha224ctx, hkey->key, ISC_SHA224_DIGESTLENGTH);
-	dctx->opaque = hmacsha224ctx;
+	dctx->ctxdata.hmacsha224ctx = hmacsha224ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacsha224_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
 
 	if (hmacsha224ctx != NULL) {
 		isc_hmacsha224_invalidate(hmacsha224ctx);
 		isc_mem_put(dctx->mctx, hmacsha224ctx, sizeof(isc_hmacsha224_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacsha224ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
 
 	isc_hmacsha224_update(hmacsha224ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -629,7 +644,7 @@ hmacsha224_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_SHA224_DIGESTLENGTH)
@@ -643,7 +658,7 @@ hmacsha224_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha224_t *hmacsha224ctx = dctx->opaque;
+	isc_hmacsha224_t *hmacsha224ctx = dctx->ctxdata.hmacsha224ctx;
 
 	if (sig->length > ISC_SHA224_DIGESTLENGTH || sig->length == 0)
 		return (DST_R_VERIFYFAILURE);
@@ -656,10 +671,10 @@ hmacsha224_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacsha224_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMACSHA224_Key *hkey1, *hkey2;
+	dst_hmacsha224_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMACSHA224_Key *)key1->opaque;
-	hkey2 = (HMACSHA224_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacsha224;
+	hkey2 = key2->keydata.hmacsha224;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -707,20 +722,20 @@ hmacsha224_isprivate(const dst_key_t *key) {
 
 static void
 hmacsha224_destroy(dst_key_t *key) {
-	HMACSHA224_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMACSHA224_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA224_Key));
-	key->opaque = NULL;
+	dst_hmacsha224_key_t *hkey = key->keydata.hmacsha224;
+	memset(hkey, 0, sizeof(dst_hmacsha224_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha224_key_t));
+	key->keydata.hmacsha224 = NULL;
 }
 
 static isc_result_t
 hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA224_Key *hkey;
+	dst_hmacsha224_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacsha224 != NULL);
 
-	hkey = (HMACSHA224_Key *) key->opaque;
+	hkey = key->keydata.hmacsha224;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -732,7 +747,7 @@ hmacsha224_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA224_Key *hkey;
+	dst_hmacsha224_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_sha224_t sha224ctx;
@@ -741,7 +756,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMACSHA224_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA224_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha224_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -759,7 +774,7 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacsha224 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -767,15 +782,15 @@ hmacsha224_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacsha224_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMACSHA224_Key *hkey;
+	dst_hmacsha224_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacsha224 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMACSHA224_Key *) key->opaque;
+	hkey = key->keydata.hmacsha224;
 
 	priv.elements[cnt].tag = TAG_HMACSHA224_KEY;
 	priv.elements[cnt].length = bytes;
@@ -810,7 +825,7 @@ hmacsha224_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACSHA224_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacsha224_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -848,6 +863,7 @@ static dst_func_t hmacsha224_functions = {
 	hmacsha224_tofile,
 	hmacsha224_parse,
 	NULL, /* cleanup */
+	NULL, /* fromlabel */
 };
 
 isc_result_t
@@ -860,37 +876,37 @@ dst__hmacsha224_init(dst_func_t **funcp) {
 
 static isc_result_t hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct {
+struct dst_hmacsha256_key {
 	unsigned char key[ISC_SHA256_DIGESTLENGTH];
-} HMACSHA256_Key;
+};
 
 static isc_result_t
 hmacsha256_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacsha256_t *hmacsha256ctx;
-	HMACSHA256_Key *hkey = key->opaque;
+	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
 
 	hmacsha256ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha256_t));
 	if (hmacsha256ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacsha256_init(hmacsha256ctx, hkey->key, ISC_SHA256_DIGESTLENGTH);
-	dctx->opaque = hmacsha256ctx;
+	dctx->ctxdata.hmacsha256ctx = hmacsha256ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacsha256_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
 
 	if (hmacsha256ctx != NULL) {
 		isc_hmacsha256_invalidate(hmacsha256ctx);
 		isc_mem_put(dctx->mctx, hmacsha256ctx, sizeof(isc_hmacsha256_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacsha256ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
 
 	isc_hmacsha256_update(hmacsha256ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -898,7 +914,7 @@ hmacsha256_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_SHA256_DIGESTLENGTH)
@@ -912,7 +928,7 @@ hmacsha256_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha256_t *hmacsha256ctx = dctx->opaque;
+	isc_hmacsha256_t *hmacsha256ctx = dctx->ctxdata.hmacsha256ctx;
 
 	if (sig->length > ISC_SHA256_DIGESTLENGTH || sig->length == 0)
 		return (DST_R_VERIFYFAILURE);
@@ -925,10 +941,10 @@ hmacsha256_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacsha256_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMACSHA256_Key *hkey1, *hkey2;
+	dst_hmacsha256_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMACSHA256_Key *)key1->opaque;
-	hkey2 = (HMACSHA256_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacsha256;
+	hkey2 = key2->keydata.hmacsha256;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -976,20 +992,20 @@ hmacsha256_isprivate(const dst_key_t *key) {
 
 static void
 hmacsha256_destroy(dst_key_t *key) {
-	HMACSHA256_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMACSHA256_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA256_Key));
-	key->opaque = NULL;
+	dst_hmacsha256_key_t *hkey = key->keydata.hmacsha256;
+	memset(hkey, 0, sizeof(dst_hmacsha256_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha256_key_t));
+	key->keydata.hmacsha256 = NULL;
 }
 
 static isc_result_t
 hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA256_Key *hkey;
+	dst_hmacsha256_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacsha256 != NULL);
 
-	hkey = (HMACSHA256_Key *) key->opaque;
+	hkey = key->keydata.hmacsha256;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -1001,7 +1017,7 @@ hmacsha256_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA256_Key *hkey;
+	dst_hmacsha256_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_sha256_t sha256ctx;
@@ -1010,7 +1026,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMACSHA256_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA256_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha256_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1028,7 +1044,7 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacsha256 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -1036,15 +1052,15 @@ hmacsha256_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacsha256_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMACSHA256_Key *hkey;
+	dst_hmacsha256_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacsha256 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMACSHA256_Key *) key->opaque;
+	hkey = key->keydata.hmacsha256;
 
 	priv.elements[cnt].tag = TAG_HMACSHA256_KEY;
 	priv.elements[cnt].length = bytes;
@@ -1079,7 +1095,7 @@ hmacsha256_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACSHA256_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacsha256_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -1117,6 +1133,7 @@ static dst_func_t hmacsha256_functions = {
 	hmacsha256_tofile,
 	hmacsha256_parse,
 	NULL, /* cleanup */
+	NULL, /* fromlabel */
 };
 
 isc_result_t
@@ -1129,37 +1146,37 @@ dst__hmacsha256_init(dst_func_t **funcp) {
 
 static isc_result_t hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct {
+struct dst_hmacsha384_key {
 	unsigned char key[ISC_SHA384_DIGESTLENGTH];
-} HMACSHA384_Key;
+};
 
 static isc_result_t
 hmacsha384_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacsha384_t *hmacsha384ctx;
-	HMACSHA384_Key *hkey = key->opaque;
+	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
 
 	hmacsha384ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha384_t));
 	if (hmacsha384ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacsha384_init(hmacsha384ctx, hkey->key, ISC_SHA384_DIGESTLENGTH);
-	dctx->opaque = hmacsha384ctx;
+	dctx->ctxdata.hmacsha384ctx = hmacsha384ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacsha384_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
 
 	if (hmacsha384ctx != NULL) {
 		isc_hmacsha384_invalidate(hmacsha384ctx);
 		isc_mem_put(dctx->mctx, hmacsha384ctx, sizeof(isc_hmacsha384_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacsha384ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
 
 	isc_hmacsha384_update(hmacsha384ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -1167,7 +1184,7 @@ hmacsha384_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_SHA384_DIGESTLENGTH)
@@ -1181,7 +1198,7 @@ hmacsha384_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha384_t *hmacsha384ctx = dctx->opaque;
+	isc_hmacsha384_t *hmacsha384ctx = dctx->ctxdata.hmacsha384ctx;
 
 	if (sig->length > ISC_SHA384_DIGESTLENGTH || sig->length == 0)
 		return (DST_R_VERIFYFAILURE);
@@ -1194,10 +1211,10 @@ hmacsha384_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacsha384_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMACSHA384_Key *hkey1, *hkey2;
+	dst_hmacsha384_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMACSHA384_Key *)key1->opaque;
-	hkey2 = (HMACSHA384_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacsha384;
+	hkey2 = key2->keydata.hmacsha384;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -1245,20 +1262,20 @@ hmacsha384_isprivate(const dst_key_t *key) {
 
 static void
 hmacsha384_destroy(dst_key_t *key) {
-	HMACSHA384_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMACSHA384_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA384_Key));
-	key->opaque = NULL;
+	dst_hmacsha384_key_t *hkey = key->keydata.hmacsha384;
+	memset(hkey, 0, sizeof(dst_hmacsha384_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha384_key_t));
+	key->keydata.hmacsha384 = NULL;
 }
 
 static isc_result_t
 hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA384_Key *hkey;
+	dst_hmacsha384_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacsha384 != NULL);
 
-	hkey = (HMACSHA384_Key *) key->opaque;
+	hkey = key->keydata.hmacsha384;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -1270,7 +1287,7 @@ hmacsha384_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA384_Key *hkey;
+	dst_hmacsha384_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_sha384_t sha384ctx;
@@ -1279,7 +1296,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMACSHA384_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA384_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha384_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1297,7 +1314,7 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacsha384 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -1305,15 +1322,15 @@ hmacsha384_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacsha384_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMACSHA384_Key *hkey;
+	dst_hmacsha384_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacsha384 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMACSHA384_Key *) key->opaque;
+	hkey = key->keydata.hmacsha384;
 
 	priv.elements[cnt].tag = TAG_HMACSHA384_KEY;
 	priv.elements[cnt].length = bytes;
@@ -1348,7 +1365,7 @@ hmacsha384_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACSHA384_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacsha384_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -1386,6 +1403,7 @@ static dst_func_t hmacsha384_functions = {
 	hmacsha384_tofile,
 	hmacsha384_parse,
 	NULL, /* cleanup */
+	NULL, /* fromlabel */
 };
 
 isc_result_t
@@ -1398,37 +1416,37 @@ dst__hmacsha384_init(dst_func_t **funcp) {
 
 static isc_result_t hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data);
 
-typedef struct {
+struct dst_hmacsha512_key {
 	unsigned char key[ISC_SHA512_DIGESTLENGTH];
-} HMACSHA512_Key;
+};
 
 static isc_result_t
 hmacsha512_createctx(dst_key_t *key, dst_context_t *dctx) {
 	isc_hmacsha512_t *hmacsha512ctx;
-	HMACSHA512_Key *hkey = key->opaque;
+	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
 
 	hmacsha512ctx = isc_mem_get(dctx->mctx, sizeof(isc_hmacsha512_t));
 	if (hmacsha512ctx == NULL)
 		return (ISC_R_NOMEMORY);
 	isc_hmacsha512_init(hmacsha512ctx, hkey->key, ISC_SHA512_DIGESTLENGTH);
-	dctx->opaque = hmacsha512ctx;
+	dctx->ctxdata.hmacsha512ctx = hmacsha512ctx;
 	return (ISC_R_SUCCESS);
 }
 
 static void
 hmacsha512_destroyctx(dst_context_t *dctx) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
 
 	if (hmacsha512ctx != NULL) {
 		isc_hmacsha512_invalidate(hmacsha512ctx);
 		isc_mem_put(dctx->mctx, hmacsha512ctx, sizeof(isc_hmacsha512_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.hmacsha512ctx = NULL;
 	}
 }
 
 static isc_result_t
 hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
 
 	isc_hmacsha512_update(hmacsha512ctx, data->base, data->length);
 	return (ISC_R_SUCCESS);
@@ -1436,7 +1454,7 @@ hmacsha512_adddata(dst_context_t *dctx, const isc_region_t *data) {
 
 static isc_result_t
 hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
 	unsigned char *digest;
 
 	if (isc_buffer_availablelength(sig) < ISC_SHA512_DIGESTLENGTH)
@@ -1450,7 +1468,7 @@ hmacsha512_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_hmacsha512_t *hmacsha512ctx = dctx->opaque;
+	isc_hmacsha512_t *hmacsha512ctx = dctx->ctxdata.hmacsha512ctx;
 
 	if (sig->length > ISC_SHA512_DIGESTLENGTH || sig->length == 0)
 		return (DST_R_VERIFYFAILURE);
@@ -1463,10 +1481,10 @@ hmacsha512_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 static isc_boolean_t
 hmacsha512_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	HMACSHA512_Key *hkey1, *hkey2;
+	dst_hmacsha512_key_t *hkey1, *hkey2;
 
-	hkey1 = (HMACSHA512_Key *)key1->opaque;
-	hkey2 = (HMACSHA512_Key *)key2->opaque;
+	hkey1 = key1->keydata.hmacsha512;
+	hkey2 = key2->keydata.hmacsha512;
 
 	if (hkey1 == NULL && hkey2 == NULL)
 		return (ISC_TRUE);
@@ -1514,20 +1532,20 @@ hmacsha512_isprivate(const dst_key_t *key) {
 
 static void
 hmacsha512_destroy(dst_key_t *key) {
-	HMACSHA512_Key *hkey = key->opaque;
-	memset(hkey, 0, sizeof(HMACSHA512_Key));
-	isc_mem_put(key->mctx, hkey, sizeof(HMACSHA512_Key));
-	key->opaque = NULL;
+	dst_hmacsha512_key_t *hkey = key->keydata.hmacsha512;
+	memset(hkey, 0, sizeof(dst_hmacsha512_key_t));
+	isc_mem_put(key->mctx, hkey, sizeof(dst_hmacsha512_key_t));
+	key->keydata.hmacsha512 = NULL;
 }
 
 static isc_result_t
 hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA512_Key *hkey;
+	dst_hmacsha512_key_t *hkey;
 	unsigned int bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.hmacsha512 != NULL);
 
-	hkey = (HMACSHA512_Key *) key->opaque;
+	hkey = key->keydata.hmacsha512;
 
 	bytes = (key->key_size + 7) / 8;
 	if (isc_buffer_availablelength(data) < bytes)
@@ -1539,7 +1557,7 @@ hmacsha512_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 static isc_result_t
 hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	HMACSHA512_Key *hkey;
+	dst_hmacsha512_key_t *hkey;
 	int keylen;
 	isc_region_t r;
 	isc_sha512_t sha512ctx;
@@ -1548,7 +1566,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	if (r.length == 0)
 		return (ISC_R_SUCCESS);
 
-	hkey = (HMACSHA512_Key *) isc_mem_get(key->mctx, sizeof(HMACSHA512_Key));
+	hkey = isc_mem_get(key->mctx, sizeof(dst_hmacsha512_key_t));
 	if (hkey == NULL)
 		return (ISC_R_NOMEMORY);
 
@@ -1566,7 +1584,7 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	}
 
 	key->key_size = keylen * 8;
-	key->opaque = hkey;
+	key->keydata.hmacsha512 = hkey;
 
 	return (ISC_R_SUCCESS);
 }
@@ -1574,15 +1592,15 @@ hmacsha512_fromdns(dst_key_t *key, isc_buffer_t *data) {
 static isc_result_t
 hmacsha512_tofile(const dst_key_t *key, const char *directory) {
 	int cnt = 0;
-	HMACSHA512_Key *hkey;
+	dst_hmacsha512_key_t *hkey;
 	dst_private_t priv;
 	int bytes = (key->key_size + 7) / 8;
 	unsigned char buf[2];
 
-	if (key->opaque == NULL)
+	if (key->keydata.hmacsha512 == NULL)
 		return (DST_R_NULLKEY);
 
-	hkey = (HMACSHA512_Key *) key->opaque;
+	hkey = key->keydata.hmacsha512;
 
 	priv.elements[cnt].tag = TAG_HMACSHA512_KEY;
 	priv.elements[cnt].length = bytes;
@@ -1617,7 +1635,7 @@ hmacsha512_parse(dst_key_t *key, isc_lex_t *lexer) {
 		switch (priv.elements[i].tag) {
 		case TAG_HMACSHA512_KEY:
 			isc_buffer_init(&b, priv.elements[i].data,
-				        priv.elements[i].length);
+					priv.elements[i].length);
 			isc_buffer_add(&b, priv.elements[i].length);
 			tresult = hmacsha512_fromdns(key, &b);
 			if (tresult != ISC_R_SUCCESS)
@@ -1655,6 +1673,7 @@ static dst_func_t hmacsha512_functions = {
 	hmacsha512_tofile,
 	hmacsha512_parse,
 	NULL, /* cleanup */
+	NULL, /* fromlabel */
 };
 
 isc_result_t
diff --git a/lib/dns/include/Makefile.in b/lib/dns/include/Makefile.in
index 593ad5a..b52cb98 100644
--- a/lib/dns/include/Makefile.in
+++ b/lib/dns/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.18.1 2004/12/09 04:41:46 marka Exp $
+# $Id: Makefile.in,v 1.15 2007/06/19 23:47:16 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/dns/include/dns/Makefile.in b/lib/dns/include/dns/Makefile.in
index 3f367bc..e9e049e 100644
--- a/lib/dns/include/dns/Makefile.in
+++ b/lib/dns/include/dns/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.50 2004/03/05 05:09:40 marka Exp $
+# $Id: Makefile.in,v 1.55 2008/11/14 23:47:33 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -23,14 +23,14 @@ top_srcdir =	@top_srcdir@
 
 HEADERS =	acl.h adb.h byaddr.h cache.h callbacks.h \
 		cert.h compress.h \
-		db.h dbiterator.h dbtable.h diff.h dispatch.h \
-		dnssec.h ds.h events.h fixedname.h journal.h keyflags.h \
+		db.h dbiterator.h dbtable.h diff.h dispatch.h dlz.h \
+		dnssec.h ds.h events.h fixedname.h iptable.h journal.h keyflags.h \
 		keytable.h keyvalues.h lib.h log.h master.h masterdump.h \
 		message.h name.h ncache.h \
 		nsec.h peer.h portlist.h rbt.h rcode.h \
 		rdata.h rdataclass.h rdatalist.h rdataset.h rdatasetiter.h \
 		rdataslab.h rdatatype.h request.h resolver.h result.h \
-		rootns.h sdb.h secalg.h secproto.h soa.h ssu.h \
+		rootns.h sdb.h sdlz.h secalg.h secproto.h soa.h ssu.h \
 		tcpmsg.h time.h tkey.h \
 		tsig.h ttl.h types.h validator.h version.h view.h xfrin.h \
 		zone.h zonekey.h zt.h
diff --git a/lib/dns/include/dns/acache.h b/lib/dns/include/dns/acache.h
index 50d7fc1..28990c2 100644
--- a/lib/dns/include/dns/acache.h
+++ b/lib/dns/include/dns/acache.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acache.h,v 1.3.2.4 2006/05/03 00:07:49 marka Exp $ */
+/* $Id: acache.h,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_ACACHE_H
 #define DNS_ACACHE_H 1
diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h
index 34e394f..721fe51 100644
--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: acl.h,v 1.22.18.4 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: acl.h,v 1.31.206.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/acl.h
  * \brief
  * Address match list handling.
  */
@@ -40,6 +40,7 @@
 
 #include <dns/name.h>
 #include <dns/types.h>
+#include <dns/iptable.h>
 
 /***
  *** Types
@@ -62,20 +63,21 @@ struct dns_aclipprefix {
 };
 
 struct dns_aclelement {
-	dns_aclelemettype_t type;
-	isc_boolean_t negative;
-	union {
-		dns_aclipprefix_t ip_prefix;
-		dns_name_t 	  keyname;
-		dns_acl_t 	  *nestedacl;
-	} u;
+	dns_aclelemettype_t	type;
+	isc_boolean_t		negative;
+	dns_name_t		keyname;
+	dns_acl_t		*nestedacl;
+	int			node_num;
 };
 
 struct dns_acl {
 	unsigned int		magic;
 	isc_mem_t		*mctx;
 	isc_refcount_t		refcount;
+	dns_iptable_t		*iptable;
+#define node_count		iptable->radix->num_added_node
 	dns_aclelement_t	*elements;
+	isc_boolean_t 		has_negatives;
 	unsigned int 		alloc;		/*%< Elements allocated */
 	unsigned int 		length;		/*%< Elements initialized */
 	char 			*name;		/*%< Temporary use only */
@@ -100,14 +102,9 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
 /*%<
- * Create a new ACL with room for 'n' elements.
- * The elements are uninitialized and the length is 0.
- */
-
-isc_result_t
-dns_acl_appendelement(dns_acl_t *acl, const dns_aclelement_t *elt);
-/*%<
- * Append an element to an existing ACL.
+ * Create a new ACL, including an IP table and an array with room
+ * for 'n' ACL elements.  The elements are uninitialized and the
+ * length is 0.
  */
 
 isc_result_t
@@ -122,6 +119,30 @@ dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
  * Create a new ACL that matches nothing.
  */
 
+isc_boolean_t
+dns_acl_isany(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ any; }"
+ */
+
+isc_boolean_t
+dns_acl_isnone(dns_acl_t *acl);
+/*%<
+ * Test whether ACL is set to "{ none; }"
+ */
+
+isc_result_t
+dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
+/*%<
+ * Merge the contents of one ACL into another.  Call dns_iptable_merge()
+ * for the IP tables, then concatenate the element arrays.
+ *
+ * If pos is set to false, then the nested ACL is to be negated.  This
+ * means reverse the sense of each *positive* element or IP table node,
+ * but leave negatives alone, so as to prevent a double-negative causing
+ * an unexpected positive match in the parent ACL.
+ */
+
 void
 dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
 
@@ -129,17 +150,11 @@ void
 dns_acl_detach(dns_acl_t **aclp);
 
 isc_boolean_t
-dns_aclelement_equal(const dns_aclelement_t *ea, const dns_aclelement_t *eb);
-
-isc_boolean_t
-dns_acl_equal(const dns_acl_t *a, const dns_acl_t *b);
-
-isc_boolean_t
 dns_acl_isinsecure(const dns_acl_t *a);
 /*%<
  * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
  * if it contains IP addresses other than those of the local host.
- * This is intended for applications such as printing warning 
+ * This is intended for applications such as printing warning
  * messages for suspect ACLs; it is not intended for making access
  * control decisions.  We make no guarantee that an ACL for which
  * this function returns #ISC_FALSE is safe.
@@ -147,6 +162,9 @@ dns_acl_isinsecure(const dns_acl_t *a);
 
 isc_result_t
 dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
+/*%<
+ * Initialize ACL environment, setting up localhost and localnets ACLs
+ */
 
 void
 dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
@@ -168,19 +186,17 @@ dns_acl_match(const isc_netaddr_t *reqaddr,
  * Match the address 'reqaddr', and optionally the key name 'reqsigner',
  * against 'acl'.  'reqsigner' may be NULL.
  *
- * If there is a positive match, '*match' will be set to a positive value
- * indicating the distance from the beginning of the list.
- *
- * If there is a negative match, '*match' will be set to a negative value
- * whose absolute value indicates the distance from the beginning of
- * the list.
- *
- * If there is a match (either positive or negative) and 'matchelt' is
- * non-NULL, *matchelt will be attached to the primitive
- * (non-indirect) address match list element that matched.
+ * If there is a match, '*match' will be set to an integer whose absolute
+ * value corresponds to the order in which the matching value was inserted
+ * into the ACL.  For a positive match, this value will be positive; for a
+ * negative match, it will be negative.
  *
  * If there is no match, *match will be set to zero.
  *
+ * If there is a match in the element list (either positive or negative)
+ * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
+ * element.
+ *
  * Returns:
  *\li	#ISC_R_SUCCESS		Always succeeds.
  */
@@ -189,34 +205,18 @@ isc_boolean_t
 dns_aclelement_match(const isc_netaddr_t *reqaddr,
 		     const dns_name_t *reqsigner,
 		     const dns_aclelement_t *e,
-		     const dns_aclenv_t *env,		     
+		     const dns_aclenv_t *env,
 		     const dns_aclelement_t **matchelt);
 /*%<
  * Like dns_acl_match, but matches against the single ACL element 'e'
- * rather than a complete list and returns ISC_TRUE iff it matched.
- * To determine whether the match was prositive or negative, the 
+ * rather than a complete ACL, and returns ISC_TRUE iff it matched.
+ *
+ * To determine whether the match was positive or negative, the
  * caller should examine e->negative.  Since the element 'e' may be
- * a reference to a named ACL or a nested ACL, the matching element
+ * a reference to a named ACL or a nested ACL, a matching element
  * returned through 'matchelt' is not necessarily 'e' itself.
  */
 
-isc_result_t
-dns_acl_elementmatch(const dns_acl_t *acl,
-		     const dns_aclelement_t *elt,
-		     const dns_aclelement_t **matchelt);
-/*%<
- * Search for an ACL element in 'acl' which is exactly the same as 'elt'.
- * If there is one, and 'matchelt' is non NULL, then '*matchelt' will point
- * to the entry.
- *
- * This function is intended to be used for avoiding duplicated ACL entries
- * before adding an entry.
- *
- * Returns:
- *\li	#ISC_R_SUCCESS		Match succeeds.
- *\li	#ISC_R_NOTFOUND		Match fails.
- */
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ACL_H */
diff --git a/lib/dns/include/dns/adb.h b/lib/dns/include/dns/adb.h
index 1e3cd61..d4ac40c 100644
--- a/lib/dns/include/dns/adb.h
+++ b/lib/dns/include/dns/adb.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: adb.h,v 1.76.18.3 2005/06/23 04:23:16 marka Exp $ */
+/* $Id: adb.h,v 1.85 2008/04/03 06:09:04 tbox Exp $ */
 
 #ifndef DNS_ADB_H
 #define DNS_ADB_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/adb.h
  *\brief
  * DNS Address Database
  *
@@ -99,7 +99,7 @@ ISC_LANG_BEGINDECLS
 
 typedef struct dns_adbname		dns_adbname_t;
 
-/*! 
+/*!
  *\brief
  * Represents a lookup for a single name.
  *
@@ -220,7 +220,7 @@ struct dns_adbaddrinfo {
 	ISC_LINK(dns_adbaddrinfo_t)	publink;
 };
 
-/*!< 
+/*!<
  * The event sent to the caller task is just a plain old isc_event_t.  It
  * contains no data other than a simple status, passed in the "type" field
  * to indicate that another address resolved, or all partially resolved
@@ -345,7 +345,7 @@ dns_adb_createfind(dns_adb_t *adb, isc_task_t *task, isc_taskaction_t action,
  *
  * If no events will be generated, the *find->result_v4 and/or result_v6
  * members may be examined for address lookup status.  The usual #ISC_R_SUCCESS,
- * #ISC_R_FAILURE, and #DNS_R_NX{DOMAIN,RRSET} are returned, along with
+ * #ISC_R_FAILURE, #DNS_R_NXDOMAIN, and #DNS_R_NXRRSET are returned, along with
  * #ISC_R_NOTFOUND meaning the ADB has not _yet_ found the values.  In this
  * latter case, retrying may produce more addresses.
  *
@@ -520,7 +520,7 @@ void
 dns_adb_adjustsrtt(dns_adb_t *adb, dns_adbaddrinfo_t *addr,
 		   unsigned int rtt, unsigned int factor);
 /*%<
- * Mix the round trip time into the existing smoothed rtt.  
+ * Mix the round trip time into the existing smoothed rtt.
 
  * The formula used
  * (where srtt is the existing rtt value, and rtt and factor are arguments to
@@ -623,13 +623,12 @@ void
 dns_adb_flushname(dns_adb_t *adb, dns_name_t *name);
 /*%<
  * Flush 'name' from the adb cache.
- * 
+ *
  * Requires:
  *\li	'adb' is valid.
  *\li	'name' is valid.
  */
 
-
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ADB_H */
diff --git a/lib/dns/include/dns/bit.h b/lib/dns/include/dns/bit.h
index 770f294..28c733d 100644
--- a/lib/dns/include/dns/bit.h
+++ b/lib/dns/include/dns/bit.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bit.h,v 1.8.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: bit.h,v 1.14 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_BIT_H
 #define DNS_BIT_H 1
 
-/*! \file */
+/*! \file dns/bit.h */
 
 #include <isc/int.h>
 #include <isc/boolean.h>
diff --git a/lib/dns/include/dns/byaddr.h b/lib/dns/include/dns/byaddr.h
index 1f1e88c..edf8430 100644
--- a/lib/dns/include/dns/byaddr.h
+++ b/lib/dns/include/dns/byaddr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: byaddr.h,v 1.16.18.2 2005/04/29 00:16:09 marka Exp $ */
+/* $Id: byaddr.h,v 1.22 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_BYADDR_H
 #define DNS_BYADDR_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/byaddr.h
  * \brief
  * The byaddr module provides reverse lookup services for IPv4 and IPv6
  * addresses.
@@ -121,8 +121,8 @@ dns_byaddr_cancel(dns_byaddr_t *byaddr);
  *
  * Notes:
  *
- *\li	If 'byaddr' has not completed, post its #BYADDRDONE event with a
- *	result code of #ISC_R_CANCELED.
+ *\li	If 'byaddr' has not completed, post its #DNS_EVENT_BYADDRDONE
+ *	event with a result code of #ISC_R_CANCELED.
  *
  * Requires:
  *
@@ -138,8 +138,8 @@ dns_byaddr_destroy(dns_byaddr_t **byaddrp);
  *
  *\li	'*byaddrp' is a valid byaddr.
  *
- *\li	The caller has received the BYADDRDONE event (either because the
- *	byaddr completed or because dns_byaddr_cancel() was called).
+ *\li	The caller has received the #DNS_EVENT_BYADDRDONE event (either because
+ *	the byaddr completed or because dns_byaddr_cancel() was called).
  *
  * Ensures:
  *
diff --git a/lib/dns/include/dns/cache.h b/lib/dns/include/dns/cache.h
index fc4f78e..7b37235 100644
--- a/lib/dns/include/dns/cache.h
+++ b/lib/dns/include/dns/cache.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cache.h,v 1.19.18.3 2005/08/23 02:31:38 marka Exp $ */
+/* $Id: cache.h,v 1.26 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_CACHE_H
 #define DNS_CACHE_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/cache.h
  * \brief
  * Defines dns_cache_t, the cache object.
  *
diff --git a/lib/dns/include/dns/callbacks.h b/lib/dns/include/dns/callbacks.h
index 6aee70b..8a8385a 100644
--- a/lib/dns/include/dns/callbacks.h
+++ b/lib/dns/include/dns/callbacks.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: callbacks.h,v 1.18.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: callbacks.h,v 1.24 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_CALLBACKS_H
 #define DNS_CALLBACKS_H 1
 
-/*! \file */
+/*! \file dns/callbacks.h */
 
 /***
  ***	Imports
diff --git a/lib/dns/include/dns/cert.h b/lib/dns/include/dns/cert.h
index 4de1aec..1cda848 100644
--- a/lib/dns/include/dns/cert.h
+++ b/lib/dns/include/dns/cert.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert.h,v 1.13.18.2 2005/04/29 00:16:10 marka Exp $ */
+/* $Id: cert.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_CERT_H
 #define DNS_CERT_H 1
 
-/*! \file */
+/*! \file dns/cert.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/compress.h b/lib/dns/include/dns/compress.h
index 4d9c011..4632aff 100644
--- a/lib/dns/include/dns/compress.h
+++ b/lib/dns/include/dns/compress.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: compress.h,v 1.32.18.6 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: compress.h,v 1.40.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_COMPRESS_H
 #define DNS_COMPRESS_H 1
@@ -32,7 +32,7 @@ ISC_LANG_BEGINDECLS
 #define DNS_COMPRESS_ALL		0x01	/*%< all compression. */
 #define DNS_COMPRESS_CASESENSITIVE	0x02	/*%< case sensitive compression. */
 
-/*! \file
+/*! \file dns/compress.h
  *	Direct manipulation of the structures is strongly discouraged.
  */
 
@@ -77,7 +77,7 @@ struct dns_decompress {
 isc_result_t
 dns_compress_init(dns_compress_t *cctx, int edns, isc_mem_t *mctx);
 /*%<
- *	Inialise the compression context structure pointed to by 'cctx'.
+ *	Initialise the compression context structure pointed to by 'cctx'.
  *
  *	Requires:
  *	\li	'cctx' is a valid dns_compress_t structure.
@@ -136,7 +136,7 @@ dns_compress_setsensitive(dns_compress_t *cctx, isc_boolean_t sensitive);
 isc_boolean_t
 dns_compress_getsensitive(dns_compress_t *cctx);
 /*
- *	Return whether case is to be preservered when compressing
+ *	Return whether case is to be preserved when compressing
  *	domain names.
  *
  *	Requires:
diff --git a/lib/dns/include/dns/db.h b/lib/dns/include/dns/db.h
index b03ae57..3b78208 100644
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: db.h,v 1.76.18.10 2007/08/28 07:20:05 tbox Exp $ */
+/* $Id: db.h,v 1.93.50.3 2009/01/18 23:25:17 marka Exp $ */
 
 #ifndef DNS_DB_H
 #define DNS_DB_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/db.h
  * \brief
  * The DNS DB interface allows named rdatasets to be stored and retrieved.
  *
@@ -111,8 +111,7 @@ typedef struct dns_dbmethods {
 				      isc_stdtime_t now);
 	void		(*printnode)(dns_db_t *db, dns_dbnode_t *node,
 				     FILE *out);
-	isc_result_t 	(*createiterator)(dns_db_t *db,
-					  isc_boolean_t relative_names,
+	isc_result_t 	(*createiterator)(dns_db_t *db, unsigned int options,
 					  dns_dbiterator_t **iteratorp);
 	isc_result_t	(*findrdataset)(dns_db_t *db, dns_dbnode_t *node,
 					dns_dbversion_t *version,
@@ -146,6 +145,28 @@ typedef struct dns_dbmethods {
 	void		(*overmem)(dns_db_t *db, isc_boolean_t overmem);
 	void		(*settask)(dns_db_t *db, isc_task_t *);
 	isc_result_t	(*getoriginnode)(dns_db_t *db, dns_dbnode_t **nodep);
+	void		(*transfernode)(dns_db_t *db, dns_dbnode_t **sourcep,
+					dns_dbnode_t **targetp);
+	isc_result_t    (*getnsec3parameters)(dns_db_t *db,
+					      dns_dbversion_t *version,
+					      dns_hash_t *hash,
+					      isc_uint8_t *flags,
+					      isc_uint16_t *iterations,
+					      unsigned char *salt,
+					      size_t *salt_len);
+	isc_result_t    (*findnsec3node)(dns_db_t *db, dns_name_t *name,
+					 isc_boolean_t create,
+					 dns_dbnode_t **nodep);
+	isc_result_t	(*setsigningtime)(dns_db_t *db,
+					  dns_rdataset_t *rdataset,
+					  isc_stdtime_t resign);
+	isc_result_t	(*getsigningtime)(dns_db_t *db,
+					  dns_rdataset_t *rdataset,
+					  dns_name_t *name);
+	void		(*resigned)(dns_db_t *db, dns_rdataset_t *rdataset,
+					   dns_dbversion_t *version);
+	isc_boolean_t	(*isdnssec)(dns_db_t *db);
+	dns_stats_t	*(*getrrsetstats)(dns_db_t *db);
 } dns_dbmethods_t;
 
 typedef isc_result_t
@@ -153,7 +174,7 @@ typedef isc_result_t
 		      dns_dbtype_t type, dns_rdataclass_t rdclass,
 		      unsigned int argc, char *argv[], void *driverarg,
 		      dns_db_t **dbp);
-					
+
 #define DNS_DB_MAGIC		ISC_MAGIC('D','N','S','D')
 #define DNS_DB_VALID(db)	ISC_MAGIC_VALID(db, DNS_DB_MAGIC)
 
@@ -191,6 +212,7 @@ struct dns_db {
 #define DNS_DBFIND_NOEXACT		0x10
 #define DNS_DBFIND_FORCENSEC		0x20
 #define DNS_DBFIND_COVERINGNSEC		0x40
+#define DNS_DBFIND_FORCENSEC3		0x80
 /*@}*/
 
 /*@{*/
@@ -208,6 +230,15 @@ struct dns_db {
  */
 #define DNS_DBSUB_EXACT			0x01
 
+/*@{*/
+/*%
+ * Iterator options
+ */
+#define DNS_DB_RELATIVENAMES	0x1
+#define DNS_DB_NSEC3ONLY	0x2
+#define DNS_DB_NONSEC3		0x4
+/*@}*/
+
 /*****
  ***** Methods
  *****/
@@ -355,6 +386,20 @@ dns_db_issecure(dns_db_t *db);
  * \li	#ISC_FALSE	'db' is not secure.
  */
 
+isc_boolean_t
+dns_db_isdnssec(dns_db_t *db);
+/*%<
+ * Is 'db' secure or partially secure?
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database with zone semantics.
+ *
+ * Returns:
+ * \li	#ISC_TRUE	'db' is secure or is partially.
+ * \li	#ISC_FALSE	'db' is not secure.
+ */
+
 dns_name_t *
 dns_db_origin(dns_db_t *db);
 /*%<
@@ -626,7 +671,7 @@ dns_db_findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
  *
  * \li	#ISC_R_SUCCESS
  * \li	#ISC_R_NOTFOUND			If !create and name not found.
- * \li	#ISC_R_NOMEMORY		        Can only happen if create is ISC_TRUE.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is ISC_TRUE.
  *
  * \li	Other results are possible, depending upon the database
  *	implementation used.
@@ -785,8 +830,8 @@ dns_db_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
  *						name, and 'rdataset' contains
  *						the negative caching proof.
  *
- *	\li	#DNS_R_EMPTYNAME			The name exists but there is
- *						no data at the name. 
+ *	\li	#DNS_R_EMPTYNAME		The name exists but there is
+ *						no data at the name.
  *
  *	\li	#DNS_R_COVERINGNSEC		The returned data is a NSEC
  *						that potentially covers 'name'.
@@ -883,6 +928,27 @@ dns_db_detachnode(dns_db_t *db, dns_dbnode_t **nodep);
  * \li	*nodep is NULL.
  */
 
+void
+dns_db_transfernode(dns_db_t *db, dns_dbnode_t **sourcep,
+		    dns_dbnode_t **targetp);
+/*%<
+ * Transfer a node between pointer.
+ *
+ * This is equivalent to calling dns_db_attachnode() then dns_db_detachnode().
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'*sourcep' is a valid node.
+ *
+ * \li	'targetp' points to a NULL dns_dbnode_t *.
+ *
+ * Ensures:
+ *
+ * \li	'*sourcep' is NULL.
+ */
+
 isc_result_t
 dns_db_expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now);
 /*%<
@@ -917,16 +983,17 @@ dns_db_printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out);
  ***/
 
 isc_result_t
-dns_db_createiterator(dns_db_t *db, isc_boolean_t relative_names,
+dns_db_createiterator(dns_db_t *db, unsigned int options,
 		      dns_dbiterator_t **iteratorp);
 /*%<
  * Create an iterator for version 'version' of 'db'.
  *
  * Notes:
  *
- * \li	If 'relative_names' is ISC_TRUE, then node names returned by the
- *	iterator will be relative to the iterator's current origin.  If
- *	#ISC_FALSE, then the node names will be absolute.
+ * \li	One or more of the following options can be set.
+ *	#DNS_DB_RELATIVENAMES
+ *	#DNS_DB_NSEC3ONLY
+ *	#DNS_DB_NONSEC3
  *
  * Requires:
  *
@@ -1005,7 +1072,7 @@ isc_result_t
 dns_db_allrdatasets(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		    isc_stdtime_t now, dns_rdatasetiter_t **iteratorp);
 /*%<
- * Make '*iteratorp' an rdataset iteratator for all rdatasets at 'node' in
+ * Make '*iteratorp' an rdataset iterator for all rdatasets at 'node' in
  * version 'version' of 'db'.
  *
  * Notes:
@@ -1192,7 +1259,7 @@ dns_db_getsoaserial(dns_db_t *db, dns_dbversion_t *ver, isc_uint32_t *serialp);
 void
 dns_db_overmem(dns_db_t *db, isc_boolean_t overmem);
 /*%<
- * Enable / disable agressive cache cleaning.
+ * Enable / disable aggressive cache cleaning.
  */
 
 unsigned int
@@ -1262,7 +1329,7 @@ dns_db_register(const char *name, dns_dbcreatefunc_t create, void *driverarg,
 void
 dns_db_unregister(dns_dbimplementation_t **dbimp);
 /*%<
- * Remove a database implementation from the the list of supported
+ * Remove a database implementation from the list of supported
  * implementations.  No databases of this type can be active when this
  * is called.
  *
@@ -1294,6 +1361,117 @@ dns_db_getoriginnode(dns_db_t *db, dns_dbnode_t **nodep);
  * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature.
  */
 
+isc_result_t
+dns_db_getnsec3parameters(dns_db_t *db, dns_dbversion_t *version,
+			  dns_hash_t *hash, isc_uint8_t *flags,
+			  isc_uint16_t *interations,
+			  unsigned char *salt, size_t *salt_length);
+/*%<
+ * Get the NSEC3 parameters that are associated with this zone.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - the DB implementation does not support this feature
+ *			  or this zone does not have NSEC3 records.
+ */
+
+isc_result_t
+dns_db_findnsec3node(dns_db_t *db, dns_name_t *name,
+		     isc_boolean_t create, dns_dbnode_t **nodep);
+/*%<
+ * Find the NSEC3 node with name 'name'.
+ *
+ * Notes:
+ * \li	If 'create' is ISC_TRUE and no node with name 'name' exists, then
+ *	such a node will be created.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database.
+ *
+ * \li	'name' is a valid, non-empty, absolute name.
+ *
+ * \li	nodep != NULL && *nodep == NULL
+ *
+ * Ensures:
+ *
+ * \li	On success, *nodep is attached to the node with name 'name'.
+ *
+ * Returns:
+ *
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND			If !create and name not found.
+ * \li	#ISC_R_NOMEMORY			Can only happen if create is ISC_TRUE.
+ *
+ * \li	Other results are possible, depending upon the database
+ *	implementation used.
+ */
+
+isc_result_t
+dns_db_setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+		      isc_stdtime_t resign);
+/*%<
+ * Sets the re-signing time associated with 'rdataset' to 'resign'.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be associated with 'db'.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOMEMORY
+ * \li	#ISC_R_NOTIMPLEMENTED - Not supported by this DB implementation.
+ */
+
+isc_result_t
+dns_db_getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Return the rdataset with the earliest signing time in the zone.
+ * Note: the rdataset is version agnostic.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be initialized but not associated.
+ * \li	'name' to be NULL or have a buffer associated with it.
+ *
+ * Returns:
+ * \li	#ISC_R_SUCCESS
+ * \li	#ISC_R_NOTFOUND - No dataset exists.
+ */
+
+void
+dns_db_resigned(dns_db_t *db, dns_rdataset_t *rdataset,
+		dns_dbversion_t *version);
+/*%<
+ * Mark 'rdataset' as not being available to be returned by
+ * dns_db_getsigningtime().  If the changes associated with 'version'
+ * are committed this will be permanent.  If the version is not committed
+ * this change will be rolled back when the version is closed.
+ *
+ * Requires:
+ * \li	'db' is a valid zone database.
+ * \li	'rdataset' to be associated with 'db'.
+ * \li	'version' to be open for writing.
+ */
+
+dns_stats_t *
+dns_db_getrrsetstats(dns_db_t *db);
+/*%<
+ * Get statistics information counting RRsets stored in the DB, when available.
+ * The statistics may not be available depending on the DB implementation.
+ *
+ * Requires:
+ *
+ * \li	'db' is a valid database (zone or cache).
+ *
+ * Returns:
+ * \li	when available, a pointer to a statistics object created by
+ *	dns_rdatasetstats_create(); otherwise NULL.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_DB_H */
diff --git a/lib/dns/include/dns/dbiterator.h b/lib/dns/include/dns/dbiterator.h
index 47ce082..366d676 100644
--- a/lib/dns/include/dns/dbiterator.h
+++ b/lib/dns/include/dns/dbiterator.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbiterator.h,v 1.19.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbiterator.h,v 1.25 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_DBITERATOR_H
 #define DNS_DBITERATOR_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/dbiterator.h
  * \brief
  * The DNS DB Iterator interface allows iteration of all of the nodes in a
  * database.
diff --git a/lib/dns/include/dns/dbtable.h b/lib/dns/include/dns/dbtable.h
index 18d3e50..503de95 100644
--- a/lib/dns/include/dns/dbtable.h
+++ b/lib/dns/include/dns/dbtable.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dbtable.h,v 1.17.18.2 2005/04/29 00:16:11 marka Exp $ */
+/* $Id: dbtable.h,v 1.23 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_DBTABLE_H
 #define DNS_DBTABLE_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/dbtable.h
  * \brief
  * DNS DB Tables
  *
diff --git a/lib/dns/include/dns/diff.h b/lib/dns/include/dns/diff.h
index cd96a0b..a13b678 100644
--- a/lib/dns/include/dns/diff.h
+++ b/lib/dns/include/dns/diff.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: diff.h,v 1.6.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: diff.h,v 1.15.120.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_DIFF_H
 #define DNS_DIFF_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/diff.h
  * \brief
  * A diff is a convenience type representing a list of changes to be
  * made to a database.
@@ -59,12 +59,18 @@
  * individual RRs of a "RRset exists (value dependent)"
  * prerequisite set.  In this case, op==DNS_DIFFOP_EXISTS,
  * and the TTL is ignored.
+ *
+ * DNS_DIFFOP_*RESIGN will cause the 'resign' attribute of the resulting
+ * RRset to be recomputed to be 'resign' seconds before the earliest RRSIG
+ * timeexpire.
  */
 
 typedef enum {
-	DNS_DIFFOP_ADD,	        /*%< Add an RR. */
-	DNS_DIFFOP_DEL,		/*%< Delete an RR. */
-	DNS_DIFFOP_EXISTS	/*%< Assert RR existence. */
+	DNS_DIFFOP_ADD = 0,		/*%< Add an RR. */
+	DNS_DIFFOP_DEL = 1,		/*%< Delete an RR. */
+	DNS_DIFFOP_EXISTS = 2,		/*%< Assert RR existence. */
+	DNS_DIFFOP_ADDRESIGN = 4,	/*%< ADD + RESIGN. */
+	DNS_DIFFOP_DELRESIGN = 5,	/*%< DEL + RESIGN. */
 } dns_diffop_t;
 
 typedef struct dns_difftuple dns_difftuple_t;
@@ -73,7 +79,7 @@ typedef struct dns_difftuple dns_difftuple_t;
 #define DNS_DIFFTUPLE_VALID(t)	ISC_MAGIC_VALID(t, DNS_DIFFTUPLE_MAGIC)
 
 struct dns_difftuple {
-        unsigned int			magic;
+	unsigned int			magic;
 	isc_mem_t			*mctx;
 	dns_diffop_t			op;
 	dns_name_t			name;
@@ -96,10 +102,15 @@ typedef struct dns_diff dns_diff_t;
 struct dns_diff {
 	unsigned int			magic;
 	isc_mem_t *			mctx;
+	/*
+	 * Set the 'resign' attribute to this many second before the
+	 * earliest RRSIG timeexpire.
+	 */
+	isc_uint32_t			resign;
 	ISC_LIST(dns_difftuple_t)	tuples;
 };
 
-/* Type of comparision function for sorting diffs. */
+/* Type of comparison function for sorting diffs. */
 typedef int dns_diff_compare_func(const void *, const void *);
 
 /***
@@ -110,7 +121,7 @@ ISC_LANG_BEGINDECLS
 
 /**************************************************************************/
 /*
- * Maniuplation of diffs and tuples.
+ * Manipulation of diffs and tuples.
  */
 
 isc_result_t
diff --git a/lib/dns/include/dns/dispatch.h b/lib/dns/include/dns/dispatch.h
index 8c14320..96a44fe 100644
--- a/lib/dns/include/dns/dispatch.h
+++ b/lib/dns/include/dns/dispatch.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dispatch.h,v 1.48.18.9 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: dispatch.h,v 1.60.82.2 2009/01/29 23:47:44 tbox Exp $ */
 
 #ifndef DNS_DISPATCH_H
 #define DNS_DISPATCH_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/dispatch.h
  * \brief
  * DNS Dispatch Management
  * 	Shared UDP and single-use TCP dispatches for queries and responses.
@@ -55,7 +55,7 @@
 #include <isc/buffer.h>
 #include <isc/lang.h>
 #include <isc/socket.h>
-#include <dns/types.h>
+#include <isc/types.h>
 
 #include <dns/types.h>
 
@@ -222,6 +222,21 @@ dns_dispatchmgr_setavailports(dns_dispatchmgr_t *mgr, isc_portset_t *v4portset,
  *\li	v6portset is NULL or a valid port set
  */
 
+void
+dns_dispatchmgr_setstats(dns_dispatchmgr_t *mgr, isc_stats_t *stats);
+/*%<
+ * Sets statistics counter for the dispatchmgr.  This function is expected to
+ * be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
+ * Requires:
+ *\li	mgr is a valid dispatchmgr with no managed dispatch.
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
 isc_result_t
 dns_dispatch_getudp(dns_dispatchmgr_t *mgr, isc_socketmgr_t *sockmgr,
 		    isc_taskmgr_t *taskmgr, isc_sockaddr_t *localaddr,
diff --git a/lib/dns/include/dns/dlz.h b/lib/dns/include/dns/dlz.h
index 4c61c91..75ba99f 100644
--- a/lib/dns/include/dns/dlz.h
+++ b/lib/dns/include/dns/dlz.h
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -50,9 +50,9 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlz.h,v 1.2.2.2 2005/09/06 03:47:18 marka Exp $ */
+/* $Id: dlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
-/*! \file */
+/*! \file dns/dlz.h */
 
 #ifndef DLZ_H
 #define DLZ_H 1
@@ -133,7 +133,7 @@ typedef void
 /*%<
  * Method prototype.  Drivers implementing the DLZ interface MUST
  * supply a destroy method.  This method is called when the DNS server
- * is shuting down and no longer needs the driver.
+ * is shutting down and no longer needs the driver.
  */
 
 typedef isc_result_t
@@ -157,7 +157,7 @@ typedef isc_result_t
  * \li	3) we run out of domain name labels. I.E. we have tried the
  *	   shortest domain name
  * \li	4) the number of labels in the domain name is less than
- *	   min_lables for dns_dlzfindzone
+ *	   min_labels for dns_dlzfindzone
  *
  * The driver's find zone method should return ISC_R_SUCCESS and a
  * database pointer to the name server if the zone is supported by the
@@ -202,7 +202,7 @@ dns_dlzallowzonexfr(dns_view_t *view, dns_name_t *name,
 
 /*%<
  * This method is called when the DNS server is performing a zone
- * transfer query.  It will call the DLZ driver's allow zone tranfer
+ * transfer query.  It will call the DLZ driver's allow zone transfer
  * method.
  */
 
@@ -223,7 +223,7 @@ void
 dns_dlzdestroy(dns_dlzdb_t **dbp);
 
 /*%<
- * This method is called when the DNS server is shuting down and no
+ * This method is called when the DNS server is shutting down and no
  * longer needs the driver.  If the DLZ driver supplies a destroy
  * methods, this function will call it.
  */
diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 2804e03..f8a59d0 100644
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec.h,v 1.26.18.2 2005/04/29 00:16:12 marka Exp $ */
+/* $Id: dnssec.h,v 1.32 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_DNSSEC_H
 #define DNS_DNSSEC_H 1
 
-/*! \file */
+/*! \file dns/dnssec.h */
 
 #include <isc/lang.h>
 #include <isc/stdtime.h>
diff --git a/lib/dns/include/dns/ds.h b/lib/dns/include/dns/ds.h
index 5e4cc40..b59fb83 100644
--- a/lib/dns/include/dns/ds.h
+++ b/lib/dns/include/dns/ds.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds.h,v 1.3.20.5 2006/02/22 23:50:09 marka Exp $ */
+/* $Id: ds.h,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_DS_H
 #define DNS_DS_H 1
diff --git a/lib/dns/include/dns/events.h b/lib/dns/include/dns/events.h
index d1ebef3..bb61b9d 100644
--- a/lib/dns/include/dns/events.h
+++ b/lib/dns/include/dns/events.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,14 +15,14 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.42.18.3 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: events.h,v 1.49.332.2 2009/05/07 23:47:12 tbox Exp $ */
 
 #ifndef DNS_EVENTS_H
 #define DNS_EVENTS_H 1
 
 #include <isc/eventclass.h>
 
-/*! \file 
+/*! \file dns/events.h
  * \brief
  * Registry of DNS event numbers.
  */
@@ -68,6 +68,7 @@
 #define DNS_EVENT_ACACHECONTROL			(ISC_EVENTCLASS_DNS + 38)
 #define DNS_EVENT_ACACHECLEAN			(ISC_EVENTCLASS_DNS + 39)
 #define DNS_EVENT_ACACHEOVERMEM			(ISC_EVENTCLASS_DNS + 40)
+#define DNS_EVENT_RBTPRUNE			(ISC_EVENTCLASS_DNS + 41)
 
 #define DNS_EVENT_FIRSTEVENT			(ISC_EVENTCLASS_DNS + 0)
 #define DNS_EVENT_LASTEVENT			(ISC_EVENTCLASS_DNS + 65535)
diff --git a/lib/dns/include/dns/fixedname.h b/lib/dns/include/dns/fixedname.h
index 8380de6..5a2aaf3 100644
--- a/lib/dns/include/dns/fixedname.h
+++ b/lib/dns/include/dns/fixedname.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fixedname.h,v 1.13.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: fixedname.h,v 1.19 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_FIXEDNAME_H
 #define DNS_FIXEDNAME_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/fixedname.h
  * \brief
  * Fixed-size Names
  *
diff --git a/lib/dns/include/dns/forward.h b/lib/dns/include/dns/forward.h
index ddf6d7f..512c5e3 100644
--- a/lib/dns/include/dns/forward.h
+++ b/lib/dns/include/dns/forward.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: forward.h,v 1.3.18.3 2005/04/27 05:01:33 sra Exp $ */
+/* $Id: forward.h,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_FORWARD_H
 #define DNS_FORWARD_H 1
 
-/*! \file */
+/*! \file dns/forward.h */
 
 #include <isc/lang.h>
 #include <isc/result.h>
diff --git a/lib/dns/include/dns/iptable.h b/lib/dns/include/dns/iptable.h
new file mode 100644
index 0000000..d7eb140
--- /dev/null
+++ b/lib/dns/include/dns/iptable.h
@@ -0,0 +1,70 @@
+/*
+ * Copyright (C) 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iptable.h,v 1.4 2007/09/14 01:46:05 marka Exp $ */
+
+#ifndef DNS_IPTABLE_H
+#define DNS_IPTABLE_H 1
+
+#include <isc/lang.h>
+#include <isc/magic.h>
+#include <isc/radix.h>
+
+struct dns_iptable {
+	unsigned int		magic;
+	isc_mem_t		*mctx;
+	isc_refcount_t		refcount;
+	isc_radix_tree_t	*radix;
+	ISC_LINK(dns_iptable_t)	nextincache;
+};
+
+#define DNS_IPTABLE_MAGIC	ISC_MAGIC('T','a','b','l')
+#define DNS_IPTABLE_VALID(a)	ISC_MAGIC_VALID(a, DNS_IPTABLE_MAGIC)
+
+/***
+ *** Functions
+ ***/
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target);
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
+		      isc_uint16_t bitlen, isc_boolean_t pos);
+/*
+ * Add an IP prefix to an existing IP table
+ */
+
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos);
+/*
+ * Merge one IP table into another one.
+ */
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target);
+
+void
+dns_iptable_detach(dns_iptable_t **tabp);
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_IPTABLE_H */
diff --git a/lib/dns/include/dns/journal.h b/lib/dns/include/dns/journal.h
index b776a30..3917d8d 100644
--- a/lib/dns/include/dns/journal.h
+++ b/lib/dns/include/dns/journal.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.h,v 1.25.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: journal.h,v 1.33.120.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_JOURNAL_H
 #define DNS_JOURNAL_H 1
@@ -24,9 +24,9 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/journal.h
  * \brief
- * Database journalling.
+ * Database journaling.
  */
 
 /***
@@ -42,6 +42,11 @@
 #include <dns/types.h>
 
 /***
+ *** Defines.
+ ***/
+#define DNS_JOURNALOPT_RESIGN	0x00000001
+
+/***
  *** Types
  ***/
 
@@ -188,7 +193,7 @@ dns_journal_iter_init(dns_journal_t *j,
  * Returns:
  *\li	ISC_R_SUCCESS
  *\li	ISC_R_RANGE	begin_serial is outside the addressable range.
- *\li	ISC_R_NOTFOUND	begin_serial is within the range of adressable
+ *\li	ISC_R_NOTFOUND	begin_serial is within the range of addressable
  *			serial numbers covered by the journal, but
  *			this particular serial number does not exist.
  */
@@ -225,17 +230,18 @@ dns_journal_current_rr(dns_journal_t *j, dns_name_t **name, isc_uint32_t *ttl,
  */
 
 isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename);
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, unsigned int options,
+			const char *filename);
 /*%<
  * Roll forward (play back) the journal file "filename" into the
  * database "db".  This should be called when the server starts
  * after a shutdown or crash.
  *
  * Requires:
- *\li      'mctx' is a valid memory context.
+ *\li   'mctx' is a valid memory context.
  *\li	'db' is a valid database which does not have a version
  *           open for writing.
- *  \li    'filename' is the name of the journal file belonging to 'db'.
+ *\li   'filename' is the name of the journal file belonging to 'db'.
  *
  * Returns:
  *\li	DNS_R_NOJOURNAL when journal does not exist.
@@ -264,7 +270,7 @@ dns_db_diff(isc_mem_t *mctx,
 
 isc_result_t
 dns_journal_compact(isc_mem_t *mctx, char *filename, isc_uint32_t serial,
-                    isc_uint32_t target_size);
+		    isc_uint32_t target_size);
 /*%<
  * Attempt to compact the journal if it is greater that 'target_size'.
  * Changes from 'serial' onwards will be preserved.  If the journal
diff --git a/lib/dns/include/dns/keyflags.h b/lib/dns/include/dns/keyflags.h
index 665b517..74a1740 100644
--- a/lib/dns/include/dns/keyflags.h
+++ b/lib/dns/include/dns/keyflags.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyflags.h,v 1.10.18.2 2005/04/29 00:16:13 marka Exp $ */
+/* $Id: keyflags.h,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_KEYFLAGS_H
 #define DNS_KEYFLAGS_H 1
 
-/*! \file */
+/*! \file dns/keyflags.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/keytable.h b/lib/dns/include/dns/keytable.h
index b8bfcc1..553aa99 100644
--- a/lib/dns/include/dns/keytable.h
+++ b/lib/dns/include/dns/keytable.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.h,v 1.11.18.3 2005/12/05 00:00:03 marka Exp $ */
+/* $Id: keytable.h,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_KEYTABLE_H
 #define DNS_KEYTABLE_H 1
diff --git a/lib/dns/include/dns/keyvalues.h b/lib/dns/include/dns/keyvalues.h
index df17ace..7040389 100644
--- a/lib/dns/include/dns/keyvalues.h
+++ b/lib/dns/include/dns/keyvalues.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyvalues.h,v 1.15.18.2 2005/04/29 00:16:14 marka Exp $ */
+/* $Id: keyvalues.h,v 1.23 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_KEYVALUES_H
 #define DNS_KEYVALUES_H 1
 
-/*! \file */
+/*! \file dns/keyvalues.h */
 
 /*
  * Flags field of the KEY RR rdata
@@ -64,9 +64,11 @@
 #define DNS_KEYALG_RSA		DNS_KEYALG_RSAMD5
 #define DNS_KEYALG_DH		2       /*%< Diffie Hellman KEY */
 #define DNS_KEYALG_DSA		3       /*%< DSA KEY */
-#define DNS_KEYALG_DSS		NS_ALG_DSA
+#define DNS_KEYALG_NSEC3DSA	6
+#define DNS_KEYALG_DSS		DNS_ALG_DSA
 #define DNS_KEYALG_ECC		4
 #define DNS_KEYALG_RSASHA1	5
+#define DNS_KEYALG_NSEC3RSASHA1	7
 #define DNS_KEYALG_INDIRECT	252
 #define DNS_KEYALG_PRIVATEDNS	253
 #define DNS_KEYALG_PRIVATEOID	254     /*%< Key begins with OID giving alg */
diff --git a/lib/dns/include/dns/lib.h b/lib/dns/include/dns/lib.h
index d59dde3..fd3325b 100644
--- a/lib/dns/include/dns/lib.h
+++ b/lib/dns/include/dns/lib.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.8.18.4 2005/09/20 04:33:48 marka Exp $ */
+/* $Id: lib.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_LIB_H
 #define DNS_LIB_H 1
 
-/*! \file */
+/*! \file dns/lib.h */
 
 #include <isc/types.h>
 #include <isc/lang.h>
diff --git a/lib/dns/include/dns/log.h b/lib/dns/include/dns/log.h
index 7bee174..b7aed42 100644
--- a/lib/dns/include/dns/log.h
+++ b/lib/dns/include/dns/log.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.33.18.4 2005/09/05 00:18:27 marka Exp $ */
+/* $Id: log.h,v 1.42.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
-/*! \file
+/*! \file dns/log.h
  * \author  Principal Authors: DCL */
 
 #ifndef DNS_LOG_H
@@ -41,6 +41,7 @@ LIBDNS_EXTERNAL_DATA extern isc_logmodule_t dns_modules[];
 #define DNS_LOGCATEGORY_DISPATCH	(&dns_categories[8])
 #define DNS_LOGCATEGORY_LAME_SERVERS	(&dns_categories[9])
 #define DNS_LOGCATEGORY_DELEGATION_ONLY	(&dns_categories[10])
+#define DNS_LOGCATEGORY_EDNS_DISABLED	(&dns_categories[11])
 
 /* Backwards compatibility. */
 #define DNS_LOGCATEGORY_GENERAL		ISC_LOGCATEGORY_GENERAL
@@ -87,7 +88,7 @@ dns_log_init(isc_log_t *lctx);
  *\li	dns_log_init() is called only once.
  *
  * Ensures:
- * \li	The catgories and modules defined above are available for
+ * \li	The categories and modules defined above are available for
  * 	use by isc_log_usechannnel() and isc_log_write().
  */
 
diff --git a/lib/dns/include/dns/lookup.h b/lib/dns/include/dns/lookup.h
index aea6f84..0e9a327 100644
--- a/lib/dns/include/dns/lookup.h
+++ b/lib/dns/include/dns/lookup.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.h,v 1.6.18.2 2005/04/29 00:16:15 marka Exp $ */
+/* $Id: lookup.h,v 1.12.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_LOOKUP_H
 #define DNS_LOOKUP_H 1
@@ -24,11 +24,11 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/lookup.h
  * \brief
  * The lookup module performs simple DNS lookups.  It implements
- * the full resolver algorithm, both looking for local data and 
- * resoving external names as necessary.
+ * the full resolver algorithm, both looking for local data and
+ * resolving external names as necessary.
  *
  * MP:
  *\li	The module ensures appropriate synchronization of data structures it
diff --git a/lib/dns/include/dns/master.h b/lib/dns/include/dns/master.h
index 1f94c8c..93a782d 100644
--- a/lib/dns/include/dns/master.h
+++ b/lib/dns/include/dns/master.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.h,v 1.38.18.6 2005/06/20 01:19:43 marka Exp $ */
+/* $Id: master.h,v 1.51 2008/04/02 02:37:42 marka Exp $ */
 
 #ifndef DNS_MASTER_H
 #define DNS_MASTER_H 1
 
-/*! \file */
+/*! \file dns/master.h */
 
 /***
  ***	Imports
@@ -42,7 +42,7 @@
 #define DNS_MASTER_HINT 	0x00000010	/*%< Loading a hint master file. */
 #define DNS_MASTER_SLAVE 	0x00000020	/*%< Loading a slave master file. */
 #define DNS_MASTER_CHECKNS 	0x00000040	/*%<
-						 * Check NS records to see 
+						 * Check NS records to see
 						 * if they are an address
 						 */
 #define DNS_MASTER_FATALNS 	0x00000080	/*%<
@@ -55,6 +55,8 @@
 #define DNS_MASTER_CHECKMX	0x00000800
 #define DNS_MASTER_CHECKMXFAIL	0x00001000
 
+#define DNS_MASTER_RESIGN	0x00002000
+
 ISC_LANG_BEGINDECLS
 
 /*
@@ -113,6 +115,17 @@ dns_master_loadfile2(const char *master_file,
 		     dns_masterformat_t format);
 
 isc_result_t
+dns_master_loadfile3(const char *master_file,
+		     dns_name_t *top,
+		     dns_name_t *origin,
+		     dns_rdataclass_t zclass,
+		     unsigned int options,
+		     isc_uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks,
+		     isc_mem_t *mctx,
+		     dns_masterformat_t format);
+
+isc_result_t
 dns_master_loadstream(FILE *stream,
 		      dns_name_t *top,
 		      dns_name_t *origin,
@@ -163,6 +176,19 @@ dns_master_loadfileinc2(const char *master_file,
 			dns_masterformat_t format);
 
 isc_result_t
+dns_master_loadfileinc3(const char *master_file,
+			dns_name_t *top,
+			dns_name_t *origin,
+			dns_rdataclass_t zclass,
+			unsigned int options,
+			isc_uint32_t resign,
+			dns_rdatacallbacks_t *callbacks,
+			isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **ctxp, isc_mem_t *mctx,
+			dns_masterformat_t format);
+
+isc_result_t
 dns_master_loadstreaminc(FILE *stream,
 			 dns_name_t *top,
 			 dns_name_t *origin,
@@ -212,6 +238,9 @@ dns_master_loadlexerinc(isc_lex_t *lex,
  * is completed or has failed.  If the initial setup fails 'done' is
  * not called.
  *
+ * 'resign' the number of seconds before a RRSIG expires that it should
+ * be re-signed.  0 is used if not provided.
+ *
  * Requires:
  *\li	'master_file' points to a valid string.
  *\li	'lexer' points to a valid lexer.
diff --git a/lib/dns/include/dns/masterdump.h b/lib/dns/include/dns/masterdump.h
index 8cf5c13..42521b3 100644
--- a/lib/dns/include/dns/masterdump.h
+++ b/lib/dns/include/dns/masterdump.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.h,v 1.31.14.4 2005/09/01 03:04:28 marka Exp $ */
+/* $Id: masterdump.h,v 1.42 2008/09/24 02:46:23 marka Exp $ */
 
 #ifndef DNS_MASTERDUMP_H
 #define DNS_MASTERDUMP_H 1
 
-/*! \file */
+/*! \file dns/masterdump.h */
 
 /***
  ***	Imports
@@ -91,11 +91,14 @@ typedef struct dns_master_style dns_master_style_t;
 /*% Print negative caching entries. */
 #define	DNS_STYLEFLAG_NCACHE		0x00800000U
 
-/*% Never print the TTL */
+/*% Never print the TTL. */
 #define	DNS_STYLEFLAG_NO_TTL		0x01000000U
-                    
-/*% Never print the CLASS */
-#define	DNS_STYLEFLAG_NO_CLASS		0x02000000U 
+
+/*% Never print the CLASS. */
+#define	DNS_STYLEFLAG_NO_CLASS		0x02000000U
+
+/*% Report re-signing time. */
+#define	DNS_STYLEFLAG_RESIGN		0x04000000U
 
 ISC_LANG_BEGINDECLS
 
@@ -119,8 +122,8 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_default;
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_full;
 
 /*%
- * A master file style that prints explicit TTL values on each 
- * record line, never using $TTL statements.  The TTL has a tab 
+ * A master file style that prints explicit TTL values on each
+ * record line, never using $TTL statements.  The TTL has a tab
  * stop of its own, but the class and type share one.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
@@ -133,9 +136,9 @@ LIBDNS_EXTERNAL_DATA extern const dns_master_style_t
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_cache;
 
 /*%
- * A master style that prints name, ttl, class, type, and value on 
- * every line.  Similar to explicitttl above, but more verbose.  
- * Intended for generating master files which can be easily parsed 
+ * A master style that prints name, ttl, class, type, and value on
+ * every line.  Similar to explicitttl above, but more verbose.
+ * Intended for generating master files which can be easily parsed
  * by perl scripts and similar applications.
  */
 LIBDNS_EXTERNAL_DATA extern const dns_master_style_t dns_master_style_simple;
@@ -231,7 +234,7 @@ dns_master_dumptostream2(isc_mem_t *mctx, dns_db_t *db,
  *\li	'task' to be valid.
  *\li	'done' to be non NULL.
  *\li	'dctxp' to be non NULL && '*dctxp' to be NULL.
- * 
+ *
  * Returns:
  *\li	ISC_R_SUCCESS
  *\li	ISC_R_CONTINUE	dns_master_dumptostreaminc() only.
@@ -329,6 +332,9 @@ dns_master_stylecreate(dns_master_style_t **style, unsigned int flags,
 void
 dns_master_styledestroy(dns_master_style_t **style, isc_mem_t *mctx);
 
+const char *
+dns_trust_totext(dns_trust_t trust);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_MASTERDUMP_H */
diff --git a/lib/dns/include/dns/message.h b/lib/dns/include/dns/message.h
index 9002b83..f880095 100644
--- a/lib/dns/include/dns/message.h
+++ b/lib/dns/include/dns/message.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.h,v 1.114.18.6 2006/03/02 23:19:20 marka Exp $ */
+/* $Id: message.h,v 1.125.118.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_MESSAGE_H
 #define DNS_MESSAGE_H 1
@@ -33,7 +33,7 @@
 
 #include <dst/dst.h>
 
-/*! \file 
+/*! \file dns/message.h
  * \brief Message Handling Module
  *
  * How this beast works:
@@ -101,8 +101,12 @@
 #define DNS_MESSAGEFLAG_AD		0x0020U
 #define DNS_MESSAGEFLAG_CD		0x0010U
 
+/*%< EDNS0 extended message flags */
 #define DNS_MESSAGEEXTFLAG_DO		0x8000U
 
+/*%< EDNS0 extended OPT codes */
+#define DNS_OPT_NSID		0x0003		/*%< NSID opt code */
+
 #define DNS_MESSAGE_REPLYPRESERVE	(DNS_MESSAGEFLAG_RD|DNS_MESSAGEFLAG_CD)
 #define DNS_MESSAGEEXTFLAG_REPLYPRESERVE (DNS_MESSAGEEXTFLAG_DO)
 
@@ -157,7 +161,7 @@ typedef int dns_messagetextflag_t;
 						   occurs */
 #define DNS_MESSAGEPARSE_CLONEBUFFER	0x0004	/*%< save a copy of the
 						   source buffer */
-#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< trucation errors are
+#define DNS_MESSAGEPARSE_IGNORETRUNCATION 0x0008 /*%< truncation errors are
 						  * not fatal. */
 
 /*
@@ -771,7 +775,7 @@ dns_message_addname(dns_message_t *msg, dns_name_t *name,
 
 void
 dns_message_removename(dns_message_t *msg, dns_name_t *name,
-                       dns_section_t section);
+		       dns_section_t section);
 /*%<
  * Remove a existing name from a given section.
  *
@@ -1031,7 +1035,7 @@ dns_message_setopt(dns_message_t *msg, dns_rdataset_t *opt);
  *\li	The OPT record has either been freed or ownership of it has
  *	been transferred to the message.
  *
- *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered 
+ *\li	If ISC_R_SUCCESS was returned, the OPT record will be rendered
  *	when dns_message_renderend() is called.
  *
  * Returns:
@@ -1195,7 +1199,7 @@ dns_message_takebuffer(dns_message_t *msg, isc_buffer_t **buffer);
  *\li	msg be a valid message.
  *
  *\li	buffer != NULL && *buffer is a valid isc_buffer_t, which was
- *	dynamincally allocated via isc_buffer_allocate().
+ *	dynamically allocated via isc_buffer_allocate().
  */
 
 isc_result_t
@@ -1315,7 +1319,7 @@ dns_message_setsortorder(dns_message_t *msg, dns_rdatasetorderfunc_t order,
  *\li	order_arg is NULL if and only if order is NULL.
  */
 
-void 
+void
 dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
 /*%<
  * Adjust the time used to sign/verify a message by timeadjust.
@@ -1325,7 +1329,7 @@ dns_message_settimeadjust(dns_message_t *msg, int timeadjust);
  *\li	msg be a valid message.
  */
 
-int 
+int
 dns_message_gettimeadjust(dns_message_t *msg);
 /*%<
  * Return the current time adjustment.
diff --git a/lib/dns/include/dns/name.h b/lib/dns/include/dns/name.h
index 038ae05..0149301 100644
--- a/lib/dns/include/dns/name.h
+++ b/lib/dns/include/dns/name.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.h,v 1.107.18.15 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: name.h,v 1.126.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_NAME_H
 #define DNS_NAME_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/name.h
  * \brief
  * Provides facilities for manipulating DNS names and labels, including
  * conversions to and from wire format and text format.
@@ -131,6 +131,7 @@ struct dns_name {
 #define DNS_NAMEATTR_READONLY		0x0002
 #define DNS_NAMEATTR_DYNAMIC		0x0004
 #define DNS_NAMEATTR_DYNOFFSETS		0x0008
+#define DNS_NAMEATTR_NOCOMPRESS		0x0010
 /*
  * Attributes below 0x0100 reserved for name.c usage.
  */
@@ -242,7 +243,7 @@ dns_name_setbuffer(dns_name_t *name, isc_buffer_t *buffer);
  *
  * Notes:
  * \li	Specification of a target buffer in dns_name_fromwire(),
- *	dns_name_fromtext(), and dns_name_concatentate() is optional if
+ *	dns_name_fromtext(), and dns_name_concatenate() is optional if
  *	'name' has a dedicated buffer.
  *
  * \li	The caller must not write to buffer until the name has been
@@ -721,7 +722,7 @@ dns_name_fromwire(dns_name_t *name, isc_buffer_t *source,
 
 isc_result_t
 dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
-	        isc_buffer_t *target);
+		isc_buffer_t *target);
 /*%<
  * Convert 'name' into wire format, compressing it as specified by the
  * compression context 'cctx', and storing the result in 'target'.
@@ -840,7 +841,7 @@ dns_name_totext(dns_name_t *name, isc_boolean_t omit_final_dot,
  * name as generated by dns_name_totext().  This does not
  * include space for a terminating NULL.
  *
- * This definition is conservative - the actual maximum 
+ * This definition is conservative - the actual maximum
  * is 1004, derived as follows:
  *
  *   A backslash-decimal escaped character takes 4 bytes.
@@ -952,7 +953,7 @@ dns_name_split(dns_name_t *name, unsigned int suffixlabels,
  *
  * Notes:
  * \li     'name' is split such that 'suffix' holds the most significant
- *      'suffixlabels' labels.  All other labels are stored in 'prefix'. 
+ *      'suffixlabels' labels.  All other labels are stored in 'prefix'.
  *
  *\li	Copying name data is avoided as much as possible, so 'prefix'
  *	and 'suffix' will end up pointing at the data for 'name'.
@@ -1082,7 +1083,7 @@ dns_name_dynamic(dns_name_t *name);
  *
  * Returns:
  *
- *\li	'ISC_TRUE' if the name is dynamic othewise 'ISC_FALSE'.
+ *\li	'ISC_TRUE' if the name is dynamic otherwise 'ISC_FALSE'.
  */
 
 isc_result_t
@@ -1185,7 +1186,7 @@ dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard);
  * Requires:
  *	'name' to be valid.
  */
- 
+
 
 isc_boolean_t
 dns_name_ismailbox(const dns_name_t *name);
@@ -1220,7 +1221,7 @@ dns_name_destroy(void);
 ISC_LANG_ENDDECLS
 
 /*
- *** High Peformance Macros
+ *** High Performance Macros
  ***/
 
 /*
diff --git a/lib/dns/include/dns/ncache.h b/lib/dns/include/dns/ncache.h
index 459effb..a818fe6 100644
--- a/lib/dns/include/dns/ncache.h
+++ b/lib/dns/include/dns/ncache.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.h,v 1.17.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: ncache.h,v 1.25 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_NCACHE_H
 #define DNS_NCACHE_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/ncache.h
  *\brief
  * DNS Ncache
  *
@@ -63,6 +63,11 @@ isc_result_t
 dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset);
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     isc_boolean_t optout, dns_rdataset_t *addedrdataset);
 /*%<
  * Convert the authority data from 'message' into a negative cache
  * rdataset, and store it in 'cache' at 'node' with a TTL limited to
@@ -71,6 +76,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
  * The 'covers' argument is the RR type whose nonexistence we are caching,
  * or dns_rdatatype_any when caching a NXDOMAIN response.
  *
+ * 'optout' indicates a DNS_RATASETATTR_OPTOUT should be set.
+ *
  * Note:
  *\li	If 'addedrdataset' is not NULL, then it will be attached to the added
  *	rdataset.  See dns_db_addrdataset() for more details.
@@ -154,6 +161,19 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
  *
  */
 
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset);
+
+/*%<
+ * Extract the current rdataset and name from a ncache entry.
+ *
+ * Requires:
+ * \li	'ncacherdataset' to be valid and to be a negative cache entry
+ * \li	'found' to be valid.
+ * \li	'rdataset' to be unassociated.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NCACHE_H */
diff --git a/lib/dns/include/dns/nsec.h b/lib/dns/include/dns/nsec.h
index 46b75fa..335a463 100644
--- a/lib/dns/include/dns/nsec.h
+++ b/lib/dns/include/dns/nsec.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.h,v 1.4.20.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: nsec.h,v 1.12 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_NSEC_H
 #define DNS_NSEC_H 1
 
-/*! \file */
+/*! \file dns/nsec.h */
 
 #include <isc/lang.h>
 
@@ -64,6 +64,17 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
  *\li	'nsec' points to a valid rdataset of type NSEC
  */
 
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t *answer);
+/*
+ * Report whether the DNSKEY RRset has a NSEC only algorithm.  Unknown
+ * algorithms are assumed to support NSEC3.
+ *
+ * Requires:
+ * 	'answer' to be non NULL.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_NSEC_H */
diff --git a/lib/dns/include/dns/nsec3.h b/lib/dns/include/dns/nsec3.h
new file mode 100644
index 0000000..2d6a8dd
--- /dev/null
+++ b/lib/dns/include/dns/nsec3.h
@@ -0,0 +1,194 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3.h,v 1.5.48.2 2009/01/18 23:47:41 tbox Exp $ */
+
+#ifndef DNS_NSEC3_H
+#define DNS_NSEC3_H 1
+
+#include <isc/lang.h>
+#include <isc/iterated_hash.h>
+
+#include <dns/db.h>
+#include <dns/diff.h>
+#include <dns/name.h>
+#include <dns/rdatastruct.h>
+#include <dns/types.h>
+
+/*
+ * hash = 1, flags =1, iterations = 2, salt length = 1, salt = 255 (max)
+ * hash length = 1, hash = 255 (max), bitmap = 8192 + 512 (max)
+ */
+#define DNS_NSEC3_BUFFERSIZE (6 + 255 + 255 + 8192 + 512)
+/*
+ * hash = 1, flags = 1, iterations = 2, salt length = 1, salt = 255 (max)
+ */
+#define DNS_NSEC3PARAM_BUFFERSIZE (5 + 255)
+
+/*
+ * Test "unknown" algorithm.  Is mapped to dns_hash_sha1.
+ */
+#define DNS_NSEC3_UNKNOWNALG 245U
+
+ISC_LANG_BEGINDECLS
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		     dns_dbnode_t *node, unsigned int hashalg,
+		     unsigned int optin, unsigned int iterations,
+		     const unsigned char *salt, size_t salt_length,
+		     const unsigned char *nexthash, size_t hash_length,
+		     unsigned char *buffer, dns_rdata_t *rdata);
+/*%<
+ * Build the rdata of a NSEC3 record for the data at 'node'.
+ * Note: 'node' is not the node where the NSEC3 record will be stored.
+ *
+ * Requires:
+ *	buffer	Points to a temporary buffer of at least
+ * 		DNS_NSEC_BUFFERSIZE bytes.
+ *	rdata	Points to an initialized dns_rdata_t.
+ *
+ * Ensures:
+ *      *rdata	Contains a valid NSEC3 rdata.  The 'data' member refers
+ *		to 'buffer'.
+ */
+
+isc_boolean_t
+dns_nsec3_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type);
+/*%<
+ * Determine if a type is marked as present in an NSEC3 record.
+ *
+ * Requires:
+ *	'nsec' points to a valid rdataset of type NSEC3
+ */
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
+		   dns_hash_t hashalg, unsigned int iterations,
+		   const unsigned char *salt, size_t saltlength);
+/*%<
+ * Make a hashed domain name from an unhashed one. If rethash is not NULL
+ * the raw hash is stored there.
+ */
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash);
+/*%<
+ * Return the length of the hash produced by the specified algorithm
+ * or zero when unknown.
+ */
+
+isc_boolean_t
+dns_nsec3_supportedhash(dns_hash_t hash);
+/*%<
+ * Return whether we support this hash algorithm or not.
+ */
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
+		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    dns_name_t *name, dns_ttl_t nsecttl,
+		    isc_boolean_t unsecure, dns_diff_t *diff);
+/*%<
+ * Add NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the addition.
+ * The existing NSEC3 records are removed.
+ *
+ * dns_nsec3_addnsec3() will only add records to the chain identified by
+ * 'nsec3param'.
+ *
+ * 'unsecure' should be set to reflect if this is a potentially
+ * unsecure delegation (no DS record).
+ *
+ * dns_nsec3_addnsec3s() will examine the NSEC3PARAM RRset to determine which
+ * chains to be updated.  NSEC3PARAM records with the DNS_NSEC3FLAG_CREATE
+ * will be preferentially chosen over NSEC3PARAM records without
+ * DNS_NSEC3FLAG_CREATE set.  NSEC3PARAM records with DNS_NSEC3FLAG_REMOVE
+ * set will be ignored by dns_nsec3_addnsec3s().  If DNS_NSEC3FLAG_CREATE
+ * is set then the new NSEC3 will have OPTOUT set to match the that in the
+ * NSEC3PARAM record otherwise OPTOUT will be inherited from the previous
+ * record in the chain.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff);
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		    dns_diff_t *diff);
+/*%<
+ * Remove NSEC3 records for 'name', recording the change in 'diff'.
+ * Adjust previous NSEC3 records, if any, to reflect the removal.
+ *
+ * dns_nsec3_delnsec3() performs the above for the chain identified by
+ * 'nsec3param'.
+ *
+ * dns_nsec3_delnsec3s() examines the NSEC3PARAM RRset in a similar manner
+ * to dns_nsec3_addnsec3s().  Unlike dns_nsec3_addnsec3s() updated NSEC3
+ * records have the OPTOUT flag preserved.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'name' to be valid.
+ *	'nsec3param' to be valid.
+ *	'diff' to be valid.
+ */
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
+		 isc_boolean_t complete, isc_boolean_t *answer);
+/*%<
+ * Check if there are any complete/to be built NSEC3 chains.
+ * If 'complete' is ISC_TRUE only complete chains will be recognized.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'answer' to be non NULL.
+ */
+
+isc_result_t
+dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+			isc_mem_t *mctx, unsigned int *iterationsp);
+/*%<
+ * Find the maximum permissible number of iterations allowed based on
+ * the key strength.
+ *
+ * Requires:
+ *	'db' to be valid.
+ *	'version' to be valid or NULL.
+ *	'mctx' to be valid.
+ *	'iterationsp' to be non NULL.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* DNS_NSEC3_H */
diff --git a/lib/dns/include/dns/opcode.h b/lib/dns/include/dns/opcode.h
index 4796dba..368b2b2 100644
--- a/lib/dns/include/dns/opcode.h
+++ b/lib/dns/include/dns/opcode.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opcode.h,v 1.2.18.2 2005/04/29 00:16:16 marka Exp $ */
+/* $Id: opcode.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_OPCODE_H
 #define DNS_OPCODE_H 1
 
-/*! \file */
+/*! \file dns/opcode.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/order.h b/lib/dns/include/dns/order.h
index 6458db0..85663c3 100644
--- a/lib/dns/include/dns/order.h
+++ b/lib/dns/include/dns/order.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: order.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_ORDER_H
 #define DNS_ORDER_H 1
 
-/*! \file */
+/*! \file dns/order.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/dns/include/dns/peer.h b/lib/dns/include/dns/peer.h
index be5a8c3..9e7a188 100644
--- a/lib/dns/include/dns/peer.h
+++ b/lib/dns/include/dns/peer.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.h,v 1.20.18.8 2006/02/28 03:10:48 marka Exp $ */
+/* $Id: peer.h,v 1.33.118.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_PEER_H
 #define DNS_PEER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/peer.h
  * \brief
  * Data structures for peers (e.g. a 'server' config file statement)
  */
@@ -73,11 +73,12 @@ struct dns_peer {
 	isc_boolean_t		provide_ixfr;
 	isc_boolean_t		request_ixfr;
 	isc_boolean_t		support_edns;
+	isc_boolean_t		request_nsid;
 	dns_name_t	       *key;
 	isc_sockaddr_t	       *transfer_source;
-	isc_sockaddr_t	       *notify_source;  
-	isc_sockaddr_t	       *query_source;  
-	isc_uint16_t		udpsize;		/* recieve size */
+	isc_sockaddr_t	       *notify_source;
+	isc_sockaddr_t	       *query_source;
+	isc_uint16_t		udpsize;		/* receive size */
 	isc_uint16_t		maxudp;			/* transmit size */
 
 	isc_uint32_t		bitflags;
@@ -150,6 +151,12 @@ isc_result_t
 dns_peer_getprovideixfr(dns_peer_t *peer, isc_boolean_t *retval);
 
 isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, isc_boolean_t newval);
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, isc_boolean_t *retval);
+
+isc_result_t
 dns_peer_setsupportedns(dns_peer_t *peer, isc_boolean_t newval);
 
 isc_result_t
diff --git a/lib/dns/include/dns/portlist.h b/lib/dns/include/dns/portlist.h
index 2d400d4..f76731a 100644
--- a/lib/dns/include/dns/portlist.h
+++ b/lib/dns/include/dns/portlist.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.h,v 1.3.18.2 2005/04/29 00:16:17 marka Exp $ */
+/* $Id: portlist.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
 
-/*! \file */
+/*! \file dns/portlist.h */
 
 #include <isc/lang.h>
 #include <isc/net.h>
diff --git a/lib/dns/include/dns/rbt.h b/lib/dns/include/dns/rbt.h
index a1edf0c..6eea787 100644
--- a/lib/dns/include/dns/rbt.h
+++ b/lib/dns/include/dns/rbt.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.h,v 1.59.18.5 2005/10/13 01:26:07 marka Exp $ */
+/* $Id: rbt.h,v 1.71.48.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_RBT_H
 #define DNS_RBT_H 1
 
-/*! \file */
+/*! \file dns/rbt.h */
 
 #include <isc/lang.h>
 #include <isc/magic.h>
@@ -37,10 +37,10 @@ ISC_LANG_BEGINDECLS
  * Option values for dns_rbt_findnode() and dns_rbt_findname().
  * These are used to form a bitmask.
  */
-#define DNS_RBTFIND_NOOPTIONS			0x00
-#define DNS_RBTFIND_EMPTYDATA			0x01
-#define DNS_RBTFIND_NOEXACT			0x02
-#define DNS_RBTFIND_NOPREDECESSOR		0x04
+#define DNS_RBTFIND_NOOPTIONS                   0x00
+#define DNS_RBTFIND_EMPTYDATA                   0x01
+#define DNS_RBTFIND_NOEXACT                     0x02
+#define DNS_RBTFIND_NOPREDECESSOR               0x04
 /*@}*/
 
 #ifndef DNS_RBT_USEISCREFCOUNT
@@ -52,14 +52,14 @@ ISC_LANG_BEGINDECLS
 /*
  * These should add up to 30.
  */
-#define DNS_RBT_LOCKLENGTH			10
-#define DNS_RBT_REFLENGTH			20
+#define DNS_RBT_LOCKLENGTH                      10
+#define DNS_RBT_REFLENGTH                       20
 
-#define DNS_RBTNODE_MAGIC		ISC_MAGIC('R','B','N','O')
+#define DNS_RBTNODE_MAGIC               ISC_MAGIC('R','B','N','O')
 #if DNS_RBT_USEMAGIC
-#define DNS_RBTNODE_VALID(n)		ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
+#define DNS_RBTNODE_VALID(n)            ISC_MAGIC_VALID(n, DNS_RBTNODE_MAGIC)
 #else
-#define DNS_RBTNODE_VALID(n)		ISC_TRUE
+#define DNS_RBTNODE_VALID(n)            ISC_TRUE
 #endif
 
 /*%
@@ -69,22 +69,31 @@ ISC_LANG_BEGINDECLS
  * appended to this structure.  Allocating a contiguous block of memory for
  * multiple dns_rbtnode structures will not work.
  */
-typedef struct dns_rbtnode {
+typedef struct dns_rbtnode dns_rbtnode_t;
+struct dns_rbtnode {
 #if DNS_RBT_USEMAGIC
 	unsigned int magic;
 #endif
-	struct dns_rbtnode *parent;
-	struct dns_rbtnode *left;
-	struct dns_rbtnode *right;
-	struct dns_rbtnode *down;
+	dns_rbtnode_t *parent;
+	dns_rbtnode_t *left;
+	dns_rbtnode_t *right;
+	dns_rbtnode_t *down;
 #ifdef DNS_RBT_USEHASH
-	struct dns_rbtnode *hashnext;
+	dns_rbtnode_t *hashnext;
 #endif
+
+	/*%
+	 * Used for LRU cache.  This linked list is used to mark nodes which
+	 * have no data any longer, but we cannot unlink at that exact moment
+	 * because we did not or could not obtain a write lock on the tree.
+	 */
+	ISC_LINK(dns_rbtnode_t) deadlink;
+
 	/*@{*/
 	/*!
 	 * The following bitfields add up to a total bitwidth of 32.
 	 * The range of values necessary for each item is indicated,
-	 * but in the case of "attributes" the field is wider to accomodate
+	 * but in the case of "attributes" the field is wider to accommodate
 	 * possible future expansion.  "offsetlen" could be one bit
 	 * narrower by always adjusting its value by 1 to find the real
 	 * offsetlen, but doing so does not gain anything (except perhaps
@@ -93,13 +102,14 @@ typedef struct dns_rbtnode {
 	 * In each case below the "range" indicated is what's _necessary_ for
 	 * the bitfield to hold, not what it actually _can_ hold.
 	 */
-	unsigned int is_root : 1;	/*%< range is 0..1 */
-	unsigned int color : 1;		/*%< range is 0..1 */
-	unsigned int find_callback : 1;	/*%< range is 0..1 */
-	unsigned int attributes : 4;	/*%< range is 0..2 */
-	unsigned int namelen : 8;	/*%< range is 1..255 */
-	unsigned int offsetlen : 8;	/*%< range is 1..128 */
-	unsigned int padbytes : 9;	/*%< range is 0..380 */
+	unsigned int is_root : 1;       /*%< range is 0..1 */
+	unsigned int color : 1;         /*%< range is 0..1 */
+	unsigned int find_callback : 1; /*%< range is 0..1 */
+	unsigned int attributes : 3;    /*%< range is 0..2 */
+	unsigned int nsec3 : 1;    	/*%< range is 0..1 */
+	unsigned int namelen : 8;       /*%< range is 1..255 */
+	unsigned int offsetlen : 8;     /*%< range is 1..128 */
+	unsigned int padbytes : 9;      /*%< range is 0..380 */
 	/*@}*/
 
 #ifdef DNS_RBT_USEHASH
@@ -121,14 +131,14 @@ typedef struct dns_rbtnode {
 	isc_refcount_t references; /* note that this is not in the bitfield */
 #endif
 	/*@}*/
-} dns_rbtnode_t;
+};
 
 typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
 					      dns_name_t *name,
 					      void *callback_arg);
 
 /*****
- *****	Chain Info
+ *****  Chain Info
  *****/
 
 /*!
@@ -145,7 +155,7 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
  * tree when a node is added).  The obvious implication of this is that for a
  * chain to remain valid, the tree has to be locked down against writes for the
  * duration of the useful life of the chain, because additions or removals can
- * change the path from the root to the node the chain has targetted.
+ * change the path from the root to the node the chain has targeted.
  *
  * The dns_rbtnodechain_ functions _first, _last, _prev and _next all take
  * dns_name_t parameters for the name and the origin, which can be NULL.  If
@@ -182,15 +192,15 @@ typedef isc_result_t (*dns_rbtfindcallback_t)(dns_rbtnode_t *node,
 #define DNS_RBT_LEVELBLOCK 254
 
 typedef struct dns_rbtnodechain {
-	unsigned int		magic;
-	isc_mem_t *		mctx;
+	unsigned int            magic;
+	isc_mem_t *             mctx;
 	/*%
 	 * The terminal node of the chain.  It is not in levels[].
 	 * This is ostensibly private ... but in a pinch it could be
 	 * used tell that the chain points nowhere without needing to
 	 * call dns_rbtnodechain_current().
 	 */
-	dns_rbtnode_t *		end;
+	dns_rbtnode_t *         end;
 	/*%
 	 * The maximum number of labels in a name is 128; bitstrings mean
 	 * a conceptually very large number (which I have not bothered to
@@ -199,7 +209,7 @@ typedef struct dns_rbtnodechain {
 	 * labels in a name to 255, meaning only 254 pointers are needed
 	 * in the worst case.
 	 */
-	dns_rbtnode_t *		levels[DNS_RBT_LEVELBLOCK];
+	dns_rbtnode_t *         levels[DNS_RBT_LEVELBLOCK];
 	/*%
 	 * level_count indicates how deep the chain points into the
 	 * tree of trees, and is the index into the levels[] array.
@@ -208,7 +218,7 @@ typedef struct dns_rbtnodechain {
 	 * a level_count of 0, the first level has a level_count of 1, and
 	 * so on.
 	 */
-	unsigned int		level_count;
+	unsigned int            level_count;
 	/*%
 	 * level_matches tells how many levels matched above the node
 	 * returned by dns_rbt_findnode().  A match (partial or exact) found
@@ -216,7 +226,7 @@ typedef struct dns_rbtnodechain {
 	 * This is used by the rbtdb to set the start point for a recursive
 	 * search of superdomains until the RR it is looking for is found.
 	 */
-	unsigned int		level_matches;
+	unsigned int            level_matches;
 } dns_rbtnodechain_t;
 
 /*****
@@ -229,27 +239,27 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
  * Initialize a red-black tree of trees.
  *
  * Notes:
- *\li	The deleter argument, if non-null, points to a function that is
- *	responsible for cleaning up any memory associated with the data
- *	pointer of a node when the node is deleted.  It is passed the
- *	deleted node's data pointer as its first argument and deleter_arg
- *	as its second argument.
+ *\li   The deleter argument, if non-null, points to a function that is
+ *      responsible for cleaning up any memory associated with the data
+ *      pointer of a node when the node is deleted.  It is passed the
+ *      deleted node's data pointer as its first argument and deleter_arg
+ *      as its second argument.
  *
  * Requires:
- * \li	mctx is a pointer to a valid memory context.
- *\li	rbtp != NULL && *rbtp == NULL
- *\li	arg == NULL iff deleter == NULL
+ * \li  mctx is a pointer to a valid memory context.
+ *\li   rbtp != NULL && *rbtp == NULL
+ *\li   arg == NULL iff deleter == NULL
  *
  * Ensures:
- *\li	If result is ISC_R_SUCCESS:
- *		*rbtp points to a valid red-black tree manager
+ *\li   If result is ISC_R_SUCCESS:
+ *              *rbtp points to a valid red-black tree manager
  *
- *\li	If result is failure:
- *		*rbtp does not point to a valid red-black tree manager.
+ *\li   If result is failure:
+ *              *rbtp does not point to a valid red-black tree manager.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_NOMEMORY	Resource limit: Out of Memory
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource limit: Out of Memory
  */
 
 isc_result_t
@@ -258,38 +268,38 @@ dns_rbt_addname(dns_rbt_t *rbt, dns_name_t *name, void *data);
  * Add 'name' to the tree of trees, associated with 'data'.
  *
  * Notes:
- *\li	'data' is never required to be non-NULL, but specifying it
- *	when the name is added is faster than searching for 'name'
- *	again and then setting the data pointer.  The lack of a data pointer
- *	for a node also has other ramifications regarding whether
- *	dns_rbt_findname considers a node to exist, or dns_rbt_deletename
- *	joins nodes.
+ *\li   'data' is never required to be non-NULL, but specifying it
+ *      when the name is added is faster than searching for 'name'
+ *      again and then setting the data pointer.  The lack of a data pointer
+ *      for a node also has other ramifications regarding whether
+ *      dns_rbt_findname considers a node to exist, or dns_rbt_deletename
+ *      joins nodes.
  *
  * Requires:
- *\li	rbt is a valid rbt manager.
- *\li	dns_name_isabsolute(name) == TRUE
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
  *
  * Ensures:
- *\li	'name' is not altered in any way.
+ *\li   'name' is not altered in any way.
  *
- *\li	Any external references to nodes in the tree are unaffected by
- *	node splits that are necessary to insert the new name.
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
  *
- *\li	If result is #ISC_R_SUCCESS:
- *		'name' is findable in the red/black tree of trees in O(log N).
- *		The data pointer of the node for 'name' is set to 'data'.
+ *\li   If result is #ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              The data pointer of the node for 'name' is set to 'data'.
  *
- *\li	If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
- *		The tree of trees is unaltered.
+ *\li   If result is #ISC_R_EXISTS or #ISC_R_NOSPACE:
+ *              The tree of trees is unaltered.
  *
- *\li	If result is #ISC_R_NOMEMORY:
- *		No guarantees.
+ *\li   If result is #ISC_R_NOMEMORY:
+ *              No guarantees.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_EXISTS	The name already exists with associated data.
- *\li	#ISC_R_NOSPACE 	The name had more logical labels than are allowed.
- *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists with associated data.
+ *\li   #ISC_R_NOSPACE  The name had more logical labels than are allowed.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
  */
 
 isc_result_t
@@ -299,31 +309,31 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep);
  * Just like dns_rbt_addname, but returns the address of the node.
  *
  * Requires:
- *\li	rbt is a valid rbt structure.
- *\li	dns_name_isabsolute(name) == TRUE
- *\li	nodep != NULL && *nodep == NULL
+ *\li   rbt is a valid rbt structure.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   nodep != NULL && *nodep == NULL
  *
  * Ensures:
- *\li	'name' is not altered in any way.
+ *\li   'name' is not altered in any way.
  *
- *\li	Any external references to nodes in the tree are unaffected by
- *	node splits that are necessary to insert the new name.
+ *\li   Any external references to nodes in the tree are unaffected by
+ *      node splits that are necessary to insert the new name.
  *
- *\li	If result is ISC_R_SUCCESS:
- *		'name' is findable in the red/black tree of trees in O(log N).
- *		*nodep is the node that was added for 'name'.
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' is findable in the red/black tree of trees in O(log N).
+ *              *nodep is the node that was added for 'name'.
  *
- *\li	If result is ISC_R_EXISTS:
- *		The tree of trees is unaltered.
- *		*nodep is the existing node for 'name'.
+ *\li   If result is ISC_R_EXISTS:
+ *              The tree of trees is unaltered.
+ *              *nodep is the existing node for 'name'.
  *
- *\li	If result is ISC_R_NOMEMORY:
- *		No guarantees.
+ *\li   If result is ISC_R_NOMEMORY:
+ *              No guarantees.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_EXISTS	The name already exists, possibly without data.
- *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_EXISTS   The name already exists, possibly without data.
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory
  */
 
 isc_result_t
@@ -333,36 +343,36 @@ dns_rbt_findname(dns_rbt_t *rbt, dns_name_t *name, unsigned int options,
  * Get the data pointer associated with 'name'.
  *
  * Notes:
- *\li	When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *\li   When #DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
  *      returned (also subject to #DNS_RBTFIND_EMPTYDATA), even when there is
- *	an exact match in the tree.
+ *      an exact match in the tree.
  *
  *\li   A node that has no data is considered not to exist for this function,
  *      unless the #DNS_RBTFIND_EMPTYDATA option is set.
  *
  * Requires:
- *\li	rbt is a valid rbt manager.
- *\li	dns_name_isabsolute(name) == TRUE
- *\li	data != NULL && *data == NULL
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
+ *\li   data != NULL && *data == NULL
  *
  * Ensures:
- *\li	'name' and the tree are not altered in any way.
+ *\li   'name' and the tree are not altered in any way.
  *
- *\li	If result is ISC_R_SUCCESS:
- *		*data is the data associated with 'name'.
+ *\li   If result is ISC_R_SUCCESS:
+ *              *data is the data associated with 'name'.
  *
- *\li	If result is DNS_R_PARTIALMATCH:
- *		*data is the data associated with the deepest superdomain
- * 		of 'name' which has data.
+ *\li   If result is DNS_R_PARTIALMATCH:
+ *              *data is the data associated with the deepest superdomain
+ *              of 'name' which has data.
  *
- *\li	If result is ISC_R_NOTFOUND:
- *		Neither the name nor a superdomain was found with data.
+ *\li   If result is ISC_R_NOTFOUND:
+ *              Neither the name nor a superdomain was found with data.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#DNS_R_PARTIALMATCH	Superdomain found with data
- *\li	#ISC_R_NOTFOUND		No match
- *\li	#ISC_R_NOSPACE		Concatenating nodes to form foundname failed
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match
+ *\li   #ISC_R_NOSPACE          Concatenating nodes to form foundname failed
  */
 
 isc_result_t
@@ -374,100 +384,100 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
  * Find the node for 'name'.
  *
  * Notes:
- *\li	A node that has no data is considered not to exist for this function,
- *	unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
- *	exact matches and partial matches.
- *
- *\li	If the chain parameter is non-NULL, then the path through the tree
- *	to the DNSSEC predecessor of the searched for name is maintained,
- *	unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
- *	is used. (For more details on those options, see below.)
- *
- *\li	If there is no predecessor, then the chain will point to nowhere, as
- *	indicated by chain->end being NULL or dns_rbtnodechain_current
- *	returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
- *	there will always be a predecessor for all names except the root
- *	name, because '.' will exist and '.' is the predecessor of
- *	everything.  But you can certainly construct a trivial tree and a
- *	search for it that has no predecessor.
- *
- *\li	Within the chain structure, the 'levels' member of the structure holds
- *	the root node of each level except the first.
- *
- *\li	The 'level_count' of the chain indicates how deep the chain to the
- *	predecessor name is, as an index into the 'levels[]' array.  It does
- *	not count name elements, per se, but only levels of the tree of trees,
- *	the distinction arrising because multiple labels from a name can be
- *	stored on only one level.  It is also does not include the level
- *	that has the node, since that level is not stored in levels[].
- *
- *\li	The chain's 'level_matches' is not directly related to the predecessor.
- *	It is the number of levels above the level of the found 'node',
- *	regardless of whether it was a partial match or exact match.  When
- *	the node is found in the top level tree, or no node is found at all,
- *	level_matches is 0.
- *
- *\li	When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
+ *\li   A node that has no data is considered not to exist for this function,
+ *      unless the DNS_RBTFIND_EMPTYDATA option is set.  This applies to both
+ *      exact matches and partial matches.
+ *
+ *\li   If the chain parameter is non-NULL, then the path through the tree
+ *      to the DNSSEC predecessor of the searched for name is maintained,
+ *      unless the DNS_RBTFIND_NOPREDECESSOR or DNS_RBTFIND_NOEXACT option
+ *      is used. (For more details on those options, see below.)
+ *
+ *\li   If there is no predecessor, then the chain will point to nowhere, as
+ *      indicated by chain->end being NULL or dns_rbtnodechain_current
+ *      returning ISC_R_NOTFOUND.  Note that in a normal Internet DNS RBT
+ *      there will always be a predecessor for all names except the root
+ *      name, because '.' will exist and '.' is the predecessor of
+ *      everything.  But you can certainly construct a trivial tree and a
+ *      search for it that has no predecessor.
+ *
+ *\li   Within the chain structure, the 'levels' member of the structure holds
+ *      the root node of each level except the first.
+ *
+ *\li   The 'level_count' of the chain indicates how deep the chain to the
+ *      predecessor name is, as an index into the 'levels[]' array.  It does
+ *      not count name elements, per se, but only levels of the tree of trees,
+ *      the distinction arising because multiple labels from a name can be
+ *      stored on only one level.  It is also does not include the level
+ *      that has the node, since that level is not stored in levels[].
+ *
+ *\li   The chain's 'level_matches' is not directly related to the predecessor.
+ *      It is the number of levels above the level of the found 'node',
+ *      regardless of whether it was a partial match or exact match.  When
+ *      the node is found in the top level tree, or no node is found at all,
+ *      level_matches is 0.
+ *
+ *\li   When DNS_RBTFIND_NOEXACT is set, the closest matching superdomain is
  *      returned (also subject to DNS_RBTFIND_EMPTYDATA), even when
  *      there is an exact match in the tree.  In this case, the chain
- *	will not point to the DNSSEC predecessor, but will instead point
- *	to the exact match, if there was any.  Thus the preceding paragraphs
- *	should have "exact match" substituted for "predecessor" to describe
- *	how the various elements of the chain are set.  This was done to
- * 	ensure that the chain's state was sane, and to prevent problems that
- *	occurred when running the predecessor location code under conditions
- *	it was not designed for.  It is not clear *where* the chain should
- *	point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
- *	with this option because you want a particular node, let us know
- *	where you want the chain pointed, so this can be made more firm.
+ *      will not point to the DNSSEC predecessor, but will instead point
+ *      to the exact match, if there was any.  Thus the preceding paragraphs
+ *      should have "exact match" substituted for "predecessor" to describe
+ *      how the various elements of the chain are set.  This was done to
+ *      ensure that the chain's state was sane, and to prevent problems that
+ *      occurred when running the predecessor location code under conditions
+ *      it was not designed for.  It is not clear *where* the chain should
+ *      point when DNS_RBTFIND_NOEXACT is set, so if you end up using a chain
+ *      with this option because you want a particular node, let us know
+ *      where you want the chain pointed, so this can be made more firm.
  *
  * Requires:
- *\li	rbt is a valid rbt manager.
- *\li	dns_name_isabsolute(name) == TRUE.
- *\li	node != NULL && *node == NULL.
- *\li	#DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutally
- *		exclusive.
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE.
+ *\li   node != NULL && *node == NULL.
+ *\li   #DNS_RBTFIND_NOEXACT and DNS_RBTFIND_NOPREDECESSOR are mutually
+ *              exclusive.
  *
  * Ensures:
- *\li	'name' and the tree are not altered in any way.
+ *\li   'name' and the tree are not altered in any way.
  *
- *\li	If result is ISC_R_SUCCESS:
+ *\li   If result is ISC_R_SUCCESS:
  *\verbatim
- *		*node is the terminal node for 'name'.
+ *              *node is the terminal node for 'name'.
 
- *		'foundname' and 'name' represent the same name (though not
- *		the same memory).
+ *              'foundname' and 'name' represent the same name (though not
+ *              the same memory).
 
- *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
- *		chain->level_matches and chain->level_count are equal.
+ *              chain->level_matches and chain->level_count are equal.
  *\endverbatim
  *
- * 	If result is DNS_R_PARTIALMATCH:
+ *      If result is DNS_R_PARTIALMATCH:
  *\verbatim
- *		*node is the data associated with the deepest superdomain
- * 		of 'name' which has data.
+ *              *node is the data associated with the deepest superdomain
+ *              of 'name' which has data.
  *
- *		'foundname' is the name of deepest superdomain (which has
- *		data, unless the DNS_RBTFIND_EMPTYDATA option is set).
+ *              'foundname' is the name of deepest superdomain (which has
+ *              data, unless the DNS_RBTFIND_EMPTYDATA option is set).
  *
- *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *\endverbatim
  *
- *\li	If result is ISC_R_NOTFOUND:
+ *\li   If result is ISC_R_NOTFOUND:
  *\verbatim
- *		Neither the name nor a superdomain was found.  *node is NULL.
+ *              Neither the name nor a superdomain was found.  *node is NULL.
  *
- *		'chain' points to the DNSSEC predecessor, if any, of 'name'.
+ *              'chain' points to the DNSSEC predecessor, if any, of 'name'.
  *
- *		chain->level_matches is 0.
+ *              chain->level_matches is 0.
  *\endverbatim
  *
  * Returns:
- *\li	#ISC_R_SUCCESS		Success
- *\li	#DNS_R_PARTIALMATCH	Superdomain found with data
- *\li	#ISC_R_NOTFOUND		No match, or superdomain with no data
- *\li	#ISC_R_NOSPACE Concatenating nodes to form foundname failed
+ *\li   #ISC_R_SUCCESS          Success
+ *\li   #DNS_R_PARTIALMATCH     Superdomain found with data
+ *\li   #ISC_R_NOTFOUND         No match, or superdomain with no data
+ *\li   #ISC_R_NOSPACE Concatenating nodes to form foundname failed
  */
 
 isc_result_t
@@ -476,41 +486,41 @@ dns_rbt_deletename(dns_rbt_t *rbt, dns_name_t *name, isc_boolean_t recurse);
  * Delete 'name' from the tree of trees.
  *
  * Notes:
- *\li	When 'name' is removed, if recurse is ISC_TRUE then all of its
+ *\li   When 'name' is removed, if recurse is ISC_TRUE then all of its
  *      subnames are removed too.
  *
  * Requires:
- *\li	rbt is a valid rbt manager.
- *\li	dns_name_isabsolute(name) == TRUE
+ *\li   rbt is a valid rbt manager.
+ *\li   dns_name_isabsolute(name) == TRUE
  *
  * Ensures:
- *\li	'name' is not altered in any way.
+ *\li   'name' is not altered in any way.
  *
- *\li	Does NOT ensure that any external references to nodes in the tree
- *	are unaffected by node joins.
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
  *
- *\li	If result is ISC_R_SUCCESS:
- *		'name' does not appear in the tree with data; however,
- *		the node for the name might still exist which can be
- *		found with dns_rbt_findnode (but not dns_rbt_findname).
+ *\li   If result is ISC_R_SUCCESS:
+ *              'name' does not appear in the tree with data; however,
+ *              the node for the name might still exist which can be
+ *              found with dns_rbt_findnode (but not dns_rbt_findname).
  *
- *\li	If result is ISC_R_NOTFOUND:
- *		'name' does not appear in the tree with data, because
- *		it did not appear in the tree before the function was called.
+ *\li   If result is ISC_R_NOTFOUND:
+ *              'name' does not appear in the tree with data, because
+ *              it did not appear in the tree before the function was called.
  *
- *\li	If result is something else:
- *		See result codes for dns_rbt_findnode (if it fails, the
- *		node is not deleted) or dns_rbt_deletenode (if it fails,
- *		the node is deleted, but the tree is not optimized when
- *		it could have been).
+ *\li   If result is something else:
+ *              See result codes for dns_rbt_findnode (if it fails, the
+ *              node is not deleted) or dns_rbt_deletenode (if it fails,
+ *              the node is deleted, but the tree is not optimized when
+ *              it could have been).
  *
  * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_NOTFOUND	No match
- *\li	something_else	Any return code from dns_rbt_findnode except
- *			DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
- *			to be returned instead), and any code from
- *			dns_rbt_deletenode.
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOTFOUND No match
+ *\li   something_else  Any return code from dns_rbt_findnode except
+ *                      DNS_R_PARTIALMATCH (which causes ISC_R_NOTFOUND
+ *                      to be returned instead), and any code from
+ *                      dns_rbt_deletenode.
  */
 
 isc_result_t
@@ -519,32 +529,32 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse);
  * Delete 'node' from the tree of trees.
  *
  * Notes:
- *\li	When 'node' is removed, if recurse is ISC_TRUE then all nodes
- *	in levels down from it are removed too.
+ *\li   When 'node' is removed, if recurse is ISC_TRUE then all nodes
+ *      in levels down from it are removed too.
  *
  * Requires:
- *\li	rbt is a valid rbt manager.
- *\li	node != NULL.
+ *\li   rbt is a valid rbt manager.
+ *\li   node != NULL.
  *
  * Ensures:
- *\li	Does NOT ensure that any external references to nodes in the tree
- *	are unaffected by node joins.
+ *\li   Does NOT ensure that any external references to nodes in the tree
+ *      are unaffected by node joins.
  *
- *\li	If result is ISC_R_SUCCESS:
- *		'node' does not appear in the tree with data; however,
- *		the node might still exist if it serves as a pointer to
- *		a lower tree level as long as 'recurse' was false, hence
- *		the node could can be found with dns_rbt_findnode whem
- *		that function's empty_data_ok parameter is true.
+ *\li   If result is ISC_R_SUCCESS:
+ *              'node' does not appear in the tree with data; however,
+ *              the node might still exist if it serves as a pointer to
+ *              a lower tree level as long as 'recurse' was false, hence
+ *              the node could can be found with dns_rbt_findnode when
+ *              that function's empty_data_ok parameter is true.
  *
- *\li	If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
- *		The node was deleted, but the tree structure was not
- *		optimized.
+ *\li   If result is ISC_R_NOMEMORY or ISC_R_NOSPACE:
+ *              The node was deleted, but the tree structure was not
+ *              optimized.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS	Success
- *\li	#ISC_R_NOMEMORY	Resource Limit: Out of Memory when joining nodes.
- *\li	#ISC_R_NOSPACE	dns_name_concatenate failed when joining nodes.
+ *\li   #ISC_R_SUCCESS  Success
+ *\li   #ISC_R_NOMEMORY Resource Limit: Out of Memory when joining nodes.
+ *\li   #ISC_R_NOSPACE  dns_name_concatenate failed when joining nodes.
  */
 
 void
@@ -553,24 +563,24 @@ dns_rbt_namefromnode(dns_rbtnode_t *node, dns_name_t *name);
  * Convert the sequence of labels stored at 'node' into a 'name'.
  *
  * Notes:
- *\li	This function does not return the full name, from the root, but
- *	just the labels at the indicated node.
+ *\li   This function does not return the full name, from the root, but
+ *      just the labels at the indicated node.
  *
- *\li	The name data pointed to by 'name' is the information stored
- *	in the node, not a copy.  Altering the data at this pointer
- *	will likely cause grief.
+ *\li   The name data pointed to by 'name' is the information stored
+ *      in the node, not a copy.  Altering the data at this pointer
+ *      will likely cause grief.
  *
  * Requires:
- * \li	name->offsets == NULL
+ * \li  name->offsets == NULL
  *
  * Ensures:
- * \li	'name' is DNS_NAMEATTR_READONLY.
+ * \li  'name' is DNS_NAMEATTR_READONLY.
  *
- * \li	'name' will point directly to the labels stored after the
- *	dns_rbtnode_t struct.
+ * \li  'name' will point directly to the labels stored after the
+ *      dns_rbtnode_t struct.
  *
- * \li	'name' will have offsets that also point to the information stored
- *	as part of the node.
+ * \li  'name' will have offsets that also point to the information stored
+ *      as part of the node.
  */
 
 isc_result_t
@@ -579,18 +589,18 @@ dns_rbt_fullnamefromnode(dns_rbtnode_t *node, dns_name_t *name);
  * Like dns_rbt_namefromnode, but returns the full name from the root.
  *
  * Notes:
- * \li	Unlike dns_rbt_namefromnode, the name will not point directly
- *	to node data.  Rather, dns_name_concatenate will be used to copy
- *	the name data from each node into the 'name' argument.
+ * \li  Unlike dns_rbt_namefromnode, the name will not point directly
+ *      to node data.  Rather, dns_name_concatenate will be used to copy
+ *      the name data from each node into the 'name' argument.
  *
  * Requires:
- * \li	name != NULL
- * \li	name has a dedicated buffer.
+ * \li  name != NULL
+ * \li  name has a dedicated buffer.
  *
  * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_NOSPACE		(possible via dns_name_concatenate)
- * \li	DNS_R_NAMETOOLONG	(possible via dns_name_concatenate)
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_NOSPACE           (possible via dns_name_concatenate)
+ * \li  DNS_R_NAMETOOLONG       (possible via dns_name_concatenate)
  */
 
 char *
@@ -600,14 +610,14 @@ dns_rbt_formatnodename(dns_rbtnode_t *node, char *printname,
  * Format the full name of a node for printing, using dns_name_format().
  *
  * Notes:
- * \li	'size' is the length of the printname buffer.  This should be
- *	DNS_NAME_FORMATSIZE or larger.
+ * \li  'size' is the length of the printname buffer.  This should be
+ *      DNS_NAME_FORMATSIZE or larger.
  *
  * Requires:
- * \li	node and printname are not NULL.
+ * \li  node and printname are not NULL.
  *
  * Returns:
- * \li	The 'printname' pointer.
+ * \li  The 'printname' pointer.
  */
 
 unsigned int
@@ -616,7 +626,7 @@ dns_rbt_nodecount(dns_rbt_t *rbt);
  * Obtain the number of nodes in the tree of trees.
  *
  * Requires:
- * \li	rbt is a valid rbt manager.
+ * \li  rbt is a valid rbt manager.
  */
 
 void
@@ -624,25 +634,25 @@ dns_rbt_destroy(dns_rbt_t **rbtp);
 isc_result_t
 dns_rbt_destroy2(dns_rbt_t **rbtp, unsigned int quantum);
 /*%<
- * Stop working with a red-black tree of trees. 
+ * Stop working with a red-black tree of trees.
  * If 'quantum' is zero then the entire tree will be destroyed.
  * If 'quantum' is non zero then up to 'quantum' nodes will be destroyed
  * allowing the rbt to be incrementally destroyed by repeated calls to
  * dns_rbt_destroy2().  Once dns_rbt_destroy2() has been called no other
  * operations than dns_rbt_destroy()/dns_rbt_destroy2() should be
  * performed on the tree of trees.
- * 
+ *
  * Requires:
- * \li	*rbt is a valid rbt manager.
+ * \li  *rbt is a valid rbt manager.
  *
  * Ensures on ISC_R_SUCCESS:
- * \li	All space allocated by the RBT library has been returned.
+ * \li  All space allocated by the RBT library has been returned.
  *
- * \li	*rbt is invalidated as an rbt manager.
+ * \li  *rbt is invalidated as an rbt manager.
  *
  * Returns:
- * \li	ISC_R_SUCCESS
- * \li	ISC_R_QUOTA if 'quantum' nodes have been destroyed.
+ * \li  ISC_R_SUCCESS
+ * \li  ISC_R_QUOTA if 'quantum' nodes have been destroyed.
  */
 
 void
@@ -652,10 +662,10 @@ dns_rbt_printall(dns_rbt_t *rbt);
  * tree of trees.
  *
  * Notes:
- * \li	The name stored at each node, along with the node's color, is printed.
- *	Then the down pointer, left and right pointers are displayed
- *	recursively in turn.  NULL down pointers are silently omitted;
- *	NULL left and right pointers are printed.
+ * \li  The name stored at each node, along with the node's color, is printed.
+ *      Then the down pointer, left and right pointers are displayed
+ *      recursively in turn.  NULL down pointers are silently omitted;
+ *      NULL left and right pointers are printed.
  */
 
 /*****
@@ -668,12 +678,12 @@ dns_rbtnodechain_init(dns_rbtnodechain_t *chain, isc_mem_t *mctx);
  * Initialize 'chain'.
  *
  * Requires:
- *\li	'chain' is a valid pointer.
+ *\li   'chain' is a valid pointer.
  *
- *\li	'mctx' is a valid memory context.
+ *\li   'mctx' is a valid memory context.
  *
  * Ensures:
- *\li	'chain' is suitable for use.
+ *\li   'chain' is suitable for use.
  */
 
 void
@@ -683,10 +693,10 @@ dns_rbtnodechain_reset(dns_rbtnodechain_t *chain);
  * 'chain'.
  *
  * Requires:
- *\li	'chain' is a valid pointer.
+ *\li   'chain' is a valid pointer.
  *
  * Ensures:
- *\li	'chain' is suitable for use, and uses no dynamic storage.
+ *\li   'chain' is suitable for use, and uses no dynamic storage.
  */
 
 void
@@ -695,15 +705,15 @@ dns_rbtnodechain_invalidate(dns_rbtnodechain_t *chain);
  * Free any dynamic storage associated with 'chain', and then invalidates it.
  *
  * Notes:
- *\li 	Future calls to any dns_rbtnodechain_ function will need to call
- * 	dns_rbtnodechain_init on the chain first (except, of course,
- *	dns_rbtnodechain_init itself).
+ *\li   Future calls to any dns_rbtnodechain_ function will need to call
+ *      dns_rbtnodechain_init on the chain first (except, of course,
+ *      dns_rbtnodechain_init itself).
  *
  * Requires:
- *\li	'chain' is a valid chain.
+ *\li   'chain' is a valid chain.
  *
  * Ensures:
- *\li	'chain' is no longer suitable for use, and uses no dynamic storage.
+ *\li   'chain' is no longer suitable for use, and uses no dynamic storage.
  */
 
 isc_result_t
@@ -713,37 +723,37 @@ dns_rbtnodechain_current(dns_rbtnodechain_t *chain, dns_name_t *name,
  * Provide the name, origin and node to which the chain is currently pointed.
  *
  * Notes:
- *\li	The tree need not have be locked against additions for the chain
- *	to remain valid, however there are no guarantees if any deletion
- *	has been made since the chain was established.
+ *\li   The tree need not have be locked against additions for the chain
+ *      to remain valid, however there are no guarantees if any deletion
+ *      has been made since the chain was established.
  *
  * Requires:
- *\li	'chain' is a valid chain.
+ *\li   'chain' is a valid chain.
  *
  * Ensures:
- *\li	'node', if non-NULL, is the node to which the chain was pointed
- *	by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
- *	If none were called for the chain since it was initialized or reset,
- *	or if the was no predecessor to the name searched for with
- *	dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
+ *\li   'node', if non-NULL, is the node to which the chain was pointed
+ *      by dns_rbt_findnode, dns_rbtnodechain_first or dns_rbtnodechain_last.
+ *      If none were called for the chain since it was initialized or reset,
+ *      or if the was no predecessor to the name searched for with
+ *      dns_rbt_findnode, then '*node' is NULL and ISC_R_NOTFOUND is returned.
  *
- *\li	'name', if non-NULL, is the name stored at the terminal level of
- *	the chain.  This is typically a single label, like the "www" of
- *	"www.isc.org", but need not be so.  At the root of the tree of trees,
- *	if the node is "." then 'name' is ".", otherwise it is relative to ".".
- *	(Minimalist and atypical case:  if the tree has just the name
- *	"isc.org." then the root node's stored name is "isc.org." but 'name'
- *	will be "isc.org".)
+ *\li   'name', if non-NULL, is the name stored at the terminal level of
+ *      the chain.  This is typically a single label, like the "www" of
+ *      "www.isc.org", but need not be so.  At the root of the tree of trees,
+ *      if the node is "." then 'name' is ".", otherwise it is relative to ".".
+ *      (Minimalist and atypical case:  if the tree has just the name
+ *      "isc.org." then the root node's stored name is "isc.org." but 'name'
+ *      will be "isc.org".)
  *
- *\li	'origin', if non-NULL, is the sequence of labels in the levels
- *	above the terminal level, such as "isc.org." in the above example.
- *	'origin' is always "." for the root node.
+ *\li   'origin', if non-NULL, is the sequence of labels in the levels
+ *      above the terminal level, such as "isc.org." in the above example.
+ *      'origin' is always "." for the root node.
  *
  *
  * Returns:
- *\li	#ISC_R_SUCCESS		name, origin & node were successfully set.
- *\li	#ISC_R_NOTFOUND		The chain does not point to any node.
- *\li	&lt;something_else>	Any error return from dns_name_concatenate.
+ *\li   #ISC_R_SUCCESS          name, origin & node were successfully set.
+ *\li   #ISC_R_NOTFOUND         The chain does not point to any node.
+ *\li   &lt;something_else>     Any error return from dns_name_concatenate.
  */
 
 isc_result_t
@@ -753,23 +763,23 @@ dns_rbtnodechain_first(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
  * Set the chain to the lexically first node in the tree of trees.
  *
  * Notes:
- *\li	By the definition of ordering for DNS names, the root of the tree of
- *	trees is the very first node, since everything else in the megatree
- *	uses it as a common suffix.
+ *\li   By the definition of ordering for DNS names, the root of the tree of
+ *      trees is the very first node, since everything else in the megatree
+ *      uses it as a common suffix.
  *
  * Requires:
- *\li	'chain' is a valid chain.
- *\li	'rbt' is a valid rbt manager.
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
  *
  * Ensures:
- *\li	The chain points to the very first node of the tree.
+ *\li   The chain points to the very first node of the tree.
  *
- *\li	'name' and 'origin', if non-NULL, are set as described for
- *	dns_rbtnodechain_current.  Thus 'origin' will always be ".".
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.  Thus 'origin' will always be ".".
  *
  * Returns:
- *\li	#DNS_R_NEWORIGIN		The name & origin were successfully set.
- *\li	&lt;something_else>	Any error result from dns_rbtnodechain_current.
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
  */
 
 isc_result_t
@@ -779,19 +789,19 @@ dns_rbtnodechain_last(dns_rbtnodechain_t *chain, dns_rbt_t *rbt,
  * Set the chain to the lexically last node in the tree of trees.
  *
  * Requires:
- *\li	'chain' is a valid chain.
- *\li	'rbt' is a valid rbt manager.
+ *\li   'chain' is a valid chain.
+ *\li   'rbt' is a valid rbt manager.
  *
  * Ensures:
- *\li	The chain points to the very last node of the tree.
+ *\li   The chain points to the very last node of the tree.
  *
- *\li	'name' and 'origin', if non-NULL, are set as described for
- *	dns_rbtnodechain_current.
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
  *
  * Returns:
- *\li	#DNS_R_NEWORIGIN		The name & origin were successfully set.
- *\li	#ISC_R_NOMEMORY		Resource Limit: Out of Memory building chain.
- *\li	&lt;something_else>	Any error result from dns_name_concatenate.
+ *\li   #DNS_R_NEWORIGIN                The name & origin were successfully set.
+ *\li   #ISC_R_NOMEMORY         Resource Limit: Out of Memory building chain.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
  */
 
 isc_result_t
@@ -802,26 +812,26 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
  * is currently pointed.
  *
  * Requires:
- *\li	'chain' is a valid chain.
- *\li	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
- *	since there may have been no predecessor to the searched for name.
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
  *
  * Ensures:
- *\li	The chain is pointed to the predecessor of its current target.
+ *\li   The chain is pointed to the predecessor of its current target.
  *
- *\li	'name' and 'origin', if non-NULL, are set as described for
- *	dns_rbtnodechain_current.
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
  *
- *\li	'origin' is only if a new origin was found.
+ *\li   'origin' is only if a new origin was found.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS		The predecessor was found and 'name' was set.
- *\li	#DNS_R_NEWORIGIN		The predecessor was found with a different
- *				origin and 'name' and 'origin' were set.
- *\li	#ISC_R_NOMORE		There was no predecessor.
- *\li	&lt;something_else>	Any error result from dns_rbtnodechain_current.
+ *\li   #ISC_R_SUCCESS          The predecessor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The predecessor was found with a different
+ *                              origin and 'name' and 'origin' were set.
+ *\li   #ISC_R_NOMORE           There was no predecessor.
+ *\li   &lt;something_else>     Any error result from dns_rbtnodechain_current.
  */
 
 isc_result_t
@@ -832,26 +842,39 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
  * is currently pointed.
  *
  * Requires:
- *\li	'chain' is a valid chain.
- *\li	'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
- *	dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
- *	dns_rbt_findnode is not guaranteed to point the chain somewhere,
- *	since there may have been no predecessor to the searched for name.
+ *\li   'chain' is a valid chain.
+ *\li   'chain' has been pointed somewhere in the tree with dns_rbt_findnode,
+ *      dns_rbtnodechain_first or dns_rbtnodechain_last -- and remember that
+ *      dns_rbt_findnode is not guaranteed to point the chain somewhere,
+ *      since there may have been no predecessor to the searched for name.
  *
  * Ensures:
- *\li	The chain is pointed to the successor of its current target.
+ *\li   The chain is pointed to the successor of its current target.
  *
- *\li	'name' and 'origin', if non-NULL, are set as described for
- *	dns_rbtnodechain_current.
+ *\li   'name' and 'origin', if non-NULL, are set as described for
+ *      dns_rbtnodechain_current.
  *
- *\li	'origin' is only if a new origin was found.
+ *\li   'origin' is only if a new origin was found.
  *
  * Returns:
- *\li	#ISC_R_SUCCESS		The successor was found and 'name' was set.
- *\li	#DNS_R_NEWORIGIN		The successor was found with a different
- *				origin and 'name' and 'origin' were set.
- *\li	#ISC_R_NOMORE		There was no successor.
- *\li	&lt;something_else>	Any error result from dns_name_concatenate.
+ *\li   #ISC_R_SUCCESS          The successor was found and 'name' was set.
+ *\li   #DNS_R_NEWORIGIN                The successor was found with a different
+ *                              origin and 'name' and 'origin' were set.
+ *\li   #ISC_R_NOMORE           There was no successor.
+ *\li   &lt;something_else>     Any error result from dns_name_concatenate.
+ */
+
+isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin);
+/*%<
+ * Descend down if possible.
+ */
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name);
+/*%<
+ * Find the next node at the current depth in DNSSEC order.
  */
 
 /*
@@ -862,53 +885,53 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
  *   hiding the back-end.  The usage is the same as that of isc_refcount_xxx().
  */
 #ifdef DNS_RBT_USEISCREFCOUNT
-#define dns_rbtnode_refinit(node, n)				\
-	do {							\
- 		isc_refcount_init(&(node)->references, (n));	\
-	} while (0) 
-#define dns_rbtnode_refdestroy(node)				\
-	do {							\
-		isc_refcount_destroy(&(node)->references);	\
-	} while (0) 
-#define dns_rbtnode_refcurrent(node)				\
+#define dns_rbtnode_refinit(node, n)                            \
+	do {                                                    \
+		isc_refcount_init(&(node)->references, (n));    \
+	} while (0)
+#define dns_rbtnode_refdestroy(node)                            \
+	do {                                                    \
+		isc_refcount_destroy(&(node)->references);      \
+	} while (0)
+#define dns_rbtnode_refcurrent(node)                            \
 	isc_refcount_current(&(node)->references)
-#define dns_rbtnode_refincrement0(node, refs)			\
-	do {							\
+#define dns_rbtnode_refincrement0(node, refs)                   \
+	do {                                                    \
 		isc_refcount_increment0(&(node)->references, (refs)); \
-	} while (0) 
-#define dns_rbtnode_refincrement(node, refs)			\
-	do {							\
+	} while (0)
+#define dns_rbtnode_refincrement(node, refs)                    \
+	do {                                                    \
 		isc_refcount_increment(&(node)->references, (refs)); \
-	} while (0) 
-#define dns_rbtnode_refdecrement(node, refs)			\
-	do {							\
+	} while (0)
+#define dns_rbtnode_refdecrement(node, refs)                    \
+	do {                                                    \
 		isc_refcount_decrement(&(node)->references, (refs)); \
-	} while (0) 
+	} while (0)
 #else  /* DNS_RBT_USEISCREFCOUNT */
-#define dns_rbtnode_refinit(node, n)	((node)->references = (n))
-#define dns_rbtnode_refdestroy(node)	(REQUIRE((node)->references == 0))
-#define dns_rbtnode_refcurrent(node)	((node)->references)
-#define dns_rbtnode_refincrement0(node, refs)			\
-	do {							\
-		unsigned int *_tmp = (unsigned int *)(refs);	\
-		(node)->references++;				\
-		if ((_tmp) != NULL)				\
-			(*_tmp) = (node)->references;		\
-	} while (0) 
-#define dns_rbtnode_refincrement(node, refs)			\
-	do {							\
-		REQUIRE((node)->references > 0);		\
-		(node)->references++;				\
-		if ((refs) != NULL)				\
-			(*refs) = (node)->references;		\
-	} while (0) 
-#define dns_rbtnode_refdecrement(node, refs)			\
-	do {							\
-		REQUIRE((node)->references > 0);		\
-		(node)->references--;				\
-		if ((refs) != NULL)				\
-			(*refs) = (node)->references;		\
-	} while (0) 
+#define dns_rbtnode_refinit(node, n)    ((node)->references = (n))
+#define dns_rbtnode_refdestroy(node)    (REQUIRE((node)->references == 0))
+#define dns_rbtnode_refcurrent(node)    ((node)->references)
+#define dns_rbtnode_refincrement0(node, refs)                   \
+	do {                                                    \
+		unsigned int *_tmp = (unsigned int *)(refs);    \
+		(node)->references++;                           \
+		if ((_tmp) != NULL)                             \
+			(*_tmp) = (node)->references;           \
+	} while (0)
+#define dns_rbtnode_refincrement(node, refs)                    \
+	do {                                                    \
+		REQUIRE((node)->references > 0);                \
+		(node)->references++;                           \
+		if ((refs) != NULL)                             \
+			(*refs) = (node)->references;           \
+	} while (0)
+#define dns_rbtnode_refdecrement(node, refs)                    \
+	do {                                                    \
+		REQUIRE((node)->references > 0);                \
+		(node)->references--;                           \
+		if ((refs) != NULL)                             \
+			(*refs) = (node)->references;           \
+	} while (0)
 #endif /* DNS_RBT_USEISCREFCOUNT */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/rcode.h b/lib/dns/include/dns/rcode.h
index 03c145b..94e831b 100644
--- a/lib/dns/include/dns/rcode.h
+++ b/lib/dns/include/dns/rcode.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.h,v 1.13.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rcode.h,v 1.21 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_RCODE_H
 #define DNS_RCODE_H 1
 
-/*! \file */
+/*! \file dns/rcode.h */
 
 #include <isc/lang.h>
 
@@ -93,6 +93,21 @@ isc_result_t dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target);
  *\li	#ISC_R_NOSPACE			target buffer is too small
  */
 
+isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source);
+/*%<
+ * Convert the text 'source' refers to into a has algorithm value.
+ *
+ * Requires:
+ *\li	'hashalg' is a valid pointer.
+ *
+ *\li	'source' is a valid text region.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS			on success
+ *\li	#DNS_R_UNKNOWN			type is unknown
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RCODE_H */
diff --git a/lib/dns/include/dns/rdata.h b/lib/dns/include/dns/rdata.h
index a14bde7..126bc96 100644
--- a/lib/dns/include/dns/rdata.h
+++ b/lib/dns/include/dns/rdata.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.h,v 1.60.18.3 2005/05/19 04:59:56 marka Exp $ */
+/* $Id: rdata.h,v 1.70.120.3 2009/02/16 00:29:27 marka Exp $ */
 
 #ifndef DNS_RDATA_H
 #define DNS_RDATA_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/rdata.h
  * \brief
  * Provides facilities for manipulating DNS rdata, including conversions to
  * and from wire format and text format.
@@ -49,7 +49,7 @@
  *	build process from a set of source files, one per rdata type.  For
  *	portability, it's probably best that the building be done by a C
  *	program.  Adding a new rdata type will be a simple matter of adding
- *	a file to a directory and rebuilding the server.  *All* knowlege of
+ *	a file to a directory and rebuilding the server.  *All* knowledge of
  *	the format of a particular rdata type is in this file.
  *
  * MP:
@@ -124,7 +124,8 @@ struct dns_rdata {
 
 #define DNS_RDATA_INIT { NULL, 0, 0, 0, 0, {(void*)(-1), (void *)(-1)}}
 
-#define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record */
+#define DNS_RDATA_UPDATE	0x0001		/*%< update pseudo record. */
+#define DNS_RDATA_OFFLINE	0x0002		/*%< RRSIG has a offline key. */
 
 /*
  * Flags affecting rdata formatting style.  Flags 0xFFFF0000
@@ -327,11 +328,11 @@ dns_rdata_fromtext(dns_rdata_t *rdata, dns_rdataclass_t rdclass,
  *\li	'target' is a valid region.
  *
  *\li	'origin' if non NULL it must be absolute.
- *	
+ *
  *\li	'callbacks' to be NULL or callbacks->warn and callbacks->error be
  *	initialized.
  *
- * Ensures, 
+ * Ensures,
  *	if result is success:
  *\li	 	If 'rdata' is not NULL, it is attached to the target.
 
@@ -384,7 +385,8 @@ dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target);
 
 isc_result_t
 dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin, unsigned int flags,
-		    unsigned int width, char *linebreak, isc_buffer_t *target);
+		    unsigned int width, const char *linebreak,
+		    isc_buffer_t *target);
 /*%<
  * Like dns_rdata_totext, but do formatted output suitable for
  * database dumps.  This is intended for use by dns_db_dump();
diff --git a/lib/dns/include/dns/rdataclass.h b/lib/dns/include/dns/rdataclass.h
index fc622bf..786eb6a 100644
--- a/lib/dns/include/dns/rdataclass.h
+++ b/lib/dns/include/dns/rdataclass.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataclass.h,v 1.18.18.2 2005/04/29 00:16:18 marka Exp $ */
+/* $Id: rdataclass.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_RDATACLASS_H
 #define DNS_RDATACLASS_H 1
 
-/*! \file */
+/*! \file dns/rdataclass.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/rdatalist.h b/lib/dns/include/dns/rdatalist.h
index 697386f..57debc3 100644
--- a/lib/dns/include/dns/rdatalist.h
+++ b/lib/dns/include/dns/rdatalist.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.h,v 1.14.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatalist.h,v 1.22 2008/04/03 06:09:05 tbox Exp $ */
 
 #ifndef DNS_RDATALIST_H
 #define DNS_RDATALIST_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/rdatalist.h
  * \brief
  * A DNS rdatalist is a list of rdata of a common type and class.
  *
@@ -98,6 +98,27 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
  *\li	#ISC_R_SUCCESS
  */
 
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+			   dns_rdatalist_t **rdatalist);
+/*%<
+ * Point 'rdatalist' to the rdatalist in 'rdataset'.
+ *
+ * Requires:
+ *
+ *\li	'rdatalist' is a pointer to a NULL dns_rdatalist_t pointer.
+ *
+ *\li	'rdataset' is a valid rdataset associated with an rdatalist.
+ *
+ * Ensures,
+ *	on success,
+ *
+ *\li		'rdatalist' is pointed to the rdatalist in rdataset.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RDATALIST_H */
diff --git a/lib/dns/include/dns/rdataset.h b/lib/dns/include/dns/rdataset.h
index 5597591..baff146 100644
--- a/lib/dns/include/dns/rdataset.h
+++ b/lib/dns/include/dns/rdataset.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.h,v 1.51.18.7 2006/03/03 00:56:53 marka Exp $ */
+/* $Id: rdataset.h,v 1.65.50.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_RDATASET_H
 #define DNS_RDATASET_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/rdataset.h
  * \brief
  * A DNS rdataset is a handle that can be associated with a collection of
  * rdata all having a common owner name, class, and type.
@@ -78,8 +78,14 @@ typedef struct dns_rdatasetmethods {
 					      dns_name_t *name);
 	isc_result_t		(*getnoqname)(dns_rdataset_t *rdataset,
 					      dns_name_t *name,
-					      dns_rdataset_t *nsec,
-					      dns_rdataset_t *nsecsig);
+					      dns_rdataset_t *neg,
+					      dns_rdataset_t *negsig);
+	isc_result_t		(*addclosest)(dns_rdataset_t *rdataset,
+					      dns_name_t *name);
+	isc_result_t		(*getclosest)(dns_rdataset_t *rdataset,
+					      dns_name_t *name,
+					      dns_rdataset_t *neg,
+					      dns_rdataset_t *negsig);
 	isc_result_t		(*getadditional)(dns_rdataset_t *rdataset,
 						 dns_rdatasetadditional_t type,
 						 dns_rdatatype_t qtype,
@@ -140,6 +146,11 @@ struct dns_rdataset {
 	 * increment the counter.
 	 */
 	isc_uint32_t			count;
+	/*
+	 * This RRSIG RRset should be re-generated around this time.
+	 * Only valid if DNS_RDATASETATTR_RESIGN is set in attributes.
+	 */
+	isc_stdtime_t			resign;
 	/*@{*/
 	/*%
 	 * These are for use by the rdataset implementation, and MUST NOT
@@ -151,7 +162,9 @@ struct dns_rdataset {
 	unsigned int			privateuint4;
 	void *				private5;
 	void *				private6;
+	void *				private7;
 	/*@}*/
+
 };
 
 /*!
@@ -184,6 +197,9 @@ struct dns_rdataset {
 #define DNS_RDATASETATTR_CHECKNAMES	0x00008000	/*%< Used by resolver. */
 #define DNS_RDATASETATTR_REQUIREDGLUE	0x00010000
 #define DNS_RDATASETATTR_LOADORDER	0x00020000
+#define DNS_RDATASETATTR_RESIGN		0x00040000
+#define DNS_RDATASETATTR_CLOSEST	0x00080000
+#define DNS_RDATASETATTR_OPTOUT		0x00100000	/*%< OPTOUT proof */
 
 /*%
  * _OMITDNSSEC:
@@ -348,8 +364,8 @@ dns_rdataset_totext(dns_rdataset_t *rdataset,
  * Notes:
  *\li	The rdata cursor position will be changed.
  *
- *\li	The 'question' flag should normally be #ISC_FALSE.  If it is 
- *	#ISC_TRUE, the TTL and rdata fields are not printed.  This is 
+ *\li	The 'question' flag should normally be #ISC_FALSE.  If it is
+ *	#ISC_TRUE, the TTL and rdata fields are not printed.  This is
  *	for use when printing an rdata representing a question section.
  *
  *\li	This interface is deprecated; use dns_master_rdatasettottext()
@@ -411,7 +427,7 @@ dns_rdataset_towiresorted(dns_rdataset_t *rdataset,
 			  unsigned int *countp);
 /*%<
  * Like dns_rdataset_towire(), but sorting the rdatasets according to
- * the integer value returned by 'order' when called witih the rdataset
+ * the integer value returned by 'order' when called with the rdataset
  * and 'order_arg' as arguments.
  *
  * Requires:
@@ -477,14 +493,14 @@ dns_rdataset_additionaldata(dns_rdataset_t *rdataset,
 
 isc_result_t
 dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+			dns_rdataset_t *neg, dns_rdataset_t *negsig);
 /*%<
  * Return the noqname proof for this record.
  *
  * Requires:
  *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
  *\li	'name' to be valid.
- *\li	'nsec' and 'nsecsig' to be valid and not associated.
+ *\li	'neg' and 'negsig' to be valid and not associated.
  */
 
 isc_result_t
@@ -493,11 +509,37 @@ dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
  * Associate a noqname proof with this record.
  * Sets #DNS_RDATASETATTR_NOQNAME if successful.
  * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
- * the 'nsec' and 'rrsig(nsec)' ttl.
+ * the 'nsec'/'nsec3' and 'rrsig(nsec)'/'rrsig(nsec3)' ttl.
  *
  * Requires:
  *\li	'rdataset' to be valid and #DNS_RDATASETATTR_NOQNAME to be set.
- *\li	'name' to be valid and have NSEC and RRSIG(NSEC) rdatasets.
+ *\li	'name' to be valid and have NSEC or NSEC3 and associated RRSIG
+ *	 rdatasets.
+ */
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+/*%<
+ * Return the closest encloser for this record.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid.
+ *\li	'nsec' and 'nsecsig' to be valid and not associated.
+ */
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
+/*%<
+ * Associate a closest encloset proof with this record.
+ * Sets #DNS_RDATASETATTR_CLOSEST if successful.
+ * Adjusts the 'rdataset->ttl' to minimum of the 'rdataset->ttl' and
+ * the 'nsec' and 'rrsig(nsec)' ttl.
+ *
+ * Requires:
+ *\li	'rdataset' to be valid and #DNS_RDATASETATTR_CLOSEST to be set.
+ *\li	'name' to be valid and have NSEC3 and RRSIG(NSEC3) rdatasets.
  */
 
 isc_result_t
diff --git a/lib/dns/include/dns/rdatasetiter.h b/lib/dns/include/dns/rdatasetiter.h
index b2e13f8..dcde367 100644
--- a/lib/dns/include/dns/rdatasetiter.h
+++ b/lib/dns/include/dns/rdatasetiter.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.h,v 1.15.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdatasetiter.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_RDATASETITER_H
 #define DNS_RDATASETITER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/rdatasetiter.h
  * \brief
  * The DNS Rdataset Iterator interface allows iteration of all of the
  * rdatasets at a node.
diff --git a/lib/dns/include/dns/rdataslab.h b/lib/dns/include/dns/rdataslab.h
index b693a71..3ac44b8 100644
--- a/lib/dns/include/dns/rdataslab.h
+++ b/lib/dns/include/dns/rdataslab.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.h,v 1.25.18.2 2005/04/29 00:16:19 marka Exp $ */
+/* $Id: rdataslab.h,v 1.33 2008/04/01 23:47:10 tbox Exp $ */
 
 #ifndef DNS_RDATASLAB_H
 #define DNS_RDATASLAB_H 1
 
-/*! \file
+/*! \file dns/rdataslab.h
  * \brief
  * Implements storage of rdatasets into slabs of memory.
  *
@@ -57,6 +57,13 @@ ISC_LANG_BEGINDECLS
 #define DNS_RDATASLAB_FORCE 0x1
 #define DNS_RDATASLAB_EXACT 0x2
 
+#define DNS_RDATASLAB_OFFLINE 0x01 	/* RRSIG is for offline DNSKEY */
+#define DNS_RDATASLAB_WARNMASK 0x0E	/*%< RRSIG(DNSKEY) expired
+					 * warnings number mask. */
+#define DNS_RDATASLAB_WARNSHIFT 1	/*%< How many bits to shift to find
+					 * remaining expired warning number. */
+
+
 /***
  *** Functions
  ***/
@@ -146,10 +153,10 @@ dns_rdataslab_equal(unsigned char *slab1, unsigned char *slab2,
  */
 isc_boolean_t
 dns_rdataslab_equalx(unsigned char *slab1, unsigned char *slab2,
-		     unsigned int reservelen, dns_rdataclass_t rdclass, 
+		     unsigned int reservelen, dns_rdataclass_t rdclass,
 		     dns_rdatatype_t type);
 /*%<
- * Compare two rdataslabs for DNSSEC equality. 
+ * Compare two rdataslabs for DNSSEC equality.
  *
  * Requires:
  *\li	'slab1' and 'slab2' point to slabs.
diff --git a/lib/dns/include/dns/rdatatype.h b/lib/dns/include/dns/rdatatype.h
index 40a884d..ba9a92c 100644
--- a/lib/dns/include/dns/rdatatype.h
+++ b/lib/dns/include/dns/rdatatype.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatatype.h,v 1.18.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: rdatatype.h,v 1.26 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_RDATATYPE_H
 #define DNS_RDATATYPE_H 1
 
-/*! \file */
+/*! \file dns/rdatatype.h */
 
 #include <isc/lang.h>
 
@@ -71,7 +71,8 @@ dns_rdatatype_format(dns_rdatatype_t rdtype,
  * The resulting string is guaranteed to be null-terminated.
  */
 
-#define DNS_RDATATYPE_FORMATSIZE sizeof("TYPE65535")
+#define DNS_RDATATYPE_FORMATSIZE sizeof("NSEC3PARAM")
+
 /*%<
  * Minimum size of array to pass to dns_rdatatype_format().
  * May need to be adjusted if a new RR type with a very long
diff --git a/lib/dns/include/dns/request.h b/lib/dns/include/dns/request.h
index b858a9e..62a83ca 100644
--- a/lib/dns/include/dns/request.h
+++ b/lib/dns/include/dns/request.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.h,v 1.21.18.2 2005/04/29 00:16:20 marka Exp $ */
+/* $Id: request.h,v 1.27.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_REQUEST_H
 #define DNS_REQUEST_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/request.h
  *
  * \brief
  * The request module provides simple request/response services useful for
@@ -49,7 +49,7 @@
 #define DNS_REQUESTOPT_TCP 0x00000001U
 
 typedef struct dns_requestevent {
-        ISC_EVENT_COMMON(struct dns_requestevent);
+	ISC_EVENT_COMMON(struct dns_requestevent);
 	isc_result_t result;
 	dns_request_t *request;
 } dns_requestevent_t;
@@ -217,7 +217,7 @@ dns_request_createvia3(dns_requestmgr_t *requestmgr, dns_message_t *message,
 		       unsigned int udpretries, isc_task_t *task,
 		       isc_taskaction_t action, void *arg,
 		       dns_request_t **requestp);
-/*%< 
+/*%<
  * Create and send a request.
  *
  * Notes:
@@ -271,7 +271,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
 		       unsigned int udptimeout, unsigned int udpretries,
 		       isc_task_t *task, isc_taskaction_t action, void *arg,
 		       dns_request_t **requestp);
-/*!< 
+/*!<
  * \brief Create and send a request.
  *
  * Notes:
@@ -280,7 +280,7 @@ dns_request_createraw3(dns_requestmgr_t *requestmgr, isc_buffer_t *msgbuf,
  *	#DNS_REQUESTOPT_TCP option is set, TCP will be used.  The request
  *	will timeout after 'timeout' seconds.   UDP requests will be resent
  *	at 'udptimeout' intervals if non-zero or if 'udpretries' is not zero.
- *	
+ *
  *\li	When the request completes, successfully, due to a timeout, or
  *	because it was canceled, a completion event will be sent to 'task'.
  *
@@ -344,7 +344,7 @@ dns_request_usedtcp(dns_request_t *request);
 /*%<
  * Return whether this query used TCP or not.  Setting #DNS_REQUESTOPT_TCP
  * in the call to dns_request_create() will cause the function to return
- * #ISC_TRUE, othewise the result is based on the query message size.
+ * #ISC_TRUE, otherwise the result is based on the query message size.
  *
  * Requires:
  *\li	'request' is a valid request.
diff --git a/lib/dns/include/dns/resolver.h b/lib/dns/include/dns/resolver.h
index 4e0e6a0..fa837c1 100644
--- a/lib/dns/include/dns/resolver.h
+++ b/lib/dns/include/dns/resolver.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.h,v 1.40.18.11 2006/02/01 22:39:17 marka Exp $ */
+/* $Id: resolver.h,v 1.60.56.3 2009/01/29 22:40:35 jinmei Exp $ */
 
 #ifndef DNS_RESOLVER_H
 #define DNS_RESOLVER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/resolver.h
  *
  * \brief
  * This is the BIND 9 resolver, the module responsible for resolving DNS
@@ -93,13 +93,29 @@ typedef struct dns_fetchevent {
 #define DNS_FETCHOPT_FORWARDONLY	0x10	     /*%< Only use forwarders. */
 #define DNS_FETCHOPT_NOVALIDATE		0x20	     /*%< Disable validation. */
 #define DNS_FETCHOPT_EDNS512		0x40	     /*%< Advertise a 512 byte
-						          UDP buffer. */
+							  UDP buffer. */
+#define DNS_FETCHOPT_WANTNSID           0x80         /*%< Request NSID */
 
 #define	DNS_FETCHOPT_EDNSVERSIONSET	0x00800000
 #define	DNS_FETCHOPT_EDNSVERSIONMASK	0xff000000
 #define	DNS_FETCHOPT_EDNSVERSIONSHIFT	24
 
 /*
+ * Upper bounds of class of query RTT (ms).  Corresponds to
+ * dns_resstatscounter_queryrttX statistics counters.
+ */
+#define DNS_RESOLVER_QRYRTTCLASS0	10
+#define DNS_RESOLVER_QRYRTTCLASS0STR	"10"
+#define DNS_RESOLVER_QRYRTTCLASS1	100
+#define DNS_RESOLVER_QRYRTTCLASS1STR	"100"
+#define DNS_RESOLVER_QRYRTTCLASS2	500
+#define DNS_RESOLVER_QRYRTTCLASS2STR	"500"
+#define DNS_RESOLVER_QRYRTTCLASS3	800
+#define DNS_RESOLVER_QRYRTTCLASS3STR	"800"
+#define DNS_RESOLVER_QRYRTTCLASS4	1600
+#define DNS_RESOLVER_QRYRTTCLASS4STR	"1600"
+
+/*
  * XXXRTH  Should this API be made semi-private?  (I.e.
  * _dns_resolver_create()).
  */
@@ -126,8 +142,6 @@ dns_resolver_create(dns_view_t *view,
  *\li	Generally, applications should not create a resolver directly, but
  *	should instead call dns_view_createresolver().
  *
- *\li	No options are currently defined.
- *
  * Requires:
  *
  *\li	'view' is a valid view.
@@ -348,6 +362,23 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp);
  *\li	*fetchp == NULL.
  */
 
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_boolean_t duplicateok);
+/*%<
+ * Dump a log message on internal state at the completion of given 'fetch'.
+ * 'lctx', 'category', 'module', and 'level' are used to write the log message.
+ * By default, only one log message is written even if the corresponding fetch
+ * context serves multiple clients; if 'duplicateok' is true the suppression
+ * is disabled and the message can be written every time this function is
+ * called.
+ *
+ * Requires:
+ *
+ *\li	'fetch' is a valid fetch, and has completed.
+ */
+
 dns_dispatchmgr_t *
 dns_resolver_dispatchmgr(dns_resolver_t *resolver);
 
@@ -470,10 +501,13 @@ dns_resolver_getclientsperquery(dns_resolver_t *resolver, isc_uint32_t *cur,
 
 isc_boolean_t
 dns_resolver_getzeronosoattl(dns_resolver_t *resolver);
- 
+
 void
 dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state);
 
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver);
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_RESOLVER_H */
diff --git a/lib/dns/include/dns/result.h b/lib/dns/include/dns/result.h
index db5481b..ed29bcd 100644
--- a/lib/dns/include/dns/result.h
+++ b/lib/dns/include/dns/result.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.104.10.6 2005/06/17 02:04:32 marka Exp $ */
+/* $Id: result.h,v 1.116 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef DNS_RESULT_H
 #define DNS_RESULT_H 1
 
-/*! \file */
+/*! \file dns/result.h */
 
 #include <isc/lang.h>
 #include <isc/resultclass.h>
@@ -147,8 +147,9 @@
 #define DNS_R_COVERINGNSEC		(ISC_RESULTCLASS_DNS + 101)
 #define DNS_R_MXISADDRESS		(ISC_RESULTCLASS_DNS + 102)
 #define DNS_R_DUPLICATE			(ISC_RESULTCLASS_DNS + 103)
+#define DNS_R_INVALIDNSEC3		(ISC_RESULTCLASS_DNS + 104)
 
-#define DNS_R_NRESULTS			104	/*%< Number of results */
+#define DNS_R_NRESULTS			105	/*%< Number of results */
 
 /*
  * DNS wire format rcodes.
diff --git a/lib/dns/include/dns/rootns.h b/lib/dns/include/dns/rootns.h
index a3ddc48..6da3f79 100644
--- a/lib/dns/include/dns/rootns.h
+++ b/lib/dns/include/dns/rootns.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.h,v 1.9.18.3 2005/04/27 05:01:38 sra Exp $ */
+/* $Id: rootns.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_ROOTNS_H
 #define DNS_ROOTNS_H 1
 
-/*! \file */
+/*! \file dns/rootns.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/sdb.h b/lib/dns/include/dns/sdb.h
index de849f9..c850028 100644
--- a/lib/dns/include/dns/sdb.h
+++ b/lib/dns/include/dns/sdb.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.h,v 1.15.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: sdb.h,v 1.21.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_SDB_H
 #define DNS_SDB_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/sdb.h
  * \brief
  * Simple database API.
  */
@@ -127,12 +127,12 @@ dns_sdb_register(const char *drivername, const dns_sdbmethods_t *methods,
  * The allnodes function, if non-NULL, fills in an opaque structure to be
  * used by a database iterator.  This allows the zone to be transferred.
  * This may use a considerable amount of memory for large zones, and the
- * zone transfer may not be fully RFC1035 compliant if the zone is 
+ * zone transfer may not be fully RFC1035 compliant if the zone is
  * frequently changed.
  *
  * The create function will be called for each zone configured
  * into the name server using this database type.  It can be used
- * to create a "database object" containg zone specific data,
+ * to create a "database object" containing zone specific data,
  * which can make use of the database arguments specified in the
  * name server configuration.
  *
diff --git a/lib/dns/include/dns/sdlz.h b/lib/dns/include/dns/sdlz.h
index 13ba14a..acb0437 100644
--- a/lib/dns/include/dns/sdlz.h
+++ b/lib/dns/include/dns/sdlz.h
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -50,9 +50,9 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.h,v 1.2.2.2 2005/09/06 03:47:19 marka Exp $ */
+/* $Id: sdlz.h,v 1.7.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
-/*! \file */
+/*! \file dns/sdlz.h */
 
 #ifndef SDLZ_H
 #define SDLZ_H 1
@@ -148,7 +148,7 @@ typedef void
 /*%<
  * Method prototype.  Drivers implementing the SDLZ interface may
  * supply a destroy method.  This method is called when the DNS server
- * is shuting down and no longer needs the driver.  A SDLZ driver does
+ * is shutting down and no longer needs the driver.  A SDLZ driver does
  * not have to implement a destroy method.
  */
 
@@ -173,7 +173,7 @@ typedef isc_result_t
  * \li	3) we run out of domain name labels. I.E. we have tried the
  *	   shortest domain name
  *
- * \li	4) the number of labels in the domain name is less than min_lables
+ * \li	4) the number of labels in the domain name is less than min_labels
  *	   for dns_dlzfindzone
  *
  * The driver's find zone method should return ISC_R_SUCCESS if the
diff --git a/lib/dns/include/dns/secalg.h b/lib/dns/include/dns/secalg.h
index 0466d91..2e4fe3e 100644
--- a/lib/dns/include/dns/secalg.h
+++ b/lib/dns/include/dns/secalg.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secalg.h,v 1.13.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secalg.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_SECALG_H
 #define DNS_SECALG_H 1
 
-/*! \file */
+/*! \file dns/secalg.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/secproto.h b/lib/dns/include/dns/secproto.h
index a6cfd5c..b9179c0 100644
--- a/lib/dns/include/dns/secproto.h
+++ b/lib/dns/include/dns/secproto.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: secproto.h,v 1.10.18.2 2005/04/29 00:16:21 marka Exp $ */
+/* $Id: secproto.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_SECPROTO_H
 #define DNS_SECPROTO_H 1
 
-/*! \file */
+/*! \file dns/secproto.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/soa.h b/lib/dns/include/dns/soa.h
index 70c6725..bb56365 100644
--- a/lib/dns/include/dns/soa.h
+++ b/lib/dns/include/dns/soa.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.h,v 1.3.18.2 2005/04/29 00:16:22 marka Exp $ */
+/* $Id: soa.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_SOA_H
 #define DNS_SOA_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/soa.h
  * \brief
  * SOA utilities.
  */
diff --git a/lib/dns/include/dns/ssu.h b/lib/dns/include/dns/ssu.h
index b709030..f013bd0 100644
--- a/lib/dns/include/dns/ssu.h
+++ b/lib/dns/include/dns/ssu.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ssu.h,v 1.13.18.4 2006/02/16 23:51:32 marka Exp $ */
+/* $Id: ssu.h,v 1.24 2008/01/18 23:46:58 tbox Exp $ */
 
 #ifndef DNS_SSU_H
 #define DNS_SSU_H 1
 
-/*! \file */
+/*! \file dns/ssu.h */
 
 #include <isc/lang.h>
 
@@ -28,14 +28,19 @@
 
 ISC_LANG_BEGINDECLS
 
-#define DNS_SSUMATCHTYPE_NAME 0
-#define DNS_SSUMATCHTYPE_SUBDOMAIN 1
-#define DNS_SSUMATCHTYPE_WILDCARD 2
-#define DNS_SSUMATCHTYPE_SELF 3
-#define DNS_SSUMATCHTYPE_SELFSUB 4
-#define DNS_SSUMATCHTYPE_SELFWILD 5
-#define DNS_SSUMATCHTYPE_MAX 5		/* maximum defined value */
-
+#define DNS_SSUMATCHTYPE_NAME		0
+#define DNS_SSUMATCHTYPE_SUBDOMAIN	1
+#define DNS_SSUMATCHTYPE_WILDCARD	2
+#define DNS_SSUMATCHTYPE_SELF		3
+#define DNS_SSUMATCHTYPE_SELFSUB	4
+#define DNS_SSUMATCHTYPE_SELFWILD	5
+#define DNS_SSUMATCHTYPE_SELFKRB5	6
+#define DNS_SSUMATCHTYPE_SELFMS		7
+#define DNS_SSUMATCHTYPE_SUBDOMAINMS	8
+#define DNS_SSUMATCHTYPE_SUBDOMAINKRB5	9
+#define DNS_SSUMATCHTYPE_TCPSELF	10
+#define DNS_SSUMATCHTYPE_6TO4SELF	11
+#define DNS_SSUMATCHTYPE_MAX 		11  /* max value */
 
 isc_result_t
 dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **table);
@@ -91,8 +96,8 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
  *	at that name.
  *
  *	Notes:
- *\li		If 'matchtype' is SELF, this rule only matches if the name
- *		to be updated matches the signing identity.
+ *\li		If 'matchtype' is of SELF type, this rule only matches if the
+ *              name to be updated matches the signing identity.
  *
  *\li		If 'ntypes' is 0, this rule applies to all types except
  *		NS, SOA, RRSIG, and NSEC.
@@ -114,16 +119,35 @@ dns_ssutable_addrule(dns_ssutable_t *table, isc_boolean_t grant,
 
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, dns_rdatatype_t type);
+			dns_name_t *name, isc_netaddr_t *tcpaddr,
+			dns_rdatatype_t type);
 /*%<
  *	Checks that the attempted update of (name, type) is allowed according
  *	to the rules specified in the simple-secure-update rule table.  If
- *	no rules are matched, access is denied.  If signer is NULL, access
- *	is denied.
+ *	no rules are matched, access is denied.
+ *
+ *	Notes:
+ *		'tcpaddr' should only be set if the request received
+ *		via TCP.  This provides a weak assurance that the
+ *		request was not spoofed.  'tcpaddr' is to to validate
+ *		DNS_SSUMATCHTYPE_TCPSELF and DNS_SSUMATCHTYPE_6TO4SELF
+ *		rules.
+ *
+ *		For DNS_SSUMATCHTYPE_TCPSELF the addresses are mapped to
+ *		the standard reverse names under IN-ADDR.ARPA and IP6.ARPA.
+ *		RFC 1035, Section 3.5, "IN-ADDR.ARPA domain" and RFC 3596,
+ *		Section 2.5, "IP6.ARPA Domain".
+ *
+ *		For DNS_SSUMATCHTYPE_6TO4SELF, IPv4 address are converted
+ *		to a 6to4 prefix (48 bits) per the rules in RFC 3056.  Only
+ *		the top	48 bits of the IPv6 address are mapped to the reverse
+ *		name. This is independent of whether the most significant 16
+ *		bits match 2002::/16, assigned for 6to4 prefixes, or not.
  *
  *	Requires:
  *\li		'table' is a valid SSU table
  *\li		'signer' is NULL or a valid absolute name
+ *\li		'tcpaddr' is NULL or a valid network address.
  *\li		'name' is a valid absolute name
  */
 
diff --git a/lib/dns/include/dns/stats.h b/lib/dns/include/dns/stats.h
index 6cd95ac..0b35aa8 100644
--- a/lib/dns/include/dns/stats.h
+++ b/lib/dns/include/dns/stats.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,19 +15,77 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.h,v 1.5.18.4 2005/06/27 00:20:03 marka Exp $ */
+/* $Id: stats.h,v 1.18.56.2 2009/01/29 23:47:44 tbox Exp $ */
 
 #ifndef DNS_STATS_H
 #define DNS_STATS_H 1
 
-/*! \file */
+/*! \file dns/stats.h */
 
 #include <dns/types.h>
 
 /*%
- * Query statistics counter types.
+ * Statistics counters.  Used as isc_statscounter_t values.
  */
-typedef enum {
+enum {
+	/*%
+	 * Resolver statistics counters.
+	 */
+	dns_resstatscounter_queryv4 = 0,
+	dns_resstatscounter_queryv6 = 1,
+	dns_resstatscounter_responsev4 = 2,
+	dns_resstatscounter_responsev6 = 3,
+	dns_resstatscounter_nxdomain = 4,
+	dns_resstatscounter_servfail = 5,
+	dns_resstatscounter_formerr = 6,
+	dns_resstatscounter_othererror = 7,
+	dns_resstatscounter_edns0fail = 8,
+	dns_resstatscounter_mismatch = 9,
+	dns_resstatscounter_truncated = 10,
+	dns_resstatscounter_lame = 11,
+	dns_resstatscounter_retry = 12,
+	dns_resstatscounter_gluefetchv4 = 13,
+	dns_resstatscounter_gluefetchv6 = 14,
+	dns_resstatscounter_gluefetchv4fail = 15,
+	dns_resstatscounter_gluefetchv6fail = 16,
+	dns_resstatscounter_val = 17,
+	dns_resstatscounter_valsuccess = 18,
+	dns_resstatscounter_valnegsuccess = 19,
+	dns_resstatscounter_valfail = 20,
+	dns_resstatscounter_dispabort = 21,
+	dns_resstatscounter_dispsockfail = 22,
+	dns_resstatscounter_querytimeout = 23,
+	dns_resstatscounter_queryrtt0 = 24,
+	dns_resstatscounter_queryrtt1 = 25,
+	dns_resstatscounter_queryrtt2 = 26,
+	dns_resstatscounter_queryrtt3 = 27,
+	dns_resstatscounter_queryrtt4 = 28,
+	dns_resstatscounter_queryrtt5 = 29,
+
+	dns_resstatscounter_max = 30,
+
+	/*%
+	 * Zone statistics counters.
+	 */
+	dns_zonestatscounter_notifyoutv4 = 0,
+	dns_zonestatscounter_notifyoutv6 = 1,
+	dns_zonestatscounter_notifyinv4 = 2,
+	dns_zonestatscounter_notifyinv6 = 3,
+	dns_zonestatscounter_notifyrej = 4,
+	dns_zonestatscounter_soaoutv4 = 5,
+	dns_zonestatscounter_soaoutv6 = 6,
+	dns_zonestatscounter_axfrreqv4 = 7,
+	dns_zonestatscounter_axfrreqv6 = 8,
+	dns_zonestatscounter_ixfrreqv4 = 9,
+	dns_zonestatscounter_ixfrreqv6 = 10,
+	dns_zonestatscounter_xfrsuccess = 11,
+	dns_zonestatscounter_xfrfail = 12,
+
+	dns_zonestatscounter_max = 13,
+
+	/*%
+	* Query statistics counters (obsolete).
+	*/
 	dns_statscounter_success = 0,    /*%< Successful lookup */
 	dns_statscounter_referral = 1,   /*%< Referral result */
 	dns_statscounter_nxrrset = 2,    /*%< NXRRSET result */
@@ -35,18 +93,261 @@ typedef enum {
 	dns_statscounter_recursion = 4,  /*%< Recursion was used */
 	dns_statscounter_failure = 5,    /*%< Some other failure */
 	dns_statscounter_duplicate = 6,  /*%< Duplicate query */
-	dns_statscounter_dropped = 7     /*%< Duplicate query */
-} dns_statscounter_t;
+	dns_statscounter_dropped = 7	 /*%< Duplicate query (dropped) */
+};
 
 #define DNS_STATS_NCOUNTERS 8
 
+#if 0
+/*%<
+ * Flag(s) for dns_xxxstats_dump().  DNS_STATSDUMP_VERBOSE is obsolete.
+ * ISC_STATSDUMP_VERBOSE should be used instead.  These two values are
+ * intentionally defined to be the same value to ensure binary compatibility.
+ */
+#define DNS_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
+#endif
+
+/*%<
+ * (Obsoleted)
+ */
 LIBDNS_EXTERNAL_DATA extern const char *dns_statscounter_names[];
 
+/*%
+ * Attributes for statistics counters of RRset and Rdatatype types.
+ *
+ * _OTHERTYPE
+ *	The rdata type is not explicitly supported and the corresponding counter
+ *	is counted for other such types, too.  When this attribute is set,
+ *	the base type is of no use.
+ *
+ * _NXRRSET
+ * 	RRset type counters only.  Indicates the RRset is non existent.
+ *
+ * _NXDOMAIN
+ *	RRset type counters only.  Indicates a non existent name.  When this
+ *	attribute is set, the base type is of no use.
+ */
+#define DNS_RDATASTATSTYPE_ATTR_OTHERTYPE	0x0001
+#define DNS_RDATASTATSTYPE_ATTR_NXRRSET		0x0002
+#define DNS_RDATASTATSTYPE_ATTR_NXDOMAIN	0x0004
+
+/*%<
+ * Conversion macros among dns_rdatatype_t, attributes and isc_statscounter_t.
+ */
+#define DNS_RDATASTATSTYPE_BASE(type)	((dns_rdatatype_t)((type) & 0xFFFF))
+#define DNS_RDATASTATSTYPE_ATTR(type)	((type) >> 16)
+#define DNS_RDATASTATSTYPE_VALUE(b, a)	(((a) << 16) | (b))
+
+/*%<
+ * Types of dump callbacks.
+ */
+typedef void (*dns_generalstats_dumper_t)(isc_statscounter_t, isc_uint64_t,
+					  void *);
+typedef void (*dns_rdatatypestats_dumper_t)(dns_rdatastatstype_t, isc_uint64_t,
+					    void *);
+typedef void (*dns_opcodestats_dumper_t)(dns_opcode_t, isc_uint64_t, void *);
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ * This function is obsolete.  A more general function, isc_stats_create(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per rdatatype.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per RRset.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp);
+/*%<
+ * Create a statistics counter structure per opcode.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+dns_stats_detach(dns_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid dns_stats_t.
+ */
+
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.  This function is obsolete.
+ * A more general function, isc_stats_increment(), should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type);
+/*%<
+ * Increment the statistics counter for 'type'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatatypestats_create().
+ */
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Increment the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype);
+/*%<
+ * Decrement the statistics counter for 'rrsettype'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_rdatasetstats_create().
+ */
+
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code);
+/*%<
+ * Increment the statistics counter for 'code'.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_opcodestats_create().
+ */
+
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * This function is obsolete.  A more general function, isc_stats_dump(),
+ * should be used.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding type in the form of
+ * dns_rdatastatstype_t, the current counter value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg, unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with the corresponding opcode, the current
+ * counter value and the given argument arg.  By default counters that have a
+ * value of 0 is skipped; if options has the ISC_STATSDUMP_VERBOSE flag, even
+ * such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid dns_stats_t created by dns_generalstats_create().
+ */
+
 isc_result_t
 dns_stats_alloccounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
 /*%<
  * Allocate an array of query statistics counters from the memory
  * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_xxxstats_create() instead.
  */
 
 void
@@ -54,6 +355,8 @@ dns_stats_freecounters(isc_mem_t *mctx, isc_uint64_t **ctrp);
 /*%<
  * Free an array of query statistics counters allocated from the memory
  * context 'mctx'.
+ *
+ * This function is obsoleted.  Use dns_stats_destroy() instead.
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dns/tcpmsg.h b/lib/dns/include/dns/tcpmsg.h
index 075f463..fe83c53 100644
--- a/lib/dns/include/dns/tcpmsg.h
+++ b/lib/dns/include/dns/tcpmsg.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.h,v 1.16.18.2 2005/04/29 00:16:22 marka Exp $ */
+/* $Id: tcpmsg.h,v 1.22 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_TCPMSG_H
 #define DNS_TCPMSG_H 1
 
-/*! \file */
+/*! \file dns/tcpmsg.h */
 
 #include <isc/buffer.h>
 #include <isc/lang.h>
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
index 9e8f5cc..5b47d11 100644
--- a/lib/dns/include/dns/time.h
+++ b/lib/dns/include/dns/time.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.11.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: time.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_TIME_H
 #define DNS_TIME_H 1
 
-/*! \file */
+/*! \file dns/time.h */
 
 /***
  ***	Imports
diff --git a/lib/dns/include/dns/timer.h b/lib/dns/include/dns/timer.h
index cd936a0..48d6d56 100644
--- a/lib/dns/include/dns/timer.h
+++ b/lib/dns/include/dns/timer.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.3.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: timer.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_TIMER_H
 #define DNS_TIMER_H 1
 
-/*! \file */
+/*! \file dns/timer.h */
 
 /***
  ***	Imports
diff --git a/lib/dns/include/dns/tkey.h b/lib/dns/include/dns/tkey.h
index 4e3e80a..3511f2f 100644
--- a/lib/dns/include/dns/tkey.h
+++ b/lib/dns/include/dns/tkey.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,18 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey.h,v 1.19.18.2 2005/04/29 00:16:23 marka Exp $ */
+/* $Id: tkey.h,v 1.26.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_TKEY_H
 #define DNS_TKEY_H 1
 
-/*! \file */
+/*! \file dns/tkey.h */
 
 #include <isc/lang.h>
 
 #include <dns/types.h>
 
 #include <dst/dst.h>
+#include <dst/gssapi.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -40,13 +41,14 @@ ISC_LANG_BEGINDECLS
 struct dns_tkeyctx {
 	dst_key_t *dhkey;
 	dns_name_t *domain;
-	void *gsscred;
+	gss_cred_id_t gsscred;
 	isc_mem_t *mctx;
 	isc_entropy_t *ectx;
 };
 
 isc_result_t
-dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp);
+dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx,
+		   dns_tkeyctx_t **tctxp);
 /*%<
  *	Create an empty TKEY context.
  *
@@ -119,13 +121,29 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
  */
 
 isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
-		       dns_name_t *gname, void *cred,
-		       isc_uint32_t lifetime, void **context);
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+		       isc_buffer_t *intoken, isc_uint32_t lifetime,
+		       gss_ctx_id_t *context, isc_boolean_t win2k);
 /*%<
- * XXX
+ *	Builds a query containing a TKEY that will generate a GSSAPI context.
+ *	The key is requested to have the specified lifetime (in seconds).
+ *
+ *	Requires:
+ *\li		'msg'	  is a valid message
+ *\li		'name'	  is a valid name
+ *\li		'gname'	  is a valid name
+ *\li		'context' is a pointer to a valid gss_ctx_id_t
+ *			  (which may have the value GSS_C_NO_CONTEXT)
+ *\li		'win2k'   when true says to turn on some hacks to work
+ *			  with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *\li		ISC_R_SUCCESS	msg was successfully updated to include the
+ *				query to be sent
+ *\li		other		an error occurred while building the message
  */
 
+
 isc_result_t
 dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
 /*%<
@@ -144,7 +162,7 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key);
 
 isc_result_t
 dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-                           dst_key_t *key, isc_buffer_t *nonce,
+			   dst_key_t *key, isc_buffer_t *nonce,
 			   dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
 /*%<
  *	Processes a response to a query containing a TKEY that was
@@ -167,8 +185,9 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    dns_name_t *gname, void *cred, void **context,
-			    dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring);
+			    dns_name_t *gname, gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring);
 /*%<
  * XXX
  */
@@ -193,6 +212,39 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
  */
 
 
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      dns_name_t *server, gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      isc_boolean_t win2k);
+
+/*
+ *	Client side negotiation of GSS-TSIG.  Process the response
+ *	to a TKEY, and establish a TSIG key if negotiation was successful.
+ *	Build a response to the input TKEY message.  Can take multiple
+ *	calls to successfully establish the context.
+ *
+ *	Requires:
+ *		'qmsg'    is a valid message, the original TKEY request;
+ *			     it will be filled with the new message to send
+ *		'rmsg'    is a valid message, the incoming TKEY message
+ *		'server'  is the server name
+ *		'context' is the input context handle
+ *		'outkey'  receives the established key, if non-NULL;
+ *			      if non-NULL must point to NULL
+ *		'ring'	  is the keyring in which to establish the key,
+ *			      or NULL
+ *		'win2k'   when true says to turn on some hacks to work
+ *			      with the non-standard GSS-TSIG of Windows 2000
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS	context was successfully established
+ *		ISC_R_NOTFOUND  couldn't find a needed part of the query
+ *					or response
+ *		DNS_R_CONTINUE  additional context negotiation is required;
+ *					send the new qmsg to the server
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_TKEY_H */
diff --git a/lib/dns/include/dns/tsig.h b/lib/dns/include/dns/tsig.h
index b3fd6cc..e8c0e2c 100644
--- a/lib/dns/include/dns/tsig.h
+++ b/lib/dns/include/dns/tsig.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig.h,v 1.43.18.4 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: tsig.h,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_TSIG_H
 #define DNS_TSIG_H 1
 
-/*! \file */
+/*! \file dns/tsig.h */
 
 #include <isc/lang.h>
 #include <isc/refcount.h>
@@ -59,6 +59,7 @@ LIBDNS_EXTERNAL_DATA extern dns_name_t *dns_tsig_hmacsha512_name;
 
 struct dns_tsig_keyring {
 	dns_rbt_t *keys;
+	unsigned int writecount;
 	isc_rwlock_t lock;
 	isc_mem_t *mctx;
 };
@@ -79,7 +80,9 @@ struct dns_tsigkey {
 };
 
 #define dns_tsigkey_identity(tsigkey) \
-	((tsigkey)->generated ? ((tsigkey)->creator) : (&((tsigkey)->name)))
+	((tsigkey) == NULL ? NULL : \
+         (tsigkey)->generated ? ((tsigkey)->creator) : \
+         (&((tsigkey)->name)))
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/dns/include/dns/ttl.h b/lib/dns/include/dns/ttl.h
index ad01578..c252518 100644
--- a/lib/dns/include/dns/ttl.h
+++ b/lib/dns/include/dns/ttl.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.h,v 1.13.18.2 2005/04/29 00:16:24 marka Exp $ */
+/* $Id: ttl.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_TTL_H
 #define DNS_TTL_H 1
 
-/*! \file */
+/*! \file dns/ttl.h */
 
 /***
  ***	Imports
diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 8dcbe57..e07a796 100644
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.109.18.12 2006/05/02 12:55:31 shane Exp $ */
+/* $Id: types.h,v 1.130.50.3 2009/01/29 22:40:35 jinmei Exp $ */
 
 #ifndef DNS_TYPES_H
 #define DNS_TYPES_H 1
 
-/*! \file
+/*! \file dns/types.h
  * \brief
  * Including this file gives you type declarations suitable for use in
  * .h files, which lets us avoid circular type reference problems.
@@ -68,6 +68,8 @@ typedef struct dns_fetch			dns_fetch_t;
 typedef struct dns_fixedname			dns_fixedname_t;
 typedef struct dns_forwarders			dns_forwarders_t;
 typedef struct dns_fwdtable			dns_fwdtable_t;
+typedef struct dns_iptable			dns_iptable_t;
+typedef isc_uint32_t				dns_iterations_t;
 typedef isc_uint16_t				dns_keyflags_t;
 typedef struct dns_keynode			dns_keynode_t;
 typedef struct dns_keytable			dns_keytable_t;
@@ -105,6 +107,8 @@ typedef isc_uint8_t				dns_secproto_t;
 typedef struct dns_signature			dns_signature_t;
 typedef struct dns_ssurule			dns_ssurule_t;
 typedef struct dns_ssutable			dns_ssutable_t;
+typedef struct dns_stats			dns_stats_t;
+typedef isc_uint32_t				dns_rdatastatstype_t;
 typedef struct dns_tkeyctx			dns_tkeyctx_t;
 typedef isc_uint16_t				dns_trust_t;
 typedef struct dns_tsig_keyring			dns_tsig_keyring_t;
@@ -118,6 +122,19 @@ typedef ISC_LIST(dns_zone_t)			dns_zonelist_t;
 typedef struct dns_zonemgr			dns_zonemgr_t;
 typedef struct dns_zt				dns_zt_t;
 
+/*
+ * If we are not using GSSAPI, define the types we use as opaque types here.
+ */
+#ifndef GSSAPI
+typedef struct not_defined_gss_cred_id *gss_cred_id_t;
+typedef struct not_defined_gss_ctx *gss_ctx_id_t;
+#endif
+typedef struct dst_gssapi_signverifyctx dst_gssapi_signverifyctx_t;
+
+typedef enum {
+	dns_hash_sha1 = 1
+} dns_hash_t;
+
 typedef enum {
 	dns_fwdpolicy_none = 0,
 	dns_fwdpolicy_first = 1,
@@ -249,11 +266,11 @@ enum {
 	dns_trust_additional = 2,
 #define dns_trust_additional		((dns_trust_t)dns_trust_additional)
 
-	/* Received in a referral response. */ 
+	/* Received in a referral response. */
 	dns_trust_glue = 3,
 #define dns_trust_glue			((dns_trust_t)dns_trust_glue)
 
-	/* Answser from a non-authoritative server */
+	/* Answer from a non-authoritative server */
 	dns_trust_answer = 4,
 #define dns_trust_answer		((dns_trust_t)dns_trust_answer)
 
@@ -262,11 +279,11 @@ enum {
 	dns_trust_authauthority = 5,
 #define dns_trust_authauthority		((dns_trust_t)dns_trust_authauthority)
 
-	/* Answser from an authoritative server */
+	/* Answer from an authoritative server */
 	dns_trust_authanswer = 6,
 #define dns_trust_authanswer		((dns_trust_t)dns_trust_authanswer)
 
-	/* Successfully DNSSEC validated */	
+	/* Successfully DNSSEC validated */
 	dns_trust_secure = 7,
 #define dns_trust_secure		((dns_trust_t)dns_trust_secure)
 
@@ -276,7 +293,7 @@ enum {
 };
 
 /*%
- * Name checking severites.
+ * Name checking severities.
  */
 typedef enum {
 	dns_severity_ignore,
@@ -308,7 +325,7 @@ typedef void
 typedef void
 (*dns_updatecallback_t)(void *, isc_result_t, dns_message_t *);
 
-typedef int 
+typedef int
 (*dns_rdatasetorderfunc_t)(const dns_rdata_t *, const void *);
 
 typedef isc_boolean_t
diff --git a/lib/dns/include/dns/validator.h b/lib/dns/include/dns/validator.h
index c94fc3a..2555214 100644
--- a/lib/dns/include/dns/validator.h
+++ b/lib/dns/include/dns/validator.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.h,v 1.27.18.10 2007/09/26 04:39:45 each Exp $ */
+/* $Id: validator.h,v 1.41.48.3 2009/01/18 23:25:17 marka Exp $ */
 
 #ifndef DNS_VALIDATOR_H
 #define DNS_VALIDATOR_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/validator.h
  *
  * \brief
  * DNS Validator
@@ -74,7 +74,7 @@
  * caller so that they may be freed.
  *
  * If the RESULT is ISC_R_SUCCESS and the answer is secure then
- * proofs[] will contain the the names of the NSEC records that hold the
+ * proofs[] will contain the names of the NSEC records that hold the
  * various proofs.  Note the same name may appear multiple times.
  */
 typedef struct dns_validatorevent {
@@ -99,12 +99,17 @@ typedef struct dns_validatorevent {
 	/*
 	 * Proofs to be cached.
 	 */
-	dns_name_t *			proofs[3];
+	dns_name_t *			proofs[4];
+	/*
+	 * Optout proof seen.
+	 */
+	isc_boolean_t			optout;
 } dns_validatorevent_t;
 
 #define DNS_VALIDATOR_NOQNAMEPROOF 0
 #define DNS_VALIDATOR_NODATAPROOF 1
 #define DNS_VALIDATOR_NOWILDCARDPROOF 2
+#define DNS_VALIDATOR_CLOSESTENCLOSER 3
 
 /*%
  * A validator object represents a validation in progress.
@@ -139,11 +144,14 @@ struct dns_validator {
 	dns_rdataset_t *		dsset;
 	dns_rdataset_t *		soaset;
 	dns_rdataset_t *		nsecset;
+	dns_rdataset_t *		nsec3set;
 	dns_name_t *			soaname;
 	dns_rdataset_t			frdataset;
 	dns_rdataset_t			fsigrdataset;
 	dns_fixedname_t			fname;
 	dns_fixedname_t			wild;
+	dns_fixedname_t			nearest;
+	dns_fixedname_t			closest;
 	ISC_LINK(dns_validator_t)	link;
 	dns_rdataset_t 			dlv;
 	dns_fixedname_t			dlvsep;
@@ -202,7 +210,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
  * options:
  * If DNS_VALIDATOR_DLV is set the caller knows there is not a
  * trusted key and the validator should immediately attempt to validate
- * the answer by looking for a appopriate DLV RRset.
+ * the answer by looking for an appropriate DLV RRset.
  */
 
 void
diff --git a/lib/dns/include/dns/version.h b/lib/dns/include/dns/version.h
index bb254534..2a33dcf 100644
--- a/lib/dns/include/dns/version.h
+++ b/lib/dns/include/dns/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:16:25 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:17 tbox Exp $ */
 
-/*! \file */
+/*! \file dns/version.h */
 
 #include <isc/platform.h>
 
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index ea3d4c7..5b53c16 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.91.18.9 2006/03/09 23:38:21 marka Exp $ */
+/* $Id: view.h,v 1.111.88.4 2009/01/29 22:40:35 jinmei Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file dns/view.h
  * \brief
  * DNS View
  *
@@ -100,6 +100,9 @@ struct dns_view {
 	isc_event_t			resevent;
 	isc_event_t			adbevent;
 	isc_event_t			reqevent;
+	isc_stats_t *			resstats;
+	dns_stats_t *			resquerystats;
+
 	/* Configurable data. */
 	dns_tsig_keyring_t *		statickeys;
 	dns_tsig_keyring_t *		dynamickeys;
@@ -116,10 +119,17 @@ struct dns_view {
 	isc_boolean_t			acceptexpired;
 	dns_transfer_format_t		transfer_format;
 	dns_acl_t *			queryacl;
+	dns_acl_t *			queryonacl;
 	dns_acl_t *			recursionacl;
+	dns_acl_t *			recursiononacl;
 	dns_acl_t *			sortlist;
+	dns_acl_t *			notifyacl;
+	dns_acl_t *			transferacl;
+	dns_acl_t *			updateacl;
+	dns_acl_t *			upfwdacl;
 	isc_boolean_t			requestixfr;
 	isc_boolean_t			provideixfr;
+	isc_boolean_t			requestnsid;
 	dns_ttl_t			maxcachettl;
 	dns_ttl_t			maxncachettl;
 	in_port_t			dstport;
@@ -224,7 +234,7 @@ void
 dns_view_flushanddetach(dns_view_t **viewp);
 /*%<
  * Detach '*viewp' from its view.  If this was the last reference
- * uncommited changed in zones will be flushed to disk.
+ * uncommitted changed in zones will be flushed to disk.
  *
  * Requires:
  *
@@ -363,7 +373,7 @@ dns_view_setdstport(dns_view_t *view, in_port_t dstport);
  *\li      'dstport' is a valid TCP/UDP port number.
  *
  * Ensures:
- *\li	External name servers will be assumed to be listning
+ *\li	External name servers will be assumed to be listening
  *	on 'dstport'.  For servers whose address has already
  *	obtained obtained at the time of the call, the view may
  *	continue to use the previously set port until the address
@@ -591,6 +601,19 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
  */
 
 isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name, isc_boolean_t allclasses,
+		      dns_rdataclass_t rdclass, dns_zone_t **zonep);
+
+/*%<
+ * Search zone with 'name' in view with 'rdclass' in viewlist 'list'
+ * If found, zone is returned in *zonep. If allclasses is set rdclass is ignored
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS          A matching zone was found.
+ *\li	#ISC_R_NOTFOUND         No matching zone was found.
+ */
+
+isc_result_t
 dns_view_findzone(dns_view_t *view, dns_name_t *name, dns_zone_t **zonep);
 /*%<
  * Search for the zone 'name' in the zone table of 'view'.
@@ -615,7 +638,7 @@ dns_view_loadnew(dns_view_t *view, isc_boolean_t stop);
 /*%<
  * Load zones attached to this view.  dns_view_load() loads
  * all zones whose master file has changed since the last
- * load; dns_view_loadnew() loads only zones that have never 
+ * load; dns_view_loadnew() loads only zones that have never
  * been loaded.
  *
  * If 'stop' is ISC_TRUE, stop on the first error and return it.
@@ -633,7 +656,7 @@ dns_view_gettsig(dns_view_t *view, dns_name_t *keyname,
  * Find the TSIG key configured in 'view' with name 'keyname',
  * if any.
  *
- * Reqires:
+ * Requires:
  *\li	keyp points to a NULL dns_tsigkey_t *.
  *
  * Returns:
@@ -649,7 +672,7 @@ dns_view_getpeertsig(dns_view_t *view, isc_netaddr_t *peeraddr,
  * Find the TSIG key configured in 'view' for the server whose
  * address is 'peeraddr', if any.
  *
- * Reqires:
+ * Requires:
  *	keyp points to a NULL dns_tsigkey_t *.
  *
  * Returns:
@@ -691,7 +714,7 @@ dns_view_dumpdbtostream(dns_view_t *view, FILE *fp);
  * easily obtainable by other means.
  *
  * Requires:
- * 	
+ *
  *\li	'view' is valid.
  *
  *\li	'fp' refers to a file open for writing.
@@ -734,7 +757,7 @@ isc_result_t
 dns_view_adddelegationonly(dns_view_t *view, dns_name_t *name);
 /*%<
  * Add the given name to the delegation only table.
- * 
+ *
  *
  * Requires:
  *\li	'view' is valid.
@@ -749,7 +772,7 @@ isc_result_t
 dns_view_excludedelegationonly(dns_view_t *view, dns_name_t *name);
 /*%<
  * Add the given name to be excluded from the root-delegation-only.
- * 
+ *
  *
  * Requires:
  *\li	'view' is valid.
@@ -771,8 +794,8 @@ dns_view_isdelegationonly(dns_view_t *view, dns_name_t *name);
  *\li	'name' is valid.
  *
  * Returns:
- *\li	#ISC_TRUE if the name is is the table.
- *\li	#ISC_FALSE othewise.
+ *\li	#ISC_TRUE if the name is the table.
+ *\li	#ISC_FALSE otherwise.
  */
 
 void
@@ -801,4 +824,56 @@ dns_view_freezezones(dns_view_t *view, isc_boolean_t freeze);
  * Requires:
  * \li	'view' is valid.
  */
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats);
+/*%<
+ * Set a general resolver statistics counter set 'stats' for 'view'.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics supporting resolver statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp);
+/*%<
+ * Get the general statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats);
+/*%<
+ * Set a statistics counter set of rdata type, 'stats', for 'view'.  Once the
+ * statistic set is installed, view's resolver will count outgoing queries
+ * per rdata type.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	stats is a valid statistics created by dns_rdatatypestats_create().
+ */
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp);
+/*%<
+ * Get the rdatatype statistics counter set for 'view'.  If a statistics set is
+ * set '*statsp' will be attached to the set; otherwise, '*statsp' will be
+ * untouched.
+ *
+ * Requires:
+ * \li	'view' is valid and is not frozen.
+ *
+ *\li	'statsp' != NULL && '*statsp' != NULL
+ */
+
 #endif /* DNS_VIEW_H */
diff --git a/lib/dns/include/dns/xfrin.h b/lib/dns/include/dns/xfrin.h
index fcd482e..04866ee 100644
--- a/lib/dns/include/dns/xfrin.h
+++ b/lib/dns/include/dns/xfrin.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.h,v 1.20.18.5 2006/07/20 01:10:30 marka Exp $ */
+/* $Id: xfrin.h,v 1.28.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DNS_XFRIN_H
 #define DNS_XFRIN_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file 
+/*! \file dns/xfrin.h
  * \brief
  * Incoming zone transfers (AXFR + IXFR).
  */
@@ -90,7 +90,7 @@ dns_xfrin_shutdown(dns_xfrin_ctx_t *xfr);
 /*%<
  * If the zone transfer 'xfr' has already finished,
  * do nothing.  Otherwise, abort it and cause it to call
- * its done callback with a status of ISC_R_CANCELLED.
+ * its done callback with a status of ISC_R_CANCELED.
  */
 
 void
diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index 7cb8272..e2859ae 100644
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.h,v 1.126.18.19 2006/08/01 03:45:21 marka Exp $ */
+/* $Id: zone.h,v 1.160.50.4 2009/01/29 22:40:35 jinmei Exp $ */
 
 #ifndef DNS_ZONE_H
 #define DNS_ZONE_H 1
 
-/*! \file */
+/*! \file dns/zone.h */
 
 /***
  ***	Imports
@@ -33,6 +33,7 @@
 #include <isc/rwlock.h>
 
 #include <dns/masterdump.h>
+#include <dns/rdatastruct.h>
 #include <dns/types.h>
 
 typedef enum {
@@ -66,6 +67,9 @@ typedef enum {
 #define DNS_ZONEOPT_WARNSRVCNAME  0x00200000U	/*%< warn on SRV CNAME check */
 #define DNS_ZONEOPT_IGNORESRVCNAME 0x00400000U	/*%< ignore SRV CNAME check */
 #define DNS_ZONEOPT_UPDATECHECKKSK 0x00800000U	/*%< check dnskey KSK flag */
+#define DNS_ZONEOPT_TRYTCPREFRESH 0x01000000U	/*%< try tcp refresh on udp failure */
+#define DNS_ZONEOPT_NOTIFYTOSOA	  0x02000000U	/*%< Notify the SOA MNAME */
+#define DNS_ZONEOPT_NSEC3TESTZONE 0x04000000U	/*%< nsec3-test-zone */
 
 #ifndef NOMINUM_PUBLIC
 /*
@@ -145,6 +149,15 @@ dns_zone_getclass(dns_zone_t *zone);
  *\li	'zone' to be a valid zone.
  */
 
+isc_uint32_t
+dns_zone_getserial(dns_zone_t *zone);
+/*%<
+ *	Returns the current serial number of the zone.
+ *
+ * Requires:
+ *\li	'zone' to be a valid zone.
+ */
+
 void
 dns_zone_settype(dns_zone_t *zone, dns_zonetype_t type);
 /*%<
@@ -406,7 +419,7 @@ dns_zone_refresh(dns_zone_t *zone);
 isc_result_t
 dns_zone_flush(dns_zone_t *zone);
 /*%<
- *	Write the zone to database if there are uncommited changes.
+ *	Write the zone to database if there are uncommitted changes.
  *
  * Require:
  *\li	'zone' to be a valid zone.
@@ -458,7 +471,7 @@ dns_zone_fulldumptostream(dns_zone_t *zone, FILE *fd);
 void
 dns_zone_maintenance(dns_zone_t *zone);
 /*%<
- *	Perform regular maintenace on the zone.  This is called as a
+ *	Perform regular maintenance on the zone.  This is called as a
  *	result of a zone being managed.
  *
  * Require
@@ -503,7 +516,7 @@ dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
  * Require:
  *\li	'zone' to be a valid zone.
  *\li	'notify' to be non-NULL if count != 0.
- *\li	'count' to be the number of notifyees.
+ *\li	'count' to be the number of notifiees.
  *
  * Returns:
  *\li	#ISC_R_SUCCESS
@@ -701,6 +714,16 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl);
  */
 
 void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl);
+/*%<
+ *	Sets the query-on acl list for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'acl' to be a valid acl.
+ */
+
+void
 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl);
 /*%<
  *	Sets the update acl list for the zone.
@@ -757,6 +780,19 @@ dns_zone_getqueryacl(dns_zone_t *zone);
  */
 
 dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone);
+/*%<
+ * 	Returns the current query-on acl or NULL.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *
+ * Returns:
+ *\li	acl a pointer to the acl.
+ *\li	NULL
+ */
+
+dns_acl_t *
 dns_zone_getupdateacl(dns_zone_t *zone);
 /*%<
  * 	Returns the current update acl or NULL.
@@ -832,6 +868,15 @@ dns_zone_clearqueryacl(dns_zone_t *zone);
  */
 
 void
+dns_zone_clearqueryonacl(dns_zone_t *zone);
+/*%<
+ *	Clear the current query-on acl.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ */
+
+void
 dns_zone_clearxfracl(dns_zone_t *zone);
 /*%<
  *	Clear the current transfer acl.
@@ -844,12 +889,16 @@ isc_boolean_t
 dns_zone_getupdatedisabled(dns_zone_t *zone);
 /*%<
  * Return update disabled.
+ * Transient unless called when running in isc_task_exclusive() mode.
  */
 
 void
 dns_zone_setupdatedisabled(dns_zone_t *zone, isc_boolean_t state);
 /*%<
  * Set update disabled.
+ * Should only be called only when running in isc_task_exclusive() mode.
+ * Failure to do so may result in updates being committed after the
+ * call has been made.
  */
 
 isc_boolean_t
@@ -905,13 +954,13 @@ isc_result_t
 dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		       dns_message_t *msg);
 /*%<
- *	Tell the zone that it has recieved a NOTIFY message from another
- *	server.  This may cause some zone maintainence activity to occur.
+ *	Tell the zone that it has received a NOTIFY message from another
+ *	server.  This may cause some zone maintenance activity to occur.
  *
  * Requires:
  *\li	'zone' to be a valid zone.
  *\li	'*from' to contain the address of the server from which 'msg'
- *		was recieved.
+ *		was received.
  *\li	'msg' a message with opcode NOTIFY and qr clear.
  *
  * Returns:
@@ -1036,7 +1085,7 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
  * If "dump" is ISC_TRUE, then the new zone contents are dumped
  * into to the zone's master file for persistence.  When replacing
  * a zone database by one just loaded from a master file, set
- * "dump" to ISC_FALSE to avoid a redunant redump of the data just
+ * "dump" to ISC_FALSE to avoid a redundant redump of the data just
  * loaded.  Otherwise, it should be set to ISC_TRUE.
  *
  * If the "diff-on-reload" option is enabled in the configuration file,
@@ -1048,7 +1097,7 @@ dns_zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump);
  *
  * Returns:
  * \li	DNS_R_SUCCESS
- * \li	DNS_R_BADZONE	zone failed basic consistancy checks:
+ * \li	DNS_R_BADZONE	zone failed basic consistency checks:
  *			* a single SOA must exist
  *			* some NS records must exist.
  *	Others
@@ -1134,7 +1183,7 @@ dns_zone_getmgr(dns_zone_t *zone);
 void
 dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
 /*%<
- * Set the zone's SIG validity interval.  This is the length of time
+ * Set the zone's RRSIG validity interval.  This is the length of time
  * for which DNSSEC signatures created as a result of dynamic updates
  * to secure zones will remain valid, in seconds.
  *
@@ -1145,7 +1194,26 @@ dns_zone_setsigvalidityinterval(dns_zone_t *zone, isc_uint32_t interval);
 isc_uint32_t
 dns_zone_getsigvalidityinterval(dns_zone_t *zone);
 /*%<
- * Get the zone's SIG validity interval.
+ * Get the zone's RRSIG validity interval.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval);
+/*%<
+ * Set the zone's RRSIG re-signing interval.  A dynamic zone's RRSIG's
+ * will be re-signed 'interval' amount of time before they expire.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ */
+
+isc_uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone);
+/*%<
+ * Get the zone's RRSIG re-signing interval.
  *
  * Requires:
  * \li	'zone' to be a valid zone.
@@ -1159,10 +1227,10 @@ dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype);
 
 isc_result_t
 dns_zone_forwardupdate(dns_zone_t *zone, dns_message_t *msg,
-                       dns_updatecallback_t callback, void *callback_arg);
+		       dns_updatecallback_t callback, void *callback_arg);
 /*%<
  * Forward 'msg' to each master in turn until we get an answer or we
- * have exausted the list of masters. 'callback' will be called with
+ * have exhausted the list of masters. 'callback' will be called with
  * ISC_R_SUCCESS if we get an answer and the returned message will be
  * passed as 'answer_message', otherwise a non ISC_R_SUCCESS result code
  * will be passed and answer_message will be NULL.  The callback function
@@ -1195,6 +1263,8 @@ dns_zone_next(dns_zone_t *zone, dns_zone_t **next);
  *	(result ISC_R_NOMORE).
  */
 
+
+
 isc_result_t
 dns_zone_first(dns_zonemgr_t *zmgr, dns_zone_t **first);
 /*%<
@@ -1267,7 +1337,7 @@ isc_result_t
 dns_zonemgr_forcemaint(dns_zonemgr_t *zmgr);
 /*%<
  * Force zone maintenance of all zones managed by 'zmgr' at its
- * earliest conveniene.
+ * earliest convenience.
  */
 
 void
@@ -1336,7 +1406,7 @@ dns_zonemgr_settransfersin(dns_zonemgr_t *zmgr, isc_uint32_t value);
 isc_uint32_t
 dns_zonemgr_getttransfersin(dns_zonemgr_t *zmgr);
 /*%<
- *	Return the the maximum number of simultaneous transfers in allowed.
+ *	Return the maximum number of simultaneous transfers in allowed.
  *
  * Requires:
  *\li	'zmgr' to be a valid zone manager.
@@ -1363,7 +1433,7 @@ dns_zonemgr_getttransfersperns(dns_zonemgr_t *zmgr);
 void
 dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
 /*%<
- *	Set the number of simultaneous file descriptors available for 
+ *	Set the number of simultaneous file descriptors available for
  *	reading and writing masterfiles.
  *
  * Requires:
@@ -1374,7 +1444,7 @@ dns_zonemgr_setiolimit(dns_zonemgr_t *zmgr, isc_uint32_t iolimit);
 isc_uint32_t
 dns_zonemgr_getiolimit(dns_zonemgr_t *zmgr);
 /*%<
- *	Get the number of simultaneous file descriptors available for 
+ *	Get the number of simultaneous file descriptors available for
  *	reading and writing masterfiles.
  *
  * Requires:
@@ -1410,6 +1480,18 @@ dns_zonemgr_getcount(dns_zonemgr_t *zmgr, int state);
  */
 
 void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now);
+/*%<
+ *	Add the pair of addresses to the unreachable cache.
+ *
+ * Requires:
+ *\li	'zmgr' to be a valid zone manager.
+ *\li	'remote' to be a valid sockaddr.
+ *\li	'local' to be a valid sockaddr.
+ */
+
+void
 dns_zone_forcereload(dns_zone_t *zone);
 /*%<
  *      Force a reload of specified zone.
@@ -1430,22 +1512,55 @@ dns_zone_isforced(dns_zone_t *zone);
 isc_result_t
 dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on);
 /*%<
- *      Make the zone keep or not keep an array of statistics
- * 	counter.
- *
- * Requires:
- *   \li   zone be a valid zone.
+ * This function is obsoleted by dns_zone_setrequeststats().
  */
 
 isc_uint64_t *
 dns_zone_getstatscounters(dns_zone_t *zone);
 /*%<
+ * This function is obsoleted by dns_zone_getrequeststats().
+ */
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats);
+/*%<
+ * Set a general zone-maintenance statistics set 'stats' for 'zone'.  This
+ * function is expected to be called only on zone creation (when necessary).
+ * Once installed, it cannot be removed or replaced.  Also, there is no
+ * interface to get the installed stats from the zone; the caller must keep the
+ * stats to reference (e.g. dump) it later.
+ *
  * Requires:
- *      zone be a valid zone.
+ * \li	'zone' to be a valid zone and does not have a statistics set already
+ *	installed.
+ *
+ *\li	stats is a valid statistics supporting zone statistics counters
+ *	(see dns/stats.h).
+ */
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats);
+/*%<
+ * Set an additional statistics set to zone.  It is attached in the zone
+ * but is not counted in the zone module; only the caller updates the counters.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
+ *
+ *\li	stats is a valid statistics.
+ */
+
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone);
+/*%<
+ * Get the additional statistics for zone, if one is installed.
+ *
+ * Requires:
+ * \li	'zone' to be a valid zone.
  *
  * Returns:
- * \li     A pointer to the zone's array of statistics counters,
- *	or NULL if it has none.
+ * \li	when available, a pointer to the statistics set installed in zone;
+ *	otherwise NULL.
  */
 
 void
@@ -1484,7 +1599,7 @@ void
 dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
 /*%<
  * Return the name of the zone with class and view.
- * 
+ *
  * Requires:
  *\li	'zone' to be valid.
  *\li	'buf' to be non NULL.
@@ -1492,7 +1607,7 @@ dns_zone_name(dns_zone_t *zone, char *buf, size_t len);
 
 isc_result_t
 dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
-/*
+/*%<
  * Check if this record meets the check-names policy.
  *
  * Requires:
@@ -1508,7 +1623,7 @@ dns_zone_checknames(dns_zone_t *zone, dns_name_t *name, dns_rdata_t *rdata);
 
 void
 dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache);
-/*
+/*%<
  *	Associate the zone with an additional cache.
  *
  * Require:
@@ -1521,7 +1636,7 @@ dns_zone_setacache(dns_zone_t *zone, dns_acache_t *acache);
 
 void
 dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
-/*
+/*%<
  *	Set the post load integrity callback function 'checkmx'.
  *	'checkmx' will be called if the MX is not within the zone.
  *
@@ -1531,7 +1646,7 @@ dns_zone_setcheckmx(dns_zone_t *zone, dns_checkmxfunc_t checkmx);
 
 void
 dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
-/*
+/*%<
  *	Set the post load integrity callback function 'checksrv'.
  *	'checksrv' will be called if the SRV TARGET is not within the zone.
  *
@@ -1541,7 +1656,7 @@ dns_zone_setchecksrv(dns_zone_t *zone, dns_checkmxfunc_t checksrv);
 
 void
 dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
-/*
+/*%<
  *	Set the post load integrity callback function 'checkmx'.
  *	'checkmx' will be called if the MX is not within the zone.
  *
@@ -1551,7 +1666,7 @@ dns_zone_setcheckns(dns_zone_t *zone, dns_checknsfunc_t checkns);
 
 void
 dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay);
-/*
+/*%<
  * Set the minimum delay between sets of notify messages.
  *
  * Requires:
@@ -1560,7 +1675,7 @@ dns_zone_setnotifydelay(dns_zone_t *zone, isc_uint32_t delay);
 
 isc_uint32_t
 dns_zone_getnotifydelay(dns_zone_t *zone);
-/*
+/*%<
  * Get the minimum delay between sets of notify messages.
  *
  * Requires:
@@ -1569,7 +1684,7 @@ dns_zone_getnotifydelay(dns_zone_t *zone);
 
 void
 dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
-/*
+/*%<
  * Set the isself callback function and argument.
  *
  * isc_boolean_t
@@ -1581,6 +1696,41 @@ dns_zone_setisself(dns_zone_t *zone, dns_isselffunc_t isself, void *arg);
  * delivered to 'myview'.
  */
 
+void
+dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes);
+/*%<
+ * Set the number of nodes that will be checked per quantum.
+ */
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures);
+/*%<
+ * Set the number of signatures that will be generated per quantum.
+ */
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+		     isc_uint16_t keyid, isc_boolean_t delete);
+/*%<
+ * Initiate/resume signing of the entire zone with the zone DNSKEY(s)
+ * that match the given algorithm and keyid.
+ */
+
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param);
+/*%<
+ * Incrementally add a NSEC3 chain that corresponds to 'nsec3param'.
+ */
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type);
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone);
+/*
+ * Get/Set the private record type.  It is expected that these interfaces
+ * will not be permanent.
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_ZONE_H */
diff --git a/lib/dns/include/dns/zonekey.h b/lib/dns/include/dns/zonekey.h
index ba4e076..d9ba862 100644
--- a/lib/dns/include/dns/zonekey.h
+++ b/lib/dns/include/dns/zonekey.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.h,v 1.4.18.2 2005/04/29 00:16:26 marka Exp $ */
+/* $Id: zonekey.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_ZONEKEY_H
 #define DNS_ZONEKEY_H 1
 
-/*! \file */
+/*! \file dns/zonekey.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dns/zt.h b/lib/dns/include/dns/zt.h
index 436ef4c..6cfe3d3 100644
--- a/lib/dns/include/dns/zt.h
+++ b/lib/dns/include/dns/zt.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.h,v 1.30.18.3 2005/04/27 05:01:42 sra Exp $ */
+/* $Id: zt.h,v 1.38 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_ZT_H
 #define DNS_ZT_H 1
 
-/*! \file */
+/*! \file dns/zt.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/dns/include/dst/Makefile.in b/lib/dns/include/dst/Makefile.in
index deaa221..4ed4ec0 100644
--- a/lib/dns/include/dst/Makefile.in
+++ b/lib/dns/include/dst/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.1.6.1 2004/12/09 04:41:47 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/12/11 20:28:55 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -21,7 +21,7 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_VERSION@
 
-HEADERS =	dst.h lib.h result.h
+HEADERS =	dst.h gssapi.h lib.h result.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h
index 8d99186..702ad71 100644
--- a/lib/dns/include/dst/dst.h
+++ b/lib/dns/include/dst/dst.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,17 +15,19 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.1.6.5 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: dst.h,v 1.12 2008/09/24 02:46:23 marka Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
 
-/*! \file */
+/*! \file dst/dst.h */
 
 #include <isc/lang.h>
 
 #include <dns/types.h>
 
+#include <dst/gssapi.h>
+
 ISC_LANG_BEGINDECLS
 
 /***
@@ -49,6 +51,8 @@ typedef struct dst_context 	dst_context_t;
 #define DST_ALG_DSA		3
 #define DST_ALG_ECC		4
 #define DST_ALG_RSASHA1		5
+#define DST_ALG_NSEC3DSA	6
+#define DST_ALG_NSEC3RSASHA1	7
 #define DST_ALG_HMACMD5		157
 #define DST_ALG_GSSAPI		160
 #define DST_ALG_HMACSHA1	161	/* XXXMPA */
@@ -398,16 +402,28 @@ dst_key_privatefrombuffer(dst_key_t *key, isc_buffer_t *buffer);
  *\li	If successful, key will contain a valid private key.
  */
 
+gss_ctx_id_t
+dst_key_getgssctx(const dst_key_t *key);
+/*%<
+ * Returns the opaque key data.
+ * Be cautions when using this value unless you know what you are doing.
+ *
+ * Requires:
+ *\li	"key" is not NULL.
+ *
+ * Returns:
+ *\li	gssctx key data, possibly NULL.
+ */
 
 isc_result_t
-dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
-		                   dst_key_t **keyp);
+dst_key_fromgssapi(dns_name_t *name, gss_ctx_id_t gssctx, isc_mem_t *mctx,
+		   dst_key_t **keyp);
 /*%<
  * Converts a GSSAPI opaque context id into a DST key.
  *
  * Requires:
  *\li	"name" is a valid absolute dns name.
- *\li	"opaque" is a GSSAPI context id.
+ *\li	"gssctx" is a GSSAPI context id.
  *\li	"mctx" is a valid memory context.
  *\li	"keyp" is not NULL and "*keyp" is NULL.
  *
@@ -421,6 +437,12 @@ dst_key_fromgssapi(dns_name_t *name, void *opaque, isc_mem_t *mctx,
  */
 
 isc_result_t
+dst_key_fromlabel(dns_name_t *name, int alg, unsigned int flags,
+		  unsigned int protocol, dns_rdataclass_t rdclass,
+		  const char *engine, const char *label, const char *pin,
+		  isc_mem_t *mctx, dst_key_t **keyp);
+
+isc_result_t
 dst_key_generate(dns_name_t *name, unsigned int alg,
 		 unsigned int bits, unsigned int param,
 		 unsigned int flags, unsigned int protocol,
diff --git a/lib/dns/include/dst/gssapi.h b/lib/dns/include/dst/gssapi.h
index e30fb0c..446b76d 100644
--- a/lib/dns/include/dst/gssapi.h
+++ b/lib/dns/include/dst/gssapi.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,16 +15,32 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gssapi.h,v 1.1.6.3 2005/04/29 00:16:28 marka Exp $ */
+/* $Id: gssapi.h,v 1.9.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef DST_GSSAPI_H
 #define DST_GSSAPI_H 1
 
-/*! \file */
+/*! \file dst/gssapi.h */
 
+#include <isc/formatcheck.h>
 #include <isc/lang.h>
-
+#include <isc/platform.h>
 #include <isc/types.h>
+#include <dns/types.h>
+
+#ifdef GSSAPI
+#ifdef _WINDOWS
+/*
+ * MSVC does not like macros in #include lines.
+ */
+#include <gssapi/gssapi.h>
+#else
+#include ISC_PLATFORM_GSSAPIHEADER
+#endif
+#ifndef GSS_SPNEGO_MECHANISM
+#define GSS_SPNEGO_MECHANISM ((void*)0)
+#endif
+#endif
 
 ISC_LANG_BEGINDECLS
 
@@ -37,20 +53,153 @@ ISC_LANG_BEGINDECLS
  ***/
 
 isc_result_t
-dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate, void **cred);
+dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+		       gss_cred_id_t *cred);
+/*
+ *	Acquires GSS credentials.
+ *
+ *	Requires:
+ * 	'name' 	    is a valid name, preferably one known by the GSS provider
+ * 	'initiate'  indicates whether the credentials are for initiating or
+ *		    accepting contexts
+ *      'cred'      is a pointer to NULL, which will be allocated with the
+ *		    credential handle.  Call dst_gssapi_releasecred to free
+ *		    the memory.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS msg was successfully updated to include the
+ *				      query to be sent
+ *		other		  an error occurred while building the message
+ */
+
+isc_result_t
+dst_gssapi_releasecred(gss_cred_id_t *cred);
+/*
+ *	Releases GSS credentials.  Calling this function does release the
+ *  memory allocated for the credential in dst_gssapi_acquirecred()
+ *
+ *	Requires:
+ *      'mctx'  is a valid memory context
+ *      'cred'  is a pointer to the credential to be released
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS 	credential was released successfully
+ *		other		an error occurred while releaseing
+ *				the credential
+ */
+
+isc_result_t
+dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+		   isc_buffer_t *outtoken, gss_ctx_id_t *gssctx);
+/*
+ *	Initiates a GSS context.
+ *
+ *	Requires:
+ * 	'name'     is a valid name, preferably one known by the GSS
+ * 	provider
+ * 	'intoken'  is a token received from the acceptor, or NULL if
+ *		   there isn't one
+ * 	'outtoken' is a buffer to receive the token generated by
+ *		   gss_init_sec_context() to be sent to the acceptor
+ *      'context'  is a pointer to a valid gss_ctx_id_t
+ *                 (which may have the value GSS_C_NO_CONTEXT)
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		other		an error occurred while building the message
+ */
 
 isc_result_t
-dst_gssapi_initctx(dns_name_t *name, void *cred,
-		   isc_region_t *intoken, isc_buffer_t *outtoken,
-		   void **context);
+dst_gssapi_acceptctx(gss_cred_id_t cred,
+		     isc_region_t *intoken, isc_buffer_t **outtoken,
+		     gss_ctx_id_t *context, dns_name_t *principal,
+		     isc_mem_t *mctx);
+/*
+ *	Accepts a GSS context.
+ *
+ *	Requires:
+ * 	'mctx'     is a valid memory context
+ *      'cred'     is the acceptor's valid GSS credential handle
+ * 	'intoken'  is a token received from the initiator
+ * 	'outtoken' is a pointer a buffer pointer used to return the token
+ *		   generated by gss_accept_sec_context() to be sent to the
+ *		   initiator
+ *      'context'  is a valid pointer to receive the generated context handle.
+ *                 On the initial call, it should be a pointer to NULL, which
+ *		   will be allocated as a gss_ctx_id_t.  Subsequent calls
+ *		   should pass in the handle generated on the first call.
+ *		   Call dst_gssapi_releasecred to delete the context and free
+ *		   the memory.
+ *
+ *	Requires:
+ *		'outtoken' to != NULL && *outtoken == NULL.
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS   msg was successfully updated to include the
+ * 				query to be sent
+ *		other 		an error occurred while building the message
+ */
 
 isc_result_t
-dst_gssapi_acceptctx(dns_name_t *name, void *cred,
-		     isc_region_t *intoken, isc_buffer_t *outtoken,
-		     void **context);
+dst_gssapi_deletectx(isc_mem_t *mctx, gss_ctx_id_t *gssctx);
+/*
+ *	Destroys a GSS context.  This function deletes the context from the GSS
+ *  	provider and then frees the memory used by the context pointer.
+ *
+ *	Requires:
+ *      'mctx'    is a valid memory context
+ *	'context' is a valid GSS context
+ *
+ *	Returns:
+ *		ISC_R_SUCCESS
+ */
+
+
+void
+gss_log(int level, const char *fmt, ...)
+ISC_FORMAT_PRINTF(2, 3);
+/*
+ * Logging function for GSS.
+ *
+ *  Requires
+ *      'level' is the log level to be used, as an integer
+ *      'fmt'   is a printf format specifier
+ */
+
+char *
+gss_error_tostring(isc_uint32_t major, isc_uint32_t minor,
+		   char *buf, size_t buflen);
+/*
+ *	Render a GSS major status/minor status pair into a string
+ *
+ *	Requires:
+ *      'major' is a GSS major status code
+ * 	'minor' is a GSS minor status code
+ *
+ *	Returns:
+ *		A string containing the text representation of the error codes.
+ *      	Users should copy the string if they wish to keep it.
+ */
 
+isc_boolean_t
+dst_gssapi_identitymatchesrealmkrb5(dns_name_t *signer, dns_name_t *name,
+			      dns_name_t *realm);
 /*
- * XXX
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
+ */
+
+isc_boolean_t
+dst_gssapi_identitymatchesrealmms(dns_name_t *signer, dns_name_t *name,
+			    dns_name_t *realm);
+/*
+ *	Compare a "signer" (in the format of a Kerberos-format Kerberos5
+ *	principal: host/example.com@EXAMPLE.COM) to the realm name stored
+ *	in "name" (which represents the realm name).
+ *
  */
 
 ISC_LANG_ENDDECLS
diff --git a/lib/dns/include/dst/lib.h b/lib/dns/include/dst/lib.h
index bd71261..886575e 100644
--- a/lib/dns/include/dst/lib.h
+++ b/lib/dns/include/dst/lib.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: lib.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DST_LIB_H
 #define DST_LIB_H 1
 
-/*! \file */
+/*! \file dst/lib.h */
 
 #include <isc/types.h>
 #include <isc/lang.h>
diff --git a/lib/dns/include/dst/result.h b/lib/dns/include/dst/result.h
index aa03b73..d77b72e 100644
--- a/lib/dns/include/dst/result.h
+++ b/lib/dns/include/dst/result.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.1.6.3 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: result.h,v 1.9 2008/04/01 23:47:10 tbox Exp $ */
 
 #ifndef DST_RESULT_H
 #define DST_RESULT_H 1
 
-/*! \file */
+/*! \file dst/result.h */
 
 #include <isc/lang.h>
 #include <isc/resultclass.h>
@@ -54,8 +54,9 @@
 #define DST_R_COMPUTESECRETFAILURE	(ISC_RESULTCLASS_DST + 18)
 #define DST_R_NORANDOMNESS		(ISC_RESULTCLASS_DST + 19)
 #define DST_R_BADKEYTYPE		(ISC_RESULTCLASS_DST + 20)
+#define DST_R_NOENGINE			(ISC_RESULTCLASS_DST + 21)
 
-#define DST_R_NRESULTS			21	/* Number of results */
+#define DST_R_NRESULTS			22	/* Number of results */
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/dns/iptable.c b/lib/dns/iptable.c
new file mode 100644
index 0000000..55a5351
--- /dev/null
+++ b/lib/dns/iptable.c
@@ -0,0 +1,188 @@
+/*
+ * Copyright (C) 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iptable.c,v 1.12.44.3 2009/02/18 23:47:12 tbox Exp $ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/radix.h>
+
+#include <dns/acl.h>
+
+static void destroy_iptable(dns_iptable_t *dtab);
+
+/*
+ * Create a new IP table and the underlying radix structure
+ */
+isc_result_t
+dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
+	isc_result_t result;
+	dns_iptable_t *tab;
+
+	tab = isc_mem_get(mctx, sizeof(*tab));
+	if (tab == NULL)
+		return (ISC_R_NOMEMORY);
+	tab->mctx = mctx;
+	isc_refcount_init(&tab->refcount, 1);
+	tab->radix = NULL;
+	tab->magic = DNS_IPTABLE_MAGIC;
+
+	result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	*target = tab;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_iptable_detach(&tab);
+	return (result);
+}
+
+isc_boolean_t dns_iptable_neg = ISC_FALSE;
+isc_boolean_t dns_iptable_pos = ISC_TRUE;
+
+/*
+ * Add an IP prefix to an existing IP table
+ */
+isc_result_t
+dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
+		      isc_uint16_t bitlen, isc_boolean_t pos)
+{
+	isc_result_t result;
+	isc_prefix_t pfx;
+	isc_radix_node_t *node = NULL;
+	int family;
+
+	INSIST(DNS_IPTABLE_VALID(tab));
+	INSIST(tab->radix);
+
+	NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
+
+	result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
+	if (result != ISC_R_SUCCESS) {
+		isc_refcount_destroy(&pfx.refcount);
+		return(result);
+	}
+
+	/* If a node already contains data, don't overwrite it */
+	family = pfx.family;
+	if (family == AF_UNSPEC) {
+		/* "any" or "none" */
+		INSIST(pfx.bitlen == 0);
+		if (pos) {
+			if (node->data[0] == NULL)
+				node->data[0] = &dns_iptable_pos;
+			if (node->data[1] == NULL)
+				node->data[1] = &dns_iptable_pos;
+		} else {
+			if (node->data[0] == NULL)
+				node->data[0] = &dns_iptable_neg;
+			if (node->data[1] == NULL)
+				node->data[1] = &dns_iptable_neg;
+		}
+	} else {
+		/* any other prefix */
+		if (node->data[ISC_IS6(family)] == NULL) {
+			if (pos)
+				node->data[ISC_IS6(family)] = &dns_iptable_pos;
+			else
+				node->data[ISC_IS6(family)] = &dns_iptable_neg;
+		}
+	}
+
+	isc_refcount_destroy(&pfx.refcount);
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * Merge one IP table into another one.
+ */
+isc_result_t
+dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos)
+{
+	isc_result_t result;
+	isc_radix_node_t *node, *new_node;
+	int max_node = 0;
+
+	RADIX_WALK (source->radix->head, node) {
+		new_node = NULL;
+		result = isc_radix_insert (tab->radix, &new_node, node, NULL);
+
+		if (result != ISC_R_SUCCESS)
+			return(result);
+
+		/*
+		 * If we're negating a nested ACL, then we should
+		 * reverse the sense of every node.  However, this
+		 * could lead to a negative node in a nested ACL
+		 * becoming a positive match in the parent, which
+		 * could be a security risk.  To prevent this, we
+		 * just leave the negative nodes negative.
+		 */
+		if (!pos) {
+			if (node->data[0] &&
+			    *(isc_boolean_t *) node->data[0] == ISC_TRUE)
+				new_node->data[0] = &dns_iptable_neg;
+
+			if (node->data[1] &&
+			    *(isc_boolean_t *) node->data[1] == ISC_TRUE)
+				new_node->data[1] = &dns_iptable_neg;
+		}
+
+		if (node->node_num[0] > max_node)
+			max_node = node->node_num[0];
+		if (node->node_num[1] > max_node)
+			max_node = node->node_num[1];
+	} RADIX_WALK_END;
+
+	tab->radix->num_added_node += max_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
+	REQUIRE(DNS_IPTABLE_VALID(source));
+	isc_refcount_increment(&source->refcount, NULL);
+	*target = source;
+}
+
+void
+dns_iptable_detach(dns_iptable_t **tabp) {
+	dns_iptable_t *tab = *tabp;
+	unsigned int refs;
+	REQUIRE(DNS_IPTABLE_VALID(tab));
+	isc_refcount_decrement(&tab->refcount, &refs);
+	if (refs == 0)
+		destroy_iptable(tab);
+	*tabp = NULL;
+}
+
+static void
+destroy_iptable(dns_iptable_t *dtab) {
+
+	REQUIRE(DNS_IPTABLE_VALID(dtab));
+
+	if (dtab->radix != NULL) {
+		isc_radix_destroy(dtab->radix, NULL);
+		dtab->radix = NULL;
+	}
+
+	isc_refcount_destroy(&dtab->refcount);
+	dtab->magic = 0;
+	isc_mem_put(dtab->mctx, dtab, sizeof(*dtab));
+}
diff --git a/lib/dns/journal.c b/lib/dns/journal.c
index 4e4010f..8c21f1e 100644
--- a/lib/dns/journal.c
+++ b/lib/dns/journal.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: journal.c,v 1.86.18.14 2008/09/25 04:01:36 tbox Exp $ */
+/* $Id: journal.c,v 1.103.48.2 2009/01/18 23:47:37 tbox Exp $ */
 
 #include <config.h>
 
@@ -42,7 +42,7 @@
 #include <dns/soa.h>
 
 /*! \file
- * \brief Journalling.
+ * \brief Journaling.
  *
  * A journal file consists of
  *
@@ -172,7 +172,7 @@ dns_db_createsoatuple(dns_db_t *db, dns_dbversion_t *ver, isc_mem_t *mctx,
 	return (result);
 }
 
-/* Journalling */
+/* Journaling */
 
 /*%
  * On-disk representation of a "pointer" to a journal entry.
@@ -641,7 +641,7 @@ journal_open(isc_mem_t *mctx, const char *filename, isc_boolean_t write,
 	dns_rdata_init(&j->it.rdata);
 
 	/*
-	 * Set up empty initial buffers for uncheched and checked
+	 * Set up empty initial buffers for unchecked and checked
 	 * wire format RR data.  They will be reallocated
 	 * later.
 	 */
@@ -709,8 +709,35 @@ ixfr_order(const void *av, const void *bv) {
 	dns_difftuple_t const *a = *ap;
 	dns_difftuple_t const *b = *bp;
 	int r;
+	int bop = 0, aop = 0;
+
+	switch (a->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		aop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		aop = 0;
+		break;
+	default:
+		INSIST(0);
+	}
+
+	switch (b->op) {
+	case DNS_DIFFOP_DEL:
+	case DNS_DIFFOP_DELRESIGN:
+		bop = 1;
+		break;
+	case DNS_DIFFOP_ADD:
+	case DNS_DIFFOP_ADDRESIGN:
+		bop = 0;
+		break;
+	default:
+		INSIST(0);
+	}
 
-	r = (b->op == DNS_DIFFOP_DEL) - (a->op == DNS_DIFFOP_DEL);
+	r = bop - aop;
 	if (r != 0)
 		return (r);
 
@@ -1191,7 +1218,7 @@ dns_journal_destroy(dns_journal_t **journalp) {
 /* XXX Share code with incoming IXFR? */
 
 static isc_result_t
-roll_forward(dns_journal_t *j, dns_db_t *db) {
+roll_forward(dns_journal_t *j, dns_db_t *db, unsigned int options) {
 	isc_buffer_t source;		/* Transaction data from disk */
 	isc_buffer_t target;		/* Ditto after _fromwire check */
 	isc_uint32_t db_serial;		/* Database SOA serial */
@@ -1202,6 +1229,7 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 	dns_diff_t diff;
 	unsigned int n_soa = 0;
 	unsigned int n_put = 0;
+	dns_diffop_t op;
 
 	REQUIRE(DNS_JOURNAL_VALID(j));
 	REQUIRE(DNS_DB_VALID(db));
@@ -1209,7 +1237,7 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 	dns_diff_init(j->mctx, &diff);
 
 	/*
-	 * Set up empty initial buffers for uncheched and checked
+	 * Set up empty initial buffers for unchecked and checked
 	 * wire format transaction data.  They will be reallocated
 	 * later.
 	 */
@@ -1273,9 +1301,14 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 					 "initial SOA", j->filename);
 			FAIL(ISC_R_UNEXPECTED);
 		}
-		CHECK(dns_difftuple_create(diff.mctx, n_soa == 1 ?
-					   DNS_DIFFOP_DEL : DNS_DIFFOP_ADD,
-					   name, ttl, rdata, &tuple));
+		if ((options & DNS_JOURNALOPT_RESIGN) != 0)
+			op = (n_soa == 1) ? DNS_DIFFOP_DELRESIGN :
+					    DNS_DIFFOP_ADDRESIGN;
+		else
+			op = (n_soa == 1) ? DNS_DIFFOP_DEL : DNS_DIFFOP_ADD;
+
+		CHECK(dns_difftuple_create(diff.mctx, op, name, ttl, rdata,
+					   &tuple));
 		dns_diff_append(&diff, &tuple);
 
 		if (++n_put > 100)  {
@@ -1317,7 +1350,9 @@ roll_forward(dns_journal_t *j, dns_db_t *db) {
 }
 
 isc_result_t
-dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename) {
+dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db,
+			unsigned int options, const char *filename)
+{
 	dns_journal_t *j;
 	isc_result_t result;
 
@@ -1336,7 +1371,7 @@ dns_journal_rollforward(isc_mem_t *mctx, dns_db_t *db, const char *filename) {
 	if (JOURNAL_EMPTY(&j->header))
 		result = DNS_R_UPTODATE;
 	else
-		result = roll_forward(j, db);
+		result = roll_forward(j, db, options);
 
 	dns_journal_destroy(&j);
 
@@ -1374,7 +1409,7 @@ dns_journal_print(isc_mem_t *mctx, const char *filename, FILE *file) {
 	dns_diff_init(j->mctx, &diff);
 
 	/*
-	 * Set up empty initial buffers for uncheched and checked
+	 * Set up empty initial buffers for unchecked and checked
 	 * wire format transaction data.  They will be reallocated
 	 * later.
 	 */
@@ -1852,10 +1887,10 @@ dns_db_diff(isc_mem_t *mctx,
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-	result = dns_db_createiterator(db[0], ISC_FALSE, &dbit[0]);
+	result = dns_db_createiterator(db[0], 0, &dbit[0]);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_journal;
-	result = dns_db_createiterator(db[1], ISC_FALSE, &dbit[1]);
+	result = dns_db_createiterator(db[1], 0, &dbit[1]);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_interator0;
 
diff --git a/lib/dns/key.c b/lib/dns/key.c
index b0f2c0a..5cf4442 100644
--- a/lib/dns/key.c
+++ b/lib/dns/key.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key.c,v 1.1.6.6 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: key.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/dns/keytable.c b/lib/dns/keytable.c
index ec0f8e4..bffd2d3 100644
--- a/lib/dns/keytable.c
+++ b/lib/dns/keytable.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keytable.c,v 1.28.18.4 2005/12/05 00:00:03 marka Exp $ */
+/* $Id: keytable.c,v 1.34 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/lib.c b/lib/dns/lib.c
index 423908a..6f98b537 100644
--- a/lib/dns/lib.c
+++ b/lib/dns/lib.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.11.18.3 2005/08/15 01:46:50 marka Exp $ */
+/* $Id: lib.c,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/log.c b/lib/dns/log.c
index 939ea36..7551e15 100644
--- a/lib/dns/log.c
+++ b/lib/dns/log.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.36.18.4 2005/09/05 00:18:24 marka Exp $ */
+/* $Id: log.c,v 1.45 2007/06/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -29,7 +29,7 @@
 
 /*%
  * When adding a new category, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
  */
 LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
 	{ "notify", 	0 },
@@ -43,12 +43,13 @@ LIBDNS_EXTERNAL_DATA isc_logcategory_t dns_categories[] = {
 	{ "dispatch",	0 },
 	{ "lame-servers", 0 },
 	{ "delegation-only", 0 },
+	{ "edns-disabled", 0 },
 	{ NULL, 	0 }
 };
 
 /*%
  * When adding a new module, be sure to add the appropriate
- * #define to <dns/log.h>.
+ * \#define to <dns/log.h>.
  */
 LIBDNS_EXTERNAL_DATA isc_logmodule_t dns_modules[] = {
 	{ "dns/db",	 	0 },
diff --git a/lib/dns/lookup.c b/lib/dns/lookup.c
index a3ddad4..d5fc7aa 100644
--- a/lib/dns/lookup.c
+++ b/lib/dns/lookup.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lookup.c,v 1.14.18.7 2007/08/28 07:20:04 tbox Exp $ */
+/* $Id: lookup.c,v 1.21 2007/06/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/master.c b/lib/dns/master.c
index b04f2eb..462269e 100644
--- a/lib/dns/master.c
+++ b/lib/dns/master.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: master.c,v 1.148.18.21 2008/01/17 23:45:58 tbox Exp $ */
+/* $Id: master.c,v 1.171.120.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -139,6 +139,7 @@ struct dns_loadctx {
 	/* locked by lock */
 	isc_uint32_t		references;
 	dns_incctx_t		*inc;
+	isc_uint32_t		resign;
 };
 
 struct dns_incctx {
@@ -503,7 +504,7 @@ incctx_create(isc_mem_t *mctx, dns_name_t *origin, dns_incctx_t **ictxp) {
 
 static isc_result_t
 loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
-	       unsigned int options, dns_name_t *top,
+	       unsigned int options, isc_uint32_t resign, dns_name_t *top,
 	       dns_rdataclass_t zclass, dns_name_t *origin,
 	       dns_rdatacallbacks_t *callbacks, isc_task_t *task,
 	       dns_loaddonefunc_t done, void *done_arg, isc_lex_t *lex,
@@ -580,6 +581,7 @@ loadctx_create(dns_masterformat_t format, isc_mem_t *mctx,
 	lctx->options = options;
 	lctx->seen_include = ISC_FALSE;
 	lctx->zclass = zclass;
+	lctx->resign = resign;
 	lctx->result = ISC_R_SUCCESS;
 
 	dns_fixedname_init(&lctx->fixed_top);
@@ -1738,8 +1740,7 @@ load_text(dns_loadctx_t *lctx) {
 			char namebuf[DNS_NAME_FORMATSIZE];
 			dns_name_format(ictx->current, namebuf,
 					sizeof(namebuf));
-			(*callbacks->error)(callbacks,
-					    "%s:%lu: SOA "
+			(*callbacks->error)(callbacks, "%s:%lu: SOA "
 					    "record not at top of zone (%s)",
 					    source, line, namebuf);
 			result = DNS_R_NOTZONETOP;
@@ -1834,7 +1835,7 @@ load_text(dns_loadctx_t *lctx) {
 		/*
 		 * Find type in rdatalist.
 		 * If it does not exist create new one and prepend to list
-		 * as this will mimimise list traversal.
+		 * as this will minimise list traversal.
 		 */
 		if (ictx->glue != NULL)
 			this = ISC_LIST_HEAD(glue_list);
@@ -2324,8 +2325,8 @@ dns_master_loadfile(const char *master_file, dns_name_t *top,
 		    dns_rdataclass_t zclass, unsigned int options,
 		    dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx)
 {
-	return (dns_master_loadfile2(master_file, top, origin, zclass, options,
-				     callbacks, mctx, dns_masterformat_text));
+	return (dns_master_loadfile3(master_file, top, origin, zclass, options,
+				     0, callbacks, mctx, dns_masterformat_text));
 }
 
 isc_result_t
@@ -2335,11 +2336,23 @@ dns_master_loadfile2(const char *master_file, dns_name_t *top,
 		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
 		     dns_masterformat_t format)
 {
+	return (dns_master_loadfile3(master_file, top, origin, zclass, options,
+				     0, callbacks, mctx, format));
+}
+
+isc_result_t
+dns_master_loadfile3(const char *master_file, dns_name_t *top,
+		     dns_name_t *origin, dns_rdataclass_t zclass,
+		     unsigned int options, isc_uint32_t resign,
+		     dns_rdatacallbacks_t *callbacks, isc_mem_t *mctx,
+		     dns_masterformat_t format)
+{
 	dns_loadctx_t *lctx = NULL;
 	isc_result_t result;
 
-	result = loadctx_create(format, mctx, options, top, zclass, origin,
-				callbacks, NULL, NULL, NULL, NULL, &lctx);
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, NULL, NULL, NULL, NULL,
+				&lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -2362,8 +2375,8 @@ dns_master_loadfileinc(const char *master_file, dns_name_t *top,
 		       isc_task_t *task, dns_loaddonefunc_t done,
 		       void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx)
 {
-	return (dns_master_loadfileinc2(master_file, top, origin, zclass,
-					options, callbacks, task, done,
+	return (dns_master_loadfileinc3(master_file, top, origin, zclass,
+					options, 0, callbacks, task, done,
 					done_arg, lctxp, mctx,
 					dns_masterformat_text));
 }
@@ -2376,14 +2389,29 @@ dns_master_loadfileinc2(const char *master_file, dns_name_t *top,
 			void *done_arg, dns_loadctx_t **lctxp, isc_mem_t *mctx,
 			dns_masterformat_t format)
 {
+	return (dns_master_loadfileinc3(master_file, top, origin, zclass,
+					options, 0, callbacks, task, done,
+					done_arg, lctxp, mctx, format));
+}
+
+isc_result_t
+dns_master_loadfileinc3(const char *master_file, dns_name_t *top,
+			dns_name_t *origin, dns_rdataclass_t zclass,
+			unsigned int options, isc_uint32_t resign,
+			dns_rdatacallbacks_t *callbacks, isc_task_t *task,
+			dns_loaddonefunc_t done, void *done_arg,
+			dns_loadctx_t **lctxp, isc_mem_t *mctx,
+			dns_masterformat_t format)
+{
 	dns_loadctx_t *lctx = NULL;
 	isc_result_t result;
 
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(format, mctx, options, top, zclass, origin,
-				callbacks, task, done, done_arg, NULL, &lctx);
+	result = loadctx_create(format, mctx, options, resign, top, zclass,
+				origin, callbacks, task, done, done_arg, NULL,
+				&lctx);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -2412,7 +2440,7 @@ dns_master_loadstream(FILE *stream, dns_name_t *top, dns_name_t *origin,
 
 	REQUIRE(stream != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, NULL, NULL, NULL,
 				NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2445,7 +2473,7 @@ dns_master_loadstreaminc(FILE *stream, dns_name_t *top, dns_name_t *origin,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, task, done,
 				done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2478,7 +2506,7 @@ dns_master_loadbuffer(isc_buffer_t *buffer, dns_name_t *top,
 
 	REQUIRE(buffer != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, NULL, NULL, NULL,
 				NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2511,7 +2539,7 @@ dns_master_loadbufferinc(isc_buffer_t *buffer, dns_name_t *top,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, task, done,
 				done_arg, NULL, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2543,7 +2571,7 @@ dns_master_loadlexer(isc_lex_t *lex, dns_name_t *top,
 
 	REQUIRE(lex != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, NULL, NULL, NULL,
 				lex, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2571,7 +2599,7 @@ dns_master_loadlexerinc(isc_lex_t *lex, dns_name_t *top,
 	REQUIRE(task != NULL);
 	REQUIRE(done != NULL);
 
-	result = loadctx_create(dns_masterformat_text, mctx, options, top,
+	result = loadctx_create(dns_masterformat_text, mctx, options, 0, top,
 				zclass, origin, callbacks, task, done,
 				done_arg, lex, &lctx);
 	if (result != ISC_R_SUCCESS)
@@ -2700,6 +2728,27 @@ grow_rdata(int new_len, dns_rdata_t *old, int old_len,
 	return (new);
 }
 
+static isc_uint32_t
+resign_fromlist(dns_rdatalist_t *this, isc_uint32_t resign) {
+	dns_rdata_t *rdata;
+	dns_rdata_rrsig_t sig;
+	isc_uint32_t when;
+
+	rdata = ISC_LIST_HEAD(this->rdata);
+	INSIST(rdata != NULL);
+	(void)dns_rdata_tostruct(rdata, &sig, NULL);
+	when = sig.timeexpire - resign;
+
+	rdata = ISC_LIST_NEXT(rdata, link);
+	while (rdata != NULL) {
+		(void)dns_rdata_tostruct(rdata, &sig, NULL);
+		if (sig.timeexpire - resign < when)
+			when = sig.timeexpire - resign;
+		rdata = ISC_LIST_NEXT(rdata, link);
+	}
+	return (when);
+}
+
 /*
  * Convert each element from a rdatalist_t to rdataset then call commit.
  * Unlink each element as we go.
@@ -2726,14 +2775,22 @@ commit(dns_rdatacallbacks_t *callbacks, dns_loadctx_t *lctx,
 		RUNTIME_CHECK(dns_rdatalist_tordataset(this, &dataset)
 			      == ISC_R_SUCCESS);
 		dataset.trust = dns_trust_ultimate;
+		/*
+		 * If this is a secure dynamic zone set the re-signing time.
+		 */
+		if (dataset.type == dns_rdatatype_rrsig &&
+		    (lctx->options & DNS_MASTER_RESIGN) != 0) {
+			dataset.attributes |= DNS_RDATASETATTR_RESIGN;
+			dns_name_format(owner, namebuf, sizeof(namebuf));
+			dataset.resign = resign_fromlist(this, lctx->resign);
+		}
 		result = ((*callbacks->add)(callbacks->add_private, owner,
 					    &dataset));
 		if (result == ISC_R_NOMEMORY) {
 			(*error)(callbacks, "dns_master_load: %s",
 				 dns_result_totext(result));
 		} else if (result != ISC_R_SUCCESS) {
-			dns_name_format(owner, namebuf,
-					sizeof(namebuf));
+			dns_name_format(owner, namebuf, sizeof(namebuf));
 			if (source != NULL) {
 				(*error)(callbacks, "%s: %s:%lu: %s: %s",
 					 "dns_master_load", source, line,
diff --git a/lib/dns/masterdump.c b/lib/dns/masterdump.c
index 1ffdfcb..5eac96f 100644
--- a/lib/dns/masterdump.c
+++ b/lib/dns/masterdump.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: masterdump.c,v 1.73.18.16 2008/08/13 23:46:04 tbox Exp $ */
+/* $Id: masterdump.c,v 1.94.50.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -108,7 +108,8 @@ dns_master_style_default = {
 
 LIBDNS_EXTERNAL_DATA const dns_master_style_t
 dns_master_style_full = {
-	DNS_STYLEFLAG_COMMENT,
+	DNS_STYLEFLAG_COMMENT |
+	DNS_STYLEFLAG_RESIGN,
 	46, 46, 46, 64, 120, 8
 };
 
@@ -283,7 +284,7 @@ totext_ctx_init(const dns_master_style_t *style, dns_totext_ctx_t *ctx) {
 		/*
 		 * Do not return ISC_R_NOSPACE if the line break string
 		 * buffer is too small, because that would just make
-		 * dump_rdataset() retry indenfinitely with ever
+		 * dump_rdataset() retry indefinitely with ever
 		 * bigger target buffers.  That's a different buffer,
 		 * so it won't help.  Use DNS_R_TEXTTOOLONG as a substitute.
 		 */
@@ -784,6 +785,13 @@ static const char *trustnames[] = {
 	"local" /* aka ultimate */
 };
 
+const char *
+dns_trust_totext(dns_trust_t trust) {
+	if (trust >= sizeof(trustnames)/sizeof(*trustnames))
+		return ("bad");
+	return (trustnames[trust]);
+}
+
 static isc_result_t
 dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
 		    dns_rdatasetiter_t *rdsiter, dns_totext_ctx_t *ctx,
@@ -840,6 +848,15 @@ dump_rdatasets_text(isc_mem_t *mctx, dns_name_t *name,
 			if ((ctx->style.flags & DNS_STYLEFLAG_OMIT_OWNER) != 0)
 				name = NULL;
 		}
+		if (ctx->style.flags & DNS_STYLEFLAG_RESIGN &&
+		    rds->attributes & DNS_RDATASETATTR_RESIGN) {
+			isc_buffer_t b;
+			char buf[sizeof("YYYYMMDDHHMMSS")];
+			memset(buf, 0, sizeof(buf));
+			isc_buffer_init(&b, buf, sizeof(buf) - 1);
+			dns_time64_totext((isc_uint64_t)rds->resign, &b);
+			fprintf(f, "; resign=%s\n", buf);
+		}
 		dns_rdataset_disassociate(rds);
 	}
 
@@ -1020,9 +1037,9 @@ dumpctx_destroy(dns_dumpctx_t *dctx) {
 
 	dctx->magic = 0;
 	DESTROYLOCK(&dctx->lock);
+	dns_dbiterator_destroy(&dctx->dbiter);
 	if (dctx->version != NULL)
 		dns_db_closeversion(dctx->db, &dctx->version, ISC_FALSE);
-	dns_dbiterator_destroy(&dctx->dbiter);
 	dns_db_detach(&dctx->db);
 	if (dctx->task != NULL)
 		isc_task_detach(&dctx->task);
@@ -1177,7 +1194,7 @@ dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 {
 	dns_dumpctx_t *dctx;
 	isc_result_t result;
-	isc_boolean_t relative;
+	unsigned int options;
 
 	dctx = isc_mem_get(mctx, sizeof(*dctx));
 	if (dctx == NULL)
@@ -1224,10 +1241,10 @@ dumpctx_create(isc_mem_t *mctx, dns_db_t *db, dns_dbversion_t *version,
 
 	if (dctx->format == dns_masterformat_text &&
 	    (dctx->tctx.style.flags & DNS_STYLEFLAG_REL_OWNER) != 0) {
-		relative = ISC_TRUE;
+		options = DNS_DB_RELATIVENAMES;
 	} else
-		relative = ISC_FALSE;
-	result = dns_db_createiterator(dctx->db, relative, &dctx->dbiter);
+		options = 0;
+	result = dns_db_createiterator(dctx->db, options, &dctx->dbiter);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 
diff --git a/lib/dns/message.c b/lib/dns/message.c
index 8c56377..b541635 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.222.18.16 2008/07/28 23:46:20 tbox Exp $ */
+/* $Id: message.c,v 1.245.50.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -24,6 +24,7 @@
  ***/
 
 #include <config.h>
+#include <ctype.h>
 
 #include <isc/buffer.h>
 #include <isc/mem.h>
@@ -45,6 +46,35 @@
 #include <dns/tsig.h>
 #include <dns/view.h>
 
+#ifdef SKAN_MSG_DEBUG
+static void
+hexdump(const char *msg, const char *msg2, void *base, size_t len) {
+	unsigned char *p;
+	unsigned int cnt;
+
+	p = base;
+	cnt = 0;
+
+	printf("*** %s [%s] (%u bytes @ %p)\n", msg, msg2, len, base);
+
+	while (cnt < len) {
+		if (cnt % 16 == 0)
+			printf("%p: ", p);
+		else if (cnt % 8 == 0)
+			printf(" |");
+		printf(" %02x %c", *p, (isprint(*p) ? *p : ' '));
+		p++;
+		cnt++;
+
+		if (cnt % 16 == 0)
+			printf("\n");
+	}
+
+	if (cnt % 16 != 0)
+		printf("\n");
+}
+#endif
+
 #define DNS_MESSAGE_OPCODE_MASK		0x7800U
 #define DNS_MESSAGE_OPCODE_SHIFT	11
 #define DNS_MESSAGE_RCODE_MASK		0x000fU
@@ -65,6 +95,8 @@
 #define VALID_PSEUDOSECTION(s)	(((s) >= DNS_PSEUDOSECTION_ANY) \
 				 && ((s) < DNS_PSEUDOSECTION_MAX))
 
+#define OPTOUT(x) (((x)->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+
 /*%
  * This is the size of each individual scratchpad buffer, and the numbers
  * of various block allocations used within the server.
@@ -138,7 +170,7 @@ static const char *rcodetext[] = {
 /*%
  * "helper" type, which consists of a block of some type, and is linkable.
  * For it to work, sizeof(dns_msgblock_t) must be a multiple of the pointer
- * size, or the allocated elements will not be alligned correctly.
+ * size, or the allocated elements will not be aligned correctly.
  */
 struct dns_msgblock {
 	unsigned int			count;
@@ -1462,14 +1494,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
 				rdataset->ttl = ttl;
 		}
 
-		/*
-		 * XXXMLG Perform a totally ugly hack here to pull
-		 * the rdatalist out of the private field in the rdataset,
-		 * and append this rdata to the rdatalist's linked list
-		 * of rdata.
-		 */
-		rdatalist = (dns_rdatalist_t *)(rdataset->private1);
-
+		/* Append this rdata to the rdataset. */
+		dns_rdatalist_fromrdataset(rdataset, &rdatalist);
 		ISC_LIST_APPEND(rdatalist->rdata, rdata, link);
 
 		/*
@@ -1934,7 +1960,7 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				 *
 				 * XXXMLG Need to change this when
 				 * dns_rdataset_towire() can render partial
-				 * sets starting at some arbitary point in the
+				 * sets starting at some arbitrary point in the
 				 * set.  This will include setting a bit in the
 				 * rdataset to indicate that a partial
 				 * rendering was done, and some state saved
@@ -1964,6 +1990,8 @@ dns_message_rendersection(dns_message_t *msg, dns_section_t sectionid,
 				    (sectionid == DNS_SECTION_ANSWER ||
 				     sectionid == DNS_SECTION_AUTHORITY))
 					msg->flags &= ~DNS_MESSAGEFLAG_AD;
+				if (OPTOUT(rdataset))
+					msg->flags &= ~DNS_MESSAGEFLAG_AD;
 
 				rdataset->attributes |=
 					DNS_RDATASETATTR_RENDERED;
@@ -2899,6 +2927,35 @@ dns_message_rechecksig(dns_message_t *msg, dns_view_t *view) {
 	return (dns_message_checksig(msg, view));
 }
 
+#ifdef SKAN_MSG_DEBUG
+void
+dns_message_dumpsig(dns_message_t *msg, char *txt1) {
+	dns_rdata_t querytsigrdata = DNS_RDATA_INIT;
+	dns_rdata_any_tsig_t querytsig;
+	isc_result_t result;
+
+	if (msg->tsig != NULL) {
+		result = dns_rdataset_first(msg->tsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->tsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "TSIG", querytsig.signature,
+			querytsig.siglen);
+	}
+
+	if (msg->querytsig != NULL) {
+		result = dns_rdataset_first(msg->querytsig);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		dns_rdataset_current(msg->querytsig, &querytsigrdata);
+		result = dns_rdata_tostruct(&querytsigrdata, &querytsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		hexdump(txt1, "QUERYTSIG", querytsig.signature,
+			querytsig.siglen);
+	}
+}
+#endif
+
 isc_result_t
 dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 	isc_buffer_t b, msgb;
@@ -2907,10 +2964,14 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 
 	if (msg->tsigkey == NULL && msg->tsig == NULL && msg->sig0 == NULL)
 		return (ISC_R_SUCCESS);
+
 	INSIST(msg->saved.base != NULL);
 	isc_buffer_init(&msgb, msg->saved.base, msg->saved.length);
 	isc_buffer_add(&msgb, msg->saved.length);
 	if (msg->tsigkey != NULL || msg->tsig != NULL) {
+#ifdef SKAN_MSG_DEBUG
+		dns_message_dumpsig(msg, "dns_message_checksig#1");
+#endif
 		if (view != NULL)
 			return (dns_view_checksig(view, &msgb, msg));
 		else
@@ -2963,6 +3024,7 @@ dns_message_checksig(dns_message_t *msg, dns_view_t *view) {
 		{
 			dst_key_t *key = NULL;
 
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&keyset, &rdata);
 			isc_buffer_init(&b, rdata.data, rdata.length);
 			isc_buffer_add(&b, rdata.length);
@@ -3068,6 +3130,10 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 	isc_result_t result;
 	char buf[sizeof("1234567890")];
 	isc_uint32_t mbz;
+	dns_rdata_t rdata;
+	isc_buffer_t optbuf;
+	isc_uint16_t optcode, optlen;
+	unsigned char *optdata;
 
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	REQUIRE(target != NULL);
@@ -3097,6 +3163,50 @@ dns_message_pseudosectiontotext(dns_message_t *msg,
 			ADD_STRING(target, "; udp: ");
 		snprintf(buf, sizeof(buf), "%u\n", (unsigned int)ps->rdclass);
 		ADD_STRING(target, buf);
+
+		result = dns_rdataset_first(ps);
+		if (result != ISC_R_SUCCESS)
+			return (ISC_R_SUCCESS);
+
+		/* Print EDNS info, if any */
+		dns_rdata_init(&rdata);
+		dns_rdataset_current(ps, &rdata);
+		if (rdata.length < 4)
+			return (ISC_R_SUCCESS);
+
+		isc_buffer_init(&optbuf, rdata.data, rdata.length);
+		isc_buffer_add(&optbuf, rdata.length);
+		optcode = isc_buffer_getuint16(&optbuf);
+		optlen = isc_buffer_getuint16(&optbuf);
+
+		if (optcode == DNS_OPT_NSID) {
+			ADD_STRING(target, "; NSID");
+		} else {
+			ADD_STRING(target, "; OPT=");
+			sprintf(buf, "%u", optcode);
+			ADD_STRING(target, buf);
+		}
+
+		if (optlen != 0) {
+			int i;
+			ADD_STRING(target, ": ");
+
+			optdata = rdata.data + 4;
+			for (i = 0; i < optlen; i++) {
+				sprintf(buf, "%02x ", optdata[i]);
+				ADD_STRING(target, buf);
+			}
+			for (i = 0; i < optlen; i++) {
+				ADD_STRING(target, " (");
+				if (isprint(optdata[i]))
+					isc_buffer_putmem(target, &optdata[i],
+							  1);
+				else
+					isc_buffer_putstr(target, ".");
+				ADD_STRING(target, ")");
+			}
+		}
+		ADD_STRING(target, "\n");
 		return (ISC_R_SUCCESS);
 	case DNS_PSEUDOSECTION_TSIG:
 		ps = dns_message_gettsig(msg, &name);
diff --git a/lib/dns/name.c b/lib/dns/name.c
index 7f5d4e9..f4ea3e9 100644
--- a/lib/dns/name.c
+++ b/lib/dns/name.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: name.c,v 1.144.18.16 2006/12/07 07:03:10 marka Exp $ */
+/* $Id: name.c,v 1.165 2008/04/01 23:47:10 tbox Exp $ */
 
 /*! \file */
 
@@ -155,7 +155,7 @@ do { \
 static unsigned char root_ndata[] = { '\0' };
 static unsigned char root_offsets[] = { 0 };
 
-static dns_name_t root = 
+static dns_name_t root =
 {
 	DNS_NAME_MAGIC,
 	root_ndata, 1, 1,
@@ -298,7 +298,7 @@ dns_name_ismailbox(const dns_name_t *name) {
 	REQUIRE(name->labels > 0);
 	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
 
-	/* 
+	/*
 	 * Root label.
 	 */
 	if (name->length == 1)
@@ -312,7 +312,7 @@ dns_name_ismailbox(const dns_name_t *name) {
 		if (!domainchar(ch))
 			return (ISC_FALSE);
 	}
-	
+
 	if (ndata == name->ndata + name->length)
 		return (ISC_FALSE);
 
@@ -347,8 +347,8 @@ dns_name_ishostname(const dns_name_t *name, isc_boolean_t wildcard) {
 	REQUIRE(VALID_NAME(name));
 	REQUIRE(name->labels > 0);
 	REQUIRE(name->attributes & DNS_NAMEATTR_ABSOLUTE);
-	
-	/* 
+
+	/*
 	 * Root label.
 	 */
 	if (name->length == 1)
@@ -918,7 +918,7 @@ dns_name_getlabelsequence(const dns_name_t *source,
 
 	target->ndata = &source->ndata[firstoffset];
 	target->length = endoffset - firstoffset;
-	
+
 	if (first + n == source->labels && n > 0 &&
 	    (source->attributes & DNS_NAMEATTR_ABSOLUTE) != 0)
 		target->attributes |= DNS_NAMEATTR_ABSOLUTE;
@@ -991,7 +991,7 @@ dns_name_fromregion(dns_name_t *name, const isc_region_t *r) {
 		name->length = len;
 	} else {
 		name->ndata = r->base;
-		name->length = (r->length <= DNS_NAME_MAXWIRE) ? 
+		name->length = (r->length <= DNS_NAME_MAXWIRE) ?
 			r->length : DNS_NAME_MAXWIRE;
 	}
 
@@ -1049,7 +1049,7 @@ dns_name_fromtext(dns_name_t *name, isc_buffer_t *source,
 	REQUIRE(ISC_BUFFER_VALID(source));
 	REQUIRE((target != NULL && ISC_BUFFER_VALID(target)) ||
 		(target == NULL && ISC_BUFFER_VALID(name->buffer)));
-	
+
 	downcase = ISC_TF((options & DNS_NAME_DOWNCASE) != 0);
 
 	if (target == NULL && name->buffer != NULL) {
@@ -1297,24 +1297,25 @@ totext_filter_proc_key_init(void) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
-        if (!thread_key_initialized) {
+	if (!thread_key_initialized) {
 		LOCK(&thread_key_mutex);
 		if (thread_key_mctx == NULL)
 			result = isc_mem_create2(0, 0, &thread_key_mctx, 0);
 		if (result != ISC_R_SUCCESS)
 			goto unlock;
+		isc_mem_setname(thread_key_mctx, "threadkey", NULL);
 		isc_mem_setdestroycheck(thread_key_mctx, ISC_FALSE);
-		
+
 		if (!thread_key_initialized &&
 		     isc_thread_key_create(&totext_filter_proc_key,
-					    free_specific) != 0) {
+					   free_specific) != 0) {
 			result = ISC_R_FAILURE;
 			isc_mem_detach(&thread_key_mctx);
 		} else
 			thread_key_initialized = 1;
  unlock:
 		UNLOCK(&thread_key_mutex);
-        }
+	}
 	return (result);
 }
 #endif
@@ -1930,7 +1931,8 @@ dns_name_towire(const dns_name_t *name, dns_compress_t *cctx,
 
 	methods = dns_compress_getmethods(cctx);
 
-	if ((methods & DNS_COMPRESS_GLOBAL14) != 0)
+	if ((name->attributes & DNS_NAMEATTR_NOCOMPRESS) == 0 &&
+	    (methods & DNS_COMPRESS_GLOBAL14) != 0)
 		gf = dns_compress_findglobal(cctx, name, &gp, &go);
 	else
 		gf = ISC_FALSE;
@@ -2298,7 +2300,7 @@ dns_name_settotextfilter(dns_name_totextfilter_t proc) {
 			result = ISC_R_UNEXPECTED;
 		return (result);
 	}
-	
+
 	mem = isc_mem_get(thread_key_mctx, sizeof(*mem));
 	if (mem == NULL)
 		return (ISC_R_NOMEMORY);
diff --git a/lib/dns/ncache.c b/lib/dns/ncache.c
index 1fdc5c8..af0450b 100644
--- a/lib/dns/ncache.c
+++ b/lib/dns/ncache.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ncache.c,v 1.36.18.3 2005/04/29 00:15:59 marka Exp $ */
+/* $Id: ncache.c,v 1.43 2008/09/25 04:02:38 tbox Exp $ */
 
 /*! \file */
 
@@ -30,6 +30,9 @@
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/rdatastruct.h>
+
+#define DNS_NCACHE_RDATA 20U
 
 /*
  * The format of an ncache rdata is a sequence of one or more records of
@@ -92,6 +95,16 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	       dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
 	       dns_rdataset_t *addedrdataset)
 {
+	return (dns_ncache_addoptout(message, cache, node, covers, now, maxttl,
+				    ISC_FALSE, addedrdataset));
+}
+
+isc_result_t
+dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache,
+		     dns_dbnode_t *node, dns_rdatatype_t covers,
+		     isc_stdtime_t now, dns_ttl_t maxttl,
+		     isc_boolean_t optout, dns_rdataset_t *addedrdataset)
+{
 	isc_result_t result;
 	isc_buffer_t buffer;
 	isc_region_t r;
@@ -100,10 +113,11 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	dns_name_t *name;
 	dns_ttl_t ttl;
 	dns_trust_t trust;
-	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_t rdata[DNS_NCACHE_RDATA];
 	dns_rdataset_t ncrdataset;
 	dns_rdatalist_t ncrdatalist;
 	unsigned char data[4096];
+	unsigned int next = 0;
 
 	/*
 	 * Convert the authority data from 'message' into a negative cache
@@ -118,7 +132,17 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	 */
 
 	/*
-	 * First, build an ncache rdata in buffer.
+	 * Initialize the list.
+	 */
+	ncrdatalist.rdclass = dns_db_class(cache);
+	ncrdatalist.type = 0;
+	ncrdatalist.covers = covers;
+	ncrdatalist.ttl = maxttl;
+	ISC_LIST_INIT(ncrdatalist.rdata);
+	ISC_LINK_INIT(&ncrdatalist, link);
+
+	/*
+	 * Build an ncache rdatas into buffer.
 	 */
 	ttl = maxttl;
 	trust = 0xffff;
@@ -142,7 +166,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 				if (type == dns_rdatatype_rrsig)
 					type = rdataset->covers;
 				if (type == dns_rdatatype_soa ||
-				    type == dns_rdatatype_nsec) {
+				    type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3) {
 					if (ttl > rdataset->ttl)
 						ttl = rdataset->ttl;
 					if (trust > rdataset->trust)
@@ -171,6 +196,21 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 							       &buffer);
 					if (result != ISC_R_SUCCESS)
 						return (result);
+
+					if (next >= DNS_NCACHE_RDATA)
+						return (ISC_R_NOSPACE);
+					dns_rdata_init(&rdata[next]);
+					isc_buffer_remainingregion(&buffer, &r);
+					rdata[next].data = r.base;
+					rdata[next].length = r.length;
+					rdata[next].rdclass =
+						ncrdatalist.rdclass;
+					rdata[next].type = 0;
+					rdata[next].flags = 0;
+					ISC_LIST_APPEND(ncrdatalist.rdata,
+							&rdata[next], link);
+					isc_buffer_forward(&buffer, r.length);
+					next++;
 				}
 			}
 		}
@@ -226,27 +266,24 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 			trust = dns_trust_authauthority;
 		} else
 			trust = dns_trust_additional;
+		/*
+		 * Now add it to the cache.
+		 */
+		if (next >= DNS_NCACHE_RDATA)
+			return (ISC_R_NOSPACE);
+		dns_rdata_init(&rdata[next]);
+		isc_buffer_remainingregion(&buffer, &r);
+		rdata[next].data = r.base;
+		rdata[next].length = r.length;
+		rdata[next].rdclass = ncrdatalist.rdclass;
+		rdata[next].type = 0;
+		rdata[next].flags = 0;
+		ISC_LIST_APPEND(ncrdatalist.rdata, &rdata[next], link);
 	}
 
-	/*
-	 * Now add it to the cache.
-	 */
 	INSIST(trust != 0xffff);
-	isc_buffer_usedregion(&buffer, &r);
-	rdata.data = r.base;
-	rdata.length = r.length;
-	rdata.rdclass = dns_db_class(cache);
-	rdata.type = 0;
-	rdata.flags = 0;
-
-	ncrdatalist.rdclass = rdata.rdclass;
-	ncrdatalist.type = 0;
-	ncrdatalist.covers = covers;
-	ncrdatalist.ttl = ttl;
-	ISC_LIST_INIT(ncrdatalist.rdata);
-	ISC_LINK_INIT(&ncrdatalist, link);
 
-	ISC_LIST_APPEND(ncrdatalist.rdata, &rdata, link);
+	ncrdatalist.ttl = ttl;
 
 	dns_rdataset_init(&ncrdataset);
 	RUNTIME_CHECK(dns_rdatalist_tordataset(&ncrdatalist, &ncrdataset)
@@ -254,6 +291,8 @@ dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 	ncrdataset.trust = trust;
 	if (message->rcode == dns_rcode_nxdomain)
 		ncrdataset.attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	if (optout)
+		ncrdataset.attributes |= DNS_RDATASETATTR_OPTOUT;
 
 	return (dns_db_addrdataset(cache, node, NULL, now, &ncrdataset,
 				   0, addedrdataset));
@@ -281,18 +320,14 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 	REQUIRE(rdataset != NULL);
 	REQUIRE(rdataset->type == 0);
 
-	result = dns_rdataset_first(rdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(rdataset, &rdata);
-	INSIST(dns_rdataset_next(rdataset) == ISC_R_NOMORE);
-	isc_buffer_init(&source, rdata.data, rdata.length);
-	isc_buffer_add(&source, rdata.length);
-
 	savedbuffer = *target;
-
 	count = 0;
-	do {
+
+	result = dns_rdataset_first(rdataset);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(rdataset, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
 		dns_name_init(&name, NULL);
 		isc_buffer_remainingregion(&source, &remaining);
 		dns_name_fromregion(&name, &remaining);
@@ -370,8 +405,12 @@ dns_ncache_towire(dns_rdataset_t *rdataset, dns_compress_t *cctx,
 
 			count++;
 		}
-		isc_buffer_remainingregion(&source, &remaining);
-	} while (remaining.length > 0);
+		INSIST(isc_buffer_remaininglength(&source) == 0);
+		result = dns_rdataset_next(rdataset);
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto rollback;
 
 	*countp = count;
 
@@ -478,6 +517,8 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	NULL,
 	NULL,
 	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -491,8 +532,6 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 	isc_buffer_t source;
 	dns_name_t tname;
 	dns_rdatatype_t ttype;
-	unsigned int i, rcount;
-	isc_uint16_t length;
 
 	REQUIRE(ncacherdataset != NULL);
 	REQUIRE(ncacherdataset->type == 0);
@@ -501,14 +540,10 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 	REQUIRE(type != dns_rdatatype_rrsig);
 
 	result = dns_rdataset_first(ncacherdataset);
-	if (result != ISC_R_SUCCESS)
-		return (result);
-	dns_rdataset_current(ncacherdataset, &rdata);
-	INSIST(dns_rdataset_next(ncacherdataset) == ISC_R_NOMORE);
-	isc_buffer_init(&source, rdata.data, rdata.length);
-	isc_buffer_add(&source, rdata.length);
-
-	do {
+	while (result == ISC_R_SUCCESS) {
+		dns_rdataset_current(ncacherdataset, &rdata);
+		isc_buffer_init(&source, rdata.data, rdata.length);
+		isc_buffer_add(&source, rdata.length);
 		dns_name_init(&tname, NULL);
 		isc_buffer_remainingregion(&source, &remaining);
 		dns_name_fromregion(&tname, &remaining);
@@ -523,21 +558,15 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 			isc_buffer_remainingregion(&source, &remaining);
 			break;
 		}
-
-		rcount = isc_buffer_getuint16(&source);
-		for (i = 0; i < rcount; i++) {
-			isc_buffer_remainingregion(&source, &remaining);
-			INSIST(remaining.length >= 2);
-			length = isc_buffer_getuint16(&source);
-			isc_buffer_remainingregion(&source, &remaining);
-			INSIST(remaining.length >= length);
-			isc_buffer_forward(&source, length);
-		}
-		isc_buffer_remainingregion(&source, &remaining);
-	} while (remaining.length > 0);
-
-	if (remaining.length == 0)
+		result = dns_rdataset_next(ncacherdataset);
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE)
 		return (ISC_R_NOTFOUND);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	INSIST(remaining.length != 0);
 
 	rdataset->methods = &rdataset_methods;
 	rdataset->rdclass = ncacherdataset->rdclass;
@@ -555,5 +584,75 @@ dns_ncache_getrdataset(dns_rdataset_t *ncacherdataset, dns_name_t *name,
 	 */
 	rdataset->privateuint4 = 0;
 	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
 	return (ISC_R_SUCCESS);
 }
+
+void
+dns_ncache_current(dns_rdataset_t *ncacherdataset, dns_name_t *found,
+		   dns_rdataset_t *rdataset)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t remaining, sigregion;
+	isc_buffer_t source;
+	dns_name_t tname;
+	dns_rdatatype_t type;
+	unsigned int count;
+	dns_rdata_rrsig_t rrsig;
+	unsigned char *raw;
+
+	REQUIRE(ncacherdataset != NULL);
+	REQUIRE(ncacherdataset->type == 0);
+	REQUIRE(found != NULL);
+	REQUIRE(!dns_rdataset_isassociated(rdataset));
+
+	dns_rdataset_current(ncacherdataset, &rdata);
+	isc_buffer_init(&source, rdata.data, rdata.length);
+	isc_buffer_add(&source, rdata.length);
+
+	dns_name_init(&tname, NULL);
+	isc_buffer_remainingregion(&source, &remaining);
+	dns_name_fromregion(found, &remaining);
+	INSIST(remaining.length >= found->length);
+	isc_buffer_forward(&source, found->length);
+	remaining.length -= found->length;
+
+	INSIST(remaining.length >= 4);
+	type = isc_buffer_getuint16(&source);
+	isc_buffer_remainingregion(&source, &remaining);
+
+	rdataset->methods = &rdataset_methods;
+	rdataset->rdclass = ncacherdataset->rdclass;
+	rdataset->type = type;
+	if (type == dns_rdatatype_rrsig) {
+		/*
+		 * Extract covers from RRSIG.
+		 */
+		raw = remaining.base;
+		count = raw[0] * 256 + raw[1];
+		INSIST(count > 0);
+		raw += 2;
+		sigregion.length = raw[0] * 256 + raw[1];
+		raw += 2;
+		sigregion.base = raw;
+		dns_rdata_reset(&rdata);
+		dns_rdata_fromregion(&rdata, rdataset->rdclass,
+				     rdataset->type, &sigregion);
+		(void)dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		rdataset->covers = rrsig.covered;
+	} else
+		rdataset->covers = 0;
+	rdataset->ttl = ncacherdataset->ttl;
+	rdataset->trust = ncacherdataset->trust;
+	rdataset->private1 = NULL;
+	rdataset->private2 = NULL;
+
+	rdataset->private3 = remaining.base;
+
+	/*
+	 * Reset iterator state.
+	 */
+	rdataset->privateuint4 = 0;
+	rdataset->private5 = NULL;
+	rdataset->private6 = NULL;
+}
diff --git a/lib/dns/nsec.c b/lib/dns/nsec.c
index c1de67e..39f409c 100644
--- a/lib/dns/nsec.c
+++ b/lib/dns/nsec.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec.c,v 1.5.20.2 2005/04/29 00:15:59 marka Exp $ */
+/* $Id: nsec.c,v 1.11.48.2 2009/01/06 23:47:26 tbox Exp $ */
 
 /*! \file */
 
@@ -33,6 +33,8 @@
 #include <dns/rdatastruct.h>
 #include <dns/result.h>
 
+#include <dst/dst.h>
+
 #define RETERR(x) do { \
 	result = (x); \
 	if (result != ISC_R_SUCCESS) \
@@ -88,6 +90,7 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	 */
 	bm = r.base + r.length + 512;
 	nsec_bits = r.base + r.length;
+	set_bit(bm, dns_rdatatype_rrsig, 1);
 	set_bit(bm, dns_rdatatype_nsec, 1);
 	max_type = dns_rdatatype_nsec;
 	dns_rdataset_init(&rdataset);
@@ -100,7 +103,9 @@ dns_nsec_buildrdata(dns_db_t *db, dns_dbversion_t *version,
 	     result = dns_rdatasetiter_next(rdsiter))
 	{
 		dns_rdatasetiter_current(rdsiter, &rdataset);
-		if (rdataset.type != dns_rdatatype_nsec) {
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig) {
 			if (rdataset.type > max_type)
 				max_type = rdataset.type;
 			set_bit(bm, rdataset.type, 1);
@@ -197,7 +202,7 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
 	/* This should never fail */
 	result = dns_rdata_tostruct(nsec, &nsecstruct, NULL);
 	INSIST(result == ISC_R_SUCCESS);
-	
+
 	present = ISC_FALSE;
 	for (i = 0; i < nsecstruct.len; i += len) {
 		INSIST(i + 2 <= nsecstruct.len);
@@ -215,6 +220,58 @@ dns_nsec_typepresent(dns_rdata_t *nsec, dns_rdatatype_t type) {
 						   type % 256));
 		break;
 	}
-	dns_rdata_freestruct(&nsec);
+	dns_rdata_freestruct(&nsecstruct);
 	return (present);
 }
+
+isc_result_t
+dns_nsec_nseconly(dns_db_t *db, dns_dbversion_t *version,
+		  isc_boolean_t *answer)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_dnskey_t dnskey;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     0, 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &dnskey, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (dnskey.algorithm == DST_ALG_RSAMD5 ||
+		    dnskey.algorithm == DST_ALG_RSASHA1 ||
+		    dnskey.algorithm == DST_ALG_DSA ||
+		    dnskey.algorithm == DST_ALG_ECC)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS)
+		*answer = ISC_TRUE;
+	if (result == ISC_R_NOMORE) {
+		*answer = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
diff --git a/lib/dns/nsec3.c b/lib/dns/nsec3.c
new file mode 100644
index 0000000..54a6993
--- /dev/null
+++ b/lib/dns/nsec3.c
@@ -0,0 +1,1377 @@
+/*
+ * Copyright (C) 2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3.c,v 1.6 2008/11/17 23:46:42 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dst/dst.h>
+
+#include <dns/db.h>
+#include <dns/dbiterator.h>
+#include <dns/diff.h>
+#include <dns/fixedname.h>
+#include <dns/nsec3.h>
+#include <dns/rdata.h>
+#include <dns/rdatalist.h>
+#include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
+#include <dns/rdatastruct.h>
+#include <dns/result.h>
+
+#define CHECK(x) do { \
+	result = (x); \
+	if (result != ISC_R_SUCCESS) \
+		goto failure; \
+	} while (0)
+
+#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
+#define CREATE(x) (((x) & DNS_NSEC3FLAG_CREATE) != 0)
+#define REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+
+static void
+set_bit(unsigned char *array, unsigned int index, unsigned int bit) {
+	unsigned int shift, mask;
+
+	shift = 7 - (index % 8);
+	mask = 1 << shift;
+
+	if (bit != 0)
+		array[index / 8] |= mask;
+	else
+		array[index / 8] &= (~mask & 0xFF);
+}
+
+static unsigned int
+bit_isset(unsigned char *array, unsigned int index) {
+	unsigned int byte, shift, mask;
+
+	byte = array[index / 8];
+	shift = 7 - (index % 8);
+	mask = 1 << shift;
+
+	return ((byte & mask) != 0);
+}
+
+isc_result_t
+dns_nsec3_buildrdata(dns_db_t *db, dns_dbversion_t *version,
+		     dns_dbnode_t *node, unsigned int hashalg,
+		     unsigned int flags, unsigned int iterations,
+		     const unsigned char *salt, size_t salt_length,
+		     const unsigned char *nexthash, size_t hash_length,
+		     unsigned char *buffer, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	isc_region_t r;
+	unsigned int i, window;
+	int octet;
+	isc_boolean_t found;
+
+	unsigned char *nsec_bits, *bm;
+	unsigned int max_type;
+	dns_rdatasetiter_t *rdsiter;
+	unsigned char *p;
+
+	REQUIRE(salt_length < 256U);
+	REQUIRE(hash_length < 256U);
+	REQUIRE(flags <= 0xffU);
+	REQUIRE(hashalg <= 0xffU);
+	REQUIRE(iterations <= 0xffffU);
+
+	switch (hashalg) {
+	case dns_hash_sha1:
+		REQUIRE(hash_length == ISC_SHA1_DIGESTLENGTH);
+		break;
+	}
+
+	memset(buffer, 0, DNS_NSEC3_BUFFERSIZE);
+
+	p = buffer;
+
+	*p++ = hashalg;
+	*p++ = flags;
+
+	*p++ = iterations >> 8;
+	*p++ = iterations;
+
+	*p++ = salt_length;
+	memcpy(p, salt, salt_length);
+	p += salt_length;
+
+	*p++ = hash_length;
+	memcpy(p, nexthash, hash_length);
+	p += hash_length;
+
+	r.length = p - buffer;
+	r.base = buffer;
+
+	/*
+	 * Use the end of the space for a raw bitmap leaving enough
+	 * space for the window identifiers and length octets.
+	 */
+	bm = r.base + r.length + 512;
+	nsec_bits = r.base + r.length;
+	max_type = 0;
+	if (node == NULL)
+		goto collapse_bitmap;
+	dns_rdataset_init(&rdataset);
+	rdsiter = NULL;
+	result = dns_db_allrdatasets(db, node, version, 0, &rdsiter);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	found = ISC_FALSE;
+	for (result = dns_rdatasetiter_first(rdsiter);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(rdsiter))
+	{
+		dns_rdatasetiter_current(rdsiter, &rdataset);
+		if (rdataset.type != dns_rdatatype_nsec &&
+		    rdataset.type != dns_rdatatype_nsec3 &&
+		    rdataset.type != dns_rdatatype_rrsig) {
+			if (rdataset.type > max_type)
+				max_type = rdataset.type;
+			set_bit(bm, rdataset.type, 1);
+			/* Don't set RRSIG for insecure delegation. */
+			if (rdataset.type != dns_rdatatype_ns)
+				found = ISC_TRUE;
+		}
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (found) {
+		if (dns_rdatatype_rrsig > max_type)
+			max_type = dns_rdatatype_rrsig;
+		set_bit(bm, dns_rdatatype_rrsig, 1);
+	}
+
+	/*
+	 * At zone cuts, deny the existence of glue in the parent zone.
+	 */
+	if (bit_isset(bm, dns_rdatatype_ns) &&
+	    ! bit_isset(bm, dns_rdatatype_soa)) {
+		for (i = 0; i <= max_type; i++) {
+			if (bit_isset(bm, i) &&
+			    ! dns_rdatatype_iszonecutauth((dns_rdatatype_t)i))
+				set_bit(bm, i, 0);
+		}
+	}
+
+	dns_rdatasetiter_destroy(&rdsiter);
+	if (result != ISC_R_NOMORE)
+		return (result);
+
+ collapse_bitmap:
+	for (window = 0; window < 256; window++) {
+		if (window * 256 > max_type)
+			break;
+		for (octet = 31; octet >= 0; octet--)
+			if (bm[window * 32 + octet] != 0)
+				break;
+		if (octet < 0)
+			continue;
+		nsec_bits[0] = window;
+		nsec_bits[1] = octet + 1;
+		/*
+		 * Note: potentially overlapping move.
+		 */
+		memmove(&nsec_bits[2], &bm[window * 32], octet + 1);
+		nsec_bits += 3 + octet;
+	}
+	r.length = nsec_bits - r.base;
+	INSIST(r.length <= DNS_NSEC3_BUFFERSIZE);
+	dns_rdata_fromregion(rdata, dns_db_class(db), dns_rdatatype_nsec3, &r);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_boolean_t
+dns_nsec3_typepresent(dns_rdata_t *rdata, dns_rdatatype_t type) {
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+	isc_boolean_t present;
+	unsigned int i, len, window;
+
+	REQUIRE(rdata != NULL);
+	REQUIRE(rdata->type == dns_rdatatype_nsec3);
+
+	/* This should never fail */
+	result = dns_rdata_tostruct(rdata, &nsec3, NULL);
+	INSIST(result == ISC_R_SUCCESS);
+
+	present = ISC_FALSE;
+	for (i = 0; i < nsec3.len; i += len) {
+		INSIST(i + 2 <= nsec3.len);
+		window = nsec3.typebits[i];
+		len = nsec3.typebits[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= nsec3.len);
+		if (window * 256 > type)
+			break;
+		if ((window + 1) * 256 <= type)
+			continue;
+		if (type < (window * 256) + len * 8)
+			present = ISC_TF(bit_isset(&nsec3.typebits[i],
+						   type % 256));
+		break;
+	}
+	dns_rdata_freestruct(&nsec3);
+	return (present);
+}
+
+isc_result_t
+dns_nsec3_hashname(dns_fixedname_t *result,
+		   unsigned char rethash[NSEC3_MAX_HASH_LENGTH],
+		   size_t *hash_length, dns_name_t *name, dns_name_t *origin,
+		   dns_hash_t hashalg, unsigned int iterations,
+		   const unsigned char *salt, size_t saltlength)
+{
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nametext[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fixed;
+	dns_name_t *downcased;
+	isc_buffer_t namebuffer;
+	isc_region_t region;
+	size_t len;
+
+	if (rethash == NULL)
+		rethash = hash;
+
+	memset(rethash, 0, NSEC3_MAX_HASH_LENGTH);
+
+	dns_fixedname_init(&fixed);
+	downcased = dns_fixedname_name(&fixed);
+	dns_name_downcase(name, downcased, NULL);
+
+	/* hash the node name */
+	len = isc_iterated_hash(rethash, hashalg, iterations, salt, saltlength,
+				downcased->ndata, downcased->length);
+	if (len == 0U)
+		return (DNS_R_BADALG);
+
+	if (hash_length != NULL)
+		*hash_length = len;
+
+	/* convert the hash to base32hex */
+	region.base = rethash;
+	region.length = len;
+	isc_buffer_init(&namebuffer, nametext, sizeof nametext);
+	isc_base32hex_totext(&region, 1, "", &namebuffer);
+
+	/* convert the hex to a domain name */
+	dns_fixedname_init(result);
+	return (dns_name_fromtext(dns_fixedname_name(result), &namebuffer,
+				  origin, 0, NULL));
+}
+
+unsigned int
+dns_nsec3_hashlength(dns_hash_t hash) {
+
+	switch (hash) {
+	case dns_hash_sha1: return(ISC_SHA1_DIGESTLENGTH);
+	}
+	return (0);
+}
+
+isc_boolean_t
+dns_nsec3_supportedhash(dns_hash_t hash) {
+	switch (hash) {
+	case dns_hash_sha1: return (ISC_TRUE);
+	}
+	return (ISC_FALSE);
+}
+
+/*%
+ * Update a single RR in version 'ver' of 'db' and log the
+ * update in 'diff'.
+ *
+ * Ensures:
+ * \li  '*tuple' == NULL.  Either the tuple is freed, or its
+ *      ownership has been transferred to the diff.
+ */
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	temp_diff.resign = diff->resign;
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+/*%
+ * Set '*exists' to true iff the given name exists, to false otherwise.
+ */
+static isc_result_t
+name_exists(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	    isc_boolean_t *exists)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdatasetiter_t *iter = NULL;
+
+	result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*exists = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_allrdatasets(db, node, version,
+				     (isc_stdtime_t) 0, &iter);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	result = dns_rdatasetiter_first(iter);
+	if (result == ISC_R_SUCCESS) {
+		*exists = ISC_TRUE;
+	} else if (result == ISC_R_NOMORE) {
+		*exists = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+	} else
+		*exists = ISC_FALSE;
+	dns_rdatasetiter_destroy(&iter);
+
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_boolean_t
+match_nsec3param(const dns_rdata_nsec3_t *nsec3,
+		 const dns_rdata_nsec3param_t *nsec3param)
+{
+	if (nsec3->hash == nsec3param->hash &&
+	    nsec3->iterations == nsec3param->iterations &&
+	    nsec3->salt_length == nsec3param->salt_length &&
+	    !memcmp(nsec3->salt, nsec3param->salt, nsec3->salt_length))
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+/*%
+ * Delete NSEC3 records at "name" which match "param", recording the
+ * change in "diff".
+ */
+static isc_result_t
+delete(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+       const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL ;
+	dns_difftuple_t *tuple = NULL;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup_node;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_node;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+
+		if (!match_nsec3param(&nsec3, nsec3param))
+			continue;
+
+		result = dns_difftuple_create(diff->mctx, DNS_DIFFOP_DEL, name,
+					      rdataset.ttl, &rdata, &tuple);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+		result = do_one_tuple(&tuple, db, version, diff);
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+	result = ISC_R_SUCCESS;
+
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+ cleanup_node:
+	dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+#ifndef RFC5155_STRICT
+static isc_boolean_t
+better_param(dns_rdataset_t *nsec3paramset, dns_rdata_t *param) {
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	if (REMOVE(param->data[1]))
+		return (ISC_TRUE);
+
+	dns_rdataset_init(&rdataset);
+	dns_rdataset_clone(nsec3paramset, &rdataset);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata =  DNS_RDATA_INIT;
+		dns_rdataset_current(&rdataset, &rdata);
+		if (rdata.length != param->length)
+			continue;
+		if (rdata.data[0] != param->data[0] ||
+		    REMOVE(rdata.data[1]) ||
+		    rdata.data[2] != param->data[2] ||
+		    rdata.data[3] != param->data[3] ||
+		    rdata.data[4] != param->data[4] ||
+		    memcmp(&rdata.data[5], &param->data[5], param->data[4]))
+			continue;
+		if (CREATE(rdata.data[1]) && !CREATE(param->data[1])) {
+			dns_rdataset_disassociate(&rdataset);
+			return (ISC_TRUE);
+		}
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_FALSE);
+}
+#endif
+
+static isc_result_t
+find_nsec3(dns_rdata_nsec3_t *nsec3, dns_rdataset_t *rdataset,
+	   const dns_rdata_nsec3param_t *nsec3param)
+{
+	isc_result_t result;
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, nsec3, NULL));
+		dns_rdata_reset(&rdata);
+		if (match_nsec3param(nsec3, nsec3param))
+			break;
+	}
+ failure:
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_addnsec3(dns_db_t *db, dns_dbversion_t *version,
+		   dns_name_t *name, const dns_rdata_nsec3param_t *nsec3param,
+		   dns_ttl_t nsecttl, isc_boolean_t unsecure, dns_diff_t *diff)
+{
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbnode_t *newnode = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	isc_boolean_t exists;
+	isc_boolean_t remove_unsecure = ISC_FALSE;
+	isc_uint8_t flags;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *old_next;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int old_length;
+	unsigned int salt_length;
+
+	dns_fixedname_init(&fixed);
+	hashname = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&fprev);
+	prev = dns_fixedname_name(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * Default flags for a new chain.
+	 */
+	flags = nsec3param->flags & DNS_NSEC3FLAG_OPTOUT;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+				 name, origin, hash, iterations,
+				 salt, salt_length));
+
+	/*
+	 * Create the node if it doesn't exist and hold
+	 * a reference to it until we have added the NSEC3.
+	 */
+	CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
+
+	/*
+	 * Seek the iterator to the 'newnode'.
+	 */
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, hashname));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, newnode, version, dns_rdatatype_nsec3,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	/*
+	 * If we updating a existing NSEC3 then find its
+	 * next field.
+	 */
+	if (result == ISC_R_SUCCESS) {
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			if (!CREATE(nsec3param->flags))
+				flags = nsec3.flags;
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memcpy(nexthash, nsec3.next, next_length);
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * If the NSEC3 is not for a unsecure delegation then
+			 * we are just updating it.  If it is for a unsecure
+			 * delegation then we need find out if we need to
+			 * remove the NSEC3 record or not by examining the
+			 * previous NSEC3 record.
+			 */
+			if (!unsecure)
+				goto addnsec3;
+			else
+				remove_unsecure = ISC_TRUE;
+		} else {
+			dns_rdataset_disassociate(&rdataset);
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+	}
+
+	/*
+	 * Find the previous NSEC3 (if any) and update it if required.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS)
+			continue;
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		if (remove_unsecure) {
+			dns_rdataset_disassociate(&rdataset);
+			/*
+			 * We have found the previous NSEC3 record and can now
+			 * see if the existing NSEC3 record needs to be
+			 * updated or deleted.
+			 */
+			if (!OPTOUT(nsec3.flags)) {
+				/*
+				 * Just update the NSEC3 record.
+				 */
+				goto addnsec3;
+			} else {
+				/*
+				 * This is actually a deletion not a add.
+				 */
+				result = dns_nsec3_delnsec3(db, version, name,
+							    nsec3param, diff);
+				goto failure;
+			}
+		} else {
+			/*
+			 * Is this is a unsecure delegation we are adding?
+			 * If so no change is required.
+			 */
+			if (OPTOUT(nsec3.flags) && unsecure) {
+				dns_rdataset_disassociate(&rdataset);
+				goto failure;
+			}
+		}
+
+		old_next = nsec3.next;
+		old_length = nsec3.next_length;
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delete(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = next_length;
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(old_length <= sizeof(nexthash));
+		memcpy(nexthash, old_next, old_length);
+		if (!CREATE(nsec3param->flags))
+			flags = nsec3.flags;
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+ addnsec3:
+	/*
+	 * Create the NSEC3 RDATA.
+	 */
+	CHECK(dns_db_findnode(db, name, ISC_FALSE, &node));
+	CHECK(dns_nsec3_buildrdata(db, version, node, hash, flags, iterations,
+				   salt, salt_length, nexthash, next_length,
+				   nsec3buf, &rdata));
+	dns_db_detachnode(db, &node);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delete(db, version, hashname, nsec3param, diff));
+	/*
+	 * Add the new NSEC3 and record the change.
+	 */
+	CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+				   hashname, nsecttl, &rdata, &tuple));
+	CHECK(do_one_tuple(&tuple, db, version, diff));
+	INSIST(tuple == NULL);
+	dns_rdata_reset(&rdata);
+	dns_db_detachnode(db, &newnode);
+
+	/*
+	 * Add missing NSEC3 records for empty nodes
+	 */
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin))
+			break;
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(name_exists(db, version, &empty, &exists));
+		if (exists)
+			break;
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+					 &empty, origin, hash, iterations,
+					 salt, salt_length));
+
+		/*
+		 * Create the node if it doesn't exist and hold
+		 * a reference to it until we have added the NSEC3
+		 * or we discover we don't need to add make a change.
+		 */
+		CHECK(dns_db_findnsec3node(db, hashname, ISC_TRUE, &newnode));
+		result = dns_db_findrdataset(db, newnode, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		if (result == ISC_R_SUCCESS) {
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			dns_rdataset_disassociate(&rdataset);
+			if (result == ISC_R_SUCCESS) {
+				dns_db_detachnode(db, &newnode);
+				break;
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+		}
+
+		/*
+		 * Find the previous NSEC3 and update it.
+		 */
+		CHECK(dns_dbiterator_seek(dbit, hashname));
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(db, node, version,
+						     dns_rdatatype_nsec3, 0,
+						     (isc_stdtime_t) 0,
+						     &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			old_next = nsec3.next;
+			old_length = nsec3.next_length;
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delete(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = next_length;
+			isc_buffer_init(&buffer, nsec3buf,
+					sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			INSIST(old_length <= sizeof(nexthash));
+			memcpy(nexthash, old_next, old_length);
+			if (!CREATE(nsec3param->flags))
+				flags = nsec3.flags;
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Create the NSEC3 RDATA for the empty node.
+		 */
+		CHECK(dns_nsec3_buildrdata(db, version, NULL, hash, flags,
+					   iterations, salt, salt_length,
+					   nexthash, next_length, nsec3buf,
+					   &rdata));
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delete(db, version, hashname, nsec3param, diff));
+
+		/*
+		 * Add the new NSEC3 and record the change.
+		 */
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+					   hashname, nsecttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		INSIST(tuple == NULL);
+		dns_rdata_reset(&rdata);
+		dns_db_detachnode(db, &newnode);
+	} while (1);
+
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (newnode != NULL)
+		dns_db_detachnode(db, &newnode);
+	return (result);
+}
+
+/*%
+ * Add NSEC3 records for "name", recording the change in "diff".
+ * The existing NSEC3 records are removed.
+ */
+isc_result_t
+dns_nsec3_addnsec3s(dns_db_t *db, dns_dbversion_t *version,
+		    dns_name_t *name, dns_ttl_t nsecttl,
+		    isc_boolean_t unsecure, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+
+#ifdef RFC5155_STRICT
+		if (nsec3param.flags != 0)
+			continue;
+#else
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&rdataset, &rdata))
+			continue;
+#endif
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_addnsec3(db, version, name, &nsec3param,
+					 nsecttl, unsecure, diff));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		   const dns_rdata_nsec3param_t *nsec3param, dns_diff_t *diff)
+{
+	dns_dbiterator_t *dbit = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_difftuple_t *tuple = NULL;
+	dns_fixedname_t fixed;
+	dns_fixedname_t fprev;
+	dns_hash_t hash;
+	dns_name_t *hashname;
+	dns_name_t *origin;
+	dns_name_t *prev;
+	dns_name_t empty;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	int pass;
+	isc_boolean_t exists;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	unsigned char *salt;
+	unsigned char nexthash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char nsec3buf[DNS_NSEC3_BUFFERSIZE];
+	unsigned int iterations;
+	unsigned int labels;
+	size_t next_length;
+	unsigned int salt_length;
+
+	dns_fixedname_init(&fixed);
+	hashname = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&fprev);
+	prev = dns_fixedname_name(&fprev);
+
+	dns_rdataset_init(&rdataset);
+
+	origin = dns_db_origin(db);
+
+	/*
+	 * Chain parameters.
+	 */
+	hash = nsec3param->hash;
+	iterations = nsec3param->iterations;
+	salt_length = nsec3param->salt_length;
+	salt = nsec3param->salt;
+
+	/*
+	 * If this is the first NSEC3 in the chain nexthash will
+	 * remain pointing to itself.
+	 */
+	next_length = sizeof(nexthash);
+	CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+				 name, origin, hash, iterations,
+				 salt, salt_length));
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NSEC3ONLY, &dbit));
+
+	result = dns_dbiterator_seek(dbit, hashname);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	CHECK(dns_dbiterator_current(dbit, &node, NULL));
+	CHECK(dns_dbiterator_pause(dbit));
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec3,
+				     0, (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * If we find a existing NSEC3 for this chain then save the
+	 * next field.
+	 */
+	result = find_nsec3(&nsec3, &rdataset, nsec3param);
+	if (result == ISC_R_SUCCESS) {
+		next_length = nsec3.next_length;
+		INSIST(next_length <= sizeof(nexthash));
+		memcpy(nexthash, nsec3.next, next_length);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		goto success;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Find the previous NSEC3 and update it.
+	 */
+	pass = 0;
+	do {
+		result = dns_dbiterator_prev(dbit);
+		if (result == ISC_R_NOMORE) {
+			pass++;
+			CHECK(dns_dbiterator_last(dbit));
+		}
+		CHECK(dns_dbiterator_current(dbit, &node, prev));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result != ISC_R_SUCCESS)
+			continue;
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_NOMORE) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		/*
+		 * Delete the old previous NSEC3.
+		 */
+		CHECK(delete(db, version, prev, nsec3param, diff));
+
+		/*
+		 * Fixup the previous NSEC3.
+		 */
+		nsec3.next = nexthash;
+		nsec3.next_length = next_length;
+		isc_buffer_init(&buffer, nsec3buf, sizeof(nsec3buf));
+		CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+					   dns_rdatatype_nsec3, &nsec3,
+					   &buffer));
+		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, prev,
+					   rdataset.ttl, &rdata, &tuple));
+		CHECK(do_one_tuple(&tuple, db, version, diff));
+		dns_rdata_reset(&rdata);
+		dns_rdataset_disassociate(&rdataset);
+		break;
+	} while (pass < 2);
+
+	/*
+	 * Delete the old NSEC3 and record the change.
+	 */
+	CHECK(delete(db, version, hashname, nsec3param, diff));
+
+	/*
+	 *  Delete NSEC3 records for now non active nodes.
+	 */
+	dns_name_init(&empty, NULL);
+	dns_name_clone(name, &empty);
+	do {
+		labels = dns_name_countlabels(&empty) - 1;
+		if (labels <= dns_name_countlabels(origin))
+			break;
+		dns_name_getlabelsequence(&empty, 1, labels, &empty);
+		CHECK(name_exists(db, version, &empty, &exists));
+		if (exists)
+			break;
+
+		CHECK(dns_nsec3_hashname(&fixed, nexthash, &next_length,
+					 &empty, origin, hash, iterations,
+					 salt, salt_length));
+		result = dns_dbiterator_seek(dbit, hashname);
+		if (result == ISC_R_NOTFOUND)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		CHECK(dns_dbiterator_current(dbit, &node, NULL));
+		CHECK(dns_dbiterator_pause(dbit));
+		result = dns_db_findrdataset(db, node, version,
+					     dns_rdatatype_nsec3, 0,
+					     (isc_stdtime_t) 0, &rdataset,
+					     NULL);
+		dns_db_detachnode(db, &node);
+		if (result == ISC_R_NOTFOUND)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		result = find_nsec3(&nsec3, &rdataset, nsec3param);
+		if (result == ISC_R_SUCCESS) {
+			next_length = nsec3.next_length;
+			INSIST(next_length <= sizeof(nexthash));
+			memcpy(nexthash, nsec3.next, next_length);
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result == ISC_R_NOMORE)
+			goto success;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		pass = 0;
+		do {
+			result = dns_dbiterator_prev(dbit);
+			if (result == ISC_R_NOMORE) {
+				pass++;
+				CHECK(dns_dbiterator_last(dbit));
+			}
+			CHECK(dns_dbiterator_current(dbit, &node, prev));
+			CHECK(dns_dbiterator_pause(dbit));
+			result = dns_db_findrdataset(db, node, version,
+						     dns_rdatatype_nsec3, 0,
+						     (isc_stdtime_t) 0,
+						     &rdataset, NULL);
+			dns_db_detachnode(db, &node);
+			if (result != ISC_R_SUCCESS)
+				continue;
+			result = find_nsec3(&nsec3, &rdataset, nsec3param);
+			if (result == ISC_R_NOMORE) {
+				dns_rdataset_disassociate(&rdataset);
+				continue;
+			}
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+
+			/*
+			 * Delete the old previous NSEC3.
+			 */
+			CHECK(delete(db, version, prev, nsec3param, diff));
+
+			/*
+			 * Fixup the previous NSEC3.
+			 */
+			nsec3.next = nexthash;
+			nsec3.next_length = next_length;
+			isc_buffer_init(&buffer, nsec3buf,
+					sizeof(nsec3buf));
+			CHECK(dns_rdata_fromstruct(&rdata, rdataset.rdclass,
+						   dns_rdatatype_nsec3, &nsec3,
+						   &buffer));
+			CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD,
+						   prev, rdataset.ttl, &rdata,
+						   &tuple));
+			CHECK(do_one_tuple(&tuple, db, version, diff));
+			dns_rdata_reset(&rdata);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		} while (pass < 2);
+
+		INSIST(pass < 2);
+
+		/*
+		 * Delete the old NSEC3 and record the change.
+		 */
+		CHECK(delete(db, version, hashname, nsec3param, diff));
+	} while (1);
+
+ success:
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_delnsec3s(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+		    dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	/*
+	 * Find the NSEC3 parameters for this zone.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * Update each active NSEC3 chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+
+#ifdef RFC5155_STRICT
+		if (nsec3param.flags != 0)
+			continue;
+#else
+		if ((nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0)
+			continue;
+		if (better_param(&rdataset, &rdata))
+			continue;
+#endif
+
+		/*
+		 * We have a active chain.  Update it.
+		 */
+		CHECK(dns_nsec3_delnsec3(db, version, name, &nsec3param, diff));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_active(dns_db_t *db, dns_dbversion_t *version,
+		 isc_boolean_t complete, isc_boolean_t *answer)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+
+	REQUIRE(answer != NULL);
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param, 0, 0,
+				     &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND) {
+		*answer = ISC_FALSE;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if ((nsec3param.flags) == 0 ||
+		    (!complete && CREATE(nsec3param.flags)))
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_SUCCESS)
+		*answer = ISC_TRUE;
+	if (result == ISC_R_NOMORE) {
+		*answer = ISC_FALSE;
+		result = ISC_R_SUCCESS;
+	}
+	return (result);
+}
+
+isc_result_t
+dns_nsec3_maxiterations(dns_db_t *db, dns_dbversion_t *version,
+			isc_mem_t *mctx, unsigned int *iterationsp)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dst_key_t *key = NULL;
+	isc_buffer_t buffer;
+	isc_result_t result;
+	isc_uint16_t bits, minbits = 4096;
+
+	result = dns_db_getoriginnode(db, &node);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_dnskey,
+				     0, 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND) {
+		*iterationsp = 0;
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		isc_buffer_init(&buffer, rdata.data, rdata.length);
+		isc_buffer_add(&buffer, rdata.length);
+		CHECK(dst_key_fromdns(dns_db_origin(db), rdataset.rdclass,
+				      &buffer, mctx, &key));
+		bits = dst_key_getbits(key);
+		dst_key_free(&key);
+		if (minbits > bits)
+			minbits = bits;
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+	if (minbits <= 1024)
+		*iterationsp = 150;
+	else if (minbits <= 2048)
+		*iterationsp = 500;
+	else
+		*iterationsp = 2500;
+	result = ISC_R_SUCCESS;
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index bb76e0e..2dc7d7e 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.1.6.12 2007/08/28 07:20:04 tbox Exp $
+ * $Id: openssl_link.c,v 1.22.112.3 2009/02/11 03:07:01 jinmei Exp $
  */
 #ifdef OPENSSL
 
@@ -41,22 +54,36 @@
 #include <openssl/conf.h>
 #include <openssl/crypto.h>
 
-#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER != 0x00907000L)
+#if defined(CRYPTO_LOCK_ENGINE) && (OPENSSL_VERSION_NUMBER >= 0x0090707f)
 #define USE_ENGINE 1
 #endif
 
 #ifdef USE_ENGINE
 #include <openssl/engine.h>
+
+#ifdef ENGINE_ID
+const char *engine_id = ENGINE_ID;
+#else
+const char *engine_id;
+#endif
 #endif
 
 static RAND_METHOD *rm = NULL;
+
 static isc_mutex_t *locks = NULL;
 static int nlocks;
 
 #ifdef USE_ENGINE
 static ENGINE *e;
+static ENGINE *he;
 #endif
 
+#ifdef USE_PKCS11
+static isc_result_t
+dst__openssl_load_engine(const char *name, const char *engine_id,
+			 const char **pre_cmds, int pre_num,
+			 const char **post_cmds, int post_num);
+#endif
 
 static int
 entropy_get(unsigned char *buf, int num) {
@@ -68,6 +95,11 @@ entropy_get(unsigned char *buf, int num) {
 }
 
 static int
+entropy_status(void) {
+	return (dst__entropy_status() > 32);
+}
+
+static int
 entropy_getpseudo(unsigned char *buf, int num) {
 	isc_result_t result;
 	if (num < 0)
@@ -116,23 +148,17 @@ mem_free(void *ptr) {
 
 static void *
 mem_realloc(void *ptr, size_t size) {
-	void *p;
-
 	INSIST(dst__memory_pool != NULL);
-	p = NULL;
-	if (size > 0U) {
-		p = mem_alloc(size);
-		if (p != NULL && ptr != NULL)
-			memcpy(p, ptr, size);
-	}
-	if (ptr != NULL)
-		mem_free(ptr);
-	return (p);
+	return (isc_mem_reallocate(dst__memory_pool, ptr, size));
 }
 
 isc_result_t
 dst__openssl_init() {
 	isc_result_t result;
+#ifdef USE_ENGINE
+	/* const char  *name; */
+	ENGINE *re;
+#endif
 
 #ifdef  DNS_CRYPTO_LEAKS
 	CRYPTO_malloc_debug_init();
@@ -149,6 +175,7 @@ dst__openssl_init() {
 		goto cleanup_mutexalloc;
 	CRYPTO_set_locking_callback(lock_callback);
 	CRYPTO_set_id_callback(id_callback);
+
 	rm = mem_alloc(sizeof(RAND_METHOD));
 	if (rm == NULL) {
 		result = ISC_R_NOMEMORY;
@@ -159,18 +186,87 @@ dst__openssl_init() {
 	rm->cleanup = NULL;
 	rm->add = entropy_add;
 	rm->pseudorand = entropy_getpseudo;
-	rm->status = NULL;
+	rm->status = entropy_status;
 #ifdef USE_ENGINE
-	e = ENGINE_new();
-	if (e == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto cleanup_rm;
+	OPENSSL_config(NULL);
+#ifdef USE_PKCS11
+#ifndef PKCS11_SO_PATH
+#define PKCS11_SO_PATH		"/usr/local/lib/engines/engine_pkcs11.so"
+#endif
+#ifndef PKCS11_MODULE_PATH
+#define PKCS11_MODULE_PATH	"/usr/lib/libpkcs11.so"
+#endif
+	{
+		/*
+		 * to use this to config the PIN, add in openssl.cnf:
+		 *  - at the beginning: "openssl_conf = openssl_def"
+		 *  - at any place these sections:
+		 * [ openssl_def ]
+		 * engines = engine_section
+		 * [ engine_section ]
+		 * pkcs11 = pkcs11_section
+		 * [ pkcs11_section ]
+		 * PIN = my___pin
+		 */
+
+		const char *pre_cmds[] = {
+			"SO_PATH", PKCS11_SO_PATH,
+			"LOAD", NULL,
+			"MODULE_PATH", PKCS11_MODULE_PATH
+		};
+		const char *post_cmds[] = {
+			/* "PIN", "my___pin" */
+		};
+		result = dst__openssl_load_engine("pkcs11", "pkcs11",
+						  pre_cmds, 0,
+						  post_cmds, /*1*/ 0);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_rm;
 	}
-	ENGINE_set_RAND(e, rm);
-	RAND_set_rand_method(rm);
+#endif /* USE_PKCS11 */
+	if (engine_id != NULL) {
+		e = ENGINE_by_id(engine_id);
+		if (e == NULL) {
+			result = ISC_R_NOTFOUND;
+			goto cleanup_rm;
+		}
+		if (!ENGINE_init(e)) {
+			result = ISC_R_FAILURE;
+			ENGINE_free(e);
+			goto cleanup_rm;
+		}
+		ENGINE_set_default(e, ENGINE_METHOD_ALL);
+		ENGINE_free(e);
+	} else {
+		ENGINE_register_all_complete();
+		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
+
+			/*
+			 * Something weird here. If we call ENGINE_finish()
+			 * ENGINE_get_default_RAND() will fail.
+			 */
+			if (ENGINE_init(e)) {
+				if (he == NULL)
+					he = e;
+			}
+		}
+	}
+	re = ENGINE_get_default_RAND();
+	if (re == NULL) {
+		re = ENGINE_new();
+		if (re == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_rm;
+		}
+		ENGINE_set_RAND(re, rm);
+		ENGINE_set_default_RAND(re);
+		ENGINE_free(re);
+	} else
+		ENGINE_finish(re);
+
 #else
 	RAND_set_rand_method(rm);
-#endif
+#endif /* USE_ENGINE */
 	return (ISC_R_SUCCESS);
 
 #ifdef USE_ENGINE
@@ -195,9 +291,15 @@ dst__openssl_destroy() {
 	CONF_modules_unload(1);
 #endif
 	EVP_cleanup();
+#if defined(USE_ENGINE)
+	if (e != NULL) {
+		ENGINE_finish(e);
+		e = NULL;
+	}
 #if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 	ENGINE_cleanup();
 #endif
+#endif
 #if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 	CRYPTO_cleanup_all_ex_data();
 #endif
@@ -209,19 +311,6 @@ dst__openssl_destroy() {
 	CRYPTO_mem_leaks_fp(stderr);
 #endif
 
-#if 0
-	/*
-	 * The old error sequence that leaked.  Remove for 9.4.1 if
-	 * there are no issues by then.
-	 */
-	ERR_clear_error();
-#ifdef USE_ENGINE
-	if (e != NULL) {
-		ENGINE_free(e);
-		e = NULL;
-	}
-#endif
-#endif
 	if (rm != NULL) {
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 		RAND_cleanup();
@@ -251,6 +340,93 @@ dst__openssl_toresult(isc_result_t fallback) {
 	return (result);
 }
 
+ENGINE *
+dst__openssl_getengine(const char *name) {
+
+	UNUSED(name);
+
+
+#if defined(USE_ENGINE)
+	return (he);
+#else
+	return (NULL);
+#endif
+}
+
+isc_result_t
+dst__openssl_setdefault(const char *name) {
+
+	UNUSED(name);
+
+#if defined(USE_ENGINE)
+	ENGINE_set_default(e, ENGINE_METHOD_ALL);
+#endif
+	/*
+	 * XXXMPA If the engine does not have a default RAND method
+	 * restore our method.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+#ifdef USE_PKCS11
+/*
+ * 'name' is the name the engine is known by to the dst library.
+ * This may or may not match the name the engine is known by to
+ * openssl.  It is the name that is stored in the private key file.
+ *
+ * 'engine_id' is the openssl engine name.
+ *
+ * pre_cmds and post_cmds a sequence if command argument pairs
+ * pre_num and post_num are a count of those pairs.
+ *
+ * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
+ * "LOAD", NULL
+ * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
+ */
+static isc_result_t
+dst__openssl_load_engine(const char *name, const char *engine_id,
+			 const char **pre_cmds, int pre_num,
+			 const char **post_cmds, int post_num)
+{
+	ENGINE *e;
+
+	UNUSED(name);
+
+	if (!strcasecmp(engine_id, "dynamic"))
+		ENGINE_load_dynamic();
+	e = ENGINE_by_id(engine_id);
+	if (e == NULL)
+		return (ISC_R_NOTFOUND);
+	while (pre_num--) {
+		if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
+			ENGINE_free(e);
+			return (ISC_R_FAILURE);
+		}
+		pre_cmds += 2;
+	}
+	if (!ENGINE_init(e)) {
+		ENGINE_free(e);
+		return (ISC_R_FAILURE);
+	}
+	/*
+	 * ENGINE_init() returned a functional reference, so free the
+	 * structural reference from ENGINE_by_id().
+	 */
+	ENGINE_free(e);
+	while (post_num--) {
+		if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
+			ENGINE_free(e);
+			return (ISC_R_FAILURE);
+		}
+		post_cmds += 2;
+	}
+	if (he != NULL)
+		ENGINE_finish(he);
+	he = e;
+	return (ISC_R_SUCCESS);
+}
+#endif /* USE_PKCS11 */
+
 #else /* OPENSSL */
 
 #include <isc/util.h>
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 8f47482..abc3b7c 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssldh_link.c,v 1.1.6.10 2007/08/28 07:20:04 tbox Exp $
+ * $Id: openssldh_link.c,v 1.14 2008/04/01 23:47:10 tbox Exp $
  */
 
 #ifdef OPENSSL
@@ -37,8 +50,6 @@
 #include "dst_openssl.h"
 #include "dst_parse.h"
 
-#include <openssl/dh.h>
-
 #define PRIME768 "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088" \
 	"A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25" \
 	"F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF"
@@ -71,11 +82,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
 	isc_region_t r;
 	unsigned int len;
 
-	REQUIRE(pub->opaque != NULL);
-	REQUIRE(priv->opaque != NULL);
+	REQUIRE(pub->keydata.dh != NULL);
+	REQUIRE(priv->keydata.dh != NULL);
 
-	dhpub = (DH *) pub->opaque;
-	dhpriv = (DH *) priv->opaque;
+	dhpub = pub->keydata.dh;
+	dhpriv = priv->keydata.dh;
 
 	len = DH_size(dhpriv);
 	isc_buffer_availableregion(secret, &r);
@@ -93,8 +104,8 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DH *dh1, *dh2;
 
-	dh1 = (DH *) key1->opaque;
-	dh2 = (DH *) key2->opaque;
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
 
 	if (dh1 == NULL && dh2 == NULL)
 		return (ISC_TRUE);
@@ -122,8 +133,8 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DH *dh1, *dh2;
 
-	dh1 = (DH *) key1->opaque;
-	dh2 = (DH *) key2->opaque;
+	dh1 = key1->keydata.dh;
+	dh2 = key2->keydata.dh;
 
 	if (dh1 == NULL && dh2 == NULL)
 		return (ISC_TRUE);
@@ -141,7 +152,7 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator) {
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
-        BN_GENCB cb;
+	BN_GENCB cb;
 #endif
 	DH *dh = NULL;
 
@@ -192,20 +203,20 @@ openssldh_generate(dst_key_t *key, int generator) {
 	}
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
 
-	key->opaque = dh;
+	key->keydata.dh = dh;
 
 	return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
 openssldh_isprivate(const dst_key_t *key) {
-	DH *dh = (DH *) key->opaque;
+	DH *dh = key->keydata.dh;
 	return (ISC_TF(dh != NULL && dh->priv_key != NULL));
 }
 
 static void
 openssldh_destroy(dst_key_t *key) {
-	DH *dh = key->opaque;
+	DH *dh = key->keydata.dh;
 
 	if (dh == NULL)
 		return;
@@ -215,7 +226,7 @@ openssldh_destroy(dst_key_t *key) {
 	if (dh->g == &bn2)
 		dh->g = NULL;
 	DH_free(dh);
-	key->opaque = NULL;
+	key->keydata.dh = NULL;
 }
 
 static void
@@ -242,9 +253,9 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
 	isc_region_t r;
 	isc_uint16_t dnslen, plen, glen, publen;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.dh != NULL);
 
-	dh = (DH *) key->opaque;
+	dh = key->keydata.dh;
 
 	isc_buffer_availableregion(data, &r);
 
@@ -401,7 +412,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, plen + glen + publen + 6);
 
-	key->opaque = (void *) dh;
+	key->keydata.dh = dh;
 
 	return (ISC_R_SUCCESS);
 }
@@ -414,10 +425,10 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
 	unsigned char *bufs[4];
 	isc_result_t result;
 
-	if (key->opaque == NULL)
+	if (key->keydata.dh == NULL)
 		return (DST_R_NULLKEY);
 
-	dh = (DH *) key->opaque;
+	dh = key->keydata.dh;
 
 	for (i = 0; i < 4; i++) {
 		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(dh->p));
@@ -484,7 +495,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer) {
 	if (dh == NULL)
 		DST_RET(ISC_R_NOMEMORY);
 	dh->flags &= ~DH_FLAG_CACHE_MONT_P;
-	key->opaque = dh;
+	key->keydata.dh = dh;
 
 	for (i = 0; i < priv.nelements; i++) {
 		BIGNUM *bn;
@@ -597,6 +608,7 @@ static dst_func_t openssldh_functions = {
 	openssldh_tofile,
 	openssldh_parse,
 	openssldh_cleanup,
+	NULL, /*%< fromlabel */
 };
 
 isc_result_t
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index 2ff33f32..14e89e1 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -1,6 +1,19 @@
 /*
- * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2002  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 1995-2000 by Network Associates, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +29,12 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: openssldsa_link.c,v 1.1.6.9.28.1 2008/12/24 00:21:22 marka Exp $ */
+/* $Id: openssldsa_link.c,v 1.13.120.2 2009/01/14 23:47:26 tbox Exp $ */
 
 #ifdef OPENSSL
+#ifndef USE_EVP
+#define USE_EVP 1
+#endif
 
 #include <config.h>
 
@@ -41,32 +57,68 @@ static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
 static isc_result_t
 openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx;
+
+	UNUSED(key);
+
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, EVP_dss1(), NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+			return (ISC_R_FAILURE);
+	}
+
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+
+	return (ISC_R_SUCCESS);
+#else
 	isc_sha1_t *sha1ctx;
 
 	UNUSED(key);
 
 	sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
 	isc_sha1_init(sha1ctx);
-	dctx->opaque = sha1ctx;
+	dctx->ctxdata.sha1ctx = sha1ctx;
 	return (ISC_R_SUCCESS);
+#endif
 }
 
 static void
 openssldsa_destroyctx(dst_context_t *dctx) {
-	isc_sha1_t *sha1ctx = dctx->opaque;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 
 	if (sha1ctx != NULL) {
 		isc_sha1_invalidate(sha1ctx);
 		isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
-		dctx->opaque = NULL;
+		dctx->ctxdata.sha1ctx = NULL;
 	}
+#endif
 }
 
 static isc_result_t
 openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_sha1_t *sha1ctx = dctx->opaque;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (ISC_R_FAILURE);
+	}
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 
 	isc_sha1_update(sha1ctx, data->base, data->length);
+#endif
 	return (ISC_R_SUCCESS);
 }
 
@@ -81,23 +133,72 @@ BN_bn2bin_fixed(BIGNUM *bn, unsigned char *buf, int size) {
 
 static isc_result_t
 openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_sha1_t *sha1ctx = dctx->opaque;
 	dst_key_t *key = dctx->key;
-	DSA *dsa = key->opaque;
-	DSA_SIG *dsasig;
+	DSA *dsa = key->keydata.dsa;
 	isc_region_t r;
+	DSA_SIG *dsasig;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey;
+	unsigned char *sigbuf;
+	const unsigned char *sb;
+	unsigned int siglen;
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
+#endif
 
 	isc_buffer_availableregion(sig, &r);
 	if (r.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
 		return (ISC_R_NOSPACE);
 
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_FAILURE);
+	}
+	sigbuf = malloc(EVP_PKEY_size(pkey));
+	if (sigbuf == NULL) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_SignFinal(evp_md_ctx, sigbuf, &siglen, pkey)) {
+		EVP_PKEY_free(pkey);
+		free(sigbuf);
+		return (ISC_R_FAILURE);
+	}
+	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
+	EVP_PKEY_free(pkey);
+	/* Convert from Dss-Sig-Value (RFC2459). */
+	dsasig = DSA_SIG_new();
+	if (dsasig == NULL) {
+		free(sigbuf);
+		return (ISC_R_NOMEMORY);
+	}
+	sb = sigbuf;
+	if (d2i_DSA_SIG(&dsasig, &sb, (long) siglen) == NULL) {
+		free(sigbuf);
+		return (ISC_R_FAILURE);
+	}
+	free(sigbuf);
+#elif 0
+	/* Only use EVP for the Digest */
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+		return (ISC_R_FAILURE);
+	}
+	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
+	if (dsasig == NULL)
+		return (dst__openssl_toresult(DST_R_SIGNFAILURE));
+#else
 	isc_sha1_final(sha1ctx, digest);
 
 	dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
 	if (dsasig == NULL)
 		return (dst__openssl_toresult(DST_R_SIGNFAILURE));
-
+#endif
 	*r.base++ = (key->key_size - 512)/64;
 	BN_bn2bin_fixed(dsasig->r, r.base, ISC_SHA1_DIGESTLENGTH);
 	r.base += ISC_SHA1_DIGESTLENGTH;
@@ -111,27 +212,70 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
 static isc_result_t
 openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_sha1_t *sha1ctx = dctx->opaque;
 	dst_key_t *key = dctx->key;
-	DSA *dsa = key->opaque;
-	DSA_SIG *dsasig;
+	DSA *dsa = key->keydata.dsa;
 	int status = 0;
-	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
 	unsigned char *cp = sig->base;
+	DSA_SIG *dsasig;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#if 0
+	EVP_PKEY *pkey;
+	unsigned char *sigbuf;
+#endif
+	unsigned int siglen;
+#else
+	isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
+#endif
+	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
 
+
+#if USE_EVP
+#if 1
+	/* Only use EVP for the digest */
+	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
+		return (ISC_R_FAILURE);
+	}
+#endif
+#else
 	isc_sha1_final(sha1ctx, digest);
+#endif
 
-	if (sig->length < 2 * ISC_SHA1_DIGESTLENGTH + 1)
+	if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
 		return (DST_R_VERIFYFAILURE);
+	}
 
 	cp++;	/*%< Skip T */
 	dsasig = DSA_SIG_new();
+	if (dsasig == NULL)
+		return (ISC_R_NOMEMORY);
 	dsasig->r = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
 	cp += ISC_SHA1_DIGESTLENGTH;
 	dsasig->s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
 	cp += ISC_SHA1_DIGESTLENGTH;
 
+#if 0
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_FAILURE);
+	}
+	/* Convert to Dss-Sig-Value (RFC2459). */
+	sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
+	if (sigbuf == NULL) {
+		EVP_PKEY_free(pkey);
+		return (ISC_R_NOMEMORY);
+	}
+	siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
+	INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
+	status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
+	EVP_PKEY_free(pkey);
+	free(sigbuf);
+#else
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
+#endif
 	DSA_SIG_free(dsasig);
 	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
@@ -144,8 +288,8 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
 	DSA *dsa1, *dsa2;
 
-	dsa1 = (DSA *) key1->opaque;
-	dsa2 = (DSA *) key2->opaque;
+	dsa1 = key1->keydata.dsa;
+	dsa2 = key2->keydata.dsa;
 
 	if (dsa1 == NULL && dsa2 == NULL)
 		return (ISC_TRUE);
@@ -172,7 +316,7 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused) {
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
-        BN_GENCB cb;
+	BN_GENCB cb;
 #endif
 	DSA *dsa;
 	unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
@@ -186,12 +330,12 @@ openssldsa_generate(dst_key_t *key, int unused) {
 		return (result);
 
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
-        dsa = DSA_new();
+	dsa = DSA_new();
 	if (dsa == NULL)
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 
 	BN_GENCB_set_old(&cb, NULL, NULL);
-  
+
 	if (!DSA_generate_parameters_ex(dsa, key->key_size, rand_array,
 					ISC_SHA1_DIGESTLENGTH,  NULL, NULL,
 					&cb))
@@ -213,22 +357,22 @@ openssldsa_generate(dst_key_t *key, int unused) {
 	}
 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
 
-	key->opaque = dsa;
+	key->keydata.dsa = dsa;
 
 	return (ISC_R_SUCCESS);
 }
 
 static isc_boolean_t
 openssldsa_isprivate(const dst_key_t *key) {
-	DSA *dsa = (DSA *) key->opaque;
+	DSA *dsa = key->keydata.dsa;
 	return (ISC_TF(dsa != NULL && dsa->priv_key != NULL));
 }
 
 static void
 openssldsa_destroy(dst_key_t *key) {
-	DSA *dsa = key->opaque;
+	DSA *dsa = key->keydata.dsa;
 	DSA_free(dsa);
-	key->opaque = NULL;
+	key->keydata.dsa = NULL;
 }
 
 
@@ -239,9 +383,9 @@ openssldsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 	int dnslen;
 	unsigned int t, p_bytes;
 
-	REQUIRE(key->opaque != NULL);
+	REQUIRE(key->keydata.dsa != NULL);
 
-	dsa = (DSA *) key->opaque;
+	dsa = key->keydata.dsa;
 
 	isc_buffer_availableregion(data, &r);
 
@@ -315,7 +459,7 @@ openssldsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, 1 + ISC_SHA1_DIGESTLENGTH + 3 * p_bytes);
 
-	key->opaque = (void *) dsa;
+	key->keydata.dsa = dsa;
 
 	return (ISC_R_SUCCESS);
 }
@@ -328,10 +472,10 @@ openssldsa_tofile(const dst_key_t *key, const char *directory) {
 	dst_private_t priv;
 	unsigned char bufs[5][128];
 
-	if (key->opaque == NULL)
+	if (key->keydata.dsa == NULL)
 		return (DST_R_NULLKEY);
 
-	dsa = (DSA *) key->opaque;
+	dsa = key->keydata.dsa;
 
 	priv.elements[cnt].tag = TAG_DSA_PRIME;
 	priv.elements[cnt].length = BN_num_bytes(dsa->p);
@@ -385,7 +529,7 @@ openssldsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	if (dsa == NULL)
 		DST_RET(ISC_R_NOMEMORY);
 	dsa->flags &= ~DSA_FLAG_CACHE_MONT_P;
-	key->opaque = dsa;
+	key->keydata.dsa = dsa;
 
 	for (i=0; i < priv.nelements; i++) {
 		BIGNUM *bn;
@@ -442,6 +586,7 @@ static dst_func_t openssldsa_functions = {
 	openssldsa_tofile,
 	openssldsa_parse,
 	NULL, /*%< cleanup */
+	NULL, /*%< fromlabel */
 };
 
 isc_result_t
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index aacba45..d557c43 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -17,9 +17,15 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.1.6.11.58.1 2008/12/24 00:21:22 marka Exp $
+ * $Id: opensslrsa_link.c,v 1.20.50.3 2009/01/18 23:25:16 marka Exp $
  */
 #ifdef OPENSSL
+#ifndef USE_EVP
+#define USE_EVP 1
+#endif
+#if USE_EVP
+#define USE_EVP_RSA 1
+#endif
 
 #include <config.h>
 
@@ -42,6 +48,7 @@
 #if OPENSSL_VERSION_NUMBER > 0x00908000L
 #include <openssl/bn.h>
 #endif
+#include <openssl/engine.h>
 
 /*
  * We don't use configure for windows so enforce the OpenSSL version
@@ -57,8 +64,8 @@
 
 
 	/*
-	 * XXXMPA  Temporarially disable RSA_BLINDING as it requires
-	 * good quality random data that cannot currently be guarenteed.
+	 * XXXMPA  Temporarily disable RSA_BLINDING as it requires
+	 * good quality random data that cannot currently be guaranteed.
 	 * XXXMPA  Find which versions of openssl use pseudo random data
 	 * and set RSA_FLAG_BLINDING for those.
 	 */
@@ -97,14 +104,38 @@
 	} while (0)
 #endif
 
+#define DST_RET(a) {ret = a; goto err;}
+
 static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx;
+	const EVP_MD *type;
+#endif
+
 	UNUSED(key);
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1);
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
 
+#if USE_EVP
+	evp_md_ctx = EVP_MD_CTX_create();
+	if (evp_md_ctx == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (dctx->key->key_alg == DST_ALG_RSAMD5)
+		type = EVP_md5();	/* MD5 + RSA */
+	else
+		type = EVP_sha1();	/* SHA1 + RSA */
+
+	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		return (ISC_R_FAILURE);
+	}
+	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
+#else
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
 		isc_md5_t *md5ctx;
 
@@ -112,7 +143,7 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		if (md5ctx == NULL)
 			return (ISC_R_NOMEMORY);
 		isc_md5_init(md5ctx);
-		dctx->opaque = md5ctx;
+		dctx->ctxdata.md5ctx = md5ctx;
 	} else {
 		isc_sha1_t *sha1ctx;
 
@@ -120,58 +151,87 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 		if (sha1ctx == NULL)
 			return (ISC_R_NOMEMORY);
 		isc_sha1_init(sha1ctx);
-		dctx->opaque = sha1ctx;
+		dctx->ctxdata.sha1ctx = sha1ctx;
 	}
+#endif
 
 	return (ISC_R_SUCCESS);
 }
 
 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#endif
+
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1);
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
 
+#if USE_EVP
+	if (evp_md_ctx != NULL) {
+		EVP_MD_CTX_destroy(evp_md_ctx);
+		dctx->ctxdata.evp_md_ctx = NULL;
+	}
+#else
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->opaque;
+		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
 
 		if (md5ctx != NULL) {
 			isc_md5_invalidate(md5ctx);
 			isc_mem_put(dctx->mctx, md5ctx, sizeof(isc_md5_t));
+			dctx->ctxdata.md5ctx = NULL;
 		}
 	} else {
-		isc_sha1_t *sha1ctx = dctx->opaque;
+		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 
 		if (sha1ctx != NULL) {
 			isc_sha1_invalidate(sha1ctx);
 			isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
+			dctx->ctxdata.sha1ctx = NULL;
 		}
 	}
-	dctx->opaque = NULL;
+#endif
 }
 
 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+#endif
+
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1);
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
 
+#if USE_EVP
+	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
+		return (ISC_R_FAILURE);
+	}
+#else
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->opaque;
+		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
 		isc_md5_update(md5ctx, data->base, data->length);
 	} else {
-		isc_sha1_t *sha1ctx = dctx->opaque;
+		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 		isc_sha1_update(sha1ctx, data->base, data->length);
 	}
+#endif
 	return (ISC_R_SUCCESS);
 }
 
 static isc_result_t
 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	dst_key_t *key = dctx->key;
-	RSA *rsa = key->opaque;
 	isc_region_t r;
+	unsigned int siglen = 0;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+#else
+	RSA *rsa = key->keydata.rsa;
 	/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
 	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-	unsigned int siglen = 0;
 	int status;
 	int type;
 	unsigned int digestlen;
@@ -179,22 +239,32 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 	unsigned long err;
 	const char* file;
 	int line;
+#endif
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1);
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
 
 	isc_buffer_availableregion(sig, &r);
 
+#if USE_EVP
+	if (r.length < (unsigned int) EVP_PKEY_size(pkey))
+		return (ISC_R_NOSPACE);
+
+	if (!EVP_SignFinal(evp_md_ctx, r.base, &siglen, pkey)) {
+		return (ISC_R_FAILURE);
+	}
+#else
 	if (r.length < (unsigned int) RSA_size(rsa))
 		return (ISC_R_NOSPACE);
 
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->opaque;
+		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
 		isc_md5_final(md5ctx, digest);
 		type = NID_md5;
 		digestlen = ISC_MD5_DIGESTLENGTH;
 	} else {
-		isc_sha1_t *sha1ctx = dctx->opaque;
+		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 		isc_sha1_final(sha1ctx, digest);
 		type = NID_sha1;
 		digestlen = ISC_SHA1_DIGESTLENGTH;
@@ -205,11 +275,10 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 		err = ERR_peek_error_line(&file, &line);
 		if (err != 0U) {
 			message = ERR_error_string(err, NULL);
-			fprintf(stderr, "%s:%s:%d\n", message,
-				file ? file : "", line);
 		}
 		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
+#endif
 
 	isc_buffer_add(sig, siglen);
 
@@ -219,23 +288,32 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 static isc_result_t
 opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 	dst_key_t *key = dctx->key;
-	RSA *rsa = key->opaque;
+	int status = 0;
+#if USE_EVP
+	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
+	EVP_PKEY *pkey = key->keydata.pkey;
+#else
 	/* note: ISC_SHA1_DIGESTLENGTH > ISC_MD5_DIGESTLENGTH */
 	unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-	int status = 0;
 	int type;
 	unsigned int digestlen;
+	RSA *rsa = key->keydata.rsa;
+#endif
 
 	REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
-		dctx->key->key_alg == DST_ALG_RSASHA1);
+		dctx->key->key_alg == DST_ALG_RSASHA1 ||
+		dctx->key->key_alg == DST_ALG_NSEC3RSASHA1);
 
+#if USE_EVP
+	status = EVP_VerifyFinal(evp_md_ctx, sig->base, sig->length, pkey);
+#else
 	if (dctx->key->key_alg == DST_ALG_RSAMD5) {
-		isc_md5_t *md5ctx = dctx->opaque;
+		isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
 		isc_md5_final(md5ctx, digest);
 		type = NID_md5;
 		digestlen = ISC_MD5_DIGESTLENGTH;
 	} else {
-		isc_sha1_t *sha1ctx = dctx->opaque;
+		isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
 		isc_sha1_final(sha1ctx, digest);
 		type = NID_sha1;
 		digestlen = ISC_SHA1_DIGESTLENGTH;
@@ -246,6 +324,7 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
+#endif
 	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
@@ -255,10 +334,30 @@ opensslrsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 static isc_boolean_t
 opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	int status;
-	RSA *rsa1, *rsa2;
+	RSA *rsa1 = NULL, *rsa2 = NULL;
+#if USE_EVP
+	EVP_PKEY *pkey1, *pkey2;
+#endif
 
-	rsa1 = (RSA *) key1->opaque;
-	rsa2 = (RSA *) key2->opaque;
+#if USE_EVP
+	pkey1 = key1->keydata.pkey;
+	pkey2 = key2->keydata.pkey;
+	/*
+	 * The pkey reference will keep these around after
+	 * the RSA_free() call.
+	 */
+	if (pkey1 != NULL) {
+		rsa1 = EVP_PKEY_get1_RSA(pkey1);
+		RSA_free(rsa1);
+	}
+	if (pkey2 != NULL) {
+		rsa2 = EVP_PKEY_get1_RSA(pkey2);
+		RSA_free(rsa2);
+	}
+#else
+	rsa1 = key1->keydata.rsa;
+	rsa2 = key2->keydata.rsa;
+#endif
 
 	if (rsa1 == NULL && rsa2 == NULL)
 		return (ISC_TRUE);
@@ -271,6 +370,19 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 	if (status != 0)
 		return (ISC_FALSE);
 
+#if USE_EVP
+	if ((rsa1->flags & RSA_FLAG_EXT_PKEY) != 0 ||
+	    (rsa2->flags & RSA_FLAG_EXT_PKEY) != 0) {
+		if ((rsa1->flags & RSA_FLAG_EXT_PKEY) == 0 ||
+		    (rsa2->flags & RSA_FLAG_EXT_PKEY) == 0)
+			return (ISC_FALSE);
+		/*
+		 * Can't compare private parameters, BTW does it make sense?
+		 */
+		return (ISC_TRUE);
+	}
+#endif
+
 	if (rsa1->d != NULL || rsa2->d != NULL) {
 		if (rsa1->d == NULL || rsa2->d == NULL)
 			return (ISC_FALSE);
@@ -290,9 +402,18 @@ opensslrsa_generate(dst_key_t *key, int exp) {
 	BN_GENCB cb;
 	RSA *rsa = RSA_new();
 	BIGNUM *e = BN_new();
+#if USE_EVP
+	EVP_PKEY *pkey = EVP_PKEY_new();
+#endif
 
 	if (rsa == NULL || e == NULL)
 		goto err;
+#if USE_EVP
+	if (pkey == NULL)
+		goto err;
+	if (!EVP_PKEY_set1_RSA(pkey, rsa))
+		goto err;
+#endif
 
 	if (exp == 0) {
 		/* RSA_F4 0x10001 */
@@ -309,11 +430,21 @@ opensslrsa_generate(dst_key_t *key, int exp) {
 	if (RSA_generate_key_ex(rsa, key->key_size, e, &cb)) {
 		BN_free(e);
 		SET_FLAGS(rsa);
-		key->opaque = rsa;
+#if USE_EVP
+		key->keydata.pkey = pkey;
+
+		RSA_free(rsa);
+#else
+		key->keydata.rsa = rsa;
+#endif
 		return (ISC_R_SUCCESS);
 	}
 
 err:
+#if USE_EVP
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+#endif
 	if (e != NULL)
 		BN_free(e);
 	if (rsa != NULL)
@@ -322,16 +453,36 @@ err:
 #else
 	RSA *rsa;
 	unsigned long e;
+#if USE_EVP
+	EVP_PKEY *pkey = EVP_PKEY_new();
+
+	if (pkey == NULL)
+		return (ISC_R_NOMEMORY);
+#endif
 
 	if (exp == 0)
 	       e = RSA_F4;
 	else
 	       e = 0x40000003;
 	rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
-	if (rsa == NULL)
-	       return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	if (rsa == NULL) {
+#if USE_EVP
+		EVP_PKEY_free(pkey);
+#endif
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
 	SET_FLAGS(rsa);
-	key->opaque = rsa;
+#if USE_EVP
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		EVP_PKEY_free(pkey);
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+#else
+	key->keydata.rsa = rsa;
+#endif
 
 	return (ISC_R_SUCCESS);
 #endif
@@ -339,28 +490,58 @@ err:
 
 static isc_boolean_t
 opensslrsa_isprivate(const dst_key_t *key) {
-	RSA *rsa = (RSA *) key->opaque;
+#if USE_EVP
+	RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	INSIST(rsa != NULL);
+	RSA_free(rsa);
+	/* key->keydata.pkey still has a reference so rsa is still valid. */
+#else
+	RSA *rsa = key->keydata.rsa;
+#endif
+	if (rsa != NULL && (rsa->flags & RSA_FLAG_EXT_PKEY) != 0)
+		return (ISC_TRUE);
 	return (ISC_TF(rsa != NULL && rsa->d != NULL));
 }
 
 static void
 opensslrsa_destroy(dst_key_t *key) {
-	RSA *rsa = key->opaque;
+#if USE_EVP
+	EVP_PKEY *pkey = key->keydata.pkey;
+	EVP_PKEY_free(pkey);
+	key->keydata.pkey = NULL;
+#else
+	RSA *rsa = key->keydata.rsa;
 	RSA_free(rsa);
-	key->opaque = NULL;
+	key->keydata.rsa = NULL;
+#endif
 }
 
 
 static isc_result_t
 opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	RSA *rsa;
 	isc_region_t r;
 	unsigned int e_bytes;
 	unsigned int mod_bytes;
+	isc_result_t ret;
+	RSA *rsa;
+#if USE_EVP
+	EVP_PKEY *pkey;
+#endif
 
-	REQUIRE(key->opaque != NULL);
+#if USE_EVP
+	REQUIRE(key->keydata.pkey != NULL);
+#else
+	REQUIRE(key->keydata.rsa != NULL);
+#endif
 
-	rsa = (RSA *) key->opaque;
+#if USE_EVP
+	pkey = key->keydata.pkey;
+	rsa = EVP_PKEY_get1_RSA(pkey);
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
+	rsa = key->keydata.rsa;
+#endif
 
 	isc_buffer_availableregion(data, &r);
 
@@ -369,11 +550,11 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	if (e_bytes < 256) {	/*%< key exponent is <= 2040 bits */
 		if (r.length < 1)
-			return (ISC_R_NOSPACE);
+			DST_RET(ISC_R_NOSPACE);
 		isc_buffer_putuint8(data, (isc_uint8_t) e_bytes);
 	} else {
 		if (r.length < 3)
-			return (ISC_R_NOSPACE);
+			DST_RET(ISC_R_NOSPACE);
 		isc_buffer_putuint8(data, 0);
 		isc_buffer_putuint16(data, (isc_uint16_t) e_bytes);
 	}
@@ -388,7 +569,13 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_add(data, e_bytes + mod_bytes);
 
-	return (ISC_R_SUCCESS);
+	ret = ISC_R_SUCCESS;
+ err:
+#if USE_EVP
+	if (rsa != NULL)
+		RSA_free(rsa);
+#endif
+	return (ret);
 }
 
 static isc_result_t
@@ -396,6 +583,9 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 	RSA *rsa;
 	isc_region_t r;
 	unsigned int e_bytes;
+#if USE_EVP
+	EVP_PKEY *pkey;
+#endif
 
 	isc_buffer_remainingregion(data, &r);
 	if (r.length == 0)
@@ -437,12 +627,26 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
 	isc_buffer_forward(data, r.length);
 
-	key->opaque = (void *) rsa;
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL) {
+		RSA_free(rsa);
+		return (ISC_R_NOMEMORY);
+	}
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		EVP_PKEY_free(pkey);
+		RSA_free(rsa);
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+	}
+	key->keydata.pkey = pkey;
+	RSA_free(rsa);
+#else
+	key->keydata.rsa = rsa;
+#endif
 
 	return (ISC_R_SUCCESS);
 }
 
-
 static isc_result_t
 opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	int i;
@@ -451,10 +655,17 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	unsigned char *bufs[8];
 	isc_result_t result;
 
-	if (key->opaque == NULL)
+#if USE_EVP
+	if (key->keydata.pkey == NULL)
 		return (DST_R_NULLKEY);
-
-	rsa = (RSA *) key->opaque;
+	rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
+	if (rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#else
+	if (key->keydata.rsa == NULL)
+		return (DST_R_NULLKEY);
+	rsa = key->keydata.rsa;
+#endif
 
 	for (i = 0; i < 8; i++) {
 		bufs[i] = isc_mem_get(key->mctx, BN_num_bytes(rsa->n));
@@ -478,45 +689,74 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
 	priv.elements[i].data = bufs[i];
 	i++;
 
-	priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
-	priv.elements[i].length = BN_num_bytes(rsa->d);
-	BN_bn2bin(rsa->d, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->d != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIVATEEXPONENT;
+		priv.elements[i].length = BN_num_bytes(rsa->d);
+		BN_bn2bin(rsa->d, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
 
-	priv.elements[i].tag = TAG_RSA_PRIME1;
-	priv.elements[i].length = BN_num_bytes(rsa->p);
-	BN_bn2bin(rsa->p, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->p != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME1;
+		priv.elements[i].length = BN_num_bytes(rsa->p);
+		BN_bn2bin(rsa->p, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
 
-	priv.elements[i].tag = TAG_RSA_PRIME2;
-	priv.elements[i].length = BN_num_bytes(rsa->q);
-	BN_bn2bin(rsa->q, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->q != NULL) {
+		priv.elements[i].tag = TAG_RSA_PRIME2;
+		priv.elements[i].length = BN_num_bytes(rsa->q);
+		BN_bn2bin(rsa->q, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
 
-	priv.elements[i].tag = TAG_RSA_EXPONENT1;
-	priv.elements[i].length = BN_num_bytes(rsa->dmp1);
-	BN_bn2bin(rsa->dmp1, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->dmp1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT1;
+		priv.elements[i].length = BN_num_bytes(rsa->dmp1);
+		BN_bn2bin(rsa->dmp1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
 
-	priv.elements[i].tag = TAG_RSA_EXPONENT2;
-	priv.elements[i].length = BN_num_bytes(rsa->dmq1);
-	BN_bn2bin(rsa->dmq1, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->dmq1 != NULL) {
+		priv.elements[i].tag = TAG_RSA_EXPONENT2;
+		priv.elements[i].length = BN_num_bytes(rsa->dmq1);
+		BN_bn2bin(rsa->dmq1, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
 
-	priv.elements[i].tag = TAG_RSA_COEFFICIENT;
-	priv.elements[i].length = BN_num_bytes(rsa->iqmp);
-	BN_bn2bin(rsa->iqmp, bufs[i]);
-	priv.elements[i].data = bufs[i];
-	i++;
+	if (rsa->iqmp != NULL) {
+		priv.elements[i].tag = TAG_RSA_COEFFICIENT;
+		priv.elements[i].length = BN_num_bytes(rsa->iqmp);
+		BN_bn2bin(rsa->iqmp, bufs[i]);
+		priv.elements[i].data = bufs[i];
+		i++;
+	}
+
+	if (key->engine != NULL) {
+		priv.elements[i].tag = TAG_RSA_ENGINE;
+		priv.elements[i].length = strlen(key->engine) + 1;
+		priv.elements[i].data = (unsigned char *)key->engine;
+		i++;
+	}
+
+	if (key->label != NULL) {
+		priv.elements[i].tag = TAG_RSA_LABEL;
+		priv.elements[i].length = strlen(key->label) + 1;
+		priv.elements[i].data = (unsigned char *)key->label;
+		i++;
+	}
 
 	priv.nelements = i;
 	result =  dst__privstruct_writefile(key, &priv, directory);
  fail:
+#if USE_EVP
+	RSA_free(rsa);
+#endif
 	for (i = 0; i < 8; i++) {
 		if (bufs[i] == NULL)
 			break;
@@ -531,26 +771,94 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	isc_result_t ret;
 	int i;
 	RSA *rsa = NULL;
+	ENGINE *e = NULL;
 	isc_mem_t *mctx = key->mctx;
-#define DST_RET(a) {ret = a; goto err;}
+	const char *name = NULL, *label = NULL;
+	EVP_PKEY *pkey = NULL;
 
 	/* read private key file */
 	ret = dst__privstruct_parse(key, DST_ALG_RSA, lexer, mctx, &priv);
 	if (ret != ISC_R_SUCCESS)
 		return (ret);
 
+	for (i = 0; i < priv.nelements; i++) {
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			name = (char *)priv.elements[i].data;
+			break;
+		case TAG_RSA_LABEL:
+			label = (char *)priv.elements[i].data;
+			break;
+		default:
+			break;
+		}
+	}
+	/*
+	 * Is this key is stored in a HSM?
+	 * See if we can fetch it.
+	 */
+	if (name != NULL || label != NULL) {
+		INSIST(name != NULL);
+		INSIST(label != NULL);
+		e = dst__openssl_getengine(name);
+		if (e == NULL)
+			DST_RET(DST_R_NOENGINE);
+		pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+		if (pkey == NULL) {
+			ERR_print_errors_fp(stderr);
+			DST_RET(ISC_R_FAILURE);
+		}
+		key->engine = isc_mem_strdup(key->mctx, name);
+		if (key->engine == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		key->label = isc_mem_strdup(key->mctx, label);
+		if (key->label == NULL)
+			DST_RET(ISC_R_NOMEMORY);
+		key->key_size = EVP_PKEY_bits(pkey);
+#if USE_EVP
+		key->keydata.pkey = pkey;
+#else
+		key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
+		if (rsa == NULL)
+			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+		EVP_PKEY_free(pkey);
+#endif
+		dst__privstruct_free(&priv, mctx);
+		return (ISC_R_SUCCESS);
+	}
+
 	rsa = RSA_new();
 	if (rsa == NULL)
 		DST_RET(ISC_R_NOMEMORY);
 	SET_FLAGS(rsa);
-	key->opaque = rsa;
+
+#if USE_EVP
+	pkey = EVP_PKEY_new();
+	if (pkey == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
+		DST_RET(ISC_R_FAILURE);
+	}
+	key->keydata.pkey = pkey;
+#else
+	key->keydata.rsa = rsa;
+#endif
 
 	for (i = 0; i < priv.nelements; i++) {
 		BIGNUM *bn;
-		bn = BN_bin2bn(priv.elements[i].data,
-			       priv.elements[i].length, NULL);
-		if (bn == NULL)
-			DST_RET(ISC_R_NOMEMORY);
+		switch (priv.elements[i].tag) {
+		case TAG_RSA_ENGINE:
+			continue;
+		case TAG_RSA_LABEL:
+			continue;
+		case TAG_RSA_PIN:
+			continue;
+		default:
+			bn = BN_bin2bn(priv.elements[i].data,
+				       priv.elements[i].length, NULL);
+			if (bn == NULL)
+				DST_RET(ISC_R_NOMEMORY);
+		}
 
 		switch (priv.elements[i].tag) {
 			case TAG_RSA_MODULUS:
@@ -582,16 +890,64 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer) {
 	dst__privstruct_free(&priv, mctx);
 
 	key->key_size = BN_num_bits(rsa->n);
+#if USE_EVP
+	RSA_free(rsa);
+#endif
 
 	return (ISC_R_SUCCESS);
 
  err:
+#if USE_EVP
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+#endif
+	if (rsa != NULL)
+		RSA_free(rsa);
 	opensslrsa_destroy(key);
 	dst__privstruct_free(&priv, mctx);
 	memset(&priv, 0, sizeof(priv));
 	return (ret);
 }
 
+static isc_result_t
+opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
+		     const char *pin)
+{
+	ENGINE *e = NULL;
+	isc_result_t ret;
+	EVP_PKEY *pkey = NULL;
+
+	UNUSED(pin);
+
+	e = dst__openssl_getengine(engine);
+	if (e == NULL)
+		DST_RET(DST_R_NOENGINE);
+	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
+	if (pkey == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	key->engine = isc_mem_strdup(key->mctx, label);
+	if (key->engine == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	key->label = isc_mem_strdup(key->mctx, label);
+	if (key->label == NULL)
+		DST_RET(ISC_R_NOMEMORY);
+	key->key_size = EVP_PKEY_bits(pkey);
+#if USE_EVP
+	key->keydata.pkey = pkey;
+#else
+	key->keydata.rsa = EVP_PKEY_get1_RSA(pkey);
+	EVP_PKEY_free(pkey);
+	if (key->keydata.rsa == NULL)
+		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
+#endif
+	return (ISC_R_SUCCESS);
+
+ err:
+	if (pkey != NULL)
+		EVP_PKEY_free(pkey);
+	return (ret);
+}
+
 static dst_func_t opensslrsa_functions = {
 	opensslrsa_createctx,
 	opensslrsa_destroyctx,
@@ -609,6 +965,7 @@ static dst_func_t opensslrsa_functions = {
 	opensslrsa_tofile,
 	opensslrsa_parse,
 	NULL, /*%< cleanup */
+	opensslrsa_fromlabel,
 };
 
 isc_result_t
diff --git a/lib/dns/order.c b/lib/dns/order.c
index 1d216b7..853b001 100644
--- a/lib/dns/order.c
+++ b/lib/dns/order.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: order.c,v 1.5.18.3 2005/07/12 01:22:21 marka Exp $ */
+/* $Id: order.c,v 1.10 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/peer.c b/lib/dns/peer.c
index 7d878b5..12474cb 100644
--- a/lib/dns/peer.c
+++ b/lib/dns/peer.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: peer.c,v 1.19.18.8 2006/02/28 03:10:48 marka Exp $ */
+/* $Id: peer.c,v 1.31 2008/04/03 06:09:04 tbox Exp $ */
 
 /*! \file */
 
@@ -42,6 +42,7 @@
 #define SUPPORT_EDNS_BIT		5
 #define SERVER_UDPSIZE_BIT		6
 #define SERVER_MAXUDP_BIT		7
+#define REQUEST_NSID_BIT                8
 
 static void
 peerlist_delete(dns_peerlist_t **list);
@@ -146,7 +147,7 @@ dns_peerlist_addpeer(dns_peerlist_t *peers, dns_peer_t *peer) {
 		ISC_LIST_INSERTBEFORE(peers->elements, p, peer, next);
 	else
 		ISC_LIST_APPEND(peers->elements, peer, next);
-		
+
 }
 
 isc_result_t
@@ -213,7 +214,7 @@ dns_peer_new(isc_mem_t *mem, isc_netaddr_t *addr, dns_peer_t **peerptr) {
 isc_result_t
 dns_peer_newprefix(isc_mem_t *mem, isc_netaddr_t *addr, unsigned int prefixlen,
 		   dns_peer_t **peerptr)
-{ 
+{
 	dns_peer_t *peer;
 
 	REQUIRE(peerptr != NULL);
@@ -416,6 +417,32 @@ dns_peer_getsupportedns(dns_peer_t *peer, isc_boolean_t *retval) {
 }
 
 isc_result_t
+dns_peer_setrequestnsid(dns_peer_t *peer, isc_boolean_t newval) {
+	isc_boolean_t existed;
+
+	REQUIRE(DNS_PEER_VALID(peer));
+
+	existed = DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags);
+
+	peer->request_nsid = newval;
+	DNS_BIT_SET(REQUEST_NSID_BIT, &peer->bitflags);
+
+	return (existed ? ISC_R_EXISTS : ISC_R_SUCCESS);
+}
+
+isc_result_t
+dns_peer_getrequestnsid(dns_peer_t *peer, isc_boolean_t *retval) {
+	REQUIRE(DNS_PEER_VALID(peer));
+	REQUIRE(retval != NULL);
+
+	if (DNS_BIT_CHECK(REQUEST_NSID_BIT, &peer->bitflags)) {
+		*retval = peer->request_nsid;
+		return (ISC_R_SUCCESS);
+	} else
+		return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
 dns_peer_settransfers(dns_peer_t *peer, isc_uint32_t newval) {
 	isc_boolean_t existed;
 
@@ -544,7 +571,7 @@ dns_peer_settransfersource(dns_peer_t *peer,
 	}
 	if (transfer_source != NULL) {
 		peer->transfer_source = isc_mem_get(peer->mem,
-					        sizeof(*peer->transfer_source));
+						sizeof(*peer->transfer_source));
 		if (peer->transfer_source == NULL)
 			return (ISC_R_NOMEMORY);
 
@@ -577,7 +604,7 @@ dns_peer_setnotifysource(dns_peer_t *peer,
 	}
 	if (notify_source != NULL) {
 		peer->notify_source = isc_mem_get(peer->mem,
-					        sizeof(*peer->notify_source));
+						sizeof(*peer->notify_source));
 		if (peer->notify_source == NULL)
 			return (ISC_R_NOMEMORY);
 
@@ -608,7 +635,7 @@ dns_peer_setquerysource(dns_peer_t *peer, const isc_sockaddr_t *query_source) {
 	}
 	if (query_source != NULL) {
 		peer->query_source = isc_mem_get(peer->mem,
-					        sizeof(*peer->query_source));
+						sizeof(*peer->query_source));
 		if (peer->query_source == NULL)
 			return (ISC_R_NOMEMORY);
 
@@ -649,11 +676,11 @@ dns_peer_getudpsize(dns_peer_t *peer, isc_uint16_t *udpsize) {
 	REQUIRE(udpsize != NULL);
 
 	if (DNS_BIT_CHECK(SERVER_UDPSIZE_BIT, &peer->bitflags)) {
-                *udpsize = peer->udpsize;
-                return (ISC_R_SUCCESS);
-        } else {
-                return (ISC_R_NOTFOUND);
-        }
+		*udpsize = peer->udpsize;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
 }
 
 isc_result_t
@@ -677,9 +704,9 @@ dns_peer_getmaxudp(dns_peer_t *peer, isc_uint16_t *maxudp) {
 	REQUIRE(maxudp != NULL);
 
 	if (DNS_BIT_CHECK(SERVER_MAXUDP_BIT, &peer->bitflags)) {
-                *maxudp = peer->maxudp;
-                return (ISC_R_SUCCESS);
-        } else {
-                return (ISC_R_NOTFOUND);
-        }
+		*maxudp = peer->maxudp;
+		return (ISC_R_SUCCESS);
+	} else {
+		return (ISC_R_NOTFOUND);
+	}
 }
diff --git a/lib/dns/portlist.c b/lib/dns/portlist.c
index 7e76171..5bc89f4 100644
--- a/lib/dns/portlist.c
+++ b/lib/dns/portlist.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portlist.c,v 1.6.18.5 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: portlist.c,v 1.13 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rbt.c b/lib/dns/rbt.c
index 4d3ca3a..ff8b3a3 100644
--- a/lib/dns/rbt.c
+++ b/lib/dns/rbt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbt.c,v 1.128.18.10 2008/03/31 13:32:59 fdupont Exp $ */
+/* $Id: rbt.c,v 1.142.50.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -37,36 +37,37 @@
 #define DNS_NAME_USEINLINE 1
 
 #include <dns/fixedname.h>
+#include <dns/log.h>
 #include <dns/rbt.h>
 #include <dns/result.h>
 
-#define RBT_MAGIC		ISC_MAGIC('R', 'B', 'T', '+')
-#define VALID_RBT(rbt)		ISC_MAGIC_VALID(rbt, RBT_MAGIC)
+#define RBT_MAGIC               ISC_MAGIC('R', 'B', 'T', '+')
+#define VALID_RBT(rbt)          ISC_MAGIC_VALID(rbt, RBT_MAGIC)
 
 /*
  * XXXDCL Since parent pointers were added in again, I could remove all of the
  * chain junk, and replace with dns_rbt_firstnode, _previousnode, _nextnode,
  * _lastnode.  This would involve pretty major change to the API.
  */
-#define CHAIN_MAGIC		ISC_MAGIC('0', '-', '0', '-')
-#define VALID_CHAIN(chain)	ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
+#define CHAIN_MAGIC             ISC_MAGIC('0', '-', '0', '-')
+#define VALID_CHAIN(chain)      ISC_MAGIC_VALID(chain, CHAIN_MAGIC)
 
-#define RBT_HASH_SIZE		64
+#define RBT_HASH_SIZE           64
 
 #ifdef RBT_MEM_TEST
 #undef RBT_HASH_SIZE
-#define RBT_HASH_SIZE 2	/*%< To give the reallocation code a workout. */
+#define RBT_HASH_SIZE 2 /*%< To give the reallocation code a workout. */
 #endif
 
 struct dns_rbt {
-	unsigned int		magic;
-	isc_mem_t *		mctx;
-	dns_rbtnode_t *		root;
-	void			(*data_deleter)(void *, void *);
-	void *			deleter_arg;
-	unsigned int		nodecount;
-	unsigned int		hashsize;
-	dns_rbtnode_t **	hashtable;
+	unsigned int            magic;
+	isc_mem_t *             mctx;
+	dns_rbtnode_t *         root;
+	void                    (*data_deleter)(void *, void *);
+	void *                  deleter_arg;
+	unsigned int            nodecount;
+	unsigned int            hashsize;
+	dns_rbtnode_t **        hashtable;
 };
 
 #define RED 0
@@ -75,51 +76,51 @@ struct dns_rbt {
 /*%
  * Elements of the rbtnode structure.
  */
-#define PARENT(node)		((node)->parent)
-#define LEFT(node)	 	((node)->left)
-#define RIGHT(node)		((node)->right)
-#define DOWN(node)		((node)->down)
-#define DATA(node)		((node)->data)
-#define HASHNEXT(node)		((node)->hashnext)
-#define HASHVAL(node)		((node)->hashval)
-#define COLOR(node) 		((node)->color)
-#define NAMELEN(node)		((node)->namelen)
-#define OFFSETLEN(node)		((node)->offsetlen)
-#define ATTRS(node)		((node)->attributes)
-#define PADBYTES(node)		((node)->padbytes)
-#define IS_ROOT(node)		ISC_TF((node)->is_root == 1)
-#define FINDCALLBACK(node)	ISC_TF((node)->find_callback == 1)
+#define PARENT(node)            ((node)->parent)
+#define LEFT(node)              ((node)->left)
+#define RIGHT(node)             ((node)->right)
+#define DOWN(node)              ((node)->down)
+#define DATA(node)              ((node)->data)
+#define HASHNEXT(node)          ((node)->hashnext)
+#define HASHVAL(node)           ((node)->hashval)
+#define COLOR(node)             ((node)->color)
+#define NAMELEN(node)           ((node)->namelen)
+#define OFFSETLEN(node)         ((node)->offsetlen)
+#define ATTRS(node)             ((node)->attributes)
+#define PADBYTES(node)          ((node)->padbytes)
+#define IS_ROOT(node)           ISC_TF((node)->is_root == 1)
+#define FINDCALLBACK(node)      ISC_TF((node)->find_callback == 1)
 
 /*%
  * Structure elements from the rbtdb.c, not
  * used as part of the rbt.c algorithms.
  */
-#define DIRTY(node)	((node)->dirty)
-#define WILD(node)	((node)->wild)
-#define LOCKNUM(node)	((node)->locknum)
+#define DIRTY(node)     ((node)->dirty)
+#define WILD(node)      ((node)->wild)
+#define LOCKNUM(node)   ((node)->locknum)
 
 /*%
  * The variable length stuff stored after the node.
  */
-#define NAME(node)	((unsigned char *)((node) + 1))
-#define OFFSETS(node)	(NAME(node) + NAMELEN(node))
+#define NAME(node)      ((unsigned char *)((node) + 1))
+#define OFFSETS(node)   (NAME(node) + NAMELEN(node))
 
-#define NODE_SIZE(node)	(sizeof(*node) + \
+#define NODE_SIZE(node) (sizeof(*node) + \
 			 NAMELEN(node) + OFFSETLEN(node) + PADBYTES(node))
 
 /*%
  * Color management.
  */
-#define IS_RED(node)		((node) != NULL && (node)->color == RED)
-#define IS_BLACK(node)		((node) == NULL || (node)->color == BLACK)
-#define MAKE_RED(node)		((node)->color = RED)
-#define MAKE_BLACK(node)	((node)->color = BLACK)
+#define IS_RED(node)            ((node) != NULL && (node)->color == RED)
+#define IS_BLACK(node)          ((node) == NULL || (node)->color == BLACK)
+#define MAKE_RED(node)          ((node)->color = RED)
+#define MAKE_BLACK(node)        ((node)->color = BLACK)
 
 /*%
  * Chain management.
  *
  * The "ancestors" member of chains were removed, with their job now
- * being wholy handled by parent pointers (which didn't exist, because
+ * being wholly handled by parent pointers (which didn't exist, because
  * of memory concerns, when chains were first implemented).
  */
 #define ADD_LEVEL(chain, node) \
@@ -244,6 +245,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 	rbt->nodecount = 0;
 	rbt->hashtable = NULL;
 	rbt->hashsize = 0;
+
 #ifdef DNS_RBT_USEHASH
 	result = inithash(rbt);
 	if (result != ISC_R_SUCCESS) {
@@ -251,6 +253,7 @@ dns_rbt_create(isc_mem_t *mctx, void (*deleter)(void *, void *),
 		return (result);
 	}
 #endif
+
 	rbt->magic = RBT_MAGIC;
 
 	*rbtp = rbt;
@@ -524,6 +527,7 @@ dns_rbt_addnode(dns_rbt_t *rbt, dns_name_t *name, dns_rbtnode_t **nodep) {
 				 * current node.
 				 */
 				new_current->is_root = current->is_root;
+				new_current->nsec3 = current->nsec3;
 				PARENT(new_current)  = PARENT(current);
 				LEFT(new_current)    = LEFT(current);
 				RIGHT(new_current)   = RIGHT(current);
@@ -1142,7 +1146,7 @@ dns_rbt_findnode(dns_rbt_t *rbt, dns_name_t *name, dns_name_t *foundname,
 									NULL);
 					if (result2 == ISC_R_SUCCESS ||
 					    result2 == DNS_R_NEWORIGIN)
-						; 	/* Nothing. */
+						;       /* Nothing. */
 					else if (result2 == ISC_R_NOMORE)
 						/*
 						 * There is no predecessor.
@@ -1274,8 +1278,7 @@ dns_rbt_deletenode(dns_rbt_t *rbt, dns_rbtnode_t *node, isc_boolean_t recurse)
 				      == ISC_R_SUCCESS);
 		else {
 			if (DATA(node) != NULL && rbt->data_deleter != NULL)
-				rbt->data_deleter(DATA(node),
-						  rbt->deleter_arg);
+				rbt->data_deleter(DATA(node), rbt->deleter_arg);
 			DATA(node) = NULL;
 
 			/*
@@ -1436,11 +1439,14 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	HASHVAL(node) = 0;
 #endif
 
+	ISC_LINK_INIT(node, deadlink);
+
 	LOCKNUM(node) = 0;
 	WILD(node) = 0;
 	DIRTY(node) = 0;
 	dns_rbtnode_refinit(node, 0);
 	node->find_callback = 0;
+	node->nsec3 = 0;
 
 	MAKE_BLACK(node);
 
@@ -1451,9 +1457,9 @@ create_node(isc_mem_t *mctx, dns_name_t *name, dns_rbtnode_t **nodep) {
 	 * and the name's offsets table.
 	 *
 	 * XXX RTH
-	 *	The offsets table could be made smaller by eliminating the
-	 *	first offset, which is always 0.  This requires changes to
-	 * 	lib/dns/name.c.
+	 *      The offsets table could be made smaller by eliminating the
+	 *      first offset, which is always 0.  This requires changes to
+	 *      lib/dns/name.c.
 	 */
 	NAMELEN(node) = region.length;
 	PADBYTES(node) = 0;
@@ -1934,7 +1940,7 @@ dns_rbt_deletefromlevel(dns_rbtnode_t *delete, dns_rbtnode_t **rootp) {
 			} else {
 				/*
 				 * Child is parent's right child.
-				 * Everything is doen the same as above,
+				 * Everything is done the same as above,
 				 * except mirrored.
 				 */
 				sibling = LEFT(parent);
@@ -2027,6 +2033,7 @@ dns_rbt_deletetree(dns_rbt_t *rbt, dns_rbtnode_t *node) {
 #if DNS_RBT_USEMAGIC
 	node->magic = 0;
 #endif
+
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 	rbt->nodecount--;
 	return (result);
@@ -2076,6 +2083,7 @@ dns_rbt_deletetreeflat(dns_rbt_t *rbt, unsigned int quantum,
 			DOWN(parent) = RIGHT(node);
 	} else
 		parent = RIGHT(node);
+
 	isc_mem_put(rbt->mctx, node, NODE_SIZE(node));
 	rbt->nodecount--;
 	node = parent;
@@ -2354,6 +2362,113 @@ dns_rbtnodechain_prev(dns_rbtnodechain_t *chain, dns_name_t *name,
 }
 
 isc_result_t
+dns_rbtnodechain_down(dns_rbtnodechain_t *chain, dns_name_t *name,
+		      dns_name_t *origin)
+{
+	dns_rbtnode_t *current, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_boolean_t new_origin = ISC_FALSE;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (DOWN(current) != NULL) {
+		/*
+		 * Don't declare an origin change when the new origin is "."
+		 * at the second level tree, because "." is already declared
+		 * as the origin for the top level tree.
+		 */
+		if (chain->level_count > 0 ||
+		    OFFSETLEN(current) > 1)
+			new_origin = ISC_TRUE;
+
+		ADD_LEVEL(chain, current);
+		current = DOWN(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		/*
+		 * It is not necessary to use dns_rbtnodechain_current like
+		 * the other functions because this function will never
+		 * find a node in the topmost level.  This is because the
+		 * root level will never be more than one name, and everything
+		 * in the megatree is a successor to that node, down at
+		 * the second level or below.
+		 */
+
+		if (name != NULL)
+			NODENAME(chain->end, name);
+
+		if (new_origin) {
+			if (origin != NULL)
+				result = chain_name(chain, origin, ISC_FALSE);
+
+			if (result == ISC_R_SUCCESS)
+				result = DNS_R_NEWORIGIN;
+
+		} else
+			result = ISC_R_SUCCESS;
+
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
+dns_rbtnodechain_nextflat(dns_rbtnodechain_t *chain, dns_name_t *name) {
+	dns_rbtnode_t *current, *previous, *successor;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(VALID_CHAIN(chain) && chain->end != NULL);
+
+	successor = NULL;
+
+	current = chain->end;
+
+	if (RIGHT(current) == NULL) {
+		while (! IS_ROOT(current)) {
+			previous = current;
+			current = PARENT(current);
+
+			if (LEFT(current) == previous) {
+				successor = current;
+				break;
+			}
+		}
+	} else {
+		current = RIGHT(current);
+
+		while (LEFT(current) != NULL)
+			current = LEFT(current);
+
+		successor = current;
+	}
+
+	if (successor != NULL) {
+		chain->end = successor;
+
+		if (name != NULL)
+			NODENAME(chain->end, name);
+
+		result = ISC_R_SUCCESS;
+	} else
+		result = ISC_R_NOMORE;
+
+	return (result);
+}
+
+isc_result_t
 dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 		      dns_name_t *origin)
 {
@@ -2398,7 +2513,7 @@ dns_rbtnodechain_next(dns_rbtnodechain_t *chain, dns_name_t *name,
 		 * reached without having traversed any left links, ascend one
 		 * level and look for either a right link off the point of
 		 * ascent, or search for a left link upward again, repeating
-		 * ascents until either case is true.
+		 * ascends until either case is true.
 		 */
 		do {
 			while (! IS_ROOT(current)) {
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 462a718..9741c15 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.c,v 1.196.18.53 2008/01/31 23:46:05 tbox Exp $ */
+/* $Id: rbtdb.c,v 1.270.12.6 2009/05/06 23:34:30 jinmei Exp $ */
 
 /*! \file */
 
@@ -25,13 +25,18 @@
 
 #include <config.h>
 
+/* #define inline */
+
 #include <isc/event.h>
+#include <isc/heap.h>
 #include <isc/mem.h>
-#include <isc/print.h>
 #include <isc/mutex.h>
+#include <isc/platform.h>
+#include <isc/print.h>
 #include <isc/random.h>
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
+#include <isc/serial.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/time.h>
@@ -45,12 +50,16 @@
 #include <dns/lib.h>
 #include <dns/log.h>
 #include <dns/masterdump.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/rbt.h>
 #include <dns/rdata.h>
 #include <dns/rdataset.h>
 #include <dns/rdatasetiter.h>
 #include <dns/rdataslab.h>
+#include <dns/rdatastruct.h>
 #include <dns/result.h>
+#include <dns/stats.h>
 #include <dns/view.h>
 #include <dns/zone.h>
 #include <dns/zonekey.h>
@@ -62,20 +71,20 @@
 #endif
 
 #ifdef DNS_RBTDB_VERSION64
-#define RBTDB_MAGIC			ISC_MAGIC('R', 'B', 'D', '8')
+#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '8')
 #else
-#define RBTDB_MAGIC			ISC_MAGIC('R', 'B', 'D', '4')
+#define RBTDB_MAGIC                     ISC_MAGIC('R', 'B', 'D', '4')
 #endif
 
 /*%
  * Note that "impmagic" is not the first four bytes of the struct, so
  * ISC_MAGIC_VALID cannot be used.
  */
-#define VALID_RBTDB(rbtdb)	((rbtdb) != NULL && \
+#define VALID_RBTDB(rbtdb)      ((rbtdb) != NULL && \
 				 (rbtdb)->common.impmagic == RBTDB_MAGIC)
 
 #ifdef DNS_RBTDB_VERSION64
-typedef isc_uint64_t			rbtdb_serial_t;
+typedef isc_uint64_t                    rbtdb_serial_t;
 /*%
  * Make casting easier in symbolic debuggers by using different names
  * for the 64 bit version.
@@ -84,17 +93,19 @@ typedef isc_uint64_t			rbtdb_serial_t;
 #define rdatasetheader_t rdatasetheader64_t
 #define rbtdb_version_t rbtdb_version64_t
 #else
-typedef isc_uint32_t			rbtdb_serial_t;
+typedef isc_uint32_t                    rbtdb_serial_t;
 #endif
 
-typedef isc_uint32_t			rbtdb_rdatatype_t;
+typedef isc_uint32_t                    rbtdb_rdatatype_t;
 
-#define RBTDB_RDATATYPE_BASE(type)	((dns_rdatatype_t)((type) & 0xFFFF))
-#define RBTDB_RDATATYPE_EXT(type)	((dns_rdatatype_t)((type) >> 16))
-#define RBTDB_RDATATYPE_VALUE(b, e)	(((e) << 16) | (b))
+#define RBTDB_RDATATYPE_BASE(type)      ((dns_rdatatype_t)((type) & 0xFFFF))
+#define RBTDB_RDATATYPE_EXT(type)       ((dns_rdatatype_t)((type) >> 16))
+#define RBTDB_RDATATYPE_VALUE(b, e)     ((rbtdb_rdatatype_t)((e) << 16) | (b))
 
 #define RBTDB_RDATATYPE_SIGNSEC \
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec)
+#define RBTDB_RDATATYPE_SIGNSEC3 \
+		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_nsec3)
 #define RBTDB_RDATATYPE_SIGNS \
 		RBTDB_RDATATYPE_VALUE(dns_rdatatype_rrsig, dns_rdatatype_ns)
 #define RBTDB_RDATATYPE_SIGCNAME \
@@ -119,15 +130,15 @@ typedef isc_uint32_t			rbtdb_rdatatype_t;
 #endif
 
 #if DNS_RBTDB_USERWLOCK
-#define RBTDB_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
-#define RBTDB_DESTROYLOCK(l)	isc_rwlock_destroy(l)
-#define RBTDB_LOCK(l, t)	RWLOCK((l), (t))
-#define RBTDB_UNLOCK(l, t)	RWUNLOCK((l), (t))
+#define RBTDB_INITLOCK(l)       isc_rwlock_init((l), 0, 0)
+#define RBTDB_DESTROYLOCK(l)    isc_rwlock_destroy(l)
+#define RBTDB_LOCK(l, t)        RWLOCK((l), (t))
+#define RBTDB_UNLOCK(l, t)      RWUNLOCK((l), (t))
 #else
-#define RBTDB_INITLOCK(l)	isc_mutex_init(l)
-#define RBTDB_DESTROYLOCK(l)	DESTROYLOCK(l)
-#define RBTDB_LOCK(l, t)	LOCK(l)
-#define RBTDB_UNLOCK(l, t)	UNLOCK(l)
+#define RBTDB_INITLOCK(l)       isc_mutex_init(l)
+#define RBTDB_DESTROYLOCK(l)    DESTROYLOCK(l)
+#define RBTDB_LOCK(l, t)        LOCK(l)
+#define RBTDB_UNLOCK(l, t)      UNLOCK(l)
 #endif
 
 /*
@@ -152,47 +163,53 @@ typedef isc_uint32_t			rbtdb_rdatatype_t;
 #if defined(ISC_RWLOCK_USEATOMIC) && defined(DNS_RBT_USEISCREFCOUNT)
 typedef isc_rwlock_t nodelock_t;
 
-#define NODE_INITLOCK(l)	isc_rwlock_init((l), 0, 0)
-#define NODE_DESTROYLOCK(l)	isc_rwlock_destroy(l)
-#define NODE_LOCK(l, t)		RWLOCK((l), (t))
-#define NODE_UNLOCK(l, t)	RWUNLOCK((l), (t))
-#define NODE_TRYUPGRADE(l)	isc_rwlock_tryupgrade(l)
-
-#define NODE_STRONGLOCK(l)	((void)0)
-#define NODE_STRONGUNLOCK(l)	((void)0)
-#define NODE_WEAKLOCK(l, t)	NODE_LOCK(l, t)
-#define NODE_WEAKUNLOCK(l, t)	NODE_UNLOCK(l, t)
-#define NODE_WEAKDOWNGRADE(l)	isc_rwlock_downgrade(l)
+#define NODE_INITLOCK(l)        isc_rwlock_init((l), 0, 0)
+#define NODE_DESTROYLOCK(l)     isc_rwlock_destroy(l)
+#define NODE_LOCK(l, t)         RWLOCK((l), (t))
+#define NODE_UNLOCK(l, t)       RWUNLOCK((l), (t))
+#define NODE_TRYUPGRADE(l)      isc_rwlock_tryupgrade(l)
+
+#define NODE_STRONGLOCK(l)      ((void)0)
+#define NODE_STRONGUNLOCK(l)    ((void)0)
+#define NODE_WEAKLOCK(l, t)     NODE_LOCK(l, t)
+#define NODE_WEAKUNLOCK(l, t)   NODE_UNLOCK(l, t)
+#define NODE_WEAKDOWNGRADE(l)   isc_rwlock_downgrade(l)
 #else
 typedef isc_mutex_t nodelock_t;
 
-#define NODE_INITLOCK(l)	isc_mutex_init(l)
-#define NODE_DESTROYLOCK(l)	DESTROYLOCK(l)
-#define NODE_LOCK(l, t)		LOCK(l)
-#define NODE_UNLOCK(l, t)	UNLOCK(l)
-#define NODE_TRYUPGRADE(l)	ISC_R_SUCCESS
-
-#define NODE_STRONGLOCK(l)	LOCK(l)
-#define NODE_STRONGUNLOCK(l)	UNLOCK(l)
-#define NODE_WEAKLOCK(l, t)	((void)0)
-#define NODE_WEAKUNLOCK(l, t)	((void)0)
-#define NODE_WEAKDOWNGRADE(l)	((void)0)
+#define NODE_INITLOCK(l)        isc_mutex_init(l)
+#define NODE_DESTROYLOCK(l)     DESTROYLOCK(l)
+#define NODE_LOCK(l, t)         LOCK(l)
+#define NODE_UNLOCK(l, t)       UNLOCK(l)
+#define NODE_TRYUPGRADE(l)      ISC_R_SUCCESS
+
+#define NODE_STRONGLOCK(l)      LOCK(l)
+#define NODE_STRONGUNLOCK(l)    UNLOCK(l)
+#define NODE_WEAKLOCK(l, t)     ((void)0)
+#define NODE_WEAKUNLOCK(l, t)   ((void)0)
+#define NODE_WEAKDOWNGRADE(l)   ((void)0)
 #endif
 
-#ifndef DNS_RDATASET_FIXED
-#define DNS_RDATASET_FIXED 1
+/*%
+ * Whether to rate-limit updating the LRU to avoid possible thread contention.
+ * Our performance measurement has shown the cost is marginal, so it's defined
+ * to be 0 by default either with or without threads.
+ */
+#ifndef DNS_RBTDB_LIMITLRUUPDATE
+#define DNS_RBTDB_LIMITLRUUPDATE 0
 #endif
 
 /*
- * Allow clients with a virtual time of upto 5 minutes in the past to see
+ * Allow clients with a virtual time of up to 5 minutes in the past to see
  * records that would have otherwise have expired.
  */
 #define RBTDB_VIRTUAL 300
 
 struct noqname {
-	dns_name_t name;
-	void *	   nsec;
-	void *	   nsecsig;
+	dns_name_t 	name;
+	void *     	neg;
+	void *     	negsig;
+	dns_rdatatype_t	type;
 };
 
 typedef struct acachectl acachectl_t;
@@ -201,18 +218,19 @@ typedef struct rdatasetheader {
 	/*%
 	 * Locked by the owning node's lock.
 	 */
-	rbtdb_serial_t			serial;
-	dns_ttl_t			ttl;
-	rbtdb_rdatatype_t		type;
-	isc_uint16_t			attributes;
-	dns_trust_t			trust;
-	struct noqname			*noqname;
+	rbtdb_serial_t                  serial;
+	dns_ttl_t                       rdh_ttl;
+	rbtdb_rdatatype_t               type;
+	isc_uint16_t                    attributes;
+	dns_trust_t                     trust;
+	struct noqname                  *noqname;
+	struct noqname                  *closest;
 	/*%<
 	 * We don't use the LIST macros, because the LIST structure has
 	 * both head and tail pointers, and is doubly linked.
 	 */
 
-	struct rdatasetheader		*next;
+	struct rdatasetheader           *next;
 	/*%<
 	 * If this is the top header for an rdataset, 'next' points
 	 * to the top header for the next rdataset (i.e., the next type).
@@ -220,13 +238,13 @@ typedef struct rdatasetheader {
 	 * at this header.
 	 */
 
-	struct rdatasetheader		*down;
+	struct rdatasetheader           *down;
 	/*%<
 	 * Points to the header for the next older version of
 	 * this rdataset.
 	 */
 
-	isc_uint32_t			count;
+	isc_uint32_t                    count;
 	/*%<
 	 * Monotonously increased every time this rdataset is bound so that
 	 * it is used as the base of the starting point in DNS responses
@@ -235,27 +253,56 @@ typedef struct rdatasetheader {
 	 * performance reasons.
 	 */
 
-	acachectl_t			*additional_auth;
-	acachectl_t			*additional_glue;
+	acachectl_t                     *additional_auth;
+	acachectl_t                     *additional_glue;
+
+	dns_rbtnode_t                   *node;
+	isc_stdtime_t                   last_used;
+	ISC_LINK(struct rdatasetheader) lru_link;
+	/*%<
+	 * Used for LRU-based cache management.  We should probably make
+	 * these cache-DB specific.  We might also make it a pointer and
+	 * ensure only the top header has a valid link to save memory.
+	 * The linked-list is locked by the rbtdb->lrulock.
+	 */
+
+	/*
+	 * It's possible this should not be here anymore, but instead
+	 * referenced from the bucket's heap directly.
+	 */
+#if 0
+	isc_heap_t                      *heap;
+#endif
+	unsigned int                    heap_index;
+	/*%<
+	 * Used for TTL-based cache cleaning.
+	 */
+	isc_stdtime_t                   resign;
 } rdatasetheader_t;
 
-#define RDATASET_ATTR_NONEXISTENT	0x0001
-#define RDATASET_ATTR_STALE		0x0002
-#define RDATASET_ATTR_IGNORE		0x0004
-#define RDATASET_ATTR_RETAIN		0x0008
-#define RDATASET_ATTR_NXDOMAIN		0x0010
+typedef ISC_LIST(rdatasetheader_t)      rdatasetheaderlist_t;
+typedef ISC_LIST(dns_rbtnode_t)         rbtnodelist_t;
+
+#define RDATASET_ATTR_NONEXISTENT       0x0001
+#define RDATASET_ATTR_STALE             0x0002
+#define RDATASET_ATTR_IGNORE            0x0004
+#define RDATASET_ATTR_RETAIN            0x0008
+#define RDATASET_ATTR_NXDOMAIN          0x0010
+#define RDATASET_ATTR_RESIGN            0x0020
+#define RDATASET_ATTR_STATCOUNT         0x0040
+#define RDATASET_ATTR_OPTOUT		0x0080
 
 typedef struct acache_cbarg {
-	dns_rdatasetadditional_t	type;
-	unsigned int			count;
-	dns_db_t			*db;
-	dns_dbnode_t			*node;
-	rdatasetheader_t		*header;
+	dns_rdatasetadditional_t        type;
+	unsigned int                    count;
+	dns_db_t                        *db;
+	dns_dbnode_t                    *node;
+	rdatasetheader_t                *header;
 } acache_cbarg_t;
 
 struct acachectl {
-	dns_acacheentry_t		*entry;
-	acache_cbarg_t			*cbarg;
+	dns_acacheentry_t               *entry;
+	acache_cbarg_t                  *cbarg;
 };
 
 /*
@@ -266,7 +313,7 @@ struct acachectl {
  * expired.
  */
 
-#undef IGNORE			/* WIN32 winbase.h defines this. */
+#undef IGNORE                   /* WIN32 winbase.h defines this. */
 
 #define EXISTS(header) \
 	(((header)->attributes & RDATASET_ATTR_NONEXISTENT) == 0)
@@ -278,106 +325,164 @@ struct acachectl {
 	(((header)->attributes & RDATASET_ATTR_RETAIN) != 0)
 #define NXDOMAIN(header) \
 	(((header)->attributes & RDATASET_ATTR_NXDOMAIN) != 0)
+#define RESIGN(header) \
+	(((header)->attributes & RDATASET_ATTR_RESIGN) != 0)
+#define OPTOUT(header) \
+	(((header)->attributes & RDATASET_ATTR_OPTOUT) != 0)
+
+#define DEFAULT_NODE_LOCK_COUNT         7       /*%< Should be prime. */
 
-#define DEFAULT_NODE_LOCK_COUNT		7	/*%< Should be prime. */
-#define DEFAULT_CACHE_NODE_LOCK_COUNT	1009	/*%< Should be prime. */
+/*%
+ * Number of buckets for cache DB entries (locks, LRU lists, TTL heaps).
+ * There is a tradeoff issue about configuring this value: if this is too
+ * small, it may cause heavier contention between threads; if this is too large,
+ * LRU purge algorithm won't work well (entries tend to be purged prematurely).
+ * The default value should work well for most environments, but this can
+ * also be configurable at compilation time via the
+ * DNS_RBTDB_CACHE_NODE_LOCK_COUNT variable.  This value must be larger than
+ * 1 due to the assumption of overmem_purge().
+ */
+#ifdef DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#if DNS_RBTDB_CACHE_NODE_LOCK_COUNT <= 1
+#error "DNS_RBTDB_CACHE_NODE_LOCK_COUNT must be larger than 1"
+#else
+#define DEFAULT_CACHE_NODE_LOCK_COUNT DNS_RBTDB_CACHE_NODE_LOCK_COUNT
+#endif
+#else
+#define DEFAULT_CACHE_NODE_LOCK_COUNT   16
+#endif	/* DNS_RBTDB_CACHE_NODE_LOCK_COUNT */
 
 typedef struct {
-	nodelock_t			lock;
+	nodelock_t                      lock;
 	/* Protected in the refcount routines. */
-	isc_refcount_t			references;
+	isc_refcount_t                  references;
 	/* Locked by lock. */
-	isc_boolean_t			exiting;
+	isc_boolean_t                   exiting;
 } rbtdb_nodelock_t;
 
 typedef struct rbtdb_changed {
-	dns_rbtnode_t *			node;
-	isc_boolean_t			dirty;
-	ISC_LINK(struct rbtdb_changed)	link;
+	dns_rbtnode_t *                 node;
+	isc_boolean_t                   dirty;
+	ISC_LINK(struct rbtdb_changed)  link;
 } rbtdb_changed_t;
 
-typedef ISC_LIST(rbtdb_changed_t)	rbtdb_changedlist_t;
+typedef ISC_LIST(rbtdb_changed_t)       rbtdb_changedlist_t;
+
+typedef enum {
+	dns_db_insecure,
+	dns_db_partial,
+	dns_db_secure
+} dns_db_secure_t;
 
 typedef struct rbtdb_version {
 	/* Not locked */
-	rbtdb_serial_t			serial;
+	rbtdb_serial_t                  serial;
 	/*
 	 * Protected in the refcount routines.
 	 * XXXJT: should we change the lock policy based on the refcount
 	 * performance?
 	 */
-	isc_refcount_t			references;
+	isc_refcount_t                  references;
 	/* Locked by database lock. */
-	isc_boolean_t			writer;
-	isc_boolean_t			commit_ok;
-	rbtdb_changedlist_t		changed_list;
-	ISC_LINK(struct rbtdb_version)	link;
+	isc_boolean_t                   writer;
+	isc_boolean_t                   commit_ok;
+	rbtdb_changedlist_t             changed_list;
+	rdatasetheaderlist_t		resigned_list;
+	ISC_LINK(struct rbtdb_version)  link;
+	dns_db_secure_t			secure;
+	isc_boolean_t			havensec3;
+	/* NSEC3 parameters */
+	dns_hash_t			hash;
+	isc_uint8_t			flags;
+	isc_uint16_t			iterations;
+	isc_uint8_t			salt_length;
+	unsigned char			salt[NSEC3_MAX_HASH_LENGTH];
 } rbtdb_version_t;
 
-typedef ISC_LIST(rbtdb_version_t)	rbtdb_versionlist_t;
+typedef ISC_LIST(rbtdb_version_t)       rbtdb_versionlist_t;
 
 typedef struct {
 	/* Unlocked. */
-	dns_db_t			common;
+	dns_db_t                        common;
 #if DNS_RBTDB_USERWLOCK
-	isc_rwlock_t			lock;
+	isc_rwlock_t                    lock;
 #else
-	isc_mutex_t			lock;
+	isc_mutex_t                     lock;
 #endif
-	isc_rwlock_t			tree_lock;
-	unsigned int			node_lock_count;
-	rbtdb_nodelock_t *	       	node_locks;
-	dns_rbtnode_t *			origin_node;
+	isc_rwlock_t                    tree_lock;
+	unsigned int                    node_lock_count;
+	rbtdb_nodelock_t *              node_locks;
+	dns_rbtnode_t *                 origin_node;
+	dns_stats_t *			rrsetstats; /* cache DB only */
 	/* Locked by lock. */
-	unsigned int			active;
-	isc_refcount_t			references;
-	unsigned int			attributes;
-	rbtdb_serial_t			current_serial;
-	rbtdb_serial_t			least_serial;
-	rbtdb_serial_t			next_serial;
-	rbtdb_version_t *		current_version;
-	rbtdb_version_t *		future_version;
-	rbtdb_versionlist_t		open_versions;
-	isc_boolean_t			overmem;
-	isc_task_t *			task;
-	dns_dbnode_t			*soanode;
-	dns_dbnode_t			*nsnode;
+	unsigned int                    active;
+	isc_refcount_t                  references;
+	unsigned int                    attributes;
+	rbtdb_serial_t                  current_serial;
+	rbtdb_serial_t                  least_serial;
+	rbtdb_serial_t                  next_serial;
+	rbtdb_version_t *               current_version;
+	rbtdb_version_t *               future_version;
+	rbtdb_versionlist_t             open_versions;
+	isc_boolean_t                   overmem;
+	isc_task_t *                    task;
+	dns_dbnode_t                    *soanode;
+	dns_dbnode_t                    *nsnode;
+
+	/*
+	 * This is a linked list used to implement the LRU cache.  There will
+	 * be node_lock_count linked lists here.  Nodes in bucket 1 will be
+	 * placed on the linked list rdatasets[1].
+	 */
+	rdatasetheaderlist_t            *rdatasets;
+
+	/*%
+	 * Temporary storage for stale cache nodes and dynamically deleted
+	 * nodes that await being cleaned up.
+	 */
+	rbtnodelist_t                   *deadnodes;
+
+	/*
+	 * Heaps.  Each of these is used for TTL based expiry.
+	 */
+	isc_heap_t                      **heaps;
+
 	/* Locked by tree_lock. */
-	dns_rbt_t *			tree;
-	isc_boolean_t			secure;
+	dns_rbt_t *                     tree;
+	dns_rbt_t *			nsec3;
 
 	/* Unlocked */
-	unsigned int			quantum;
+	unsigned int                    quantum;
 } dns_rbtdb_t;
 
-#define RBTDB_ATTR_LOADED		0x01
-#define RBTDB_ATTR_LOADING		0x02
+#define RBTDB_ATTR_LOADED               0x01
+#define RBTDB_ATTR_LOADING              0x02
 
 /*%
  * Search Context
  */
 typedef struct {
-	dns_rbtdb_t *		rbtdb;
-	rbtdb_version_t *	rbtversion;
-	rbtdb_serial_t		serial;
-	unsigned int		options;
-	dns_rbtnodechain_t	chain;
-	isc_boolean_t		copy_name;
-	isc_boolean_t		need_cleanup;
-	isc_boolean_t		wild;
-	dns_rbtnode_t *	       	zonecut;
-	rdatasetheader_t *	zonecut_rdataset;
-	rdatasetheader_t *	zonecut_sigrdataset;
-	dns_fixedname_t		zonecut_name;
-	isc_stdtime_t		now;
+	dns_rbtdb_t *           rbtdb;
+	rbtdb_version_t *       rbtversion;
+	rbtdb_serial_t          serial;
+	unsigned int            options;
+	dns_rbtnodechain_t      chain;
+	isc_boolean_t           copy_name;
+	isc_boolean_t           need_cleanup;
+	isc_boolean_t           wild;
+	dns_rbtnode_t *         zonecut;
+	rdatasetheader_t *      zonecut_rdataset;
+	rdatasetheader_t *      zonecut_sigrdataset;
+	dns_fixedname_t         zonecut_name;
+	isc_stdtime_t           now;
 } rbtdb_search_t;
 
 /*%
  * Load Context
  */
 typedef struct {
-	dns_rbtdb_t *		rbtdb;
-	isc_stdtime_t		now;
+	dns_rbtdb_t *           rbtdb;
+	isc_stdtime_t           now;
 } rbtdb_load_t;
 
 static void rdataset_disassociate(dns_rdataset_t *rdataset);
@@ -388,8 +493,12 @@ static void rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target);
 static unsigned int rdataset_count(dns_rdataset_t *rdataset);
 static isc_result_t rdataset_getnoqname(dns_rdataset_t *rdataset,
 					dns_name_t *name,
-					dns_rdataset_t *nsec,
-					dns_rdataset_t *nsecsig);
+					dns_rdataset_t *neg,
+					dns_rdataset_t *negsig);
+static isc_result_t rdataset_getclosest(dns_rdataset_t *rdataset,
+					dns_name_t *name,
+					dns_rdataset_t *neg,
+					dns_rdataset_t *negsig);
 static isc_result_t rdataset_getadditional(dns_rdataset_t *rdataset,
 					   dns_rdatasetadditional_t type,
 					   dns_rdatatype_t qtype,
@@ -414,6 +523,17 @@ static isc_result_t rdataset_putadditional(dns_acache_t *acache,
 					   dns_rdataset_t *rdataset,
 					   dns_rdatasetadditional_t type,
 					   dns_rdatatype_t qtype);
+static inline isc_boolean_t need_headerupdate(rdatasetheader_t *header,
+					      isc_stdtime_t now);
+static void update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+			  isc_stdtime_t now);
+static void expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+			  isc_boolean_t tree_locked);
+static void overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+			  isc_stdtime_t now, isc_boolean_t tree_locked);
+static isc_result_t resign_insert(dns_rbtdb_t *rbtdb, int idx,
+				  rdatasetheader_t *newheader);
+static void prune_tree(isc_task_t *task, isc_event_t *event);
 
 static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_disassociate,
@@ -424,6 +544,8 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	rdataset_count,
 	NULL,
 	rdataset_getnoqname,
+	NULL,
+	rdataset_getclosest,
 	rdataset_getadditional,
 	rdataset_setadditional,
 	rdataset_putadditional
@@ -443,22 +565,22 @@ static dns_rdatasetitermethods_t rdatasetiter_methods = {
 };
 
 typedef struct rbtdb_rdatasetiter {
-	dns_rdatasetiter_t		common;
-	rdatasetheader_t *		current;
+	dns_rdatasetiter_t              common;
+	rdatasetheader_t *              current;
 } rbtdb_rdatasetiter_t;
 
-static void		dbiterator_destroy(dns_dbiterator_t **iteratorp);
-static isc_result_t	dbiterator_first(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_last(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_seek(dns_dbiterator_t *iterator,
+static void             dbiterator_destroy(dns_dbiterator_t **iteratorp);
+static isc_result_t     dbiterator_first(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_last(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_seek(dns_dbiterator_t *iterator,
 					dns_name_t *name);
-static isc_result_t	dbiterator_prev(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_next(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_current(dns_dbiterator_t *iterator,
+static isc_result_t     dbiterator_prev(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_next(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_current(dns_dbiterator_t *iterator,
 					   dns_dbnode_t **nodep,
 					   dns_name_t *name);
-static isc_result_t	dbiterator_pause(dns_dbiterator_t *iterator);
-static isc_result_t	dbiterator_origin(dns_dbiterator_t *iterator,
+static isc_result_t     dbiterator_pause(dns_dbiterator_t *iterator);
+static isc_result_t     dbiterator_origin(dns_dbiterator_t *iterator,
 					  dns_name_t *name);
 
 static dns_dbiteratormethods_t dbiterator_methods = {
@@ -479,17 +601,21 @@ static dns_dbiteratormethods_t dbiterator_methods = {
  * If 'paused' is ISC_TRUE, then the tree lock is not being held.
  */
 typedef struct rbtdb_dbiterator {
-	dns_dbiterator_t		common;
-	isc_boolean_t			paused;
-	isc_boolean_t			new_origin;
-	isc_rwlocktype_t		tree_locked;
-	isc_result_t			result;
-	dns_fixedname_t			name;
-	dns_fixedname_t			origin;
-	dns_rbtnodechain_t		chain;
-	dns_rbtnode_t			*node;
-	dns_rbtnode_t			*deletions[DELETION_BATCH_MAX];
-	int				delete;
+	dns_dbiterator_t                common;
+	isc_boolean_t                   paused;
+	isc_boolean_t                   new_origin;
+	isc_rwlocktype_t                tree_locked;
+	isc_result_t                    result;
+	dns_fixedname_t                 name;
+	dns_fixedname_t                 origin;
+	dns_rbtnodechain_t              chain;
+	dns_rbtnodechain_t		nsec3chain;
+	dns_rbtnodechain_t		*current;
+	dns_rbtnode_t                   *node;
+	dns_rbtnode_t                   *deletions[DELETION_BATCH_MAX];
+	int                             delete;
+	isc_boolean_t			nsec3only;
+	isc_boolean_t			nonsec3;
 } rbtdb_dbiterator_t;
 
 
@@ -498,17 +624,20 @@ typedef struct rbtdb_dbiterator {
 
 static void free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log,
 		       isc_event_t *event);
+static void overmem(dns_db_t *db, isc_boolean_t overmem);
+static void setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
+			       isc_boolean_t *nsec3createflag);
 
 /*%
  * 'init_count' is used to initialize 'newheader->count' which inturn
  * is used to determine where in the cycle rrset-order cyclic starts.
- * We don't lock this as we don't care about simultanious updates.
+ * We don't lock this as we don't care about simultaneous updates.
  *
  * Note:
- *	Both init_count and header->count can be ISC_UINT32_MAX.
+ *      Both init_count and header->count can be ISC_UINT32_MAX.
  *      The count on the returned rdataset however can't be as
- *	that indicates that the database does not implement cyclic
- *	processing.
+ *      that indicates that the database does not implement cyclic
+ *      processing.
  */
 static unsigned int init_count;
 
@@ -518,12 +647,12 @@ static unsigned int init_count;
  * If a routine is going to lock more than one lock in this module, then
  * the locking must be done in the following order:
  *
- *	Tree Lock
+ *      Tree Lock
  *
- *	Node Lock	(Only one from the set may be locked at one time by
- *			 any caller)
+ *      Node Lock       (Only one from the set may be locked at one time by
+ *                       any caller)
  *
- *	Database Lock
+ *      Database Lock
  *
  * Failure to follow this hierarchy can result in deadlock.
  */
@@ -531,11 +660,7 @@ static unsigned int init_count;
 /*
  * Deleting Nodes
  *
- * Currently there is no deletion of nodes from the database, except when
- * the database is being destroyed.
- *
- * If node deletion is added in the future, then for zone databases the node
- * for the origin of the zone MUST NOT be deleted.
+ * For zone databases the node for the origin of the zone MUST NOT be deleted.
  */
 
 
@@ -563,6 +688,96 @@ free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
 	free_rbtdb(rbtdb, ISC_TRUE, event);
 }
 
+static void
+update_rrsetstats(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+		  isc_boolean_t increment)
+{
+	dns_rdatastatstype_t statattributes = 0;
+	dns_rdatastatstype_t base = 0;
+	dns_rdatastatstype_t type;
+
+	/* At the moment we count statistics only for cache DB */
+	INSIST(IS_CACHE(rbtdb));
+
+	if (NXDOMAIN(header))
+		statattributes = DNS_RDATASTATSTYPE_ATTR_NXDOMAIN;
+	else if (RBTDB_RDATATYPE_BASE(header->type) == 0) {
+		statattributes = DNS_RDATASTATSTYPE_ATTR_NXRRSET;
+		base = RBTDB_RDATATYPE_EXT(header->type);
+	} else
+		base = RBTDB_RDATATYPE_BASE(header->type);
+
+	type = DNS_RDATASTATSTYPE_VALUE(base, statattributes);
+	if (increment)
+		dns_rdatasetstats_increment(rbtdb->rrsetstats, type);
+	else
+		dns_rdatasetstats_decrement(rbtdb->rrsetstats, type);
+}
+
+static void
+set_ttl(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, dns_ttl_t newttl) {
+	int idx;
+	isc_heap_t *heap;
+	dns_ttl_t oldttl;
+
+	oldttl = header->rdh_ttl;
+	header->rdh_ttl = newttl;
+
+	if (!IS_CACHE(rbtdb))
+		return;
+
+	/*
+	 * It's possible the rbtdb is not a cache.  If this is the case,
+	 * we will not have a heap, and we move on.  If we do, though,
+	 * we might need to adjust things.
+	 */
+	if (header->heap_index == 0 || newttl == oldttl)
+		return;
+	idx = header->node->locknum;
+	if (rbtdb->heaps == NULL || rbtdb->heaps[idx] == NULL)
+	    return;
+	heap = rbtdb->heaps[idx];
+
+	if (newttl < oldttl)
+		isc_heap_increased(heap, header->heap_index);
+	else
+		isc_heap_decreased(heap, header->heap_index);
+}
+
+/*%
+ * These functions allow the heap code to rank the priority of each
+ * element.  It returns ISC_TRUE if v1 happens "sooner" than v2.
+ */
+static isc_boolean_t
+ttl_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	if (h1->rdh_ttl < h2->rdh_ttl)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+static isc_boolean_t
+resign_sooner(void *v1, void *v2) {
+	rdatasetheader_t *h1 = v1;
+	rdatasetheader_t *h2 = v2;
+
+	if (h1->resign < h2->resign)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
+
+/*%
+ * This function sets the heap index into the header.
+ */
+static void
+set_index(void *what, unsigned int index) {
+	rdatasetheader_t *h = what;
+
+	h->heap_index = index;
+}
+
 /*%
  * Work out how many nodes can be deleted in the time between two
  * requests to the nameserver.  Smooth the resulting number and use it
@@ -571,7 +786,7 @@ free_rbtdb_callback(isc_task_t *task, isc_event_t *event) {
  */
 static unsigned int
 adjust_quantum(unsigned int old, isc_time_t *start) {
-	unsigned int pps = dns_pps;	/* packets per second */
+	unsigned int pps = dns_pps;     /* packets per second */
 	unsigned int interval;
 	isc_uint64_t usecs;
 	isc_time_t end;
@@ -581,7 +796,7 @@ adjust_quantum(unsigned int old, isc_time_t *start) {
 		pps = 100;
 	isc_time_now(&end);
 
-	interval = 1000000 / pps;	/* interval in usec */
+	interval = 1000000 / pps;       /* interval in usec */
 	if (interval == 0)
 		interval = 1;
 	usecs = isc_time_microdiff(&end, start);
@@ -619,6 +834,9 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 	char buf[DNS_NAME_FORMATSIZE];
 	isc_time_t start;
 
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		overmem((dns_db_t *)rbtdb, (isc_boolean_t)-1);
+
 	REQUIRE(rbtdb->current_version != NULL || EMPTY(rbtdb->open_versions));
 	REQUIRE(rbtdb->future_version == NULL);
 
@@ -633,6 +851,21 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 		isc_mem_put(rbtdb->common.mctx, rbtdb->current_version,
 			    sizeof(rbtdb_version_t));
 	}
+
+	/*
+	 * We assume the number of remaining dead nodes is reasonably small;
+	 * the overhead of unlinking all nodes here should be negligible.
+	 */
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		dns_rbtnode_t *node;
+
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		while (node != NULL) {
+			ISC_LIST_UNLINK(rbtdb->deadnodes[i], node, deadlink);
+			node = ISC_LIST_HEAD(rbtdb->deadnodes[i]);
+		}
+	}
+
 	if (event == NULL)
 		rbtdb->quantum = (rbtdb->task != NULL) ? 100 : 0;
  again:
@@ -658,6 +891,30 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 		}
 		INSIST(result == ISC_R_SUCCESS && rbtdb->tree == NULL);
 	}
+
+	if (rbtdb->nsec3 != NULL) {
+		isc_time_now(&start);
+		result = dns_rbt_destroy2(&rbtdb->nsec3, rbtdb->quantum);
+		if (result == ISC_R_QUOTA) {
+			INSIST(rbtdb->task != NULL);
+			if (rbtdb->quantum != 0)
+				rbtdb->quantum = adjust_quantum(rbtdb->quantum,
+								&start);
+			if (event == NULL)
+				event = isc_event_allocate(rbtdb->common.mctx,
+							   NULL,
+							 DNS_EVENT_FREESTORAGE,
+							   free_rbtdb_callback,
+							   rbtdb,
+							   sizeof(isc_event_t));
+			if (event == NULL)
+				goto again;
+			isc_task_send(rbtdb->task, &event);
+			return;
+		}
+		INSIST(result == ISC_R_SUCCESS && rbtdb->nsec3 == NULL);
+	}
+
 	if (event != NULL)
 		isc_event_free(&event);
 	if (log) {
@@ -676,12 +933,47 @@ free_rbtdb(dns_rbtdb_t *rbtdb, isc_boolean_t log, isc_event_t *event) {
 		isc_refcount_destroy(&rbtdb->node_locks[i].references);
 		NODE_DESTROYLOCK(&rbtdb->node_locks[i].lock);
 	}
+
+	/*
+	 * Clean up LRU / re-signing order lists.
+	 */
+	if (rbtdb->rdatasets != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			INSIST(ISC_LIST_EMPTY(rbtdb->rdatasets[i]));
+		isc_mem_put(rbtdb->common.mctx, rbtdb->rdatasets,
+			    rbtdb->node_lock_count *
+			    sizeof(rdatasetheaderlist_t));
+	}
+	/*
+	 * Clean up dead node buckets.
+	 */
+	if (rbtdb->deadnodes != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			INSIST(ISC_LIST_EMPTY(rbtdb->deadnodes[i]));
+		isc_mem_put(rbtdb->common.mctx, rbtdb->deadnodes,
+		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
+	}
+	/*
+	 * Clean up heap objects.
+	 */
+	if (rbtdb->heaps != NULL) {
+		for (i = 0; i < rbtdb->node_lock_count; i++)
+			isc_heap_destroy(&rbtdb->heaps[i]);
+		isc_mem_put(rbtdb->common.mctx, rbtdb->heaps,
+			    rbtdb->node_lock_count *
+			    sizeof(isc_heap_t *));
+	}
+
+	if (rbtdb->rrsetstats != NULL)
+		dns_stats_detach(&rbtdb->rrsetstats);
+
 	isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks,
 		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
 	isc_rwlock_destroy(&rbtdb->tree_lock);
 	isc_refcount_destroy(&rbtdb->references);
 	if (rbtdb->task != NULL)
 		isc_task_detach(&rbtdb->task);
+
 	RBTDB_DESTROYLOCK(&rbtdb->lock);
 	rbtdb->common.magic = 0;
 	rbtdb->common.impmagic = 0;
@@ -788,6 +1080,7 @@ allocate_version(isc_mem_t *mctx, rbtdb_serial_t serial,
 	version->writer = writer;
 	version->commit_ok = ISC_FALSE;
 	ISC_LIST_INIT(version->changed_list);
+	ISC_LIST_INIT(version->resigned_list);
 	ISC_LINK_INIT(version, link);
 
 	return (version);
@@ -803,11 +1096,29 @@ newversion(dns_db_t *db, dns_dbversion_t **versionp) {
 	REQUIRE(rbtdb->future_version == NULL);
 
 	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write);
-	RUNTIME_CHECK(rbtdb->next_serial != 0);		/* XXX Error? */
+	RUNTIME_CHECK(rbtdb->next_serial != 0);         /* XXX Error? */
 	version = allocate_version(rbtdb->common.mctx, rbtdb->next_serial, 1,
 				   ISC_TRUE);
 	if (version != NULL) {
 		version->commit_ok = ISC_TRUE;
+		version->secure = rbtdb->current_version->secure;
+		version->havensec3 = rbtdb->current_version->havensec3;
+		if (version->havensec3) {
+			version->flags = rbtdb->current_version->flags;
+			version->iterations =
+				rbtdb->current_version->iterations;
+			version->hash = rbtdb->current_version->hash;
+			version->salt_length =
+				rbtdb->current_version->salt_length;
+			memcpy(version->salt, rbtdb->current_version->salt,
+			       version->salt_length);
+		} else {
+			version->flags = 0;
+			version->iterations = 0;
+			version->hash = 0;
+			version->salt_length = 0;
+			memset(version->salt, 0, sizeof(version->salt));
+		}
 		rbtdb->next_serial++;
 		rbtdb->future_version = version;
 	}
@@ -875,7 +1186,7 @@ free_acachearray(isc_mem_t *mctx, rdatasetheader_t *header,
 {
 	unsigned int count;
 	unsigned int i;
-	unsigned char *raw;	/* RDATASLAB */
+	unsigned char *raw;     /* RDATASLAB */
 
 	/*
 	 * The caller must be holding the corresponding node lock.
@@ -903,22 +1214,69 @@ free_noqname(isc_mem_t *mctx, struct noqname **noqname) {
 
 	if (dns_name_dynamic(&(*noqname)->name))
 		dns_name_free(&(*noqname)->name, mctx);
-	if ((*noqname)->nsec != NULL)
-		isc_mem_put(mctx, (*noqname)->nsec,
-			    dns_rdataslab_size((*noqname)->nsec, 0));
-	if ((*noqname)->nsecsig != NULL)
-		isc_mem_put(mctx, (*noqname)->nsecsig,
-			    dns_rdataslab_size((*noqname)->nsecsig, 0));
+	if ((*noqname)->neg != NULL)
+		isc_mem_put(mctx, (*noqname)->neg,
+			    dns_rdataslab_size((*noqname)->neg, 0));
+	if ((*noqname)->negsig != NULL)
+		isc_mem_put(mctx, (*noqname)->negsig,
+			    dns_rdataslab_size((*noqname)->negsig, 0));
 	isc_mem_put(mctx, *noqname, sizeof(**noqname));
 	*noqname = NULL;
 }
 
 static inline void
-free_rdataset(isc_mem_t *mctx, rdatasetheader_t *rdataset) {
+init_rdataset(dns_rbtdb_t *rbtdb, rdatasetheader_t *h)
+{
+	ISC_LINK_INIT(h, lru_link);
+	h->heap_index = 0;
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		fprintf(stderr, "initialized header: %p\n", h);
+#else
+	UNUSED(rbtdb);
+#endif
+}
+
+static inline rdatasetheader_t *
+new_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx)
+{
+	rdatasetheader_t *h;
+
+	h = isc_mem_get(mctx, sizeof(*h));
+	if (h == NULL)
+		return (NULL);
+
+#if TRACE_HEADER
+	if (IS_CACHE(rbtdb) && rbtdb->common.rdclass == dns_rdataclass_in)
+		fprintf(stderr, "allocated header: %p\n", h);
+#endif
+	init_rdataset(rbtdb, h);
+	return (h);
+}
+
+static inline void
+free_rdataset(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *rdataset)
+{
 	unsigned int size;
+	int idx;
+
+	if (EXISTS(rdataset) &&
+	    (rdataset->attributes & RDATASET_ATTR_STATCOUNT) != 0) {
+		update_rrsetstats(rbtdb, rdataset, ISC_FALSE);
+	}
+
+	idx = rdataset->node->locknum;
+	if (ISC_LINK_LINKED(rdataset, lru_link))
+		ISC_LIST_UNLINK(rbtdb->rdatasets[idx], rdataset, lru_link);
+	if (rdataset->heap_index != 0)
+		isc_heap_delete(rbtdb->heaps[idx], rdataset->heap_index);
+	rdataset->heap_index = 0;
 
 	if (rdataset->noqname != NULL)
 		free_noqname(mctx, &rdataset->noqname);
+	if (rdataset->closest != NULL)
+		free_noqname(mctx, &rdataset->closest);
 
 	free_acachearray(mctx, rdataset, rdataset->additional_auth);
 	free_acachearray(mctx, rdataset, rdataset->additional_glue);
@@ -964,12 +1322,13 @@ rollback_node(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 }
 
 static inline void
-clean_stale_headers(isc_mem_t *mctx, rdatasetheader_t *top) {
+clean_stale_headers(dns_rbtdb_t *rbtdb, isc_mem_t *mctx, rdatasetheader_t *top)
+{
 	rdatasetheader_t *d, *down_next;
 
 	for (d = top->down; d != NULL; d = down_next) {
 		down_next = d->down;
-		free_rdataset(mctx, d);
+		free_rdataset(rbtdb, mctx, d);
 	}
 	top->down = NULL;
 }
@@ -986,7 +1345,7 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 	top_prev = NULL;
 	for (current = node->data; current != NULL; current = top_next) {
 		top_next = current->next;
-		clean_stale_headers(mctx, current);
+		clean_stale_headers(rbtdb, mctx, current);
 		/*
 		 * If current is nonexistent or stale, we can clean it up.
 		 */
@@ -996,7 +1355,7 @@ clean_cache_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 				top_prev->next = current->next;
 			else
 				node->data = current->next;
-			free_rdataset(mctx, current);
+			free_rdataset(rbtdb, mctx, current);
 		} else
 			top_prev = current;
 	}
@@ -1037,7 +1396,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 				if (down_next != NULL)
 					down_next->next = dparent;
 				dparent->down = down_next;
-				free_rdataset(mctx, dcurrent);
+				free_rdataset(rbtdb, mctx, dcurrent);
 			} else
 				dparent = dcurrent;
 		}
@@ -1053,7 +1412,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 					top_prev->next = current->next;
 				else
 					node->data = current->next;
-				free_rdataset(mctx, current);
+				free_rdataset(rbtdb, mctx, current);
 				/*
 				 * current no longer exists, so we can
 				 * just continue with the loop.
@@ -1069,7 +1428,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 				else
 					node->data = down_next;
 				down_next->next = top_next;
-				free_rdataset(mctx, current);
+				free_rdataset(rbtdb, mctx, current);
 				current = down_next;
 			}
 		}
@@ -1096,7 +1455,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 			do {
 				down_next = dcurrent->down;
 				INSIST(dcurrent->serial <= least_serial);
-				free_rdataset(mctx, dcurrent);
+				free_rdataset(rbtdb, mctx, dcurrent);
 				dcurrent = down_next;
 			} while (dcurrent != NULL);
 			dparent->down = NULL;
@@ -1120,7 +1479,7 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 					top_prev->next = current->next;
 				else
 					node->data = current->next;
-				free_rdataset(mctx, current);
+				free_rdataset(rbtdb, mctx, current);
 			} else
 				top_prev = current;
 		}
@@ -1129,6 +1488,49 @@ clean_zone_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		node->dirty = 0;
 }
 
+/*%
+ * Clean up dead nodes.  These are nodes which have no references, and
+ * have no data.  They are dead but we could not or chose not to delete
+ * them when we deleted all the data at that node because we did not want
+ * to wait for the tree write lock.
+ *
+ * The caller must hold a tree write lock and bucketnum'th node (write) lock.
+ */
+static void
+cleanup_dead_nodes(dns_rbtdb_t *rbtdb, int bucketnum) {
+	dns_rbtnode_t *node;
+	isc_result_t result;
+	int count = 10;         /* XXXJT: should be adjustable */
+
+	node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+	while (node != NULL && count > 0) {
+		ISC_LIST_UNLINK(rbtdb->deadnodes[bucketnum], node, deadlink);
+
+		/*
+		 * Since we're holding a tree write lock, it should be
+		 * impossible for this node to be referenced by others.
+		 */
+		INSIST(dns_rbtnode_refcurrent(node) == 0 &&
+		       node->data == NULL);
+
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		if (node->nsec3)
+			result = dns_rbt_deletenode(rbtdb->nsec3, node,
+						    ISC_FALSE);
+		else
+			result = dns_rbt_deletenode(rbtdb->tree, node,
+						    ISC_FALSE);
+		if (result != ISC_R_SUCCESS)
+			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
+				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
+				      "cleanup_dead_nodes: "
+				      "dns_rbt_deletenode: %s",
+				      isc_result_totext(result));
+		node = ISC_LIST_HEAD(rbtdb->deadnodes[bucketnum]);
+		count--;
+	}
+}
+
 /*
  * Caller must be holding the node lock if its reference must be protected
  * by the lock.
@@ -1139,7 +1541,7 @@ new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 	isc_refcount_t *lockref;
 
 	dns_rbtnode_refincrement0(node, &noderefs);
-	if (noderefs == 1) {	/* this is the first reference to the node */
+	if (noderefs == 1) {    /* this is the first reference to the node */
 		lockref = &rbtdb->node_locks[node->locknum].references;
 		isc_refcount_increment0(lockref, &lockrefs);
 		INSIST(lockrefs != 0);
@@ -1148,6 +1550,49 @@ new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 }
 
 /*
+ * This function is assumed to be called when a node is newly referenced
+ * and can be in the deadnode list.  In that case the node must be retrieved
+ * from the list because it is going to be used.  In addition, if the caller
+ * happens to hold a write lock on the tree, it's a good chance to purge dead
+ * nodes.
+ * Note: while a new reference is gained in multiple places, there are only very
+ * few cases where the node can be in the deadnode list (only empty nodes can
+ * have been added to the list).
+ */
+static inline void
+reactivate_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+		isc_rwlocktype_t treelocktype)
+{
+	isc_boolean_t need_relock = ISC_FALSE;
+
+	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
+	new_reference(rbtdb, node);
+
+	NODE_WEAKLOCK(&rbtdb->node_locks[node->locknum].lock,
+		      isc_rwlocktype_read);
+	if (ISC_LINK_LINKED(node, deadlink))
+		need_relock = ISC_TRUE;
+	else if (!ISC_LIST_EMPTY(rbtdb->deadnodes[node->locknum]) &&
+		 treelocktype == isc_rwlocktype_write)
+		need_relock = ISC_TRUE;
+	NODE_WEAKUNLOCK(&rbtdb->node_locks[node->locknum].lock,
+			isc_rwlocktype_read);
+	if (need_relock) {
+		NODE_WEAKLOCK(&rbtdb->node_locks[node->locknum].lock,
+			      isc_rwlocktype_write);
+		if (ISC_LINK_LINKED(node, deadlink))
+			ISC_LIST_UNLINK(rbtdb->deadnodes[node->locknum],
+					node, deadlink);
+		if (treelocktype == isc_rwlocktype_write)
+			cleanup_dead_nodes(rbtdb, node->locknum);
+		NODE_WEAKUNLOCK(&rbtdb->node_locks[node->locknum].lock,
+				isc_rwlocktype_write);
+	}
+
+	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
+}
+
+/*
  * Caller must be holding the node lock; either the "strong", read or write
  * lock.  Note that the lock must be held even when node references are
  * atomically modified; in that case the decrement operation itself does not
@@ -1160,14 +1605,17 @@ new_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
 static isc_boolean_t
 decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		    rbtdb_serial_t least_serial,
-		    isc_rwlocktype_t nlock, isc_rwlocktype_t tlock)
+		    isc_rwlocktype_t nlock, isc_rwlocktype_t tlock,
+		    isc_boolean_t pruning)
 {
 	isc_result_t result;
 	isc_boolean_t write_locked;
 	rbtdb_nodelock_t *nodelock;
 	unsigned int refs, nrefs;
+	int bucket = node->locknum;
+	isc_boolean_t no_reference;
 
-	nodelock = &rbtdb->node_locks[node->locknum];
+	nodelock = &rbtdb->node_locks[bucket];
 
 	/* Handle easy and typical case first. */
 	if (!node->dirty && (node->data != NULL || node->down != NULL)) {
@@ -1226,7 +1674,9 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	}
 
 	/*
-	 * XXXDCL need to add a deferred delete method for ISC_R_LOCKBUSY.
+	 * Attempt to switch to a write lock on the tree.  If this fails,
+	 * we will add this node to a linked list of nodes in this locking
+	 * bucket which we will free later.
 	 */
 	if (tlock != isc_rwlocktype_write) {
 		/*
@@ -1246,6 +1696,7 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	} else
 		write_locked = ISC_TRUE;
 
+	no_reference = ISC_TRUE;
 	if (write_locked && dns_rbtnode_refcurrent(node) == 0) {
 		/*
 		 * We can now delete the node if the reference counter is
@@ -1254,26 +1705,97 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		 * current thread locks the tree (e.g., in findnode()).
 		 */
 
-		if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
-			char printname[DNS_NAME_FORMATSIZE];
+		/*
+		 * If this node is the only one in the level it's in, deleting
+		 * this node may recursively make its parent the only node in
+		 * the parent level; if so, and if no one is currently using
+		 * the parent node, this is almost the only opportunity to
+		 * clean it up.  But the recursive cleanup is not that trivial
+		 * since the child and parent may be in different lock buckets,
+		 * which would cause a lock order reversal problem.  To avoid
+		 * the trouble, we'll dispatch a separate event for batch
+		 * cleaning.  We need to check whether we're deleting the node
+		 * as a result of pruning to avoid infinite dispatching.
+		 * Note: pruning happens only when a task has been set for the
+		 * rbtdb.  If the user of the rbtdb chooses not to set a task,
+		 * it's their responsibility to purge stale leaves (e.g. by
+		 * periodic walk-through).
+		 */
+		if (!pruning && node->parent != NULL &&
+		    node->parent->down == node && node->left == NULL &&
+		    node->right == NULL && rbtdb->task != NULL) {
+			isc_event_t *ev;
+			dns_db_t *db;
+
+			ev = isc_event_allocate(rbtdb->common.mctx, NULL,
+						DNS_EVENT_RBTPRUNE,
+						prune_tree, node,
+						sizeof(isc_event_t));
+			if (ev != NULL) {
+				new_reference(rbtdb, node);
+				db = NULL;
+				attach((dns_db_t *)rbtdb, &db);
+				ev->ev_sender = db;
+				isc_task_send(rbtdb->task, &ev);
+				no_reference = ISC_FALSE;
+			} else {
+				/*
+				 * XXX: this is a weird situation.  We could
+				 * ignore this error case, but then the stale
+				 * node will unlikely be purged except via a
+				 * rare condition such as manual cleanup.  So
+				 * we queue it in the deadnodes list, hoping
+				 * the memory shortage is temporary and the node
+				 * will be deleted later.
+				 */
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_INFO,
+					      "decrement_reference: failed to "
+					      "allocate pruning event");
+				INSIST(!ISC_LINK_LINKED(node, deadlink));
+				ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node,
+						deadlink);
+			}
+		} else {
+			if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(1))) {
+				char printname[DNS_NAME_FORMATSIZE];
+
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_DEBUG(1),
+					      "decrement_reference: "
+					      "delete from rbt: %p %s",
+					      node,
+					      dns_rbt_formatnodename(node,
+							printname,
+							sizeof(printname)));
+			}
 
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_DEBUG(1),
-				      "decrement_reference: "
-				      "delete from rbt: %p %s",
-				      node,
-				      dns_rbt_formatnodename(node, printname,
-							   sizeof(printname)));
+			INSIST(!ISC_LINK_LINKED(node, deadlink));
+			if (node->nsec3)
+				result = dns_rbt_deletenode(rbtdb->nsec3, node,
+							    ISC_FALSE);
+			else
+				result = dns_rbt_deletenode(rbtdb->tree, node,
+							    ISC_FALSE);
+			if (result != ISC_R_SUCCESS) {
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_DATABASE,
+					      DNS_LOGMODULE_CACHE,
+					      ISC_LOG_WARNING,
+					      "decrement_reference: "
+					      "dns_rbt_deletenode: %s",
+					      isc_result_totext(result));
+			}
 		}
-
-		result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
-		if (result != ISC_R_SUCCESS)
-			isc_log_write(dns_lctx, DNS_LOGCATEGORY_DATABASE,
-				      DNS_LOGMODULE_CACHE, ISC_LOG_WARNING,
-				      "decrement_reference: "
-				      "dns_rbt_deletenode: %s",
-				      isc_result_totext(result));
-	}
+	} else if (dns_rbtnode_refcurrent(node) == 0) {
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
+		ISC_LIST_APPEND(rbtdb->deadnodes[bucket], node, deadlink);
+	} else
+		no_reference = ISC_FALSE;
 
 	/* Restore the lock? */
 	if (nlock == isc_rwlocktype_read)
@@ -1290,7 +1812,71 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 		if (write_locked)
 			isc_rwlock_downgrade(&rbtdb->tree_lock);
 
-	return (ISC_TRUE);
+	return (no_reference);
+}
+
+/*
+ * Prune the tree by recursively cleaning-up single leaves.  In the worst
+ * case, the number of iteration is the number of tree levels, which is at
+ * most the maximum number of domain name labels, i.e, 127.  In practice, this
+ * should be much smaller (only a few times), and even the worst case would be
+ * acceptable for a single event.
+ */
+static void
+prune_tree(isc_task_t *task, isc_event_t *event) {
+	dns_rbtdb_t *rbtdb = event->ev_sender;
+	dns_rbtnode_t *node = event->ev_arg;
+	dns_rbtnode_t *parent;
+	unsigned int locknum;
+
+	UNUSED(task);
+
+	isc_event_free(&event);
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	locknum = node->locknum;
+	NODE_LOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	do {
+		parent = node->parent;
+		decrement_reference(rbtdb, node, 0, isc_rwlocktype_write,
+				    isc_rwlocktype_write, ISC_TRUE);
+
+		if (parent != NULL && parent->down == NULL) {
+			/*
+			 * node was the only down child of the parent and has
+			 * just been removed.  We'll then need to examine the
+			 * parent.  Keep the lock if possible; otherwise,
+			 * release the old lock and acquire one for the parent.
+			 */
+			if (parent->locknum != locknum) {
+				NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+					    isc_rwlocktype_write);
+				locknum = parent->locknum;
+				NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+					  isc_rwlocktype_write);
+			}
+
+			/*
+			 * We need to gain a reference to the node before
+			 * decrementing it in the next iteration.  In addition,
+			 * if the node is in the dead-nodes list, extract it
+			 * from the list beforehand as we do in
+			 * reactivate_node().
+			 */
+			new_reference(rbtdb, parent);
+			if (ISC_LINK_LINKED(parent, deadlink)) {
+				ISC_LIST_UNLINK(rbtdb->deadnodes[locknum],
+						parent, deadlink);
+			}
+		} else
+			parent = NULL;
+
+		node = parent;
+	} while (node != NULL);
+	NODE_UNLOCK(&rbtdb->node_locks[locknum].lock, isc_rwlocktype_write);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+
+	detach((dns_db_t **)&rbtdb);
 }
 
 static inline void
@@ -1337,17 +1923,20 @@ cleanup_nondirty(rbtdb_version_t *version, rbtdb_changedlist_t *cleanup_list) {
 	}
 }
 
-static isc_boolean_t
-iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
+static void
+iszonesecure(dns_db_t *db, rbtdb_version_t *version, dns_dbnode_t *origin) {
 	dns_rdataset_t keyset;
 	dns_rdataset_t nsecset, signsecset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
 	isc_boolean_t haszonekey = ISC_FALSE;
 	isc_boolean_t hasnsec = ISC_FALSE;
+	isc_boolean_t hasoptbit = ISC_FALSE;
+	isc_boolean_t nsec3createflag = ISC_FALSE;
 	isc_result_t result;
 
 	dns_rdataset_init(&keyset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_dnskey, 0,
-				     0, &keyset, NULL);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_dnskey,
+				     0, 0, &keyset, NULL);
 	if (result == ISC_R_SUCCESS) {
 		dns_rdata_t keyrdata = DNS_RDATA_INIT;
 		result = dns_rdataset_first(&keyset);
@@ -1361,21 +1950,153 @@ iszonesecure(dns_db_t *db, dns_dbnode_t *origin) {
 		}
 		dns_rdataset_disassociate(&keyset);
 	}
-	if (!haszonekey)
-		return (ISC_FALSE);
+	if (!haszonekey) {
+		version->secure = dns_db_insecure;
+		version->havensec3 = ISC_FALSE;
+		return;
+	}
 
 	dns_rdataset_init(&nsecset);
 	dns_rdataset_init(&signsecset);
-	result = dns_db_findrdataset(db, origin, NULL, dns_rdatatype_nsec, 0,
-				     0, &nsecset, &signsecset);
+	result = dns_db_findrdataset(db, origin, version, dns_rdatatype_nsec,
+				     0, 0, &nsecset, &signsecset);
 	if (result == ISC_R_SUCCESS) {
 		if (dns_rdataset_isassociated(&signsecset)) {
 			hasnsec = ISC_TRUE;
+			result = dns_rdataset_first(&nsecset);
+			if (result == ISC_R_SUCCESS) {
+				dns_rdataset_current(&nsecset, &rdata);
+				hasoptbit = dns_nsec_typepresent(&rdata,
+							     dns_rdatatype_opt);
+			}
 			dns_rdataset_disassociate(&signsecset);
 		}
 		dns_rdataset_disassociate(&nsecset);
 	}
-	return (hasnsec);
+
+	setnsec3parameters(db, version, &nsec3createflag);
+
+	/*
+	 * Do we have a valid NSEC/NSEC3 chain?
+	 */
+	if (version->havensec3 || (hasnsec && !hasoptbit))
+		version->secure = dns_db_secure;
+	/*
+	 * Do we have a NSEC/NSEC3 chain under creation?
+	 */
+	else if (hasoptbit || nsec3createflag)
+		version->secure = dns_db_partial;
+	else
+		version->secure = dns_db_insecure;
+}
+
+/*%<
+ * Walk the origin node looking for NSEC3PARAM records.
+ * Cache the nsec3 parameters.
+ */
+static void
+setnsec3parameters(dns_db_t *db, rbtdb_version_t *version,
+		   isc_boolean_t *nsec3createflag)
+{
+	dns_rbtnode_t *node;
+	dns_rdata_nsec3param_t nsec3param;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_region_t region;
+	isc_result_t result;
+	rdatasetheader_t *header, *header_next;
+	unsigned char *raw;             /* RDATASLAB */
+	unsigned int count, length;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	version->havensec3 = ISC_FALSE;
+	node = rbtdb->origin_node;
+	NODE_LOCK(&(rbtdb->node_locks[node->locknum].lock),
+		  isc_rwlocktype_read);
+	for (header = node->data;
+	     header != NULL;
+	     header = header_next) {
+		header_next = header->next;
+		do {
+			if (header->serial <= version->serial &&
+			    !IGNORE(header)) {
+				if (NONEXISTENT(header))
+					header = NULL;
+				break;
+			} else
+				header = header->down;
+		} while (header != NULL);
+
+		if (header != NULL &&
+		    header->type == dns_rdatatype_nsec3param) {
+			/*
+			 * Find A NSEC3PARAM with a supported algorithm.
+			 */
+			raw = (unsigned char *)header + sizeof(*header);
+			count = raw[0] * 256 + raw[1]; /* count */
+#if DNS_RDATASET_FIXED
+			raw += count * 4 + 2;
+#else
+			raw += 2;
+#endif
+			while (count-- > 0U) {
+				length = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+				raw += 4;
+#else
+				raw += 2;
+#endif
+				region.base = raw;
+				region.length = length;
+				raw += length;
+				dns_rdata_fromregion(&rdata,
+						     rbtdb->common.rdclass,
+						     dns_rdatatype_nsec3param,
+						     &region);
+				result = dns_rdata_tostruct(&rdata,
+							    &nsec3param,
+							    NULL);
+				INSIST(result == ISC_R_SUCCESS);
+				dns_rdata_reset(&rdata);
+
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG &&
+				    !dns_nsec3_supportedhash(nsec3param.hash))
+					continue;
+
+#ifdef RFC5155_STRICT
+				if (nsec3param.flags != 0)
+					continue;
+#else
+				if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE)
+				    != 0)
+					*nsec3createflag = ISC_TRUE;
+				if ((nsec3param.flags & ~DNS_NSEC3FLAG_OPTOUT)
+				    != 0)
+					continue;
+#endif
+
+				INSIST(nsec3param.salt_length <=
+				       sizeof(version->salt));
+				memcpy(version->salt, nsec3param.salt,
+				       nsec3param.salt_length);
+				version->hash = nsec3param.hash;
+				version->salt_length = nsec3param.salt_length;
+				version->iterations = nsec3param.iterations;
+				version->flags = nsec3param.flags;
+				version->havensec3 = ISC_TRUE;
+				/*
+				 * Look for a better algorithm than the
+				 * unknown test algorithm.
+				 */
+				if (nsec3param.hash != DNS_NSEC3_UNKNOWNALG)
+					goto unlock;
+			}
+		}
+	}
+ unlock:
+	NODE_UNLOCK(&(rbtdb->node_locks[node->locknum].lock),
+		    isc_rwlocktype_read);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 }
 
 static void
@@ -1384,10 +2105,12 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	rbtdb_version_t *version, *cleanup_version, *least_greater;
 	isc_boolean_t rollback = ISC_FALSE;
 	rbtdb_changedlist_t cleanup_list;
+	rdatasetheaderlist_t resigned_list;
 	rbtdb_changed_t *changed, *next_changed;
 	rbtdb_serial_t serial, least_serial;
 	dns_rbtnode_t *rbtnode;
 	unsigned int refs;
+	rdatasetheader_t *header;
 	isc_boolean_t writer;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
@@ -1395,9 +2118,10 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 
 	cleanup_version = NULL;
 	ISC_LIST_INIT(cleanup_list);
+	ISC_LIST_INIT(resigned_list);
 
 	isc_refcount_decrement(&version->references, &refs);
-	if (refs > 0) {		/* typical and easy case first */
+	if (refs > 0) {         /* typical and easy case first */
 		if (commit) {
 			RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
 			INSIST(!version->writer);
@@ -1484,12 +2208,16 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 			INSIST(cur_ref == 1);
 			PREPEND(rbtdb->open_versions,
 				rbtdb->current_version, link);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
 		} else {
 			/*
 			 * We're rolling back this transaction.
 			 */
 			cleanup_list = version->changed_list;
 			ISC_LIST_INIT(version->changed_list);
+			resigned_list = version->resigned_list;
+			ISC_LIST_INIT(version->resigned_list);
 			rollback = ISC_TRUE;
 			cleanup_version = version;
 			rbtdb->future_version = NULL;
@@ -1542,7 +2270,7 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 	 * Update the zone's secure status.
 	 */
 	if (writer && commit && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+		iszonesecure(db, version, rbtdb->origin_node);
 
 	if (cleanup_version != NULL) {
 		INSIST(EMPTY(cleanup_version->changed_list));
@@ -1550,7 +2278,35 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 			    sizeof(*cleanup_version));
 	}
 
+	/*
+	 * Commit/rollback re-signed headers.
+	 */
+	for (header = HEAD(resigned_list);
+	     header != NULL;
+	     header = HEAD(resigned_list)) {
+		ISC_LIST_UNLINK(resigned_list, header, lru_link);
+		if (rollback) {
+			nodelock_t *lock;
+			lock = &rbtdb->node_locks[header->node->locknum].lock;
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			resign_insert(rbtdb, header->node->locknum, header);
+			NODE_UNLOCK(lock, isc_rwlocktype_write);
+		}
+		decrement_reference(rbtdb, header->node, least_serial,
+				    isc_rwlocktype_write, isc_rwlocktype_none,
+				    ISC_FALSE);
+	}
+
 	if (!EMPTY(cleanup_list)) {
+		/*
+		 * We acquire a tree write lock here in order to make sure
+		 * that stale nodes will be removed in decrement_reference().
+		 * If we didn't have the lock, those nodes could miss the
+		 * chance to be removed until the server stops.  The write lock
+		 * is expensive, but this event should be rare enough to justify
+		 * the cost.
+		 */
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 		for (changed = HEAD(cleanup_list);
 		     changed != NULL;
 		     changed = next_changed) {
@@ -1561,19 +2317,27 @@ closeversion(dns_db_t *db, dns_dbversion_t **versionp, isc_boolean_t commit) {
 			lock = &rbtdb->node_locks[rbtnode->locknum].lock;
 
 			NODE_LOCK(lock, isc_rwlocktype_write);
+			/*
+			 * This is a good opportunity to purge any dead nodes,
+			 * so use it.
+			 */
+			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
 			if (rollback)
 				rollback_node(rbtnode, serial);
 			decrement_reference(rbtdb, rbtnode, least_serial,
 					    isc_rwlocktype_write,
-					    isc_rwlocktype_none);
+					    isc_rwlocktype_write, ISC_FALSE);
+
 			NODE_UNLOCK(lock, isc_rwlocktype_write);
 
 			isc_mem_put(rbtdb->common.mctx, changed,
 				    sizeof(*changed));
 		}
+		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 	}
 
-  end:
+ end:
 	*versionp = NULL;
 }
 
@@ -1606,6 +2370,7 @@ add_wildcard_magic(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 	result = dns_rbt_addnode(rbtdb->tree, &foundname, &node);
 	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
+	node->nsec3 = 0;
 	node->find_callback = 1;
 	node->wild = 1;
 	return (ISC_R_SUCCESS);
@@ -1623,7 +2388,7 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 	l = dns_name_countlabels(&rbtdb->common.origin);
 	i = l + 1;
 	while (i < n) {
-		dns_rbtnode_t *node = NULL;	/* dummy */
+		dns_rbtnode_t *node = NULL;     /* dummy */
 		dns_name_getlabelsequence(name, n - i, i, &foundname);
 		if (dns_name_iswildcard(&foundname)) {
 			result = add_wildcard_magic(rbtdb, &foundname);
@@ -1633,6 +2398,7 @@ add_empty_wildcards(dns_rbtdb_t *rbtdb, dns_name_t *name) {
 						 &node);
 			if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 				return (result);
+			node->nsec3 = 0;
 		}
 		i++;
 	}
@@ -1678,6 +2444,7 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
 				rbtdb->node_lock_count;
 #endif
+			node->nsec3 = 0;
 			add_empty_wildcards(rbtdb, name);
 
 			if (dns_name_iswildcard(name)) {
@@ -1692,6 +2459,60 @@ findnode(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
 			return (result);
 		}
 	}
+	reactivate_node(rbtdb, node, locktype);
+	RWUNLOCK(&rbtdb->tree_lock, locktype);
+
+	*nodep = (dns_dbnode_t *)node;
+
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+findnsec3node(dns_db_t *db, dns_name_t *name, isc_boolean_t create,
+	      dns_dbnode_t **nodep)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node = NULL;
+	dns_name_t nodename;
+	isc_result_t result;
+	isc_rwlocktype_t locktype = isc_rwlocktype_read;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	dns_name_init(&nodename, NULL);
+	RWLOCK(&rbtdb->tree_lock, locktype);
+	result = dns_rbt_findnode(rbtdb->nsec3, name, NULL, &node, NULL,
+				  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	if (result != ISC_R_SUCCESS) {
+		RWUNLOCK(&rbtdb->tree_lock, locktype);
+		if (!create) {
+			if (result == DNS_R_PARTIALMATCH)
+				result = ISC_R_NOTFOUND;
+			return (result);
+		}
+		/*
+		 * It would be nice to try to upgrade the lock instead of
+		 * unlocking then relocking.
+		 */
+		locktype = isc_rwlocktype_write;
+		RWLOCK(&rbtdb->tree_lock, locktype);
+		node = NULL;
+		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
+		if (result == ISC_R_SUCCESS) {
+			dns_rbt_namefromnode(node, &nodename);
+#ifdef DNS_RBT_USEHASH
+			node->locknum = node->hashval % rbtdb->node_lock_count;
+#else
+			node->locknum = dns_name_hash(&nodename, ISC_TRUE) %
+				rbtdb->node_lock_count;
+#endif
+			node->nsec3 = 1U;
+		} else if (result != ISC_R_EXISTS) {
+			RWUNLOCK(&rbtdb->tree_lock, locktype);
+			return (result);
+		}
+	} else
+		INSIST(node->nsec3);
 	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
 	new_reference(rbtdb, node);
 	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
@@ -1846,7 +2667,7 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	      rdatasetheader_t *header, isc_stdtime_t now,
 	      dns_rdataset_t *rdataset)
 {
-	unsigned char *raw;	/* RDATASLAB */
+	unsigned char *raw;     /* RDATASLAB */
 
 	/*
 	 * Caller must be holding the node reader lock.
@@ -1861,16 +2682,18 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 
 	new_reference(rbtdb, node);
 
-	INSIST(rdataset->methods == NULL);	/* We must be disassociated. */
+	INSIST(rdataset->methods == NULL);      /* We must be disassociated. */
 
 	rdataset->methods = &rdataset_methods;
 	rdataset->rdclass = rbtdb->common.rdclass;
 	rdataset->type = RBTDB_RDATATYPE_BASE(header->type);
 	rdataset->covers = RBTDB_RDATATYPE_EXT(header->type);
-	rdataset->ttl = header->ttl - now;
+	rdataset->ttl = header->rdh_ttl - now;
 	rdataset->trust = header->trust;
 	if (NXDOMAIN(header))
 		rdataset->attributes |= DNS_RDATASETATTR_NXDOMAIN;
+	if (OPTOUT(header))
+		rdataset->attributes |= DNS_RDATASETATTR_OPTOUT;
 	rdataset->private1 = rbtdb;
 	rdataset->private2 = node;
 	raw = (unsigned char *)header + sizeof(*header);
@@ -1891,6 +2714,18 @@ bind_rdataset(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
 	rdataset->private6 = header->noqname;
 	if (rdataset->private6 != NULL)
 		rdataset->attributes |=  DNS_RDATASETATTR_NOQNAME;
+	rdataset->private7 = header->closest;
+	if (rdataset->private7 != NULL)
+		rdataset->attributes |=  DNS_RDATASETATTR_CLOSEST;
+
+	/*
+	 * Copy out re-signing information.
+	 */
+	if (RESIGN(header)) {
+		rdataset->attributes |=  DNS_RDATASETATTR_RESIGN;
+		rdataset->resign = header->resign;
+	} else
+		rdataset->resign = 0;
 }
 
 static inline isc_result_t
@@ -1954,7 +2789,7 @@ static inline isc_boolean_t
 valid_glue(rbtdb_search_t *search, dns_name_t *name, rbtdb_rdatatype_t type,
 	   dns_rbtnode_t *node)
 {
-	unsigned char *raw;	/* RDATASLAB */
+	unsigned char *raw;     /* RDATASLAB */
 	unsigned int count, size;
 	dns_name_t ns_name;
 	isc_boolean_t valid = ISC_FALSE;
@@ -2338,10 +3173,55 @@ find_wildcard(rbtdb_search_t *search, dns_rbtnode_t **nodep,
 	return (result);
 }
 
+static isc_boolean_t
+matchparams(rdatasetheader_t *header, rbtdb_search_t *search)
+{
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3_t nsec3;
+	unsigned char *raw;                     /* RDATASLAB */
+	unsigned int rdlen, count;
+	isc_region_t region;
+	isc_result_t result;
+
+	REQUIRE(header->type == dns_rdatatype_nsec3);
+
+	raw = (unsigned char *)header + sizeof(*header);
+	count = raw[0] * 256 + raw[1]; /* count */
+#if DNS_RDATASET_FIXED
+	raw += count * 4 + 2;
+#else
+	raw += 2;
+#endif
+	while (count-- > 0) {
+		rdlen = raw[0] * 256 + raw[1];
+#if DNS_RDATASET_FIXED
+		raw += 4;
+#else
+		raw += 2;
+#endif
+		region.base = raw;
+		region.length = rdlen;
+		dns_rdata_fromregion(&rdata, search->rbtdb->common.rdclass,
+				     dns_rdatatype_nsec3, &region);
+		raw += rdlen;
+		result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (nsec3.hash == search->rbtversion->hash &&
+		    nsec3.iterations == search->rbtversion->iterations &&
+		    nsec3.salt_length == search->rbtversion->salt_length &&
+		    memcmp(nsec3.salt, search->rbtversion->salt,
+			   nsec3.salt_length) == 0)
+			return (ISC_TRUE);
+		dns_rdata_reset(&rdata);
+	}
+	return (ISC_FALSE);
+}
+
 static inline isc_result_t
 find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		  dns_name_t *foundname, dns_rdataset_t *rdataset,
-		  dns_rdataset_t *sigrdataset, isc_boolean_t need_sig)
+		  dns_rdataset_t *sigrdataset, dns_rbt_t *tree,
+		  dns_db_secure_t secure)
 {
 	dns_rbtnode_t *node;
 	rdatasetheader_t *header, *header_next, *found, *foundsig;
@@ -2349,7 +3229,22 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 	isc_result_t result;
 	dns_fixedname_t fname, forigin;
 	dns_name_t *name, *origin;
+	dns_rdatatype_t type;
+	rbtdb_rdatatype_t sigtype;
+	isc_boolean_t wraps;
+	isc_boolean_t need_sig = ISC_TF(secure == dns_db_secure);
 
+	if (tree == search->rbtdb->nsec3) {
+		type = dns_rdatatype_nsec3;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC3;
+		wraps = ISC_TRUE;
+	} else {
+		type = dns_rdatatype_nsec;
+		sigtype = RBTDB_RDATATYPE_SIGNSEC;
+		wraps = ISC_FALSE;
+	}
+
+ again:
 	do {
 		node = NULL;
 		dns_fixedname_init(&fname);
@@ -2391,12 +3286,11 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * active rdataset at this node.
 				 */
 				empty_node = ISC_FALSE;
-				if (header->type == dns_rdatatype_nsec) {
+				if (header->type == type) {
 					found = header;
 					if (foundsig != NULL)
 						break;
-				} else if (header->type ==
-					   RBTDB_RDATATYPE_SIGNSEC) {
+				} else if (header->type == sigtype) {
 					foundsig = header;
 					if (found != NULL)
 						break;
@@ -2404,11 +3298,19 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			}
 		}
 		if (!empty_node) {
-			if (found != NULL &&
-			    (foundsig != NULL || !need_sig))
+			if (found != NULL && search->rbtversion->havensec3 &&
+			    found->type == dns_rdatatype_nsec3 &&
+			    !matchparams(found, search)) {
+				empty_node = ISC_TRUE;
+				found = NULL;
+				foundsig = NULL;
+				result = dns_rbtnodechain_prev(&search->chain,
+							       NULL, NULL);
+			} else if (found != NULL &&
+				   (foundsig != NULL || !need_sig))
 			{
 				/*
-				 * We've found the right NSEC record.
+				 * We've found the right NSEC/NSEC3 record.
 				 *
 				 * Note: for this to really be the right
 				 * NSEC record, it's essential that the NSEC
@@ -2465,6 +3367,15 @@ find_closest_nsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 			    isc_rwlocktype_read);
 	} while (empty_node && result == ISC_R_SUCCESS);
 
+	if (result == ISC_R_NOMORE && wraps) {
+		result = dns_rbtnodechain_last(&search->chain, tree,
+					       NULL, NULL);
+		if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
+			wraps = ISC_FALSE;
+			goto again;
+		}
+	}
+
 	/*
 	 * If the result is ISC_R_NOMORE, then we got to the beginning of
 	 * the database and didn't find a NSEC record.  This shouldn't
@@ -2497,7 +3408,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	isc_boolean_t active;
 	dns_rbtnodechain_t chain;
 	nodelock_t *lock;
-
+	dns_rbt_t *tree;
 
 	search.rbtdb = (dns_rbtdb_t *)db;
 
@@ -2540,7 +3451,9 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	 * encounter a callback node, zone_zonecut_callback() will search the
 	 * rdatasets at the zone cut for active DNAME or NS rdatasets.
 	 */
-	result = dns_rbt_findnode(search.rbtdb->tree, name, foundname, &node,
+	tree =  (options & DNS_DBFIND_FORCENSEC3) != 0 ? search.rbtdb->nsec3 :
+							 search.rbtdb->tree;
+	result = dns_rbt_findnode(tree, name, foundname, &node,
 				  &search.chain, DNS_RBTFIND_EMPTYDATA,
 				  zone_zonecut_callback, &search);
 
@@ -2578,12 +3491,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * If we're here, then the name does not exist, is not
 		 * beneath a zonecut, and there's no matching wildcard.
 		 */
-		if (search.rbtdb->secure ||
-		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
+		    (search.options & DNS_DBFIND_FORCENSEC) != 0 ||
+		    (search.options & DNS_DBFIND_FORCENSEC3) != 0)
 		{
 			result = find_closest_nsec(&search, nodep, foundname,
-						  rdataset, sigrdataset,
-						  search.rbtdb->secure);
+						   rdataset, sigrdataset, tree,
+						   search.rbtversion->secure);
 			if (result == ISC_R_SUCCESS)
 				result = active ? DNS_R_EMPTYNAME :
 						  DNS_R_NXDOMAIN;
@@ -2704,6 +3619,14 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 					break;
 			}
 
+
+			/*
+			 * If the NSEC3 record doesn't match the chain
+			 * we are using behave as if it isn't here.
+			 */
+			if (header->type == dns_rdatatype_nsec3 &&
+			    !matchparams(header, &search))
+				goto partial_match;
 			/*
 			 * If we found a type we were looking for,
 			 * remember it.
@@ -2748,14 +3671,16 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				 */
 				if (!maybe_zonecut && found != NULL)
 					break;
-			} else if (header->type == dns_rdatatype_nsec) {
+			} else if (header->type == dns_rdatatype_nsec &&
+				   !search.rbtversion->havensec3) {
 				/*
 				 * Remember a NSEC rdataset even if we're
 				 * not specifically looking for it, because
 				 * we might need it later.
 				 */
 				nsecheader = header;
-			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC) {
+			} else if (header->type == RBTDB_RDATATYPE_SIGNSEC &&
+				   !search.rbtversion->havensec3) {
 				/*
 				 * If we need the NSEC rdataset, we'll also
 				 * need its signature.
@@ -2807,7 +3732,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		 * The desired type doesn't exist.
 		 */
 		result = DNS_R_NXRRSET;
-		if (search.rbtdb->secure &&
+		if (search.rbtversion->secure == dns_db_secure &&
+		    !search.rbtversion->havensec3 &&
 		    (nsecheader == NULL || nsecsig == NULL)) {
 			/*
 			 * The zone is secure but there's no NSEC,
@@ -2822,7 +3748,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			NODE_UNLOCK(lock, isc_rwlocktype_read);
 			result = find_closest_nsec(&search, nodep, foundname,
 						   rdataset, sigrdataset,
-						   search.rbtdb->secure);
+						   search.rbtdb->tree,
+						   search.rbtversion->secure);
 			if (result == ISC_R_SUCCESS)
 				result = DNS_R_EMPTYWILD;
 			goto tree_exit;
@@ -2841,7 +3768,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			new_reference(search.rbtdb, node);
 			*nodep = node;
 		}
-		if (search.rbtdb->secure ||
+		if ((search.rbtversion->secure == dns_db_secure &&
+		     !search.rbtversion->havensec3) ||
 		    (search.options & DNS_DBFIND_FORCENSEC) != 0)
 		{
 			bind_rdataset(search.rbtdb, node, nsecheader,
@@ -2882,6 +3810,7 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 			 * validated updates.
 			 */
 			if (type == dns_rdatatype_nsec ||
+			    type == dns_rdatatype_nsec3 ||
 			    type == dns_rdatatype_key)
 				result = ISC_R_SUCCESS;
 			else if (type == dns_rdatatype_any)
@@ -2948,7 +3877,8 @@ zone_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 		NODE_LOCK(lock, isc_rwlocktype_read);
 		decrement_reference(search.rbtdb, node, 0,
-				    isc_rwlocktype_read, isc_rwlocktype_none);
+				    isc_rwlocktype_read, isc_rwlocktype_none,
+				    ISC_FALSE);
 		NODE_UNLOCK(lock, isc_rwlocktype_read);
 	}
 
@@ -3010,7 +3940,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 	header_prev = NULL;
 	for (header = node->data; header != NULL; header = header_next) {
 		header_next = header->next;
-		if (header->ttl <= search->now) {
+		if (header->rdh_ttl <= search->now) {
 			/*
 			 * This rdataset is stale.  If no one else is
 			 * using the node, we can clean it up right
@@ -3018,7 +3948,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 			 * the node as dirty, so it will get cleaned
 			 * up later.
 			 */
-			if ((header->ttl <= search->now - RBTDB_VIRTUAL) &&
+			if ((header->rdh_ttl <= search->now - RBTDB_VIRTUAL) &&
 			    (locktype == isc_rwlocktype_write ||
 			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
 				/*
@@ -3044,13 +3974,16 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 					 * stale headers first.
 					 */
 					mctx = search->rbtdb->common.mctx;
-					clean_stale_headers(mctx, header);
+					clean_stale_headers(search->rbtdb,
+							    mctx,
+							    header);
 					if (header_prev != NULL)
 						header_prev->next =
 							header->next;
 					else
 						node->data = header->next;
-					free_rdataset(mctx, header);
+					free_rdataset(search->rbtdb, mctx,
+						      header);
 				} else {
 					header->attributes |=
 						RDATASET_ATTR_STALE;
@@ -3079,6 +4012,7 @@ cache_zonecut_callback(dns_rbtnode_t *node, dns_name_t *name, void *arg) {
 		 * search->zonecut_rdataset will still be valid later.
 		 */
 		new_reference(search->rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
 		search->zonecut = node;
 		search->zonecut_rdataset = dname_header;
 		search->zonecut_sigrdataset = sigdname_header;
@@ -3130,7 +4064,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 		     header != NULL;
 		     header = header_next) {
 			header_next = header->next;
-			if (header->ttl <= search->now) {
+			if (header->rdh_ttl <= search->now) {
 				/*
 				 * This rdataset is stale.  If no one else is
 				 * using the node, we can clean it up right
@@ -3138,7 +4072,7 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 				 * the node as dirty, so it will get cleaned
 				 * up later.
 				 */
-				if ((header->ttl <= search->now -
+				if ((header->rdh_ttl <= search->now -
 						    RBTDB_VIRTUAL) &&
 				    (locktype == isc_rwlocktype_write ||
 				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
@@ -3153,14 +4087,17 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 						isc_mem_t *m;
 
 						m = search->rbtdb->common.mctx;
-						clean_stale_headers(m, header);
+						clean_stale_headers(
+							search->rbtdb,
+							m, header);
 						if (header_prev != NULL)
 							header_prev->next =
 								header->next;
 						else
 							node->data =
 								header->next;
-						free_rdataset(m, header);
+						free_rdataset(rbtdb, m,
+							      header);
 					} else {
 						header->attributes |=
 							RDATASET_ATTR_STALE;
@@ -3229,6 +4166,23 @@ find_deepest_zonecut(rbtdb_search_t *search, dns_rbtnode_t *node,
 			if (foundsig != NULL)
 				bind_rdataset(search->rbtdb, node, foundsig,
 					      search->now, sigrdataset);
+			if (need_headerupdate(found, search->now) ||
+			    (foundsig != NULL &&
+			     need_headerupdate(foundsig, search->now))) {
+				if (locktype != isc_rwlocktype_write) {
+					NODE_UNLOCK(lock, locktype);
+					NODE_LOCK(lock, isc_rwlocktype_write);
+					locktype = isc_rwlocktype_write;
+				}
+				if (need_headerupdate(found, search->now))
+					update_header(search->rbtdb, found,
+						      search->now);
+				if (foundsig != NULL &&
+				    need_headerupdate(foundsig, search->now)) {
+					update_header(search->rbtdb, foundsig,
+						      search->now);
+				}
+			}
 		}
 
 	node_exit:
@@ -3286,7 +4240,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 		     header != NULL;
 		     header = header_next) {
 			header_next = header->next;
-			if (header->ttl <= now) {
+			if (header->rdh_ttl <= now) {
 				/*
 				 * This rdataset is stale.  If no one else is
 				 * using the node, we can clean it up right
@@ -3294,7 +4248,7 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 				 * node as dirty, so it will get cleaned up
 				 * later.
 				 */
-				if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+				if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
 				    (locktype == isc_rwlocktype_write ||
 				     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
 					/*
@@ -3308,13 +4262,16 @@ find_coveringnsec(rbtdb_search_t *search, dns_dbnode_t **nodep,
 						isc_mem_t *m;
 
 						m = search->rbtdb->common.mctx;
-						clean_stale_headers(m, header);
+						clean_stale_headers(
+							search->rbtdb,
+							m, header);
 						if (header_prev != NULL)
 							header_prev->next =
 								header->next;
 						else
 							node->data = header->next;
-						free_rdataset(m, header);
+						free_rdataset(search->rbtdb, m,
+							      header);
 					} else {
 						header->attributes |=
 							RDATASET_ATTR_STALE;
@@ -3377,6 +4334,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	rdatasetheader_t *header, *header_prev, *header_next;
 	rdatasetheader_t *found, *nsheader;
 	rdatasetheader_t *foundsig, *nssig, *cnamesig;
+	rdatasetheader_t *update, *updatesig;
 	rbtdb_rdatatype_t sigtype, negtype;
 
 	UNUSED(version);
@@ -3399,6 +4357,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	dns_fixedname_init(&search.zonecut_name);
 	dns_rbtnodechain_init(&search.chain, search.rbtdb->common.mctx);
 	search.now = now;
+	update = NULL;
+	updatesig = NULL;
 
 	RWLOCK(&search.rbtdb->tree_lock, isc_rwlocktype_read);
 
@@ -3462,14 +4422,14 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	header_prev = NULL;
 	for (header = node->data; header != NULL; header = header_next) {
 		header_next = header->next;
-		if (header->ttl <= now) {
+		if (header->rdh_ttl <= now) {
 			/*
 			 * This rdataset is stale.  If no one else is using the
 			 * node, we can clean it up right now, otherwise we
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
 			    (locktype == isc_rwlocktype_write ||
 			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
 				/*
@@ -3482,13 +4442,15 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 					isc_mem_t *mctx;
 
 					mctx = search.rbtdb->common.mctx;
-					clean_stale_headers(mctx, header);
+					clean_stale_headers(search.rbtdb, mctx,
+							    header);
 					if (header_prev != NULL)
 						header_prev->next =
 							header->next;
 					else
 						node->data = header->next;
-					free_rdataset(mctx, header);
+					free_rdataset(search.rbtdb, mctx,
+						      header);
 				} else {
 					header->attributes |=
 						RDATASET_ATTR_STALE;
@@ -3595,13 +4557,19 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 		if (nsheader != NULL) {
 			if (nodep != NULL) {
 				new_reference(search.rbtdb, node);
+				INSIST(!ISC_LINK_LINKED(node, deadlink));
 				*nodep = node;
 			}
 			bind_rdataset(search.rbtdb, node, nsheader, search.now,
 				      rdataset);
-			if (nssig != NULL)
+			if (need_headerupdate(nsheader, search.now))
+				update = nsheader;
+			if (nssig != NULL) {
 				bind_rdataset(search.rbtdb, node, nssig,
 					      search.now, sigrdataset);
+				if (need_headerupdate(nssig, search.now))
+					updatesig = nssig;
+			}
 			result = DNS_R_DELEGATION;
 			goto node_exit;
 		}
@@ -3619,6 +4587,7 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 	if (nodep != NULL) {
 		new_reference(search.rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
 		*nodep = node;
 	}
 
@@ -3650,12 +4619,28 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 	    result == DNS_R_NCACHENXRRSET) {
 		bind_rdataset(search.rbtdb, node, found, search.now,
 			      rdataset);
-		if (foundsig != NULL)
+		if (need_headerupdate(found, search.now))
+			update = found;
+		if (foundsig != NULL) {
 			bind_rdataset(search.rbtdb, node, foundsig, search.now,
 				      sigrdataset);
+			if (need_headerupdate(foundsig, search.now))
+				updatesig = foundsig;
+		}
 	}
 
  node_exit:
+	if ((update != NULL || updatesig != NULL) &&
+	    locktype != isc_rwlocktype_write) {
+		NODE_UNLOCK(lock, locktype);
+		NODE_LOCK(lock, isc_rwlocktype_write);
+		locktype = isc_rwlocktype_write;
+	}
+	if (update != NULL && need_headerupdate(update, search.now))
+		update_header(search.rbtdb, update, search.now);
+	if (updatesig != NULL && need_headerupdate(updatesig, search.now))
+		update_header(search.rbtdb, updatesig, search.now);
+
 	NODE_UNLOCK(lock, locktype);
 
  tree_exit:
@@ -3671,7 +4656,8 @@ cache_find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 
 		NODE_LOCK(lock, isc_rwlocktype_read);
 		decrement_reference(search.rbtdb, node, 0,
-				    isc_rwlocktype_read, isc_rwlocktype_none);
+				    isc_rwlocktype_read, isc_rwlocktype_none,
+				    ISC_FALSE);
 		NODE_UNLOCK(lock, isc_rwlocktype_read);
 	}
 
@@ -3745,14 +4731,14 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 	header_prev = NULL;
 	for (header = node->data; header != NULL; header = header_next) {
 		header_next = header->next;
-		if (header->ttl <= now) {
+		if (header->rdh_ttl <= now) {
 			/*
 			 * This rdataset is stale.  If no one else is using the
 			 * node, we can clean it up right now, otherwise we
 			 * mark it as stale, and the node as dirty, so it will
 			 * get cleaned up later.
 			 */
-			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
 			    (locktype == isc_rwlocktype_write ||
 			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
 				/*
@@ -3765,13 +4751,15 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 					isc_mem_t *mctx;
 
 					mctx = search.rbtdb->common.mctx;
-					clean_stale_headers(mctx, header);
+					clean_stale_headers(search.rbtdb, mctx,
+							    header);
 					if (header_prev != NULL)
 						header_prev->next =
 							header->next;
 					else
 						node->data = header->next;
-					free_rdataset(mctx, header);
+					free_rdataset(search.rbtdb, mctx,
+						      header);
 				} else {
 					header->attributes |=
 						RDATASET_ATTR_STALE;
@@ -3814,6 +4802,7 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 
 	if (nodep != NULL) {
 		new_reference(search.rbtdb, node);
+		INSIST(!ISC_LINK_LINKED(node, deadlink));
 		*nodep = node;
 	}
 
@@ -3822,6 +4811,21 @@ cache_findzonecut(dns_db_t *db, dns_name_t *name, unsigned int options,
 		bind_rdataset(search.rbtdb, node, foundsig, search.now,
 			      sigrdataset);
 
+	if (need_headerupdate(found, search.now) ||
+	    (foundsig != NULL &&  need_headerupdate(foundsig, search.now))) {
+		if (locktype != isc_rwlocktype_write) {
+			NODE_UNLOCK(lock, locktype);
+			NODE_LOCK(lock, isc_rwlocktype_write);
+			locktype = isc_rwlocktype_write;
+		}
+		if (need_headerupdate(found, search.now))
+			update_header(search.rbtdb, found, search.now);
+		if (foundsig != NULL &&
+		    need_headerupdate(foundsig, search.now)) {
+			update_header(search.rbtdb, foundsig, search.now);
+		}
+	}
+
 	NODE_UNLOCK(lock, locktype);
 
  tree_exit:
@@ -3871,7 +4875,7 @@ detachnode(dns_db_t *db, dns_dbnode_t **targetp) {
 	NODE_LOCK(&nodelock->lock, isc_rwlocktype_read);
 
 	if (decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
-				isc_rwlocktype_none)) {
+				isc_rwlocktype_none, ISC_FALSE)) {
 		if (isc_refcount_current(&nodelock->references) == 0 &&
 		    nodelock->exiting) {
 			inactive = ISC_TRUE;
@@ -3938,8 +4942,8 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 
 		/*
 		 * Note that 'log' can be true IFF rbtdb->overmem is also true.
-		 * rbtdb->ovemem can currently only be true for cache databases
-		 * -- hence all of the "overmem cache" log strings.
+		 * rbtdb->overmem can currently only be true for cache
+		 * databases -- hence all of the "overmem cache" log strings.
 		 */
 		log = ISC_TF(isc_log_wouldlog(dns_lctx, level));
 		if (log)
@@ -3959,7 +4963,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 		  isc_rwlocktype_write);
 
 	for (header = rbtnode->data; header != NULL; header = header->next)
-		if (header->ttl <= now - RBTDB_VIRTUAL) {
+		if (header->rdh_ttl <= now - RBTDB_VIRTUAL) {
 			/*
 			 * We don't check if refcurrent(rbtnode) == 0 and try
 			 * to free like we do in cache_find(), because
@@ -3974,7 +4978,7 @@ expirenode(dns_db_t *db, dns_dbnode_t *node, isc_stdtime_t now) {
 					      printname);
 		} else if (force_expire) {
 			if (! RETAIN(header)) {
-				header->ttl = 0;
+				set_ttl(rbtdb, header, 0);
 				header->attributes |= RDATASET_ATTR_STALE;
 				rbtnode->dirty = 1;
 			} else if (log) {
@@ -3997,9 +5001,8 @@ static void
 overmem(dns_db_t *db, isc_boolean_t overmem) {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 
-	if (IS_CACHE(rbtdb)) {
+	if (IS_CACHE(rbtdb))
 		rbtdb->overmem = overmem;
-	}
 }
 
 static void
@@ -4030,11 +5033,13 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 				first = ISC_FALSE;
 				fprintf(out,
 					"\tserial = %lu, ttl = %u, "
-					"trust = %u, attributes = %u\n",
+					"trust = %u, attributes = %u, "
+					"resign = %u\n",
 					(unsigned long)current->serial,
-					current->ttl,
+					current->rdh_ttl,
 					current->trust,
-					current->attributes);
+					current->attributes,
+					current->resign);
 				current = current->down;
 			} while (current != NULL);
 		}
@@ -4046,8 +5051,7 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 }
 
 static isc_result_t
-createiterator(dns_db_t *db, isc_boolean_t relative_names,
-	       dns_dbiterator_t **iteratorp)
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
 {
 	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
 	rbtdb_dbiterator_t *rbtdbiter;
@@ -4061,7 +5065,8 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	rbtdbiter->common.methods = &dbiterator_methods;
 	rbtdbiter->common.db = NULL;
 	dns_db_attach(db, &rbtdbiter->common.db);
-	rbtdbiter->common.relative_names = relative_names;
+	rbtdbiter->common.relative_names =
+			ISC_TF((options & DNS_DB_RELATIVENAMES) != 0);
 	rbtdbiter->common.magic = DNS_DBITERATOR_MAGIC;
 	rbtdbiter->common.cleaning = ISC_FALSE;
 	rbtdbiter->paused = ISC_TRUE;
@@ -4071,8 +5076,15 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	dns_fixedname_init(&rbtdbiter->origin);
 	rbtdbiter->node = NULL;
 	rbtdbiter->delete = 0;
+	rbtdbiter->nsec3only = ISC_TF((options & DNS_DB_NSEC3ONLY) != 0);
+	rbtdbiter->nonsec3 = ISC_TF((options & DNS_DB_NONSEC3) != 0);
 	memset(rbtdbiter->deletions, 0, sizeof(rbtdbiter->deletions));
 	dns_rbtnodechain_init(&rbtdbiter->chain, db->mctx);
+	dns_rbtnodechain_init(&rbtdbiter->nsec3chain, db->mctx);
+	if (rbtdbiter->nsec3only)
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+	else
+		rbtdbiter->current = &rbtdbiter->chain;
 
 	*iteratorp = (dns_dbiterator_t *)rbtdbiter;
 
@@ -4204,8 +5216,8 @@ cache_findrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	for (header = rbtnode->data; header != NULL; header = header_next) {
 		header_next = header->next;
-		if (header->ttl <= now) {
-			if ((header->ttl <= now - RBTDB_VIRTUAL) &&
+		if (header->rdh_ttl <= now) {
+			if ((header->rdh_ttl <= now - RBTDB_VIRTUAL) &&
 			    (locktype == isc_rwlocktype_write ||
 			     NODE_TRYUPGRADE(lock) == ISC_R_SUCCESS)) {
 				/*
@@ -4355,19 +5367,15 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 			 * Look for active extant "other data".
 			 *
 			 * "Other data" is any rdataset whose type is not
-			 * KEY, RRSIG KEY, NSEC, RRSIG NSEC or RRSIG CNAME.
+			 * KEY, NSEC, SIG or RRSIG.
 			 */
 			rdtype = RBTDB_RDATATYPE_BASE(header->type);
-			if (rdtype == dns_rdatatype_rrsig ||
-			    rdtype == dns_rdatatype_sig)
-				rdtype = RBTDB_RDATATYPE_EXT(header->type);
-			if (rdtype != dns_rdatatype_nsec &&
-			    rdtype != dns_rdatatype_key &&
-			    rdtype != dns_rdatatype_cname) {
+			if (rdtype != dns_rdatatype_key &&
+			    rdtype != dns_rdatatype_sig &&
+			    rdtype != dns_rdatatype_nsec &&
+			    rdtype != dns_rdatatype_rrsig) {
 				/*
-				 * We've found a type that isn't
-				 * NSEC, KEY, CNAME, or one of their
-				 * signatures.  Is it active and extant?
+				 * Is it active and extant?
 				 */
 				do {
 					if (header->serial <= serial &&
@@ -4395,6 +5403,16 @@ cname_and_other_data(dns_rbtnode_t *node, rbtdb_serial_t serial) {
 }
 
 static isc_result_t
+resign_insert(dns_rbtdb_t *rbtdb, int idx, rdatasetheader_t *newheader) {
+	isc_result_t result;
+
+	INSIST(newheader->heap_index == 0);
+	INSIST(!ISC_LINK_LINKED(newheader, lru_link));
+	result = isc_heap_insert(rbtdb->heaps[idx], newheader);
+	return (result);
+}
+
+static isc_result_t
 add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
     rdatasetheader_t *newheader, unsigned int options, isc_boolean_t loading,
     dns_rdataset_t *addedrdataset, isc_stdtime_t now)
@@ -4409,6 +5427,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 	dns_rdatatype_t rdtype, covers;
 	rbtdb_rdatatype_t negtype;
 	dns_trust_t trust;
+	int idx;
 
 	/*
 	 * Add an rdatasetheader_t to a node.
@@ -4437,7 +5456,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 */
 		changed = add_changed(rbtdb, rbtversion, rbtnode);
 		if (changed == NULL) {
-			free_rdataset(rbtdb->common.mctx, newheader);
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			return (ISC_R_NOMEMORY);
 		}
 	}
@@ -4466,7 +5485,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				for (topheader = rbtnode->data;
 				     topheader != NULL;
 				     topheader = topheader->next) {
-					topheader->ttl = 0;
+					set_ttl(rbtdb, topheader, 0);
 					topheader->attributes |=
 						RDATASET_ATTR_STALE;
 				}
@@ -4489,7 +5508,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					break;
 			}
 			if (topheader != NULL && EXISTS(topheader) &&
-			    topheader->ttl > now) {
+			    topheader->rdh_ttl > now) {
 				/*
 				 * Found one.
 				 */
@@ -4498,8 +5517,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 					 * The NXDOMAIN/NODATA(QTYPE=ANY)
 					 * is more trusted.
 					 */
-
-					free_rdataset(rbtdb->common.mctx,
+					free_rdataset(rbtdb,
+						      rbtdb->common.mctx,
 						      newheader);
 					if (addedrdataset != NULL)
 						bind_rdataset(rbtdb, rbtnode,
@@ -4511,7 +5530,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 * The new rdataset is better.  Expire the
 				 * NXDOMAIN/NODATA(QTYPE=ANY).
 				 */
-				topheader->ttl = 0;
+				set_ttl(rbtdb, topheader, 0);
 				topheader->attributes |= RDATASET_ATTR_STALE;
 				rbtnode->dirty = 1;
 				topheader = NULL;
@@ -4546,7 +5565,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 * Deleting an already non-existent rdataset has no effect.
 		 */
 		if (header_nx && newheader_nx) {
-			free_rdataset(rbtdb->common.mctx, newheader);
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			return (DNS_R_UNCHANGED);
 		}
 
@@ -4555,8 +5574,8 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 * has no effect, provided that the cache data isn't stale.
 		 */
 		if (rbtversion == NULL && trust < header->trust &&
-		    (header->ttl > now || header_nx)) {
-			free_rdataset(rbtdb->common.mctx, newheader);
+		    (header->rdh_ttl > now || header_nx)) {
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
 					      addedrdataset);
@@ -4582,9 +5601,9 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			if ((options & DNS_DBADD_EXACT) != 0)
 				flags |= DNS_RDATASLAB_EXACT;
 			if ((options & DNS_DBADD_EXACTTTL) != 0 &&
-			     newheader->ttl != header->ttl)
+			     newheader->rdh_ttl != header->rdh_ttl)
 					result = DNS_R_NOTEXACT;
-			else if (newheader->ttl != header->ttl)
+			else if (newheader->rdh_ttl != header->rdh_ttl)
 				flags |= DNS_RDATASLAB_FORCE;
 			if (result == ISC_R_SUCCESS)
 				result = dns_rdataslab_merge(
@@ -4604,10 +5623,16 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 				 * alone.  It will get cleaned up when
 				 * clean_zone_node() runs.
 				 */
-				free_rdataset(rbtdb->common.mctx, newheader);
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
 				newheader = (rdatasetheader_t *)merged;
+				if (loading && RESIGN(newheader) &&
+				    RESIGN(header) &&
+				    header->resign < newheader->resign)
+					newheader->resign = header->resign;
 			} else {
-				free_rdataset(rbtdb->common.mctx, newheader);
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
 				return (result);
 			}
 		}
@@ -4618,7 +5643,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 * Don't lower trust of existing record if the
 		 * update is forced.
 		 */
-		if (IS_CACHE(rbtdb) && header->ttl > now &&
+		if (IS_CACHE(rbtdb) && header->rdh_ttl > now &&
 		    header->type == dns_rdatatype_ns &&
 		    !header_nx && !newheader_nx &&
 		    header->trust >= newheader->trust &&
@@ -4631,20 +5656,25 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 * Honour the new ttl if it is less than the
 			 * older one.
 			 */
-			if (header->ttl > newheader->ttl)
-				header->ttl = newheader->ttl;
+			if (header->rdh_ttl > newheader->rdh_ttl)
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
 			if (header->noqname == NULL &&
 			    newheader->noqname != NULL) {
 				header->noqname = newheader->noqname;
 				newheader->noqname = NULL;
 			}
-			free_rdataset(rbtdb->common.mctx, newheader);
+			if (header->closest == NULL &&
+			    newheader->closest != NULL) {
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
 					      addedrdataset);
 			return (ISC_R_SUCCESS);
 		}
-		if (IS_CACHE(rbtdb) && header->ttl > now &&
+		if (IS_CACHE(rbtdb) && header->rdh_ttl > now &&
 		    (header->type == dns_rdatatype_a ||
 		     header->type == dns_rdatatype_aaaa) &&
 		    !header_nx && !newheader_nx &&
@@ -4656,14 +5686,19 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 * Honour the new ttl if it is less than the
 			 * older one.
 			 */
-			if (header->ttl > newheader->ttl)
-				header->ttl = newheader->ttl;
+			if (header->rdh_ttl > newheader->rdh_ttl)
+				set_ttl(rbtdb, header, newheader->rdh_ttl);
 			if (header->noqname == NULL &&
 			    newheader->noqname != NULL) {
 				header->noqname = newheader->noqname;
 				newheader->noqname = NULL;
 			}
-			free_rdataset(rbtdb->common.mctx, newheader);
+			if (header->closest == NULL &&
+			    newheader->closest != NULL) {
+				header->closest = newheader->closest;
+				newheader->closest = NULL;
+			}
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			if (addedrdataset != NULL)
 				bind_rdataset(rbtdb, rbtnode, header, now,
 					      addedrdataset);
@@ -4684,7 +5719,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			 * loading, we MUST clean up 'header' now.
 			 */
 			newheader->down = NULL;
-			free_rdataset(rbtdb->common.mctx, header);
+			free_rdataset(rbtdb, rbtdb->common.mctx, header);
 		} else {
 			newheader->down = topheader;
 			topheader->next = newheader;
@@ -4692,9 +5727,23 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			if (changed != NULL)
 				changed->dirty = ISC_TRUE;
 			if (rbtversion == NULL) {
-				header->ttl = 0;
+				set_ttl(rbtdb, header, 0);
 				header->attributes |= RDATASET_ATTR_STALE;
 			}
+			idx = newheader->node->locknum;
+			if (IS_CACHE(rbtdb)) {
+				ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+						 newheader, lru_link);
+				/*
+				 * XXXMLG We don't check the return value
+				 * here.  If it fails, we will not do TTL
+				 * based expiry on this node.  However, we
+				 * will do it on the LRU side, so memory
+				 * will not leak... for long.
+				 */
+				isc_heap_insert(rbtdb->heaps[idx], newheader);
+			} else if (RESIGN(newheader))
+				resign_insert(rbtdb, idx, newheader);
 		}
 	} else {
 		/*
@@ -4706,7 +5755,7 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 		 * If we're trying to delete the type, don't bother.
 		 */
 		if (newheader_nx) {
-			free_rdataset(rbtdb->common.mctx, newheader);
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			return (DNS_R_UNCHANGED);
 		}
 
@@ -4740,6 +5789,14 @@ add(dns_rbtdb_t *rbtdb, dns_rbtnode_t *rbtnode, rbtdb_version_t *rbtversion,
 			newheader->down = NULL;
 			rbtnode->data = newheader;
 		}
+		idx = newheader->node->locknum;
+		if (IS_CACHE(rbtdb)) {
+			ISC_LIST_PREPEND(rbtdb->rdatasets[idx],
+					 newheader, lru_link);
+			isc_heap_insert(rbtdb->heaps[idx], newheader);
+		} else if (RESIGN(newheader)) {
+			resign_insert(rbtdb, idx, newheader);
+		}
 	}
 
 	/*
@@ -4778,15 +5835,15 @@ addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
 	struct noqname *noqname;
 	isc_mem_t *mctx = rbtdb->common.mctx;
 	dns_name_t name;
-	dns_rdataset_t nsec, nsecsig;
+	dns_rdataset_t neg, negsig;
 	isc_result_t result;
 	isc_region_t r;
 
 	dns_name_init(&name, NULL);
-	dns_rdataset_init(&nsec);
-	dns_rdataset_init(&nsecsig);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
 
-	result = dns_rdataset_getnoqname(rdataset, &name, &nsec, &nsecsig);
+	result = dns_rdataset_getnoqname(rdataset, &name, &neg, &negsig);
 	RUNTIME_CHECK(result == ISC_R_SUCCESS);
 
 	noqname = isc_mem_get(mctx, sizeof(*noqname));
@@ -4795,31 +5852,84 @@ addnoqname(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
 		goto cleanup;
 	}
 	dns_name_init(&noqname->name, NULL);
-	noqname->nsec = NULL;
-	noqname->nsecsig = NULL;
+	noqname->neg = NULL;
+	noqname->negsig = NULL;
+	noqname->type = neg.type;
 	result = dns_name_dup(&name, mctx, &noqname->name);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	result = dns_rdataslab_fromrdataset(&nsec, mctx, &r, 0);
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	noqname->nsec = r.base;
-	result = dns_rdataslab_fromrdataset(&nsecsig, mctx, &r, 0);
+	noqname->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
-	noqname->nsecsig = r.base;
-	dns_rdataset_disassociate(&nsec);
-	dns_rdataset_disassociate(&nsecsig);
+	noqname->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
 	newheader->noqname = noqname;
 	return (ISC_R_SUCCESS);
 
 cleanup:
-	dns_rdataset_disassociate(&nsec);
-	dns_rdataset_disassociate(&nsecsig);
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
 	free_noqname(mctx, &noqname);
 	return(result);
 }
 
+static inline isc_result_t
+addclosest(dns_rbtdb_t *rbtdb, rdatasetheader_t *newheader,
+	   dns_rdataset_t *rdataset)
+{
+	struct noqname *closest;
+	isc_mem_t *mctx = rbtdb->common.mctx;
+	dns_name_t name;
+	dns_rdataset_t neg, negsig;
+	isc_result_t result;
+	isc_region_t r;
+
+	dns_name_init(&name, NULL);
+	dns_rdataset_init(&neg);
+	dns_rdataset_init(&negsig);
+
+	result = dns_rdataset_getclosest(rdataset, &name, &neg, &negsig);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	closest = isc_mem_get(mctx, sizeof(*closest));
+	if (closest == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup;
+	}
+	dns_name_init(&closest->name, NULL);
+	closest->neg = NULL;
+	closest->negsig = NULL;
+	closest->type = neg.type;
+	result = dns_name_dup(&name, mctx, &closest->name);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	result = dns_rdataslab_fromrdataset(&neg, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	closest->neg = r.base;
+	result = dns_rdataslab_fromrdataset(&negsig, mctx, &r, 0);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+	closest->negsig = r.base;
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	newheader->closest = closest;
+	return (ISC_R_SUCCESS);
+
+ cleanup:
+	dns_rdataset_disassociate(&neg);
+	dns_rdataset_disassociate(&negsig);
+	free_noqname(mctx, &closest);
+	return(result);
+}
+
+static dns_dbmethods_t zone_methods;
+
 static isc_result_t
 addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	    isc_stdtime_t now, dns_rdataset_t *rdataset, unsigned int options,
@@ -4830,11 +5940,21 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	rbtdb_version_t *rbtversion = version;
 	isc_region_t region;
 	rdatasetheader_t *newheader;
+	rdatasetheader_t *header;
 	isc_result_t result;
 	isc_boolean_t delegating;
+	isc_boolean_t tree_locked = ISC_FALSE;
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
+	if (rbtdb->common.methods == &zone_methods)
+		REQUIRE(((rbtnode->nsec3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (!rbtnode->nsec3 &&
+			   rdataset->type != dns_rdatatype_nsec3 &&
+			   rdataset->covers != dns_rdatatype_nsec3)));
+
 	if (rbtversion == NULL) {
 		if (now == 0)
 			isc_stdtime_get(&now);
@@ -4848,26 +5968,48 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		return (result);
 
 	newheader = (rdatasetheader_t *)region.base;
-	newheader->ttl = rdataset->ttl + now;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, rdataset->ttl + now);
 	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
 						rdataset->covers);
 	newheader->attributes = 0;
 	newheader->noqname = NULL;
+	newheader->closest = NULL;
 	newheader->count = init_count++;
 	newheader->trust = rdataset->trust;
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
+	newheader->last_used = now;
+	newheader->node = rbtnode;
 	if (rbtversion != NULL) {
 		newheader->serial = rbtversion->serial;
 		now = 0;
+
+		if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+			newheader->attributes |= RDATASET_ATTR_RESIGN;
+			newheader->resign = rdataset->resign;
+		} else
+			newheader->resign = 0;
 	} else {
 		newheader->serial = 1;
+		newheader->resign = 0;
 		if ((rdataset->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 			newheader->attributes |= RDATASET_ATTR_NXDOMAIN;
+		if ((rdataset->attributes & DNS_RDATASETATTR_OPTOUT) != 0)
+			newheader->attributes |= RDATASET_ATTR_OPTOUT;
 		if ((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0) {
 			result = addnoqname(rbtdb, newheader, rdataset);
 			if (result != ISC_R_SUCCESS) {
-				free_rdataset(rbtdb->common.mctx, newheader);
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
+				return (result);
+			}
+		}
+		if ((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0) {
+			result = addclosest(rbtdb, newheader, rdataset);
+			if (result != ISC_R_SUCCESS) {
+				free_rdataset(rbtdb, rbtdb->common.mctx,
+					      newheader);
 				return (result);
 			}
 		}
@@ -4876,18 +6018,54 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	/*
 	 * If we're adding a delegation type (e.g. NS or DNAME for a zone,
 	 * just DNAME for the cache), then we need to set the callback bit
-	 * on the node, and to do that we must be holding an exclusive lock
-	 * on the tree.
+	 * on the node.
 	 */
-	if (delegating_type(rbtdb, rbtnode, rdataset->type)) {
+	if (delegating_type(rbtdb, rbtnode, rdataset->type))
 		delegating = ISC_TRUE;
-		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
-	} else
+	else
 		delegating = ISC_FALSE;
 
+	/*
+	 * If we're adding a delegation type or the DB is a cache in an overmem
+	 * state, hold an exclusive lock on the tree.  In the latter case
+	 * the lock does not necessarily have to be acquired but it will help
+	 * purge stale entries more effectively.
+	 */
+	if (delegating || (IS_CACHE(rbtdb) && rbtdb->overmem)) {
+		tree_locked = ISC_TRUE;
+		RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+	}
+
+	if (IS_CACHE(rbtdb) && rbtdb->overmem)
+		overmem_purge(rbtdb, rbtnode->locknum, now, tree_locked);
+
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
 
+	if (rbtdb->rrsetstats != NULL) {
+		newheader->attributes |= RDATASET_ATTR_STATCOUNT;
+		update_rrsetstats(rbtdb, newheader, ISC_TRUE);
+	}
+
+	if (IS_CACHE(rbtdb)) {
+		if (tree_locked)
+			cleanup_dead_nodes(rbtdb, rbtnode->locknum);
+
+		header = isc_heap_element(rbtdb->heaps[rbtnode->locknum], 1);
+		if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL)
+			expire_header(rbtdb, header, tree_locked);
+
+		/*
+		 * If we've been holding a write lock on the tree just for
+		 * cleaning, we can release it now.  However, we still need the
+		 * node lock.
+		 */
+		if (tree_locked && !delegating) {
+			RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
+			tree_locked = ISC_FALSE;
+		}
+	}
+
 	result = add(rbtdb, rbtnode, rbtversion, newheader, options, ISC_FALSE,
 		     addedrdataset, now);
 	if (result == ISC_R_SUCCESS && delegating)
@@ -4896,15 +6074,15 @@ addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		    isc_rwlocktype_write);
 
-	if (delegating)
+	if (tree_locked)
 		RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write);
 
 	/*
 	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
+	 * this is deferred until closeversion() is called.
 	 */
 	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+		iszonesecure(db, version, rbtdb->origin_node);
 
 	return (result);
 }
@@ -4925,29 +6103,46 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	REQUIRE(VALID_RBTDB(rbtdb));
 
+	if (rbtdb->common.methods == &zone_methods)
+		REQUIRE(((rbtnode->nsec3 &&
+			  (rdataset->type == dns_rdatatype_nsec3 ||
+			   rdataset->covers == dns_rdatatype_nsec3)) ||
+			 (!rbtnode->nsec3 &&
+			   rdataset->type != dns_rdatatype_nsec3 &&
+			   rdataset->covers != dns_rdatatype_nsec3)));
+
 	result = dns_rdataslab_fromrdataset(rdataset, rbtdb->common.mctx,
 					    &region,
 					    sizeof(rdatasetheader_t));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
-	newheader->ttl = rdataset->ttl;
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader, rdataset->ttl);
 	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
 						rdataset->covers);
 	newheader->attributes = 0;
 	newheader->serial = rbtversion->serial;
 	newheader->trust = 0;
 	newheader->noqname = NULL;
+	newheader->closest = NULL;
 	newheader->count = init_count++;
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		newheader->attributes |= RDATASET_ATTR_RESIGN;
+		newheader->resign = rdataset->resign;
+	} else
+		newheader->resign = 0;
 
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
 
 	changed = add_changed(rbtdb, rbtversion, rbtnode);
 	if (changed == NULL) {
-		free_rdataset(rbtdb->common.mctx, newheader);
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 		NODE_UNLOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 			    isc_rwlocktype_write);
 		return (ISC_R_NOMEMORY);
@@ -4975,7 +6170,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		result = ISC_R_SUCCESS;
 		if ((options & DNS_DBSUB_EXACT) != 0) {
 			flags |= DNS_RDATASLAB_EXACT;
-			if (newheader->ttl != header->ttl)
+			if (newheader->rdh_ttl != header->rdh_ttl)
 				result = DNS_R_NOTEXACT;
 		}
 		if (result == ISC_R_SUCCESS)
@@ -4988,8 +6183,9 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 					(dns_rdatatype_t)header->type,
 					flags, &subresult);
 		if (result == ISC_R_SUCCESS) {
-			free_rdataset(rbtdb->common.mctx, newheader);
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			newheader = (rdatasetheader_t *)subresult;
+			init_rdataset(rbtdb, newheader);
 			/*
 			 * We have to set the serial since the rdataslab
 			 * subtraction routine copies the reserved portion of
@@ -5008,24 +6204,27 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 			 * This subtraction would remove all of the rdata;
 			 * add a nonexistent header instead.
 			 */
-			free_rdataset(rbtdb->common.mctx, newheader);
-			newheader = isc_mem_get(rbtdb->common.mctx,
-						sizeof(*newheader));
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
+			newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
 			if (newheader == NULL) {
 				result = ISC_R_NOMEMORY;
 				goto unlock;
 			}
-			newheader->ttl = 0;
+			set_ttl(rbtdb, newheader, 0);
 			newheader->type = topheader->type;
 			newheader->attributes = RDATASET_ATTR_NONEXISTENT;
 			newheader->trust = 0;
 			newheader->serial = rbtversion->serial;
 			newheader->noqname = NULL;
+			newheader->closest = NULL;
 			newheader->count = 0;
 			newheader->additional_auth = NULL;
 			newheader->additional_glue = NULL;
+			newheader->node = rbtnode;
+			newheader->resign = 0;
+			newheader->last_used = 0;
 		} else {
-			free_rdataset(rbtdb->common.mctx, newheader);
+			free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 			goto unlock;
 		}
 
@@ -5048,7 +6247,7 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		 * The rdataset doesn't exist, so we don't need to do anything
 		 * to satisfy the deletion request.
 		 */
-		free_rdataset(rbtdb->common.mctx, newheader);
+		free_rdataset(rbtdb, rbtdb->common.mctx, newheader);
 		if ((options & DNS_DBSUB_EXACT) != 0)
 			result = DNS_R_NOTEXACT;
 		else
@@ -5064,10 +6263,10 @@ subtractrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	/*
 	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
+	 * this is deferred until closeversion() is called.
 	 */
 	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
 
 	return (result);
 }
@@ -5089,14 +6288,15 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	if (type == dns_rdatatype_rrsig && covers == 0)
 		return (ISC_R_NOTIMPLEMENTED);
 
-	newheader = isc_mem_get(rbtdb->common.mctx, sizeof(*newheader));
+	newheader = new_rdataset(rbtdb, rbtdb->common.mctx);
 	if (newheader == NULL)
 		return (ISC_R_NOMEMORY);
-	newheader->ttl = 0;
+	set_ttl(rbtdb, newheader, 0);
 	newheader->type = RBTDB_RDATATYPE_VALUE(type, covers);
 	newheader->attributes = RDATASET_ATTR_NONEXISTENT;
 	newheader->trust = 0;
 	newheader->noqname = NULL;
+	newheader->closest = NULL;
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
 	if (rbtversion != NULL)
@@ -5104,6 +6304,8 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 	else
 		newheader->serial = 0;
 	newheader->count = 0;
+	newheader->last_used = 0;
+	newheader->node = rbtnode;
 
 	NODE_LOCK(&rbtdb->node_locks[rbtnode->locknum].lock,
 		  isc_rwlocktype_write);
@@ -5116,10 +6318,10 @@ deleterdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 
 	/*
 	 * Update the zone's secure status.  If version is non-NULL
-	 * this is defered until closeversion() is called.
+	 * this is deferred until closeversion() is called.
 	 */
 	if (result == ISC_R_SUCCESS && version == NULL && !IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
 
 	return (result);
 }
@@ -5147,7 +6349,9 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	    !IS_CACHE(rbtdb) && !dns_name_equal(name, &rbtdb->common.origin))
 		return (DNS_R_NOTZONETOP);
 
-	add_empty_wildcards(rbtdb, name);
+	if (rdataset->type != dns_rdatatype_nsec3 &&
+	    rdataset->covers != dns_rdatatype_nsec3)
+		add_empty_wildcards(rbtdb, name);
 
 	if (dns_name_iswildcard(name)) {
 		/*
@@ -5155,13 +6359,27 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 		 */
 		if (rdataset->type == dns_rdatatype_ns)
 			return (DNS_R_INVALIDNS);
+		/*
+		 * NSEC3 record owners cannot legally be wild cards.
+		 */
+		if (rdataset->type == dns_rdatatype_nsec3)
+			return (DNS_R_INVALIDNSEC3);
 		result = add_wildcard_magic(rbtdb, name);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
 	node = NULL;
-	result = dns_rbt_addnode(rbtdb->tree, name, &node);
+	if (rdataset->type == dns_rdatatype_nsec3 ||
+	    rdataset->covers == dns_rdatatype_nsec3) {
+		result = dns_rbt_addnode(rbtdb->nsec3, name, &node);
+		if (result == ISC_R_SUCCESS)
+			node->nsec3 = 1;
+	} else {
+		result = dns_rbt_addnode(rbtdb->tree, name, &node);
+		if (result == ISC_R_SUCCESS)
+			node->nsec3 = 0;
+	}
 	if (result != ISC_R_SUCCESS && result != ISC_R_EXISTS)
 		return (result);
 	if (result != ISC_R_EXISTS) {
@@ -5182,16 +6400,26 @@ loading_addrdataset(void *arg, dns_name_t *name, dns_rdataset_t *rdataset) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	newheader = (rdatasetheader_t *)region.base;
-	newheader->ttl = rdataset->ttl + loadctx->now; /* XXX overflow check */
+	init_rdataset(rbtdb, newheader);
+	set_ttl(rbtdb, newheader,
+		rdataset->ttl + loadctx->now); /* XXX overflow check */
 	newheader->type = RBTDB_RDATATYPE_VALUE(rdataset->type,
 						rdataset->covers);
 	newheader->attributes = 0;
 	newheader->trust = rdataset->trust;
 	newheader->serial = 1;
 	newheader->noqname = NULL;
+	newheader->closest = NULL;
 	newheader->count = init_count++;
 	newheader->additional_auth = NULL;
 	newheader->additional_glue = NULL;
+	newheader->last_used = 0;
+	newheader->node = node;
+	if ((rdataset->attributes & DNS_RDATASETATTR_RESIGN) != 0) {
+		newheader->attributes |= RDATASET_ATTR_RESIGN;
+		newheader->resign = rdataset->resign;
+	} else
+		newheader->resign = 0;
 
 	result = add(rbtdb, node, rbtdb->current_version, newheader,
 		     DNS_DBADD_MERGE, ISC_TRUE, NULL, 0);
@@ -5262,7 +6490,7 @@ endload(dns_db_t *db, dns_dbload_t **dbloadp) {
 	 * zone key, we consider the zone secure.
 	 */
 	if (! IS_CACHE(rbtdb))
-		rbtdb->secure = iszonesecure(db, rbtdb->origin_node);
+		iszonesecure(db, rbtdb->current_version, rbtdb->origin_node);
 
 	*dbloadp = NULL;
 
@@ -5292,7 +6520,7 @@ delete_callback(void *data, void *arg) {
 
 	for (current = data; current != NULL; current = next) {
 		next = current->next;
-		free_rdataset(rbtdb->common.mctx, current);
+		free_rdataset(rbtdb, rbtdb->common.mctx, current);
 	}
 }
 
@@ -5306,12 +6534,28 @@ issecure(dns_db_t *db) {
 	REQUIRE(VALID_RBTDB(rbtdb));
 
 	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
-	secure = rbtdb->secure;
+	secure = ISC_TF(rbtdb->current_version->secure == dns_db_secure);
 	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
 
 	return (secure);
 }
 
+static isc_boolean_t
+isdnssec(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb;
+	isc_boolean_t dnssec;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+	dnssec = ISC_TF(rbtdb->current_version->secure != dns_db_insecure);
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (dnssec);
+}
+
 static unsigned int
 nodecount(dns_db_t *db) {
 	dns_rbtdb_t *rbtdb;
@@ -5368,13 +6612,180 @@ getoriginnode(dns_db_t *db, dns_dbnode_t **nodep) {
 
 		*nodep = rbtdb->origin_node;
 	} else {
-		INSIST(!IS_CACHE(rbtdb));
+		INSIST(IS_CACHE(rbtdb));
 		result = ISC_R_NOTFOUND;
 	}
 
 	return (result);
 }
 
+static isc_result_t
+getnsec3parameters(dns_db_t *db, dns_dbversion_t *version, dns_hash_t *hash,
+		   isc_uint8_t *flags, isc_uint16_t *iterations,
+		   unsigned char *salt, size_t *salt_length)
+{
+	dns_rbtdb_t *rbtdb;
+	isc_result_t result = ISC_R_NOTFOUND;
+	rbtdb_version_t *rbtversion = version;
+
+	rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	if (rbtversion == NULL)
+		rbtversion = rbtdb->current_version;
+
+	if (rbtversion->havensec3) {
+		if (hash != NULL)
+			*hash = rbtversion->hash;
+		if (salt != NULL && salt_length != 0) {
+			REQUIRE(*salt_length > rbtversion->salt_length);
+			memcpy(salt, rbtversion->salt, rbtversion->salt_length);
+		}
+		if (salt_length != NULL)
+			*salt_length = rbtversion->salt_length;
+		if (iterations != NULL)
+			*iterations = rbtversion->iterations;
+		if (flags != NULL)
+			*flags = rbtversion->flags;
+		result = ISC_R_SUCCESS;
+	}
+	RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static isc_result_t
+setsigningtime(dns_db_t *db, dns_rdataset_t *rdataset, isc_stdtime_t resign) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	isc_stdtime_t oldresign;
+	isc_result_t result = ISC_R_SUCCESS;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(!IS_CACHE(rbtdb));
+	REQUIRE(rdataset != NULL);
+
+	header = rdataset->private3;
+	header--;
+
+	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		  isc_rwlocktype_write);
+
+	oldresign = header->resign;
+	header->resign = resign;
+	if (header->heap_index != 0) {
+		INSIST(RESIGN(header));
+		if (resign == 0) {
+			isc_heap_delete(rbtdb->heaps[header->node->locknum],
+					header->heap_index);
+			header->heap_index = 0;
+		} else if (resign < oldresign)
+			isc_heap_increased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+		else
+			isc_heap_decreased(rbtdb->heaps[header->node->locknum],
+					   header->heap_index);
+	} else if (resign && header->heap_index == 0) {
+		header->attributes |= RDATASET_ATTR_RESIGN;
+		result = resign_insert(rbtdb, header->node->locknum, header);
+	}
+	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		    isc_rwlocktype_write);
+	return (result);
+}
+
+static isc_result_t
+getsigningtime(dns_db_t *db, dns_rdataset_t *rdataset,
+	       dns_name_t *foundname)
+{
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	rdatasetheader_t *header = NULL, *this;
+	unsigned int i;
+	isc_result_t result = ISC_R_NOTFOUND;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	for (i = 0; i < rbtdb->node_lock_count; i++) {
+		this = isc_heap_element(rbtdb->heaps[i], 1);
+		if (this == NULL)
+			continue;
+		if (header == NULL)
+			header = this;
+		else if (isc_serial_lt(this->resign, header->resign))
+			header = this;
+	}
+
+	if (header == NULL)
+		goto unlock;
+
+	NODE_LOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		  isc_rwlocktype_read);
+
+	bind_rdataset(rbtdb, header->node, header, 0, rdataset);
+
+	if (foundname != NULL)
+		dns_rbt_fullnamefromnode(header->node, foundname);
+
+	NODE_UNLOCK(&rbtdb->node_locks[header->node->locknum].lock,
+		    isc_rwlocktype_read);
+
+	result = ISC_R_SUCCESS;
+
+ unlock:
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+
+	return (result);
+}
+
+static void
+resigned(dns_db_t *db, dns_rdataset_t *rdataset, dns_dbversion_t *version)
+{
+	rbtdb_version_t *rbtversion = (rbtdb_version_t *)version;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+	dns_rbtnode_t *node;
+	rdatasetheader_t *header;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(rdataset != NULL);
+	REQUIRE(rbtdb->future_version == rbtversion);
+	REQUIRE(rbtversion->writer);
+
+	node = rdataset->private2;
+	header = rdataset->private3;
+	header--;
+
+	RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_read);
+	NODE_LOCK(&rbtdb->node_locks[node->locknum].lock,
+		  isc_rwlocktype_write);
+	/*
+	 * Delete from heap and save to re-signed list so that it can
+	 * be restored if we backout of this change.
+	 */
+	new_reference(rbtdb, node);
+	isc_heap_delete(rbtdb->heaps[node->locknum], header->heap_index);
+	header->heap_index = 0;
+	ISC_LIST_APPEND(rbtversion->resigned_list, header, lru_link);
+
+	NODE_UNLOCK(&rbtdb->node_locks[node->locknum].lock,
+		    isc_rwlocktype_write);
+	RBTDB_UNLOCK(&rbtdb->lock, isc_rwlocktype_read);
+}
+
+static dns_stats_t *
+getrrsetstats(dns_db_t *db) {
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)db;
+
+	REQUIRE(VALID_RBTDB(rbtdb));
+	REQUIRE(IS_CACHE(rbtdb)); /* current restriction */
+
+	return (rbtdb->rrsetstats);
+}
+
 static dns_dbmethods_t zone_methods = {
 	attach,
 	detach,
@@ -5403,7 +6814,15 @@ static dns_dbmethods_t zone_methods = {
 	ispersistent,
 	overmem,
 	settask,
-	getoriginnode
+	getoriginnode,
+	NULL,
+	getnsec3parameters,
+	findnsec3node,
+	setsigningtime,
+	getsigningtime,
+	resigned,
+	isdnssec,
+	NULL
 };
 
 static dns_dbmethods_t cache_methods = {
@@ -5434,7 +6853,15 @@ static dns_dbmethods_t cache_methods = {
 	ispersistent,
 	overmem,
 	settask,
-	getoriginnode
+	getoriginnode,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	isdnssec,
+	getrrsetstats
 };
 
 isc_result_t
@@ -5451,6 +6878,7 @@ dns_rbtdb_create
 	isc_result_t result;
 	int i;
 	dns_name_t name;
+	isc_boolean_t (*sooner)(void *, void *);
 
 	/* Keep the compiler happy. */
 	UNUSED(argc);
@@ -5483,11 +6911,20 @@ dns_rbtdb_create
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_lock;
 
+	/*
+	 * Initialize node_lock_count in a generic way to support future
+	 * extension which allows the user to specify this value on creation.
+	 * Note that when specified for a cache DB it must be larger than 1
+	 * as commented with the definition of DEFAULT_CACHE_NODE_LOCK_COUNT.
+	 */
 	if (rbtdb->node_lock_count == 0) {
 		if (IS_CACHE(rbtdb))
 			rbtdb->node_lock_count = DEFAULT_CACHE_NODE_LOCK_COUNT;
 		else
 			rbtdb->node_lock_count = DEFAULT_NODE_LOCK_COUNT;
+	} else if (rbtdb->node_lock_count < 2 && IS_CACHE(rbtdb)) {
+		result = ISC_R_RANGE;
+		goto cleanup_tree_lock;
 	}
 	INSIST(rbtdb->node_lock_count < (1 << DNS_RBT_LOCKLENGTH));
 	rbtdb->node_locks = isc_mem_get(mctx, rbtdb->node_lock_count *
@@ -5497,6 +6934,53 @@ dns_rbtdb_create
 		goto cleanup_tree_lock;
 	}
 
+	rbtdb->rrsetstats = NULL;
+	if (IS_CACHE(rbtdb)) {
+		result = dns_rdatasetstats_create(mctx, &rbtdb->rrsetstats);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_node_locks;
+		rbtdb->rdatasets = isc_mem_get(mctx, rbtdb->node_lock_count *
+					       sizeof(rdatasetheaderlist_t));
+		if (rbtdb->rdatasets == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto cleanup_rrsetstats;
+		}
+		for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+			ISC_LIST_INIT(rbtdb->rdatasets[i]);
+	} else
+		rbtdb->rdatasets = NULL;
+
+	/*
+	 * Create the heaps.
+	 */
+	rbtdb->heaps = isc_mem_get(mctx, rbtdb->node_lock_count *
+				   sizeof(isc_heap_t *));
+	if (rbtdb->heaps == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_rdatasets;
+	}
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+		rbtdb->heaps[i] = NULL;
+	sooner = IS_CACHE(rbtdb) ? ttl_sooner : resign_sooner;
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++) {
+		result = isc_heap_create(mctx, sooner, set_index, 0,
+					 &rbtdb->heaps[i]);
+		if (result != ISC_R_SUCCESS)
+			goto cleanup_heaps;
+	}
+
+	/*
+	 * Create deadnode lists.
+	 */
+	rbtdb->deadnodes = isc_mem_get(mctx, rbtdb->node_lock_count *
+				       sizeof(rbtnodelist_t));
+	if (rbtdb->deadnodes == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto cleanup_heaps;
+	}
+	for (i = 0; i < (int)rbtdb->node_lock_count; i++)
+		ISC_LIST_INIT(rbtdb->deadnodes[i]);
+
 	rbtdb->active = rbtdb->node_lock_count;
 
 	for (i = 0; i < (int)(rbtdb->node_lock_count); i++) {
@@ -5512,7 +6996,7 @@ dns_rbtdb_create
 				isc_refcount_decrement(&rbtdb->node_locks[i].references, NULL);
 				isc_refcount_destroy(&rbtdb->node_locks[i].references);
 			}
-			goto cleanup_node_locks;
+			goto cleanup_deadnodes;
 		}
 		rbtdb->node_locks[i].exiting = ISC_FALSE;
 	}
@@ -5525,7 +7009,7 @@ dns_rbtdb_create
 	isc_mem_attach(mctx, &rbtdb->common.mctx);
 
 	/*
-	 * Must be initalized before free_rbtdb() is called.
+	 * Must be initialized before free_rbtdb() is called.
 	 */
 	isc_ondestroy_init(&rbtdb->common.ondest);
 
@@ -5539,13 +7023,20 @@ dns_rbtdb_create
 	}
 
 	/*
-	 * Make the Red-Black Tree.
+	 * Make the Red-Black Trees.
 	 */
 	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->tree);
 	if (result != ISC_R_SUCCESS) {
 		free_rbtdb(rbtdb, ISC_FALSE, NULL);
 		return (result);
 	}
+
+	result = dns_rbt_create(mctx, delete_callback, rbtdb, &rbtdb->nsec3);
+	if (result != ISC_R_SUCCESS) {
+		free_rbtdb(rbtdb, ISC_FALSE, NULL);
+		return (result);
+	}
+
 	/*
 	 * In order to set the node callback bit correctly in zone databases,
 	 * we need to know if the node has the origin name of the zone.
@@ -5568,6 +7059,7 @@ dns_rbtdb_create
 			free_rbtdb(rbtdb, ISC_FALSE, NULL);
 			return (result);
 		}
+		rbtdb->origin_node->nsec3 = 0;
 		/*
 		 * We need to give the origin node the right locknum.
 		 */
@@ -5593,7 +7085,6 @@ dns_rbtdb_create
 		return (result);
 	}
 	rbtdb->attributes = 0;
-	rbtdb->secure = ISC_FALSE;
 	rbtdb->overmem = ISC_FALSE;
 	rbtdb->task = NULL;
 
@@ -5610,6 +7101,14 @@ dns_rbtdb_create
 		free_rbtdb(rbtdb, ISC_FALSE, NULL);
 		return (ISC_R_NOMEMORY);
 	}
+	rbtdb->current_version->secure = dns_db_insecure;
+	rbtdb->current_version->havensec3 = ISC_FALSE;
+	rbtdb->current_version->flags = 0;
+	rbtdb->current_version->iterations = 0;
+	rbtdb->current_version->hash = 0;
+	rbtdb->current_version->salt_length = 0;
+	memset(rbtdb->current_version->salt, 0,
+	       sizeof(rbtdb->current_version->salt));
 	rbtdb->future_version = NULL;
 	ISC_LIST_INIT(rbtdb->open_versions);
 	/*
@@ -5625,6 +7124,27 @@ dns_rbtdb_create
 
 	return (ISC_R_SUCCESS);
 
+ cleanup_deadnodes:
+	isc_mem_put(mctx, rbtdb->deadnodes,
+		    rbtdb->node_lock_count * sizeof(rbtnodelist_t));
+
+ cleanup_heaps:
+	if (rbtdb->heaps != NULL) {
+		for (i = 0 ; i < (int)rbtdb->node_lock_count ; i++)
+			if (rbtdb->heaps[i] != NULL)
+				isc_heap_destroy(&rbtdb->heaps[i]);
+		isc_mem_put(mctx, rbtdb->heaps,
+			    rbtdb->node_lock_count * sizeof(isc_heap_t *));
+	}
+
+ cleanup_rdatasets:
+	if (rbtdb->rdatasets != NULL)
+		isc_mem_put(mctx, rbtdb->rdatasets, rbtdb->node_lock_count *
+			    sizeof(rdatasetheaderlist_t));
+ cleanup_rrsetstats:
+	if (rbtdb->rrsetstats != NULL)
+		dns_stats_detach(&rbtdb->rrsetstats);
+
  cleanup_node_locks:
 	isc_mem_put(mctx, rbtdb->node_locks,
 		    rbtdb->node_lock_count * sizeof(rbtdb_nodelock_t));
@@ -5655,7 +7175,7 @@ rdataset_disassociate(dns_rdataset_t *rdataset) {
 
 static isc_result_t
 rdataset_first(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -5691,7 +7211,7 @@ static isc_result_t
 rdataset_next(dns_rdataset_t *rdataset) {
 	unsigned int count;
 	unsigned int length;
-	unsigned char *raw;	/* RDATASLAB */
+	unsigned char *raw;     /* RDATASLAB */
 
 	count = rdataset->privateuint4;
 	if (count == 0)
@@ -5710,9 +7230,9 @@ rdataset_next(dns_rdataset_t *rdataset) {
 		raw += length;
 #if DNS_RDATASET_FIXED
 	}
-	rdataset->private5 = raw + 4;		/* length(2) + order(2) */
+	rdataset->private5 = raw + 4;           /* length(2) + order(2) */
 #else
-	rdataset->private5 = raw + 2;		/* length(2) */
+	rdataset->private5 = raw + 2;           /* length(2) */
 #endif
 
 	return (ISC_R_SUCCESS);
@@ -5720,11 +7240,13 @@ rdataset_next(dns_rdataset_t *rdataset) {
 
 static void
 rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
-	unsigned char *raw = rdataset->private5;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private5;        /* RDATASLAB */
 #if DNS_RDATASET_FIXED
 	unsigned int offset;
 #endif
+	unsigned int length;
 	isc_region_t r;
+	unsigned int flags = 0;
 
 	REQUIRE(raw != NULL);
 
@@ -5740,15 +7262,22 @@ rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 		raw += offset;
 	}
 #endif
-	r.length = raw[0] * 256 + raw[1];
-
+	length = raw[0] * 256 + raw[1];
 #if DNS_RDATASET_FIXED
 	raw += 4;
 #else
 	raw += 2;
 #endif
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
 }
 
 static void
@@ -5769,7 +7298,7 @@ rdataset_clone(dns_rdataset_t *source, dns_rdataset_t *target) {
 
 static unsigned int
 rdataset_count(dns_rdataset_t *rdataset) {
-	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
 	unsigned int count;
 
 	count = raw[0] * 256 + raw[1];
@@ -5790,37 +7319,85 @@ rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 	attachnode(db, node, &cloned_node);
 	nsec->methods = &rdataset_methods;
 	nsec->rdclass = db->rdclass;
-	nsec->type = dns_rdatatype_nsec;
+	nsec->type = noqname->type;
 	nsec->covers = 0;
 	nsec->ttl = rdataset->ttl;
 	nsec->trust = rdataset->trust;
 	nsec->private1 = rdataset->private1;
 	nsec->private2 = rdataset->private2;
-	nsec->private3 = noqname->nsec;
+	nsec->private3 = noqname->neg;
 	nsec->privateuint4 = 0;
 	nsec->private5 = NULL;
 	nsec->private6 = NULL;
+	nsec->private7 = NULL;
 
 	cloned_node = NULL;
 	attachnode(db, node, &cloned_node);
 	nsecsig->methods = &rdataset_methods;
 	nsecsig->rdclass = db->rdclass;
 	nsecsig->type = dns_rdatatype_rrsig;
-	nsecsig->covers = dns_rdatatype_nsec;
+	nsecsig->covers = noqname->type;
 	nsecsig->ttl = rdataset->ttl;
 	nsecsig->trust = rdataset->trust;
 	nsecsig->private1 = rdataset->private1;
 	nsecsig->private2 = rdataset->private2;
-	nsecsig->private3 = noqname->nsecsig;
+	nsecsig->private3 = noqname->negsig;
 	nsecsig->privateuint4 = 0;
 	nsecsig->private5 = NULL;
 	nsec->private6 = NULL;
+	nsec->private7 = NULL;
 
 	dns_name_clone(&noqname->name, name);
 
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+		    dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+{
+	dns_db_t *db = rdataset->private1;
+	dns_dbnode_t *node = rdataset->private2;
+	dns_dbnode_t *cloned_node;
+	struct noqname *closest = rdataset->private7;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsec->methods = &rdataset_methods;
+	nsec->rdclass = db->rdclass;
+	nsec->type = closest->type;
+	nsec->covers = 0;
+	nsec->ttl = rdataset->ttl;
+	nsec->trust = rdataset->trust;
+	nsec->private1 = rdataset->private1;
+	nsec->private2 = rdataset->private2;
+	nsec->private3 = closest->neg;
+	nsec->privateuint4 = 0;
+	nsec->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	cloned_node = NULL;
+	attachnode(db, node, &cloned_node);
+	nsecsig->methods = &rdataset_methods;
+	nsecsig->rdclass = db->rdclass;
+	nsecsig->type = dns_rdatatype_rrsig;
+	nsecsig->covers = closest->type;
+	nsecsig->ttl = rdataset->ttl;
+	nsecsig->trust = rdataset->trust;
+	nsecsig->private1 = rdataset->private1;
+	nsecsig->private2 = rdataset->private2;
+	nsecsig->private3 = closest->negsig;
+	nsecsig->privateuint4 = 0;
+	nsecsig->private5 = NULL;
+	nsec->private6 = NULL;
+	nsec->private7 = NULL;
+
+	dns_name_clone(&closest->name, name);
+
+	return (ISC_R_SUCCESS);
+}
+
 /*
  * Rdataset Iterator Methods
  */
@@ -5871,13 +7448,13 @@ rdatasetiter_first(dns_rdatasetiter_t *iterator) {
 				 * record?  Or is it too old in the cache?
 				 *
 				 * Note: unlike everywhere else, we
-				 * check for now > header->ttl instead
-				 * of now >= header->ttl.  This allows
+				 * check for now > header->rdh_ttl instead
+				 * of now >= header->rdh_ttl.  This allows
 				 * ANY and RRSIG queries for 0 TTL
 				 * rdatasets to work.
 				 */
 				if (NONEXISTENT(header) ||
-				    (now != 0 && now > header->ttl))
+				    (now != 0 && now > header->rdh_ttl))
 					header = NULL;
 				break;
 			} else
@@ -5953,7 +7530,7 @@ rdatasetiter_next(dns_rdatasetiter_t *iterator) {
 					 */
 					if ((header->attributes &
 					     RDATASET_ATTR_NONEXISTENT) != 0 ||
-					    (now != 0 && now > header->ttl))
+					    (now != 0 && now > header->rdh_ttl))
 						header = NULL;
 					break;
 				} else
@@ -6009,9 +7586,7 @@ reference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
 		return;
 
 	INSIST(rbtdbiter->tree_locked != isc_rwlocktype_none);
-	NODE_STRONGLOCK(&rbtdb->node_locks[node->locknum].lock);
-	new_reference(rbtdb, node);
-	NODE_STRONGUNLOCK(&rbtdb->node_locks[node->locknum].lock);
+	reactivate_node(rbtdb, node, rbtdbiter->tree_locked);
 }
 
 static inline void
@@ -6026,7 +7601,7 @@ dereference_iter_node(rbtdb_dbiterator_t *rbtdbiter) {
 	lock = &rbtdb->node_locks[node->locknum].lock;
 	NODE_LOCK(lock, isc_rwlocktype_read);
 	decrement_reference(rbtdb, node, 0, isc_rwlocktype_read,
-			    rbtdbiter->tree_locked);
+			    rbtdbiter->tree_locked, ISC_FALSE);
 	NODE_UNLOCK(lock, isc_rwlocktype_read);
 
 	rbtdbiter->node = NULL;
@@ -6067,7 +7642,7 @@ flush_deletions(rbtdb_dbiterator_t *rbtdbiter) {
 			NODE_LOCK(lock, isc_rwlocktype_read);
 			decrement_reference(rbtdb, node, 0,
 					    isc_rwlocktype_read,
-					    rbtdbiter->tree_locked);
+					    rbtdbiter->tree_locked, ISC_FALSE);
 			NODE_UNLOCK(lock, isc_rwlocktype_read);
 		}
 
@@ -6117,6 +7692,7 @@ dbiterator_destroy(dns_dbiterator_t **iteratorp) {
 	dns_db_detach(&rbtdbiter->common.db);
 
 	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
 	isc_mem_put(db->mctx, rbtdbiter, sizeof(*rbtdbiter));
 	dns_db_detach(&db);
 
@@ -6142,12 +7718,25 @@ dbiterator_first(dns_dbiterator_t *iterator) {
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
 	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
 
-	result = dns_rbtnodechain_first(&rbtdbiter->chain, rbtdb->tree, name,
-					origin);
-
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+	} else {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->tree, name, origin);
+		if (!rbtdbiter->nonsec3 && result == ISC_R_NOTFOUND) {
+			rbtdbiter->current = &rbtdbiter->nsec3chain;
+			result = dns_rbtnodechain_first(rbtdbiter->current,
+							rbtdb->nsec3, name,
+							origin);
+		}
+	}
 	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
 						  NULL, &rbtdbiter->node);
 		if (result == ISC_R_SUCCESS) {
 			rbtdbiter->new_origin = ISC_TRUE;
@@ -6182,11 +7771,21 @@ dbiterator_last(dns_dbiterator_t *iterator) {
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
 	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
 
-	result = dns_rbtnodechain_last(&rbtdbiter->chain, rbtdb->tree, name,
-				       origin);
+	result = ISC_R_NOTFOUND;
+	if (rbtdbiter->nsec3only && !rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current,
+					       rbtdb->nsec3, name, origin);
+	}
+	if (!rbtdbiter->nsec3only && result == ISC_R_NOTFOUND) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+	}
 	if (result == ISC_R_SUCCESS || result == DNS_R_NEWORIGIN) {
-		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
 						  NULL, &rbtdbiter->node);
 		if (result == ISC_R_SUCCESS) {
 			rbtdbiter->new_origin = ISC_TRUE;
@@ -6210,6 +7809,7 @@ dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
 	dns_name_t *iname, *origin;
 
 	if (rbtdbiter->result != ISC_R_SUCCESS &&
+	    rbtdbiter->result != ISC_R_NOTFOUND &&
 	    rbtdbiter->result != ISC_R_NOMORE)
 		return (rbtdbiter->result);
 
@@ -6221,22 +7821,74 @@ dbiterator_seek(dns_dbiterator_t *iterator, dns_name_t *name) {
 	iname = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
 	dns_rbtnodechain_reset(&rbtdbiter->chain);
+	dns_rbtnodechain_reset(&rbtdbiter->nsec3chain);
+
+	if (rbtdbiter->nsec3only) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else if (rbtdbiter->nonsec3) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+	} else {
+		/*
+		 * Stay on main chain if not found on either chain.
+		 */
+		rbtdbiter->current = &rbtdbiter->chain;
+		result = dns_rbt_findnode(rbtdb->tree, name, NULL,
+					  &rbtdbiter->node,
+					  rbtdbiter->current,
+					  DNS_RBTFIND_EMPTYDATA, NULL, NULL);
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_rbtnode_t *node = NULL;
+			result = dns_rbt_findnode(rbtdb->nsec3, name, NULL,
+						  &node, &rbtdbiter->nsec3chain,
+						  DNS_RBTFIND_EMPTYDATA,
+						  NULL, NULL);
+			if (result == ISC_R_SUCCESS) {
+				rbtdbiter->node = node;
+				rbtdbiter->current = &rbtdbiter->nsec3chain;
+			}
+		}
+	}
 
-	result = dns_rbt_findnode(rbtdb->tree, name, NULL, &rbtdbiter->node,
-				  &rbtdbiter->chain, DNS_RBTFIND_EMPTYDATA,
-				  NULL, NULL);
+#if 1
 	if (result == ISC_R_SUCCESS) {
-		result = dns_rbtnodechain_current(&rbtdbiter->chain, iname,
+		result = dns_rbtnodechain_current(rbtdbiter->current, iname,
 						  origin, NULL);
 		if (result == ISC_R_SUCCESS) {
 			rbtdbiter->new_origin = ISC_TRUE;
 			reference_iter_node(rbtdbiter);
 		}
-
-	} else if (result == DNS_R_PARTIALMATCH)
+	} else if (result == DNS_R_PARTIALMATCH) {
 		result = ISC_R_NOTFOUND;
+		rbtdbiter->node = NULL;
+	}
 
 	rbtdbiter->result = result;
+#else
+	if (result == ISC_R_SUCCESS || result == DNS_R_PARTIALMATCH) {
+		isc_result_t tresult;
+		tresult = dns_rbtnodechain_current(rbtdbiter->current, iname,
+						   origin, NULL);
+		if (tresult == ISC_R_SUCCESS) {
+			rbtdbiter->new_origin = ISC_TRUE;
+			reference_iter_node(rbtdbiter);
+		} else {
+			result = tresult;
+			rbtdbiter->node = NULL;
+		}
+	} else
+		rbtdbiter->node = NULL;
+
+	rbtdbiter->result = (result == DNS_R_PARTIALMATCH) ?
+			    ISC_R_SUCCESS : result;
+#endif
 
 	return (result);
 }
@@ -6246,6 +7898,7 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
 	isc_result_t result;
 	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
 	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
 
 	REQUIRE(rbtdbiter->node != NULL);
 
@@ -6257,13 +7910,23 @@ dbiterator_prev(dns_dbiterator_t *iterator) {
 
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
-	result = dns_rbtnodechain_prev(&rbtdbiter->chain, name, origin);
+	result = dns_rbtnodechain_prev(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 &&
+	    &rbtdbiter->nsec3chain == rbtdbiter->current) {
+		rbtdbiter->current = &rbtdbiter->chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_last(rbtdbiter->current, rbtdb->tree,
+					       name, origin);
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_NOMORE;
+	}
 
 	dereference_iter_node(rbtdbiter);
 
 	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
-		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
 						  NULL, &rbtdbiter->node);
 	}
 
@@ -6280,6 +7943,7 @@ dbiterator_next(dns_dbiterator_t *iterator) {
 	isc_result_t result;
 	rbtdb_dbiterator_t *rbtdbiter = (rbtdb_dbiterator_t *)iterator;
 	dns_name_t *name, *origin;
+	dns_rbtdb_t *rbtdb = (dns_rbtdb_t *)iterator->db;
 
 	REQUIRE(rbtdbiter->node != NULL);
 
@@ -6291,13 +7955,22 @@ dbiterator_next(dns_dbiterator_t *iterator) {
 
 	name = dns_fixedname_name(&rbtdbiter->name);
 	origin = dns_fixedname_name(&rbtdbiter->origin);
-	result = dns_rbtnodechain_next(&rbtdbiter->chain, name, origin);
+	result = dns_rbtnodechain_next(rbtdbiter->current, name, origin);
+	if (result == ISC_R_NOMORE && !rbtdbiter->nsec3only &&
+	    !rbtdbiter->nonsec3 && &rbtdbiter->chain == rbtdbiter->current) {
+		rbtdbiter->current = &rbtdbiter->nsec3chain;
+		dns_rbtnodechain_reset(rbtdbiter->current);
+		result = dns_rbtnodechain_first(rbtdbiter->current,
+						rbtdb->nsec3, name, origin);
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_NOMORE;
+	}
 
 	dereference_iter_node(rbtdbiter);
 
 	if (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
 		rbtdbiter->new_origin = ISC_TF(result == DNS_R_NEWORIGIN);
-		result = dns_rbtnodechain_current(&rbtdbiter->chain, NULL,
+		result = dns_rbtnodechain_current(rbtdbiter->current, NULL,
 						  NULL, &rbtdbiter->node);
 	}
 	if (result == ISC_R_SUCCESS)
@@ -6421,7 +8094,7 @@ rdataset_getadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	unsigned int count;
 	rdatasetheader_t *header;
@@ -6567,7 +8240,7 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	rdatasetheader_t *header;
 	unsigned int total_count, count;
@@ -6673,7 +8346,7 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 
 	return (ISC_R_SUCCESS);
 
-  fail:
+ fail:
 	if (newcbarg != NULL) {
 		if (newentry != NULL) {
 			acache_cancelentry(rbtdb->common.mctx, newentry,
@@ -6696,7 +8369,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 {
 	dns_rbtdb_t *rbtdb = rdataset->private1;
 	dns_rbtnode_t *rbtnode = rdataset->private2;
-	unsigned char *raw = rdataset->private3;	/* RDATASLAB */
+	unsigned char *raw = rdataset->private3;        /* RDATASLAB */
 	unsigned int current_count = rdataset->privateuint4;
 	rdatasetheader_t *header;
 	nodelock_t *nodelock;
@@ -6705,7 +8378,7 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 	dns_acacheentry_t *entry;
 	acache_cbarg_t *cbarg;
 
-	UNUSED(qtype);		/* we do not use this value at least for now */
+	UNUSED(qtype);          /* we do not use this value at least for now */
 	UNUSED(acache);
 
 	if (type == dns_rdatasetadditional_fromcache)
@@ -6752,9 +8425,159 @@ rdataset_putadditional(dns_acache_t *acache, dns_rdataset_t *rdataset,
 	NODE_UNLOCK(nodelock, isc_rwlocktype_write);
 
 	if (entry != NULL) {
-		acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
+		if (cbarg != NULL)
+			acache_cancelentry(rbtdb->common.mctx, entry, &cbarg);
 		dns_acache_detachentry(&entry);
 	}
 
 	return (ISC_R_SUCCESS);
 }
+
+/*%
+ * Routines for LRU-based cache management.
+ */
+
+/*%
+ * See if a given cache entry that is being reused needs to be updated
+ * in the LRU-list.  From the LRU management point of view, this function is
+ * expected to return true for almost all cases.  When used with threads,
+ * however, this may cause a non-negligible performance penalty because a
+ * writer lock will have to be acquired before updating the list.
+ * If DNS_RBTDB_LIMITLRUUPDATE is defined to be non 0 at compilation time, this
+ * function returns true if the entry has not been updated for some period of
+ * time.  We differentiate the NS or glue address case and the others since
+ * experiments have shown that the former tends to be accessed relatively
+ * infrequently and the cost of cache miss is higher (e.g., a missing NS records
+ * may cause external queries at a higher level zone, involving more
+ * transactions).
+ *
+ * Caller must hold the node (read or write) lock.
+ */
+static inline isc_boolean_t
+need_headerupdate(rdatasetheader_t *header, isc_stdtime_t now) {
+	if ((header->attributes &
+	     (RDATASET_ATTR_NONEXISTENT|RDATASET_ATTR_STALE)) != 0)
+		return (ISC_FALSE);
+
+#if DNS_RBTDB_LIMITLRUUPDATE
+	if (header->type == dns_rdatatype_ns ||
+	    (header->trust == dns_trust_glue &&
+	     (header->type == dns_rdatatype_a ||
+	      header->type == dns_rdatatype_aaaa))) {
+		/*
+		 * Glue records are updated if at least 60 seconds have passed
+		 * since the previous update time.
+		 */
+		return (header->last_used + 60 <= now);
+	}
+
+	/* Other records are updated if 5 minutes have passed. */
+	return (header->last_used + 300 <= now);
+#else
+	UNUSED(now);
+
+	return (ISC_TRUE);
+#endif
+}
+
+/*%
+ * Update the timestamp of a given cache entry and move it to the head
+ * of the corresponding LRU list.
+ *
+ * Caller must hold the node (write) lock.
+ *
+ * Note that the we do NOT touch the heap here, as the TTL has not changed.
+ */
+static void
+update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+	      isc_stdtime_t now)
+{
+	INSIST(IS_CACHE(rbtdb));
+
+	/* To be checked: can we really assume this? XXXMLG */
+	INSIST(ISC_LINK_LINKED(header, lru_link));
+
+	ISC_LIST_UNLINK(rbtdb->rdatasets[header->node->locknum],
+			header, lru_link);
+	header->last_used = now;
+	ISC_LIST_PREPEND(rbtdb->rdatasets[header->node->locknum],
+			 header, lru_link);
+}
+
+/*%
+ * Purge some expired and/or stale (i.e. unused for some period) cache entries
+ * under an overmem condition.  To recover from this condition quickly, up to
+ * 2 entries will be purged.  This process is triggered while adding a new
+ * entry, and we specifically avoid purging entries in the same LRU bucket as
+ * the one to which the new entry will belong.  Otherwise, we might purge
+ * entries of the same name of different RR types while adding RRsets from a
+ * single response (consider the case where we're adding A and AAAA glue records
+ * of the same NS name).
+ */
+static void
+overmem_purge(dns_rbtdb_t *rbtdb, unsigned int locknum_start,
+	      isc_stdtime_t now, isc_boolean_t tree_locked)
+{
+	rdatasetheader_t *header, *header_prev;
+	unsigned int locknum;
+	int purgecount = 2;
+
+	for (locknum = (locknum_start + 1) % rbtdb->node_lock_count;
+	     locknum != locknum_start && purgecount > 0;
+	     locknum = (locknum + 1) % rbtdb->node_lock_count) {
+		NODE_LOCK(&rbtdb->node_locks[locknum].lock,
+			  isc_rwlocktype_write);
+
+		header = isc_heap_element(rbtdb->heaps[locknum], 1);
+		if (header && header->rdh_ttl <= now - RBTDB_VIRTUAL) {
+			expire_header(rbtdb, header, tree_locked);
+			purgecount--;
+		}
+
+		for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
+		     header != NULL && purgecount > 0;
+		     header = header_prev) {
+			header_prev = ISC_LIST_PREV(header, lru_link);
+			/*
+			 * Unlink the entry at this point to avoid checking it
+			 * again even if it's currently used someone else and
+			 * cannot be purged at this moment.  This entry won't be
+			 * referenced any more (so unlinking is safe) since the
+			 * TTL was reset to 0.
+			 */
+			ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header,
+					lru_link);
+			expire_header(rbtdb, header, tree_locked);
+			purgecount--;
+		}
+
+		NODE_UNLOCK(&rbtdb->node_locks[locknum].lock,
+				    isc_rwlocktype_write);
+	}
+}
+
+static void
+expire_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
+	      isc_boolean_t tree_locked)
+{
+	set_ttl(rbtdb, header, 0);
+	header->attributes |= RDATASET_ATTR_STALE;
+	header->node->dirty = 1;
+
+	/*
+	 * Caller must hold the node (write) lock.
+	 */
+
+	if (dns_rbtnode_refcurrent(header->node) == 0) {
+		/*
+		 * If no one else is using the node, we can clean it up now.
+		 * We first need to gain a new reference to the node to meet a
+		 * requirement of decrement_reference().
+		 */
+		new_reference(rbtdb, header->node);
+		decrement_reference(rbtdb, header->node, 0,
+				    isc_rwlocktype_write,
+				    tree_locked ? isc_rwlocktype_write :
+				    isc_rwlocktype_none, ISC_FALSE);
+	}
+}
diff --git a/lib/dns/rbtdb.h b/lib/dns/rbtdb.h
index f9fb50b..b024d13 100644
--- a/lib/dns/rbtdb.h
+++ b/lib/dns/rbtdb.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb.h,v 1.14.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb.h,v 1.18 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_RBTDB_H
 #define DNS_RBTDB_H 1
diff --git a/lib/dns/rbtdb64.c b/lib/dns/rbtdb64.c
index 773fe91..5e325fa 100644
--- a/lib/dns/rbtdb64.c
+++ b/lib/dns/rbtdb64.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.c,v 1.7.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb64.c,v 1.11 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rbtdb64.h b/lib/dns/rbtdb64.h
index e2de45c..fe11622 100644
--- a/lib/dns/rbtdb64.h
+++ b/lib/dns/rbtdb64.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rbtdb64.h,v 1.13.18.2 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rbtdb64.h,v 1.17 2007/06/19 23:47:16 tbox Exp $ */
 
 #ifndef DNS_RBTDB64_H
 #define DNS_RBTDB64_H 1
diff --git a/lib/dns/rcode.c b/lib/dns/rcode.c
index f61aa35..58ade85 100644
--- a/lib/dns/rcode.c
+++ b/lib/dns/rcode.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rcode.c,v 1.2.18.2 2006/01/27 23:57:44 marka Exp $ */
+/* $Id: rcode.c,v 1.8 2008/09/25 04:02:38 tbox Exp $ */
 
 #include <config.h>
 #include <ctype.h>
@@ -66,7 +66,7 @@
 #define ERCODENAMES \
 	/* extended rcodes */ \
 	{ dns_rcode_badvers, "BADVERS", 0}, \
-	{ 0, NULL, 0 } 
+	{ 0, NULL, 0 }
 
 #define TSIGRCODENAMES \
 	/* extended rcodes */ \
@@ -96,8 +96,10 @@
 	{ DNS_KEYALG_RSAMD5, "RSA", 0 }, \
 	{ DNS_KEYALG_DH, "DH", 0 }, \
 	{ DNS_KEYALG_DSA, "DSA", 0 }, \
+	{ DNS_KEYALG_NSEC3DSA, "NSEC3DSA", 0 }, \
 	{ DNS_KEYALG_ECC, "ECC", 0 }, \
 	{ DNS_KEYALG_RSASHA1, "RSASHA1", 0 }, \
+	{ DNS_KEYALG_NSEC3RSASHA1, "NSEC3RSASHA1", 0 }, \
 	{ DNS_KEYALG_INDIRECT, "INDIRECT", 0 }, \
 	{ DNS_KEYALG_PRIVATEDNS, "PRIVATEDNS", 0 }, \
 	{ DNS_KEYALG_PRIVATEOID, "PRIVATEOID", 0 }, \
@@ -114,6 +116,10 @@
 	{ 255,    "ALL", 0 }, \
 	{ 0, NULL, 0}
 
+#define HASHALGNAMES \
+	{ 1, "SHA-1", 0 }, \
+	{ 0, NULL, 0 }
+
 struct tbl {
 	unsigned int    value;
 	const char      *name;
@@ -125,6 +131,7 @@ static struct tbl tsigrcodes[] = { RCODENAMES TSIGRCODENAMES };
 static struct tbl certs[] = { CERTNAMES };
 static struct tbl secalgs[] = { SECALGNAMES };
 static struct tbl secprotos[] = { SECPROTONAMES };
+static struct tbl hashalgs[] = { HASHALGNAMES };
 
 static struct keyflag {
 	const char *name;
@@ -238,7 +245,7 @@ dns_mnemonic_fromtext(unsigned int *valuep, isc_textregion_t *source,
 
 static isc_result_t
 dns_mnemonic_totext(unsigned int value, isc_buffer_t *target,
-		    struct tbl *table) 
+		    struct tbl *table)
 {
 	int i = 0;
 	char buf[sizeof("4294967296")];
@@ -271,7 +278,7 @@ dns_tsigrcode_fromtext(dns_rcode_t *rcodep, isc_textregion_t *source) {
 	RETERR(dns_mnemonic_fromtext(&value, source, tsigrcodes, 0xffff));
 	*rcodep = value;
 	return (ISC_R_SUCCESS);
-} 
+}
 
 isc_result_t
 dns_tsigrcode_totext(dns_rcode_t rcode, isc_buffer_t *target) {
@@ -318,6 +325,14 @@ dns_secproto_totext(dns_secproto_t secproto, isc_buffer_t *target) {
 }
 
 isc_result_t
+dns_hashalg_fromtext(unsigned char *hashalg, isc_textregion_t *source) {
+	unsigned int value;
+	RETERR(dns_mnemonic_fromtext(&value, source, hashalgs, 0xff));
+	*hashalg = value;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
 dns_keyflags_fromtext(dns_keyflags_t *flagsp, isc_textregion_t *source)
 {
 	isc_result_t result;
diff --git a/lib/dns/rdata.c b/lib/dns/rdata.c
index 5641777..ab9df8b 100644
--- a/lib/dns/rdata.c
+++ b/lib/dns/rdata.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdata.c,v 1.184.18.9 2006/07/21 02:05:57 marka Exp $ */
+/* $Id: rdata.c,v 1.199.50.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -111,7 +111,7 @@ typedef struct dns_rdata_textctx {
 	dns_name_t *origin;	/*%< Current origin, or NULL. */
 	unsigned int flags;	/*%< DNS_STYLEFLAG_*  */
 	unsigned int width;	/*%< Width of rdata column. */
-  	const char *linebreak;	/*%< Line break string. */
+	const char *linebreak;	/*%< Line break string. */
 } dns_rdata_textctx_t;
 
 static isc_result_t
@@ -162,6 +162,9 @@ uint16_fromregion(isc_region_t *region);
 static isc_uint8_t
 uint8_fromregion(isc_region_t *region);
 
+static isc_uint8_t
+uint8_consume_fromregion(isc_region_t *region);
+
 static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
 
@@ -201,6 +204,9 @@ static void
 warn_badmx(isc_token_t *token, isc_lex_t *lexer,
 	   dns_rdatacallbacks_t *callbacks);
 
+static isc_uint16_t
+uint16_consume_fromregion(isc_region_t *region);
+
 static inline int
 getquad(const void *src, struct in_addr *dst,
 	isc_lex_t *lexer, dns_rdatacallbacks_t *callbacks)
@@ -269,7 +275,7 @@ dns_rdata_init(dns_rdata_t *rdata) {
 	/* ISC_LIST_INIT(rdata->list); */
 }
 
-#if 0
+#if 1
 #define DNS_RDATA_INITIALIZED(rdata) \
 	((rdata)->data == NULL && (rdata)->length == 0 && \
 	 (rdata)->rdclass == 0 && (rdata)->type == 0 && (rdata)->flags == 0 && \
@@ -282,8 +288,9 @@ dns_rdata_init(dns_rdata_t *rdata) {
 #define DNS_RDATA_INITIALIZED(rdata) ISC_TRUE
 #endif
 #endif
+
 #define DNS_RDATA_VALIDFLAGS(rdata) \
-	(((rdata)->flags & ~DNS_RDATA_UPDATE) == 0)
+	(((rdata)->flags & ~(DNS_RDATA_UPDATE|DNS_RDATA_OFFLINE)) == 0)
 
 void
 dns_rdata_reset(dns_rdata_t *rdata) {
@@ -532,7 +539,7 @@ unknown_fromtext(dns_rdataclass_t rdclass, dns_rdatatype_t type,
 	result = isc_buffer_allocate(mctx, &buf, token.value.as_ulong);
 	if (result != ISC_R_SUCCESS)
 		return (result);
-	
+
 	result = isc_hex_tobuffer(lexer, buf,
 				  (unsigned int)token.value.as_ulong);
 	if (result != ISC_R_SUCCESS)
@@ -728,7 +735,7 @@ dns_rdata_totext(dns_rdata_t *rdata, dns_name_t *origin, isc_buffer_t *target)
 isc_result_t
 dns_rdata_tofmttext(dns_rdata_t *rdata, dns_name_t *origin,
 		    unsigned int flags, unsigned int width,
-		    char *linebreak, isc_buffer_t *target)
+		    const char *linebreak, isc_buffer_t *target)
 {
 	dns_rdata_textctx_t tctx;
 
@@ -901,7 +908,7 @@ dns_rdatatype_fromtext(dns_rdatatype_t *typep, isc_textregion_t *source) {
 	hash = ((a + n) * b) % 256;
 
 	/*
-	 * This switch block is inlined via #define, and will use "return"
+	 * This switch block is inlined via \#define, and will use "return"
 	 * to return a result to the caller if it is a valid (known)
 	 * rdatatype name.
 	 */
@@ -1234,6 +1241,14 @@ uint32_fromregion(isc_region_t *region) {
 }
 
 static isc_uint16_t
+uint16_consume_fromregion(isc_region_t *region) {
+	isc_uint16_t r = uint16_fromregion(region);
+
+	isc_region_consume(region, 2);
+	return r;
+}
+
+static isc_uint16_t
 uint16_fromregion(isc_region_t *region) {
 
 	REQUIRE(region->length >= 2);
@@ -1249,6 +1264,14 @@ uint8_fromregion(isc_region_t *region) {
 	return (region->base[0]);
 }
 
+static isc_uint8_t
+uint8_consume_fromregion(isc_region_t *region) {
+	isc_uint8_t r = uint8_fromregion(region);
+
+	isc_region_consume(region, 1);
+	return r;
+}
+
 static isc_result_t
 mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
 	isc_region_t tr;
@@ -1504,16 +1527,16 @@ byte_btoa(int c, isc_buffer_t *target, struct state *state) {
 			   /*
 			    * Because some don't support u_long.
 			    */
-		    	tmp = 32;
-		    	tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
+			tmp = 32;
+			tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
 		    }
 		    if (tmpword < 0) {
-		    	tmp = 64;
-		    	tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
+			tmp = 64;
+			tmpword -= (isc_int32_t)(85 * 85 * 85 * 85 * 32);
 		    }
 			if (tr.length < 5)
 				return (ISC_R_NOSPACE);
-		    	tr.base[0] = atob_digits[(tmpword /
+			tr.base[0] = atob_digits[(tmpword /
 					      (isc_int32_t)(85 * 85 * 85 * 85))
 						+ tmp];
 			tmpword %= (isc_int32_t)(85 * 85 * 85 * 85);
@@ -1596,7 +1619,7 @@ warn_badmx(isc_token_t *token, isc_lex_t *lexer,
 	if (lexer != NULL) {
 		file = isc_lex_getsourcename(lexer);
 		line = isc_lex_getsourceline(lexer);
-		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s", 
+		(*callbacks->warn)(callbacks, "%s:%u: warning: '%s': %s",
 				   file, line, DNS_AS_STR(*token),
 				   dns_result_totext(DNS_R_MXISADDRESS));
 	}
@@ -1609,12 +1632,12 @@ warn_badname(dns_name_t *name, isc_lex_t *lexer,
 	const char *file;
 	unsigned long line;
 	char namebuf[DNS_NAME_FORMATSIZE];
-	
+
 	if (lexer != NULL) {
 		file = isc_lex_getsourcename(lexer);
 		line = isc_lex_getsourceline(lexer);
 		dns_name_format(name, namebuf, sizeof(namebuf));
-		(*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s", 
+		(*callbacks->warn)(callbacks, "%s:%u: warning: %s: %s",
 				   file, line, namebuf,
 				   dns_result_totext(DNS_R_BADNAME));
 	}
diff --git a/lib/dns/rdata/any_255/tsig_250.c b/lib/dns/rdata/any_255/tsig_250.c
index 4fdadd3..3121f78 100644
--- a/lib/dns/rdata/any_255/tsig_250.c
+++ b/lib/dns/rdata/any_255/tsig_250.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.c,v 1.59.18.2 2005/03/20 22:34:32 marka Exp $ */
+/* $Id: tsig_250.c,v 1.63 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 13:39:43 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/any_255/tsig_250.h b/lib/dns/rdata/any_255/tsig_250.h
index b84a715..0c01667 100644
--- a/lib/dns/rdata/any_255/tsig_250.h
+++ b/lib/dns/rdata/any_255/tsig_250.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tsig_250.h,v 1.21.18.2 2005/04/29 00:16:29 marka Exp $ */
+/* $Id: tsig_250.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef ANY_255_TSIG_250_H
 #define ANY_255_TSIG_250_H 1
diff --git a/lib/dns/rdata/ch_3/a_1.c b/lib/dns/rdata/ch_3/a_1.c
index 6a9b70c..78d4ecd 100644
--- a/lib/dns/rdata/ch_3/a_1.c
+++ b/lib/dns/rdata/ch_3/a_1.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.2.2.3 2005/08/23 04:10:09 marka Exp $ */
+/* $Id: a_1.c,v 1.6 2007/06/19 23:47:17 tbox Exp $ */
 
 /* by Bjorn.Victor@it.uu.se, 2005-05-07 */
 /* Based on generic/soa_6.c and generic/mx_15.c */
diff --git a/lib/dns/rdata/ch_3/a_1.h b/lib/dns/rdata/ch_3/a_1.h
index 9f67977..a279d0e 100644
--- a/lib/dns/rdata/ch_3/a_1.h
+++ b/lib/dns/rdata/ch_3/a_1.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.h,v 1.2.2.2 2005/06/05 00:02:22 marka Exp $ */
+/* $Id: a_1.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
 
 /* by Bjorn.Victor@it.uu.se, 2005-05-07 */
 /* Based on generic/mx_15.h */
diff --git a/lib/dns/rdata/generic/afsdb_18.c b/lib/dns/rdata/generic/afsdb_18.c
index 24a63e6..2230efb 100644
--- a/lib/dns/rdata/generic/afsdb_18.c
+++ b/lib/dns/rdata/generic/afsdb_18.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: afsdb_18.c,v 1.43.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: afsdb_18.c,v 1.47 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 14:59:00 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/generic/afsdb_18.h b/lib/dns/rdata/generic/afsdb_18.h
index 1532da1..ccccc11 100644
--- a/lib/dns/rdata/generic/afsdb_18.h
+++ b/lib/dns/rdata/generic/afsdb_18.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_AFSDB_18_H
 #define GENERIC_AFSDB_18_H 1
 
-/* $Id: afsdb_18.h,v 1.16.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: afsdb_18.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/cert_37.c b/lib/dns/rdata/generic/cert_37.c
index c6ba3a8..2c45230 100644
--- a/lib/dns/rdata/generic/cert_37.c
+++ b/lib/dns/rdata/generic/cert_37.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.c,v 1.46.18.2 2005/04/29 00:16:30 marka Exp $ */
+/* $Id: cert_37.c,v 1.50 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 21:14:32 EST 2000 by tale */
 
diff --git a/lib/dns/rdata/generic/cert_37.h b/lib/dns/rdata/generic/cert_37.h
index 2af25b7..ddfaa4f 100644
--- a/lib/dns/rdata/generic/cert_37.h
+++ b/lib/dns/rdata/generic/cert_37.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cert_37.h,v 1.16.18.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: cert_37.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef GENERIC_CERT_37_H
 #define GENERIC_CERT_37_H 1
diff --git a/lib/dns/rdata/generic/cname_5.c b/lib/dns/rdata/generic/cname_5.c
index 6ea1db1..28c3d60 100644
--- a/lib/dns/rdata/generic/cname_5.c
+++ b/lib/dns/rdata/generic/cname_5.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.c,v 1.45 2004/03/05 05:10:10 marka Exp $ */
+/* $Id: cname_5.c,v 1.47 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/cname_5.h b/lib/dns/rdata/generic/cname_5.h
index dc24383..516f8d3 100644
--- a/lib/dns/rdata/generic/cname_5.h
+++ b/lib/dns/rdata/generic/cname_5.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cname_5.h,v 1.24 2004/03/05 05:10:10 marka Exp $ */
+/* $Id: cname_5.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef GENERIC_CNAME_5_H
 #define GENERIC_CNAME_5_H 1
diff --git a/lib/dns/rdata/generic/dlv_32769.c b/lib/dns/rdata/generic/dlv_32769.c
index c0bb348..957f038 100644
--- a/lib/dns/rdata/generic/dlv_32769.c
+++ b/lib/dns/rdata/generic/dlv_32769.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.c,v 1.2.2.5 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: dlv_32769.c,v 1.6 2007/06/18 23:47:43 tbox Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 
diff --git a/lib/dns/rdata/generic/dlv_32769.h b/lib/dns/rdata/generic/dlv_32769.h
index bd03c73..2313c57 100644
--- a/lib/dns/rdata/generic/dlv_32769.h
+++ b/lib/dns/rdata/generic/dlv_32769.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dlv_32769.h,v 1.2.2.2 2006/02/19 06:50:47 marka Exp $ */
+/* $Id: dlv_32769.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 #ifndef GENERIC_DLV_32769_H
diff --git a/lib/dns/rdata/generic/dname_39.c b/lib/dns/rdata/generic/dname_39.c
index ed3133c..c399f1e 100644
--- a/lib/dns/rdata/generic/dname_39.c
+++ b/lib/dns/rdata/generic/dname_39.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dname_39.c,v 1.36 2004/03/05 05:10:10 marka Exp $ */
+/* $Id: dname_39.c,v 1.38 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 16:52:38 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/generic/dname_39.h b/lib/dns/rdata/generic/dname_39.h
index 93ec709..f8aca27 100644
--- a/lib/dns/rdata/generic/dname_39.h
+++ b/lib/dns/rdata/generic/dname_39.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_DNAME_39_H
 #define GENERIC_DNAME_39_H 1
 
-/* $Id: dname_39.h,v 1.17.18.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: dname_39.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief per RFC2672 */
diff --git a/lib/dns/rdata/generic/dnskey_48.c b/lib/dns/rdata/generic/dnskey_48.c
index 5a4e453..2e11cba 100644
--- a/lib/dns/rdata/generic/dnskey_48.c
+++ b/lib/dns/rdata/generic/dnskey_48.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnskey_48.c,v 1.4.20.2 2005/04/29 00:16:31 marka Exp $ */
+/* $Id: dnskey_48.c,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/dnskey_48.h b/lib/dns/rdata/generic/dnskey_48.h
index 9b3d262..ce88cd1 100644
--- a/lib/dns/rdata/generic/dnskey_48.h
+++ b/lib/dns/rdata/generic/dnskey_48.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_DNSKEY_48_H
 #define GENERIC_DNSKEY_48_H 1
 
-/* $Id: dnskey_48.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: dnskey_48.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief per RFC2535 */
diff --git a/lib/dns/rdata/generic/ds_43.c b/lib/dns/rdata/generic/ds_43.c
index 212a56f..08e5d5f 100644
--- a/lib/dns/rdata/generic/ds_43.c
+++ b/lib/dns/rdata/generic/ds_43.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.c,v 1.7.18.5 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: ds_43.c,v 1.12 2007/06/18 23:47:43 tbox Exp $ */
 
 /* draft-ietf-dnsext-delegation-signer-05.txt */
 
diff --git a/lib/dns/rdata/generic/ds_43.h b/lib/dns/rdata/generic/ds_43.h
index dae7bef..3a409a1 100644
--- a/lib/dns/rdata/generic/ds_43.h
+++ b/lib/dns/rdata/generic/ds_43.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ds_43.h,v 1.3.20.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: ds_43.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef GENERIC_DS_43_H
 #define GENERIC_DS_43_H 1
diff --git a/lib/dns/rdata/generic/gpos_27.c b/lib/dns/rdata/generic/gpos_27.c
index 9b37905..18effb5 100644
--- a/lib/dns/rdata/generic/gpos_27.c
+++ b/lib/dns/rdata/generic/gpos_27.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gpos_27.c,v 1.37.18.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: gpos_27.c,v 1.41 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 16:48:45 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/gpos_27.h b/lib/dns/rdata/generic/gpos_27.h
index 4949bde..f5df4fa 100644
--- a/lib/dns/rdata/generic/gpos_27.h
+++ b/lib/dns/rdata/generic/gpos_27.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_GPOS_27_H
 #define GENERIC_GPOS_27_H 1
 
-/* $Id: gpos_27.h,v 1.13.18.2 2005/04/29 00:16:32 marka Exp $ */
+/* $Id: gpos_27.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief per RFC1712 */
diff --git a/lib/dns/rdata/generic/hinfo_13.c b/lib/dns/rdata/generic/hinfo_13.c
index 70c433c..5321357 100644
--- a/lib/dns/rdata/generic/hinfo_13.c
+++ b/lib/dns/rdata/generic/hinfo_13.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hinfo_13.c,v 1.42 2004/03/05 05:10:11 marka Exp $ */
+/* $Id: hinfo_13.c,v 1.44 2007/06/19 23:47:17 tbox Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/hinfo_13.h b/lib/dns/rdata/generic/hinfo_13.h
index e542c48..66766df 100644
--- a/lib/dns/rdata/generic/hinfo_13.h
+++ b/lib/dns/rdata/generic/hinfo_13.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_HINFO_13_H
 #define GENERIC_HINFO_13_H 1
 
-/* $Id: hinfo_13.h,v 1.23 2004/03/05 05:10:12 marka Exp $ */
+/* $Id: hinfo_13.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_hinfo {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/ipseckey_45.c b/lib/dns/rdata/generic/ipseckey_45.c
index 3c3736e..bc2b4e8 100644
--- a/lib/dns/rdata/generic/ipseckey_45.c
+++ b/lib/dns/rdata/generic/ipseckey_45.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.c,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+/* $Id: ipseckey_45.c,v 1.4.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef RDATA_GENERIC_IPSECKEY_45_C
 #define RDATA_GENERIC_IPSECKEY_45_C
@@ -131,15 +131,15 @@ totext_ipseckey(ARGS_TOTEXT) {
 
 	dns_name_init(&name, NULL);
 	dns_name_init(&prefix, NULL);
-	
+
 	if (rdata->data[1] > 3U)
 		return (ISC_R_NOTIMPLEMENTED);
 
-        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-                RETERR(str_totext("( ", target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( ", target));
 
 	/*
-	 * Precendence.
+	 * Precedence.
 	 */
 	dns_rdata_toregion(rdata, &region);
 	num = uint8_fromregion(&region);
@@ -198,14 +198,14 @@ totext_ipseckey(ARGS_TOTEXT) {
 					 tctx->linebreak, target));
 	}
 
-        if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
-                RETERR(str_totext(" )", target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext(" )", target));
 	return (ISC_R_SUCCESS);
 }
 
 static inline isc_result_t
 fromwire_ipseckey(ARGS_FROMWIRE) {
-        dns_name_t name;
+	dns_name_t name;
 	isc_region_t region;
 
 	REQUIRE(type == 45);
@@ -215,7 +215,7 @@ fromwire_ipseckey(ARGS_FROMWIRE) {
 
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_NONE);
 
-        dns_name_init(&name, NULL);
+	dns_name_init(&name, NULL);
 
 	isc_buffer_activeregion(source, &region);
 	if (region.length < 3)
diff --git a/lib/dns/rdata/generic/ipseckey_45.h b/lib/dns/rdata/generic/ipseckey_45.h
index b766fa0..2a6201f 100644
--- a/lib/dns/rdata/generic/ipseckey_45.h
+++ b/lib/dns/rdata/generic/ipseckey_45.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipseckey_45.h,v 1.2.2.1 2005/07/07 03:17:36 marka Exp $ */
+/* $Id: ipseckey_45.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef GENERIC_IPSECKEY_45_H
 #define GENERIC_IPSECKEY_45_H 1
diff --git a/lib/dns/rdata/generic/isdn_20.c b/lib/dns/rdata/generic/isdn_20.c
index 1813759..d7333d1 100644
--- a/lib/dns/rdata/generic/isdn_20.c
+++ b/lib/dns/rdata/generic/isdn_20.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: isdn_20.c,v 1.34.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: isdn_20.c,v 1.38 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 16:53:11 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/isdn_20.h b/lib/dns/rdata/generic/isdn_20.h
index 6a51317..a1f65ca 100644
--- a/lib/dns/rdata/generic/isdn_20.h
+++ b/lib/dns/rdata/generic/isdn_20.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_ISDN_20_H
 #define GENERIC_ISDN_20_H 1
 
-/* $Id: isdn_20.h,v 1.14.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: isdn_20.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  * \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/key_25.c b/lib/dns/rdata/generic/key_25.c
index 24dc10f..9acfe95 100644
--- a/lib/dns/rdata/generic/key_25.c
+++ b/lib/dns/rdata/generic/key_25.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: key_25.c,v 1.47.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: key_25.c,v 1.51 2007/06/19 23:47:17 tbox Exp $ */
 
 /*
  * Reviewed: Wed Mar 15 16:47:10 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/key_25.h b/lib/dns/rdata/generic/key_25.h
index 03400db..bcf9cb6 100644
--- a/lib/dns/rdata/generic/key_25.h
+++ b/lib/dns/rdata/generic/key_25.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_KEY_25_H
 #define GENERIC_KEY_25_H 1
 
-/* $Id: key_25.h,v 1.15.18.2 2005/04/29 00:16:33 marka Exp $ */
+/* $Id: key_25.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  * \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/loc_29.c b/lib/dns/rdata/generic/loc_29.c
index c93ac90..a5d7f72 100644
--- a/lib/dns/rdata/generic/loc_29.c
+++ b/lib/dns/rdata/generic/loc_29.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: loc_29.c,v 1.41.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: loc_29.c,v 1.45.332.4 2009/02/17 05:54:12 marka Exp $ */
 
 /* Reviewed: Wed Mar 15 18:13:09 PST 2000 by explorer */
 
@@ -482,16 +482,19 @@ totext_loc(ARGS_TOTEXT) {
 
 	/* version = sr.base[0]; */
 	size = sr.base[1];
+	INSIST((size&0x0f) < 10 && (size>>4) < 10);
 	if ((size&0x0f)> 1)
 		sprintf(sbuf, "%lum", (size>>4) * poweroften[(size&0x0f)-2]);
 	else
 		sprintf(sbuf, "0.%02lum", (size>>4) * poweroften[(size&0x0f)]);
 	hp = sr.base[2];
+	INSIST((hp&0x0f) < 10 && (hp>>4) < 10);
 	if ((hp&0x0f)> 1)
 		sprintf(hbuf, "%lum", (hp>>4) * poweroften[(hp&0x0f)-2]);
 	else
 		sprintf(hbuf, "0.%02lum", (hp>>4) * poweroften[(hp&0x0f)]);
 	vp = sr.base[3];
+	INSIST((vp&0x0f) < 10 && (vp>>4) < 10);
 	if ((vp&0x0f)> 1)
 		sprintf(vbuf, "%lum", (vp>>4) * poweroften[(vp&0x0f)-2]);
 	else
@@ -514,6 +517,7 @@ totext_loc(ARGS_TOTEXT) {
 	m1 = (int)(latitude % 60);
 	latitude /= 60;
 	d1 = (int)latitude;
+	INSIST(latitude <= 90U);
 
 	longitude = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
@@ -531,6 +535,7 @@ totext_loc(ARGS_TOTEXT) {
 	m2 = (int)(longitude % 60);
 	longitude /= 60;
 	d2 = (int)longitude;
+	INSIST(longitude <= 180U);
 
 	altitude = uint32_fromregion(&sr);
 	isc_region_consume(&sr, 4);
@@ -616,7 +621,7 @@ fromwire_loc(ARGS_FROMWIRE) {
 		return (ISC_R_RANGE);
 
 	/*
-	 * Altitiude.
+	 * Altitude.
 	 * All values possible.
 	 */
 
diff --git a/lib/dns/rdata/generic/loc_29.h b/lib/dns/rdata/generic/loc_29.h
index d8eae16..f053c60 100644
--- a/lib/dns/rdata/generic/loc_29.h
+++ b/lib/dns/rdata/generic/loc_29.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_LOC_29_H
 #define GENERIC_LOC_29_H 1
 
-/* $Id: loc_29.h,v 1.15.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: loc_29.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  * \brief Per RFC1876 */
diff --git a/lib/dns/rdata/generic/mb_7.c b/lib/dns/rdata/generic/mb_7.c
index 94c622d..fc3a7b6 100644
--- a/lib/dns/rdata/generic/mb_7.c
+++ b/lib/dns/rdata/generic/mb_7.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mb_7.c,v 1.43 2004/03/05 05:10:13 marka Exp $ */
+/* $Id: mb_7.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 17:31:26 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/mb_7.h b/lib/dns/rdata/generic/mb_7.h
index f6a8b35..b427ee9 100644
--- a/lib/dns/rdata/generic/mb_7.h
+++ b/lib/dns/rdata/generic/mb_7.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MB_7_H
 #define GENERIC_MB_7_H 1
 
-/* $Id: mb_7.h,v 1.23.18.2 2005/04/29 00:16:34 marka Exp $ */
+/* $Id: mb_7.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_mb {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/md_3.c b/lib/dns/rdata/generic/md_3.c
index 75e4970..0f8560f 100644
--- a/lib/dns/rdata/generic/md_3.c
+++ b/lib/dns/rdata/generic/md_3.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md_3.c,v 1.45 2004/03/05 05:10:13 marka Exp $ */
+/* $Id: md_3.c,v 1.47 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 17:48:20 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/md_3.h b/lib/dns/rdata/generic/md_3.h
index 578ce66..ba70d18 100644
--- a/lib/dns/rdata/generic/md_3.h
+++ b/lib/dns/rdata/generic/md_3.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MD_3_H
 #define GENERIC_MD_3_H 1
 
-/* $Id: md_3.h,v 1.24.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: md_3.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_md {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mf_4.c b/lib/dns/rdata/generic/mf_4.c
index 362d300..dffcec2 100644
--- a/lib/dns/rdata/generic/mf_4.c
+++ b/lib/dns/rdata/generic/mf_4.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mf_4.c,v 1.43 2004/03/05 05:10:14 marka Exp $ */
+/* $Id: mf_4.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 17:47:33 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/mf_4.h b/lib/dns/rdata/generic/mf_4.h
index 2be0eec..32d2493 100644
--- a/lib/dns/rdata/generic/mf_4.h
+++ b/lib/dns/rdata/generic/mf_4.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MF_4_H
 #define GENERIC_MF_4_H 1
 
-/* $Id: mf_4.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: mf_4.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_mf {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mg_8.c b/lib/dns/rdata/generic/mg_8.c
index 602d820..e4dca1d 100644
--- a/lib/dns/rdata/generic/mg_8.c
+++ b/lib/dns/rdata/generic/mg_8.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mg_8.c,v 1.41 2004/03/05 05:10:14 marka Exp $ */
+/* $Id: mg_8.c,v 1.43 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 17:49:21 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/mg_8.h b/lib/dns/rdata/generic/mg_8.h
index 5679c17..8fa143a 100644
--- a/lib/dns/rdata/generic/mg_8.h
+++ b/lib/dns/rdata/generic/mg_8.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MG_8_H
 #define GENERIC_MG_8_H 1
 
-/* $Id: mg_8.h,v 1.22.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: mg_8.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_mg {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/minfo_14.c b/lib/dns/rdata/generic/minfo_14.c
index b757480..6645bbc 100644
--- a/lib/dns/rdata/generic/minfo_14.c
+++ b/lib/dns/rdata/generic/minfo_14.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: minfo_14.c,v 1.43 2004/03/05 05:10:14 marka Exp $ */
+/* $Id: minfo_14.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 17:45:32 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/minfo_14.h b/lib/dns/rdata/generic/minfo_14.h
index 754fe20..76195c5 100644
--- a/lib/dns/rdata/generic/minfo_14.h
+++ b/lib/dns/rdata/generic/minfo_14.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MINFO_14_H
 #define GENERIC_MINFO_14_H 1
 
-/* $Id: minfo_14.h,v 1.23.18.2 2005/04/29 00:16:35 marka Exp $ */
+/* $Id: minfo_14.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_minfo {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mr_9.c b/lib/dns/rdata/generic/mr_9.c
index ab4c6e0..289d739 100644
--- a/lib/dns/rdata/generic/mr_9.c
+++ b/lib/dns/rdata/generic/mr_9.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mr_9.c,v 1.40 2004/03/05 05:10:15 marka Exp $ */
+/* $Id: mr_9.c,v 1.42 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 21:30:35 EST 2000 by tale */
 
diff --git a/lib/dns/rdata/generic/mr_9.h b/lib/dns/rdata/generic/mr_9.h
index e255d70..3d81bdd 100644
--- a/lib/dns/rdata/generic/mr_9.h
+++ b/lib/dns/rdata/generic/mr_9.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MR_9_H
 #define GENERIC_MR_9_H 1
 
-/* $Id: mr_9.h,v 1.22.18.2 2005/04/29 00:16:36 marka Exp $ */
+/* $Id: mr_9.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_mr {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/mx_15.c b/lib/dns/rdata/generic/mx_15.c
index fd77ec8..086c043 100644
--- a/lib/dns/rdata/generic/mx_15.c
+++ b/lib/dns/rdata/generic/mx_15.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mx_15.c,v 1.52.18.2 2005/05/20 01:10:11 marka Exp $ */
+/* $Id: mx_15.c,v 1.56 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 18:05:46 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/mx_15.h b/lib/dns/rdata/generic/mx_15.h
index 4d81b90..25d5ac5 100644
--- a/lib/dns/rdata/generic/mx_15.h
+++ b/lib/dns/rdata/generic/mx_15.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_MX_15_H
 #define GENERIC_MX_15_H 1
 
-/* $Id: mx_15.h,v 1.25.18.2 2005/04/29 00:16:36 marka Exp $ */
+/* $Id: mx_15.h,v 1.29 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_mx {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/ns_2.c b/lib/dns/rdata/generic/ns_2.c
index 2379433..9a2ee8c 100644
--- a/lib/dns/rdata/generic/ns_2.c
+++ b/lib/dns/rdata/generic/ns_2.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ns_2.c,v 1.44 2004/03/05 05:10:15 marka Exp $ */
+/* $Id: ns_2.c,v 1.46 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Wed Mar 15 18:15:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/ns_2.h b/lib/dns/rdata/generic/ns_2.h
index ec8e771..546e71a 100644
--- a/lib/dns/rdata/generic/ns_2.h
+++ b/lib/dns/rdata/generic/ns_2.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_NS_2_H
 #define GENERIC_NS_2_H 1
 
-/* $Id: ns_2.h,v 1.23.18.2 2005/04/29 00:16:37 marka Exp $ */
+/* $Id: ns_2.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_ns {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/nsec3_50.c b/lib/dns/rdata/generic/nsec3_50.c
new file mode 100644
index 0000000..c5f0acb
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.c
@@ -0,0 +1,481 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3_50.c,v 1.4.48.2 2009/01/18 23:47:41 tbox Exp $ */
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3_50_C
+#define RDATA_GENERIC_NSEC3_50_C
+
+#include <isc/iterated_hash.h>
+#include <isc/base32.h>
+
+#define RRTYPE_NSEC3_ATTRIBUTES DNS_RDATATYPEATTR_DNSSEC
+
+static inline isc_result_t
+fromtext_nsec3(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned char bm[8*1024]; /* 64k bits */
+	dns_rdatatype_t covered;
+	int octet;
+	int window;
+	unsigned int flags;
+	unsigned char hashalg;
+	isc_buffer_t b;
+
+	REQUIRE(type == 50);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	flags = token.value.as_ulong;
+	if (flags > 255U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* salt */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	if (token.value.as_textregion.length > (255*2))
+		RETTOK(DNS_R_TEXTTOOLONG);
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	/*
+	 * Next hash a single base32hex word.
+	 */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	isc_buffer_init(&b, bm, sizeof(bm));
+	RETTOK(isc_base32hex_decodestring(DNS_AS_STR(token), &b));
+	if (isc_buffer_usedlength(&b) > 0xffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(isc_buffer_usedlength(&b), target));
+	RETERR(mem_tobuffer(target, &bm, isc_buffer_usedlength(&b)));
+
+	memset(bm, 0, sizeof(bm));
+	do {
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, ISC_TRUE));
+		if (token.type != isc_tokentype_string)
+			break;
+		RETTOK(dns_rdatatype_fromtext(&covered,
+					      &token.value.as_textregion));
+		bm[covered/8] |= (0x80>>(covered%8));
+	} while (1);
+	isc_lex_ungettoken(lexer, &token);
+	for (window = 0; window < 256 ; window++) {
+		/*
+		 * Find if we have a type in this window.
+		 */
+		for (octet = 31; octet >= 0; octet--)
+			if (bm[window * 32 + octet] != 0)
+				break;
+		if (octet < 0)
+			continue;
+		RETERR(uint8_tobuffer(window, target));
+		RETERR(uint8_tobuffer(octet + 1, target));
+		RETERR(mem_tobuffer(target, &bm[window * 32], octet + 1));
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_nsec3(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j, k;
+	unsigned int window, len;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("65535 ")];
+	isc_uint32_t iterations;
+
+	REQUIRE(rdata->type == 50);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	sprintf(buf, "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	sprintf(buf, "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	sprintf(buf, "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+		RETERR(str_totext(" ", target));
+	} else
+		RETERR(str_totext("- ", target));
+
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	i = sr.length;
+	sr.length = j;
+	RETERR(isc_base32hex_totext(&sr, 1, "", target));
+	sr.length = i - j;
+
+	for (i = 0; i < sr.length; i += len) {
+		INSIST(i + 2 <= sr.length);
+		window = sr.base[i];
+		len = sr.base[i + 1];
+		INSIST(len > 0 && len <= 32);
+		i += 2;
+		INSIST(i + len <= sr.length);
+		for (j = 0; j < len; j++) {
+			dns_rdatatype_t t;
+			if (sr.base[i + j] == 0)
+				continue;
+			for (k = 0; k < 8; k++) {
+				if ((sr.base[i + j] & (0x80 >> k)) == 0)
+					continue;
+				t = window * 256 + j * 8 + k;
+				RETERR(str_totext(" ", target));
+				if (dns_rdatatype_isknown(t)) {
+					RETERR(dns_rdatatype_totext(t, target));
+				} else {
+					char buf[sizeof("TYPE65535")];
+					sprintf(buf, "TYPE%u", t);
+					RETERR(str_totext(buf, target));
+				}
+			}
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nsec3(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int window, lastwindow = 0;
+	unsigned int len;
+	unsigned int saltlen, hashlen;
+	isc_boolean_t first = ISC_TRUE;
+	unsigned int i;
+
+	REQUIRE(type == 50);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iteration(2), saltlen(1) */
+	if (sr.length < 5U)
+		RETERR(DNS_R_FORMERR);
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length < saltlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, saltlen);
+
+	if (sr.length < 1U)
+		RETERR(DNS_R_FORMERR);
+	hashlen = sr.base[0];
+	isc_region_consume(&sr, 1);
+
+	if (sr.length < hashlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, hashlen);
+
+	for (i = 0; i < sr.length; i += len) {
+		/*
+		 * Check for overflow.
+		 */
+		if (i + 2 > sr.length)
+			RETERR(DNS_R_FORMERR);
+		window = sr.base[i];
+		len = sr.base[i + 1];
+		i += 2;
+		/*
+		 * Check that bitmap windows are in the correct order.
+		 */
+		if (!first && window <= lastwindow)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for legal lengths.
+		 */
+		if (len < 1 || len > 32)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * Check for overflow.
+		 */
+		if (i + len > sr.length)
+			RETERR(DNS_R_FORMERR);
+		/*
+		 * The last octet of the bitmap must be non zero.
+		 */
+		if (sr.base[i + len - 1] == 0)
+			RETERR(DNS_R_FORMERR);
+		lastwindow = window;
+		first = ISC_FALSE;
+	}
+	if (i != sr.length)
+		return (DNS_R_EXTRADATA);
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec3(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 50);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec3(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 50);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec3(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+	unsigned int i, len, window, lastwindow = 0;
+	isc_boolean_t first = ISC_TRUE;
+
+	REQUIRE(type == 50);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3->common.rdtype == type);
+	REQUIRE(nsec3->common.rdclass == rdclass);
+	REQUIRE(nsec3->typebits != NULL || nsec3->len == 0);
+	REQUIRE(nsec3->hash == dns_hash_sha1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3->hash, target));
+	RETERR(uint8_tobuffer(nsec3->flags, target));
+	RETERR(uint16_tobuffer(nsec3->iterations, target));
+	RETERR(uint8_tobuffer(nsec3->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3->salt, nsec3->salt_length));
+	RETERR(uint8_tobuffer(nsec3->next_length, target));
+	RETERR(mem_tobuffer(target, nsec3->next, nsec3->next_length));
+
+	/*
+	 * Perform sanity check.
+	 */
+	for (i = 0; i < nsec3->len ; i += len) {
+		INSIST(i + 2 <= nsec3->len);
+		window = nsec3->typebits[i];
+		len = nsec3->typebits[i+1];
+		i += 2;
+		INSIST(first || window > lastwindow);
+		INSIST(len > 0 && len <= 32);
+		INSIST(i + len <= nsec3->len);
+		INSIST(nsec3->typebits[i + len - 1] != 0);
+		lastwindow = window;
+		first = ISC_FALSE;
+	}
+	return (mem_tobuffer(target, nsec3->typebits, nsec3->len));
+}
+
+static inline isc_result_t
+tostruct_nsec3(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3_t *nsec3 = target;
+
+	REQUIRE(rdata->type == 50);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3->common.rdclass = rdata->rdclass;
+	nsec3->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3->hash = uint8_consume_fromregion(&region);
+	nsec3->flags = uint8_consume_fromregion(&region);
+	nsec3->iterations = uint16_consume_fromregion(&region);
+
+	nsec3->salt_length = uint8_consume_fromregion(&region);
+	nsec3->salt = mem_maybedup(mctx, region.base, nsec3->salt_length);
+	if (nsec3->salt == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, nsec3->salt_length);
+
+	nsec3->next_length = uint8_consume_fromregion(&region);
+	nsec3->next = mem_maybedup(mctx, region.base, nsec3->next_length);
+	if (nsec3->next == NULL)
+		goto cleanup;
+	isc_region_consume(&region, nsec3->next_length);
+
+	nsec3->len = region.length;
+	nsec3->typebits = mem_maybedup(mctx, region.base, region.length);
+	if (nsec3->typebits == NULL)
+		goto cleanup;
+
+	nsec3->mctx = mctx;
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	if (nsec3->next != NULL)
+		isc_mem_free(mctx, nsec3->next);
+	isc_mem_free(mctx, nsec3->salt);
+	return (ISC_R_NOMEMORY);
+}
+
+static inline void
+freestruct_nsec3(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3_t *nsec3 = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3->common.rdtype == 50);
+
+	if (nsec3->mctx == NULL)
+		return;
+
+	if (nsec3->salt != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->salt);
+	if (nsec3->next != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->next);
+	if (nsec3->typebits != NULL)
+		isc_mem_free(nsec3->mctx, nsec3->typebits);
+	nsec3->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec3(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 50);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec3(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 50);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_nsec3(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == 50);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nsec3(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 50);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_NSEC3_50_C */
diff --git a/lib/dns/rdata/generic/nsec3_50.h b/lib/dns/rdata/generic/nsec3_50.h
new file mode 100644
index 0000000..658dd9d
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3_50.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef GENERIC_NSEC3_50_H
+#define GENERIC_NSEC3_50_H 1
+
+/* $Id: nsec3_50.h,v 1.4 2008/09/25 04:02:39 tbox Exp $ */
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3 {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_hash_t		hash;
+	unsigned char		flags;
+	dns_iterations_t	iterations;
+	unsigned char		salt_length;
+	unsigned char		next_length;
+	isc_uint16_t		len;
+	unsigned char		*salt;
+	unsigned char		*next;
+	unsigned char		*typebits;
+} dns_rdata_nsec3_t;
+
+/*
+ * The corresponding NSEC3 interval is OPTOUT indicating possible
+ * insecure delegations.
+ */
+#define DNS_NSEC3FLAG_OPTOUT 0x01U
+
+/*%
+ * Non-standard, NSEC3PARAM only.
+ *
+ * Create a corresponding NSEC3 chain.
+ * Once the NSEC3 chain is complete this flag will be removed to signal
+ * that there is a complete chain.
+ *
+ * This flag is automatically set when a NSEC3PARAM record is added to
+ * the zone via UPDATE.
+ *
+ * NSEC3PARAM records with this flag set are supposed to be ignored by
+ * RFC 5155 compliant nameservers.
+ */
+#define DNS_NSEC3FLAG_CREATE 0x80U
+
+/*%
+ * Non-standard, NSEC3PARAM only.
+ *
+ * The corresponding NSEC3 set is to be removed once the NSEC chain
+ * has been generated.
+ *
+ * This flag is automatically set when the last active NSEC3PARAM record
+ * is removed from the zone via UPDATE.
+ *
+ * NSEC3PARAM records with this flag set are supposed to be ignored by
+ * RFC 5155 compliant nameservers.
+ */
+#define DNS_NSEC3FLAG_REMOVE 0x40U
+
+/*%
+ * Non-standard, NSEC3PARAM only.
+ *
+ * Used to identify NSEC3PARAM records added in this UPDATE request.
+ */
+#define DNS_NSEC3FLAG_UPDATE 0x20U
+
+/*%
+ * Non-standard, NSEC3PARAM only.
+ *
+ * Prevent the creation of a NSEC chain before the last NSEC3 chain
+ * is removed.  This will normally only be set when the zone is
+ * transitioning from secure with NSEC3 chains to insecure.
+ */
+#define DNS_NSEC3FLAG_NONSEC 0x10U
+
+#endif /* GENERIC_NSEC3_50_H */
diff --git a/lib/dns/rdata/generic/nsec3param_51.c b/lib/dns/rdata/generic/nsec3param_51.c
new file mode 100644
index 0000000..607ce6a
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.c
@@ -0,0 +1,314 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3param_51.c,v 1.4.48.2 2009/01/18 23:47:41 tbox Exp $ */
+
+/*
+ * Copyright (C) 2004  Nominet, Ltd.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND NOMINET DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* RFC 5155 */
+
+#ifndef RDATA_GENERIC_NSEC3PARAM_51_C
+#define RDATA_GENERIC_NSEC3PARAM_51_C
+
+#include <isc/iterated_hash.h>
+#include <isc/base32.h>
+
+#define RRTYPE_NSEC3PARAM_ATTRIBUTES (DNS_RDATATYPEATTR_DNSSEC)
+
+static inline isc_result_t
+fromtext_nsec3param(ARGS_FROMTEXT) {
+	isc_token_t token;
+	unsigned int flags = 0;
+	unsigned char hashalg;
+
+	REQUIRE(type == 51);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(callbacks);
+	UNUSED(origin);
+	UNUSED(options);
+
+	/* Hash. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	RETTOK(dns_hashalg_fromtext(&hashalg, &token.value.as_textregion));
+	RETERR(uint8_tobuffer(hashalg, target));
+
+	/* Flags. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	flags = token.value.as_ulong;
+	if (flags > 255U)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint8_tobuffer(flags, target));
+
+	/* Iterations. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_number,
+				      ISC_FALSE));
+	if (token.value.as_ulong > 0xffffU)
+		RETTOK(ISC_R_RANGE);
+	RETERR(uint16_tobuffer(token.value.as_ulong, target));
+
+	/* Salt. */
+	RETERR(isc_lex_getmastertoken(lexer, &token, isc_tokentype_string,
+				      ISC_FALSE));
+	if (token.value.as_textregion.length > (255*2))
+		RETTOK(DNS_R_TEXTTOOLONG);
+	if (strcmp(DNS_AS_STR(token), "-") == 0) {
+		RETERR(uint8_tobuffer(0, target));
+	} else {
+		RETERR(uint8_tobuffer(strlen(DNS_AS_STR(token)) / 2, target));
+		RETERR(isc_hex_decodestring(DNS_AS_STR(token), target));
+	}
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+totext_nsec3param(ARGS_TOTEXT) {
+	isc_region_t sr;
+	unsigned int i, j;
+	unsigned char hash;
+	unsigned char flags;
+	char buf[sizeof("65535 ")];
+	isc_uint32_t iterations;
+
+	REQUIRE(rdata->type == 51);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(tctx);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	hash = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	flags = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+
+	iterations = uint16_fromregion(&sr);
+	isc_region_consume(&sr, 2);
+
+	sprintf(buf, "%u ", hash);
+	RETERR(str_totext(buf, target));
+
+	sprintf(buf, "%u ", flags);
+	RETERR(str_totext(buf, target));
+
+	sprintf(buf, "%u ", iterations);
+	RETERR(str_totext(buf, target));
+
+	j = uint8_fromregion(&sr);
+	isc_region_consume(&sr, 1);
+	INSIST(j <= sr.length);
+
+	if (j != 0) {
+		i = sr.length;
+		sr.length = j;
+		RETERR(isc_hex_totext(&sr, 1, "", target));
+		sr.length = i - j;
+	} else
+		RETERR(str_totext("-", target));
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_nsec3param(ARGS_FROMWIRE) {
+	isc_region_t sr, rr;
+	unsigned int saltlen;
+
+	REQUIRE(type == 51);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(options);
+	UNUSED(dctx);
+
+	isc_buffer_activeregion(source, &sr);
+	rr = sr;
+
+	/* hash(1), flags(1), iterations(2), saltlen(1) */
+	if (sr.length < 5U)
+		RETERR(DNS_R_FORMERR);
+	saltlen = sr.base[4];
+	isc_region_consume(&sr, 5);
+
+	if (sr.length < saltlen)
+		RETERR(DNS_R_FORMERR);
+	isc_region_consume(&sr, saltlen);
+	RETERR(mem_tobuffer(target, rr.base, rr.length));
+	isc_buffer_forward(source, rr.length);
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+towire_nsec3param(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 51);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_nsec3param(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 51);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_nsec3param(ARGS_FROMSTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(type == 51);
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3param->common.rdtype == type);
+	REQUIRE(nsec3param->common.rdclass == rdclass);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	RETERR(uint8_tobuffer(nsec3param->hash, target));
+	RETERR(uint8_tobuffer(nsec3param->flags, target));
+	RETERR(uint16_tobuffer(nsec3param->iterations, target));
+	RETERR(uint8_tobuffer(nsec3param->salt_length, target));
+	RETERR(mem_tobuffer(target, nsec3param->salt,
+			    nsec3param->salt_length));
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+tostruct_nsec3param(ARGS_TOSTRUCT) {
+	isc_region_t region;
+	dns_rdata_nsec3param_t *nsec3param = target;
+
+	REQUIRE(rdata->type == 51);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	nsec3param->common.rdclass = rdata->rdclass;
+	nsec3param->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&nsec3param->common, link);
+
+	region.base = rdata->data;
+	region.length = rdata->length;
+	nsec3param->hash = uint8_consume_fromregion(&region);
+	nsec3param->flags = uint8_consume_fromregion(&region);
+	nsec3param->iterations = uint16_consume_fromregion(&region);
+
+	nsec3param->salt_length = uint8_consume_fromregion(&region);
+	nsec3param->salt = mem_maybedup(mctx, region.base,
+					nsec3param->salt_length);
+	if (nsec3param->salt == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_region_consume(&region, nsec3param->salt_length);
+
+	nsec3param->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_nsec3param(ARGS_FREESTRUCT) {
+	dns_rdata_nsec3param_t *nsec3param = source;
+
+	REQUIRE(source != NULL);
+	REQUIRE(nsec3param->common.rdtype == 51);
+
+	if (nsec3param->mctx == NULL)
+		return;
+
+	if (nsec3param->salt != NULL)
+		isc_mem_free(nsec3param->mctx, nsec3param->salt);
+	nsec3param->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_nsec3param(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 51);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_nsec3param(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 51);
+
+	dns_rdata_toregion(rdata, &r);
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_nsec3param(ARGS_CHECKOWNER) {
+
+       REQUIRE(type == 51);
+
+       UNUSED(name);
+       UNUSED(type);
+       UNUSED(rdclass);
+       UNUSED(wildcard);
+
+       return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_nsec3param(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 51);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_GENERIC_NSEC3PARAM_51_C */
diff --git a/lib/dns/rdata/generic/nsec3param_51.h b/lib/dns/rdata/generic/nsec3param_51.h
new file mode 100644
index 0000000..2efd7e6
--- /dev/null
+++ b/lib/dns/rdata/generic/nsec3param_51.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+
+#ifndef GENERIC_NSEC3PARAM_51_H
+#define GENERIC_NSEC3PARAM_51_H 1
+
+/* $Id: nsec3param_51.h,v 1.4 2008/09/25 04:02:39 tbox Exp $ */
+
+/*!
+ * \brief Per RFC 5155 */
+
+#include <isc/iterated_hash.h>
+
+typedef struct dns_rdata_nsec3param {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	dns_hash_t		hash;
+	unsigned char		flags;		/* DNS_NSEC3FLAG_* */
+	dns_iterations_t	iterations;
+	unsigned char		salt_length;
+	unsigned char		*salt;
+} dns_rdata_nsec3param_t;
+
+#endif /* GENERIC_NSEC3PARAM_51_H */
diff --git a/lib/dns/rdata/generic/nsec_47.c b/lib/dns/rdata/generic/nsec_47.c
index dd39105..7e443d9 100644
--- a/lib/dns/rdata/generic/nsec_47.c
+++ b/lib/dns/rdata/generic/nsec_47.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsec_47.c,v 1.7.20.2 2008/07/15 23:46:14 tbox Exp $ */
+/* $Id: nsec_47.c,v 1.11 2008/07/15 23:47:21 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/nsec_47.h b/lib/dns/rdata/generic/nsec_47.h
index 5c52447..2b3c6b6 100644
--- a/lib/dns/rdata/generic/nsec_47.h
+++ b/lib/dns/rdata/generic/nsec_47.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NSEC_47_H
 #define GENERIC_NSEC_47_H 1
 
-/* $Id: nsec_47.h,v 1.4.20.4 2008/07/15 23:46:14 tbox Exp $ */
+/* $Id: nsec_47.h,v 1.10 2008/07/15 23:47:21 tbox Exp $ */
 
 /*!
  * \brief Per RFC 3845 */
diff --git a/lib/dns/rdata/generic/null_10.c b/lib/dns/rdata/generic/null_10.c
index a6f8f9f4..00bb542 100644
--- a/lib/dns/rdata/generic/null_10.c
+++ b/lib/dns/rdata/generic/null_10.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: null_10.c,v 1.40 2004/03/05 05:10:16 marka Exp $ */
+/* $Id: null_10.c,v 1.42 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 13:57:50 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/generic/null_10.h b/lib/dns/rdata/generic/null_10.h
index 5afb1ae..ceeb018 100644
--- a/lib/dns/rdata/generic/null_10.h
+++ b/lib/dns/rdata/generic/null_10.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_NULL_10_H
 #define GENERIC_NULL_10_H 1
 
-/* $Id: null_10.h,v 1.21.18.2 2005/04/29 00:16:37 marka Exp $ */
+/* $Id: null_10.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_null {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/nxt_30.c b/lib/dns/rdata/generic/nxt_30.c
index b7358e0..7ffb86c 100644
--- a/lib/dns/rdata/generic/nxt_30.c
+++ b/lib/dns/rdata/generic/nxt_30.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nxt_30.c,v 1.59.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: nxt_30.c,v 1.63 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Wed Mar 15 18:21:15 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/nxt_30.h b/lib/dns/rdata/generic/nxt_30.h
index 3700fb1..e2e8688 100644
--- a/lib/dns/rdata/generic/nxt_30.h
+++ b/lib/dns/rdata/generic/nxt_30.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_NXT_30_H
 #define GENERIC_NXT_30_H 1
 
-/* $Id: nxt_30.h,v 1.21.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: nxt_30.h,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief RFC2535 */
diff --git a/lib/dns/rdata/generic/opt_41.c b/lib/dns/rdata/generic/opt_41.c
index e8f4816..d2cfc2e 100644
--- a/lib/dns/rdata/generic/opt_41.c
+++ b/lib/dns/rdata/generic/opt_41.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: opt_41.c,v 1.29.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: opt_41.c,v 1.33 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 14:06:44 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/generic/opt_41.h b/lib/dns/rdata/generic/opt_41.h
index 827936e..d6539cf 100644
--- a/lib/dns/rdata/generic/opt_41.h
+++ b/lib/dns/rdata/generic/opt_41.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_OPT_41_H
 #define GENERIC_OPT_41_H 1
 
-/* $Id: opt_41.h,v 1.14.18.2 2005/04/29 00:16:38 marka Exp $ */
+/* $Id: opt_41.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC2671 */
diff --git a/lib/dns/rdata/generic/proforma.c b/lib/dns/rdata/generic/proforma.c
index bf8b2fd..879b761 100644
--- a/lib/dns/rdata/generic/proforma.c
+++ b/lib/dns/rdata/generic/proforma.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: proforma.c,v 1.34 2004/03/05 05:10:17 marka Exp $ */
+/* $Id: proforma.c,v 1.36 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef RDATA_GENERIC_#_#_C
 #define RDATA_GENERIC_#_#_C
diff --git a/lib/dns/rdata/generic/proforma.h b/lib/dns/rdata/generic/proforma.h
index 89d1606..e5c420a 100644
--- a/lib/dns/rdata/generic/proforma.h
+++ b/lib/dns/rdata/generic/proforma.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_PROFORMA_H
 #define GENERIC_PROFORMA_H 1
 
-/* $Id: proforma.h,v 1.19.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: proforma.h,v 1.23 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_# {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/ptr_12.c b/lib/dns/rdata/generic/ptr_12.c
index 16d5706..fbabcbf 100644
--- a/lib/dns/rdata/generic/ptr_12.c
+++ b/lib/dns/rdata/generic/ptr_12.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ptr_12.c,v 1.41 2004/03/05 05:10:17 marka Exp $ */
+/* $Id: ptr_12.c,v 1.43 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 14:05:12 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/generic/ptr_12.h b/lib/dns/rdata/generic/ptr_12.h
index 4eb8fa7..304dcc4 100644
--- a/lib/dns/rdata/generic/ptr_12.h
+++ b/lib/dns/rdata/generic/ptr_12.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_PTR_12_H
 #define GENERIC_PTR_12_H 1
 
-/* $Id: ptr_12.h,v 1.23.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: ptr_12.h,v 1.27 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_ptr {
         dns_rdatacommon_t       common;
diff --git a/lib/dns/rdata/generic/rp_17.c b/lib/dns/rdata/generic/rp_17.c
index b153643..557cb04 100644
--- a/lib/dns/rdata/generic/rp_17.c
+++ b/lib/dns/rdata/generic/rp_17.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rp_17.c,v 1.38.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rp_17.c,v 1.42 2007/06/19 23:47:17 tbox Exp $ */
 
 /* RFC1183 */
 
diff --git a/lib/dns/rdata/generic/rp_17.h b/lib/dns/rdata/generic/rp_17.h
index 533c7e7..6223038 100644
--- a/lib/dns/rdata/generic/rp_17.h
+++ b/lib/dns/rdata/generic/rp_17.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_RP_17_H
 #define GENERIC_RP_17_H 1
 
-/* $Id: rp_17.h,v 1.17.18.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rp_17.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/rrsig_46.c b/lib/dns/rdata/generic/rrsig_46.c
index 6561f28..a9af4bd 100644
--- a/lib/dns/rdata/generic/rrsig_46.c
+++ b/lib/dns/rdata/generic/rrsig_46.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rrsig_46.c,v 1.5.18.3 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rrsig_46.c,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/generic/rrsig_46.h b/lib/dns/rdata/generic/rrsig_46.h
index b8b35a2..8e8dc4e 100644
--- a/lib/dns/rdata/generic/rrsig_46.h
+++ b/lib/dns/rdata/generic/rrsig_46.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_DNSSIG_46_H
 #define GENERIC_DNSSIG_46_H 1
 
-/* $Id: rrsig_46.h,v 1.3.20.2 2005/04/29 00:16:39 marka Exp $ */
+/* $Id: rrsig_46.h,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/rt_21.c b/lib/dns/rdata/generic/rt_21.c
index 6977e98..6444102 100644
--- a/lib/dns/rdata/generic/rt_21.c
+++ b/lib/dns/rdata/generic/rt_21.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rt_21.c,v 1.41.18.3 2005/04/27 05:01:52 sra Exp $ */
+/* $Id: rt_21.c,v 1.46 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Thu Mar 16 15:02:31 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/generic/rt_21.h b/lib/dns/rdata/generic/rt_21.h
index b8ec969..2c0e9fc 100644
--- a/lib/dns/rdata/generic/rt_21.h
+++ b/lib/dns/rdata/generic/rt_21.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_RT_21_H
 #define GENERIC_RT_21_H 1
 
-/* $Id: rt_21.h,v 1.17.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: rt_21.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/lib/dns/rdata/generic/sig_24.c b/lib/dns/rdata/generic/sig_24.c
index 9842953..e79e1e4 100644
--- a/lib/dns/rdata/generic/sig_24.c
+++ b/lib/dns/rdata/generic/sig_24.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sig_24.c,v 1.62.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: sig_24.c,v 1.66 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 09:05:02 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/generic/sig_24.h b/lib/dns/rdata/generic/sig_24.h
index 96ed767..7212d4d 100644
--- a/lib/dns/rdata/generic/sig_24.h
+++ b/lib/dns/rdata/generic/sig_24.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_SIG_24_H
 #define GENERIC_SIG_24_H 1
 
-/* $Id: sig_24.h,v 1.22.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: sig_24.h,v 1.26 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC2535 */
diff --git a/lib/dns/rdata/generic/soa_6.c b/lib/dns/rdata/generic/soa_6.c
index 8de678c..921aead 100644
--- a/lib/dns/rdata/generic/soa_6.c
+++ b/lib/dns/rdata/generic/soa_6.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa_6.c,v 1.59 2004/03/05 05:10:18 marka Exp $ */
+/* $Id: soa_6.c,v 1.61.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 15:18:32 PST 2000 by explorer */
 
@@ -101,7 +101,11 @@ totext_soa(ARGS_TOTEXT) {
 	REQUIRE(rdata->length != 0);
 
 	multiline = ISC_TF((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0);
-	comment = ISC_TF((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0);
+	if (multiline)
+		comment = ISC_TF((tctx->flags & DNS_STYLEFLAG_COMMENT) != 0);
+	else
+		comment = ISC_FALSE;
+
 
 	dns_name_init(&mname, NULL);
 	dns_name_init(&rname, NULL);
@@ -128,16 +132,13 @@ totext_soa(ARGS_TOTEXT) {
 	RETERR(str_totext(tctx->linebreak, target));
 
 	for (i = 0; i < 5; i++) {
-		char buf[sizeof("2147483647")];
+		char buf[sizeof("0123456789 ; ")];
 		unsigned long num;
-		unsigned int numlen;
 		num = uint32_fromregion(&dregion);
 		isc_region_consume(&dregion, 4);
-		numlen = sprintf(buf, "%lu", num);
-		INSIST(numlen > 0 && numlen < sizeof("2147483647"));
+		sprintf(buf, comment ? "%-10lu ; " : "%lu", num);
 		RETERR(str_totext(buf, target));
-		if (multiline && comment) {
-			RETERR(str_totext("           ; " + numlen, target));
+		if (comment) {
 			RETERR(str_totext(soa_fieldnames[i], target));
 			/* Print times in week/day/hour/minute/second form */
 			if (i >= 1) {
@@ -147,7 +148,7 @@ totext_soa(ARGS_TOTEXT) {
 			}
 			RETERR(str_totext(tctx->linebreak, target));
 		} else if (i < 4) {
-			RETERR(str_totext(tctx->linebreak, target));			
+			RETERR(str_totext(tctx->linebreak, target));
 		}
 	}
 
@@ -159,8 +160,8 @@ totext_soa(ARGS_TOTEXT) {
 
 static inline isc_result_t
 fromwire_soa(ARGS_FROMWIRE) {
-        dns_name_t mname;
-        dns_name_t rname;
+	dns_name_t mname;
+	dns_name_t rname;
 	isc_region_t sregion;
 	isc_region_t tregion;
 
@@ -171,11 +172,11 @@ fromwire_soa(ARGS_FROMWIRE) {
 
 	dns_decompress_setmethods(dctx, DNS_COMPRESS_GLOBAL14);
 
-        dns_name_init(&mname, NULL);
-        dns_name_init(&rname, NULL);
+	dns_name_init(&mname, NULL);
+	dns_name_init(&rname, NULL);
 
-        RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
-        RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
+	RETERR(dns_name_fromwire(&mname, source, dctx, options, target));
+	RETERR(dns_name_fromwire(&rname, source, dctx, options, target));
 
 	isc_buffer_activeregion(source, &sregion);
 	isc_buffer_availableregion(target, &tregion);
diff --git a/lib/dns/rdata/generic/soa_6.h b/lib/dns/rdata/generic/soa_6.h
index 4211786..7443b04 100644
--- a/lib/dns/rdata/generic/soa_6.h
+++ b/lib/dns/rdata/generic/soa_6.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_SOA_6_H
 #define GENERIC_SOA_6_H 1
 
-/* $Id: soa_6.h,v 1.28.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: soa_6.h,v 1.32 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_soa {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/spf_99.c b/lib/dns/rdata/generic/spf_99.c
index b65f580..12e813e 100644
--- a/lib/dns/rdata/generic/spf_99.c
+++ b/lib/dns/rdata/generic/spf_99.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: spf_99.c,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+/* $Id: spf_99.c,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/spf_99.h b/lib/dns/rdata/generic/spf_99.h
index afe77ec..be5e978 100644
--- a/lib/dns/rdata/generic/spf_99.h
+++ b/lib/dns/rdata/generic/spf_99.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_SPF_99_H
 #define GENERIC_SPF_99_H 1
 
-/* $Id: spf_99.h,v 1.1.2.2 2005/07/16 00:40:54 marka Exp $ */
+/* $Id: spf_99.h,v 1.4 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_spf_string {
                 isc_uint8_t    length;
diff --git a/lib/dns/rdata/generic/sshfp_44.c b/lib/dns/rdata/generic/sshfp_44.c
index 64b51c7..570a3b7 100644
--- a/lib/dns/rdata/generic/sshfp_44.c
+++ b/lib/dns/rdata/generic/sshfp_44.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.c,v 1.3.18.1 2006/03/10 04:04:32 marka Exp $ */
+/* $Id: sshfp_44.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 /* RFC 4255 */
 
diff --git a/lib/dns/rdata/generic/sshfp_44.h b/lib/dns/rdata/generic/sshfp_44.h
index 513eeac..daea74c 100644
--- a/lib/dns/rdata/generic/sshfp_44.h
+++ b/lib/dns/rdata/generic/sshfp_44.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sshfp_44.h,v 1.2.18.3 2006/03/10 04:04:32 marka Exp $ */
+/* $Id: sshfp_44.h,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC 4255 */
diff --git a/lib/dns/rdata/generic/tkey_249.c b/lib/dns/rdata/generic/tkey_249.c
index cee16ab..2412c85 100644
--- a/lib/dns/rdata/generic/tkey_249.c
+++ b/lib/dns/rdata/generic/tkey_249.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tkey_249.c,v 1.55 2004/03/05 05:10:18 marka Exp $ */
+/* $Id: tkey_249.c,v 1.57 2007/06/19 23:47:17 tbox Exp $ */
 
 /*
  * Reviewed: Thu Mar 16 17:35:30 PST 2000 by halley.
diff --git a/lib/dns/rdata/generic/tkey_249.h b/lib/dns/rdata/generic/tkey_249.h
index c1d2f06..34d5646 100644
--- a/lib/dns/rdata/generic/tkey_249.h
+++ b/lib/dns/rdata/generic/tkey_249.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_TKEY_249_H
 #define GENERIC_TKEY_249_H 1
 
-/* $Id: tkey_249.h,v 1.20.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: tkey_249.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per draft-ietf-dnsind-tkey-00.txt */
diff --git a/lib/dns/rdata/generic/txt_16.c b/lib/dns/rdata/generic/txt_16.c
index 01ca87a..a158a59 100644
--- a/lib/dns/rdata/generic/txt_16.c
+++ b/lib/dns/rdata/generic/txt_16.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: txt_16.c,v 1.41.18.2 2008/02/15 23:45:53 tbox Exp $ */
+/* $Id: txt_16.c,v 1.45 2008/02/15 23:46:51 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 15:40:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/txt_16.h b/lib/dns/rdata/generic/txt_16.h
index 57d986a..fc46486 100644
--- a/lib/dns/rdata/generic/txt_16.h
+++ b/lib/dns/rdata/generic/txt_16.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_TXT_16_H
 #define GENERIC_TXT_16_H 1
 
-/* $Id: txt_16.h,v 1.24.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: txt_16.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_txt_string {
                 isc_uint8_t    length;
diff --git a/lib/dns/rdata/generic/unspec_103.c b/lib/dns/rdata/generic/unspec_103.c
index f316ad9..384863e 100644
--- a/lib/dns/rdata/generic/unspec_103.c
+++ b/lib/dns/rdata/generic/unspec_103.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: unspec_103.c,v 1.33 2004/03/05 05:10:18 marka Exp $ */
+/* $Id: unspec_103.c,v 1.35 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef RDATA_GENERIC_UNSPEC_103_C
 #define RDATA_GENERIC_UNSPEC_103_C
diff --git a/lib/dns/rdata/generic/unspec_103.h b/lib/dns/rdata/generic/unspec_103.h
index 6575c1a..4b2d310 100644
--- a/lib/dns/rdata/generic/unspec_103.h
+++ b/lib/dns/rdata/generic/unspec_103.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef GENERIC_UNSPEC_103_H
 #define GENERIC_UNSPEC_103_H 1
 
-/* $Id: unspec_103.h,v 1.13.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: unspec_103.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_unspec_t {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/generic/x25_19.c b/lib/dns/rdata/generic/x25_19.c
index 1199195..c496aaf 100644
--- a/lib/dns/rdata/generic/x25_19.c
+++ b/lib/dns/rdata/generic/x25_19.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: x25_19.c,v 1.35.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: x25_19.c,v 1.39 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 16:15:57 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/generic/x25_19.h b/lib/dns/rdata/generic/x25_19.h
index 32320d0..5ebc230 100644
--- a/lib/dns/rdata/generic/x25_19.h
+++ b/lib/dns/rdata/generic/x25_19.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef GENERIC_X25_19_H
 #define GENERIC_X25_19_H 1
 
-/* $Id: x25_19.h,v 1.14.18.2 2005/04/29 00:16:40 marka Exp $ */
+/* $Id: x25_19.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  *  \brief Per RFC1183 */
diff --git a/lib/dns/rdata/hs_4/a_1.c b/lib/dns/rdata/hs_4/a_1.c
index 5d3ddae..487e8bc 100644
--- a/lib/dns/rdata/hs_4/a_1.c
+++ b/lib/dns/rdata/hs_4/a_1.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.29 2004/03/05 05:10:20 marka Exp $ */
+/* $Id: a_1.c,v 1.31 2007/06/19 23:47:17 tbox Exp $ */
 
 /* reviewed: Thu Mar 16 15:58:36 PST 2000 by brister */
 
diff --git a/lib/dns/rdata/hs_4/a_1.h b/lib/dns/rdata/hs_4/a_1.h
index 59f54b5..dee812f 100644
--- a/lib/dns/rdata/hs_4/a_1.h
+++ b/lib/dns/rdata/hs_4/a_1.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef HS_4_A_1_H
 #define HS_4_A_1_H 1
 
-/* $Id: a_1.h,v 1.8.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a_1.h,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_hs_a {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/in_1/a6_38.c b/lib/dns/rdata/in_1/a6_38.c
index 50017e1..d4d42bb 100644
--- a/lib/dns/rdata/in_1/a6_38.c
+++ b/lib/dns/rdata/in_1/a6_38.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a6_38.c,v 1.52 2004/03/05 05:10:23 marka Exp $ */
+/* $Id: a6_38.c,v 1.54 2007/06/19 23:47:17 tbox Exp $ */
 
 /* RFC2874 */
 
diff --git a/lib/dns/rdata/in_1/a6_38.h b/lib/dns/rdata/in_1/a6_38.h
index bb15dad..75e53f1 100644
--- a/lib/dns/rdata/in_1/a6_38.h
+++ b/lib/dns/rdata/in_1/a6_38.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_A6_38_H
 #define IN_1_A6_38_H 1
 
-/* $Id: a6_38.h,v 1.20.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a6_38.h,v 1.24 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC2874 */
diff --git a/lib/dns/rdata/in_1/a_1.c b/lib/dns/rdata/in_1/a_1.c
index e8cb8ce..d7644bc 100644
--- a/lib/dns/rdata/in_1/a_1.c
+++ b/lib/dns/rdata/in_1/a_1.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: a_1.c,v 1.51 2004/03/05 05:10:23 marka Exp $ */
+/* $Id: a_1.c,v 1.53 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/a_1.h b/lib/dns/rdata/in_1/a_1.h
index d92a973..c192d1a 100644
--- a/lib/dns/rdata/in_1/a_1.h
+++ b/lib/dns/rdata/in_1/a_1.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef IN_1_A_1_H
 #define IN_1_A_1_H 1
 
-/* $Id: a_1.h,v 1.24.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: a_1.h,v 1.28 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_in_a {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/in_1/aaaa_28.c b/lib/dns/rdata/in_1/aaaa_28.c
index 1dd32cf..d0503a9 100644
--- a/lib/dns/rdata/in_1/aaaa_28.c
+++ b/lib/dns/rdata/in_1/aaaa_28.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aaaa_28.c,v 1.41.18.2 2005/04/29 00:16:41 marka Exp $ */
+/* $Id: aaaa_28.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/aaaa_28.h b/lib/dns/rdata/in_1/aaaa_28.h
index 31ad6a6..54a0cb3 100644
--- a/lib/dns/rdata/in_1/aaaa_28.h
+++ b/lib/dns/rdata/in_1/aaaa_28.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_AAAA_28_H
 #define IN_1_AAAA_28_H 1
 
-/* $Id: aaaa_28.h,v 1.17.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: aaaa_28.h,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC1886 */
diff --git a/lib/dns/rdata/in_1/apl_42.c b/lib/dns/rdata/in_1/apl_42.c
index 2fce328..28ca68e 100644
--- a/lib/dns/rdata/in_1/apl_42.c
+++ b/lib/dns/rdata/in_1/apl_42.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: apl_42.c,v 1.8.18.4 2008/01/22 23:27:06 tbox Exp $ */
+/* $Id: apl_42.c,v 1.14 2008/01/22 23:28:04 tbox Exp $ */
 
 /* RFC3123 */
 
diff --git a/lib/dns/rdata/in_1/apl_42.h b/lib/dns/rdata/in_1/apl_42.h
index d434ace..2d01040 100644
--- a/lib/dns/rdata/in_1/apl_42.h
+++ b/lib/dns/rdata/in_1/apl_42.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 #ifndef IN_1_APL_42_H
 #define IN_1_APL_42_H 1
 
-/* $Id: apl_42.h,v 1.2.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: apl_42.h,v 1.6 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef struct dns_rdata_apl_ent {
 	isc_boolean_t	negative;
diff --git a/lib/dns/rdata/in_1/dhcid_49.c b/lib/dns/rdata/in_1/dhcid_49.c
new file mode 100644
index 0000000..27c4e4e
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dhcid_49.c,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
+
+/* RFC 4701 */
+
+#ifndef RDATA_IN_1_DHCID_49_C
+#define RDATA_IN_1_DHCID_49_C 1
+
+#define RRTYPE_DHCID_ATTRIBUTES 0
+
+static inline isc_result_t
+fromtext_in_dhcid(ARGS_FROMTEXT) {
+
+	REQUIRE(type == 49);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(origin);
+	UNUSED(options);
+	UNUSED(callbacks);
+
+	return (isc_base64_tobuffer(lexer, target, -1));
+}
+
+static inline isc_result_t
+totext_in_dhcid(ARGS_TOTEXT) {
+	isc_region_t sr;
+	char buf[sizeof(" ; 64000 255 64000")];
+	size_t n;
+
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(rdata->length != 0);
+
+	dns_rdata_toregion(rdata, &sr);
+
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0)
+		RETERR(str_totext("( " /*)*/, target)); 
+	RETERR(isc_base64_totext(&sr, tctx->width - 2, tctx->linebreak,
+				 target));
+	if ((tctx->flags & DNS_STYLEFLAG_MULTILINE) != 0) {
+		RETERR(str_totext(/* ( */ " )", target));
+		if (rdata->length > 2) {
+			n = snprintf(buf, sizeof(buf), " ; %u %u %u",
+				     sr.base[0] * 256 + sr.base[1],
+				     sr.base[2], rdata->length - 3);
+			INSIST(n < sizeof(buf));
+			RETERR(str_totext(buf, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+fromwire_in_dhcid(ARGS_FROMWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(type == 49);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(dctx);
+	UNUSED(options);
+
+	isc_buffer_activeregion(source, &sr);
+	if (sr.length == 0)
+		return (ISC_R_UNEXPECTEDEND);
+
+	isc_buffer_forward(source, sr.length);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline isc_result_t
+towire_in_dhcid(ARGS_TOWIRE) {
+	isc_region_t sr;
+
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(rdata->length != 0);
+
+	UNUSED(cctx);
+
+	dns_rdata_toregion(rdata, &sr);
+	return (mem_tobuffer(target, sr.base, sr.length));
+}
+
+static inline int
+compare_in_dhcid(ARGS_COMPARE) {
+	isc_region_t r1;
+	isc_region_t r2;
+
+	REQUIRE(rdata1->type == rdata2->type);
+	REQUIRE(rdata1->rdclass == rdata2->rdclass);
+	REQUIRE(rdata1->type == 49);
+	REQUIRE(rdata1->rdclass == 1);
+	REQUIRE(rdata1->length != 0);
+	REQUIRE(rdata2->length != 0);
+
+	dns_rdata_toregion(rdata1, &r1);
+	dns_rdata_toregion(rdata2, &r2);
+	return (isc_region_compare(&r1, &r2));
+}
+
+static inline isc_result_t
+fromstruct_in_dhcid(ARGS_FROMSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(type == 49);
+	REQUIRE(rdclass == 1);
+	REQUIRE(source != NULL);
+	REQUIRE(dhcid->common.rdtype == type);
+	REQUIRE(dhcid->common.rdclass == rdclass);
+	REQUIRE(dhcid->length != 0);
+
+	UNUSED(type);
+	UNUSED(rdclass);
+
+	return (mem_tobuffer(target, dhcid->dhcid, dhcid->length));
+}
+
+static inline isc_result_t
+tostruct_in_dhcid(ARGS_TOSTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = target;
+	isc_region_t region;
+
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+	REQUIRE(target != NULL);
+	REQUIRE(rdata->length != 0);
+
+	dhcid->common.rdclass = rdata->rdclass;
+	dhcid->common.rdtype = rdata->type;
+	ISC_LINK_INIT(&dhcid->common, link);
+
+	dns_rdata_toregion(rdata, &region);
+
+	dhcid->dhcid = mem_maybedup(mctx, region.base, region.length);
+	if (dhcid->dhcid == NULL)
+		return (ISC_R_NOMEMORY);
+
+	dhcid->mctx = mctx;
+	return (ISC_R_SUCCESS);
+}
+
+static inline void
+freestruct_in_dhcid(ARGS_FREESTRUCT) {
+	dns_rdata_in_dhcid_t *dhcid = source;
+
+	REQUIRE(dhcid != NULL);
+	REQUIRE(dhcid->common.rdtype == 49);
+	REQUIRE(dhcid->common.rdclass == 1);
+
+	if (dhcid->mctx == NULL)
+		return;
+
+	if (dhcid->dhcid != NULL)
+		isc_mem_free(dhcid->mctx, dhcid->dhcid);
+	dhcid->mctx = NULL;
+}
+
+static inline isc_result_t
+additionaldata_in_dhcid(ARGS_ADDLDATA) {
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(add);
+	UNUSED(arg);
+
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+digest_in_dhcid(ARGS_DIGEST) {
+	isc_region_t r;
+
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+
+	dns_rdata_toregion(rdata, &r);
+
+	return ((digest)(arg, &r));
+}
+
+static inline isc_boolean_t
+checkowner_in_dhcid(ARGS_CHECKOWNER) {
+
+	REQUIRE(type == 49);
+	REQUIRE(rdclass == 1);
+
+	UNUSED(name);
+	UNUSED(type);
+	UNUSED(rdclass);
+	UNUSED(wildcard);
+
+	return (ISC_TRUE);
+}
+
+static inline isc_boolean_t
+checknames_in_dhcid(ARGS_CHECKNAMES) {
+
+	REQUIRE(rdata->type == 49);
+	REQUIRE(rdata->rdclass == 1);
+
+	UNUSED(rdata);
+	UNUSED(owner);
+	UNUSED(bad);
+
+	return (ISC_TRUE);
+}
+
+#endif	/* RDATA_IN_1_DHCID_49_C */
diff --git a/lib/dns/rdata/in_1/dhcid_49.h b/lib/dns/rdata/in_1/dhcid_49.h
new file mode 100644
index 0000000..2797192
--- /dev/null
+++ b/lib/dns/rdata/in_1/dhcid_49.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* */
+#ifndef IN_1_DHCID_49_H
+#define IN_1_DHCID_49_H 1
+
+/* $Id: dhcid_49.h,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
+
+typedef struct dns_rdata_in_dhcid {
+	dns_rdatacommon_t	common;
+	isc_mem_t		*mctx;
+	unsigned char		*dhcid;
+	unsigned int		length;
+} dns_rdata_in_dhcid_t;
+
+#endif /* IN_1_DHCID_49_H */
diff --git a/lib/dns/rdata/in_1/kx_36.c b/lib/dns/rdata/in_1/kx_36.c
index 8a64aac..9df2e5e 100644
--- a/lib/dns/rdata/in_1/kx_36.c
+++ b/lib/dns/rdata/in_1/kx_36.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: kx_36.c,v 1.41.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: kx_36.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 17:24:54 PST 2000 by explorer */
 
diff --git a/lib/dns/rdata/in_1/kx_36.h b/lib/dns/rdata/in_1/kx_36.h
index c44883d..391ae27 100644
--- a/lib/dns/rdata/in_1/kx_36.h
+++ b/lib/dns/rdata/in_1/kx_36.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_KX_36_H
 #define IN_1_KX_36_H 1
 
-/* $Id: kx_36.h,v 1.16.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: kx_36.h,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC2230 */
diff --git a/lib/dns/rdata/in_1/naptr_35.c b/lib/dns/rdata/in_1/naptr_35.c
index 9a880ea..21ab44c 100644
--- a/lib/dns/rdata/in_1/naptr_35.c
+++ b/lib/dns/rdata/in_1/naptr_35.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: naptr_35.c,v 1.47.18.4 2008/02/15 23:45:53 tbox Exp $ */
+/* $Id: naptr_35.c,v 1.53 2008/02/15 23:46:51 tbox Exp $ */
 
 /* Reviewed: Thu Mar 16 16:52:50 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/naptr_35.h b/lib/dns/rdata/in_1/naptr_35.h
index 2578b48..503f7a8 100644
--- a/lib/dns/rdata/in_1/naptr_35.h
+++ b/lib/dns/rdata/in_1/naptr_35.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_NAPTR_35_H
 #define IN_1_NAPTR_35_H 1
 
-/* $Id: naptr_35.h,v 1.19.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: naptr_35.h,v 1.23 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC2915 */
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.c b/lib/dns/rdata/in_1/nsap-ptr_23.c
index 1a65cbe..2da7869 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.c
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap-ptr_23.c,v 1.34.18.2 2005/04/29 00:16:42 marka Exp $ */
+/* $Id: nsap-ptr_23.c,v 1.38 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 10:16:02 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/in_1/nsap-ptr_23.h b/lib/dns/rdata/in_1/nsap-ptr_23.h
index bd8e025..14a8b19 100644
--- a/lib/dns/rdata/in_1/nsap-ptr_23.h
+++ b/lib/dns/rdata/in_1/nsap-ptr_23.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_NSAP_PTR_23_H
 #define IN_1_NSAP_PTR_23_H 1
 
-/* $Id: nsap-ptr_23.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap-ptr_23.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC1348.  Obsoleted in RFC 1706 - use PTR instead. */
diff --git a/lib/dns/rdata/in_1/nsap_22.c b/lib/dns/rdata/in_1/nsap_22.c
index a348a30..c25f560 100644
--- a/lib/dns/rdata/in_1/nsap_22.c
+++ b/lib/dns/rdata/in_1/nsap_22.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsap_22.c,v 1.38.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap_22.c,v 1.42 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 10:41:07 PST 2000 by gson */
 
diff --git a/lib/dns/rdata/in_1/nsap_22.h b/lib/dns/rdata/in_1/nsap_22.h
index 583fbac..11e3f66 100644
--- a/lib/dns/rdata/in_1/nsap_22.h
+++ b/lib/dns/rdata/in_1/nsap_22.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_NSAP_22_H
 #define IN_1_NSAP_22_H 1
 
-/* $Id: nsap_22.h,v 1.14.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: nsap_22.h,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC1706 */
diff --git a/lib/dns/rdata/in_1/px_26.c b/lib/dns/rdata/in_1/px_26.c
index 3df9b99..1d17f2f 100644
--- a/lib/dns/rdata/in_1/px_26.c
+++ b/lib/dns/rdata/in_1/px_26.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: px_26.c,v 1.39.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: px_26.c,v 1.43 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Mon Mar 20 10:44:27 PST 2000 */
 
diff --git a/lib/dns/rdata/in_1/px_26.h b/lib/dns/rdata/in_1/px_26.h
index a38d5f81..69a7bae 100644
--- a/lib/dns/rdata/in_1/px_26.h
+++ b/lib/dns/rdata/in_1/px_26.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_PX_26_H
 #define IN_1_PX_26_H 1
 
-/* $Id: px_26.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: px_26.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! 
  *  \brief Per RFC2163 */
diff --git a/lib/dns/rdata/in_1/srv_33.c b/lib/dns/rdata/in_1/srv_33.c
index 2925a77..7bc85cd 100644
--- a/lib/dns/rdata/in_1/srv_33.c
+++ b/lib/dns/rdata/in_1/srv_33.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: srv_33.c,v 1.41.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: srv_33.c,v 1.45 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/srv_33.h b/lib/dns/rdata/in_1/srv_33.h
index 7d9fef6..e019698 100644
--- a/lib/dns/rdata/in_1/srv_33.h
+++ b/lib/dns/rdata/in_1/srv_33.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_SRV_33_H
 #define IN_1_SRV_33_H 1
 
-/* $Id: srv_33.h,v 1.15.18.2 2005/04/29 00:16:43 marka Exp $ */
+/* $Id: srv_33.h,v 1.19 2007/06/19 23:47:17 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 13:01:00 PST 2000 by bwelling */
 
diff --git a/lib/dns/rdata/in_1/wks_11.c b/lib/dns/rdata/in_1/wks_11.c
index 749b8fd..55859c4 100644
--- a/lib/dns/rdata/in_1/wks_11.c
+++ b/lib/dns/rdata/in_1/wks_11.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: wks_11.c,v 1.51.18.1 2004/09/16 01:02:19 marka Exp $ */
+/* $Id: wks_11.c,v 1.54.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /* Reviewed: Fri Mar 17 15:01:49 PST 2000 by explorer */
 
@@ -158,6 +158,7 @@ totext_in_wks(ARGS_TOTEXT) {
 	RETERR(str_totext(buf, target));
 	isc_region_consume(&sr, 1);
 
+	INSIST(sr.length <= 8*1024);
 	for (i = 0; i < sr.length; i++) {
 		if (sr.base[i] != 0)
 			for (j = 0; j < 8; j++)
@@ -242,7 +243,8 @@ fromstruct_in_wks(ARGS_FROMSTRUCT) {
 	REQUIRE(source != NULL);
 	REQUIRE(wks->common.rdtype == type);
 	REQUIRE(wks->common.rdclass == rdclass);
-	REQUIRE(wks->map != NULL || wks->map_len == 0);
+	REQUIRE((wks->map != NULL && wks->map_len <= 8*1024) ||
+		 wks->map_len == 0);
 
 	UNUSED(type);
 	UNUSED(rdclass);
diff --git a/lib/dns/rdata/in_1/wks_11.h b/lib/dns/rdata/in_1/wks_11.h
index a0093b9..2fd26e8 100644
--- a/lib/dns/rdata/in_1/wks_11.h
+++ b/lib/dns/rdata/in_1/wks_11.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,7 +18,7 @@
 #ifndef IN_1_WKS_11_H
 #define IN_1_WKS_11_H 1
 
-/* $Id: wks_11.h,v 1.20 2004/03/05 05:10:25 marka Exp $ */
+/* $Id: wks_11.h,v 1.22 2007/06/19 23:47:17 tbox Exp $ */
 
 typedef	struct dns_rdata_in_wks {
 	dns_rdatacommon_t	common;
diff --git a/lib/dns/rdata/rdatastructpre.h b/lib/dns/rdata/rdatastructpre.h
index d641ef5..ab7e051 100644
--- a/lib/dns/rdata/rdatastructpre.h
+++ b/lib/dns/rdata/rdatastructpre.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructpre.h,v 1.14 2004/03/05 05:10:04 marka Exp $ */
+/* $Id: rdatastructpre.h,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef DNS_RDATASTRUCT_H
 #define DNS_RDATASTRUCT_H 1
diff --git a/lib/dns/rdata/rdatastructsuf.h b/lib/dns/rdata/rdatastructsuf.h
index 1ab1b0a..3ba1275 100644
--- a/lib/dns/rdata/rdatastructsuf.h
+++ b/lib/dns/rdata/rdatastructsuf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatastructsuf.h,v 1.8 2004/03/05 05:10:04 marka Exp $ */
+/* $Id: rdatastructsuf.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/rdatalist.c b/lib/dns/rdatalist.c
index 7229fa3..d6f11ae 100644
--- a/lib/dns/rdatalist.c
+++ b/lib/dns/rdatalist.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist.c,v 1.28.18.3 2005/04/29 00:16:02 marka Exp $ */
+/* $Id: rdatalist.c,v 1.36 2008/09/24 02:46:22 marka Exp $ */
 
 /*! \file */
 
@@ -26,6 +26,7 @@
 #include <isc/util.h>
 
 #include <dns/name.h>
+#include <dns/nsec3.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
@@ -41,6 +42,8 @@ static dns_rdatasetmethods_t methods = {
 	isc__rdatalist_count,
 	isc__rdatalist_addnoqname,
 	isc__rdatalist_getnoqname,
+	isc__rdatalist_addclosest,
+	isc__rdatalist_getclosest,
 	NULL,
 	NULL,
 	NULL
@@ -63,8 +66,8 @@ dns_rdatalist_init(dns_rdatalist_t *rdatalist) {
 
 isc_result_t
 dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
-			 dns_rdataset_t *rdataset) {
-
+			 dns_rdataset_t *rdataset)
+{
 	/*
 	 * Make 'rdataset' refer to the rdata in 'rdatalist'.
 	 */
@@ -88,6 +91,16 @@ dns_rdatalist_tordataset(dns_rdatalist_t *rdatalist,
 	return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+dns_rdatalist_fromrdataset(dns_rdataset_t *rdataset,
+			   dns_rdatalist_t **rdatalist)
+{
+	REQUIRE(rdatalist != NULL && rdataset != NULL);
+	*rdatalist = rdataset->private1;
+
+	return (ISC_R_SUCCESS);
+}
+
 void
 isc__rdatalist_disassociate(dns_rdataset_t *rdataset) {
 	UNUSED(rdataset);
@@ -161,8 +174,8 @@ isc__rdatalist_count(dns_rdataset_t *rdataset) {
 
 isc_result_t
 isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
-	dns_rdataset_t *nsec = NULL;
-	dns_rdataset_t *nsecsig = NULL;
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
 	dns_rdataset_t *rdset;
 	dns_ttl_t ttl;
 
@@ -172,24 +185,33 @@ isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
 	{
 		if (rdset->rdclass != rdataset->rdclass)
 			continue;
-		if (rdset->type == dns_rdatatype_nsec)
-			nsec = rdset;
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+			neg = rdset;
+	}
+	if (neg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
 		if (rdset->type == dns_rdatatype_rrsig &&
-		    rdset->covers == dns_rdatatype_nsec)
-			nsecsig = rdset;
+		    rdset->covers == neg->type)
+			negsig = rdset;
 	}
 
-	if (nsec == NULL || nsecsig == NULL)
+	if (negsig == NULL)
 		return (ISC_R_NOTFOUND);
 	/*
 	 * Minimise ttl.
 	 */
 	ttl = rdataset->ttl;
-	if (nsec->ttl < ttl)
-		ttl = nsec->ttl;
-	if (nsecsig->ttl < ttl)
-		ttl = nsecsig->ttl;
-	rdataset->ttl = nsec->ttl = nsecsig->ttl = ttl;
+	if (neg->ttl < ttl)
+		ttl = neg->ttl;
+	if (negsig->ttl < ttl)
+		ttl = negsig->ttl;
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
 	rdataset->attributes |= DNS_RDATASETATTR_NOQNAME;
 	rdataset->private6 = name;
 	return (ISC_R_SUCCESS);
@@ -197,11 +219,11 @@ isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
 
 isc_result_t
 isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			 dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
 {
 	dns_rdataclass_t rdclass = rdataset->rdclass;
-	dns_rdataset_t *tnsec = NULL;
-	dns_rdataset_t *tnsecsig = NULL;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
 	dns_name_t *noqname = rdataset->private6;
 
 	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_NOQNAME) != 0);
@@ -213,17 +235,113 @@ isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
 	{
 		if (rdataset->rdclass != rdclass)
 			continue;
-		if (rdataset->type == dns_rdatatype_nsec)
-			tnsec = rdataset;
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+			tneg = rdataset;
+	}
+	if (tneg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdataset = ISC_LIST_HEAD(noqname->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
 		if (rdataset->type == dns_rdatatype_rrsig &&
-		    rdataset->covers == dns_rdatatype_nsec)
-			tnsecsig = rdataset;
+		    rdataset->covers == tneg->type)
+			tnegsig = rdataset;
 	}
-	if (tnsec == NULL || tnsecsig == NULL)
+	if (tnegsig == NULL)
 		return (ISC_R_NOTFOUND);
 
 	dns_name_clone(noqname, name);
-	dns_rdataset_clone(tnsec, nsec);
-	dns_rdataset_clone(tnsecsig, nsecsig);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
+	dns_rdataset_t *neg = NULL;
+	dns_rdataset_t *negsig = NULL;
+	dns_rdataset_t *rdset;
+	dns_ttl_t ttl;
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->rdclass != rdataset->rdclass)
+			continue;
+		if (rdset->type == dns_rdatatype_nsec ||
+		    rdset->type == dns_rdatatype_nsec3)
+			neg = rdset;
+	}
+	if (neg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdset = ISC_LIST_HEAD(name->list);
+	     rdset != NULL;
+	     rdset = ISC_LIST_NEXT(rdset, link))
+	{
+		if (rdset->type == dns_rdatatype_rrsig &&
+		    rdset->covers == neg->type)
+			negsig = rdset;
+	}
+
+	if (negsig == NULL)
+		return (ISC_R_NOTFOUND);
+	/*
+	 * Minimise ttl.
+	 */
+	ttl = rdataset->ttl;
+	if (neg->ttl < ttl)
+		ttl = neg->ttl;
+	if (negsig->ttl < ttl)
+		ttl = negsig->ttl;
+	rdataset->ttl = neg->ttl = negsig->ttl = ttl;
+	rdataset->attributes |= DNS_RDATASETATTR_CLOSEST;
+	rdataset->private7 = name;
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	dns_rdataclass_t rdclass = rdataset->rdclass;
+	dns_rdataset_t *tneg = NULL;
+	dns_rdataset_t *tnegsig = NULL;
+	dns_name_t *closest = rdataset->private7;
+
+	REQUIRE((rdataset->attributes & DNS_RDATASETATTR_CLOSEST) != 0);
+	(void)dns_name_dynamic(closest);	/* Sanity Check. */
+
+	for (rdataset = ISC_LIST_HEAD(closest->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->rdclass != rdclass)
+			continue;
+		if (rdataset->type == dns_rdatatype_nsec ||
+		    rdataset->type == dns_rdatatype_nsec3)
+			tneg = rdataset;
+	}
+	if (tneg == NULL)
+		return (ISC_R_NOTFOUND);
+
+	for (rdataset = ISC_LIST_HEAD(closest->list);
+	     rdataset != NULL;
+	     rdataset = ISC_LIST_NEXT(rdataset, link))
+	{
+		if (rdataset->type == dns_rdatatype_rrsig &&
+		    rdataset->covers == tneg->type)
+			tnegsig = rdataset;
+	}
+	if (tnegsig == NULL)
+		return (ISC_R_NOTFOUND);
+
+	dns_name_clone(closest, name);
+	dns_rdataset_clone(tneg, neg);
+	dns_rdataset_clone(tnegsig, negsig);
 	return (ISC_R_SUCCESS);
 }
diff --git a/lib/dns/rdatalist_p.h b/lib/dns/rdatalist_p.h
index d697fec..3e73e20 100644
--- a/lib/dns/rdatalist_p.h
+++ b/lib/dns/rdatalist_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatalist_p.h,v 1.5.18.2 2005/04/29 00:16:03 marka Exp $ */
+/* $Id: rdatalist_p.h,v 1.11 2008/09/25 04:02:38 tbox Exp $ */
 
 #ifndef DNS_RDATALIST_P_H
 #define DNS_RDATALIST_P_H
@@ -50,7 +50,14 @@ isc__rdatalist_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name);
 
 isc_result_t
 isc__rdatalist_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-			  dns_rdataset_t *nsec, dns_rdataset_t *nsecsig);
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
+
+isc_result_t
+isc__rdatalist_addclosest(dns_rdataset_t *rdataset, dns_name_t *name);
+
+isc_result_t
+isc__rdatalist_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			  dns_rdataset_t *neg, dns_rdataset_t *negsig);
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/dns/rdataset.c b/lib/dns/rdataset.c
index c86b3c5..6088a06 100644
--- a/lib/dns/rdataset.c
+++ b/lib/dns/rdataset.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataset.c,v 1.72.18.5 2006/03/02 00:37:21 marka Exp $ */
+/* $Id: rdataset.c,v 1.82.50.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -59,6 +59,7 @@ dns_rdataset_init(dns_rdataset_t *rdataset) {
 	rdataset->privateuint4 = 0;
 	rdataset->private5 = NULL;
 	rdataset->private6 = NULL;
+	rdataset->resign = 0;
 }
 
 void
@@ -137,7 +138,7 @@ question_disassociate(dns_rdataset_t *rdataset) {
 static isc_result_t
 question_cursor(dns_rdataset_t *rdataset) {
 	UNUSED(rdataset);
-	
+
 	return (ISC_R_NOMORE);
 }
 
@@ -148,7 +149,7 @@ question_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	 */
 	UNUSED(rdataset);
 	UNUSED(rdata);
-	
+
 	REQUIRE(0);
 }
 
@@ -179,6 +180,8 @@ static dns_rdatasetmethods_t question_methods = {
 	NULL,
 	NULL,
 	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -339,7 +342,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 	}
 
 	/*
-	 * Do we want to shuffle this anwer?
+	 * Do we want to shuffle this answer?
 	 */
 	if (!question && count > 1 &&
 	    (!WANT_FIXED(rdataset) || order != NULL) &&
@@ -445,7 +448,7 @@ towiresorted(dns_rdataset_t *rdataset, const dns_name_t *owner_name,
 		/*
 		 * Copy out the name, type, class, ttl.
 		 */
-		
+
 		rrbuffer = *target;
 		dns_compress_setmethods(cctx, DNS_COMPRESS_GLOBAL14);
 		result = dns_name_towire(owner_name, cctx, target);
@@ -620,14 +623,36 @@ dns_rdataset_addnoqname(dns_rdataset_t *rdataset, dns_name_t *name) {
 
 isc_result_t
 dns_rdataset_getnoqname(dns_rdataset_t *rdataset, dns_name_t *name,
-		        dns_rdataset_t *nsec, dns_rdataset_t *nsecsig)
+			dns_rdataset_t *neg, dns_rdataset_t *negsig)
 {
 	REQUIRE(DNS_RDATASET_VALID(rdataset));
 	REQUIRE(rdataset->methods != NULL);
 
 	if (rdataset->methods->getnoqname == NULL)
 		return (ISC_R_NOTIMPLEMENTED);
-	return((rdataset->methods->getnoqname)(rdataset, name, nsec, nsecsig));
+	return((rdataset->methods->getnoqname)(rdataset, name, neg, negsig));
+}
+
+isc_result_t
+dns_rdataset_addclosest(dns_rdataset_t *rdataset, dns_name_t *name) {
+
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+	if (rdataset->methods->addclosest == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->addclosest)(rdataset, name));
+}
+
+isc_result_t
+dns_rdataset_getclosest(dns_rdataset_t *rdataset, dns_name_t *name,
+			dns_rdataset_t *neg, dns_rdataset_t *negsig)
+{
+	REQUIRE(DNS_RDATASET_VALID(rdataset));
+	REQUIRE(rdataset->methods != NULL);
+
+	if (rdataset->methods->getclosest == NULL)
+		return (ISC_R_NOTIMPLEMENTED);
+	return((rdataset->methods->getclosest)(rdataset, name, neg, negsig));
 }
 
 /*
diff --git a/lib/dns/rdatasetiter.c b/lib/dns/rdatasetiter.c
index 8089e04..7ed3030 100644
--- a/lib/dns/rdatasetiter.c
+++ b/lib/dns/rdatasetiter.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdatasetiter.c,v 1.12.18.2 2005/04/29 00:16:03 marka Exp $ */
+/* $Id: rdatasetiter.c,v 1.16 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/rdataslab.c b/lib/dns/rdataslab.c
index 5d89d01..b22868d 100644
--- a/lib/dns/rdataslab.c
+++ b/lib/dns/rdataslab.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rdataslab.c,v 1.35.18.8 2007/08/28 07:20:05 tbox Exp $ */
+/* $Id: rdataslab.c,v 1.48.50.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -33,10 +33,6 @@
 #include <dns/rdataset.h>
 #include <dns/rdataslab.h>
 
-#ifndef DNS_RDATASET_FIXED
-#define DNS_RDATASET_FIXED 1
-#endif
-
 /*
  * The rdataslab structure allows iteration to occur in both load order
  * and DNSSEC order.  The structure is as follows:
@@ -47,6 +43,7 @@
  *	data records
  *		data length	(2 bytes)
  *		order		(2 bytes)
+ *		meta data	(1 byte for RRSIG's)
  *		data		(data length bytes)
  *
  * If DNS_RDATASET_FIXED is defined to be zero (0) the format of a
@@ -65,7 +62,7 @@
  *
  * DNSSEC order traversal is performed by walking the data records.
  *
- * The order is stored with record to allow for efficient reconstuction of
+ * The order is stored with record to allow for efficient reconstruction
  * of the offset table following a merge or subtraction.
  *
  * The iterator methods here currently only support DNSSEC order iteration.
@@ -141,6 +138,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 #if DNS_RDATASET_FIXED
 	unsigned int   *offsettable;
 #endif
+	unsigned int	length;
 
 	buflen = reservelen + 2;
 
@@ -209,12 +207,18 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 				x[i].order = x[i-1].order;
 #endif
 			nitems--;
-		} else
+		} else {
 #if DNS_RDATASET_FIXED
 			buflen += (8 + x[i-1].rdata.length);
 #else
 			buflen += (2 + x[i-1].rdata.length);
 #endif
+			/*
+			 * Provide space to store the per RR meta data.
+			 */
+			if (rdataset->type == dns_rdatatype_rrsig)
+				buflen++;
+		}
 	}
 	/*
 	 * Don't forget the last item!
@@ -224,6 +228,11 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 #else
 	buflen += (2 + x[i-1].rdata.length);
 #endif
+	/*
+	 * Provide space to store the per RR meta data.
+	 */
+	if (rdataset->type == dns_rdatatype_rrsig)
+		buflen++;
 
 	/*
 	 * Ensure that singleton types are actually singletons.
@@ -246,7 +255,7 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 		result = ISC_R_NOMEMORY;
 		goto free_rdatas;
 	}
-	
+
 #if DNS_RDATASET_FIXED
 	/* Allocate temporary offset table. */
 	offsettable = isc_mem_get(mctx, nalloc * sizeof(unsigned int));
@@ -280,15 +289,25 @@ dns_rdataslab_fromrdataset(dns_rdataset_t *rdataset, isc_mem_t *mctx,
 #if DNS_RDATASET_FIXED
 		offsettable[x[i].order] = rawbuf - offsetbase;
 #endif
-		*rawbuf++ = (x[i].rdata.length & 0xff00) >> 8;
-		*rawbuf++ = (x[i].rdata.length & 0x00ff);
+		length = x[i].rdata.length;
+		if (rdataset->type == dns_rdatatype_rrsig)
+			length++;
+		*rawbuf++ = (length & 0xff00) >> 8;
+		*rawbuf++ = (length & 0x00ff);
 #if DNS_RDATASET_FIXED
 		rawbuf += 2;	/* filled in later */
 #endif
+		/*
+		 * Store the per RR meta data.
+		 */
+		if (rdataset->type == dns_rdatatype_rrsig) {
+			*rawbuf++ |= (x[i].rdata.flags & DNS_RDATA_OFFLINE) ?
+					    DNS_RDATASLAB_OFFLINE : 0;
+		}
 		memcpy(rawbuf, x[i].rdata.data, x[i].rdata.length);
 		rawbuf += x[i].rdata.length;
 	}
-	
+
 #if DNS_RDATASET_FIXED
 	fillin_offsets(offsetbase, offsettable, nalloc);
 	isc_mem_put(mctx, offsettable, nalloc * sizeof(unsigned int));
@@ -360,17 +379,27 @@ static void
 rdataset_current(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
 	unsigned char *raw = rdataset->private5;
 	isc_region_t r;
+	unsigned int length;
+	unsigned int flags = 0;
 
 	REQUIRE(raw != NULL);
 
-	r.length = raw[0] * 256 + raw[1];
+	length = raw[0] * 256 + raw[1];
 #if DNS_RDATASET_FIXED
 	raw += 4;
 #else
 	raw += 2;
-#endif 
+#endif
+	if (rdataset->type == dns_rdatatype_rrsig) {
+		if (*raw & DNS_RDATASLAB_OFFLINE)
+			flags |= DNS_RDATA_OFFLINE;
+		length--;
+		raw++;
+	}
+	r.length = length;
 	r.base = raw;
 	dns_rdata_fromregion(rdata, rdataset->rdclass, rdataset->type, &r);
+	rdata->flags |= flags;
 }
 
 static void
@@ -405,6 +434,8 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	NULL,
 	NULL,
 	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -474,15 +505,27 @@ rdata_from_slab(unsigned char **current,
 {
 	unsigned char *tcurrent = *current;
 	isc_region_t region;
+	unsigned int length;
+	isc_boolean_t offline = ISC_FALSE;
 
-	region.length = *tcurrent++ * 256;
-	region.length += *tcurrent++;
+	length = *tcurrent++ * 256;
+	length += *tcurrent++;
+
+	if (type == dns_rdatatype_rrsig) {
+		if ((*tcurrent & DNS_RDATASLAB_OFFLINE) != 0)
+			offline = ISC_TRUE;
+		length--;
+		tcurrent++;
+	}
+	region.length = length;
 #if DNS_RDATASET_FIXED
 	tcurrent += 2;
 #endif
 	region.base = tcurrent;
 	tcurrent += region.length;
 	dns_rdata_fromregion(rdata, rdclass, type, &region);
+	if (offline)
+		rdata->flags |= DNS_RDATA_OFFLINE;
 	*current = tcurrent;
 }
 
@@ -511,7 +554,7 @@ rdata_in_slab(unsigned char *slab, unsigned int reservelen,
 
 	for (i = 0; i < count; i++) {
 		rdata_from_slab(&current, rdclass, type, &trdata);
-		
+
 		n = dns_rdata_compare(&trdata, rdata);
 		if (n == 0)
 			return (ISC_TRUE);
@@ -528,9 +571,8 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 		    dns_rdataclass_t rdclass, dns_rdatatype_t type,
 		    unsigned int flags, unsigned char **tslabp)
 {
-	unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent;
+	unsigned char *ocurrent, *ostart, *ncurrent, *tstart, *tcurrent, *data;
 	unsigned int ocount, ncount, count, olength, tlength, tcount, length;
-	isc_region_t nregion;
 	dns_rdata_t ordata = DNS_RDATA_INIT;
 	dns_rdata_t nrdata = DNS_RDATA_INIT;
 	isc_boolean_t added_something = ISC_FALSE;
@@ -603,29 +645,24 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 	 * the old slab.
 	 */
 	do {
-		nregion.length = *ncurrent++ * 256;
-		nregion.length += *ncurrent++;
-#if DNS_RDATASET_FIXED
-		ncurrent += 2;			/* Skip order. */
-#endif
-		nregion.base = ncurrent;
 		dns_rdata_init(&nrdata);
-		dns_rdata_fromregion(&nrdata, rdclass, type, &nregion);
+		rdata_from_slab(&ncurrent, rdclass, type, &nrdata);
 		if (!rdata_in_slab(oslab, reservelen, rdclass, type, &nrdata))
 		{
 			/*
 			 * This rdata isn't in the old slab.
 			 */
 #if DNS_RDATASET_FIXED
-			tlength += nregion.length + 8;
+			tlength += nrdata.length + 8;
 #else
-			tlength += nregion.length + 2;
+			tlength += nrdata.length + 2;
 #endif
+			if (type == dns_rdatatype_rrsig)
+				tlength++;
 			tcount++;
 			nncount++;
 			added_something = ISC_TRUE;
 		}
-		ncurrent += nregion.length;
 		ncount--;
 	} while (ncount > 0);
 	ncount = nncount;
@@ -726,12 +763,17 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 			offsettable[oorder] = tcurrent - offsetbase;
 #endif
 			length = ordata.length;
+			data = ordata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
 #if DNS_RDATASET_FIXED
 			tcurrent += 2;	/* fill in later */
 #endif
-			memcpy(tcurrent, ordata.data, length);
+			memcpy(tcurrent, data, length);
 			tcurrent += length;
 			oadded++;
 			if (oadded < ocount) {
@@ -748,12 +790,17 @@ dns_rdataslab_merge(unsigned char *oslab, unsigned char *nslab,
 			offsettable[ocount + norder] = tcurrent - offsetbase;
 #endif
 			length = nrdata.length;
+			data = nrdata.data;
+			if (type == dns_rdatatype_rrsig) {
+				length++;
+				data--;
+			}
 			*tcurrent++ = (length & 0xff00) >> 8;
 			*tcurrent++ = (length & 0x00ff);
 #if DNS_RDATASET_FIXED
 			tcurrent += 2;	/* fill in later */
 #endif
-			memcpy(tcurrent, nrdata.data, length);
+			memcpy(tcurrent, data, length);
 			tcurrent += length;
 			nadded++;
 			if (nadded < ncount) {
@@ -799,8 +846,8 @@ dns_rdataslab_subtract(unsigned char *mslab, unsigned char *sslab,
 #if DNS_RDATASET_FIXED
 	unsigned char *offsetbase;
 	unsigned int *offsettable;
-#endif
 	unsigned int order;
+#endif
 
 	REQUIRE(tslabp != NULL && *tslabp == NULL);
 	REQUIRE(mslab != NULL && sslab != NULL);
diff --git a/lib/dns/request.c b/lib/dns/request.c
index 64a3a4e..ac844e1 100644
--- a/lib/dns/request.c
+++ b/lib/dns/request.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: request.c,v 1.72.18.8 2008/07/22 03:51:44 marka Exp $ */
+/* $Id: request.c,v 1.82.72.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -95,7 +95,7 @@ struct dns_request {
 #define DNS_REQUEST_F_SENDING 0x0002
 #define DNS_REQUEST_F_CANCELED 0x0004	/*%< ctlevent received, or otherwise
 					   synchronously canceled */
-#define DNS_REQUEST_F_TIMEDOUT 0x0008	/*%< cancelled due to a timeout */
+#define DNS_REQUEST_F_TIMEDOUT 0x0008	/*%< canceled due to a timeout */
 #define DNS_REQUEST_F_TCP 0x0010	/*%< This request used TCP */
 #define DNS_REQUEST_CANCELED(r) \
 	(((r)->flags & DNS_REQUEST_F_CANCELED) != 0)
@@ -197,7 +197,7 @@ dns_requestmgr_create(isc_mem_t *mctx,
 		dns_dispatch_attach(dispatchv6, &requestmgr->dispatchv6);
 	requestmgr->mctx = NULL;
 	isc_mem_attach(mctx, &requestmgr->mctx);
-	requestmgr->eref = 1;	/* implict attach */
+	requestmgr->eref = 1;	/* implicit attach */
 	requestmgr->iref = 0;
 	ISC_LIST_INIT(requestmgr->whenshutdown);
 	ISC_LIST_INIT(requestmgr->requests);
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index dc648c9..a1c263e 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,15 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.284.18.79 2008/10/17 22:02:13 jinmei Exp $ */
+/* $Id: resolver.c,v 1.384.14.12 2009/05/11 02:38:03 tbox Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
+#include <isc/platform.h>
 #include <isc/print.h>
 #include <isc/string.h>
+#include <isc/random.h>
 #include <isc/task.h>
+#include <isc/stats.h>
 #include <isc/timer.h>
 #include <isc/util.h>
 
@@ -52,22 +55,23 @@
 #include <dns/resolver.h>
 #include <dns/result.h>
 #include <dns/rootns.h>
+#include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/validator.h>
 
 #define DNS_RESOLVER_TRACE
 #ifdef DNS_RESOLVER_TRACE
-#define RTRACE(m)	isc_log_write(dns_lctx, \
+#define RTRACE(m)       isc_log_write(dns_lctx, \
 				      DNS_LOGCATEGORY_RESOLVER, \
 				      DNS_LOGMODULE_RESOLVER, \
 				      ISC_LOG_DEBUG(3), \
 				      "res %p: %s", res, (m))
-#define RRTRACE(r, m)	isc_log_write(dns_lctx, \
+#define RRTRACE(r, m)   isc_log_write(dns_lctx, \
 				      DNS_LOGCATEGORY_RESOLVER, \
 				      DNS_LOGMODULE_RESOLVER, \
 				      ISC_LOG_DEBUG(3), \
 				      "res %p: %s", (r), (m))
-#define FCTXTRACE(m)	isc_log_write(dns_lctx, \
+#define FCTXTRACE(m)    isc_log_write(dns_lctx, \
 				      DNS_LOGCATEGORY_RESOLVER, \
 				      DNS_LOGMODULE_RESOLVER, \
 				      ISC_LOG_DEBUG(3), \
@@ -79,14 +83,14 @@
 				      ISC_LOG_DEBUG(3), \
 				      "fctx %p(%s): %s %s", \
 				      fctx, fctx->info, (m1), (m2))
-#define FTRACE(m)	isc_log_write(dns_lctx, \
+#define FTRACE(m)       isc_log_write(dns_lctx, \
 				      DNS_LOGCATEGORY_RESOLVER, \
 				      DNS_LOGMODULE_RESOLVER, \
 				      ISC_LOG_DEBUG(3), \
 				      "fetch %p (fctx %p(%s)): %s", \
 				      fetch, fetch->private, \
 				      fetch->private->info, (m))
-#define QTRACE(m)	isc_log_write(dns_lctx, \
+#define QTRACE(m)       isc_log_write(dns_lctx, \
 				      DNS_LOGCATEGORY_RESOLVER, \
 				      DNS_LOGMODULE_RESOLVER, \
 				      ISC_LOG_DEBUG(3), \
@@ -104,13 +108,13 @@
 /*%
  * Maximum EDNS0 input packet size.
  */
-#define RECV_BUFFER_SIZE		4096		/* XXXRTH  Constant. */
+#define RECV_BUFFER_SIZE                4096            /* XXXRTH  Constant. */
 
 /*%
  * This defines the maximum number of timeouts we will permit before we
  * disable EDNS0 on the query.
  */
-#define MAX_EDNS0_TIMEOUTS	3
+#define MAX_EDNS0_TIMEOUTS      3
 
 typedef struct fetchctx fetchctx_t;
 
@@ -141,19 +145,25 @@ typedef struct query {
 #define QUERY_MAGIC			ISC_MAGIC('Q', '!', '!', '!')
 #define VALID_QUERY(query)		ISC_MAGIC_VALID(query, QUERY_MAGIC)
 
-#define RESQUERY_ATTR_CANCELED		0x02
+#define RESQUERY_ATTR_CANCELED          0x02
 
-#define RESQUERY_CONNECTING(q)		((q)->connects > 0)
-#define RESQUERY_CANCELED(q)		(((q)->attributes & \
+#define RESQUERY_CONNECTING(q)          ((q)->connects > 0)
+#define RESQUERY_CANCELED(q)            (((q)->attributes & \
 					  RESQUERY_ATTR_CANCELED) != 0)
-#define RESQUERY_SENDING(q)		((q)->sends > 0)
+#define RESQUERY_SENDING(q)             ((q)->sends > 0)
 
 typedef enum {
-	fetchstate_init = 0,		/*%< Start event has not run yet. */
+	fetchstate_init = 0,            /*%< Start event has not run yet. */
 	fetchstate_active,
-	fetchstate_done			/*%< FETCHDONE events posted. */
+	fetchstate_done                 /*%< FETCHDONE events posted. */
 } fetchstate;
 
+typedef enum {
+	badns_unreachable = 0,
+	badns_response,
+	badns_validation
+} badnstype_t;
+
 struct fetchctx {
 	/*% Not locked. */
 	unsigned int			magic;
@@ -162,7 +172,7 @@ struct fetchctx {
 	dns_rdatatype_t			type;
 	unsigned int			options;
 	unsigned int			bucketnum;
-	char *				info;
+	char *			info;
 	/*% Locked by appropriate bucket lock. */
 	fetchstate			state;
 	isc_boolean_t			want_shutdown;
@@ -170,8 +180,8 @@ struct fetchctx {
 	isc_boolean_t			spilled;
 	unsigned int			references;
 	isc_event_t			control_event;
-	ISC_LINK(struct fetchctx)	link;
-	ISC_LIST(dns_fetchevent_t)	events;
+	ISC_LINK(struct fetchctx)       link;
+	ISC_LIST(dns_fetchevent_t)      events;
 	/*% Locked by task event serialization. */
 	dns_name_t			domain;
 	dns_rdataset_t			nameservers;
@@ -194,7 +204,7 @@ struct fetchctx {
 	isc_sockaddrlist_t		edns;
 	isc_sockaddrlist_t		edns512;
 	dns_validator_t			*validator;
-	ISC_LIST(dns_validator_t)	validators;
+	ISC_LIST(dns_validator_t)       validators;
 	dns_db_t *			cache;
 	dns_adb_t *			adb;
 
@@ -219,6 +229,7 @@ struct fetchctx {
 	 * is used for EDNS0 black hole detection.
 	 */
 	unsigned int			timeouts;
+
 	/*%
 	 * Look aside state for DS lookups.
 	 */
@@ -230,34 +241,65 @@ struct fetchctx {
 	 * Number of queries that reference this context.
 	 */
 	unsigned int			nqueries;
+
+	/*%
+	 * The reason to print when logging a successful
+	 * response to a query.
+	 */
+	const char *			reason;
+
+	/*%
+	 * Random numbers to use for mixing up server addresses.
+	 */
+	isc_uint32_t                    rand_buf;
+	isc_uint32_t                    rand_bits;
+
+	/*%
+	 * Fetch-local statistics for detailed logging.
+	 */
+	isc_result_t			result; /*%< fetch result  */
+	isc_result_t			vresult; /*%< validation result  */
+	int				exitline;
+	isc_time_t			start;
+	isc_uint64_t			duration;
+	isc_boolean_t			logged;
+	unsigned int			querysent;
+	unsigned int			referrals;
+	unsigned int			lamecount;
+	unsigned int			neterr;
+	unsigned int			badresp;
+	unsigned int			adberr;
+	unsigned int			findfail;
+	unsigned int			valfail;
+	isc_boolean_t			timeout;
 };
 
 #define FCTX_MAGIC			ISC_MAGIC('F', '!', '!', '!')
 #define VALID_FCTX(fctx)		ISC_MAGIC_VALID(fctx, FCTX_MAGIC)
 
-#define FCTX_ATTR_HAVEANSWER		0x0001
-#define FCTX_ATTR_GLUING		0x0002
-#define FCTX_ATTR_ADDRWAIT		0x0004
-#define FCTX_ATTR_SHUTTINGDOWN		0x0008
-#define FCTX_ATTR_WANTCACHE		0x0010
-#define FCTX_ATTR_WANTNCACHE		0x0020
-#define FCTX_ATTR_NEEDEDNS0		0x0040
-#define FCTX_ATTR_TRIEDFIND		0x0080
-#define FCTX_ATTR_TRIEDALT		0x0100
-
-#define HAVE_ANSWER(f)		(((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
+#define FCTX_ATTR_HAVEANSWER            0x0001
+#define FCTX_ATTR_GLUING                0x0002
+#define FCTX_ATTR_ADDRWAIT              0x0004
+#define FCTX_ATTR_SHUTTINGDOWN          0x0008
+#define FCTX_ATTR_WANTCACHE             0x0010
+#define FCTX_ATTR_WANTNCACHE            0x0020
+#define FCTX_ATTR_NEEDEDNS0             0x0040
+#define FCTX_ATTR_TRIEDFIND             0x0080
+#define FCTX_ATTR_TRIEDALT              0x0100
+
+#define HAVE_ANSWER(f)          (((f)->attributes & FCTX_ATTR_HAVEANSWER) != \
 				 0)
-#define GLUING(f)		(((f)->attributes & FCTX_ATTR_GLUING) != \
+#define GLUING(f)               (((f)->attributes & FCTX_ATTR_GLUING) != \
 				 0)
-#define ADDRWAIT(f)		(((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
+#define ADDRWAIT(f)             (((f)->attributes & FCTX_ATTR_ADDRWAIT) != \
 				 0)
-#define SHUTTINGDOWN(f)		(((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
+#define SHUTTINGDOWN(f)         (((f)->attributes & FCTX_ATTR_SHUTTINGDOWN) \
 				 != 0)
-#define WANTCACHE(f)		(((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
-#define WANTNCACHE(f)		(((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
-#define NEEDEDNS0(f)		(((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
-#define TRIEDFIND(f)		(((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
-#define TRIEDALT(f)		(((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
+#define WANTCACHE(f)            (((f)->attributes & FCTX_ATTR_WANTCACHE) != 0)
+#define WANTNCACHE(f)           (((f)->attributes & FCTX_ATTR_WANTNCACHE) != 0)
+#define NEEDEDNS0(f)            (((f)->attributes & FCTX_ATTR_NEEDEDNS0) != 0)
+#define TRIEDFIND(f)            (((f)->attributes & FCTX_ATTR_TRIEDFIND) != 0)
+#define TRIEDALT(f)             (((f)->attributes & FCTX_ATTR_TRIEDALT) != 0)
 
 typedef struct {
 	dns_adbaddrinfo_t *		addrinfo;
@@ -282,14 +324,14 @@ typedef struct fctxbucket {
 
 typedef struct alternate {
 	isc_boolean_t			isaddress;
-	union	{
+	union   {
 		isc_sockaddr_t		addr;
 		struct {
-			dns_name_t	name;
-			in_port_t	port;
+			dns_name_t      name;
+			in_port_t       port;
 		} _n;
 	} _u;
-	ISC_LINK(struct alternate)	link;
+	ISC_LINK(struct alternate)      link;
 } alternate_t;
 
 struct dns_resolver {
@@ -311,6 +353,7 @@ struct dns_resolver {
 	isc_boolean_t			exclusivev4;
 	dns_dispatch_t *		dispatchv6;
 	isc_boolean_t			exclusivev6;
+	unsigned int			ndisps;
 	unsigned int			nbuckets;
 	fctxbucket_t *			buckets;
 	isc_uint32_t			lame_ttl;
@@ -328,6 +371,7 @@ struct dns_resolver {
 	unsigned int			spillatmin;
 	isc_timer_t *			spillattimer;
 	isc_boolean_t			zero_no_soa_ttl;
+
 	/* Locked by lock. */
 	unsigned int			references;
 	isc_boolean_t			exiting;
@@ -335,6 +379,7 @@ struct dns_resolver {
 	unsigned int			activebuckets;
 	isc_boolean_t			priming;
 	unsigned int			spillat;	/* clients-per-query */
+	unsigned int			nextdisp;
 	/* Locked by primelock. */
 	dns_fetch_t *			primefetch;
 	/* Locked by nlock. */
@@ -348,34 +393,45 @@ struct dns_resolver {
  * Private addrinfo flags.  These must not conflict with DNS_FETCHOPT_NOEDNS0,
  * which we also use as an addrinfo flag.
  */
-#define FCTX_ADDRINFO_MARK		0x0001
-#define FCTX_ADDRINFO_FORWARDER		0x1000
-#define UNMARKED(a)			(((a)->flags & FCTX_ADDRINFO_MARK) \
+#define FCTX_ADDRINFO_MARK              0x0001
+#define FCTX_ADDRINFO_FORWARDER         0x1000
+#define FCTX_ADDRINFO_TRIED             0x2000
+#define UNMARKED(a)                     (((a)->flags & FCTX_ADDRINFO_MARK) \
 					 == 0)
-#define ISFORWARDER(a)			(((a)->flags & \
+#define ISFORWARDER(a)                  (((a)->flags & \
 					 FCTX_ADDRINFO_FORWARDER) != 0)
+#define TRIED(a)                        (((a)->flags & \
+					 FCTX_ADDRINFO_TRIED) != 0)
 
 #define NXDOMAIN(r) (((r)->attributes & DNS_RDATASETATTR_NXDOMAIN) != 0)
 
-#define dns_db_transfernode(a,b,c) do { (*c) = (*b); (*b) = NULL; } while (0)
-
 static void destroy(dns_resolver_t *res);
 static void empty_bucket(dns_resolver_t *res);
 static isc_result_t resquery_send(resquery_t *query);
 static void resquery_response(isc_task_t *task, isc_event_t *event);
 static void resquery_connected(isc_task_t *task, isc_event_t *event);
-static void fctx_try(fetchctx_t *fctx);
+static void fctx_try(fetchctx_t *fctx, isc_boolean_t retrying);
 static isc_boolean_t fctx_destroy(fetchctx_t *fctx);
 static isc_result_t ncache_adderesult(dns_message_t *message,
 				      dns_db_t *cache, dns_dbnode_t *node,
 				      dns_rdatatype_t covers,
 				      isc_stdtime_t now, dns_ttl_t maxttl,
+				      isc_boolean_t optout,
 				      dns_rdataset_t *ardataset,
 				      isc_result_t *eresultp);
 static void validated(isc_task_t *task, isc_event_t *event);
 static void maybe_destroy(fetchctx_t *fctx);
 static void add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
-		    isc_result_t reason);
+		    isc_result_t reason, badnstype_t badtype);
+
+/*%
+ * Increment resolver-related statistics counters.
+ */
+static inline void
+inc_stats(dns_resolver_t *res, isc_statscounter_t counter) {
+	if (res->view->resstats != NULL)
+		isc_stats_increment(res->view->resstats, counter);
+}
 
 static isc_result_t
 valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
@@ -403,6 +459,7 @@ valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
 				      valoptions, task, validated, valarg,
 				      &validator);
 	if (result == ISC_R_SUCCESS) {
+		inc_stats(fctx->res, dns_resstatscounter_val);
 		if ((valoptions & DNS_VALIDATOR_DEFER) == 0) {
 			INSIST(fctx->validator == NULL);
 			fctx->validator  = validator;
@@ -522,21 +579,20 @@ fctx_stoptimer(fetchctx_t *fctx) {
 
 
 static inline isc_result_t
-fctx_startidletimer(fetchctx_t *fctx) {
+fctx_startidletimer(fetchctx_t *fctx, isc_interval_t *interval) {
 	/*
 	 * Start the idle timer for fctx.  The lifetime timer continues
 	 * to be in effect.
 	 */
 	return (isc_timer_reset(fctx->timer, isc_timertype_once,
-				&fctx->expires, &fctx->interval,
-				ISC_FALSE));
+				&fctx->expires, interval, ISC_FALSE));
 }
 
 /*
  * Stopping the idle timer is equivalent to calling fctx_starttimer(), but
  * we use fctx_stopidletimer for readability in the code below.
  */
-#define fctx_stopidletimer	fctx_starttimer
+#define fctx_stopidletimer      fctx_starttimer
 
 
 static inline void
@@ -551,7 +607,7 @@ resquery_destroy(resquery_t **queryp) {
 
 	query->fctx->nqueries--;
 	if (SHUTTINGDOWN(query->fctx))
-		maybe_destroy(query->fctx);	/* Locks bucket. */
+		maybe_destroy(query->fctx);     /* Locks bucket. */
 	query->magic = 0;
 	isc_mem_put(query->mctx, query, sizeof(*query));
 	*queryp = NULL;
@@ -563,7 +619,7 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 {
 	fetchctx_t *fctx;
 	resquery_t *query;
-	unsigned int rtt;
+	unsigned int rtt, rttms;
 	unsigned int factor;
 	dns_adbfind_t *find;
 	dns_adbaddrinfo_t *addrinfo;
@@ -590,6 +646,27 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 			rtt = (unsigned int)isc_time_microdiff(finish,
 							       &query->start);
 			factor = DNS_ADB_RTTADJDEFAULT;
+
+			rttms = rtt / 1000;
+			if (rttms < DNS_RESOLVER_QRYRTTCLASS0) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt0);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS1) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt1);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS2) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt2);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS3) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt3);
+			} else if (rttms < DNS_RESOLVER_QRYRTTCLASS4) {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt4);
+			} else {
+				inc_stats(fctx->res,
+					  dns_resstatscounter_queryrtt5);
+			}
 		} else {
 			/*
 			 * We don't have an RTT for this query.  Maybe the
@@ -608,6 +685,12 @@ fctx_cancelquery(resquery_t **queryp, dns_dispatchevent_t **deventp,
 		dns_adb_adjustsrtt(fctx->adb, query->addrinfo, rtt, factor);
 	}
 
+	/* Remember that the server has been tried. */
+	if (!TRIED(query->addrinfo)) {
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
+				    FCTX_ADDRINFO_TRIED, FCTX_ADDRINFO_TRIED);
+	}
+
 	/*
 	 * Age RTTs of servers not tried.
 	 */
@@ -790,14 +873,16 @@ fctx_stopeverything(fetchctx_t *fctx, isc_boolean_t no_response) {
 }
 
 static inline void
-fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
+fctx_sendevents(fetchctx_t *fctx, isc_result_t result, int line) {
 	dns_fetchevent_t *event, *next_event;
 	isc_task_t *task;
 	unsigned int count = 0;
 	isc_interval_t i;
 	isc_boolean_t logit = ISC_FALSE;
+	isc_time_t now;
 	unsigned int old_spillat;
-	unsigned int new_spillat = 0;	/* initialized to silence compiler warnings */
+	unsigned int new_spillat = 0;	/* initialized to silence
+					   compiler warnings */
 
 	/*
 	 * Caller must be holding the appropriate bucket lock.
@@ -806,6 +891,14 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 
 	FCTXTRACE("sendevents");
 
+	/*
+	 * Keep some record of fetch result for logging later (if required).
+	 */
+	fctx->result = result;
+	fctx->exitline = line;
+	TIME_NOW(&now);
+	fctx->duration = isc_time_microdiff(&now, &fctx->start);
+
 	for (event = ISC_LIST_HEAD(fctx->events);
 	     event != NULL;
 	     event = next_event) {
@@ -864,26 +957,50 @@ fctx_sendevents(fetchctx_t *fctx, isc_result_t result) {
 	}
 }
 
+static inline void
+log_edns(fetchctx_t *fctx) {
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	if (fctx->reason == NULL)
+		return;
+
+	dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_EDNS_DISABLED,
+		      DNS_LOGMODULE_RESOLVER, ISC_LOG_INFO,
+		      "success resolving '%s' (in '%s'?) after %s",
+		      fctx->info, domainbuf, fctx->reason);
+
+	fctx->reason = NULL;
+}
+
 static void
-fctx_done(fetchctx_t *fctx, isc_result_t result) {
+fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
 	dns_resolver_t *res;
 	isc_boolean_t no_response;
 
+	REQUIRE(line >= 0);
+
 	FCTXTRACE("done");
 
 	res = fctx->res;
 
-	if (result == ISC_R_SUCCESS)
+	if (result == ISC_R_SUCCESS) {
+		/*%
+		 * Log any deferred EDNS timeout messages.
+		 */
+		log_edns(fctx);
 		no_response = ISC_TRUE;
-	else
+	 } else
 		no_response = ISC_FALSE;
+
+	fctx->reason = NULL;
 	fctx_stopeverything(fctx, no_response);
 
 	LOCK(&res->buckets[fctx->bucketnum].lock);
 
 	fctx->state = fetchstate_done;
 	fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
-	fctx_sendevents(fctx, result);
+	fctx_sendevents(fctx, result, line);
 
 	UNLOCK(&res->buckets[fctx->bucketnum].lock);
 }
@@ -921,7 +1038,8 @@ process_sendevent(resquery_t *query, isc_event_t *event) {
 			/*
 			 * No route to remote.
 			 */
-			add_bad(fctx, query->addrinfo, sevent->result);
+			add_bad(fctx, query->addrinfo, sevent->result,
+				badns_unreachable);
 			fctx_cancelquery(&query, NULL, NULL, ISC_TRUE);
 			retry = ISC_TRUE;
 			break;
@@ -942,9 +1060,9 @@ process_sendevent(resquery_t *query, isc_event_t *event) {
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx);
+			fctx_try(fctx, ISC_TRUE);
 	}
 }
 
@@ -991,7 +1109,8 @@ resquery_senddone(isc_task_t *task, isc_event_t *event) {
 }
 
 static inline isc_result_t
-fctx_addopt(dns_message_t *message, unsigned int version, isc_uint16_t udpsize)
+fctx_addopt(dns_message_t *message, unsigned int version,
+	    isc_uint16_t udpsize, isc_boolean_t request_nsid)
 {
 	dns_rdataset_t *rdataset;
 	dns_rdatalist_t *rdatalist;
@@ -1027,10 +1146,23 @@ fctx_addopt(dns_message_t *message, unsigned int version, isc_uint16_t udpsize)
 	rdatalist->ttl |= DNS_MESSAGEEXTFLAG_DO;
 
 	/*
-	 * No EDNS options.
+	 * Set EDNS options if applicable
 	 */
-	rdata->data = NULL;
-	rdata->length = 0;
+	if (request_nsid) {
+		/* Send empty NSID option (RFC5001) */
+		unsigned char data[4];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, data, sizeof(data));
+		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+		isc_buffer_putuint16(&buf, 0);
+		rdata->data = data;
+		rdata->length = sizeof(data);
+	} else {
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
+
 	rdata->rdclass = rdatalist->rdclass;
 	rdata->type = rdatalist->type;
 	rdata->flags = 0;
@@ -1048,7 +1180,7 @@ fctx_setretryinterval(fetchctx_t *fctx, unsigned int rtt) {
 	unsigned int us;
 
 	/*
-	 * We retry every .5 seconds the first two times through the address
+	 * We retry every .8 seconds the first two times through the address
 	 * list, and then we do exponential back-off.
 	 */
 	if (fctx->restarts < 3)
@@ -1088,14 +1220,19 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	resquery_t *query;
 	isc_sockaddr_t addr;
 	isc_boolean_t have_addr = ISC_FALSE;
+	unsigned int srtt;
 
 	FCTXTRACE("query");
 
 	res = fctx->res;
 	task = res->buckets[fctx->bucketnum].task;
 
-	fctx_setretryinterval(fctx, addrinfo->srtt);
-	result = fctx_startidletimer(fctx);
+	srtt = addrinfo->srtt;
+	if (ISFORWARDER(addrinfo) && srtt < 1000000)
+		srtt = 1000000;
+
+	fctx_setretryinterval(fctx, srtt);
+	result = fctx_startidletimer(fctx, &fctx->interval);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
@@ -1262,9 +1399,17 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 		if (result != ISC_R_SUCCESS)
 			goto cleanup_dispatch;
 	}
+	fctx->querysent++;
 
 	ISC_LIST_APPEND(fctx->queries, query, link);
 	query->fctx->nqueries++;
+	if (isc_sockaddr_pf(&addrinfo->sockaddr) == PF_INET)
+		inc_stats(res, dns_resstatscounter_queryv4);
+	else
+		inc_stats(res, dns_resstatscounter_queryv6);
+	if (res->view->resquerystats != NULL)
+		dns_rdatatypestats_increment(res->view->resquerystats,
+					     fctx->type);
 
 	return (ISC_R_SUCCESS);
 
@@ -1486,34 +1631,55 @@ resquery_send(resquery_t *query) {
 	    !useedns)
 	{
 		query->options |= DNS_FETCHOPT_NOEDNS0;
-		dns_adb_changeflags(fctx->adb,
-				    query->addrinfo,
+		dns_adb_changeflags(fctx->adb, query->addrinfo,
 				    DNS_FETCHOPT_NOEDNS0,
 				    DNS_FETCHOPT_NOEDNS0);
 	}
 
+	/* Sync NOEDNS0 flag in addrinfo->flags and options now. */
+	if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) != 0)
+		query->options |= DNS_FETCHOPT_NOEDNS0;
+
+	/*
+	 * Handle timeouts by reducing the UDP response size to 512 bytes
+	 * then if that doesn't work disabling EDNS (includes DO) and CD.
+	 *
+	 * These timeout can be due to:
+	 *	* broken nameservers that don't respond to EDNS queries.
+	 *	* broken/misconfigured firewalls and NAT implementations
+	 *	  that don't handle IP fragmentation.
+	 *	* broken/misconfigured firewalls that don't handle responses
+	 *	  greater than 512 bytes.
+	 *	* broken/misconfigured firewalls that don't handle EDNS, DO
+	 *	  or CD.
+	 *	* packet loss / link outage.
+	 */
+	if (fctx->timeout) {
+		if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
+		     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
+		    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			query->options |= DNS_FETCHOPT_NOEDNS0;
+			fctx->reason = "disabling EDNS";
+		} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
+			    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
+			   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
+			query->options |= DNS_FETCHOPT_EDNS512;
+			fctx->reason = "reducing the advertised EDNS UDP "
+				       "packet size to 512 octets";
+		}
+		fctx->timeout = ISC_FALSE;
+	}
+
 	/*
 	 * Use EDNS0, unless the caller doesn't want it, or we know that
 	 * the remote server doesn't like it.
 	 */
-
-	if ((triededns512(fctx, &query->addrinfo->sockaddr) ||
-	     fctx->timeouts >= (MAX_EDNS0_TIMEOUTS * 2)) &&
-	    (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-		query->options |= DNS_FETCHOPT_NOEDNS0;
-		FCTXTRACE("too many timeouts, disabling EDNS0");
-	} else if ((triededns(fctx, &query->addrinfo->sockaddr) ||
-		    fctx->timeouts >= MAX_EDNS0_TIMEOUTS) &&
-		   (query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
-		query->options |= DNS_FETCHOPT_EDNS512;
-		FCTXTRACE("too many timeouts, setting EDNS size to 512");
-	}
-
 	if ((query->options & DNS_FETCHOPT_NOEDNS0) == 0) {
 		if ((query->addrinfo->flags & DNS_FETCHOPT_NOEDNS0) == 0) {
-			unsigned int version = 0;	/* Default version. */
+			unsigned int version = 0;       /* Default version. */
 			unsigned int flags;
 			isc_uint16_t udpsize = res->udpsize;
+			isc_boolean_t reqnsid = res->view->requestnsid;
 
 			flags = query->addrinfo->flags;
 			if ((flags & DNS_FETCHOPT_EDNSVERSIONSET) != 0) {
@@ -1524,8 +1690,15 @@ resquery_send(resquery_t *query) {
 				udpsize = 512;
 			else if (peer != NULL)
 				(void)dns_peer_getudpsize(peer, &udpsize);
-			result = fctx_addopt(fctx->qmessage, version, udpsize);
-			if (result != ISC_R_SUCCESS) {
+
+			/* request NSID for current view or peer? */
+			if (peer != NULL)
+				(void) dns_peer_getrequestnsid(peer, &reqnsid);
+			result = fctx_addopt(fctx->qmessage, version,
+					     udpsize, reqnsid);
+			if (reqnsid && result == ISC_R_SUCCESS) {
+				query->options |= DNS_FETCHOPT_WANTNSID;
+			} else if (result != ISC_R_SUCCESS) {
 				/*
 				 * We couldn't add the OPT, but we'll press on.
 				 * We're not using EDNS0, so set the NOEDNS0
@@ -1636,13 +1809,15 @@ resquery_send(resquery_t *query) {
 
 	/*
 	 * XXXRTH  Make sure we don't send to ourselves!  We should probably
-	 *	   prune out these addresses when we get them from the ADB.
+	 *		prune out these addresses when we get them from the ADB.
 	 */
 	result = isc_socket_sendto(socket, &r, task, resquery_senddone,
 				   query, address, NULL);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_message;
+
 	query->sends++;
+
 	QTRACE("sent");
 
 	return (ISC_R_SUCCESS);
@@ -1672,6 +1847,7 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
 	resquery_t *query = event->ev_arg;
 	isc_boolean_t retry = ISC_FALSE;
+	isc_interval_t interval;
 	isc_result_t result;
 	unsigned int attrs;
 	fetchctx_t *fctx;
@@ -1704,6 +1880,20 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 	} else {
 		switch (sevent->result) {
 		case ISC_R_SUCCESS:
+
+			/*
+			 * Extend the idle timer for TCP.  20 seconds
+			 * should be long enough for a TCP connection to be
+			 * established, a single DNS request to be sent,
+			 * and the response received.
+			 */
+			isc_interval_set(&interval, 20, 0);
+			result = fctx_startidletimer(query->fctx, &interval);
+			if (result != ISC_R_SUCCESS) {
+				fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
+				fctx_done(fctx, result, __LINE__);
+				break;
+			}
 			/*
 			 * We are connected.  Create a dispatcher and
 			 * send the query.
@@ -1736,9 +1926,8 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 				result = resquery_send(query);
 
 			if (result != ISC_R_SUCCESS) {
-				fctx_cancelquery(&query, NULL, NULL,
-						 ISC_FALSE);
-				fctx_done(fctx, result);
+				fctx_cancelquery(&query, NULL, NULL, ISC_FALSE);
+				fctx_done(fctx, result, __LINE__);
 			}
 			break;
 
@@ -1773,9 +1962,9 @@ resquery_connected(isc_task_t *task, isc_event_t *event) {
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx);
+			fctx_try(fctx, ISC_TRUE);
 	}
 }
 
@@ -1809,13 +1998,16 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 		fctx->attributes &= ~FCTX_ATTR_ADDRWAIT;
 		if (event->ev_type == DNS_EVENT_ADBMOREADDRESSES)
 			want_try = ISC_TRUE;
-		else if (fctx->pending == 0) {
-			/*
-			 * We've got nothing else to wait for and don't
-			 * know the answer.  There's nothing to do but
-			 * fail the fctx.
-			 */
-			want_done = ISC_TRUE;
+		else {
+			fctx->findfail++;
+			if (fctx->pending == 0) {
+				/*
+				 * We've got nothing else to wait for and don't
+				 * know the answer.  There's nothing to do but
+				 * fail the fctx.
+				 */
+				want_done = ISC_TRUE;
+			}
 		}
 	} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
 		   fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
@@ -1834,9 +2026,9 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
 	dns_adb_destroyfind(&find);
 
 	if (want_try)
-		fctx_try(fctx);
+		fctx_try(fctx, ISC_TRUE);
 	else if (want_done)
-		fctx_done(fctx, ISC_R_FAILURE);
+		fctx_done(fctx, ISC_R_FAILURE, __LINE__);
 	else if (bucket_empty)
 		empty_bucket(res);
 }
@@ -1924,7 +2116,9 @@ mark_bad(fetchctx_t *fctx) {
 }
 
 static void
-add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) {
+add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason,
+	badnstype_t badtype)
+{
 	char namebuf[DNS_NAME_FORMATSIZE];
 	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
 	char classbuf[64];
@@ -1935,6 +2129,21 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) {
 	const char *sep1, *sep2;
 	isc_sockaddr_t *address = &addrinfo->sockaddr;
 
+	if (reason == DNS_R_LAME)
+		fctx->lamecount++;
+	else {
+		switch (badtype) {
+		case badns_unreachable:
+			fctx->neterr++;
+			break;
+		case badns_response:
+			fctx->badresp++;
+			break;
+		case badns_validation:
+			break;	/* counted as 'valfail' */
+		}
+	}
+
 	if (bad_server(fctx, address)) {
 		/*
 		 * We already know this server is bad.
@@ -1951,7 +2160,7 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) {
 	*sa = *address;
 	ISC_LIST_INITANDAPPEND(fctx->bad, sa, link);
 
-	if (reason == DNS_R_LAME)	/* already logged */
+	if (reason == DNS_R_LAME)       /* already logged */
 		return;
 
 	if (reason == DNS_R_UNEXPECTEDRCODE &&
@@ -1987,15 +2196,79 @@ add_bad(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_result_t reason) {
 		      namebuf, typebuf, classbuf, addrbuf);
 }
 
+/*
+ * Return 'bits' bits of random entropy from fctx->rand_buf,
+ * refreshing it by calling isc_random_get() whenever the requested
+ * number of bits is greater than the number in the buffer.
+ */
+static inline isc_uint32_t
+random_bits(fetchctx_t *fctx, isc_uint32_t bits) {
+	isc_uint32_t ret = 0;
+
+	REQUIRE(VALID_FCTX(fctx));
+	REQUIRE(bits <= 32);
+	if (bits == 0)
+		return (0);
+
+	if (bits >= fctx->rand_bits) {
+		/* if rand_bits == 0, this is unnecessary but harmless */
+		bits -= fctx->rand_bits;
+		ret = fctx->rand_buf << bits;
+
+		/* refresh random buffer now */
+		isc_random_get(&fctx->rand_buf);
+		fctx->rand_bits = sizeof(fctx->rand_buf) * CHAR_BIT;
+	}
+
+	if (bits > 0) {
+		isc_uint32_t mask = 0xffffffff;
+		if (bits < 32) {
+			mask = (1 << bits) - 1;
+		}
+
+		ret |= fctx->rand_buf & mask;
+		fctx->rand_buf >>= bits;
+		fctx->rand_bits -= bits;
+	}
+
+	return (ret);
+}
+
+/*
+ * Add some random jitter to a server's RTT value so that the
+ * order of queries will be unpredictable.
+ *
+ * RTT values of servers which have been tried are fuzzed by 128 ms.
+ * Servers that haven't been tried yet have their RTT set to a random
+ * value between 0 ms and 7 ms; they should get to go first, but in
+ * unpredictable order.
+ */
+static inline void
+randomize_srtt(fetchctx_t *fctx, dns_adbaddrinfo_t *ai) {
+	if (TRIED(ai)) {
+		ai->srtt >>= 10; /* convert to milliseconds, near enough */
+		ai->srtt |= (ai->srtt & 0x80) | random_bits(fctx, 7);
+		ai->srtt <<= 10; /* now back to microseconds */
+	} else
+		ai->srtt = random_bits(fctx, 3) << 10;
+}
+
+/*
+ * Sort addrinfo list by RTT (with random jitter)
+ */
 static void
-sort_adbfind(dns_adbfind_t *find) {
+sort_adbfind(fetchctx_t *fctx, dns_adbfind_t *find) {
 	dns_adbaddrinfo_t *best, *curr;
 	dns_adbaddrinfolist_t sorted;
 
-	/*
-	 * Lame N^2 bubble sort.
-	 */
+	/* Add jitter to SRTT values */
+	curr = ISC_LIST_HEAD(find->list);
+	while (curr != NULL) {
+		randomize_srtt(fctx, curr);
+		curr = ISC_LIST_NEXT(curr, publink);
+	}
 
+	/* Lame N^2 bubble sort. */
 	ISC_LIST_INIT(sorted);
 	while (!ISC_LIST_EMPTY(find->list)) {
 		best = ISC_LIST_HEAD(find->list);
@@ -2011,39 +2284,25 @@ sort_adbfind(dns_adbfind_t *find) {
 	find->list = sorted;
 }
 
+/*
+ * Sort a list of finds by server RTT (with random jitter)
+ */
 static void
-sort_finds(fetchctx_t *fctx) {
+sort_finds(fetchctx_t *fctx, dns_adbfindlist_t *findlist) {
 	dns_adbfind_t *best, *curr;
 	dns_adbfindlist_t sorted;
 	dns_adbaddrinfo_t *addrinfo, *bestaddrinfo;
 
-	/*
-	 * Lame N^2 bubble sort.
-	 */
-
-	ISC_LIST_INIT(sorted);
-	while (!ISC_LIST_EMPTY(fctx->finds)) {
-		best = ISC_LIST_HEAD(fctx->finds);
-		bestaddrinfo = ISC_LIST_HEAD(best->list);
-		INSIST(bestaddrinfo != NULL);
-		curr = ISC_LIST_NEXT(best, publink);
-		while (curr != NULL) {
-			addrinfo = ISC_LIST_HEAD(curr->list);
-			INSIST(addrinfo != NULL);
-			if (addrinfo->srtt < bestaddrinfo->srtt) {
-				best = curr;
-				bestaddrinfo = addrinfo;
-			}
-			curr = ISC_LIST_NEXT(curr, publink);
-		}
-		ISC_LIST_UNLINK(fctx->finds, best, publink);
-		ISC_LIST_APPEND(sorted, best, publink);
-	}
-	fctx->finds = sorted;
+	/* Sort each find's addrinfo list by SRTT (after adding jitter) */
+	for (curr = ISC_LIST_HEAD(*findlist);
+	     curr != NULL;
+	     curr = ISC_LIST_NEXT(curr, publink))
+		sort_adbfind(fctx, curr);
 
+	/* Lame N^2 bubble sort. */
 	ISC_LIST_INIT(sorted);
-	while (!ISC_LIST_EMPTY(fctx->altfinds)) {
-		best = ISC_LIST_HEAD(fctx->altfinds);
+	while (!ISC_LIST_EMPTY(*findlist)) {
+		best = ISC_LIST_HEAD(*findlist);
 		bestaddrinfo = ISC_LIST_HEAD(best->list);
 		INSIST(bestaddrinfo != NULL);
 		curr = ISC_LIST_NEXT(best, publink);
@@ -2056,10 +2315,10 @@ sort_finds(fetchctx_t *fctx) {
 			}
 			curr = ISC_LIST_NEXT(curr, publink);
 		}
-		ISC_LIST_UNLINK(fctx->altfinds, best, publink);
+		ISC_LIST_UNLINK(*findlist, best, publink);
 		ISC_LIST_APPEND(sorted, best, publink);
 	}
-	fctx->altfinds = sorted;
+	*findlist = sorted;
 }
 
 static void
@@ -2103,6 +2362,7 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 			 * XXXRTH  Follow the CNAME/DNAME chain?
 			 */
 			dns_adb_destroyfind(&find);
+			fctx->adberr++;
 		}
 	} else if (!ISC_LIST_EMPTY(find->list)) {
 		/*
@@ -2110,7 +2370,6 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 		 * name.
 		 */
 		INSIST((find->options & DNS_ADBFIND_WANTEVENT) == 0);
-		sort_adbfind(find);
 		if (flags != 0 || port != 0) {
 			for (ai = ISC_LIST_HEAD(find->list);
 			     ai != NULL;
@@ -2147,6 +2406,11 @@ findname(fetchctx_t *fctx, dns_name_t *name, in_port_t port,
 			      find->result_v4 != DNS_R_NXDOMAIN)))
 				*need_alternate = ISC_TRUE;
 		} else {
+			if ((find->options & DNS_ADBFIND_LAMEPRUNED) != 0)
+				fctx->lamecount++; /* cached lame server */
+			else
+				fctx->adberr++; /* unreachable server, etc. */
+
 			/*
 			 * If we know there are no addresses for
 			 * the family we are using then try to add
@@ -2188,7 +2452,7 @@ fctx_getaddresses(fetchctx_t *fctx) {
 	}
 
 	res = fctx->res;
-	stdoptions = 0;		/* Keep compiler happy. */
+	stdoptions = 0;         /* Keep compiler happy. */
 
 	/*
 	 * Forwarders.
@@ -2379,7 +2643,8 @@ fctx_getaddresses(fetchctx_t *fctx) {
 		 * We've found some addresses.  We might still be looking
 		 * for more addresses.
 		 */
-		sort_finds(fctx);
+		sort_finds(fctx, &fctx->finds);
+		sort_finds(fctx, &fctx->altfinds);
 		result = ISC_R_SUCCESS;
 	}
 
@@ -2593,7 +2858,7 @@ fctx_nextaddress(fetchctx_t *fctx) {
 }
 
 static void
-fctx_try(fetchctx_t *fctx) {
+fctx_try(fetchctx_t *fctx, isc_boolean_t retrying) {
 	isc_result_t result;
 	dns_adbaddrinfo_t *addrinfo;
 
@@ -2623,7 +2888,7 @@ fctx_try(fetchctx_t *fctx) {
 			/*
 			 * Something bad happened.
 			 */
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 			return;
 		}
 
@@ -2633,14 +2898,16 @@ fctx_try(fetchctx_t *fctx) {
 		 * might be bad ones.  In this case, return SERVFAIL.
 		 */
 		if (addrinfo == NULL) {
-			fctx_done(fctx, DNS_R_SERVFAIL);
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			return;
 		}
 	}
 
 	result = fctx_query(fctx, addrinfo, fctx->options);
 	if (result != ISC_R_SUCCESS)
-		fctx_done(fctx, result);
+		fctx_done(fctx, result, __LINE__);
+	else if (retrying)
+		inc_stats(fctx->res, dns_resstatscounter_retry);
 }
 
 static isc_boolean_t
@@ -2738,12 +3005,16 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) {
 
 	FCTXTRACE("timeout");
 
+	inc_stats(fctx->res, dns_resstatscounter_querytimeout);
+
 	if (event->ev_type == ISC_TIMEREVENT_LIFE) {
-		fctx_done(fctx, ISC_R_TIMEDOUT);
+		fctx->reason = NULL;
+		fctx_done(fctx, ISC_R_TIMEDOUT, __LINE__);
 	} else {
 		isc_result_t result;
 
 		fctx->timeouts++;
+		fctx->timeout = ISC_TRUE;
 		/*
 		 * We could cancel the running queries here, or we could let
 		 * them keep going.  Since we normally use separate sockets for
@@ -2765,12 +3036,12 @@ fctx_timeout(isc_task_t *task, isc_event_t *event) {
 		 */
 		result = fctx_starttimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		else
 			/*
 			 * Keep trying.
 			 */
-			fctx_try(fctx);
+			fctx_try(fctx, ISC_TRUE);
 	}
 
 	isc_event_free(&event);
@@ -2860,7 +3131,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
 
 	if (fctx->state != fetchstate_done) {
 		fctx->state = fetchstate_done;
-		fctx_sendevents(fctx, ISC_R_CANCELED);
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
 	}
 
 	if (fctx->references == 0 && fctx->pending == 0 &&
@@ -2899,7 +3170,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 		 */
 		fctx->attributes |= FCTX_ATTR_SHUTTINGDOWN;
 		fctx->state = fetchstate_done;
-		fctx_sendevents(fctx, ISC_R_CANCELED);
+		fctx_sendevents(fctx, ISC_R_CANCELED, __LINE__);
 		/*
 		 * Since we haven't started, we INSIST that we have no
 		 * pending ADB finds and no pending validations.
@@ -2938,9 +3209,9 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
 		 */
 		result = fctx_starttimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		else
-			fctx_try(fctx);
+			fctx_try(fctx, ISC_FALSE);
 	} else if (bucket_empty)
 		empty_bucket(res);
 }
@@ -3026,8 +3297,8 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 		return (ISC_R_NOMEMORY);
 	dns_name_format(name, buf, sizeof(buf));
 	dns_rdatatype_format(type, typebuf, sizeof(typebuf));
-	strcat(buf, "/");	/* checked */
-	strcat(buf, typebuf);	/* checked */
+	strcat(buf, "/");       /* checked */
+	strcat(buf, typebuf);   /* checked */
 	fctx->info = isc_mem_strdup(res->buckets[bucketnum].mctx, buf);
 	if (fctx->info == NULL) {
 		result = ISC_R_NOMEMORY;
@@ -3070,10 +3341,27 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	fctx->altfind = NULL;
 	fctx->pending = 0;
 	fctx->restarts = 0;
+	fctx->querysent = 0;
+	fctx->referrals = 0;
+	TIME_NOW(&fctx->start);
 	fctx->timeouts = 0;
+	fctx->lamecount = 0;
+	fctx->adberr = 0;
+	fctx->neterr = 0;
+	fctx->badresp = 0;
+	fctx->findfail = 0;
+	fctx->valfail = 0;
+	fctx->result = ISC_R_FAILURE;
+	fctx->vresult = ISC_R_SUCCESS;
+	fctx->exitline = -1;	/* sentinel */
+	fctx->logged = ISC_FALSE;
 	fctx->attributes = 0;
 	fctx->spilled = ISC_FALSE;
 	fctx->nqueries = 0;
+	fctx->reason = NULL;
+	fctx->rand_buf = 0;
+	fctx->rand_bits = 0;
+	fctx->timeout = ISC_FALSE;
 
 	dns_name_init(&fctx->nsname, NULL);
 	fctx->nsfetch = NULL;
@@ -3162,7 +3450,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
 	/*
 	 * Compute an expiration time for the entire fetch.
 	 */
-	isc_interval_set(&interval, 30, 0);		/* XXXRTH constant */
+	isc_interval_set(&interval, 30, 0);             /* XXXRTH constant */
 	iresult = isc_time_nowplusinterval(&fctx->expires, &interval);
 	if (iresult != ISC_R_SUCCESS) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -3382,13 +3670,13 @@ clone_results(fetchctx_t *fctx) {
 	}
 }
 
-#define CACHE(r)	(((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
-#define ANSWER(r)	(((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
-#define ANSWERSIG(r)	(((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
-#define EXTERNAL(r)	(((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
-#define CHAINING(r)	(((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
-#define CHASE(r)	(((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
-#define CHECKNAMES(r)	(((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
+#define CACHE(r)        (((r)->attributes & DNS_RDATASETATTR_CACHE) != 0)
+#define ANSWER(r)       (((r)->attributes & DNS_RDATASETATTR_ANSWER) != 0)
+#define ANSWERSIG(r)    (((r)->attributes & DNS_RDATASETATTR_ANSWERSIG) != 0)
+#define EXTERNAL(r)     (((r)->attributes & DNS_RDATASETATTR_EXTERNAL) != 0)
+#define CHAINING(r)     (((r)->attributes & DNS_RDATASETATTR_CHAINING) != 0)
+#define CHASE(r)        (((r)->attributes & DNS_RDATASETATTR_CHASE) != 0)
+#define CHECKNAMES(r)   (((r)->attributes & DNS_RDATASETATTR_CHECKNAMES) != 0)
 
 
 /*
@@ -3397,7 +3685,7 @@ clone_results(fetchctx_t *fctx) {
  * was the last fctx in the resolver, destroy the resolver.
  *
  * Requires:
- *	'*fctx' is shutting down.
+ *      '*fctx' is shutting down.
  */
 static void
 maybe_destroy(fetchctx_t *fctx) {
@@ -3494,7 +3782,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 	 * so, destroy the fctx.
 	 */
 	if (SHUTTINGDOWN(fctx) && !sentresponse) {
-		maybe_destroy(fctx);	/* Locks bucket. */
+		maybe_destroy(fctx);    /* Locks bucket. */
 		goto cleanup_event;
 	}
 
@@ -3543,6 +3831,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 	if (vevent->result != ISC_R_SUCCESS) {
 		FCTXTRACE("validation failed");
+		inc_stats(fctx->res, dns_resstatscounter_valfail);
+		fctx->valfail++;
+		fctx->vresult = vevent->result;
 		result = ISC_R_NOTFOUND;
 		if (vevent->rdataset != NULL)
 			result = dns_db_findnode(fctx->cache, vevent->name,
@@ -3557,7 +3848,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 		if (result == ISC_R_SUCCESS)
 			dns_db_detachnode(fctx->cache, &node);
 		result = vevent->result;
-		add_bad(fctx, addrinfo, result);
+		add_bad(fctx, addrinfo, result, badns_validation);
 		isc_event_free(&event);
 		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		INSIST(fctx->validator == NULL);
@@ -3565,9 +3856,9 @@ validated(isc_task_t *task, isc_event_t *event) {
 		if (fctx->validator != NULL) {
 			dns_validator_send(fctx->validator);
 		} else if (sentresponse)
-			fctx_done(fctx, result);	/* Locks bucket. */
+			fctx_done(fctx, result, __LINE__); /* Locks bucket. */
 		else
-			fctx_try(fctx);			/* Locks bucket. */
+			fctx_try(fctx, ISC_TRUE);       /* Locks bucket. */
 		return;
 	}
 
@@ -3577,6 +3868,8 @@ validated(isc_task_t *task, isc_event_t *event) {
 		dns_rdatatype_t covers;
 		FCTXTRACE("nonexistence validation OK");
 
+		inc_stats(fctx->res, dns_resstatscounter_valnegsuccess);
+
 		if (fctx->rmessage->rcode == dns_rcode_nxdomain)
 			covers = dns_rdatatype_any;
 		else
@@ -3590,7 +3883,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * If we are asking for a SOA record set the cache time
 		 * to zero to facilitate locating the containing zone of
-		 * a arbitary zone.
+		 * a arbitrary zone.
 		 */
 		ttl = fctx->res->view->maxncachettl;
 		if (fctx->type == dns_rdatatype_soa &&
@@ -3599,12 +3892,13 @@ validated(isc_task_t *task, isc_event_t *event) {
 			ttl = 0;
 
 		result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-					   covers, now, ttl,
+					   covers, now, ttl, vevent->optout,
 					   ardataset, &eresult);
 		if (result != ISC_R_SUCCESS)
 			goto noanswer_response;
 		goto answer_response;
-	}
+	} else
+		inc_stats(fctx->res, dns_resstatscounter_valsuccess);
 
 	FCTXTRACE("validation OK");
 
@@ -3615,6 +3909,11 @@ validated(isc_task_t *task, isc_event_t *event) {
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		INSIST(vevent->sigrdataset != NULL);
 		vevent->sigrdataset->ttl = vevent->rdataset->ttl;
+		if (vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER] != NULL) {
+			result = dns_rdataset_addclosest(vevent->rdataset,
+				 vevent->proofs[DNS_VALIDATOR_CLOSESTENCLOSER]);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		}
 	}
 
 	/*
@@ -3654,7 +3953,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 		dns_db_detachnode(fctx->cache, &node);
 		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		if (SHUTTINGDOWN(fctx))
-			maybe_destroy(fctx);	/* Locks bucket. */
+			maybe_destroy(fctx);    /* Locks bucket. */
 		goto cleanup_event;
 	}
 
@@ -3744,7 +4043,7 @@ validated(isc_task_t *task, isc_event_t *event) {
 
 	UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 
-	fctx_done(fctx, result);	/* Locks bucket. */
+	fctx_done(fctx, result, __LINE__); /* Locks bucket. */
 
  cleanup_event:
 	INSIST(node == NULL);
@@ -3929,53 +4228,53 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 			rdataset->trust = dns_trust_pending;
 			if (sigrdataset != NULL)
 				sigrdataset->trust = dns_trust_pending;
-			if (!need_validation)
+			if (!need_validation || !ANSWER(rdataset)) {
 				addedrdataset = ardataset;
-			else
-				addedrdataset = NULL;
-			result = dns_db_addrdataset(fctx->cache, node, NULL,
-						    now, rdataset, 0,
-						    addedrdataset);
-			if (result == DNS_R_UNCHANGED) {
-				result = ISC_R_SUCCESS;
-				if (!need_validation &&
-				    ardataset != NULL &&
-				    ardataset->type == 0) {
-					/*
-					 * The answer in the cache is better
-					 * than the answer we found, and is
-					 * a negative cache entry, so we
-					 * must set eresult appropriately.
-					 */
-					if (NXDOMAIN(ardataset))
-						eresult = DNS_R_NCACHENXDOMAIN;
-					else
-						eresult = DNS_R_NCACHENXRRSET;
-					/*
-					 * We have a negative response from
-					 * the cache so don't attempt to
-					 * add the RRSIG rrset.
-					 */
-					continue;
-				}
-			}
-			if (result != ISC_R_SUCCESS)
-				break;
-			if (sigrdataset != NULL) {
-				if (!need_validation)
-					addedrdataset = asigrdataset;
-				else
-					addedrdataset = NULL;
-				result = dns_db_addrdataset(fctx->cache,
-							    node, NULL, now,
-							    sigrdataset, 0,
-							    addedrdataset);
-				if (result == DNS_R_UNCHANGED)
+				result = dns_db_addrdataset(fctx->cache, node,
+							    NULL, now, rdataset,
+							    0, addedrdataset);
+				if (result == DNS_R_UNCHANGED) {
 					result = ISC_R_SUCCESS;
+					if (!need_validation &&
+					    ardataset != NULL &&
+					    ardataset->type == 0) {
+						/*
+						 * The answer in the cache is
+						 * better than the answer we
+						 * found, and is a negative
+						 * cache entry, so we must set
+						 * eresult appropriately.
+						 */
+						if (NXDOMAIN(ardataset))
+							eresult =
+							   DNS_R_NCACHENXDOMAIN;
+						else
+							eresult =
+							   DNS_R_NCACHENXRRSET;
+						/*
+						 * We have a negative response
+						 * from the cache so don't
+						 * attempt to add the RRSIG
+						 * rrset.
+						 */
+						continue;
+					}
+				}
 				if (result != ISC_R_SUCCESS)
 					break;
-			} else if (!ANSWER(rdataset))
-				continue;
+				if (sigrdataset != NULL) {
+					addedrdataset = asigrdataset;
+					result = dns_db_addrdataset(fctx->cache,
+								node, NULL, now,
+								sigrdataset, 0,
+								addedrdataset);
+					if (result == DNS_R_UNCHANGED)
+						result = ISC_R_SUCCESS;
+					if (result != ISC_R_SUCCESS)
+						break;
+				} else if (!ANSWER(rdataset))
+					continue;
+			}
 
 			if (ANSWER(rdataset) && need_validation) {
 				if (fctx->type != dns_rdatatype_any &&
@@ -4011,7 +4310,7 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
 					 * Defer any further validations.
 					 * This prevents multiple validators
 					 * from manipulating fctx->rmessage
-					 * simultaniously.
+					 * simultaneously.
 					 */
 					valoptions |= DNS_VALIDATOR_DEFER;
 				}
@@ -4155,12 +4454,12 @@ cache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, isc_stdtime_t now)
 }
 
 /*
- * Do what dns_ncache_add() does, and then compute an appropriate eresult.
+ * Do what dns_ncache_addoptout() does, and then compute an appropriate eresult.
  */
 static isc_result_t
 ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		  dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl,
-		  dns_rdataset_t *ardataset,
+		  isc_boolean_t optout, dns_rdataset_t *ardataset,
 		  isc_result_t *eresultp)
 {
 	isc_result_t result;
@@ -4170,8 +4469,8 @@ ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node,
 		dns_rdataset_init(&rdataset);
 		ardataset = &rdataset;
 	}
-	result = dns_ncache_add(message, cache, node, covers, now,
-				maxttl, ardataset);
+	result = dns_ncache_addoptout(message, cache, node, covers, now,
+				     maxttl, optout, ardataset);
 	if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) {
 		/*
 		 * If the cache now contains a negative entry and we
@@ -4327,15 +4626,17 @@ ncache_message(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 	/*
 	 * If we are asking for a SOA record set the cache time
 	 * to zero to facilitate locating the containing zone of
-	 * a arbitary zone.
+	 * a arbitrary zone.
 	 */
 	ttl = fctx->res->view->maxncachettl;
 	if (fctx->type == dns_rdatatype_soa &&
-	    covers == dns_rdatatype_any)
+	    covers == dns_rdatatype_any &&
+	    fctx->res->zero_no_soa_ttl)
 		ttl = 0;
 
 	result = ncache_adderesult(fctx->rmessage, fctx->cache, node,
-				   covers, now, ttl, ardataset, &eresult);
+				   covers, now, ttl, ISC_FALSE,
+				   ardataset, &eresult);
 	if (result != ISC_R_SUCCESS)
 		goto unlock;
 
@@ -4710,7 +5011,8 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 				type = rdataset->type;
 				if (type == dns_rdatatype_rrsig)
 					type = rdataset->covers;
-				if (type == dns_rdatatype_nsec) {
+				if (type == dns_rdatatype_nsec ||
+				    type == dns_rdatatype_nsec3) {
 					/*
 					 * NSEC or RRSIG NSEC.
 					 */
@@ -4719,7 +5021,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 							DNS_NAMEATTR_NCACHE;
 						rdataset->attributes |=
 							DNS_RDATASETATTR_NCACHE;
-					} else {
+					} else if (type == dns_rdatatype_nsec) {
 						name->attributes |=
 							DNS_NAMEATTR_CACHE;
 						rdataset->attributes |=
@@ -4855,7 +5157,7 @@ noanswer_response(fetchctx_t *fctx, dns_name_t *oqname,
 		 * Set the current query domain to the referral name.
 		 *
 		 * XXXRTH  We should check if we're in forward-only mode, and
-		 *	   if so we should bail out.
+		 *		if so we should bail out.
 		 */
 		INSIST(dns_name_countlabels(&fctx->domain) > 0);
 		dns_name_free(&fctx->domain,
@@ -4931,6 +5233,13 @@ answer_response(fetchctx_t *fctx) {
 				found = ISC_FALSE;
 				want_chaining = ISC_FALSE;
 				aflag = 0;
+				if (rdataset->type == dns_rdatatype_nsec3) {
+					/*
+					 * NSEC3 records are not allowed to
+					 * appear in the answer section.
+					 */
+					return (DNS_R_FORMERR);
+				}
 				if (rdataset->type == type && !found_cname) {
 					/*
 					 * We've found an ordinary answer.
@@ -5157,7 +5466,7 @@ answer_response(fetchctx_t *fctx) {
 					 */
 					if (found_dname) {
 						/*
-						 * Copy the the dname into the
+						 * Copy the dname into the
 						 * qname fixed name.
 						 *
 						 * Although we check for
@@ -5311,7 +5620,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 	bucketnum = fctx->bucketnum;
 	if (fevent->result == ISC_R_CANCELED) {
 		dns_resolver_destroyfetch(&fctx->nsfetch);
-		fctx_done(fctx, ISC_R_CANCELED);
+		fctx_done(fctx, ISC_R_CANCELED, __LINE__);
 	} else if (fevent->result == ISC_R_SUCCESS) {
 
 		FCTXTRACE("resuming DS lookup");
@@ -5327,13 +5636,13 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 				      fctx->res->buckets[bucketnum].mctx,
 				      &fctx->domain);
 		if (result != ISC_R_SUCCESS) {
-			fctx_done(fctx, DNS_R_SERVFAIL);
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			goto cleanup;
 		}
 		/*
 		 * Try again.
 		 */
-		fctx_try(fctx);
+		fctx_try(fctx, ISC_TRUE);
 	} else {
 		unsigned int n;
 		dns_rdataset_t *nsrdataset = NULL;
@@ -5345,7 +5654,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 		domain = dns_fixedname_name(&fixed);
 		dns_name_copy(&fctx->nsfetch->private->domain, domain, NULL);
 		if (dns_name_equal(&fctx->nsname, domain)) {
-			fctx_done(fctx, DNS_R_SERVFAIL);
+			fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 			dns_resolver_destroyfetch(&fctx->nsfetch);
 			goto cleanup;
 		}
@@ -5372,7 +5681,7 @@ resume_dslookup(isc_task_t *task, isc_event_t *event) {
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		else {
 			LOCK(&res->buckets[bucketnum].lock);
 			locked = ISC_TRUE;
@@ -5439,6 +5748,65 @@ checknames(dns_message_t *message) {
 	checknamessection(message, DNS_SECTION_ADDITIONAL);
 }
 
+/*
+ * Log server NSID at log level 'level'
+ */
+static isc_result_t
+log_nsid(dns_rdataset_t *opt, resquery_t *query, int level, isc_mem_t *mctx)
+{
+	static const char hex[17] = "0123456789abcdef";
+	char addrbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_uint16_t optcode, nsid_len, buflen, i;
+	isc_result_t result;
+	isc_buffer_t nsidbuf;
+	dns_rdata_t rdata;
+	unsigned char *p, *buf, *nsid;
+
+	/* Extract rdata from OPT rdataset */
+	result = dns_rdataset_first(opt);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_R_FAILURE);
+
+	dns_rdata_init(&rdata);
+	dns_rdataset_current(opt, &rdata);
+	if (rdata.length < 4)
+		return (ISC_R_FAILURE);
+
+	/* Check for NSID */
+	isc_buffer_init(&nsidbuf, rdata.data, rdata.length);
+	isc_buffer_add(&nsidbuf, rdata.length);
+	optcode = isc_buffer_getuint16(&nsidbuf);
+	nsid_len = isc_buffer_getuint16(&nsidbuf);
+	if (optcode != DNS_OPT_NSID || nsid_len == 0)
+		return (ISC_R_FAILURE);
+
+	/* Allocate buffer for storing hex version of the NSID */
+	buflen = nsid_len * 2 + 1;
+	buf = isc_mem_get(mctx, buflen);
+	if (buf == NULL)
+		return (ISC_R_NOSPACE);
+
+	/* Convert to hex */
+	p = buf;
+	nsid = rdata.data + 4;
+	for (i = 0; i < nsid_len; i++) {
+		*p++ = hex[(nsid[0] >> 4) & 0xf];
+		*p++ = hex[nsid[0] & 0xf];
+		nsid++;
+	}
+	*p = '\0';
+
+	isc_sockaddr_format(&query->addrinfo->sockaddr, addrbuf,
+			    sizeof(addrbuf));
+	isc_log_write(dns_lctx, DNS_LOGCATEGORY_RESOLVER,
+		      DNS_LOGMODULE_RESOLVER, level,
+		      "received NSID '%s' from %s", buf, addrbuf);
+
+	/* Clean up */
+	isc_mem_put(mctx, buf, buflen);
+	return (ISC_R_SUCCESS);
+}
+
 static void
 log_packet(dns_message_t *message, int level, isc_mem_t *mctx) {
 	isc_buffer_t buffer;
@@ -5484,6 +5852,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	isc_boolean_t keep_trying, get_nameservers, resend;
 	isc_boolean_t truncated;
 	dns_message_t *message;
+	dns_rdataset_t *opt;
 	fetchctx_t *fctx;
 	dns_name_t *fname;
 	dns_fixedname_t foundname;
@@ -5493,6 +5862,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	unsigned int options;
 	unsigned int findoptions;
 	isc_result_t broken_server;
+	badnstype_t broken_type = badns_response;
 
 	REQUIRE(VALID_QUERY(query));
 	fctx = query->fctx;
@@ -5502,6 +5872,11 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 
 	QTRACE("response");
 
+	if (isc_sockaddr_pf(&query->addrinfo->sockaddr) == PF_INET)
+		inc_stats(fctx->res, dns_resstatscounter_responsev4);
+	else
+		inc_stats(fctx->res, dns_resstatscounter_responsev6);
+
 	(void)isc_timer_touch(fctx->timer);
 
 	keep_trying = ISC_FALSE;
@@ -5517,11 +5892,12 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	fctx->timeouts = 0;
+	fctx->timeout = ISC_FALSE;
 
 	/*
 	 * XXXRTH  We should really get the current time just once.  We
-	 *	   need a routine to convert from an isc_time_t to an
-	 *	   isc_stdtime_t.
+	 *		need a routine to convert from an isc_time_t to an
+	 *		isc_stdtime_t.
 	 */
 	TIME_NOW(&tnow);
 	finish = &tnow;
@@ -5564,6 +5940,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			     devent->result == ISC_R_CONNREFUSED ||
 			     devent->result == ISC_R_CANCELED)) {
 				    broken_server = devent->result;
+				    broken_type = badns_unreachable;
 			}
 		}
 		goto done;
@@ -5616,6 +5993,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 							query->addrinfo,
 							DNS_FETCHOPT_NOEDNS0,
 							DNS_FETCHOPT_NOEDNS0);
+					inc_stats(fctx->res,
+						 dns_resstatscounter_edns0fail);
 				} else {
 					broken_server = result;
 					keep_trying = ISC_TRUE;
@@ -5644,6 +6023,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 						    query->addrinfo,
 						    DNS_FETCHOPT_NOEDNS0,
 						    DNS_FETCHOPT_NOEDNS0);
+				inc_stats(fctx->res,
+						 dns_resstatscounter_edns0fail);
 			} else {
 				broken_server = DNS_R_UNEXPECTEDRCODE;
 				keep_trying = ISC_TRUE;
@@ -5657,12 +6038,21 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		}
 	}
 
+
 	/*
 	 * Log the incoming packet.
 	 */
 	log_packet(message, ISC_LOG_DEBUG(10), fctx->res->mctx);
 
 	/*
+	 * Did we request NSID?  If so, and if the response contains
+	 * NSID data, log it at INFO level.
+	 */
+	opt = dns_message_getopt(message);
+	if (opt != NULL && (query->options & DNS_FETCHOPT_WANTNSID) != 0)
+		log_nsid(opt, query, ISC_LOG_INFO, fctx->res->mctx);
+
+	/*
 	 * If the message is signed, check the signature.  If not, this
 	 * returns success anyway.
 	 */
@@ -5690,6 +6080,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		truncated = ISC_TRUE;
 
 	if (truncated) {
+		inc_stats(fctx->res, dns_resstatscounter_truncated);
 		if ((options & DNS_FETCHOPT_TCP) != 0) {
 			broken_server = DNS_R_TRUNCATEDTCP;
 			keep_trying = ISC_TRUE;
@@ -5711,6 +6102,26 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	}
 
 	/*
+	 * Update statistics about erroneous responses.
+	 */
+	if (message->rcode != dns_rcode_noerror) {
+		switch (message->rcode) {
+		case dns_rcode_nxdomain:
+			inc_stats(fctx->res, dns_resstatscounter_nxdomain);
+			break;
+		case dns_rcode_servfail:
+			inc_stats(fctx->res, dns_resstatscounter_servfail);
+			break;
+		case dns_rcode_formerr:
+			inc_stats(fctx->res, dns_resstatscounter_formerr);
+			break;
+		default:
+			inc_stats(fctx->res, dns_resstatscounter_othererror);
+			break;
+		}
+	}
+
+	/*
 	 * Is the remote server broken, or does it dislike us?
 	 */
 	if (message->rcode != dns_rcode_noerror &&
@@ -5728,8 +6139,8 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * reasons.
 			 *
 			 * XXXRTH  We should check if the question
-			 *	   we're asking requires EDNS0, and
-			 *	   if so, we should bail out.
+			 *		we're asking requires EDNS0, and
+			 *		if so, we should bail out.
 			 */
 			options |= DNS_FETCHOPT_NOEDNS0;
 			resend = ISC_TRUE;
@@ -5740,6 +6151,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				dns_adb_changeflags(fctx->adb, query->addrinfo,
 						    DNS_FETCHOPT_NOEDNS0,
 						    DNS_FETCHOPT_NOEDNS0);
+			inc_stats(fctx->res, dns_resstatscounter_edns0fail);
 		} else if (message->rcode == dns_rcode_formerr) {
 			if (ISFORWARDER(query->addrinfo)) {
 				/*
@@ -5767,12 +6179,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 */
 			result = DNS_R_YXDOMAIN;
 		} else if (message->rcode == dns_rcode_badvers) {
-			dns_rdataset_t *opt;
 			unsigned int flags, mask;
 			unsigned int version;
 
 			resend = ISC_TRUE;
-			opt = dns_message_getopt(message);
 			version = (opt->ttl >> 16) & 0xff;
 			flags = (version << DNS_FETCHOPT_EDNSVERSIONSHIFT) |
 				DNS_FETCHOPT_EDNSVERSIONSET;
@@ -5815,6 +6225,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 	 */
 	if (fctx->res->lame_ttl != 0 && !ISFORWARDER(query->addrinfo) &&
 	    is_lame(fctx)) {
+		inc_stats(fctx->res, dns_resstatscounter_lame);
 		log_lame(fctx, query->addrinfo);
 		result = dns_adb_marklame(fctx->adb, query->addrinfo,
 					  &fctx->name, fctx->type,
@@ -5928,6 +6339,18 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * has not experienced any restarts yet.
 			 */
 			fctx->restarts = 0;
+
+			/*
+			 * Update local statistics counters collected for each
+			 * new zone.
+			 */
+			fctx->referrals++;
+			fctx->querysent = 0;
+			fctx->lamecount = 0;
+			fctx->neterr = 0;
+			fctx->badresp = 0;
+			fctx->adberr = 0;
+
 			result = ISC_R_SUCCESS;
 		} else if (result != ISC_R_SUCCESS) {
 			/*
@@ -6001,7 +6424,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			 * Add this server to the list of bad servers for
 			 * this fctx.
 			 */
-			add_bad(fctx, addrinfo, broken_server);
+			add_bad(fctx, addrinfo, broken_server, broken_type);
 		}
 
 		if (get_nameservers) {
@@ -6009,7 +6432,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 			dns_fixedname_init(&foundname);
 			fname = dns_fixedname_name(&foundname);
 			if (result != ISC_R_SUCCESS) {
-				fctx_done(fctx, DNS_R_SERVFAIL);
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 				return;
 			}
 			findoptions = 0;
@@ -6027,7 +6450,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 						      NULL);
 			if (result != ISC_R_SUCCESS) {
 				FCTXTRACE("couldn't find a zonecut");
-				fctx_done(fctx, DNS_R_SERVFAIL);
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 				return;
 			}
 			if (!dns_name_issubdomain(fname, &fctx->domain)) {
@@ -6036,7 +6459,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 				 * QDOMAIN.
 				 */
 				FCTXTRACE("nameservers now above QDOMAIN");
-				fctx_done(fctx, DNS_R_SERVFAIL);
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 				return;
 			}
 			dns_name_free(&fctx->domain,
@@ -6046,7 +6469,7 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 					      fctx->res->buckets[fctx->bucketnum].mctx,
 					      &fctx->domain);
 			if (result != ISC_R_SUCCESS) {
-				fctx_done(fctx, DNS_R_SERVFAIL);
+				fctx_done(fctx, DNS_R_SERVFAIL, __LINE__);
 				return;
 			}
 			fctx_cancelqueries(fctx, ISC_TRUE);
@@ -6058,15 +6481,16 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		/*
 		 * Try again.
 		 */
-		fctx_try(fctx);
+		fctx_try(fctx, !get_nameservers);
 	} else if (resend) {
 		/*
 		 * Resend (probably with changed options).
 		 */
 		FCTXTRACE("resend");
+		inc_stats(fctx->res, dns_resstatscounter_retry);
 		result = fctx_query(fctx, addrinfo, options);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 	} else if (result == ISC_R_SUCCESS && !HAVE_ANSWER(fctx)) {
 		/*
 		 * All has gone well so far, but we are waiting for the
@@ -6080,10 +6504,10 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 		 */
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 	} else if (result == DNS_R_CHASEDSSERVERS) {
 		unsigned int n;
-		add_bad(fctx, addrinfo, result);
+		add_bad(fctx, addrinfo, result, broken_type);
 		fctx_cancelqueries(fctx, ISC_TRUE);
 		fctx_cleanupfinds(fctx);
 		fctx_cleanupforwaddrs(fctx);
@@ -6100,18 +6524,18 @@ resquery_response(isc_task_t *task, isc_event_t *event) {
 						  &fctx->nsrrset, NULL,
 						  &fctx->nsfetch);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 		LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		fctx->references++;
 		UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
 		result = fctx_stopidletimer(fctx);
 		if (result != ISC_R_SUCCESS)
-			fctx_done(fctx, result);
+			fctx_done(fctx, result, __LINE__);
 	} else {
 		/*
 		 * We're done.
 		 */
-		fctx_done(fctx, result);
+		fctx_done(fctx, result, __LINE__);
 	}
 }
 
@@ -6284,7 +6708,8 @@ dns_resolver_create(dns_view_t *view,
 	res->spillatmax = 100;
 	res->spillattimer = NULL;
 	res->zero_no_soa_ttl = ISC_FALSE;
-
+	res->ndisps = 0;
+	res->nextdisp = 0; /* meaningless at this point, but init it */
 	res->nbuckets = ntasks;
 	res->activebuckets = ntasks;
 	res->buckets = isc_mem_get(view->mctx,
@@ -6304,13 +6729,23 @@ dns_resolver_create(dns_view_t *view,
 			goto cleanup_buckets;
 		}
 		res->buckets[i].mctx = NULL;
+		snprintf(name, sizeof(name), "res%u", i);
+#ifdef ISC_PLATFORM_USETHREADS
+		/*
+		 * Use a separate memory context for each bucket to reduce
+		 * contention among multiple threads.  Do this only when
+		 * enabling threads because it will be require more memory.
+		 */
 		result = isc_mem_create(0, 0, &res->buckets[i].mctx);
 		if (result != ISC_R_SUCCESS) {
 			isc_task_detach(&res->buckets[i].task);
 			DESTROYLOCK(&res->buckets[i].lock);
 			goto cleanup_buckets;
 		}
-		snprintf(name, sizeof(name), "res%u", i);
+		isc_mem_setname(res->buckets[i].mctx, name, NULL);
+#else
+		isc_mem_attach(view->mctx, &res->buckets[i].mctx);
+#endif
 		isc_task_setname(res->buckets[i].task, name, res);
 		ISC_LIST_INIT(res->buckets[i].fctxs);
 		res->buckets[i].exiting = ISC_FALSE;
@@ -6356,14 +6791,14 @@ dns_resolver_create(dns_view_t *view,
 	task = NULL;
 	result = isc_task_create(taskmgr, 0, &task);
 	if (result != ISC_R_SUCCESS)
-		 goto cleanup_primelock;
+		goto cleanup_primelock;
 
 	result = isc_timer_create(timermgr, isc_timertype_inactive, NULL, NULL,
 				  task, spillattimer_countdown, res,
 				  &res->spillattimer);
 	isc_task_detach(&task);
 	if (result != ISC_R_SUCCESS)
-		 goto cleanup_primelock;
+		goto cleanup_primelock;
 
 #if USE_ALGLOCK
 	result = isc_rwlock_init(&res->alglock, 0, 0);
@@ -6973,6 +7408,47 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
 		empty_bucket(res);
 }
 
+void
+dns_resolver_logfetch(dns_fetch_t *fetch, isc_log_t *lctx,
+		      isc_logcategory_t *category, isc_logmodule_t *module,
+		      int level, isc_boolean_t duplicateok)
+{
+	fetchctx_t *fctx;
+	dns_resolver_t *res;
+	char domainbuf[DNS_NAME_FORMATSIZE];
+
+	REQUIRE(DNS_FETCH_VALID(fetch));
+	fctx = fetch->private;
+	REQUIRE(VALID_FCTX(fctx));
+	res = fctx->res;
+
+	LOCK(&res->buckets[fctx->bucketnum].lock);
+
+	INSIST(fctx->exitline >= 0);
+	if (!fctx->logged || duplicateok) {
+		dns_name_format(&fctx->domain, domainbuf, sizeof(domainbuf));
+		isc_log_write(lctx, category, module, level,
+			      "fetch completed at %s:%d for %s in "
+			      "%" ISC_PRINT_QUADFORMAT "u."
+			      "%06" ISC_PRINT_QUADFORMAT "u: %s/%s "
+			      "[domain:%s,referral:%u,restart:%u,qrysent:%u,"
+			      "timeout:%u,lame:%u,neterr:%u,badresp:%u,"
+			      "adberr:%u,findfail:%u,valfail:%u]",
+			      __FILE__, fctx->exitline, fctx->info,
+			      fctx->duration / 1000000,
+			      fctx->duration % 1000000,
+			      isc_result_totext(fctx->result),
+			      isc_result_totext(fctx->vresult), domainbuf,
+			      fctx->referrals, fctx->restarts,
+			      fctx->querysent, fctx->timeouts, fctx->lamecount,
+			      fctx->neterr, fctx->badresp, fctx->adberr,
+			      fctx->findfail, fctx->valfail);
+		fctx->logged = ISC_TRUE;
+	}
+
+	UNLOCK(&res->buckets[fctx->bucketnum].lock);
+}
+
 dns_dispatchmgr_t *
 dns_resolver_dispatchmgr(dns_resolver_t *resolver) {
 	REQUIRE(VALID_RESOLVER(resolver));
@@ -7296,3 +7772,10 @@ dns_resolver_setzeronosoattl(dns_resolver_t *resolver, isc_boolean_t state) {
 
 	resolver->zero_no_soa_ttl = state;
 }
+
+unsigned int
+dns_resolver_getoptions(dns_resolver_t *resolver) {
+	REQUIRE(VALID_RESOLVER(resolver));
+
+	return (resolver->options);
+}
diff --git a/lib/dns/result.c b/lib/dns/result.c
index fdb58e0..54c70e0 100644
--- a/lib/dns/result.c
+++ b/lib/dns/result.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.115.10.7 2005/06/17 02:04:31 marka Exp $ */
+/* $Id: result.c,v 1.125 2008/09/25 04:02:38 tbox Exp $ */
 
 /*! \file */
 
@@ -155,7 +155,8 @@ static const char *text[DNS_R_NRESULTS] = {
 	"must-be-secure",		       /*%< 100 DNS_R_MUSTBESECURE */
 	"covering NSEC record returned",       /*%< 101 DNS_R_COVERINGNSEC */
 	"MX is an address",		       /*%< 102 DNS_R_MXISADDRESS */
-	"duplicate query"		       /*%< 103 DNS_R_DUPLICATE */
+	"duplicate query",		       /*%< 103 DNS_R_DUPLICATE */
+	"invalid NSEC3 owner name (wildcard)", /*%< 104 DNS_R_INVALIDNSEC3 */
 };
 
 static const char *rcode_text[DNS_R_NRCODERESULTS] = {
diff --git a/lib/dns/rootns.c b/lib/dns/rootns.c
index a988bea..3c50a18 100644
--- a/lib/dns/rootns.c
+++ b/lib/dns/rootns.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rootns.c,v 1.26.18.7 2008/02/05 23:46:09 tbox Exp $ */
+/* $Id: rootns.c,v 1.36 2008/09/24 02:46:22 marka Exp $ */
 
 /*! \file */
 
@@ -97,6 +97,7 @@ in_rootns(dns_rdataset_t *rootns, dns_name_t *name) {
 		if (dns_name_compare(name, &ns.name) == 0)
 			return (ISC_R_SUCCESS);
 		result = dns_rdataset_next(rootns);
+		dns_rdata_reset(&rdata);
 	}
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_NOTFOUND;
@@ -158,7 +159,7 @@ check_hints(dns_db_t *db) {
 	dns_rdataset_init(&rootns);
 	(void)dns_db_find(db, dns_rootname, NULL, dns_rdatatype_ns, 0,
 			  now, NULL, name, &rootns, NULL);
-	result = dns_db_createiterator(db, ISC_FALSE, &dbiter);
+	result = dns_db_createiterator(db, 0, &dbiter);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup;
 	result = dns_dbiterator_first(dbiter);
@@ -338,6 +339,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
 		result = dns_rdataset_first(&rootrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&rootrrset, &rdata);
 			if (!inrrset(&hintrrset, &rdata))
 				report(view, name, ISC_TRUE, &rdata);
@@ -345,6 +347,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 		}
 		result = dns_rdataset_first(&hintrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&hintrrset, &rdata);
 			if (!inrrset(&rootrrset, &rdata))
 				report(view, name, ISC_FALSE, &rdata);
@@ -355,6 +358,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
 		result = dns_rdataset_first(&rootrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&rootrrset, &rdata);
 			report(view, name, ISC_TRUE, &rdata);
 			result = dns_rdataset_next(&rootrrset);
@@ -377,6 +381,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
 		result = dns_rdataset_first(&rootrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&rootrrset, &rdata);
 			if (!inrrset(&hintrrset, &rdata))
 				report(view, name, ISC_TRUE, &rdata);
@@ -385,6 +390,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 		}
 		result = dns_rdataset_first(&hintrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&hintrrset, &rdata);
 			if (!inrrset(&rootrrset, &rdata))
 				report(view, name, ISC_FALSE, &rdata);
@@ -396,6 +402,7 @@ check_address_records(dns_view_t *view, dns_db_t *hints, dns_db_t *db,
 	    (rresult == ISC_R_SUCCESS || rresult == DNS_R_GLUE)) {
 		result = dns_rdataset_first(&rootrrset);
 		while (result == ISC_R_SUCCESS) {
+			dns_rdata_reset(&rdata);
 			dns_rdataset_current(&rootrrset, &rdata);
 			report(view, name, ISC_TRUE, &rdata);
 			dns_rdata_reset(&rdata);
diff --git a/lib/dns/sdb.c b/lib/dns/sdb.c
index effb2bf..03fca9e 100644
--- a/lib/dns/sdb.c
+++ b/lib/dns/sdb.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdb.c,v 1.45.18.16 2008/01/17 23:45:58 tbox Exp $ */
+/* $Id: sdb.c,v 1.66.48.2 2009/04/21 23:47:18 tbox Exp $ */
 
 /*! \file */
 
@@ -880,9 +880,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				{
 					result = DNS_R_ZONECUT;
 					dns_rdataset_disassociate(rdataset);
-					if (sigrdataset != NULL)
+					if (sigrdataset != NULL &&
+					    dns_rdataset_isassociated
+							(sigrdataset)) {
 						dns_rdataset_disassociate
 								(sigrdataset);
+					}
 				} else
 					result = DNS_R_DELEGATION;
 				break;
@@ -1035,8 +1038,7 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 }
 
 static isc_result_t
-createiterator(dns_db_t *db, isc_boolean_t relative_names,
-	       dns_dbiterator_t **iteratorp)
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
 {
 	dns_sdb_t *sdb = (dns_sdb_t *)db;
 	sdb_dbiterator_t *sdbiter;
@@ -1048,6 +1050,10 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	if (imp->methods->allnodes == NULL)
 		return (ISC_R_NOTIMPLEMENTED);
 
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+		return (ISC_R_NOTIMPLEMENTED);
+
 	sdbiter = isc_mem_get(sdb->common.mctx, sizeof(sdb_dbiterator_t));
 	if (sdbiter == NULL)
 		return (ISC_R_NOMEMORY);
@@ -1055,7 +1061,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	sdbiter->common.methods = &dbiterator_methods;
 	sdbiter->common.db = NULL;
 	dns_db_attach(db, &sdbiter->common.db);
-	sdbiter->common.relative_names = relative_names;
+	sdbiter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES);
 	sdbiter->common.magic = DNS_DBITERATOR_MAGIC;
 	ISC_LIST_INIT(sdbiter->nodelist);
 	sdbiter->current = NULL;
@@ -1246,6 +1252,14 @@ static dns_dbmethods_t sdb_methods = {
 	ispersistent,
 	overmem,
 	settask,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -1371,6 +1385,8 @@ static dns_rdatasetmethods_t methods = {
 	isc__rdatalist_getnoqname,
 	NULL,
 	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
diff --git a/lib/dns/sdlz.c b/lib/dns/sdlz.c
index b91f825..89cd0ee 100644
--- a/lib/dns/sdlz.c
+++ b/lib/dns/sdlz.c
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2005-2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -50,7 +50,7 @@
  * USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sdlz.c,v 1.2.2.11 2007/08/28 07:20:05 tbox Exp $ */
+/* $Id: sdlz.c,v 1.18.50.2 2009/04/21 23:47:18 tbox Exp $ */
 
 /*! \file */
 
@@ -667,8 +667,7 @@ printnode(dns_db_t *db, dns_dbnode_t *node, FILE *out) {
 }
 
 static isc_result_t
-createiterator(dns_db_t *db, isc_boolean_t relative_names,
-	       dns_dbiterator_t **iteratorp)
+createiterator(dns_db_t *db, unsigned int options, dns_dbiterator_t **iteratorp)
 {
 	dns_sdlz_db_t *sdlz = (dns_sdlz_db_t *)db;
 	sdlz_dbiterator_t *sdlziter;
@@ -681,6 +680,10 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	if (sdlz->dlzimp->methods->allnodes == NULL)
 		return (ISC_R_NOTIMPLEMENTED);
 
+	if ((options & DNS_DB_NSEC3ONLY) != 0 ||
+	    (options & DNS_DB_NONSEC3) != 0)
+		 return (ISC_R_NOTIMPLEMENTED);
+
 	isc_buffer_init(&b, zonestr, sizeof(zonestr));
 	result = dns_name_totext(&sdlz->common.origin, ISC_TRUE, &b);
 	if (result != ISC_R_SUCCESS)
@@ -694,7 +697,7 @@ createiterator(dns_db_t *db, isc_boolean_t relative_names,
 	sdlziter->common.methods = &dbiterator_methods;
 	sdlziter->common.db = NULL;
 	dns_db_attach(db, &sdlziter->common.db);
-	sdlziter->common.relative_names = relative_names;
+	sdlziter->common.relative_names = ISC_TF(options & DNS_DB_RELATIVENAMES);
 	sdlziter->common.magic = DNS_DBITERATOR_MAGIC;
 	ISC_LIST_INIT(sdlziter->nodelist);
 	sdlziter->current = NULL;
@@ -841,9 +844,12 @@ find(dns_db_t *db, dns_name_t *name, dns_dbversion_t *version,
 				{
 					result = DNS_R_ZONECUT;
 					dns_rdataset_disassociate(rdataset);
-					if (sigrdataset != NULL)
+					if (sigrdataset != NULL &&
+					    dns_rdataset_isassociated
+							(sigrdataset)) {
 						dns_rdataset_disassociate
 							(sigrdataset);
+					}
 				} else
 					result = DNS_R_DELEGATION;
 				break;
@@ -1051,6 +1057,14 @@ static dns_dbmethods_t sdlzdb_methods = {
 	overmem,
 	settask,
 	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL,
+	NULL
 };
 
 /*
@@ -1193,6 +1207,8 @@ static dns_rdatasetmethods_t rdataset_methods = {
 	isc__rdatalist_getnoqname,
 	NULL,
 	NULL,
+	NULL,
+	NULL,
 	NULL
 };
 
@@ -1327,7 +1343,7 @@ dns_sdlzallowzonexfr(void *driverarg, void *dbdata, isc_mem_t *mctx,
 		return (result);
 	isc_buffer_putuint8(&b2, 0);
 
-        /* make sure strings are always lowercase */
+	/* make sure strings are always lowercase */
 	dns_sdlz_tolower(namestr);
 	dns_sdlz_tolower(clientstr);
 
@@ -1440,7 +1456,7 @@ dns_sdlzfindzone(void *driverarg, void *dbdata, isc_mem_t *mctx,
 		return (result);
 	isc_buffer_putuint8(&b, 0);
 
-        /* make sure strings are always lowercase */
+	/* make sure strings are always lowercase */
 	dns_sdlz_tolower(namestr);
 
 	/* Call SDLZ driver's find zone method */
@@ -1571,7 +1587,7 @@ dns_sdlz_putrr(dns_sdlzlookup_t *lookup, const char *type, dns_ttl_t ttl,
 	return (ISC_R_SUCCESS);
 
  failure:
- 	if (rdatabuf != NULL)
+	if (rdatabuf != NULL)
 		isc_buffer_free(&rdatabuf);
 	if (lex != NULL)
 		isc_lex_destroy(&lex);
diff --git a/lib/dns/soa.c b/lib/dns/soa.c
index 20198c0..83a1c17 100644
--- a/lib/dns/soa.c
+++ b/lib/dns/soa.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: soa.c,v 1.4.18.2 2005/04/29 00:16:05 marka Exp $ */
+/* $Id: soa.c,v 1.8 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/spnego.asn1 b/lib/dns/spnego.asn1
new file mode 100644
index 0000000..43d152b
--- /dev/null
+++ b/lib/dns/spnego.asn1
@@ -0,0 +1,52 @@
+-- Copyright (C) The Internet Society 2005.  This version of
+-- this module is part of RFC 4178; see the RFC itself for
+-- full legal notices.
+
+-- (The above copyright notice is per RFC 3978 5.6 (a), q.v.)
+
+-- $Id: spnego.asn1,v 1.2 2006/12/04 01:52:46 marka Exp $
+
+-- This is the SPNEGO ASN.1 module from RFC 4178, tweaked
+-- to get the Heimdal ASN.1 compiler to accept it.
+
+SPNEGOASNOneSpec DEFINITIONS ::= BEGIN
+
+MechType ::= OBJECT IDENTIFIER
+
+MechTypeList ::= SEQUENCE OF MechType
+
+ContextFlags ::= BIT STRING {
+    delegFlag       (0),
+    mutualFlag      (1),
+    replayFlag      (2),
+    sequenceFlag    (3),
+    anonFlag        (4),
+    confFlag        (5),
+    integFlag       (6)
+}
+
+NegTokenInit ::= SEQUENCE {
+    mechTypes       [0] MechTypeList,
+    reqFlags        [1] ContextFlags  OPTIONAL,
+    mechToken       [2] OCTET STRING  OPTIONAL,
+    mechListMIC     [3] OCTET STRING  OPTIONAL
+}
+
+NegTokenResp ::= SEQUENCE {
+    negState       [0] ENUMERATED {
+	accept-completed    (0),
+	accept-incomplete   (1),
+	reject              (2),
+	request-mic         (3)
+    }                                 OPTIONAL,
+    supportedMech   [1] MechType      OPTIONAL,
+    responseToken   [2] OCTET STRING  OPTIONAL,
+    mechListMIC     [3] OCTET STRING  OPTIONAL
+}
+
+NegotiationToken ::= CHOICE {
+    negTokenInit    [0] NegTokenInit,
+    negTokenResp    [1] NegTokenResp
+}
+
+END
diff --git a/lib/dns/spnego.c b/lib/dns/spnego.c
new file mode 100644
index 0000000..0ae6ea2
--- /dev/null
+++ b/lib/dns/spnego.c
@@ -0,0 +1,1792 @@
+/*
+ * Copyright (C) 2006-2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego.c,v 1.8.118.2 2009/01/18 23:47:40 tbox Exp $ */
+
+/*! \file
+ * \brief
+ * Portable SPNEGO implementation.
+ *
+ * This is part of a portable implementation of the SPNEGO protocol
+ * (RFCs 2478 and 4178).  This implementation uses the RFC 4178 ASN.1
+ * module but is not a full implementation of the RFC 4178 protocol;
+ * at the moment, we only support GSS-TSIG with Kerberos
+ * authentication, so we only need enough of the SPNEGO protocol to
+ * support that.
+ *
+ * The files that make up this portable SPNEGO implementation are:
+ * \li	spnego.c	(this file)
+ * \li	spnego.h	(API SPNEGO exports to the rest of lib/dns)
+ * \li	spnego.asn1	(SPNEGO ASN.1 module)
+ * \li	spnego_asn1.c	(routines generated from spngo.asn1)
+ * \li	spnego_asn1.pl	(perl script to generate spnego_asn1.c)
+ *
+ * Everything but the functions exported in spnego.h is static, to
+ * avoid possible conflicts with other libraries (particularly Heimdal,
+ * since much of this code comes from Heimdal by way of mod_auth_kerb).
+ *
+ * spnego_asn1.c is shipped as part of lib/dns because generating it
+ * requires both Perl and the Heimdal ASN.1 compiler.  See
+ * spnego_asn1.pl for further details.  We've tried to eliminate all
+ * compiler warnings from the generated code, but you may see a few
+ * when using a compiler version we haven't tested yet.
+ */
+
+/*
+ * Portions of this code were derived from mod_auth_kerb and Heimdal.
+ * These packages are available from:
+ *
+ *   http://modauthkerb.sourceforge.net/
+ *   http://www.pdc.kth.se/heimdal/
+ *
+ * and were released under the following licenses:
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 2004 Masarykova universita
+ * (Masaryk University, Brno, Czech Republic)
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the University nor the names of its contributors may
+ *    be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * ----------------------------------------------------------------
+ *
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * XXXSRA We should omit this file entirely in Makefile.in via autoconf,
+ * but this will keep it from generating errors until that's written.
+ */
+
+#ifdef GSSAPI
+
+/*
+ * XXXSRA Some of the following files are almost certainly unnecessary,
+ * but using this list (borrowed from gssapictx.c) gets rid of some
+ * whacky compilation errors when building with MSVC and should be
+ * harmless in any case.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <errno.h>
+
+#include <isc/buffer.h>
+#include <isc/dir.h>
+#include <isc/entropy.h>
+#include <isc/lex.h>
+#include <isc/mem.h>
+#include <isc/once.h>
+#include <isc/random.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/rdata.h>
+#include <dns/rdataclass.h>
+#include <dns/result.h>
+#include <dns/types.h>
+#include <dns/keyvalues.h>
+#include <dns/log.h>
+
+#include <dst/gssapi.h>
+#include <dst/result.h>
+
+#include "dst_internal.h"
+
+/*
+ * The API we export
+ */
+#include "spnego.h"
+
+/* asn1_err.h */
+/* Generated from ../../../lib/asn1/asn1_err.et */
+
+typedef enum asn1_error_number {
+	ASN1_BAD_TIMEFORMAT = 1859794432,
+	ASN1_MISSING_FIELD = 1859794433,
+	ASN1_MISPLACED_FIELD = 1859794434,
+	ASN1_TYPE_MISMATCH = 1859794435,
+	ASN1_OVERFLOW = 1859794436,
+	ASN1_OVERRUN = 1859794437,
+	ASN1_BAD_ID = 1859794438,
+	ASN1_BAD_LENGTH = 1859794439,
+	ASN1_BAD_FORMAT = 1859794440,
+	ASN1_PARSE_ERROR = 1859794441
+} asn1_error_number;
+
+#define ERROR_TABLE_BASE_asn1 1859794432
+
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+	size_t length;
+	void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+	size_t length;
+	unsigned *components;
+} oid;
+
+/* der.h */
+
+typedef enum {
+	ASN1_C_UNIV = 0, ASN1_C_APPL = 1,
+	ASN1_C_CONTEXT = 2, ASN1_C_PRIVATE = 3
+} Der_class;
+
+typedef enum {
+	PRIM = 0, CONS = 1
+} Der_type;
+
+/* Universal tags */
+
+enum {
+	UT_Boolean = 1,
+	UT_Integer = 2,
+	UT_BitString = 3,
+	UT_OctetString = 4,
+	UT_Null = 5,
+	UT_OID = 6,
+	UT_Enumerated = 10,
+	UT_Sequence = 16,
+	UT_Set = 17,
+	UT_PrintableString = 19,
+	UT_IA5String = 22,
+	UT_UTCTime = 23,
+	UT_GeneralizedTime = 24,
+	UT_VisibleString = 26,
+	UT_GeneralString = 27
+};
+
+#define ASN1_INDEFINITE 0xdce0deed
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+	       size_t * val, size_t * size);
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+		     octet_string * data, size_t * size);
+static int
+der_get_oid(const unsigned char *p, size_t len,
+	    oid * data, size_t * size);
+static int
+der_get_tag(const unsigned char *p, size_t len,
+	    Der_class * class, Der_type * type,
+	    int *tag, size_t * size);
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+	      Der_class class, Der_type type,
+	      int tag, size_t * size);
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+			 Der_class class, Der_type type, int tag,
+			 size_t * length_ret, size_t * size);
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+	   oid * k, size_t * size);
+
+static int
+decode_enumerated(const unsigned char *p, size_t len,
+		  unsigned *num, size_t *size);
+
+static int
+decode_octet_string(const unsigned char *, size_t, octet_string *, size_t *);
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *);
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *);
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+		     const octet_string * data, size_t *);
+static int
+der_put_oid(unsigned char *p, size_t len,
+	    const oid * data, size_t * size);
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+	    int tag, size_t *);
+static int
+der_put_length_and_tag(unsigned char *, size_t, size_t,
+		       Der_class, Der_type, int, size_t *);
+
+static int
+encode_enumerated(unsigned char *p, size_t len,
+		  const unsigned *data, size_t *);
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+		    const octet_string * k, size_t *);
+static int
+encode_oid(unsigned char *p, size_t len,
+	   const oid * k, size_t *);
+
+static void
+free_octet_string(octet_string * k);
+
+static void
+free_oid  (oid * k);
+
+static size_t
+length_len(size_t len);
+
+static int
+fix_dce(size_t reallen, size_t * len);
+
+/*
+ * Include stuff generated by the ASN.1 compiler.
+ */
+
+#include "spnego_asn1.c"
+
+static unsigned char gss_krb5_mech_oid_bytes[] = {
+	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+static gss_OID_desc gss_krb5_mech_oid_desc = {
+	sizeof(gss_krb5_mech_oid_bytes),
+	gss_krb5_mech_oid_bytes
+};
+
+static gss_OID GSS_KRB5_MECH = &gss_krb5_mech_oid_desc;
+
+static unsigned char gss_mskrb5_mech_oid_bytes[] = {
+	0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02
+};
+
+static gss_OID_desc gss_mskrb5_mech_oid_desc = {
+	sizeof(gss_mskrb5_mech_oid_bytes),
+	gss_mskrb5_mech_oid_bytes
+};
+
+static gss_OID GSS_MSKRB5_MECH = &gss_mskrb5_mech_oid_desc;
+
+static unsigned char gss_spnego_mech_oid_bytes[] = {
+	0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
+};
+
+static gss_OID_desc gss_spnego_mech_oid_desc = {
+	sizeof(gss_spnego_mech_oid_bytes),
+	gss_spnego_mech_oid_bytes
+};
+
+static gss_OID GSS_SPNEGO_MECH = &gss_spnego_mech_oid_desc;
+
+/* spnegokrb5_locl.h */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 *,
+			  unsigned char *,
+			  size_t,
+			  gss_buffer_t,
+			  const gss_OID);
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *,
+			  gss_buffer_t,
+			  unsigned char **,
+			  size_t *,
+			  const gss_OID);
+
+/* mod_auth_kerb.c */
+
+static int
+cmp_gss_type(gss_buffer_t token, gss_OID oid)
+{
+	unsigned char *p;
+	size_t len;
+
+	if (token->length == 0)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	p = token->value;
+	if (*p++ != 0x60)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	len = *p++;
+	if (len & 0x80) {
+		if ((len & 0x7f) > 4)
+			return (GSS_S_DEFECTIVE_TOKEN);
+		p += len & 0x7f;
+	}
+	if (*p++ != 0x06)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	if (((OM_uint32) *p++) != oid->length)
+		return (GSS_S_DEFECTIVE_TOKEN);
+
+	return (memcmp(p, oid->elements, oid->length));
+}
+
+/* accept_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static OM_uint32
+code_NegTokenArg(OM_uint32 * minor_status,
+		 const NegTokenResp * resp,
+		 unsigned char **outbuf,
+		 size_t * outbuf_size)
+{
+	OM_uint32 ret;
+	u_char *buf;
+	size_t buf_size, buf_len;
+
+	buf_size = 1024;
+	buf = malloc(buf_size);
+	if (buf == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	do {
+		ret = encode_NegTokenResp(buf + buf_size - 1,
+					  buf_size,
+					  resp, &buf_len);
+		if (ret == 0) {
+			size_t tmp;
+
+			ret = der_put_length_and_tag(buf + buf_size - buf_len - 1,
+						     buf_size - buf_len,
+						     buf_len,
+						     ASN1_C_CONTEXT,
+						     CONS,
+						     1,
+						     &tmp);
+			if (ret == 0)
+				buf_len += tmp;
+		}
+		if (ret) {
+			if (ret == ASN1_OVERFLOW) {
+				u_char *tmp;
+
+				buf_size *= 2;
+				tmp = realloc(buf, buf_size);
+				if (tmp == NULL) {
+					*minor_status = ENOMEM;
+					free(buf);
+					return (GSS_S_FAILURE);
+				}
+				buf = tmp;
+			} else {
+				*minor_status = ret;
+				free(buf);
+				return (GSS_S_FAILURE);
+			}
+		}
+	} while (ret == ASN1_OVERFLOW);
+
+	*outbuf = malloc(buf_len);
+	if (*outbuf == NULL) {
+		*minor_status = ENOMEM;
+		free(buf);
+		return (GSS_S_FAILURE);
+	}
+	memcpy(*outbuf, buf + buf_size - buf_len, buf_len);
+	*outbuf_size = buf_len;
+
+	free(buf);
+
+	return (GSS_S_COMPLETE);
+}
+
+static OM_uint32
+send_reject(OM_uint32 * minor_status,
+	    gss_buffer_t output_token)
+{
+	NegTokenResp resp;
+	OM_uint32 ret;
+
+	resp.negState = malloc(sizeof(*resp.negState));
+	if (resp.negState == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	*(resp.negState) = reject;
+
+	resp.supportedMech = NULL;
+	resp.responseToken = NULL;
+	resp.mechListMIC = NULL;
+
+	ret = code_NegTokenArg(minor_status, &resp,
+			       (unsigned char **)&output_token->value,
+			       &output_token->length);
+	free_NegTokenResp(&resp);
+	if (ret)
+		return (ret);
+
+	return (GSS_S_BAD_MECH);
+}
+
+static OM_uint32
+send_accept(OM_uint32 * minor_status,
+	    gss_buffer_t output_token,
+	    gss_buffer_t mech_token,
+	    const gss_OID pref)
+{
+	NegTokenResp resp;
+	OM_uint32 ret;
+
+	memset(&resp, 0, sizeof(resp));
+	resp.negState = malloc(sizeof(*resp.negState));
+	if (resp.negState == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	*(resp.negState) = accept_completed;
+
+	resp.supportedMech = malloc(sizeof(*resp.supportedMech));
+	if (resp.supportedMech == NULL) {
+		free_NegTokenResp(&resp);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	ret = der_get_oid(pref->elements,
+			  pref->length,
+			  resp.supportedMech,
+			  NULL);
+	if (ret) {
+		free_NegTokenResp(&resp);
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	if (mech_token != NULL && mech_token->length != 0) {
+		resp.responseToken = malloc(sizeof(*resp.responseToken));
+		if (resp.responseToken == NULL) {
+			free_NegTokenResp(&resp);
+			*minor_status = ENOMEM;
+			return (GSS_S_FAILURE);
+		}
+		resp.responseToken->length = mech_token->length;
+		resp.responseToken->data = mech_token->value;
+	}
+
+	ret = code_NegTokenArg(minor_status, &resp,
+			       (unsigned char **)&output_token->value,
+			       &output_token->length);
+	if (resp.responseToken != NULL) {
+		free(resp.responseToken);
+		resp.responseToken = NULL;
+	}
+	free_NegTokenResp(&resp);
+	if (ret)
+		return (ret);
+
+	return (GSS_S_COMPLETE);
+}
+
+OM_uint32
+gss_accept_sec_context_spnego(OM_uint32 *minor_status,
+			      gss_ctx_id_t *context_handle,
+			      const gss_cred_id_t acceptor_cred_handle,
+			      const gss_buffer_t input_token_buffer,
+			      const gss_channel_bindings_t input_chan_bindings,
+			      gss_name_t *src_name,
+			      gss_OID *mech_type,
+			      gss_buffer_t output_token,
+			      OM_uint32 *ret_flags,
+			      OM_uint32 *time_rec,
+			      gss_cred_id_t *delegated_cred_handle)
+{
+	NegTokenInit init_token;
+	OM_uint32 major_status;
+	OM_uint32 minor_status2;
+	gss_buffer_desc ibuf, obuf;
+	gss_buffer_t ot = NULL;
+	gss_OID pref = GSS_KRB5_MECH;
+	unsigned char *buf;
+	size_t buf_size;
+	size_t len, taglen, ni_len;
+	int found = 0;
+	int ret;
+	unsigned i;
+
+	/*
+	 * Before doing anything else, see whether this is a SPNEGO
+	 * PDU.  If not, dispatch to the GSSAPI library and get out.
+	 */
+
+	if (cmp_gss_type(input_token_buffer, GSS_SPNEGO_MECH))
+		return (gss_accept_sec_context(minor_status,
+					       context_handle,
+					       acceptor_cred_handle,
+					       input_token_buffer,
+					       input_chan_bindings,
+					       src_name,
+					       mech_type,
+					       output_token,
+					       ret_flags,
+					       time_rec,
+					       delegated_cred_handle));
+
+	/*
+	 * If we get here, it's SPNEGO.
+	 */
+
+	memset(&init_token, 0, sizeof(init_token));
+
+	ret = gssapi_spnego_decapsulate(minor_status, input_token_buffer,
+					&buf, &buf_size, GSS_SPNEGO_MECH);
+	if (ret)
+		return (ret);
+
+	ret = der_match_tag_and_length(buf, buf_size, ASN1_C_CONTEXT, CONS,
+				       0, &len, &taglen);
+	if (ret)
+		return (ret);
+
+	ret = decode_NegTokenInit(buf + taglen, len, &init_token, &ni_len);
+	if (ret) {
+		*minor_status = EINVAL;	/* XXX */
+		return (GSS_S_DEFECTIVE_TOKEN);
+	}
+
+	for (i = 0; !found && i < init_token.mechTypes.len; ++i) {
+		char mechbuf[17];
+		size_t mech_len;
+
+		ret = der_put_oid(mechbuf + sizeof(mechbuf) - 1,
+				  sizeof(mechbuf),
+				  &init_token.mechTypes.val[i],
+				  &mech_len);
+		if (ret)
+			return (GSS_S_DEFECTIVE_TOKEN);
+		if (mech_len == GSS_KRB5_MECH->length &&
+		    memcmp(GSS_KRB5_MECH->elements,
+			   mechbuf + sizeof(mechbuf) - mech_len,
+			   mech_len) == 0) {
+			found = 1;
+			break;
+		}
+		if (mech_len == GSS_MSKRB5_MECH->length &&
+		    memcmp(GSS_MSKRB5_MECH->elements,
+			   mechbuf + sizeof(mechbuf) - mech_len,
+			   mech_len) == 0) {
+			found = 1;
+			if (i == 0)
+				pref = GSS_MSKRB5_MECH;
+			break;
+		}
+	}
+
+	if (!found)
+		return (send_reject(minor_status, output_token));
+
+	if (i == 0 && init_token.mechToken != NULL) {
+		ibuf.length = init_token.mechToken->length;
+		ibuf.value = init_token.mechToken->data;
+
+		major_status = gss_accept_sec_context(minor_status,
+						      context_handle,
+						      acceptor_cred_handle,
+						      &ibuf,
+						      input_chan_bindings,
+						      src_name,
+						      mech_type,
+						      &obuf,
+						      ret_flags,
+						      time_rec,
+						      delegated_cred_handle);
+		if (GSS_ERROR(major_status)) {
+			send_reject(&minor_status2, output_token);
+			return (major_status);
+		}
+		ot = &obuf;
+	}
+	ret = send_accept(&minor_status2, output_token, ot, pref);
+	if (ot != NULL && ot->length != 0)
+		gss_release_buffer(&minor_status2, ot);
+
+	return (ret);
+}
+
+/* decapsulate.c */
+
+static OM_uint32
+gssapi_verify_mech_header(u_char ** str,
+			  size_t total_len,
+			  const gss_OID mech)
+{
+	size_t len, len_len, mech_len, foo;
+	int e;
+	u_char *p = *str;
+
+	if (total_len < 1)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	if (*p++ != 0x60)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	e = der_get_length(p, total_len - 1, &len, &len_len);
+	if (e || 1 + len_len + len != total_len)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	p += len_len;
+	if (*p++ != 0x06)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	e = der_get_length(p, total_len - 1 - len_len - 1,
+			   &mech_len, &foo);
+	if (e)
+		return (GSS_S_DEFECTIVE_TOKEN);
+	p += foo;
+	if (mech_len != mech->length)
+		return (GSS_S_BAD_MECH);
+	if (memcmp(p, mech->elements, mech->length) != 0)
+		return (GSS_S_BAD_MECH);
+	p += mech_len;
+	*str = p;
+	return (GSS_S_COMPLETE);
+}
+
+/*
+ * Remove the GSS-API wrapping from `in_token' giving `buf and buf_size' Does
+ * not copy data, so just free `in_token'.
+ */
+
+static OM_uint32
+gssapi_spnego_decapsulate(OM_uint32 *minor_status,
+			  gss_buffer_t input_token_buffer,
+			  unsigned char **buf,
+			  size_t *buf_len,
+			  const gss_OID mech)
+{
+	u_char *p;
+	OM_uint32 ret;
+
+	p = input_token_buffer->value;
+	ret = gssapi_verify_mech_header(&p,
+					input_token_buffer->length,
+					mech);
+	if (ret) {
+		*minor_status = ret;
+		return (GSS_S_FAILURE);
+	}
+	*buf_len = input_token_buffer->length -
+		(p - (u_char *) input_token_buffer->value);
+	*buf = p;
+	return (GSS_S_COMPLETE);
+}
+
+/* der_free.c */
+
+static void
+free_octet_string(octet_string *k)
+{
+	free(k->data);
+	k->data = NULL;
+}
+
+static void
+free_oid(oid *k)
+{
+	free(k->components);
+	k->components = NULL;
+}
+
+/* der_get.c */
+
+/*
+ * All decoding functions take a pointer `p' to first position in which to
+ * read, from the left, `len' which means the maximum number of characters we
+ * are able to read, `ret' were the value will be returned and `size' where
+ * the number of used bytes is stored. Either 0 or an error code is returned.
+ */
+
+static int
+der_get_unsigned(const unsigned char *p, size_t len,
+		 unsigned *ret, size_t *size)
+{
+	unsigned val = 0;
+	size_t oldlen = len;
+
+	while (len--)
+		val = val * 256 + *p++;
+	*ret = val;
+	if (size)
+		*size = oldlen;
+	return (0);
+}
+
+static int
+der_get_int(const unsigned char *p, size_t len,
+	    int *ret, size_t *size)
+{
+	int val = 0;
+	size_t oldlen = len;
+
+	if (len > 0) {
+		val = (signed char)*p++;
+		while (--len)
+			val = val * 256 + *p++;
+	}
+	*ret = val;
+	if (size)
+		*size = oldlen;
+	return (0);
+}
+
+static int
+der_get_length(const unsigned char *p, size_t len,
+	       size_t *val, size_t *size)
+{
+	size_t v;
+
+	if (len <= 0)
+		return (ASN1_OVERRUN);
+	--len;
+	v = *p++;
+	if (v < 128) {
+		*val = v;
+		if (size)
+			*size = 1;
+	} else {
+		int e;
+		size_t l;
+		unsigned tmp;
+
+		if (v == 0x80) {
+			*val = ASN1_INDEFINITE;
+			if (size)
+				*size = 1;
+			return (0);
+		}
+		v &= 0x7F;
+		if (len < v)
+			return (ASN1_OVERRUN);
+		e = der_get_unsigned(p, v, &tmp, &l);
+		if (e)
+			return (e);
+		*val = tmp;
+		if (size)
+			*size = l + 1;
+	}
+	return (0);
+}
+
+static int
+der_get_octet_string(const unsigned char *p, size_t len,
+		     octet_string *data, size_t *size)
+{
+	data->length = len;
+	data->data = malloc(len);
+	if (data->data == NULL && data->length != 0)
+		return (ENOMEM);
+	memcpy(data->data, p, len);
+	if (size)
+		*size = len;
+	return (0);
+}
+
+static int
+der_get_oid(const unsigned char *p, size_t len,
+	    oid *data, size_t *size)
+{
+	int n;
+	size_t oldlen = len;
+
+	if (len < 1)
+		return (ASN1_OVERRUN);
+
+	data->components = malloc(len * sizeof(*data->components));
+	if (data->components == NULL && len != 0)
+		return (ENOMEM);
+	data->components[0] = (*p) / 40;
+	data->components[1] = (*p) % 40;
+	--len;
+	++p;
+	for (n = 2; len > 0; ++n) {
+		unsigned u = 0;
+
+		do {
+			--len;
+			u = u * 128 + (*p++ % 128);
+		} while (len > 0 && p[-1] & 0x80);
+		data->components[n] = u;
+	}
+	if (p[-1] & 0x80) {
+		free_oid(data);
+		return (ASN1_OVERRUN);
+	}
+	data->length = n;
+	if (size)
+		*size = oldlen;
+	return (0);
+}
+
+static int
+der_get_tag(const unsigned char *p, size_t len,
+	    Der_class *class, Der_type *type,
+	    int *tag, size_t *size)
+{
+	if (len < 1)
+		return (ASN1_OVERRUN);
+	*class = (Der_class) (((*p) >> 6) & 0x03);
+	*type = (Der_type) (((*p) >> 5) & 0x01);
+	*tag = (*p) & 0x1F;
+	if (size)
+		*size = 1;
+	return (0);
+}
+
+static int
+der_match_tag(const unsigned char *p, size_t len,
+	      Der_class class, Der_type type,
+	      int tag, size_t *size)
+{
+	size_t l;
+	Der_class thisclass;
+	Der_type thistype;
+	int thistag;
+	int e;
+
+	e = der_get_tag(p, len, &thisclass, &thistype, &thistag, &l);
+	if (e)
+		return (e);
+	if (class != thisclass || type != thistype)
+		return (ASN1_BAD_ID);
+	if (tag > thistag)
+		return (ASN1_MISPLACED_FIELD);
+	if (tag < thistag)
+		return (ASN1_MISSING_FIELD);
+	if (size)
+		*size = l;
+	return (0);
+}
+
+static int
+der_match_tag_and_length(const unsigned char *p, size_t len,
+			 Der_class class, Der_type type, int tag,
+			 size_t *length_ret, size_t *size)
+{
+	size_t l, ret = 0;
+	int e;
+
+	e = der_match_tag(p, len, class, type, tag, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_length(p, len, length_ret, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_enumerated(const unsigned char *p, size_t len,
+		  unsigned *num, size_t *size)
+{
+	size_t ret = 0;
+	size_t l, reallen;
+	int e;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_length(p, len, &reallen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	e = der_get_int(p, reallen, num, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_octet_string(const unsigned char *p, size_t len,
+		    octet_string *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+	size_t slen;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+
+	e = der_get_length(p, len, &slen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (len < slen)
+		return (ASN1_OVERRUN);
+
+	e = der_get_octet_string(p, slen, k, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+decode_oid(const unsigned char *p, size_t len,
+	   oid *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+	size_t slen;
+
+	e = der_match_tag(p, len, ASN1_C_UNIV, PRIM, UT_OID, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+
+	e = der_get_length(p, len, &slen, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (len < slen)
+		return (ASN1_OVERRUN);
+
+	e = der_get_oid(p, slen, k, &l);
+	if (e)
+		return (e);
+	p += l;
+	len -= l;
+	ret += l;
+	if (size)
+		*size = ret;
+	return (0);
+}
+
+static int
+fix_dce(size_t reallen, size_t *len)
+{
+	if (reallen == ASN1_INDEFINITE)
+		return (1);
+	if (*len < reallen)
+		return (-1);
+	*len = reallen;
+	return (0);
+}
+
+/* der_length.c */
+
+static size_t
+len_unsigned(unsigned val)
+{
+	size_t ret = 0;
+
+	do {
+		++ret;
+		val /= 256;
+	} while (val);
+	return (ret);
+}
+
+static size_t
+length_len(size_t len)
+{
+	if (len < 128)
+		return (1);
+	else
+		return (len_unsigned(len) + 1);
+}
+
+
+/* der_put.c */
+
+/*
+ * All encoding functions take a pointer `p' to first position in which to
+ * write, from the right, `len' which means the maximum number of characters
+ * we are able to write.  The function returns the number of characters
+ * written in `size' (if non-NULL). The return value is 0 or an error.
+ */
+
+static int
+der_put_unsigned(unsigned char *p, size_t len, unsigned val, size_t *size)
+{
+	unsigned char *base = p;
+
+	if (val) {
+		while (len > 0 && val) {
+			*p-- = val % 256;
+			val /= 256;
+			--len;
+		}
+		if (val != 0)
+			return (ASN1_OVERFLOW);
+		else {
+			*size = base - p;
+			return (0);
+		}
+	} else if (len < 1)
+		return (ASN1_OVERFLOW);
+	else {
+		*p = 0;
+		*size = 1;
+		return (0);
+	}
+}
+
+static int
+der_put_int(unsigned char *p, size_t len, int val, size_t *size)
+{
+	unsigned char *base = p;
+
+	if (val >= 0) {
+		do {
+			if (len < 1)
+				return (ASN1_OVERFLOW);
+			*p-- = val % 256;
+			len--;
+			val /= 256;
+		} while (val);
+		if (p[1] >= 128) {
+			if (len < 1)
+				return (ASN1_OVERFLOW);
+			*p-- = 0;
+			len--;
+		}
+	} else {
+		val = ~val;
+		do {
+			if (len < 1)
+				return (ASN1_OVERFLOW);
+			*p-- = ~(val % 256);
+			len--;
+			val /= 256;
+		} while (val);
+		if (p[1] < 128) {
+			if (len < 1)
+				return (ASN1_OVERFLOW);
+			*p-- = 0xff;
+			len--;
+		}
+	}
+	*size = base - p;
+	return (0);
+}
+
+static int
+der_put_length(unsigned char *p, size_t len, size_t val, size_t *size)
+{
+	if (len < 1)
+		return (ASN1_OVERFLOW);
+	if (val < 128) {
+		*p = val;
+		*size = 1;
+		return (0);
+	} else {
+		size_t l;
+		int e;
+
+		e = der_put_unsigned(p, len - 1, val, &l);
+		if (e)
+			return (e);
+		p -= l;
+		*p = 0x80 | l;
+		*size = l + 1;
+		return (0);
+	}
+}
+
+static int
+der_put_octet_string(unsigned char *p, size_t len,
+		     const octet_string *data, size_t *size)
+{
+	if (len < data->length)
+		return (ASN1_OVERFLOW);
+	p -= data->length;
+	len -= data->length;
+	memcpy(p + 1, data->data, data->length);
+	*size = data->length;
+	return (0);
+}
+
+static int
+der_put_oid(unsigned char *p, size_t len,
+	    const oid *data, size_t *size)
+{
+	unsigned char *base = p;
+	int n;
+
+	for (n = data->length - 1; n >= 2; --n) {
+		unsigned	u = data->components[n];
+
+		if (len < 1)
+			return (ASN1_OVERFLOW);
+		*p-- = u % 128;
+		u /= 128;
+		--len;
+		while (u > 0) {
+			if (len < 1)
+				return (ASN1_OVERFLOW);
+			*p-- = 128 + u % 128;
+			u /= 128;
+			--len;
+		}
+	}
+	if (len < 1)
+		return (ASN1_OVERFLOW);
+	*p-- = 40 * data->components[0] + data->components[1];
+	*size = base - p;
+	return (0);
+}
+
+static int
+der_put_tag(unsigned char *p, size_t len, Der_class class, Der_type type,
+	    int tag, size_t *size)
+{
+	if (len < 1)
+		return (ASN1_OVERFLOW);
+	*p = (class << 6) | (type << 5) | tag;	/* XXX */
+	*size = 1;
+	return (0);
+}
+
+static int
+der_put_length_and_tag(unsigned char *p, size_t len, size_t len_val,
+		       Der_class class, Der_type type, int tag, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_length(p, len, len_val, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_tag(p, len, class, type, tag, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_enumerated(unsigned char *p, size_t len, const unsigned *data,
+		  size_t *size)
+{
+	unsigned num = *data;
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_int(p, len, num, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_Enumerated, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_octet_string(unsigned char *p, size_t len,
+		    const octet_string *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_octet_string(p, len, k, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OctetString, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+static int
+encode_oid(unsigned char *p, size_t len,
+	   const oid *k, size_t *size)
+{
+	size_t ret = 0;
+	size_t l;
+	int e;
+
+	e = der_put_oid(p, len, k, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	e = der_put_length_and_tag(p, len, l, ASN1_C_UNIV, PRIM, UT_OID, &l);
+	if (e)
+		return (e);
+	p -= l;
+	len -= l;
+	ret += l;
+	*size = ret;
+	return (0);
+}
+
+
+/* encapsulate.c */
+
+static void
+gssapi_encap_length(size_t data_len,
+		    size_t *len,
+		    size_t *total_len,
+		    const gss_OID mech)
+{
+	size_t len_len;
+
+	*len = 1 + 1 + mech->length + data_len;
+
+	len_len = length_len(*len);
+
+	*total_len = 1 + len_len + *len;
+}
+
+static u_char *
+gssapi_mech_make_header(u_char *p,
+			size_t len,
+			const gss_OID mech)
+{
+	int e;
+	size_t len_len, foo;
+
+	*p++ = 0x60;
+	len_len = length_len(len);
+	e = der_put_length(p + len_len - 1, len_len, len, &foo);
+	if (e || foo != len_len)
+		return (NULL);
+	p += len_len;
+	*p++ = 0x06;
+	*p++ = mech->length;
+	memcpy(p, mech->elements, mech->length);
+	p += mech->length;
+	return (p);
+}
+
+/*
+ * Give it a krb5_data and it will encapsulate with extra GSS-API wrappings.
+ */
+
+static OM_uint32
+gssapi_spnego_encapsulate(OM_uint32 * minor_status,
+			  unsigned char *buf,
+			  size_t buf_size,
+			  gss_buffer_t output_token,
+			  const gss_OID mech)
+{
+	size_t len, outer_len;
+	u_char *p;
+
+	gssapi_encap_length(buf_size, &len, &outer_len, mech);
+
+	output_token->length = outer_len;
+	output_token->value = malloc(outer_len);
+	if (output_token->value == NULL) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+	p = gssapi_mech_make_header(output_token->value, len, mech);
+	if (p == NULL) {
+		if (output_token->length != 0)
+			gss_release_buffer(minor_status, output_token);
+		return (GSS_S_FAILURE);
+	}
+	memcpy(p, buf, buf_size);
+	return (GSS_S_COMPLETE);
+}
+
+/* init_sec_context.c */
+/*
+ * SPNEGO wrapper for Kerberos5 GSS-API kouril@ics.muni.cz, 2003 (mostly
+ * based on Heimdal code)
+ */
+
+static int
+add_mech(MechTypeList * mech_list, gss_OID mech)
+{
+	MechType *tmp;
+	int ret;
+
+	tmp = realloc(mech_list->val, (mech_list->len + 1) * sizeof(*tmp));
+	if (tmp == NULL)
+		return (ENOMEM);
+	mech_list->val = tmp;
+
+	ret = der_get_oid(mech->elements, mech->length,
+			  &mech_list->val[mech_list->len], NULL);
+	if (ret)
+		return (ret);
+
+	mech_list->len++;
+	return (0);
+}
+
+/*
+ * return the length of the mechanism in token or -1
+ * (which implies that the token was bad - GSS_S_DEFECTIVE_TOKEN
+ */
+
+static ssize_t
+gssapi_krb5_get_mech(const u_char *ptr,
+		     size_t total_len,
+		     const u_char **mech_ret)
+{
+	size_t len, len_len, mech_len, foo;
+	const u_char *p = ptr;
+	int e;
+
+	if (total_len < 1)
+		return (-1);
+	if (*p++ != 0x60)
+		return (-1);
+	e = der_get_length (p, total_len - 1, &len, &len_len);
+	if (e || 1 + len_len + len != total_len)
+		return (-1);
+	p += len_len;
+	if (*p++ != 0x06)
+		return (-1);
+	e = der_get_length (p, total_len - 1 - len_len - 1,
+			    &mech_len, &foo);
+	if (e)
+		return (-1);
+	p += foo;
+	*mech_ret = p;
+	return (mech_len);
+}
+
+static OM_uint32
+spnego_initial(OM_uint32 *minor_status,
+	       const gss_cred_id_t initiator_cred_handle,
+	       gss_ctx_id_t *context_handle,
+	       const gss_name_t target_name,
+	       const gss_OID mech_type,
+	       OM_uint32 req_flags,
+	       OM_uint32 time_req,
+	       const gss_channel_bindings_t input_chan_bindings,
+	       const gss_buffer_t input_token,
+	       gss_OID *actual_mech_type,
+	       gss_buffer_t output_token,
+	       OM_uint32 *ret_flags,
+	       OM_uint32 *time_rec)
+{
+	NegTokenInit token_init;
+	OM_uint32 major_status, minor_status2;
+	gss_buffer_desc	krb5_output_token = GSS_C_EMPTY_BUFFER;
+	unsigned char *buf = NULL;
+	size_t buf_size;
+	size_t len;
+	int ret;
+
+	(void)mech_type;
+
+	memset(&token_init, 0, sizeof(token_init));
+
+	ret = add_mech(&token_init.mechTypes, GSS_KRB5_MECH);
+	if (ret) {
+		*minor_status = ret;
+		ret = GSS_S_FAILURE;
+		goto end;
+	}
+
+	major_status = gss_init_sec_context(minor_status,
+					    initiator_cred_handle,
+					    context_handle,
+					    target_name,
+					    GSS_KRB5_MECH,
+					    req_flags,
+					    time_req,
+					    input_chan_bindings,
+					    input_token,
+					    actual_mech_type,
+					    &krb5_output_token,
+					    ret_flags,
+					    time_rec);
+	if (GSS_ERROR(major_status)) {
+		ret = major_status;
+		goto end;
+	}
+	if (krb5_output_token.length > 0) {
+		token_init.mechToken = malloc(sizeof(*token_init.mechToken));
+		if (token_init.mechToken == NULL) {
+			*minor_status = ENOMEM;
+			ret = GSS_S_FAILURE;
+			goto end;
+		}
+		token_init.mechToken->data = krb5_output_token.value;
+		token_init.mechToken->length = krb5_output_token.length;
+	}
+	/*
+	 * The MS implementation of SPNEGO seems to not like the mechListMIC
+	 * field, so we omit it (it's optional anyway)
+	 */
+
+	buf_size = 1024;
+	buf = malloc(buf_size);
+
+	do {
+		ret = encode_NegTokenInit(buf + buf_size - 1,
+					  buf_size,
+					  &token_init, &len);
+		if (ret == 0) {
+			size_t tmp;
+
+			ret = der_put_length_and_tag(buf + buf_size - len - 1,
+						     buf_size - len,
+						     len,
+						     ASN1_C_CONTEXT,
+						     CONS,
+						     0,
+						     &tmp);
+			if (ret == 0)
+				len += tmp;
+		}
+		if (ret) {
+			if (ret == ASN1_OVERFLOW) {
+				u_char *tmp;
+
+				buf_size *= 2;
+				tmp = realloc(buf, buf_size);
+				if (tmp == NULL) {
+					*minor_status = ENOMEM;
+					ret = GSS_S_FAILURE;
+					goto end;
+				}
+				buf = tmp;
+			} else {
+				*minor_status = ret;
+				ret = GSS_S_FAILURE;
+				goto end;
+			}
+		}
+	} while (ret == ASN1_OVERFLOW);
+
+	ret = gssapi_spnego_encapsulate(minor_status,
+					buf + buf_size - len, len,
+					output_token, GSS_SPNEGO_MECH);
+	if (ret == GSS_S_COMPLETE)
+		ret = major_status;
+
+end:
+	if (token_init.mechToken != NULL) {
+		free(token_init.mechToken);
+		token_init.mechToken = NULL;
+	}
+	free_NegTokenInit(&token_init);
+	if (krb5_output_token.length != 0)
+		gss_release_buffer(&minor_status2, &krb5_output_token);
+	if (buf)
+		free(buf);
+
+	return (ret);
+}
+
+static OM_uint32
+spnego_reply(OM_uint32 *minor_status,
+	     const gss_cred_id_t initiator_cred_handle,
+	     gss_ctx_id_t *context_handle,
+	     const gss_name_t target_name,
+	     const gss_OID mech_type,
+	     OM_uint32 req_flags,
+	     OM_uint32 time_req,
+	     const gss_channel_bindings_t input_chan_bindings,
+	     const gss_buffer_t input_token,
+	     gss_OID *actual_mech_type,
+	     gss_buffer_t output_token,
+	     OM_uint32 *ret_flags,
+	     OM_uint32 *time_rec)
+{
+	OM_uint32 ret;
+	NegTokenResp resp;
+	unsigned char *buf;
+	size_t buf_size;
+	u_char oidbuf[17];
+	size_t oidlen;
+	gss_buffer_desc sub_token;
+	ssize_t mech_len;
+	const u_char *p;
+	size_t len, taglen;
+
+	(void)mech_type;
+
+	output_token->length = 0;
+	output_token->value  = NULL;
+
+	/*
+	 * SPNEGO doesn't include gss wrapping on SubsequentContextToken
+	 * like the Kerberos 5 mech does. But lets check for it anyway.
+	 */
+
+	mech_len = gssapi_krb5_get_mech(input_token->value,
+					input_token->length,
+					&p);
+
+	if (mech_len < 0) {
+		buf = input_token->value;
+		buf_size = input_token->length;
+	} else if ((size_t)mech_len == GSS_KRB5_MECH->length &&
+		   memcmp(GSS_KRB5_MECH->elements, p, mech_len) == 0)
+		return (gss_init_sec_context(minor_status,
+					     initiator_cred_handle,
+					     context_handle,
+					     target_name,
+					     GSS_KRB5_MECH,
+					     req_flags,
+					     time_req,
+					     input_chan_bindings,
+					     input_token,
+					     actual_mech_type,
+					     output_token,
+					     ret_flags,
+					     time_rec));
+	else if ((size_t)mech_len == GSS_SPNEGO_MECH->length &&
+		 memcmp(GSS_SPNEGO_MECH->elements, p, mech_len) == 0) {
+		ret = gssapi_spnego_decapsulate(minor_status,
+						input_token,
+						&buf,
+						&buf_size,
+						GSS_SPNEGO_MECH);
+		if (ret)
+			return (ret);
+	} else
+		return (GSS_S_BAD_MECH);
+
+	ret = der_match_tag_and_length(buf, buf_size,
+				       ASN1_C_CONTEXT, CONS, 1, &len, &taglen);
+	if (ret)
+		return (ret);
+
+	if(len > buf_size - taglen)
+		return (ASN1_OVERRUN);
+
+	ret = decode_NegTokenResp(buf + taglen, len, &resp, NULL);
+	if (ret) {
+		*minor_status = ENOMEM;
+		return (GSS_S_FAILURE);
+	}
+
+	if (resp.negState == NULL ||
+	    *(resp.negState) == reject ||
+	    resp.supportedMech == NULL) {
+		free_NegTokenResp(&resp);
+		return (GSS_S_BAD_MECH);
+	}
+
+	ret = der_put_oid(oidbuf + sizeof(oidbuf) - 1,
+			  sizeof(oidbuf),
+			  resp.supportedMech,
+			  &oidlen);
+	if (ret || oidlen != GSS_KRB5_MECH->length ||
+	    memcmp(oidbuf + sizeof(oidbuf) - oidlen,
+		   GSS_KRB5_MECH->elements,
+		   oidlen) != 0) {
+		free_NegTokenResp(&resp);
+		return GSS_S_BAD_MECH;
+	}
+
+	if (resp.responseToken != NULL) {
+		sub_token.length = resp.responseToken->length;
+		sub_token.value  = resp.responseToken->data;
+	} else {
+		sub_token.length = 0;
+		sub_token.value  = NULL;
+	}
+
+	ret = gss_init_sec_context(minor_status,
+				   initiator_cred_handle,
+				   context_handle,
+				   target_name,
+				   GSS_KRB5_MECH,
+				   req_flags,
+				   time_req,
+				   input_chan_bindings,
+				   &sub_token,
+				   actual_mech_type,
+				   output_token,
+				   ret_flags,
+				   time_rec);
+	if (ret) {
+		free_NegTokenResp(&resp);
+		return (ret);
+	}
+
+	/*
+	 * XXXSRA I don't think this limited implementation ever needs
+	 * to check the MIC -- our preferred mechanism (Kerberos)
+	 * authenticates its own messages and is the only mechanism
+	 * we'll accept, so if the mechanism negotiation completes
+	 * successfully, we don't need the MIC.  See RFC 4178.
+	 */
+
+	free_NegTokenResp(&resp);
+	return (ret);
+}
+
+
+
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *minor_status,
+			    const gss_cred_id_t initiator_cred_handle,
+			    gss_ctx_id_t *context_handle,
+			    const gss_name_t target_name,
+			    const gss_OID mech_type,
+			    OM_uint32 req_flags,
+			    OM_uint32 time_req,
+			    const gss_channel_bindings_t input_chan_bindings,
+			    const gss_buffer_t input_token,
+			    gss_OID *actual_mech_type,
+			    gss_buffer_t output_token,
+			    OM_uint32 *ret_flags,
+			    OM_uint32 *time_rec)
+{
+	/* Dirty trick to suppress compiler warnings */
+
+	/* Figure out whether we're starting over or processing a reply */
+
+	if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
+		return (spnego_initial(minor_status,
+				       initiator_cred_handle,
+				       context_handle,
+				       target_name,
+				       mech_type,
+				       req_flags,
+				       time_req,
+				       input_chan_bindings,
+				       input_token,
+				       actual_mech_type,
+				       output_token,
+				       ret_flags,
+				       time_rec));
+	else
+		return (spnego_reply(minor_status,
+				     initiator_cred_handle,
+				     context_handle,
+				     target_name,
+				     mech_type,
+				     req_flags,
+				     time_req,
+				     input_chan_bindings,
+				     input_token,
+				     actual_mech_type,
+				     output_token,
+				     ret_flags,
+				     time_rec));
+}
+
+#endif /* GSSAPI */
diff --git a/lib/dns/spnego.h b/lib/dns/spnego.h
new file mode 100644
index 0000000..c44614b
--- /dev/null
+++ b/lib/dns/spnego.h
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego.h,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file
+ * \brief
+ * Entry points into portable SPNEGO implementation.
+ * See spnego.c for information on the SPNEGO implementation itself.
+ */
+
+#ifndef _SPNEGO_H_
+#define _SPNEGO_H_
+
+/*%
+ * Wrapper for GSSAPI gss_init_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library.  Takes arguments identical to the standard GSSAPI
+ * function, uses standard gss_init_sec_context() to handle
+ * everything inside the SPNEGO wrapper.
+ */
+OM_uint32
+gss_init_sec_context_spnego(OM_uint32 *,
+			    const gss_cred_id_t,
+			    gss_ctx_id_t *,
+			    const gss_name_t,
+			    const gss_OID,
+			    OM_uint32,
+			    OM_uint32,
+			    const gss_channel_bindings_t,
+			    const gss_buffer_t,
+			    gss_OID *,
+			    gss_buffer_t,
+			    OM_uint32 *,
+			    OM_uint32 *);
+
+/*%
+ * Wrapper for GSSAPI gss_accept_sec_context(), using portable SPNEGO
+ * implementation instead of the one that's part of the GSSAPI
+ * library.  Takes arguments identical to the standard GSSAPI
+ * function.  Checks the OID of the input token to see if it's SPNEGO;
+ * if so, processes it, otherwise hands the call off to the standard
+ * gss_accept_sec_context() function.
+ */
+OM_uint32 gss_accept_sec_context_spnego(OM_uint32 *,
+					gss_ctx_id_t *,
+					const gss_cred_id_t,
+					const gss_buffer_t,
+					const gss_channel_bindings_t,
+					gss_name_t *,
+					gss_OID *,
+					gss_buffer_t,
+					OM_uint32 *,
+					OM_uint32 *,
+					gss_cred_id_t *);
+
+
+#endif
diff --git a/lib/dns/spnego_asn1.c b/lib/dns/spnego_asn1.c
new file mode 100644
index 0000000..75c2304
--- /dev/null
+++ b/lib/dns/spnego_asn1.c
@@ -0,0 +1,885 @@
+/*
+ * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego_asn1.c,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details.  Do not edit.
+ */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+#ifndef __asn1_h__
+#define __asn1_h__
+
+
+#ifndef __asn1_common_definitions__
+#define __asn1_common_definitions__
+
+typedef struct octet_string {
+	size_t length;
+	void *data;
+} octet_string;
+
+typedef char *general_string;
+
+typedef char *utf8_string;
+
+typedef struct oid {
+	size_t length;
+	unsigned *components;
+} oid;
+
+#define ASN1_MALLOC_ENCODE(T, B, BL, S, L, R)                  \
+  do {                                                         \
+    (BL) = length_##T((S));                                    \
+    (B) = malloc((BL));                                        \
+    if((B) == NULL) {                                          \
+      (R) = ENOMEM;                                            \
+    } else {                                                   \
+      (R) = encode_##T(((unsigned char*)(B)) + (BL) - 1, (BL), \
+                       (S), (L));                              \
+      if((R) != 0) {                                           \
+        free((B));                                             \
+        (B) = NULL;                                            \
+      }                                                        \
+    }                                                          \
+  } while (0)
+
+#endif
+
+/*
+ * MechType ::= OBJECT IDENTIFIER
+ */
+
+typedef oid MechType;
+
+static int encode_MechType(unsigned char *, size_t, const MechType *, size_t *);
+static int decode_MechType(const unsigned char *, size_t, MechType *, size_t *);
+static void free_MechType(MechType *);
+/* unused declaration: length_MechType */
+/* unused declaration: copy_MechType */
+
+
+/*
+ * MechTypeList ::= SEQUENCE OF MechType
+ */
+
+typedef struct MechTypeList {
+	unsigned int len;
+	MechType *val;
+} MechTypeList;
+
+static int encode_MechTypeList(unsigned char *, size_t, const MechTypeList *, size_t *);
+static int decode_MechTypeList(const unsigned char *, size_t, MechTypeList *, size_t *);
+static void free_MechTypeList(MechTypeList *);
+/* unused declaration: length_MechTypeList */
+/* unused declaration: copy_MechTypeList */
+
+
+/*
+ * ContextFlags ::= BIT STRING { delegFlag(0), mutualFlag(1), replayFlag(2),
+ * sequenceFlag(3), anonFlag(4), confFlag(5), integFlag(6) }
+ */
+
+typedef struct ContextFlags {
+	unsigned int delegFlag:1;
+	unsigned int mutualFlag:1;
+	unsigned int replayFlag:1;
+	unsigned int sequenceFlag:1;
+	unsigned int anonFlag:1;
+	unsigned int confFlag:1;
+	unsigned int integFlag:1;
+} ContextFlags;
+
+
+static int encode_ContextFlags(unsigned char *, size_t, const ContextFlags *, size_t *);
+static int decode_ContextFlags(const unsigned char *, size_t, ContextFlags *, size_t *);
+static void free_ContextFlags(ContextFlags *);
+/* unused declaration: length_ContextFlags */
+/* unused declaration: copy_ContextFlags */
+/* unused declaration: ContextFlags2int */
+/* unused declaration: int2ContextFlags */
+/* unused declaration: asn1_ContextFlags_units */
+
+/*
+ * NegTokenInit ::= SEQUENCE { mechTypes[0]    MechTypeList, reqFlags[1]
+ * ContextFlags OPTIONAL, mechToken[2]    OCTET STRING OPTIONAL,
+ * mechListMIC[3]  OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenInit {
+	MechTypeList mechTypes;
+	ContextFlags *reqFlags;
+	octet_string *mechToken;
+	octet_string *mechListMIC;
+} NegTokenInit;
+
+static int encode_NegTokenInit(unsigned char *, size_t, const NegTokenInit *, size_t *);
+static int decode_NegTokenInit(const unsigned char *, size_t, NegTokenInit *, size_t *);
+static void free_NegTokenInit(NegTokenInit *);
+/* unused declaration: length_NegTokenInit */
+/* unused declaration: copy_NegTokenInit */
+
+
+/*
+ * NegTokenResp ::= SEQUENCE { negState[0]       ENUMERATED {
+ * accept-completed(0), accept-incomplete(1), reject(2), request-mic(3) }
+ * OPTIONAL, supportedMech[1]  MechType OPTIONAL, responseToken[2]  OCTET
+ * STRING OPTIONAL, mechListMIC[3]    OCTET STRING OPTIONAL }
+ */
+
+typedef struct NegTokenResp {
+	enum {
+		accept_completed = 0,
+		accept_incomplete = 1,
+		reject = 2,
+		request_mic = 3
+	} *negState;
+
+	MechType *supportedMech;
+	octet_string *responseToken;
+	octet_string *mechListMIC;
+} NegTokenResp;
+
+static int encode_NegTokenResp(unsigned char *, size_t, const NegTokenResp *, size_t *);
+static int decode_NegTokenResp(const unsigned char *, size_t, NegTokenResp *, size_t *);
+static void free_NegTokenResp(NegTokenResp *);
+/* unused declaration: length_NegTokenResp */
+/* unused declaration: copy_NegTokenResp */
+
+
+
+
+#endif				/* __asn1_h__ */
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_MechType(unsigned char *p, size_t len, const MechType * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	i = 0;
+	e = encode_oid(p, len, data, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_MechType(const unsigned char *p, size_t len, MechType * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = decode_oid(p, len, data, &l);
+	FORW;
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_MechType(data);
+	return e;
+}
+
+static void
+free_MechType(MechType * data)
+{
+	free_oid(data);
+}
+
+/* unused function: length_MechType */
+
+
+/* unused function: copy_MechType */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_MechTypeList(unsigned char *p, size_t len, const MechTypeList * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	i = 0;
+	for (i = (data)->len - 1; i >= 0; --i) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_MechType(p, len, &(data)->val[i], &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_MechTypeList(const unsigned char *p, size_t len, MechTypeList * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	if (len < reallen)
+		return ASN1_OVERRUN;
+	len = reallen;
+	{
+		size_t origlen = len;
+		int oldret = ret;
+		ret = 0;
+		(data)->len = 0;
+		(data)->val = NULL;
+		while (ret < origlen) {
+			(data)->len++;
+			(data)->val = realloc((data)->val, sizeof(*((data)->val)) * (data)->len);
+			e = decode_MechType(p, len, &(data)->val[(data)->len - 1], &l);
+			FORW;
+			len = origlen - ret;
+		}
+		ret += oldret;
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_MechTypeList(data);
+	return e;
+}
+
+static void
+free_MechTypeList(MechTypeList * data)
+{
+	while ((data)->len) {
+		free_MechType(&(data)->val[(data)->len - 1]);
+		(data)->len--;
+	}
+	free((data)->val);
+	(data)->val = NULL;
+}
+
+/* unused function: length_MechTypeList */
+
+
+/* unused function: copy_MechTypeList */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_ContextFlags(unsigned char *p, size_t len, const ContextFlags * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	i = 0;
+	{
+		unsigned char c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		*p-- = c;
+		len--;
+		ret++;
+		c = 0;
+		if (data->integFlag)
+			c |= 1 << 1;
+		if (data->confFlag)
+			c |= 1 << 2;
+		if (data->anonFlag)
+			c |= 1 << 3;
+		if (data->sequenceFlag)
+			c |= 1 << 4;
+		if (data->replayFlag)
+			c |= 1 << 5;
+		if (data->mutualFlag)
+			c |= 1 << 6;
+		if (data->delegFlag)
+			c |= 1 << 7;
+		*p-- = c;
+		*p-- = 0;
+		len -= 2;
+		ret += 2;
+	}
+
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, PRIM, UT_BitString, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_ContextFlags(const unsigned char *p, size_t len, ContextFlags * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, PRIM, UT_BitString, &reallen, &l);
+	FORW;
+	if (len < reallen)
+		return ASN1_OVERRUN;
+	p++;
+	len--;
+	reallen--;
+	ret++;
+	data->delegFlag = (*p >> 7) & 1;
+	data->mutualFlag = (*p >> 6) & 1;
+	data->replayFlag = (*p >> 5) & 1;
+	data->sequenceFlag = (*p >> 4) & 1;
+	data->anonFlag = (*p >> 3) & 1;
+	data->confFlag = (*p >> 2) & 1;
+	data->integFlag = (*p >> 1) & 1;
+	p += reallen;
+	len -= reallen;
+	ret += reallen;
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_ContextFlags(data);
+	return e;
+}
+
+static void
+free_ContextFlags(ContextFlags * data)
+{
+	(void)data;
+}
+
+/* unused function: length_ContextFlags */
+
+
+/* unused function: copy_ContextFlags */
+
+
+/* unused function: ContextFlags2int */
+
+
+/* unused function: int2ContextFlags */
+
+
+/* unused variable: ContextFlags_units */
+
+/* unused function: asn1_ContextFlags_units */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_NegTokenInit(unsigned char *p, size_t len, const NegTokenInit * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	i = 0;
+	if ((data)->mechListMIC) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->mechToken) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechToken, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->reqFlags) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_ContextFlags(p, len, (data)->reqFlags, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+		BACK;
+		ret += oldret;
+	} {
+		int oldret = ret;
+		ret = 0;
+		e = encode_MechTypeList(p, len, &(data)->mechTypes, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_NegTokenInit(const unsigned char *p, size_t len, NegTokenInit * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	{
+		int dce_fix;
+		if ((dce_fix = fix_dce(reallen, &len)) < 0)
+			return ASN1_BAD_FORMAT;
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+			if (e)
+				return e;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					e = decode_MechTypeList(p, len, &(data)->mechTypes, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+			if (e)
+				(data)->reqFlags = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->reqFlags = malloc(sizeof(*(data)->reqFlags));
+					if ((data)->reqFlags == NULL)
+						return ENOMEM;
+					e = decode_ContextFlags(p, len, (data)->reqFlags, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+			if (e)
+				(data)->mechToken = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechToken = malloc(sizeof(*(data)->mechToken));
+					if ((data)->mechToken == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechToken, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+			if (e)
+				(data)->mechListMIC = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+					if ((data)->mechListMIC == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		if (dce_fix) {
+			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+			FORW;
+		}
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_NegTokenInit(data);
+	return e;
+}
+
+static void
+free_NegTokenInit(NegTokenInit * data)
+{
+	free_MechTypeList(&(data)->mechTypes);
+	if ((data)->reqFlags) {
+		free_ContextFlags((data)->reqFlags);
+		free((data)->reqFlags);
+		(data)->reqFlags = NULL;
+	}
+	if ((data)->mechToken) {
+		free_octet_string((data)->mechToken);
+		free((data)->mechToken);
+		(data)->mechToken = NULL;
+	}
+	if ((data)->mechListMIC) {
+		free_octet_string((data)->mechListMIC);
+		free((data)->mechListMIC);
+		(data)->mechListMIC = NULL;
+	}
+}
+
+/* unused function: length_NegTokenInit */
+
+
+/* unused function: copy_NegTokenInit */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+#define BACK if (e) return e; p -= l; len -= l; ret += l
+
+static int
+encode_NegTokenResp(unsigned char *p, size_t len, const NegTokenResp * data, size_t * size)
+{
+	size_t ret = 0;
+	size_t l;
+	int i, e;
+
+	i = 0;
+	if ((data)->mechListMIC) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->mechListMIC, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 3, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->responseToken) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_octet_string(p, len, (data)->responseToken, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 2, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->supportedMech) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_MechType(p, len, (data)->supportedMech, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 1, &l);
+		BACK;
+		ret += oldret;
+	}
+	if ((data)->negState) {
+		int oldret = ret;
+		ret = 0;
+		e = encode_enumerated(p, len, (data)->negState, &l);
+		BACK;
+		e = der_put_length_and_tag(p, len, ret, ASN1_C_CONTEXT, CONS, 0, &l);
+		BACK;
+		ret += oldret;
+	}
+	e = der_put_length_and_tag(p, len, ret, ASN1_C_UNIV, CONS, UT_Sequence, &l);
+	BACK;
+	*size = ret;
+	return 0;
+}
+
+#define FORW if(e) goto fail; p += l; len -= l; ret += l
+
+static int
+decode_NegTokenResp(const unsigned char *p, size_t len, NegTokenResp * data, size_t * size)
+{
+	size_t ret = 0, reallen;
+	size_t l;
+	int e;
+
+	memset(data, 0, sizeof(*data));
+	reallen = 0;
+	e = der_match_tag_and_length(p, len, ASN1_C_UNIV, CONS, UT_Sequence, &reallen, &l);
+	FORW;
+	{
+		int dce_fix;
+		if ((dce_fix = fix_dce(reallen, &len)) < 0)
+			return ASN1_BAD_FORMAT;
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 0, &l);
+			if (e)
+				(data)->negState = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->negState = malloc(sizeof(*(data)->negState));
+					if ((data)->negState == NULL)
+						return ENOMEM;
+					e = decode_enumerated(p, len, (data)->negState, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 1, &l);
+			if (e)
+				(data)->supportedMech = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->supportedMech = malloc(sizeof(*(data)->supportedMech));
+					if ((data)->supportedMech == NULL)
+						return ENOMEM;
+					e = decode_MechType(p, len, (data)->supportedMech, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 2, &l);
+			if (e)
+				(data)->responseToken = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->responseToken = malloc(sizeof(*(data)->responseToken));
+					if ((data)->responseToken == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->responseToken, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		{
+			size_t newlen, oldlen;
+
+			e = der_match_tag(p, len, ASN1_C_CONTEXT, CONS, 3, &l);
+			if (e)
+				(data)->mechListMIC = NULL;
+			else {
+				p += l;
+				len -= l;
+				ret += l;
+				e = der_get_length(p, len, &newlen, &l);
+				FORW;
+				{
+					int dce_fix;
+					oldlen = len;
+					if ((dce_fix = fix_dce(newlen, &len)) < 0)
+						return ASN1_BAD_FORMAT;
+					(data)->mechListMIC = malloc(sizeof(*(data)->mechListMIC));
+					if ((data)->mechListMIC == NULL)
+						return ENOMEM;
+					e = decode_octet_string(p, len, (data)->mechListMIC, &l);
+					FORW;
+					if (dce_fix) {
+						e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+						FORW;
+					} else
+						len = oldlen - newlen;
+				}
+			}
+		}
+		if (dce_fix) {
+			e = der_match_tag_and_length(p, len, (Der_class) 0, (Der_type) 0, 0, &reallen, &l);
+			FORW;
+		}
+	}
+	if (size)
+		*size = ret;
+	return 0;
+fail:
+	free_NegTokenResp(data);
+	return e;
+}
+
+static void
+free_NegTokenResp(NegTokenResp * data)
+{
+	if ((data)->negState) {
+		free((data)->negState);
+		(data)->negState = NULL;
+	}
+	if ((data)->supportedMech) {
+		free_MechType((data)->supportedMech);
+		free((data)->supportedMech);
+		(data)->supportedMech = NULL;
+	}
+	if ((data)->responseToken) {
+		free_octet_string((data)->responseToken);
+		free((data)->responseToken);
+		(data)->responseToken = NULL;
+	}
+	if ((data)->mechListMIC) {
+		free_octet_string((data)->mechListMIC);
+		free((data)->mechListMIC);
+		(data)->mechListMIC = NULL;
+	}
+}
+
+/* unused function: length_NegTokenResp */
+
+
+/* unused function: copy_NegTokenResp */
+
+/* Generated from spnego.asn1 */
+/* Do not edit */
+
+
+/* CHOICE */
+/* unused variable: asn1_NegotiationToken_dummy_holder */
diff --git a/lib/dns/spnego_asn1.pl b/lib/dns/spnego_asn1.pl
new file mode 100755
index 0000000..93dd676
--- /dev/null
+++ b/lib/dns/spnego_asn1.pl
@@ -0,0 +1,200 @@
+#!/bin/bin/perl -w
+#
+# Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $
+
+# Our SPNEGO implementation uses some functions generated by the
+# Heimdal ASN.1 compiler, which this script then whacks a bit to make
+# them work properly in this stripped down implementation.  We don't
+# want to require our users to have a copy of the compiler, so we ship
+# the output of this script, but we need to keep the script around in
+# any case to cope with future changes to the SPNEGO ASN.1 code, so we
+# might as well supply the script for users who want it.
+
+# Overall plan: run the ASN.1 compiler, run each of its output files
+# through indent, fix up symbols and whack everything to be static.
+# We use indent for two reasons: (1) to whack the Heimdal compiler's
+# output into something closer to ISC's coding standard, and (2) to
+# make it easier for this script to parse the result.
+
+# Output from this script is C code which we expect to be #included
+# into another C file, which is why everything generated by this
+# script is marked "static".  The intent is to minimize the number of
+# extern symbols exported by the SPNEGO implementation, to avoid
+# potential conflicts with the GSSAPI libraries.
+
+###
+
+# Filename of the ASN.1 specification.  Hardcoded for the moment
+# since this script is intended for compiling exactly one module.
+
+my $asn1_source = $ENV{ASN1_SOURCE} || "spnego.asn1";
+
+# Heimdal ASN.1 compiler.  This script was written using the version
+# from Heimdal 0.7.1.  To build this, download a copy of
+# heimdal-0.7.1.tar.gz, configure and build with the default options,
+# then look for the compiler in heimdal-0.7.1/lib/asn1/asn1_compile.
+
+my $asn1_compile = $ENV{ASN1_COMPILE} || "asn1_compile";
+
+# BSD indent program.  This script was written using the version of
+# indent that comes with FreeBSD 4.11-STABLE.  The GNU project, as
+# usual, couldn't resist the temptation to monkey with indent's
+# command line syntax, so this probably won't work with GNU indent.
+
+my $indent = $ENV{INDENT} || "indent";
+
+###
+
+# Step 1: run the compiler.  Input is the ASN.1 file.  Outputs are a
+# header file (name specified on command line without the .h suffix),
+# a file called "asn1_files" listing the names of the other output
+# files, and a set of files containing C code generated by the
+# compiler for each data type that the compiler found.
+
+if (! -r $asn1_source || system($asn1_compile, $asn1_source, "asn1")) {
+    die("Couldn't compile ASN.1 source file $asn1_source\n");
+}
+
+my @files = ("asn1.h");
+
+open(F, "asn1_files")
+    or die("Couldn't open asn1_files: $!\n");
+push(@files, split)
+    while (<F>);
+close(F);
+
+unlink("asn1_files");
+
+###
+
+# Step 2: generate header block.
+
+print(q~/*
+ * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: spnego_asn1.pl,v 1.4 2007/06/19 23:47:16 tbox Exp $ */
+
+/*! \file
+ * \brief Method routines generated from SPNEGO ASN.1 module.
+ * See spnego_asn1.pl for details.  Do not edit.
+ */
+
+~);
+
+###
+
+# Step 3: read and process each generated file, then delete it.
+
+my $output;
+
+for my $file (@files) {
+
+    my $is_static = 0;
+
+    system($indent, "-di1", "-ldi1", $file) == 0
+	or die("Couldn't indent $file");
+
+    unlink("$file.BAK");
+
+    open(F, $file)
+	or die("Couldn't open $file: $!");
+
+    while (<F>) {
+
+	# Symbol name fixups
+
+	s/heim_general_string/general_string/g;
+	s/heim_octet_string/octet_string/g;
+	s/heim_oid/oid/g;
+	s/heim_utf8_string/utf8_string/g;
+
+	# Convert all externs to statics
+
+	if (/^static/) {
+	    $is_static = 1;
+	}
+
+	if (!/^typedef/ &&
+	    !$is_static &&
+	    /^[A-Za-z_][0-9A-Za-z_]*[ \t]*($|[^:0-9A-Za-z_])/) {
+	    $_ = "static " . $_;
+	    $is_static = 1;
+	}
+
+	if (/[{};]/) {
+	    $is_static = 0;
+	}
+
+	# Suppress file inclusion, pass anything else through
+
+	if (!/#include/) {
+	    $output .= $_;
+	}
+    }
+
+    close(F);
+    unlink($file);
+}
+
+# Step 4: Delete unused stuff to avoid code bloat and compiler warnings.
+
+my @unused_functions = qw(ContextFlags2int
+			  int2ContextFlags
+			  asn1_ContextFlags_units
+			  length_NegTokenInit
+			  copy_NegTokenInit
+			  length_NegTokenResp
+			  copy_NegTokenResp
+			  length_MechTypeList
+			  length_MechType
+			  copy_MechTypeList
+			  length_ContextFlags
+			  copy_ContextFlags
+			  copy_MechType);
+
+$output =~ s<^static [^\n]+\n$_\(.+?^}></* unused function: $_ */\n>ms
+    foreach (@unused_functions);
+
+$output =~ s<^static .+$_\(.*\);$></* unused declaration: $_ */>m
+    foreach (@unused_functions);
+
+$output =~ s<^static struct units ContextFlags_units\[\].+?^};>
+            </* unused variable: ContextFlags_units */>ms;
+
+$output =~ s<^static int asn1_NegotiationToken_dummy_holder = 1;>
+            </* unused variable: asn1_NegotiationToken_dummy_holder */>ms;
+
+$output =~ s<^static void\nfree_ContextFlags\(ContextFlags \* data\)\n{\n>
+            <$&\t(void)data;\n>ms;
+
+# Step 5: Write the result.
+
+print($output);
+
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
index fa3011c..ab69242 100644
--- a/lib/dns/ssu.c
+++ b/lib/dns/ssu.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -17,7 +17,7 @@
 
 /*! \file */
 /*
- * $Id: ssu.c,v 1.24.18.4 2006/02/16 23:51:32 marka Exp $
+ * $Id: ssu.c,v 1.34 2008/01/18 23:46:58 tbox Exp $
  * Principal Author: Brian Wellington
  */
 
@@ -25,14 +25,17 @@
 
 #include <isc/magic.h>
 #include <isc/mem.h>
+#include <isc/netaddr.h>
 #include <isc/result.h>
-#include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/string.h>
 #include <isc/util.h>
 
 #include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/ssu.h>
 
+#include <dst/gssapi.h>
+
 #define SSUTABLEMAGIC		ISC_MAGIC('S', 'S', 'U', 'T')
 #define VALID_SSUTABLE(table)	ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
 
@@ -245,50 +248,178 @@ isusertype(dns_rdatatype_t type) {
 		       type != dns_rdatatype_rrsig));
 }
 
+static void
+reverse_from_address(dns_name_t *tcpself, isc_netaddr_t *tcpaddr) {
+	char buf[16 * 4 + sizeof("IP6.ARPA.")];
+	isc_result_t result;
+	unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch (tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
+					   (l >> 0) & 0xff, (l >> 8) & 0xff,
+					   (l >> 16) & 0xff, (l >> 24) & 0xff);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "IP6.ARPA.",
+					   ap[15] & 0x0f, (ap[15] >> 4) & 0x0f,
+					   ap[14] & 0x0f, (ap[14] >> 4) & 0x0f,
+					   ap[13] & 0x0f, (ap[13] >> 4) & 0x0f,
+					   ap[12] & 0x0f, (ap[12] >> 4) & 0x0f,
+					   ap[11] & 0x0f, (ap[11] >> 4) & 0x0f,
+					   ap[10] & 0x0f, (ap[10] >> 4) & 0x0f,
+					   ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
+					   ap[8] & 0x0f, (ap[8] >> 4) & 0x0f,
+					   ap[7] & 0x0f, (ap[7] >> 4) & 0x0f,
+					   ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
+					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
+					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
+					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
+					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
+					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+static void
+stf_from_address(dns_name_t *stfself, isc_netaddr_t *tcpaddr) {
+	char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
+	isc_result_t result;
+	unsigned char *ap;
+	isc_buffer_t b;
+	unsigned long l;
+
+	switch(tcpaddr->family) {
+	case AF_INET:
+		l = ntohl(tcpaddr->type.in.s_addr);
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
+					   "2.0.0.2.IP6.ARPA.",
+					   l & 0xf, (l >> 4) & 0xf,
+					   (l >> 8) & 0xf, (l >> 12) & 0xf,
+					   (l >> 16) & 0xf, (l >> 20) & 0xf,
+					   (l >> 24) & 0xf, (l >> 28) & 0xf);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	case AF_INET6:
+		ap = tcpaddr->type.in6.s6_addr;
+		result = isc_string_printf(buf, sizeof(buf),
+					   "%x.%x.%x.%x.%x.%x.%x.%x."
+					   "%x.%x.%x.%x.IP6.ARPA.",
+					   ap[5] & 0x0f, (ap[5] >> 4) & 0x0f,
+					   ap[4] & 0x0f, (ap[4] >> 4) & 0x0f,
+					   ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+					   ap[2] & 0x0f, (ap[2] >> 4) & 0x0f,
+					   ap[1] & 0x0f, (ap[1] >> 4) & 0x0f,
+					   ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		break;
+	default:
+		INSIST(0);
+	}
+	isc_buffer_init(&b, buf, strlen(buf));
+	isc_buffer_add(&b, strlen(buf));
+	result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
 isc_boolean_t
 dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
-			dns_name_t *name, dns_rdatatype_t type)
+			dns_name_t *name, isc_netaddr_t *tcpaddr,
+			dns_rdatatype_t type)
 {
 	dns_ssurule_t *rule;
 	unsigned int i;
 	dns_fixedname_t fixed;
 	dns_name_t *wildcard;
+	dns_name_t *tcpself;
+	dns_name_t *stfself;
 	isc_result_t result;
 
 	REQUIRE(VALID_SSUTABLE(table));
 	REQUIRE(signer == NULL || dns_name_isabsolute(signer));
 	REQUIRE(dns_name_isabsolute(name));
 
-	if (signer == NULL)
+	if (signer == NULL && tcpaddr == NULL)
 		return (ISC_FALSE);
-	rule = ISC_LIST_HEAD(table->rules);
-		rule = ISC_LIST_NEXT(rule, link);
+
 	for (rule = ISC_LIST_HEAD(table->rules);
 	     rule != NULL;
 	     rule = ISC_LIST_NEXT(rule, link))
 	{
-		if (dns_name_iswildcard(rule->identity)) {
-			if (!dns_name_matcheswildcard(signer, rule->identity))
+		switch (rule->matchtype) {
+		case DNS_SSUMATCHTYPE_NAME:
+		case DNS_SSUMATCHTYPE_SUBDOMAIN:
+		case DNS_SSUMATCHTYPE_WILDCARD:
+		case DNS_SSUMATCHTYPE_SELF:
+		case DNS_SSUMATCHTYPE_SELFSUB:
+		case DNS_SSUMATCHTYPE_SELFWILD:
+			if (signer == NULL)
 				continue;
-		} else if (!dns_name_equal(signer, rule->identity))
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(signer,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(signer, rule->identity))
+					continue;
+			}
+			break;
+		case DNS_SSUMATCHTYPE_SELFKRB5:
+		case DNS_SSUMATCHTYPE_SELFMS:
+		case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
+		case DNS_SSUMATCHTYPE_SUBDOMAINMS:
+			if (signer == NULL)
 				continue;
+			break;
+		case DNS_SSUMATCHTYPE_TCPSELF:
+		case DNS_SSUMATCHTYPE_6TO4SELF:
+			if (tcpaddr == NULL)
+				continue;
+			break;
+		}
 
-		if (rule->matchtype == DNS_SSUMATCHTYPE_NAME) {
+		switch (rule->matchtype) {
+		case DNS_SSUMATCHTYPE_NAME:
 			if (!dns_name_equal(name, rule->name))
 				continue;
-		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SUBDOMAIN) {
+			break;
+		case DNS_SSUMATCHTYPE_SUBDOMAIN:
 			if (!dns_name_issubdomain(name, rule->name))
 				continue;
-		} else if (rule->matchtype == DNS_SSUMATCHTYPE_WILDCARD) {
+			break;
+		case DNS_SSUMATCHTYPE_WILDCARD:
 			if (!dns_name_matcheswildcard(name, rule->name))
 				continue;
-		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELF) {
+			break;
+		case DNS_SSUMATCHTYPE_SELF:
 			if (!dns_name_equal(signer, name))
 				continue;
-		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFSUB) {
+			break;
+		case DNS_SSUMATCHTYPE_SELFSUB:
 			if (!dns_name_issubdomain(name, signer))
 				continue;
-		} else if (rule->matchtype == DNS_SSUMATCHTYPE_SELFWILD) {
+			break;
+		case DNS_SSUMATCHTYPE_SELFWILD:
 			dns_fixedname_init(&fixed);
 			wildcard = dns_fixedname_name(&fixed);
 			result = dns_name_concatenate(dns_wildcardname, signer,
@@ -297,6 +428,61 @@ dns_ssutable_checkrules(dns_ssutable_t *table, dns_name_t *signer,
 				continue;
 			if (!dns_name_matcheswildcard(name, wildcard))
 				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SELFKRB5:
+			if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
+							       rule->identity))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SELFMS:
+			if (!dst_gssapi_identitymatchesrealmms(signer, name,
+							       rule->identity))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
+			if (!dns_name_issubdomain(name, rule->name))
+				continue;
+			if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
+							       rule->identity))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_SUBDOMAINMS:
+			if (!dns_name_issubdomain(name, rule->name))
+				continue;
+			if (!dst_gssapi_identitymatchesrealmms(signer, NULL,
+							       rule->identity))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_TCPSELF:
+			dns_fixedname_init(&fixed);
+			tcpself = dns_fixedname_name(&fixed);
+			reverse_from_address(tcpself, tcpaddr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(tcpself,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(tcpself, rule->identity))
+					continue;
+			}
+			if (!dns_name_equal(tcpself, name))
+				continue;
+			break;
+		case DNS_SSUMATCHTYPE_6TO4SELF:
+			dns_fixedname_init(&fixed);
+			stfself = dns_fixedname_name(&fixed);
+			stf_from_address(stfself, tcpaddr);
+			if (dns_name_iswildcard(rule->identity)) {
+				if (!dns_name_matcheswildcard(stfself,
+							      rule->identity))
+					continue;
+			} else {
+				if (!dns_name_equal(stfself, rule->identity))
+					continue;
+			}
+			if (!dns_name_equal(stfself, name))
+				continue;
+			break;
 		}
 
 		if (rule->ntypes == 0) {
diff --git a/lib/dns/stats.c b/lib/dns/stats.c
index 660046f..60fed35 100644
--- a/lib/dns/stats.c
+++ b/lib/dns/stats.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,16 +15,363 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stats.c,v 1.6.18.4 2005/06/27 00:20:02 marka Exp $ */
+/* $Id: stats.c,v 1.16.118.2 2009/01/29 23:47:44 tbox Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
+#include <isc/magic.h>
 #include <isc/mem.h>
+#include <isc/stats.h>
+#include <isc/util.h>
 
+#include <dns/opcode.h>
+#include <dns/rdatatype.h>
 #include <dns/stats.h>
 
+#define DNS_STATS_MAGIC			ISC_MAGIC('D', 's', 't', 't')
+#define DNS_STATS_VALID(x)		ISC_MAGIC_VALID(x, DNS_STATS_MAGIC)
+
+/*%
+ * Statistics types.
+ */
+typedef enum {
+	dns_statstype_general = 0,
+	dns_statstype_rdtype = 1,
+	dns_statstype_rdataset = 2,
+	dns_statstype_opcode = 3
+} dns_statstype_t;
+
+/*%
+ * It doesn't make sense to have 2^16 counters for all possible types since
+ * most of them won't be used.  We have counters for the first 256 types and
+ * those explicitly supported in the rdata implementation.
+ * XXXJT: this introduces tight coupling with the rdata implementation.
+ * Ideally, we should have rdata handle this type of details.
+ */
+enum {
+	/* For 0-255, we use the rdtype value as counter indices */
+	rdtypecounter_dlv = 256,	/* for dns_rdatatype_dlv */
+	rdtypecounter_others = 257,	/* anything else */
+	rdtypecounter_max = 258,
+	/* The following are used for rdataset */
+	rdtypenxcounter_max = rdtypecounter_max * 2,
+	rdtypecounter_nxdomain = rdtypenxcounter_max,
+	rdatasettypecounter_max = rdtypecounter_nxdomain + 1
+};
+
+struct dns_stats {
+	/*% Unlocked */
+	unsigned int	magic;
+	dns_statstype_t	type;
+	isc_mem_t	*mctx;
+	isc_mutex_t	lock;
+	isc_stats_t	*counters;
+
+	/*%  Locked by lock */
+	unsigned int	references;
+};
+
+typedef struct rdatadumparg {
+	dns_rdatatypestats_dumper_t	fn;
+	void				*arg;
+} rdatadumparg_t;
+
+typedef struct opcodedumparg {
+	dns_opcodestats_dumper_t	fn;
+	void				*arg;
+} opcodedumparg_t;
+
+void
+dns_stats_attach(dns_stats_t *stats, dns_stats_t **statsp) {
+	REQUIRE(DNS_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	LOCK(&stats->lock);
+	stats->references++;
+	UNLOCK(&stats->lock);
+
+	*statsp = stats;
+}
+
+void
+dns_stats_detach(dns_stats_t **statsp) {
+	dns_stats_t *stats;
+
+	REQUIRE(statsp != NULL && DNS_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	LOCK(&stats->lock);
+	stats->references--;
+	UNLOCK(&stats->lock);
+
+	if (stats->references == 0) {
+		isc_stats_detach(&stats->counters);
+		DESTROYLOCK(&stats->lock);
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+/*%
+ * Create methods
+ */
+static isc_result_t
+create_stats(isc_mem_t *mctx, dns_statstype_t	type, int ncounters,
+	     dns_stats_t **statsp)
+{
+	dns_stats_t *stats;
+	isc_result_t result;
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	if (stats == NULL)
+		return (ISC_R_NOMEMORY);
+
+	stats->counters = NULL;
+	stats->references = 1;
+
+	result = isc_mutex_init(&stats->lock);
+	if (result != ISC_R_SUCCESS)
+		goto clean_stats;
+
+	result = isc_stats_create(mctx, &stats->counters, ncounters);
+	if (result != ISC_R_SUCCESS)
+		goto clean_mutex;
+
+	stats->magic = DNS_STATS_MAGIC;
+	stats->type = type;
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	*statsp = stats;
+
+	return (ISC_R_SUCCESS);
+
+  clean_mutex:
+	DESTROYLOCK(&stats->lock);
+  clean_stats:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+isc_result_t
+dns_generalstats_create(isc_mem_t *mctx, dns_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_general, ncounters, statsp));
+}
+
+isc_result_t
+dns_rdatatypestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rdtype, rdtypecounter_max,
+			     statsp));
+}
+
+isc_result_t
+dns_rdatasetstats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_rdataset,
+			     (rdtypecounter_max * 2) + 1, statsp));
+}
+
+isc_result_t
+dns_opcodestats_create(isc_mem_t *mctx, dns_stats_t **statsp) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, dns_statstype_opcode, 16, statsp));
+}
+
+/*%
+ * Increment/Decrement methods
+ */
+void
+dns_generalstats_increment(dns_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_increment(stats->counters, counter);
+}
+
+void
+dns_rdatatypestats_increment(dns_stats_t *stats, dns_rdatatype_t type) {
+	int counter;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	if (type == dns_rdatatype_dlv)
+		counter = rdtypecounter_dlv;
+	else if (type > dns_rdatatype_any)
+		counter = rdtypecounter_others;
+	else
+		counter = (int)type;
+
+	isc_stats_increment(stats->counters, (isc_statscounter_t)counter);
+}
+
+static inline void
+update_rdatasetstats(dns_stats_t *stats, dns_rdatastatstype_t rrsettype,
+		     isc_boolean_t increment)
+{
+	int counter;
+	dns_rdatatype_t rdtype;
+
+	if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+	     DNS_RDATASTATSTYPE_ATTR_NXDOMAIN) != 0) {
+		counter = rdtypecounter_nxdomain;
+	} else {
+		rdtype = DNS_RDATASTATSTYPE_BASE(rrsettype);
+		if (rdtype == dns_rdatatype_dlv)
+			counter = (int)rdtypecounter_dlv;
+		else if (rdtype > dns_rdatatype_any)
+			counter = (int)rdtypecounter_others;
+		else
+			counter = (int)rdtype;
+
+		if ((DNS_RDATASTATSTYPE_ATTR(rrsettype) &
+		     DNS_RDATASTATSTYPE_ATTR_NXRRSET) != 0)
+			counter += rdtypecounter_max;
+	}
+
+	if (increment)
+		isc_stats_increment(stats->counters, counter);
+	else
+		isc_stats_decrement(stats->counters, counter);
+}
+
+void
+dns_rdatasetstats_increment(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
+{
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, ISC_TRUE);
+}
+
+void
+dns_rdatasetstats_decrement(dns_stats_t *stats, dns_rdatastatstype_t rrsettype)
+{
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	update_rdatasetstats(stats, rrsettype, ISC_FALSE);
+}
+void
+dns_opcodestats_increment(dns_stats_t *stats, dns_opcode_t code) {
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	isc_stats_increment(stats->counters, (isc_statscounter_t)code);
+}
+
+/*%
+ * Dump methods
+ */
+void
+dns_generalstats_dump(dns_stats_t *stats, dns_generalstats_dumper_t dump_fn,
+		      void *arg, unsigned int options)
+{
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_general);
+
+	isc_stats_dump(stats->counters, (isc_stats_dumper_t)dump_fn,
+		       arg, options);
+}
+
+static void
+dump_rdentry(int rdcounter, isc_uint64_t value, dns_rdatastatstype_t attributes,
+	     dns_rdatatypestats_dumper_t dump_fn, void * arg)
+{
+	dns_rdatatype_t rdtype = dns_rdatatype_none; /* sentinel */
+	dns_rdatastatstype_t type;
+
+	if (rdcounter == rdtypecounter_others)
+		attributes |= DNS_RDATASTATSTYPE_ATTR_OTHERTYPE;
+	else {
+		if (rdcounter == rdtypecounter_dlv)
+			rdtype = dns_rdatatype_dlv;
+		else
+			rdtype = (dns_rdatatype_t)rdcounter;
+	}
+	type = DNS_RDATASTATSTYPE_VALUE((dns_rdatastatstype_t)rdtype,
+					attributes);
+	dump_fn(type, value, arg);
+}
+
+static void
+rdatatype_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+
+	dump_rdentry(counter, value, 0, rdatadumparg->fn, rdatadumparg->arg);
+}
+
+void
+dns_rdatatypestats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+			void *arg0, unsigned int options)
+{
+	rdatadumparg_t arg;
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_rdtype);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdatatype_dumpcb, &arg, options);
+}
+
+static void
+rdataset_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
+	rdatadumparg_t *rdatadumparg = arg;
+
+	if (counter < rdtypecounter_max) {
+		dump_rdentry(counter, value, 0, rdatadumparg->fn,
+			     rdatadumparg->arg);
+	} else if (counter < rdtypenxcounter_max) {
+		dump_rdentry(counter - rdtypecounter_max, value,
+			     DNS_RDATASTATSTYPE_ATTR_NXRRSET,
+			     rdatadumparg->fn, rdatadumparg->arg);
+	} else {
+		dump_rdentry(0, value, DNS_RDATASTATSTYPE_ATTR_NXDOMAIN,
+			     rdatadumparg->fn, rdatadumparg->arg);
+	}
+}
+
+void
+dns_rdatasetstats_dump(dns_stats_t *stats, dns_rdatatypestats_dumper_t dump_fn,
+		       void *arg0, unsigned int options)
+{
+	rdatadumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) &&
+		stats->type == dns_statstype_rdataset);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, rdataset_dumpcb, &arg, options);
+}
+
+static void
+opcode_dumpcb(isc_statscounter_t counter, isc_uint64_t value, void *arg) {
+	opcodedumparg_t *opcodearg = arg;
+
+	opcodearg->fn((dns_opcode_t)counter, value, opcodearg->arg);
+}
+
+void
+dns_opcodestats_dump(dns_stats_t *stats, dns_opcodestats_dumper_t dump_fn,
+		     void *arg0, unsigned int options)
+{
+	opcodedumparg_t arg;
+
+	REQUIRE(DNS_STATS_VALID(stats) && stats->type == dns_statstype_opcode);
+
+	arg.fn = dump_fn;
+	arg.arg = arg0;
+	isc_stats_dump(stats->counters, opcode_dumpcb, &arg, options);
+}
+
+/***
+ *** Obsolete variables and functions follow:
+ ***/
 LIBDNS_EXTERNAL_DATA const char *dns_statscounter_names[DNS_STATS_NCOUNTERS] =
 	{
 	"success",
diff --git a/lib/dns/tcpmsg.c b/lib/dns/tcpmsg.c
index 018c4ce..49add56 100644
--- a/lib/dns/tcpmsg.c
+++ b/lib/dns/tcpmsg.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: tcpmsg.c,v 1.25.18.4 2006/08/10 23:59:29 marka Exp $ */
+/* $Id: tcpmsg.c,v 1.31 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/time.c b/lib/dns/time.c
index b4e7bee..62414dd 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.26.18.3 2005/04/29 00:16:06 marka Exp $ */
+/* $Id: time.c,v 1.31.332.2 2009/01/18 23:47:40 tbox Exp $ */
 
 /*! \file */
 
@@ -145,7 +145,7 @@ dns_time64_fromtext(const char *source, isc_int64_t *target) {
 	RANGE(0, 60, second);		/* 60 == leap second. */
 
 	/*
-	 * Calulate seconds since epoch.
+	 * Calculate seconds since epoch.
 	 */
 	value = second + (60 * minute) + (3600 * hour) + ((day - 1) * 86400);
 	for (i = 0; i < (month - 1); i++)
diff --git a/lib/dns/timer.c b/lib/dns/timer.c
index b225722..39e4551 100644
--- a/lib/dns/timer.c
+++ b/lib/dns/timer.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.3.18.2 2005/04/29 00:16:06 marka Exp $ */
+/* $Id: timer.c,v 1.7 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c
index 998ea36..9e59dfa 100644
--- a/lib/dns/tkey.c
+++ b/lib/dns/tkey.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tkey.c,v 1.76.18.7 2008/01/02 23:46:02 tbox Exp $
+ * $Id: tkey.c,v 1.90 2008/04/03 00:45:23 marka Exp $
  */
 /*! \file */
 #include <config.h>
@@ -66,6 +66,20 @@ tkey_log(const char *fmt, ...) {
 	va_end(ap);
 }
 
+static void
+_dns_tkey_dumpmessage(dns_message_t *msg) {
+	isc_buffer_t outbuf;
+	unsigned char output[4096];
+	isc_result_t result;
+
+	isc_buffer_init(&outbuf, output, sizeof(output));
+	result = dns_message_totext(msg, &dns_master_style_debug, 0,
+				    &outbuf);
+	/* XXXMLG ignore result */
+	fprintf(stderr, "%.*s\n", (int)isc_buffer_usedlength(&outbuf),
+		(char *)isc_buffer_base(&outbuf));
+}
+
 isc_result_t
 dns_tkeyctx_create(isc_mem_t *mctx, isc_entropy_t *ectx, dns_tkeyctx_t **tctxp)
 {
@@ -107,6 +121,8 @@ dns_tkeyctx_destroy(dns_tkeyctx_t **tctxp) {
 			dns_name_free(tctx->domain, mctx);
 		isc_mem_put(mctx, tctx->domain, sizeof(dns_name_t));
 	}
+	if (tctx->gsscred != NULL)
+		dst_gssapi_releasecred(&tctx->gsscred);
 	isc_entropy_detach(&tctx->ectx);
 	isc_mem_put(mctx, tctx, sizeof(dns_tkeyctx_t));
 	isc_mem_detach(&mctx);
@@ -280,8 +296,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	 */
 	for (result = dns_message_firstname(msg, DNS_SECTION_ADDITIONAL);
 	     result == ISC_R_SUCCESS && !found_key;
-	     result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL))
-	{
+	     result = dns_message_nextname(msg, DNS_SECTION_ADDITIONAL)) {
 		keyname = NULL;
 		dns_message_currentname(msg, DNS_SECTION_ADDITIONAL, &keyname);
 		keyset = NULL;
@@ -292,8 +307,7 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 
 		for (result = dns_rdataset_first(keyset);
 		     result == ISC_R_SUCCESS && !found_key;
-		     result = dns_rdataset_next(keyset))
-		{
+		     result = dns_rdataset_next(keyset)) {
 			dns_rdataset_current(keyset, &keyrdata);
 			pubkey = NULL;
 			result = dns_dnssec_keyfromrdata(keyname, &keyrdata,
@@ -410,13 +424,15 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	dst_key_t *dstkey = NULL;
-	void *gssctx = NULL;
+	dns_tsigkey_t *tsigkey = NULL;
+	dns_fixedname_t principal;
 	isc_stdtime_t now;
 	isc_region_t intoken;
-	unsigned char array[1024];
-	isc_buffer_t outtoken;
+	isc_buffer_t *outtoken = NULL;
+	gss_ctx_id_t gss_ctx = NULL;
 
 	UNUSED(namelist);
+	UNUSED(signer);
 
 	if (tctx->gsscred == NULL)
 		return (ISC_R_NOPERM);
@@ -424,55 +440,95 @@ process_gsstkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
 	if (!dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPI_NAME) &&
 	    !dns_name_equal(&tkeyin->algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
 		tkeyout->error = dns_tsigerror_badalg;
+		tkey_log("process_gsstkey(): dns_tsigerror_badalg");	/* XXXSRA */
 		return (ISC_R_SUCCESS);
 	}
 
+	/*
+	 * XXXDCL need to check for key expiry per 4.1.1
+	 * XXXDCL need a way to check fully established, perhaps w/key_flags
+	 */
+
 	intoken.base = tkeyin->key;
 	intoken.length = tkeyin->keylen;
 
-	isc_buffer_init(&outtoken, array, sizeof(array));
-	RETERR(dst_gssapi_acceptctx(name, tctx->gsscred, &intoken,
-				    &outtoken, &gssctx));
+	result = dns_tsigkey_find(&tsigkey, name, &tkeyin->algorithm, ring);
+	if (result == ISC_R_SUCCESS)
+		gss_ctx = dst_key_getgssctx(tsigkey->key);
 
-	dstkey = NULL;
-	RETERR(dst_key_fromgssapi(name, gssctx, msg->mctx, &dstkey));
 
-	result = dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
-					   dstkey, ISC_TRUE, signer,
-					   tkeyin->inception, tkeyin->expire,
-					   ring->mctx, ring, NULL);
-#if 1
-	if (result != ISC_R_SUCCESS)
-		goto failure;
-#else
-	if (result == ISC_R_NOTFOUND) {
-		tkeyout->error = dns_tsigerror_badalg;
+	dns_fixedname_init(&principal);
+
+	result = dst_gssapi_acceptctx(tctx->gsscred, &intoken,
+				      &outtoken, &gss_ctx,
+				      dns_fixedname_name(&principal),
+				      tctx->mctx);
+
+	if (tsigkey != NULL)
+		dns_tsigkey_detach(&tsigkey);
+
+	if (result == DNS_R_INVALIDTKEY) {
+		tkeyout->error = dns_tsigerror_badkey;
+		tkey_log("process_gsstkey(): dns_tsigerror_badkey");    /* XXXSRA */
 		return (ISC_R_SUCCESS);
-	}
-	if (result != ISC_R_SUCCESS)
+	} else if (result == ISC_R_FAILURE)
 		goto failure;
-#endif
+	ENSURE(result == DNS_R_CONTINUE || result == ISC_R_SUCCESS);
+	/*
+	 * XXXDCL Section 4.1.3: Limit GSS_S_CONTINUE_NEEDED to 10 times.
+	 */
+
+	if (tsigkey == NULL) {
+		RETERR(dst_key_fromgssapi(name, gss_ctx, msg->mctx, &dstkey));
+		RETERR(dns_tsigkey_createfromkey(name, &tkeyin->algorithm,
+						 dstkey, ISC_TRUE,
+						 dns_fixedname_name(&principal),
+						 tkeyin->inception,
+						 tkeyin->expire,
+						 ring->mctx, ring, NULL));
+	}
 
-	/* This key is good for a long time */
 	isc_stdtime_get(&now);
 	tkeyout->inception = tkeyin->inception;
 	tkeyout->expire = tkeyin->expire;
 
-	tkeyout->key = isc_mem_get(msg->mctx,
-				   isc_buffer_usedlength(&outtoken));
-	if (tkeyout->key == NULL) {
-		result = ISC_R_NOMEMORY;
-		goto failure;
+	if (outtoken) {
+		tkeyout->key = isc_mem_get(tkeyout->mctx,
+					   isc_buffer_usedlength(outtoken));
+		if (tkeyout->key == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		tkeyout->keylen = isc_buffer_usedlength(outtoken);
+		memcpy(tkeyout->key, isc_buffer_base(outtoken),
+		       isc_buffer_usedlength(outtoken));
+		isc_buffer_free(&outtoken);
+	} else {
+		tkeyout->key = isc_mem_get(tkeyout->mctx, tkeyin->keylen);
+		if (tkeyout->key == NULL) {
+			result = ISC_R_NOMEMORY;
+			goto failure;
+		}
+		tkeyout->keylen = tkeyin->keylen;
+		memcpy(tkeyout->key, tkeyin->key, tkeyin->keylen);
 	}
-	tkeyout->keylen = isc_buffer_usedlength(&outtoken);
-	memcpy(tkeyout->key, isc_buffer_base(&outtoken), tkeyout->keylen);
+
+	tkeyout->error = dns_rcode_noerror;
+
+	tkey_log("process_gsstkey(): dns_tsigerror_noerror");   /* XXXSRA */
 
 	return (ISC_R_SUCCESS);
 
- failure:
+failure:
 	if (dstkey != NULL)
 		dst_key_free(&dstkey);
 
+	if (outtoken != NULL)
+		isc_buffer_free(&outtoken);
+
+	tkey_log("process_gsstkey(): %s",
+		isc_result_totext(result));	/* XXXSRA */
+
 	return (result);
 }
 
@@ -564,8 +620,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 		 */
 		if (dns_message_findname(msg, DNS_SECTION_ANSWER, qname,
 					 dns_rdatatype_tkey, 0, &name,
-					 &tkeyset) != ISC_R_SUCCESS)
-		{
+					 &tkeyset) != ISC_R_SUCCESS) {
 			result = DNS_R_FORMERR;
 			tkey_log("dns_tkey_processquery: couldn't find a TKEY "
 				 "matching the question");
@@ -632,7 +687,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 	if (tkeyin.mode != DNS_TKEYMODE_DELETE) {
 		dns_tsigkey_t *tsigkey = NULL;
 
-		if (tctx->domain == NULL) {
+		if (tctx->domain == NULL && tkeyin.mode != DNS_TKEYMODE_GSSAPI) {
 			tkey_log("dns_tkey_processquery: tkey-domain not set");
 			result = DNS_R_REFUSED;
 			goto failure;
@@ -674,12 +729,22 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 			if (result != ISC_R_SUCCESS)
 				goto failure;
 		}
-		result = dns_name_concatenate(keyname, tctx->domain,
-					      keyname, NULL);
-		if (result != ISC_R_SUCCESS)
-			goto failure;
+
+		if (tkeyin.mode == DNS_TKEYMODE_GSSAPI) {
+			/* Yup.  This is a hack */
+			result = dns_name_concatenate(keyname, dns_rootname,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+		} else {
+			result = dns_name_concatenate(keyname, tctx->domain,
+						      keyname, NULL);
+			if (result != ISC_R_SUCCESS)
+				goto failure;
+		}
 
 		result = dns_tsigkey_find(&tsigkey, keyname, NULL, ring);
+
 		if (result == ISC_R_SUCCESS) {
 			tkeyout.error = dns_tsigerror_badname;
 			dns_tsigkey_detach(&tsigkey);
@@ -701,6 +766,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 			RETERR(process_gsstkey(msg, signer, keyname, &tkeyin,
 					       tctx, &tkeyout, ring,
 					       &namelist));
+
 			break;
 		case DNS_TKEYMODE_DELETE:
 			tkeyout.error = dns_rcode_noerror;
@@ -729,9 +795,9 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 	}
 
 	if (tkeyout.key != NULL)
-		isc_mem_put(msg->mctx, tkeyout.key, tkeyout.keylen);
+		isc_mem_put(tkeyout.mctx, tkeyout.key, tkeyout.keylen);
 	if (tkeyout.other != NULL)
-		isc_mem_put(msg->mctx, tkeyout.other, tkeyout.otherlen);
+		isc_mem_put(tkeyout.mctx, tkeyout.other, tkeyout.otherlen);
 	if (result != ISC_R_SUCCESS)
 		goto failure;
 
@@ -759,7 +825,7 @@ dns_tkey_processquery(dns_message_t *msg, dns_tkeyctx_t *tctx,
 
 static isc_result_t
 buildquery(dns_message_t *msg, dns_name_t *name,
-	   dns_rdata_tkey_t *tkey)
+	   dns_rdata_tkey_t *tkey, isc_boolean_t win2k)
 {
 	dns_name_t *qname = NULL, *aname = NULL;
 	dns_rdataset_t *question = NULL, *tkeyset = NULL;
@@ -780,8 +846,9 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 	dns_rdataset_makequestion(question, dns_rdataclass_any,
 				  dns_rdatatype_tkey);
 
-	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 512));
+	RETERR(isc_buffer_allocate(msg->mctx, &dynbuf, 4096));
 	RETERR(dns_message_gettemprdata(msg, &rdata));
+
 	RETERR(dns_rdata_fromstruct(rdata, dns_rdataclass_any,
 				    dns_rdatatype_tkey, tkey, dynbuf));
 	dns_message_takebuffer(msg, &dynbuf);
@@ -808,7 +875,15 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 	ISC_LIST_APPEND(aname->list, tkeyset, link);
 
 	dns_message_addname(msg, qname, DNS_SECTION_QUESTION);
-	dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
+
+	/*
+	 * Windows 2000 needs this in the answer section, not the additional
+	 * section where the RFC specifies.
+	 */
+	if (win2k)
+		dns_message_addname(msg, aname, DNS_SECTION_ANSWER);
+	else
+		dns_message_addname(msg, aname, DNS_SECTION_ADDITIONAL);
 
 	return (ISC_R_SUCCESS);
 
@@ -823,6 +898,7 @@ buildquery(dns_message_t *msg, dns_name_t *name,
 	}
 	if (dynbuf != NULL)
 		isc_buffer_free(&dynbuf);
+	printf("buildquery error\n");
 	return (result);
 }
 
@@ -869,7 +945,7 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 	tkey.other = NULL;
 	tkey.otherlen = 0;
 
-	RETERR(buildquery(msg, name, &tkey));
+	RETERR(buildquery(msg, name, &tkey, ISC_FALSE));
 
 	if (nonce == NULL)
 		isc_mem_put(msg->mctx, r.base, 0);
@@ -900,23 +976,25 @@ dns_tkey_builddhquery(dns_message_t *msg, dst_key_t *key, dns_name_t *name,
 }
 
 isc_result_t
-dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
-		       dns_name_t *gname, void *cred,
-		       isc_uint32_t lifetime, void **context)
+dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name, dns_name_t *gname,
+		       isc_buffer_t *intoken, isc_uint32_t lifetime,
+		       gss_ctx_id_t *context, isc_boolean_t win2k)
 {
 	dns_rdata_tkey_t tkey;
 	isc_result_t result;
 	isc_stdtime_t now;
 	isc_buffer_t token;
-	unsigned char array[1024];
+	unsigned char array[4096];
+
+	UNUSED(intoken);
 
 	REQUIRE(msg != NULL);
 	REQUIRE(name != NULL);
 	REQUIRE(gname != NULL);
-	REQUIRE(context != NULL && *context == NULL);
+	REQUIRE(context != NULL);
 
 	isc_buffer_init(&token, array, sizeof(array));
-	result = dst_gssapi_initctx(gname, cred, NULL, &token, context);
+	result = dst_gssapi_initctx(gname, NULL, &token, context);
 	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
 		return (result);
 
@@ -925,7 +1003,12 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
 	ISC_LINK_INIT(&tkey.common, link);
 	tkey.mctx = NULL;
 	dns_name_init(&tkey.algorithm, NULL);
-	dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
+	if (win2k)
+		dns_name_clone(DNS_TSIG_GSSAPIMS_NAME, &tkey.algorithm);
+	else
+		dns_name_clone(DNS_TSIG_GSSAPI_NAME, &tkey.algorithm);
+
 	isc_stdtime_get(&now);
 	tkey.inception = now;
 	tkey.expire = now + lifetime;
@@ -936,7 +1019,7 @@ dns_tkey_buildgssquery(dns_message_t *msg, dns_name_t *name,
 	tkey.other = NULL;
 	tkey.otherlen = 0;
 
-	RETERR(buildquery(msg, name, &tkey));
+	RETERR(buildquery(msg, name, &tkey, win2k));
 
 	return (ISC_R_SUCCESS);
 
@@ -963,7 +1046,7 @@ dns_tkey_builddeletequery(dns_message_t *msg, dns_tsigkey_t *key) {
 	tkey.keylen = tkey.otherlen = 0;
 	tkey.key = tkey.other = NULL;
 
-	return (buildquery(msg, &key->name, &tkey));
+	return (buildquery(msg, &key->name, &tkey, ISC_FALSE));
 }
 
 static isc_result_t
@@ -1034,10 +1117,9 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	    rtkey.mode != DNS_TKEYMODE_DIFFIEHELLMAN ||
 	    rtkey.mode != qtkey.mode ||
 	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
-	    rmsg->rcode != dns_rcode_noerror)
-	{
+	    rmsg->rcode != dns_rcode_noerror) {
 		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
-			 "or error set");
+			 "or error set(1)");
 		result = DNS_R_INVALIDTKEY;
 		dns_rdata_freestruct(&qtkey);
 		goto failure;
@@ -1106,7 +1188,7 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	result = dns_tsigkey_create(tkeyname, &rtkey.algorithm,
 				    r.base, r.length, ISC_TRUE,
 				    NULL, rtkey.inception, rtkey.expire,
-				    ring->mctx, ring, outkey);
+				    rmsg->mctx, ring, outkey);
 	isc_buffer_free(&shared);
 	dns_rdata_freestruct(&rtkey);
 	dst_key_free(&theirkey);
@@ -1127,18 +1209,19 @@ dns_tkey_processdhresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 
 isc_result_t
 dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
-			    dns_name_t *gname, void *cred, void **context,
-			    dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring)
+			    dns_name_t *gname, gss_ctx_id_t *context,
+			    isc_buffer_t *outtoken, dns_tsigkey_t **outkey,
+			    dns_tsig_keyring_t *ring)
 {
 	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
 	dns_name_t *tkeyname;
 	dns_rdata_tkey_t rtkey, qtkey;
-	isc_buffer_t outtoken;
 	dst_key_t *dstkey = NULL;
-	isc_region_t r;
+	isc_buffer_t intoken;
 	isc_result_t result;
 	unsigned char array[1024];
 
+	REQUIRE(outtoken != NULL);
 	REQUIRE(qmsg != NULL);
 	REQUIRE(rmsg != NULL);
 	REQUIRE(gname != NULL);
@@ -1150,31 +1233,42 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
 	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
 
-	RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
-			 DNS_SECTION_ADDITIONAL));
+	/*
+	 * Win2k puts the item in the ANSWER section, while the RFC
+	 * specifies it should be in the ADDITIONAL section.  Check first
+	 * where it should be, and then where it may be.
+	 */
+	result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+			   DNS_SECTION_ADDITIONAL);
+	if (result == ISC_R_NOTFOUND)
+		result = find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+				   DNS_SECTION_ANSWER);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
 	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
 
 	if (rtkey.error != dns_rcode_noerror ||
 	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
-	    !dns_name_equal(&rtkey.algorithm, &rtkey.algorithm))
-	{
-		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
-			 "or error set");
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm)) {
+		tkey_log("dns_tkey_processgssresponse: tkey mode invalid "
+			 "or error set(2) %d", rtkey.error);
+		_dns_tkey_dumpmessage(qmsg);
+		_dns_tkey_dumpmessage(rmsg);
 		result = DNS_R_INVALIDTKEY;
 		goto failure;
 	}
 
-	isc_buffer_init(&outtoken, array, sizeof(array));
-	r.base = rtkey.key;
-	r.length = rtkey.keylen;
-	RETERR(dst_gssapi_initctx(gname, cred, &r, &outtoken, context));
+	isc_buffer_init(outtoken, array, sizeof(array));
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	RETERR(dst_gssapi_initctx(gname, &intoken, outtoken, context));
 
 	dstkey = NULL;
 	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
 				  &dstkey));
 
 	RETERR(dns_tsigkey_createfromkey(tkeyname, DNS_TSIG_GSSAPI_NAME,
-					 dstkey, ISC_TRUE, NULL,
+					 dstkey, ISC_FALSE, NULL,
 					 rtkey.inception, rtkey.expire,
 					 ring->mctx, ring, outkey));
 
@@ -1182,6 +1276,9 @@ dns_tkey_processgssresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	return (result);
 
  failure:
+	/*
+	 * XXXSRA This probably leaks memory from rtkey and qtkey.
+	 */
 	return (result);
 }
 
@@ -1212,10 +1309,9 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
 	    rtkey.mode != DNS_TKEYMODE_DELETE ||
 	    rtkey.mode != qtkey.mode ||
 	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm) ||
-	    rmsg->rcode != dns_rcode_noerror)
-	{
+	    rmsg->rcode != dns_rcode_noerror) {
 		tkey_log("dns_tkey_processdeleteresponse: tkey mode invalid "
-			 "or error set");
+			 "or error set(3)");
 		result = DNS_R_INVALIDTKEY;
 		dns_rdata_freestruct(&qtkey);
 		dns_rdata_freestruct(&rtkey);
@@ -1240,3 +1336,84 @@ dns_tkey_processdeleteresponse(dns_message_t *qmsg, dns_message_t *rmsg,
  failure:
 	return (result);
 }
+
+isc_result_t
+dns_tkey_gssnegotiate(dns_message_t *qmsg, dns_message_t *rmsg,
+		      dns_name_t *server, gss_ctx_id_t *context,
+		      dns_tsigkey_t **outkey, dns_tsig_keyring_t *ring,
+		      isc_boolean_t win2k)
+{
+	dns_rdata_t rtkeyrdata = DNS_RDATA_INIT, qtkeyrdata = DNS_RDATA_INIT;
+	dns_name_t *tkeyname;
+	dns_rdata_tkey_t rtkey, qtkey;
+	isc_buffer_t intoken, outtoken;
+	dst_key_t *dstkey = NULL;
+	isc_result_t result;
+	unsigned char array[1024];
+
+	REQUIRE(qmsg != NULL);
+	REQUIRE(rmsg != NULL);
+	REQUIRE(server != NULL);
+	if (outkey != NULL)
+		REQUIRE(*outkey == NULL);
+
+	if (rmsg->rcode != dns_rcode_noerror)
+		return (ISC_RESULTCLASS_DNSRCODE + rmsg->rcode);
+
+	RETERR(find_tkey(rmsg, &tkeyname, &rtkeyrdata, DNS_SECTION_ANSWER));
+	RETERR(dns_rdata_tostruct(&rtkeyrdata, &rtkey, NULL));
+
+	if (win2k == ISC_TRUE)
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+			 DNS_SECTION_ANSWER));
+	else
+		RETERR(find_tkey(qmsg, &tkeyname, &qtkeyrdata,
+			 DNS_SECTION_ADDITIONAL));
+
+	RETERR(dns_rdata_tostruct(&qtkeyrdata, &qtkey, NULL));
+
+	if (rtkey.error != dns_rcode_noerror ||
+	    rtkey.mode != DNS_TKEYMODE_GSSAPI ||
+	    !dns_name_equal(&rtkey.algorithm, &qtkey.algorithm))
+	{
+		tkey_log("dns_tkey_processdhresponse: tkey mode invalid "
+			 "or error set(4)");
+		result = DNS_R_INVALIDTKEY;
+		goto failure;
+	}
+
+	isc_buffer_init(&intoken, rtkey.key, rtkey.keylen);
+	isc_buffer_init(&outtoken, array, sizeof(array));
+
+	result = dst_gssapi_initctx(server, &intoken, &outtoken, context);
+	if (result != DNS_R_CONTINUE && result != ISC_R_SUCCESS)
+		return (result);
+
+	dstkey = NULL;
+	RETERR(dst_key_fromgssapi(dns_rootname, *context, rmsg->mctx,
+				  &dstkey));
+
+	/*
+	 * XXXSRA This seems confused.  If we got CONTINUE from initctx,
+	 * the GSS negotiation hasn't completed yet, so we can't sign
+	 * anything yet.
+	 */
+
+	RETERR(dns_tsigkey_createfromkey(tkeyname,
+					 (win2k
+					  ? DNS_TSIG_GSSAPIMS_NAME
+					  : DNS_TSIG_GSSAPI_NAME),
+					 dstkey, ISC_TRUE, NULL,
+					 rtkey.inception, rtkey.expire,
+					 ring->mctx, ring, outkey));
+
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+
+ failure:
+	/*
+	 * XXXSRA This probably leaks memory from qtkey.
+	 */
+	dns_rdata_freestruct(&rtkey);
+	return (result);
+}
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index f21832f..74a7af3 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -16,7 +16,7 @@
  */
 
 /*
- * $Id: tsig.c,v 1.117.18.14 2008/01/17 23:46:03 tbox Exp $
+ * $Id: tsig.c,v 1.136 2008/11/04 21:23:14 marka Exp $
  */
 /*! \file */
 #include <config.h>
@@ -28,10 +28,12 @@
 #include <isc/refcount.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
 #include <isc/util.h>
+#include <isc/time.h>
 
 #include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/message.h>
+#include <dns/fixedname.h>
 #include <dns/rbt.h>
 #include <dns/rdata.h>
 #include <dns/rdatalist.h>
@@ -74,7 +76,6 @@ dns_name_t *dns_tsig_hmacmd5_name = &hmacmd5;
 
 static unsigned char gsstsig_ndata[] = "\010gss-tsig";
 static unsigned char gsstsig_offsets[] = { 0, 9 };
-
 static dns_name_t gsstsig = {
 	DNS_NAME_MAGIC,
 	gsstsig_ndata, 10, 2,
@@ -83,13 +84,14 @@ static dns_name_t gsstsig = {
 	{(void *)-1, (void *)-1},
 	{NULL, NULL}
 };
-
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapi_name = &gsstsig;
 
-/* It's nice of Microsoft to conform to their own standard. */
+/*
+ * Since Microsoft doesn't follow its own standard, we will use this
+ * alternate name as a second guess.
+ */
 static unsigned char gsstsigms_ndata[] = "\003gss\011microsoft\003com";
 static unsigned char gsstsigms_offsets[] = { 0, 4, 14, 18 };
-
 static dns_name_t gsstsigms = {
 	DNS_NAME_MAGIC,
 	gsstsigms_ndata, 19, 4,
@@ -98,7 +100,6 @@ static dns_name_t gsstsigms = {
 	{(void *)-1, (void *)-1},
 	{NULL, NULL}
 };
-
 LIBDNS_EXTERNAL_DATA dns_name_t *dns_tsig_gssapims_name = &gsstsigms;
 
 static unsigned char hmacsha1_ndata[] = "\011hmac-sha1";
@@ -179,10 +180,16 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...)
      ISC_FORMAT_PRINTF(3, 4);
 
 static void
+cleanup_ring(dns_tsig_keyring_t *ring);
+static void
+tsigkey_free(dns_tsigkey_t *key);
+
+static void
 tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
 	char namestr[DNS_NAME_FORMATSIZE];
+	char creatorstr[DNS_NAME_FORMATSIZE];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
@@ -190,11 +197,22 @@ tsig_log(dns_tsigkey_t *key, int level, const char *fmt, ...) {
 		dns_name_format(&key->name, namestr, sizeof(namestr));
 	else
 		strcpy(namestr, "<null>");
+
+	if (key != NULL && key->generated)
+		dns_name_format(key->creator, creatorstr, sizeof(creatorstr));
+
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
-	isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
-		      level, "tsig key '%s': %s", namestr, message);
+	if (key != NULL && key->generated)
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+			      level, "tsig key '%s' (%s): %s",
+			      namestr, creatorstr, message);
+	else
+		isc_log_write(dns_lctx,
+			      DNS_LOGCATEGORY_DNSSEC, DNS_LOGMODULE_TSIG,
+			      level, "tsig key '%s': %s", namestr, message);
 }
 
 isc_result_t
@@ -330,6 +348,16 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 
 	if (ring != NULL) {
 		RWLOCK(&ring->lock, isc_rwlocktype_write);
+		ring->writecount++;
+
+		/*
+		 * Do on the fly cleaning.  Find some nodes we might not
+		 * want around any more.
+		 */
+		if (ring->writecount > 10) {
+			cleanup_ring(ring);
+			ring->writecount = 0;
+		}
 		ret = dns_rbt_addname(ring->keys, name, tkey);
 		if (ret != ISC_R_SUCCESS) {
 			RWUNLOCK(&ring->lock, isc_rwlocktype_write);
@@ -338,7 +366,12 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
 	}
 
-	if (dstkey != NULL && dst_key_size(dstkey) < 64) {
+	/*
+	 * Ignore this if it's a GSS key, since the key size is meaningless.
+	 */
+	if (dstkey != NULL && dst_key_size(dstkey) < 64 &&
+	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPI_NAME) &&
+	    !dns_name_equal(algorithm, DNS_TSIG_GSSAPIMS_NAME)) {
 		char namestr[DNS_NAME_FORMATSIZE];
 		dns_name_format(name, namestr, sizeof(namestr));
 		isc_log_write(dns_lctx, DNS_LOGCATEGORY_DNSSEC,
@@ -375,6 +408,66 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	return (ret);
 }
 
+/*
+ * Find a few nodes to destroy if possible.
+ */
+static void
+cleanup_ring(dns_tsig_keyring_t *ring)
+{
+	isc_result_t result;
+	dns_rbtnodechain_t chain;
+	dns_name_t foundname;
+	dns_fixedname_t fixedorigin;
+	dns_name_t *origin;
+	isc_stdtime_t now;
+	dns_rbtnode_t *node;
+	dns_tsigkey_t *tkey;
+
+	/*
+	 * Start up a new iterator each time.
+	 */
+	isc_stdtime_get(&now);
+	dns_name_init(&foundname, NULL);
+	dns_fixedname_init(&fixedorigin);
+	origin = dns_fixedname_name(&fixedorigin);
+
+ again:
+	dns_rbtnodechain_init(&chain, ring->mctx);
+	result = dns_rbtnodechain_first(&chain, ring->keys, &foundname,
+					origin);
+	if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+		dns_rbtnodechain_invalidate(&chain);
+		return;
+	}
+
+	for (;;) {
+		node = NULL;
+		dns_rbtnodechain_current(&chain, &foundname, origin, &node);
+		tkey = node->data;
+		if (tkey != NULL) {
+			if (tkey->generated
+			    && isc_refcount_current(&tkey->refs) == 1
+			    && tkey->inception != tkey->expire
+			    && tkey->expire < now) {
+				tsig_log(tkey, 2, "tsig expire: deleting");
+				/* delete the key */
+				dns_rbtnodechain_invalidate(&chain);
+				(void)dns_rbt_deletename(ring->keys,
+							 &tkey->name,
+							 ISC_FALSE);
+				goto again;
+			}
+		}
+		result = dns_rbtnodechain_next(&chain, &foundname,
+					       origin);
+		if (result != ISC_R_SUCCESS && result != DNS_R_NEWORIGIN) {
+			dns_rbtnodechain_invalidate(&chain);
+			return;
+		}
+
+	}
+}
+
 isc_result_t
 dns_tsigkey_create(dns_name_t *name, dns_name_t *algorithm,
 		   unsigned char *secret, int length, isc_boolean_t generated,
@@ -540,17 +633,6 @@ dns_tsigkey_setdeleted(dns_tsigkey_t *key) {
 	RWUNLOCK(&key->ring->lock, isc_rwlocktype_write);
 }
 
-static void
-buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
-	isc_uint16_t valhi;
-	isc_uint32_t vallo;
-
-	valhi = (isc_uint16_t)(val >> 32);
-	vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
-	isc_buffer_putuint16(b, valhi);
-	isc_buffer_putuint32(b, vallo);
-}
-
 isc_result_t
 dns_tsig_sign(dns_message_t *msg) {
 	dns_tsigkey_t *key;
@@ -613,7 +695,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		tsig.otherlen = BADTIMELEN;
 		tsig.other = badtimedata;
 		isc_buffer_init(&otherbuf, tsig.other, tsig.otherlen);
-		buffer_putuint48(&otherbuf, tsig.timesigned);
+		isc_buffer_putuint48(&otherbuf, tsig.timesigned);
 	}
 
 	if (key->key != NULL && tsig.error != dns_tsigerror_badsig) {
@@ -641,8 +723,7 @@ dns_tsig_sign(dns_message_t *msg) {
 				goto cleanup_context;
 			isc_buffer_putuint16(&databuf, querytsig.siglen);
 			if (isc_buffer_availablelength(&databuf) <
-			    querytsig.siglen)
-			{
+			    querytsig.siglen) {
 				ret = ISC_R_NOSPACE;
 				goto cleanup_context;
 			}
@@ -700,7 +781,7 @@ dns_tsig_sign(dns_message_t *msg) {
 		isc_buffer_clear(&databuf);
 		if (tsig.error == dns_tsigerror_badtime)
 			tsig.timesigned = querytsig.timesigned;
-		buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
 		isc_buffer_putuint16(&databuf, tsig.fudge);
 		isc_buffer_usedregion(&databuf, &r);
 		ret = dst_context_adddata(ctx, &r);
@@ -852,6 +933,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	REQUIRE(source != NULL);
 	REQUIRE(DNS_MESSAGE_VALID(msg));
 	tsigkey = dns_message_gettsigkey(msg);
+
 	REQUIRE(tsigkey == NULL || VALID_TSIG_KEY(tsigkey));
 
 	msg->verify_attempted = 1;
@@ -907,8 +989,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 	 */
 	if (is_response(msg) &&
 	    (!dns_name_equal(keyname, &tsigkey->name) ||
-	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)))
-	{
+	     !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))) {
 		msg->tsigstatus = dns_tsigerror_badkey;
 		tsig_log(msg->tsigkey, 2,
 			 "key name and algorithm do not match");
@@ -1084,7 +1165,7 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 			goto cleanup_context;
 
 		isc_buffer_clear(&databuf);
-		buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
 		isc_buffer_putuint16(&databuf, tsig.fudge);
 		isc_buffer_putuint16(&databuf, tsig.error);
 		isc_buffer_putuint16(&databuf, tsig.otherlen);
@@ -1106,15 +1187,14 @@ dns_tsig_verify(isc_buffer_t *source, dns_message_t *msg,
 			msg->tsigstatus = dns_tsigerror_badsig;
 			ret = DNS_R_TSIGVERIFYFAILURE;
 			tsig_log(msg->tsigkey, 2,
-				 "signature failed to verify");
+				 "signature failed to verify(1)");
 			goto cleanup_context;
 		} else if (ret != ISC_R_SUCCESS)
 			goto cleanup_context;
 
 		dst_context_destroy(&ctx);
 	} else if (tsig.error != dns_tsigerror_badsig &&
-		   tsig.error != dns_tsigerror_badkey)
-	{
+		   tsig.error != dns_tsigerror_badkey) {
 		msg->tsigstatus = dns_tsigerror_badsig;
 		tsig_log(msg->tsigkey, 2, "signature was empty");
 		return (DNS_R_TSIGVERIFYFAILURE);
@@ -1201,8 +1281,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		 * Do the key name and algorithm match that of the query?
 		 */
 		if (!dns_name_equal(keyname, &tsigkey->name) ||
-		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm))
-		{
+		    !dns_name_equal(&tsig.algorithm, &querytsig.algorithm)) {
 			msg->tsigstatus = dns_tsigerror_badkey;
 			ret = DNS_R_TSIGVERIFYFAILURE;
 			tsig_log(msg->tsigkey, 2,
@@ -1221,8 +1300,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 			ret = DNS_R_CLOCKSKEW;
 			goto cleanup_querystruct;
 		} else if (now + msg->timeadjust <
-			   tsig.timesigned - tsig.fudge)
-		{
+			   tsig.timesigned - tsig.fudge) {
 			msg->tsigstatus = dns_tsigerror_badtime;
 			tsig_log(msg->tsigkey, 2,
 				 "signature is in the future");
@@ -1312,7 +1390,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 	 */
 	if (has_tsig) {
 		isc_buffer_init(&databuf, data, sizeof(data));
-		buffer_putuint48(&databuf, tsig.timesigned);
+		isc_buffer_putuint48(&databuf, tsig.timesigned);
 		isc_buffer_putuint16(&databuf, tsig.fudge);
 		isc_buffer_usedregion(&databuf, &r);
 		ret = dst_context_adddata(msg->tsigctx, &r);
@@ -1339,7 +1417,7 @@ tsig_verify_tcp(isc_buffer_t *source, dns_message_t *msg) {
 		if (ret == DST_R_VERIFYFAILURE) {
 			msg->tsigstatus = dns_tsigerror_badsig;
 			tsig_log(msg->tsigkey, 2,
-				 "signature failed to verify");
+				 "signature failed to verify(2)");
 			ret = DNS_R_TSIGVERIFYFAILURE;
 			goto cleanup_context;
 		}
@@ -1375,6 +1453,10 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 	REQUIRE(name != NULL);
 	REQUIRE(ring != NULL);
 
+	RWLOCK(&ring->lock, isc_rwlocktype_write);
+	cleanup_ring(ring);
+	RWUNLOCK(&ring->lock, isc_rwlocktype_write);
+
 	isc_stdtime_get(&now);
 	RWLOCK(&ring->lock, isc_rwlocktype_read);
 	key = NULL;
@@ -1393,7 +1475,7 @@ dns_tsigkey_find(dns_tsigkey_t **tsigkey, dns_name_t *name,
 		 */
 		RWUNLOCK(&ring->lock, isc_rwlocktype_read);
 		RWLOCK(&ring->lock, isc_rwlocktype_write);
-		(void) dns_rbt_deletename(ring->keys, name, ISC_FALSE);
+		(void)dns_rbt_deletename(ring->keys, name, ISC_FALSE);
 		RWUNLOCK(&ring->lock, isc_rwlocktype_write);
 		return (ISC_R_NOTFOUND);
 	}
@@ -1443,6 +1525,7 @@ dns_tsigkeyring_create(isc_mem_t *mctx, dns_tsig_keyring_t **ringp) {
 		return (result);
 	}
 
+	ring->writecount = 0;
 	ring->mctx = NULL;
 	isc_mem_attach(mctx, &ring->mctx);
 
diff --git a/lib/dns/ttl.c b/lib/dns/ttl.c
index 39d2ac3..9d0dec5 100644
--- a/lib/dns/ttl.c
+++ b/lib/dns/ttl.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ttl.c,v 1.25.18.2 2005/04/29 00:16:07 marka Exp $ */
+/* $Id: ttl.c,v 1.29 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 685434b..c62b714 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,18 +15,17 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: validator.c,v 1.119.18.41.2.1 2009/03/17 02:23:49 marka Exp $ */
-
-/*! \file */
+/* $Id: validator.c,v 1.164.12.9 2009/05/07 23:47:12 tbox Exp $ */
 
 #include <config.h>
 
+#include <isc/base32.h>
 #include <isc/mem.h>
 #include <isc/print.h>
+#include <isc/sha2.h>
 #include <isc/string.h>
 #include <isc/task.h>
 #include <isc/util.h>
-#include <isc/sha2.h>
 
 #include <dns/db.h>
 #include <dns/ds.h>
@@ -37,6 +36,7 @@
 #include <dns/message.h>
 #include <dns/ncache.h>
 #include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/rdata.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdataset.h>
@@ -89,7 +89,7 @@
 #define VALID_VALIDATOR(v)		ISC_MAGIC_VALID(v, VALIDATOR_MAGIC)
 
 #define VALATTR_SHUTDOWN		0x0001	/*%< Shutting down. */
-#define VALATTR_CANCELED		0x0002	/*%< Cancelled. */
+#define VALATTR_CANCELED		0x0002	/*%< Canceled. */
 #define VALATTR_TRIEDVERIFY		0x0004  /*%< We have found a key and
 						 * have attempted a verify. */
 #define VALATTR_INSECURITY		0x0010	/*%< Attempting proveunsecure. */
@@ -98,16 +98,23 @@
 /*!
  * NSEC proofs to be looked for.
  */
-#define VALATTR_NEEDNOQNAME		0x0100
-#define VALATTR_NEEDNOWILDCARD		0x0200
-#define VALATTR_NEEDNODATA		0x0400
+#define VALATTR_NEEDNOQNAME		0x00000100
+#define VALATTR_NEEDNOWILDCARD		0x00000200
+#define VALATTR_NEEDNODATA		0x00000400
 
 /*!
  * NSEC proofs that have been found.
  */
-#define VALATTR_FOUNDNOQNAME		0x1000
-#define VALATTR_FOUNDNOWILDCARD		0x2000
-#define VALATTR_FOUNDNODATA		0x4000
+#define VALATTR_FOUNDNOQNAME		0x00001000
+#define VALATTR_FOUNDNOWILDCARD		0x00002000
+#define VALATTR_FOUNDNODATA		0x00004000
+#define VALATTR_FOUNDCLOSEST		0x00008000
+
+/*
+ *
+ */
+#define VALATTR_FOUNDOPTOUT		0x00010000
+#define VALATTR_FOUNDUNKNOWN		0x00020000
 
 #define NEEDNODATA(val) ((val->attributes & VALATTR_NEEDNODATA) != 0)
 #define NEEDNOQNAME(val) ((val->attributes & VALATTR_NEEDNOQNAME) != 0)
@@ -250,10 +257,20 @@ static isc_boolean_t
 isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 	     isc_result_t dbresult)
 {
-	dns_rdataset_t set;
+	dns_fixedname_t fixed;
+	dns_label_t hashlabel;
+	dns_name_t nsec3name;
+	dns_rdata_nsec3_t nsec3;
 	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t set;
+	int order;
+	int scope;
 	isc_boolean_t found;
+	isc_buffer_t buffer;
 	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
 
 	REQUIRE(dbresult == DNS_R_NXRRSET || dbresult == DNS_R_NCACHENXRRSET);
 
@@ -263,6 +280,8 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 	else {
 		result = dns_ncache_getrdataset(rdataset, name,
 						dns_rdatatype_nsec, &set);
+		if (result == ISC_R_NOTFOUND)
+			goto trynsec3;
 		if (result != ISC_R_SUCCESS)
 			return (ISC_FALSE);
 	}
@@ -274,9 +293,78 @@ isdelegation(dns_name_t *name, dns_rdataset_t *rdataset,
 	if (result == ISC_R_SUCCESS) {
 		dns_rdataset_current(&set, &rdata);
 		found = dns_nsec_typepresent(&rdata, dns_rdatatype_ns);
+		dns_rdata_reset(&rdata);
 	}
 	dns_rdataset_disassociate(&set);
 	return (found);
+
+ trynsec3:
+	/*
+	 * Iterate over the ncache entry.
+	 */
+	found = ISC_FALSE;
+	dns_name_init(&nsec3name, NULL);
+	dns_fixedname_init(&fixed);
+	dns_name_downcase(name, dns_fixedname_name(&fixed), NULL);
+	name = dns_fixedname_name(&fixed);
+	result = dns_rdataset_first(rdataset);
+	for (result = dns_rdataset_first(rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(rdataset))
+	{
+		dns_ncache_current(rdataset, &nsec3name, &set);
+		if (set.type != dns_rdatatype_nsec3) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		dns_name_getlabel(&nsec3name, 0, &hashlabel);
+		isc_region_consume(&hashlabel, 1);
+		isc_buffer_init(&buffer, owner, sizeof(owner));
+		result = isc_base32hex_decoderegion(&hashlabel, &buffer);
+		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&set);
+			continue;
+		}
+		for (result = dns_rdataset_first(&set);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&set))
+		{
+			dns_rdata_reset(&rdata);
+			dns_rdataset_current(&set, &rdata);
+			(void)dns_rdata_tostruct(&rdata, &nsec3, NULL);
+			if (nsec3.hash != 1)
+				continue;
+			length = isc_iterated_hash(hash, nsec3.hash,
+						   nsec3.iterations, nsec3.salt,
+						   nsec3.salt_length,
+						   name->ndata, name->length);
+			if (length != isc_buffer_usedlength(&buffer))
+				continue;
+			order = memcmp(hash, owner, length);
+			if (order == 0) {
+				found = dns_nsec3_typepresent(&rdata,
+							      dns_rdatatype_ns);
+				dns_rdataset_disassociate(&set);
+				return (found);
+			}
+			if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) == 0)
+				continue;
+			/*
+			 * Does this optout span cover the name?
+			 */
+			scope = memcmp(owner, nsec3.next, nsec3.next_length);
+			if ((scope < 0 && order > 0 &&
+			     memcmp(hash, nsec3.next, length) < 0) ||
+			    (scope >= 0 && (order > 0 ||
+					memcmp(hash, nsec3.next, length) < 0)))
+			{
+				dns_rdataset_disassociate(&set);
+				return (ISC_TRUE);
+			}
+		}
+		dns_rdataset_disassociate(&set);
+	}
+	return (found);
 }
 
 /*%
@@ -767,10 +855,317 @@ nsecnoexistnodata(dns_validator_t *val, dns_name_t* name, dns_name_t *nsecname,
 	return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+nsec3noexistnodata(dns_validator_t *val, dns_name_t* name,
+		   dns_name_t *nsec3name, dns_rdataset_t *nsec3set,
+		   dns_name_t *zonename, isc_boolean_t *exists,
+		   isc_boolean_t *data, isc_boolean_t *optout,
+		   isc_boolean_t *unknown, isc_boolean_t *setclosest,
+		   isc_boolean_t *setnearest, dns_name_t *closest,
+		   dns_name_t *nearest)
+{
+	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_fixedname_t fzone;
+	dns_fixedname_t qfixed;
+	dns_label_t hashlabel;
+	dns_name_t *qname;
+	dns_name_t *zone;
+	dns_rdata_nsec3_t nsec3;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	int order;
+	int scope;
+	isc_boolean_t atparent;
+	isc_boolean_t first;
+	isc_boolean_t ns;
+	isc_boolean_t soa;
+	isc_buffer_t buffer;
+	isc_result_t answer = ISC_R_IGNORE;
+	isc_result_t result;
+	unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+	unsigned char owner[NSEC3_MAX_HASH_LENGTH];
+	unsigned int length;
+	unsigned int qlabels;
+	unsigned int zlabels;
+
+	REQUIRE((exists == NULL && data == NULL) ||
+		(exists != NULL && data != NULL));
+	REQUIRE(nsec3set != NULL && nsec3set->type == dns_rdatatype_nsec3);
+	REQUIRE((setclosest == NULL && closest == NULL) ||
+		(setclosest != NULL && closest != NULL));
+	REQUIRE((setnearest == NULL && nearest == NULL) ||
+		(setnearest != NULL && nearest != NULL));
+
+	result = dns_rdataset_first(nsec3set);
+	if (result != ISC_R_SUCCESS) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			"failure processing NSEC3 set");
+		return (result);
+	}
+
+	dns_rdataset_current(nsec3set, &rdata);
+
+	result = dns_rdata_tostruct(&rdata, &nsec3, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	validator_log(val, ISC_LOG_DEBUG(3), "looking for relevant NSEC3");
+
+	dns_fixedname_init(&fzone);
+	zone = dns_fixedname_name(&fzone);
+	zlabels = dns_name_countlabels(nsec3name);
+
+	/*
+	 * NSEC3 records must have two or more labels to be valid.
+	 */
+	if (zlabels < 2)
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Strip off the NSEC3 hash to get the zone.
+	 */
+	zlabels--;
+	dns_name_split(nsec3name, zlabels, NULL, zone);
+
+	/*
+	 * If not below the zone name we can ignore this record.
+	 */
+	if (!dns_name_issubdomain(name, zone))
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Is this zone the same or deeper than the current zone?
+	 */
+	if (dns_name_countlabels(zonename) == 0 ||
+	    dns_name_issubdomain(zone, zonename))
+		dns_name_copy(zone, zonename, NULL);
+
+	if (!dns_name_equal(zone, zonename))
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Are we only looking for the most enclosing zone?
+	 */
+	if (exists == NULL || data == NULL)
+		return (ISC_R_SUCCESS);
+
+	/*
+	 * Only set unknown once we are sure that this NSEC3 is from
+	 * the deepest covering zone.
+	 */
+	if (!dns_nsec3_supportedhash(nsec3.hash)) {
+		if (unknown != NULL)
+			*unknown = ISC_TRUE;
+		return (ISC_R_IGNORE);
+	}
+
+	/*
+	 * Recover the hash from the first label.
+	 */
+	dns_name_getlabel(nsec3name, 0, &hashlabel);
+	isc_region_consume(&hashlabel, 1);
+	isc_buffer_init(&buffer, owner, sizeof(owner));
+	result = isc_base32hex_decoderegion(&hashlabel, &buffer);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	/*
+	 * The hash lengths should match.  If not ignore the record.
+	 */
+	if (isc_buffer_usedlength(&buffer) != nsec3.next_length)
+		return (ISC_R_IGNORE);
+
+	/*
+	 * Work out what this NSEC3 covers.
+	 * Inside (<0) or outside (>=0).
+	 */
+	scope = memcmp(owner, nsec3.next, nsec3.next_length);
+
+	/*
+	 * Prepare to compute all the hashes.
+	 */
+	dns_fixedname_init(&qfixed);
+	qname = dns_fixedname_name(&qfixed);
+	dns_name_downcase(name, qname, NULL);
+	qlabels = dns_name_countlabels(qname);
+	first = ISC_TRUE;
+
+	while (qlabels >= zlabels) {
+		length = isc_iterated_hash(hash, nsec3.hash, nsec3.iterations,
+					   nsec3.salt, nsec3.salt_length,
+					   qname->ndata, qname->length);
+		/*
+		 * The computed hash length should match.
+		 */
+		if (length != nsec3.next_length) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "ignoring NSEC bad length %u vs %u",
+				      length, nsec3.next_length);
+			return (ISC_R_IGNORE);
+		}
+
+		order = memcmp(hash, owner, length);
+		if (first && order == 0) {
+			/*
+			 * The hashes are the same.
+			 */
+			atparent = dns_rdatatype_atparent(val->event->type);
+			ns = dns_nsec3_typepresent(&rdata, dns_rdatatype_ns);
+			soa = dns_nsec3_typepresent(&rdata, dns_rdatatype_soa);
+			if (ns && !soa) {
+				if (!atparent) {
+					/*
+					 * This NSEC record is from somewhere
+					 * higher in the DNS, and at the
+					 * parent of a delegation. It can not
+					 * be legitimately used here.
+					 */
+					validator_log(val, ISC_LOG_DEBUG(3),
+						      "ignoring parent NSEC3");
+					return (ISC_R_IGNORE);
+				}
+			} else if (atparent && ns && soa) {
+				/*
+				 * This NSEC record is from the child.
+				 * It can not be legitimately used here.
+				 */
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "ignoring child NSEC3");
+				return (ISC_R_IGNORE);
+			}
+			if (val->event->type == dns_rdatatype_cname ||
+			    val->event->type == dns_rdatatype_nxt ||
+			    val->event->type == dns_rdatatype_nsec ||
+			    val->event->type == dns_rdatatype_key ||
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_cname)) {
+				*exists = ISC_TRUE;
+				*data = dns_nsec3_typepresent(&rdata,
+							      val->event->type);
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "NSEC3 proves name exists (owner) "
+					      "data=%d", *data);
+				return (ISC_R_SUCCESS);
+			}
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "NSEC3 proves CNAME exists");
+			return (ISC_R_IGNORE);
+		}
+
+		if (order == 0 &&
+		    dns_nsec3_typepresent(&rdata, dns_rdatatype_ns) &&
+		    !dns_nsec3_typepresent(&rdata, dns_rdatatype_soa))
+		{
+			/*
+			 * This NSEC3 record is from somewhere higher in
+			 * the DNS, and at the parent of a delegation.
+			 * It can not be legitimately used here.
+			 */
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "ignoring parent NSEC3");
+			return (ISC_R_IGNORE);
+		}
+
+		/*
+		 * Potential closest encloser.
+		 */
+		if (order == 0) {
+			if (closest != NULL &&
+			    (dns_name_countlabels(closest) == 0 ||
+			     dns_name_issubdomain(qname, closest)) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
+			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
+			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
+			{
+
+				dns_name_format(qname, namebuf,
+						sizeof(namebuf));
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "NSEC3 indicates potential "
+					      "closest encloser: '%s'",
+					       namebuf);
+				dns_name_copy(qname, closest, NULL);
+				*setclosest = ISC_TRUE;
+			}
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "NSEC3 at super-domain %s", namebuf);
+			return (answer);
+		}
+
+		/*
+		 * Find if the name does not exist.
+		 *
+		 * We continue as we need to find the name closest to the
+		 * closest encloser that doesn't exist.
+		 *
+		 * We also need to continue to ensure that we are not
+		 * proving the non-existence of a record in a sub-zone.
+		 * If that would be the case we will return ISC_R_IGNORE
+		 * above.
+		 */
+		if ((scope < 0 && order > 0 &&
+		     memcmp(hash, nsec3.next, length) < 0) ||
+		    (scope >= 0 && (order > 0 ||
+				    memcmp(hash, nsec3.next, length) < 0)))
+		{
+			char namebuf[DNS_NAME_FORMATSIZE];
+
+			dns_name_format(qname, namebuf, sizeof(namebuf));
+			validator_log(val, ISC_LOG_DEBUG(3), "NSEC3 proves "
+				      "name does not exist: '%s'", namebuf);
+			if (nearest != NULL &&
+			    (dns_name_countlabels(nearest) == 0 ||
+			     dns_name_issubdomain(nearest, qname))) {
+				dns_name_copy(qname, nearest, NULL);
+				*setnearest = ISC_TRUE;
+			}
+#if 0
+			/*
+			 * The closest encloser may be the zone name.
+			 */
+			if (closest != NULL &&
+			    dns_name_countlabels(closest) == 0 &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_ds) &&
+			    !dns_nsec3_typepresent(&rdata, dns_rdatatype_dname) &&
+			    (dns_nsec3_typepresent(&rdata, dns_rdatatype_soa) ||
+			     !dns_nsec3_typepresent(&rdata, dns_rdatatype_ns)))
+			{
+				char namebuf[DNS_NAME_FORMATSIZE];
+
+				dns_name_format(zone, namebuf,
+						sizeof(namebuf));
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "NSEC3 potential closest "
+					       "encloser from zone name: '%s'",
+					       namebuf);
+				dns_name_copy(zone, closest, NULL);
+				*setclosest = ISC_TRUE;
+			}
+#endif
+			*exists = ISC_FALSE;
+			*data = ISC_FALSE;
+			if (optout != NULL) {
+				if ((nsec3.flags & DNS_NSEC3FLAG_OPTOUT) != 0)
+					validator_log(val, ISC_LOG_DEBUG(3),
+						      "NSEC3 indicates optout");
+				*optout =
+				    ISC_TF(nsec3.flags & DNS_NSEC3FLAG_OPTOUT);
+			}
+			answer = ISC_R_SUCCESS;
+		}
+
+		qlabels--;
+		if (qlabels > 0)
+			dns_name_split(qname, qlabels, NULL, qname);
+		first = ISC_FALSE;
+	}
+	return (answer);
+}
+
 /*%
  * Callback for when NSEC records have been validated.
  *
- * Looks for NOQNAME and NODATA proofs.
+ * Looks for NOQNAME, NODATA and OPTOUT proofs.
  *
  * Resumes nsecvalidate.
  */
@@ -779,6 +1174,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 	dns_validatorevent_t *devent;
 	dns_validator_t *val;
 	dns_rdataset_t *rdataset;
+	dns_rdataset_t *sigrdataset;
 	isc_boolean_t want_destroy;
 	isc_result_t result;
 	isc_boolean_t exists, data;
@@ -788,6 +1184,7 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 
 	devent = (dns_validatorevent_t *)event;
 	rdataset = devent->rdataset;
+	sigrdataset = devent->sigrdataset;
 	val = devent->ev_arg;
 	result = devent->result;
 	dns_validator_destroy(&val->subvalidator);
@@ -834,11 +1231,18 @@ authvalidated(isc_task_t *task, isc_event_t *event) {
 			}
 			if (!exists) {
 				val->attributes |= VALATTR_FOUNDNOQNAME;
+				val->attributes |= VALATTR_FOUNDCLOSEST;
+				/*
+				 * The NSEC noqname proof also contains
+				 * the closest encloser.
+
+				 */
 				if (NEEDNOQNAME(val))
 					proofs[DNS_VALIDATOR_NOQNAMEPROOF] =
 						devent->name;
 			}
 		}
+
 		result = nsecvalidate(val, ISC_TRUE);
 		if (result != DNS_R_WAIT)
 			validator_done(val, result);
@@ -992,13 +1396,25 @@ view_find(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
  * the validation process will stall if looping was to occur.
  */
 static inline isc_boolean_t
-check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type) {
+check_deadlock(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
+	       dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset)
+{
 	dns_validator_t *parent;
 
 	for (parent = val; parent != NULL; parent = parent->parent) {
 		if (parent->event != NULL &&
 		    parent->event->type == type &&
-		    dns_name_equal(parent->event->name, name))
+		    dns_name_equal(parent->event->name, name) &&
+		    /*
+		     * As NSEC3 records are meta data you sometimes
+		     * need to prove a NSEC3 record which says that
+		     * itself doesn't exist.
+		     */
+		    (parent->event->type != dns_rdatatype_nsec3 ||
+		     rdataset == NULL || sigrdataset == NULL ||
+		     parent->event->message == NULL ||
+		     parent->event->rdataset != NULL ||
+		     parent->event->sigrdataset != NULL))
 		{
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "continuing validation would lead to "
@@ -1021,7 +1437,7 @@ create_fetch(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 	if (dns_rdataset_isassociated(&val->fsigrdataset))
 		dns_rdataset_disassociate(&val->fsigrdataset);
 
-	if (check_deadlock(val, name, type))
+	if (check_deadlock(val, name, type, NULL, NULL))
 		return (DNS_R_NOVALIDSIG);
 
 	validator_logcreate(val, name, type, caller, "fetch");
@@ -1044,7 +1460,7 @@ create_validator(dns_validator_t *val, dns_name_t *name, dns_rdatatype_t type,
 {
 	isc_result_t result;
 
-	if (check_deadlock(val, name, type))
+	if (check_deadlock(val, name, type, rdataset, sigrdataset))
 		return (DNS_R_NOVALIDSIG);
 
 	validator_logcreate(val, name, type, caller, "validator");
@@ -1128,7 +1544,7 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 }
 
 /*%
- * Get the key that genertated this signature.
+ * Get the key that generated this signature.
  */
 static isc_result_t
 get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
@@ -1141,7 +1557,7 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 	 * Is the signer name appropriate for this signature?
 	 *
 	 * The signer name must be at the same level as the owner name
-	 * or closer to the the DNS root.
+	 * or closer to the DNS root.
 	 */
 	namereln = dns_name_fullcompare(val->event->name, &siginfo->signer,
 					&order, &nlabels);
@@ -1163,6 +1579,23 @@ get_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo) {
 		 */
 		if (dns_rdatatype_atparent(val->event->rdataset->type))
 			return (DNS_R_CONTINUE);
+	} else {
+		/*
+		 * SOA and NS RRsets can only be signed by a key with
+		 * the same name.
+		 */
+		if (val->event->rdataset->type == dns_rdatatype_soa ||
+		    val->event->rdataset->type == dns_rdatatype_ns) {
+			const char *typename;
+
+			if (val->event->rdataset->type == dns_rdatatype_soa)
+				typename = "SOA";
+			else
+				typename = "NS";
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "%s signer mismatch", typename);
+			return (DNS_R_CONTINUE);
+		}
 	}
 
 	/*
@@ -1620,6 +2053,7 @@ dlv_validatezonekey(dns_validator_t *val) {
 				break;
 		}
 		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&trdataset);
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "no DNSKEY matching DLV");
 			continue;
@@ -1734,6 +2168,10 @@ validatezonekey(dns_validator_t *val) {
 					     &sigrdata);
 			result = dns_rdata_tostruct(&sigrdata, &sig, NULL);
 			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+			if (!dns_name_equal(val->event->name, &sig.signer))
+				continue;
+
 			result = dns_keytable_findkeynode(val->keytable,
 							  val->event->name,
 							  sig.algorithm,
@@ -1957,6 +2395,7 @@ validatezonekey(dns_validator_t *val) {
 				break;
 		}
 		if (result != ISC_R_SUCCESS) {
+			dns_rdataset_disassociate(&trdataset);
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "no DNSKEY matching DS");
 			continue;
@@ -1974,7 +2413,11 @@ validatezonekey(dns_validator_t *val) {
 			if (ds.key_tag != sig.keyid ||
 			    ds.algorithm != sig.algorithm)
 				continue;
-
+			if (!dns_name_equal(val->event->name, &sig.signer)) {
+				validator_log(val, ISC_LOG_DEBUG(3),
+					      "DNSKEY signer mismatch");
+				continue;
+			}
 			dstkey = NULL;
 			result = dns_dnssec_keyfromrdata(val->event->name,
 							 &keyrdata,
@@ -2044,7 +2487,8 @@ start_positive_validation(dns_validator_t *val) {
  * \li	ISC_R_SUCCESS
  */
 static isc_result_t
-checkwildcard(dns_validator_t *val) {
+checkwildcard(dns_validator_t *val, dns_rdatatype_t type, dns_name_t *zonename)
+{
 	dns_name_t *name, *wild;
 	dns_message_t *message = val->event->message;
 	isc_result_t result;
@@ -2052,6 +2496,13 @@ checkwildcard(dns_validator_t *val) {
 	char namebuf[DNS_NAME_FORMATSIZE];
 
 	wild = dns_fixedname_name(&val->wild);
+
+	if (dns_name_countlabels(wild) == 0) {
+		validator_log(val, ISC_LOG_DEBUG(3),
+			      "in checkwildcard: no wildcard to check");
+		return (ISC_R_SUCCESS);
+	}
+
 	dns_name_format(wild, namebuf, sizeof(namebuf));
 	validator_log(val, ISC_LOG_DEBUG(3), "in checkwildcard: %s", namebuf);
 
@@ -2068,9 +2519,8 @@ checkwildcard(dns_validator_t *val) {
 		     rdataset != NULL;
 		     rdataset = ISC_LIST_NEXT(rdataset, link))
 		{
-			if (rdataset->type != dns_rdatatype_nsec)
+			if (rdataset->type != type)
 				continue;
-			val->nsecset = rdataset;
 
 			for (sigrdataset = ISC_LIST_HEAD(name->list);
 			     sigrdataset != NULL;
@@ -2086,7 +2536,8 @@ checkwildcard(dns_validator_t *val) {
 			if (rdataset->trust != dns_trust_secure)
 				continue;
 
-			if (((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+			if (rdataset->type == dns_rdatatype_nsec &&
+			    ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
 			     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
 			    (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
 			    (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
@@ -2108,6 +2559,31 @@ checkwildcard(dns_validator_t *val) {
 							 name;
 				return (ISC_R_SUCCESS);
 			}
+
+			if (rdataset->type == dns_rdatatype_nsec3 &&
+			    ((val->attributes & VALATTR_NEEDNODATA) != 0 ||
+			     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0) &&
+			    (val->attributes & VALATTR_FOUNDNODATA) == 0 &&
+			    (val->attributes & VALATTR_FOUNDNOWILDCARD) == 0 &&
+			    nsec3noexistnodata(val, wild, name, rdataset,
+					       zonename, &exists, &data,
+					       NULL, NULL, NULL, NULL, NULL,
+					       NULL) == ISC_R_SUCCESS)
+			{
+				dns_name_t **proofs = val->event->proofs;
+				if (exists && !data)
+					val->attributes |= VALATTR_FOUNDNODATA;
+				if (exists && !data && NEEDNODATA(val))
+					proofs[DNS_VALIDATOR_NODATAPROOF] =
+							 name;
+				if (!exists)
+					val->attributes |=
+						 VALATTR_FOUNDNOWILDCARD;
+				if (!exists && NEEDNOQNAME(val))
+					proofs[DNS_VALIDATOR_NOWILDCARDPROOF] =
+							 name;
+				return (ISC_R_SUCCESS);
+			}
 		}
 	}
 	if (result == ISC_R_NOMORE)
@@ -2115,6 +2591,170 @@ checkwildcard(dns_validator_t *val) {
 	return (result);
 }
 
+
+static isc_result_t
+findnsec3proofs(dns_validator_t *val) {
+	dns_name_t *name;
+	dns_message_t *message = val->event->message;
+	isc_result_t result;
+	isc_boolean_t exists, data, optout, unknown;
+	isc_boolean_t setclosest, setnearest;
+	dns_fixedname_t fclosest, fnearest, fzonename;
+	dns_name_t *closest, *nearest, *zonename;
+	dns_name_t **proofs = val->event->proofs;
+
+	dns_fixedname_init(&fclosest);
+	dns_fixedname_init(&fnearest);
+	dns_fixedname_init(&fzonename);
+	closest = dns_fixedname_name(&fclosest);
+	nearest = dns_fixedname_name(&fnearest);
+	zonename = dns_fixedname_name(&fzonename);
+
+	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type != dns_rdatatype_nsec3)
+				continue;
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+			{
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
+				    sigrdataset->covers == dns_rdatatype_nsec3)
+					break;
+			}
+			if (sigrdataset == NULL)
+				continue;
+
+			if (rdataset->trust != dns_trust_secure)
+				continue;
+
+			result = nsec3noexistnodata(val, val->event->name,
+						    name, rdataset,
+						    zonename, NULL, NULL, NULL,
+						    NULL, NULL, NULL, NULL,
+						    NULL);
+			if (result != ISC_R_IGNORE && result != ISC_R_SUCCESS)
+				return (result);
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	if (dns_name_countlabels(zonename) == 0)
+		return (ISC_R_SUCCESS);
+
+	for (result = dns_message_firstname(message, DNS_SECTION_AUTHORITY);
+	     result == ISC_R_SUCCESS;
+	     result = dns_message_nextname(message, DNS_SECTION_AUTHORITY))
+	{
+		dns_rdataset_t *rdataset = NULL, *sigrdataset = NULL;
+
+		name = NULL;
+		dns_message_currentname(message, DNS_SECTION_AUTHORITY, &name);
+
+		for (rdataset = ISC_LIST_HEAD(name->list);
+		     rdataset != NULL;
+		     rdataset = ISC_LIST_NEXT(rdataset, link))
+		{
+			if (rdataset->type != dns_rdatatype_nsec3)
+				continue;
+
+			for (sigrdataset = ISC_LIST_HEAD(name->list);
+			     sigrdataset != NULL;
+			     sigrdataset = ISC_LIST_NEXT(sigrdataset, link))
+			{
+				if (sigrdataset->type == dns_rdatatype_rrsig &&
+				    sigrdataset->covers == dns_rdatatype_nsec3)
+					break;
+			}
+			if (sigrdataset == NULL)
+				continue;
+
+			if (rdataset->trust != dns_trust_secure)
+				continue;
+
+			/*
+			 * We process all NSEC3 records to find the closest
+			 * encloser and nearest name to the closest encloser.
+			 */
+			setclosest = setnearest = ISC_FALSE;
+			optout = ISC_FALSE;
+			unknown = ISC_FALSE;
+			result = nsec3noexistnodata(val, val->event->name,
+						    name, rdataset,
+						    zonename, &exists,
+						    &data, &optout, &unknown,
+						    &setclosest, &setnearest,
+						    closest, nearest);
+			if (setclosest)
+				proofs[DNS_VALIDATOR_CLOSESTENCLOSER] = name;
+			if (unknown)
+				val->attributes |= VALATTR_FOUNDUNKNOWN;
+			if (result != ISC_R_SUCCESS)
+				continue;
+			if (exists && !data && NEEDNODATA(val)) {
+				val->attributes |= VALATTR_FOUNDNODATA;
+				proofs[DNS_VALIDATOR_NODATAPROOF] = name;
+			}
+			if (!exists && setnearest) {
+				val->attributes |= VALATTR_FOUNDNOQNAME;
+				proofs[DNS_VALIDATOR_NOQNAMEPROOF] = name;
+				if (optout)
+					val->attributes |= VALATTR_FOUNDOPTOUT;
+			}
+		}
+	}
+	if (result != ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	/*
+	 * To know we have a valid noqname and optout proofs we need to also
+	 * have a valid closest encloser.  Otherwise we could still be looking
+	 * at proofs from the parent zone.
+	 */
+	if (dns_name_countlabels(closest) > 0 &&
+	    dns_name_countlabels(nearest) ==
+	    dns_name_countlabels(closest) + 1 &&
+	    dns_name_issubdomain(nearest, closest))
+	{
+		val->attributes |= VALATTR_FOUNDCLOSEST;
+		result = dns_name_concatenate(dns_wildcardname, closest,
+					      dns_fixedname_name(&val->wild),
+					      NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	} else {
+		val->attributes &= ~VALATTR_FOUNDNOQNAME;
+		val->attributes &= ~VALATTR_FOUNDOPTOUT;
+		proofs[DNS_VALIDATOR_NOQNAMEPROOF] = NULL;
+	}
+
+	/*
+	 * Do we need to check for the wildcard?
+	 */
+	if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+	    (val->attributes & VALATTR_FOUNDCLOSEST) != 0 &&
+	    (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
+	      (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
+	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
+		result = checkwildcard(val, dns_rdatatype_nsec3, zonename);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+	return (result);
+}
+
 /*%
  * Prove a negative answer is good or that there is a NOQNAME when the
  * answer is from a wildcard.
@@ -2220,7 +2860,10 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 	if ((val->attributes & VALATTR_NEEDNODATA) == 0 &&
 	    (val->attributes & VALATTR_NEEDNOWILDCARD) == 0 &&
 	    (val->attributes & VALATTR_NEEDNOQNAME) != 0) {
-		if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0) {
+		if ((val->attributes & VALATTR_FOUNDNOQNAME) == 0)
+			findnsec3proofs(val);
+		if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+		    (val->attributes & VALATTR_FOUNDCLOSEST) != 0) {
 			validator_log(val, ISC_LOG_DEBUG(3),
 				      "noqname proof found");
 			validator_log(val, ISC_LOG_DEBUG(3),
@@ -2228,34 +2871,57 @@ nsecvalidate(dns_validator_t *val, isc_boolean_t resume) {
 			val->event->rdataset->trust = dns_trust_secure;
 			val->event->sigrdataset->trust = dns_trust_secure;
 			return (ISC_R_SUCCESS);
+		} else if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0 &&
+			   dns_name_countlabels(dns_fixedname_name(&val->wild))
+					 != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "optout proof found");
+			val->event->optout = ISC_TRUE;
+			markanswer(val);
+			return (ISC_R_SUCCESS);
+		} else if ((val->attributes & VALATTR_FOUNDUNKNOWN) != 0) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "unknown NSEC3 hash algorithm found");
+			markanswer(val);
+			return (ISC_R_SUCCESS);
 		}
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "noqname proof not found");
 		return (DNS_R_NOVALIDNSEC);
 	}
 
+	if ((val->attributes & VALATTR_FOUNDNOQNAME) == 0 &&
+	    (val->attributes & VALATTR_FOUNDNODATA) == 0)
+		findnsec3proofs(val);
+
 	/*
 	 * Do we need to check for the wildcard?
 	 */
 	if ((val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
+	    (val->attributes & VALATTR_FOUNDCLOSEST) != 0 &&
 	    (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
 	      (val->attributes & VALATTR_FOUNDNODATA) == 0) ||
 	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0)) {
-		result = checkwildcard(val);
+		result = checkwildcard(val, dns_rdatatype_nsec, NULL);
 		if (result != ISC_R_SUCCESS)
 			return (result);
 	}
 
 	if (((val->attributes & VALATTR_NEEDNODATA) != 0 &&
-	     (val->attributes & VALATTR_FOUNDNODATA) != 0) ||
+	     ((val->attributes & VALATTR_FOUNDNODATA) != 0 ||
+	      (val->attributes & VALATTR_FOUNDOPTOUT) != 0)) ||
 	    ((val->attributes & VALATTR_NEEDNOQNAME) != 0 &&
 	     (val->attributes & VALATTR_FOUNDNOQNAME) != 0 &&
 	     (val->attributes & VALATTR_NEEDNOWILDCARD) != 0 &&
-	     (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0)) {
+	     (val->attributes & VALATTR_FOUNDNOWILDCARD) != 0 &&
+	     (val->attributes & VALATTR_FOUNDCLOSEST) != 0)) {
+		if ((val->attributes & VALATTR_FOUNDOPTOUT) != 0)
+			val->event->optout = ISC_TRUE;
 		validator_log(val, ISC_LOG_DEBUG(3),
 			      "nonexistence proof(s) found");
 		return (ISC_R_SUCCESS);
 	}
+		findnsec3proofs(val);
 
 	validator_log(val, ISC_LOG_DEBUG(3),
 		      "nonexistence proof(s) not found");
@@ -2380,7 +3046,7 @@ dlvfetched(isc_task_t *task, isc_event_t *event) {
 }
 
 /*%
- * Start the DLV lookup proccess.
+ * Start the DLV lookup process.
  *
  * Returns
  * \li	ISC_R_SUCCESS
@@ -2424,7 +3090,7 @@ startfinddlvsep(dns_validator_t *val, dns_name_t *unsecure) {
 		validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found", namebuf);
 		dlv_validator_start(val);
 		return (DNS_R_WAIT);
-	} 
+	}
 	validator_log(val, ISC_LOG_DEBUG(3), "DLV %s found with no supported "
 		      "algorithms", namebuf);
 	markanswer(val);
@@ -2566,9 +3232,13 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 	dns_name_t *secroot;
 	dns_name_t *tname;
 	char namebuf[DNS_NAME_FORMATSIZE];
+	dns_name_t *found;
+	dns_fixedname_t fixedfound;
 
 	dns_fixedname_init(&fixedsecroot);
 	secroot = dns_fixedname_name(&fixedsecroot);
+	dns_fixedname_init(&fixedfound);
+	found = dns_fixedname_name(&fixedfound);
 	if (val->havedlvsep)
 		dns_name_copy(dns_fixedname_name(&val->dlvsep), secroot, NULL);
 	else {
@@ -2676,6 +3346,28 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 					goto out;
 				return (DNS_R_WAIT);
 			}
+			/*
+			 * Zones using NSEC3 don't return a NSEC RRset so
+			 * we need to use dns_view_findzonecut2 to find
+			 * the zone cut.
+			 */
+			if (result == DNS_R_NXRRSET &&
+			    !dns_rdataset_isassociated(&val->frdataset) &&
+			    dns_view_findzonecut2(val->view, tname, found,
+						  0, 0, ISC_FALSE, ISC_FALSE,
+						  NULL, NULL) == ISC_R_SUCCESS &&
+			    dns_name_equal(tname, found)) {
+				if (val->mustbesecure) {
+					validator_log(val, ISC_LOG_WARNING,
+						      "must be secure failure");
+					return (DNS_R_MUSTBESECURE);
+				}
+				if (val->view->dlv == NULL || DLVTRIED(val)) {
+					markanswer(val);
+					return (ISC_R_SUCCESS);
+				}
+				return (startfinddlvsep(val, tname));
+			}
 			if (val->frdataset.trust < dns_trust_secure) {
 				/*
 				 * This shouldn't happen, since the negative
@@ -2775,6 +3467,15 @@ proveunsecure(dns_validator_t *val, isc_boolean_t have_ds, isc_boolean_t resume)
 			return (DNS_R_WAIT);
 		}
 	}
+
+/*
+	if ((val->attributes & VALATTR_NEEDOPTOUT) == 0 &&
+	    val->event->message != NULL) {
+		val->attributes |= VALATTR_NEEDOPTOUT;
+		return (nsecvalidate(val, ISC_FALSE));
+	}
+*/
+
 	validator_log(val, ISC_LOG_DEBUG(3), "insecurity proof failed");
 	return (DNS_R_NOTINSECURE); /* Couldn't complete insecurity proof */
 
@@ -2808,7 +3509,7 @@ dlv_validator_start(dns_validator_t *val) {
 /*%
  * Start the validation process.
  *
- * Attempt to valididate the answer based on the category it appears to
+ * Attempt to validate the answer based on the category it appears to
  * fall in.
  * \li	1. secure positive answer.
  * \li	2. unsecure positive answer.
@@ -2829,7 +3530,7 @@ validator_start(isc_task_t *task, isc_event_t *event) {
 	vevent = (dns_validatorevent_t *)event;
 	val = vevent->validator;
 
-	/* If the validator has been cancelled, val->event == NULL */
+	/* If the validator has been canceled, val->event == NULL */
 	if (val->event == NULL)
 		return;
 
@@ -2955,6 +3656,7 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	event->sigrdataset = sigrdataset;
 	event->message = message;
 	memset(event->proofs, 0, sizeof(event->proofs));
+	event->optout = ISC_FALSE;
 	result = isc_mutex_init(&val->lock);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_event;
@@ -2984,6 +3686,8 @@ dns_validator_create(dns_view_t *view, dns_name_t *name, dns_rdatatype_t type,
 	dns_rdataset_init(&val->frdataset);
 	dns_rdataset_init(&val->fsigrdataset);
 	dns_fixedname_init(&val->wild);
+	dns_fixedname_init(&val->nearest);
+	dns_fixedname_init(&val->closest);
 	ISC_LINK_INIT(val, link);
 	val->magic = VALIDATOR_MAGIC;
 
diff --git a/lib/dns/version.c b/lib/dns/version.c
index 1c03774..fbc8889 100644
--- a/lib/dns/version.c
+++ b/lib/dns/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:07 marka Exp $ */
+/* $Id: version.c,v 1.15 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 4851cf0..5f1447a 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,15 +15,16 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.126.18.16 2008/06/17 23:46:03 tbox Exp $ */
+/* $Id: view.c,v 1.150.84.2 2009/01/29 23:47:44 tbox Exp $ */
 
 /*! \file */
 
 #include <config.h>
 
 #include <isc/hash.h>
-#include <isc/task.h>
+#include <isc/stats.h>
 #include <isc/string.h>		/* Required for HP/UX (and others?) */
+#include <isc/task.h>
 #include <isc/util.h>
 
 #include <dns/acache.h>
@@ -43,6 +44,7 @@
 #include <dns/request.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
+#include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/zone.h>
 #include <dns/zt.h>
@@ -151,6 +153,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->delonly = NULL;
 	view->rootdelonly = ISC_FALSE;
 	view->rootexclude = NULL;
+	view->resstats = NULL;
+	view->resquerystats = NULL;
 
 	/*
 	 * Initialize configuration data with default values.
@@ -165,8 +169,14 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->minimalresponses = ISC_FALSE;
 	view->transfer_format = dns_one_answer;
 	view->queryacl = NULL;
+	view->queryonacl = NULL;
 	view->recursionacl = NULL;
+	view->recursiononacl = NULL;
 	view->sortlist = NULL;
+	view->transferacl = NULL;
+	view->notifyacl = NULL;
+	view->updateacl = NULL;
+	view->upfwdacl = NULL;
 	view->requestixfr = ISC_TRUE;
 	view->provideixfr = ISC_TRUE;
 	view->maxcachettl = 7 * 24 * 3600;
@@ -286,10 +296,22 @@ destroy(dns_view_t *view) {
 		dns_acl_detach(&view->matchdestinations);
 	if (view->queryacl != NULL)
 		dns_acl_detach(&view->queryacl);
+	if (view->queryonacl != NULL)
+		dns_acl_detach(&view->queryonacl);
 	if (view->recursionacl != NULL)
 		dns_acl_detach(&view->recursionacl);
+	if (view->recursiononacl != NULL)
+		dns_acl_detach(&view->recursiononacl);
 	if (view->sortlist != NULL)
 		dns_acl_detach(&view->sortlist);
+	if (view->transferacl != NULL)
+		dns_acl_detach(&view->transferacl);
+	if (view->notifyacl != NULL)
+		dns_acl_detach(&view->notifyacl);
+	if (view->updateacl != NULL)
+		dns_acl_detach(&view->updateacl);
+	if (view->upfwdacl != NULL)
+		dns_acl_detach(&view->upfwdacl);
 	if (view->delonly != NULL) {
 		dns_name_t *name;
 		int i;
@@ -325,6 +347,10 @@ destroy(dns_view_t *view) {
 			    sizeof(dns_namelist_t) * DNS_VIEW_DELONLYHASH);
 		view->rootexclude = NULL;
 	}
+	if (view->resstats != NULL)
+		isc_stats_detach(&view->resstats);
+	if (view->resquerystats != NULL)
+		dns_stats_detach(&view->resquerystats);
 	dns_keytable_detach(&view->trustedkeys);
 	dns_keytable_detach(&view->secroots);
 	dns_fwdtable_destroy(&view->fwdtable);
@@ -571,6 +597,7 @@ dns_view_createresolver(dns_view_t *view,
 	}
 
 	result = dns_adb_create(mctx, view, timermgr, taskmgr, &view->adb);
+	isc_mem_setname(mctx, "ADB", NULL);
 	isc_mem_detach(&mctx);
 	if (result != ISC_R_SUCCESS) {
 		dns_resolver_shutdown(view->resolver);
@@ -1129,6 +1156,55 @@ dns_viewlist_find(dns_viewlist_t *list, const char *name,
 }
 
 isc_result_t
+dns_viewlist_findzone(dns_viewlist_t *list, dns_name_t *name,
+		      isc_boolean_t allclasses, dns_rdataclass_t rdclass,
+		      dns_zone_t **zonep)
+{
+	dns_view_t *view;
+	isc_result_t result;
+	dns_zone_t *zone1 = NULL, *zone2 = NULL;
+	dns_zone_t **zp = NULL;;
+
+	REQUIRE(list != NULL);
+	for (view = ISC_LIST_HEAD(*list);
+	     view != NULL;
+	     view = ISC_LIST_NEXT(view, link)) {
+		if (allclasses == ISC_FALSE && view->rdclass != rdclass)
+			continue;
+
+		/*
+		 * If the zone is defined in more than one view,
+		 * treat it as not found.
+		 */
+		zp = (zone1 == NULL) ? &zone1 : &zone2;
+		result = dns_zt_find(view->zonetable, name, 0, NULL, zp);
+		INSIST(result == ISC_R_SUCCESS ||
+		       result == ISC_R_NOTFOUND ||
+		       result == DNS_R_PARTIALMATCH);
+
+		/* Treat a partial match as no match */
+		if (result == DNS_R_PARTIALMATCH) {
+			dns_zone_detach(zp);
+			result = ISC_R_NOTFOUND;
+		}
+
+		if (zone2 != NULL) {
+			dns_zone_detach(&zone1);
+			dns_zone_detach(&zone2);
+			return (ISC_R_NOTFOUND);
+		}
+	}
+
+	if (zone1 != NULL) {
+		dns_zone_attach(zone1, zonep);
+		dns_zone_detach(&zone1);
+		return (ISC_R_SUCCESS);
+	}
+
+	return (ISC_R_NOTFOUND);
+}
+
+isc_result_t
 dns_view_load(dns_view_t *view, isc_boolean_t stop) {
 
 	REQUIRE(DNS_VIEW_VALID(view));
@@ -1354,3 +1430,39 @@ dns_view_freezezones(dns_view_t *view, isc_boolean_t value) {
 	REQUIRE(DNS_VIEW_VALID(view));
 	return (dns_zt_freezezones(view->zonetable, value));
 }
+
+void
+dns_view_setresstats(dns_view_t *view, isc_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resstats == NULL);
+
+	isc_stats_attach(stats, &view->resstats);
+}
+
+void
+dns_view_getresstats(dns_view_t *view, isc_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resstats != NULL)
+		isc_stats_attach(view->resstats, statsp);
+}
+
+void
+dns_view_setresquerystats(dns_view_t *view, dns_stats_t *stats) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(!view->frozen);
+	REQUIRE(view->resquerystats == NULL);
+
+	dns_stats_attach(stats, &view->resquerystats);
+}
+
+void
+dns_view_getresquerystats(dns_view_t *view, dns_stats_t **statsp) {
+	REQUIRE(DNS_VIEW_VALID(view));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	if (view->resquerystats != NULL)
+		dns_stats_attach(view->resquerystats, statsp);
+}
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 7171a37..4e3d2c3 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.135.18.23 2008/09/25 04:15:52 marka Exp $ */
+/* $Id: xfrin.c,v 1.166 2008/09/25 04:12:39 marka Exp $ */
 
 /*! \file */
 
@@ -142,6 +142,11 @@ struct dns_xfrin_ctx {
 	isc_boolean_t 		is_ixfr;
 
 	unsigned int		nmsg;		/*%< Number of messages recvd */
+	unsigned int		nrecs;		/*%< Number of records recvd */
+	isc_uint64_t		nbytes;		/*%< Number of bytes received */
+
+	isc_time_t		start;		/*%< Start time of the transfer */
+	isc_time_t		end;		/*%< End time of the transfer */
 
 	dns_tsigkey_t		*tsigkey;	/*%< Key used to create TSIG */
 	isc_buffer_t		*lasttsig;	/*%< The last TSIG */
@@ -426,6 +431,8 @@ xfr_rr(dns_xfrin_ctx_t *xfr, dns_name_t *name, isc_uint32_t ttl,
 {
 	isc_result_t result;
 
+	xfr->nrecs++;
+
 	if (rdata->type == dns_rdatatype_none ||
 	    dns_rdatatype_ismeta(rdata->type))
 		FAIL(DNS_R_FORMERR);
@@ -804,6 +811,9 @@ xfrin_create(isc_mem_t *mctx,
 	/* end_serial */
 
 	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	isc_time_now(&xfr->start);
 
 	xfr->tsigkey = NULL;
 	if (tsigkey != NULL)
@@ -865,6 +875,7 @@ xfrin_start(dns_xfrin_ctx_t *xfr) {
 				isc_sockaddr_pf(&xfr->sourceaddr),
 				isc_sockettype_tcp,
 				&xfr->socket));
+	isc_socket_setname(xfr->socket, "xfrin", NULL);
 #ifndef BROKEN_TCP_BIND_BEFORE_CONNECT
 	CHECK(isc_socket_bind(xfr->socket, &xfr->sourceaddr,
 			      ISC_SOCKET_REUSEADDRESS));
@@ -908,8 +919,7 @@ static void
 xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 	isc_socket_connev_t *cev = (isc_socket_connev_t *) event;
 	dns_xfrin_ctx_t *xfr = (dns_xfrin_ctx_t *) event->ev_arg;
-	isc_result_t evresult = cev->result;
-	isc_result_t result;
+	isc_result_t result = cev->result;
 	char sourcetext[ISC_SOCKADDR_FORMATSIZE];
 	isc_sockaddr_t sockaddr;
 
@@ -926,7 +936,18 @@ xfrin_connect_done(isc_task_t *task, isc_event_t *event) {
 		return;
 	}
 
-	CHECK(evresult);
+	if (result != ISC_R_SUCCESS) {
+		dns_zonemgr_t * zmgr = dns_zone_getmgr(xfr->zone);
+		isc_time_t now;
+
+		if (zmgr != NULL) {
+			TIME_NOW(&now);
+			dns_zonemgr_unreachableadd(zmgr, &xfr->masteraddr,
+						   &xfr->sourceaddr, &now);
+		}
+		goto failure;
+	}
+
 	result = isc_socket_getsockname(xfr->socket, &sockaddr);
 	if (result == ISC_R_SUCCESS) {
 		isc_sockaddr_format(&sockaddr, sourcetext, sizeof(sourcetext));
@@ -1054,6 +1075,9 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 	xfr->checkid = ISC_TRUE;
 	xfr->id++;
 	xfr->nmsg = 0;
+	xfr->nrecs = 0;
+	xfr->nbytes = 0;
+	isc_time_now(&xfr->start);
 	msg->id = xfr->id;
 	if (xfr->tsigctx != NULL)
 		dst_context_destroy(&xfr->tsigctx);
@@ -1308,6 +1332,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 	xfr->nmsg++;
 
 	/*
+	 * Update the number of bytes received.
+	 */
+	xfr->nbytes += tcpmsg->buffer.used;
+
+	/*
 	 * Take the context back.
 	 */
 	INSIST(xfr->tsigctx == NULL);
@@ -1373,6 +1402,9 @@ xfrin_timeout(isc_task_t *task, isc_event_t *event) {
 
 static void
 maybe_free(dns_xfrin_ctx_t *xfr) {
+	isc_uint64_t msecs;
+	isc_uint64_t persec;
+
 	REQUIRE(VALID_XFRIN(xfr));
 
 	if (! xfr->shuttingdown || xfr->refcount != 0 ||
@@ -1380,7 +1412,22 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
 	    xfr->recvs != 0)
 		return;
 
-	xfrin_log(xfr, ISC_LOG_INFO, "end of transfer");
+	/*
+	 * Calculate the length of time the transfer took,
+	 * and print a log message with the bytes and rate.
+	 */
+	isc_time_now(&xfr->end);
+	msecs = isc_time_microdiff(&xfr->end, &xfr->start) / 1000;
+	if (msecs == 0)
+		msecs = 1;
+	persec = (xfr->nbytes * 1000) / msecs;
+	xfrin_log(xfr, ISC_LOG_INFO,
+		  "Transfer completed: %d messages, %d records, "
+		  "%" ISC_PRINT_QUADFORMAT "u bytes, "
+		  "%u.%03u secs (%u bytes/sec)",
+		  xfr->nmsg, xfr->nrecs, xfr->nbytes,
+		  (unsigned int) (msecs / 1000), (unsigned int) (msecs % 1000),
+		  (unsigned int) persec);
 
 	if (xfr->socket != NULL)
 		isc_socket_detach(&xfr->socket);
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 36f303c..423b005 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,11 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.410.18.55 2008/10/24 01:43:17 tbox Exp $ */
+/* $Id: zone.c,v 1.483.36.6 2009/03/26 22:57:07 marka Exp $ */
 
 /*! \file */
 
 #include <config.h>
+#include <errno.h>
 
 #include <isc/file.h>
 #include <isc/mutex.h>
@@ -29,6 +30,9 @@
 #include <isc/refcount.h>
 #include <isc/rwlock.h>
 #include <isc/serial.h>
+#include <isc/strerror.h>
+#include <isc/stats.h>
+#include <isc/stdtime.h>
 #include <isc/string.h>
 #include <isc/taskpool.h>
 #include <isc/timer.h>
@@ -40,29 +44,37 @@
 #include <dns/callbacks.h>
 #include <dns/db.h>
 #include <dns/dbiterator.h>
+#include <dns/dnssec.h>
 #include <dns/events.h>
 #include <dns/journal.h>
+#include <dns/keyvalues.h>
 #include <dns/log.h>
 #include <dns/master.h>
 #include <dns/masterdump.h>
 #include <dns/message.h>
 #include <dns/name.h>
+#include <dns/nsec.h>
+#include <dns/nsec3.h>
 #include <dns/peer.h>
 #include <dns/rcode.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatalist.h>
 #include <dns/rdataset.h>
+#include <dns/rdatasetiter.h>
 #include <dns/rdatastruct.h>
 #include <dns/rdatatype.h>
 #include <dns/request.h>
 #include <dns/resolver.h>
 #include <dns/result.h>
-#include <dns/stats.h>
+#include <dns/soa.h>
 #include <dns/ssu.h>
+#include <dns/stats.h>
 #include <dns/tsig.h>
 #include <dns/xfrin.h>
 #include <dns/zone.h>
 
+#include <dst/dst.h>
+
 #define ZONE_MAGIC			ISC_MAGIC('Z', 'O', 'N', 'E')
 #define DNS_ZONE_VALID(zone)		ISC_MAGIC_VALID(zone, ZONE_MAGIC)
 
@@ -90,6 +102,8 @@
 #define RANGE(a, min, max) \
 		(((a) < (min)) ? (min) : ((a) < (max) ? (a) : (max)))
 
+#define NSEC3REMOVE(x) (((x) & DNS_NSEC3FLAG_REMOVE) != 0)
+
 /*
  * Default values.
  */
@@ -111,6 +125,10 @@ typedef struct dns_load dns_load_t;
 typedef struct dns_forward dns_forward_t;
 typedef struct dns_io dns_io_t;
 typedef ISC_LIST(dns_io_t) dns_iolist_t;
+typedef struct dns_signing dns_signing_t;
+typedef ISC_LIST(dns_signing_t) dns_signinglist_t;
+typedef struct dns_nsec3chain dns_nsec3chain_t;
+typedef ISC_LIST(dns_nsec3chain_t) dns_nsec3chainlist_t;
 
 #define DNS_ZONE_CHECKLOCK
 #ifdef DNS_ZONE_CHECKLOCK
@@ -178,11 +196,16 @@ struct dns_zone {
 	isc_time_t		dumptime;
 	isc_time_t		loadtime;
 	isc_time_t		notifytime;
+	isc_time_t		resigntime;
+	isc_time_t		keywarntime;
+	isc_time_t		signingtime;
+	isc_time_t		nsec3chaintime;
 	isc_uint32_t		serial;
 	isc_uint32_t		refresh;
 	isc_uint32_t		retry;
 	isc_uint32_t		expire;
 	isc_uint32_t		minimum;
+	isc_stdtime_t		key_expiry;
 	char			*keydirectory;
 
 	isc_uint32_t		maxrefresh;
@@ -215,6 +238,7 @@ struct dns_zone {
 	dns_acl_t		*forward_acl;
 	dns_acl_t		*notify_acl;
 	dns_acl_t		*query_acl;
+	dns_acl_t		*queryon_acl;
 	dns_acl_t		*xfr_acl;
 	isc_boolean_t		update_disabled;
 	isc_boolean_t		zero_no_soa_ttl;
@@ -232,6 +256,7 @@ struct dns_zone {
 	isc_event_t		ctlevent;
 	dns_ssutable_t		*ssutable;
 	isc_uint32_t		sigvalidityinterval;
+	isc_uint32_t		sigresigninginterval;
 	dns_view_t		*view;
 	dns_acache_t		*acache;
 	dns_checkmxfunc_t	checkmx;
@@ -247,17 +272,39 @@ struct dns_zone {
 	ISC_LINK(dns_zone_t)	statelink;
 	dns_zonelist_t		*statelist;
 	/*%
-	 * Optional per-zone statistics counters (NULL if not present).
+	 * Statistics counters about zone management.
 	 */
-	isc_uint64_t	    	*counters;
+	isc_stats_t	    	*stats;
+	/*%
+	 * Optional per-zone statistics counters.  Counted outside of this
+	 * module.
+	 */
+	isc_boolean_t	    	requeststats_on;
+	isc_stats_t	    	*requeststats;
 	isc_uint32_t		notifydelay;
 	dns_isselffunc_t	isself;
 	void			*isselfarg;
 
+	char *			strnamerd;
+	char *			strname;
+	char *			strrdclass;
+	char *			strviewname;
+
 	/*%
 	 * Serial number for deferred journal compaction.
 	 */
 	isc_uint32_t		compact_serial;
+	/*%
+	 * Keys that are signing the zone for the first time.
+	 */
+	dns_signinglist_t	signing;
+	dns_nsec3chainlist_t	nsec3chain;
+	/*%
+	 * Signing / re-signing quantum stopping parameters.
+	 */
+	isc_uint32_t		signatures;
+	isc_uint32_t		nodes;
+	dns_rdatatype_t		privatetype;
 };
 
 #define DNS_ZONE_FLAG(z,f) (ISC_TF(((z)->flags & (f)) != 0))
@@ -287,7 +334,7 @@ struct dns_zone {
 						 * reload */
 #define DNS_ZONEFLG_NOMASTERS	0x00001000U	/*%< an attempt to refresh a
 						 * zone with no masters
-						 * occured */
+						 * occurred */
 #define DNS_ZONEFLG_LOADING	0x00002000U	/*%< load from disk in progress*/
 #define DNS_ZONEFLG_HAVETIMERS	0x00004000U	/*%< timer values have been set
 						 * from SOA (if not set, we
@@ -310,6 +357,21 @@ struct dns_zone {
 /* Flags for zone_load() */
 #define DNS_ZONELOADFLAG_NOSTAT	0x00000001U	/* Do not stat() master files */
 
+#define UNREACH_CHACHE_SIZE	10U
+#define UNREACH_HOLD_TIME	600	/* 10 minutes */
+
+#define CHECK(op) \
+	do { result = (op); \
+		if (result != ISC_R_SUCCESS) goto failure; \
+	} while (0)
+
+struct dns_unreachable {
+	isc_sockaddr_t	remote;
+	isc_sockaddr_t	local;
+	isc_uint32_t	expire;
+	isc_uint32_t	last;
+};
+
 struct dns_zonemgr {
 	unsigned int		magic;
 	isc_mem_t *		mctx;
@@ -338,6 +400,10 @@ struct dns_zonemgr {
 	isc_uint32_t		ioactive;
 	dns_iolist_t		high;
 	dns_iolist_t		low;
+
+	/* Locked by rwlock. */
+	/* LRU cache */
+	struct dns_unreachable	unreachable[UNREACH_CHACHE_SIZE];
 };
 
 /*%
@@ -410,6 +476,56 @@ struct dns_io {
 	isc_event_t	*event;
 };
 
+/*%
+ *	Hold state for when we are signing a zone with a new
+ *	DNSKEY as result of an update.
+ */
+struct dns_signing {
+	unsigned int    	magic;
+	dns_db_t		*db;
+	dns_dbiterator_t	*dbiterator;
+	dns_secalg_t		algorithm;
+	isc_uint16_t		keyid;
+	isc_boolean_t		delete;
+	isc_boolean_t		done;
+	ISC_LINK(dns_signing_t)	link;
+};
+
+struct dns_nsec3chain {
+	unsigned int            	magic;
+	dns_db_t			*db;
+	dns_dbiterator_t		*dbiterator;
+	dns_rdata_nsec3param_t		nsec3param;
+	unsigned char			salt[255];
+	isc_boolean_t			done;
+	isc_boolean_t 			seen_nsec;
+	isc_boolean_t 			delete_nsec;
+	isc_boolean_t 			save_delete_nsec;
+	ISC_LINK(dns_nsec3chain_t)	link;
+};
+/*%<
+ * 'dbiterator' contains a iterator for the database.  If we are creating
+ * a NSEC3 chain only the non-NSEC3 nodes will be iterated.  If we are
+ * removing a NSEC3 chain then both NSEC3 and non-NSEC3 nodes will be
+ * iterated.
+ *
+ * 'nsec3param' contains the parameters of the NSEC3 chain being created
+ * or removed.
+ *
+ * 'salt' is buffer space and is referenced via 'nsec3param.salt'.
+ *
+ * 'seen_nsec' will be set to true if, while iterating the zone to create a
+ * NSEC3 chain, a NSEC record is seen.
+ *
+ * 'delete_nsec' will be set to true if, at the completion of the creation
+ * of a NSEC3 chain, 'seen_nsec' is true.  If 'delete_nsec' is true then we
+ * are in the process of deleting the NSEC chain.
+ *
+ * 'save_delete_nsec' is used to store the initial state of 'delete_nsec'
+ * so it can be recovered in the event of a error.
+ */
+
+
 #define SEND_BUFFER_SIZE 2048
 
 static void zone_settimer(dns_zone_t *, isc_time_t *);
@@ -436,6 +552,10 @@ static void zone_shutdown(isc_task_t *, isc_event_t *);
 static void zone_loaddone(void *arg, isc_result_t result);
 static isc_result_t zone_startload(dns_db_t *db, dns_zone_t *zone,
 				   isc_time_t loadtime);
+static void zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_name_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length);
+static void zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length);
 
 #if 0
 /* ondestroy example */
@@ -484,6 +604,12 @@ static void zone_saveunique(dns_zone_t *zone, const char *path,
 static void zone_maintenance(dns_zone_t *zone);
 static void zone_notify(dns_zone_t *zone, isc_time_t *now);
 static void dump_done(void *arg, isc_result_t result);
+static isc_boolean_t dns_zonemgr_unreachable(dns_zonemgr_t *zmgr,
+					     isc_sockaddr_t *remote,
+					     isc_sockaddr_t *local,
+					     isc_time_t *now);
+static isc_result_t zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+				     isc_uint16_t keyid, isc_boolean_t delete);
 
 #define ENTER zone_debuglog(zone, me, 1, "enter")
 
@@ -518,6 +644,15 @@ static const char *dbargv_default[] = { "rbt" };
 		} \
 	} while (0)
 
+/*%
+ * Increment resolver-related statistics counters.  Zone must be locked.
+ */
+static inline void
+inc_stats(dns_zone_t *zone, isc_statscounter_t counter) {
+	if (zone->stats != NULL)
+		isc_stats_increment(zone->stats, counter);
+}
+
 /***
  ***	Public functions.
  ***/
@@ -559,8 +694,12 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 		goto free_dblock;
 	zone->irefs = 0;
 	dns_name_init(&zone->origin, NULL);
+	zone->strnamerd = NULL;
+	zone->strname = NULL;
+	zone->strrdclass = NULL;
+	zone->strviewname = NULL;
 	zone->masterfile = NULL;
-	zone->masterformat =  dns_masterformat_none;
+	zone->masterformat = dns_masterformat_none;
 	zone->keydirectory = NULL;
 	zone->journalsize = -1;
 	zone->journal = NULL;
@@ -575,6 +714,10 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	isc_time_settoepoch(&zone->dumptime);
 	isc_time_settoepoch(&zone->loadtime);
 	zone->notifytime = now;
+	isc_time_settoepoch(&zone->resigntime);
+	isc_time_settoepoch(&zone->keywarntime);
+	isc_time_settoepoch(&zone->signingtime);
+	isc_time_settoepoch(&zone->nsec3chaintime);
 	zone->serial = 0;
 	zone->refresh = DNS_ZONE_DEFAULTREFRESH;
 	zone->retry = DNS_ZONE_DEFAULTRETRY;
@@ -597,6 +740,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->forward_acl = NULL;
 	zone->notify_acl = NULL;
 	zone->query_acl = NULL;
+	zone->queryon_acl = NULL;
 	zone->xfr_acl = NULL;
 	zone->update_disabled = ISC_FALSE;
 	zone->zero_no_soa_ttl = ISC_TRUE;
@@ -622,6 +766,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->maxxfrout = MAX_XFER_TIME;
 	zone->ssutable = NULL;
 	zone->sigvalidityinterval = 30 * 24 * 3600;
+	zone->sigresigninginterval = 7 * 24 * 3600;
 	zone->view = NULL;
 	zone->acache = NULL;
 	zone->checkmx = NULL;
@@ -629,10 +774,17 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 	zone->checkns = NULL;
 	ISC_LINK_INIT(zone, statelink);
 	zone->statelist = NULL;
-	zone->counters = NULL;
+	zone->stats = NULL;
+	zone->requeststats_on = ISC_FALSE;
+	zone->requeststats = NULL;
 	zone->notifydelay = 5;
 	zone->isself = NULL;
 	zone->isselfarg = NULL;
+	ISC_LIST_INIT(zone->signing);
+	ISC_LIST_INIT(zone->nsec3chain);
+	zone->signatures = 10;
+	zone->nodes = 100;
+	zone->privatetype = (dns_rdatatype_t)0xffffU;
 
 	zone->magic = ZONE_MAGIC;
 
@@ -669,6 +821,8 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx) {
 static void
 zone_free(dns_zone_t *zone) {
 	isc_mem_t *mctx = NULL;
+	dns_signing_t *signing;
+	dns_nsec3chain_t *nsec3chain;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(isc_refcount_current(&zone->erefs) == 0);
@@ -687,10 +841,26 @@ zone_free(dns_zone_t *zone) {
 
 	if (zone->task != NULL)
 		isc_task_detach(&zone->task);
-	if (zone->zmgr)
+	if (zone->zmgr != NULL)
 		dns_zonemgr_releasezone(zone->zmgr, zone);
 
 	/* Unmanaged objects */
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_HEAD(zone->signing)) {
+		ISC_LIST_UNLINK(zone->signing, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_HEAD(zone->nsec3chain)) {
+		ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
 	if (zone->masterfile != NULL)
 		isc_mem_free(zone->mctx, zone->masterfile);
 	zone->masterfile = NULL;
@@ -701,8 +871,10 @@ zone_free(dns_zone_t *zone) {
 	if (zone->journal != NULL)
 		isc_mem_free(zone->mctx, zone->journal);
 	zone->journal = NULL;
-	if (zone->counters != NULL)
-		dns_stats_freecounters(zone->mctx, &zone->counters);
+	if (zone->stats != NULL)
+		isc_stats_detach(&zone->stats);
+	if (zone->requeststats != NULL)
+		isc_stats_detach(&zone->requeststats);
 	if (zone->db != NULL)
 		zone_detachdb(zone);
 	if (zone->acache != NULL)
@@ -721,10 +893,20 @@ zone_free(dns_zone_t *zone) {
 		dns_acl_detach(&zone->notify_acl);
 	if (zone->query_acl != NULL)
 		dns_acl_detach(&zone->query_acl);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
 	if (zone->xfr_acl != NULL)
 		dns_acl_detach(&zone->xfr_acl);
 	if (dns_name_dynamic(&zone->origin))
 		dns_name_free(&zone->origin, zone->mctx);
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	if (zone->strname != NULL)
+		isc_mem_free(zone->mctx, zone->strname);
+	if (zone->strrdclass != NULL)
+		isc_mem_free(zone->mctx, zone->strrdclass);
+	if (zone->strviewname != NULL)
+		isc_mem_free(zone->mctx, zone->strviewname);
 	if (zone->ssutable != NULL)
 		dns_ssutable_detach(&zone->ssutable);
 
@@ -743,6 +925,7 @@ zone_free(dns_zone_t *zone) {
  */
 void
 dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
+	char namebuf[1024];
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(rdclass != dns_rdataclass_none);
@@ -754,11 +937,22 @@ dns_zone_setclass(dns_zone_t *zone, dns_rdataclass_t rdclass) {
 	REQUIRE(zone->rdclass == dns_rdataclass_none ||
 		zone->rdclass == rdclass);
 	zone->rdclass = rdclass;
+
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	if (zone->strrdclass != NULL)
+		isc_mem_free(zone->mctx, zone->strrdclass);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_rdclass_tostr(zone, namebuf, sizeof namebuf);
+	zone->strrdclass = isc_mem_strdup(zone->mctx, namebuf);
+
 	UNLOCK_ZONE(zone);
 }
 
 dns_rdataclass_t
-dns_zone_getclass(dns_zone_t *zone){
+dns_zone_getclass(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	return (zone->rdclass);
@@ -773,6 +967,19 @@ dns_zone_setnotifytype(dns_zone_t *zone, dns_notifytype_t notifytype) {
 	UNLOCK_ZONE(zone);
 }
 
+isc_uint32_t
+dns_zone_getserial(dns_zone_t *zone) {
+	isc_uint32_t serial;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	serial = zone->serial;
+	UNLOCK_ZONE(zone);
+
+	return (serial);
+}
+
 /*
  *	Single shot.
  */
@@ -888,12 +1095,24 @@ dns_zone_setdbtype(dns_zone_t *zone,
 
 void
 dns_zone_setview(dns_zone_t *zone, dns_view_t *view) {
+	char namebuf[1024];
 	REQUIRE(DNS_ZONE_VALID(zone));
 
 	LOCK_ZONE(zone);
 	if (zone->view != NULL)
 		dns_view_weakdetach(&zone->view);
 	dns_view_weakattach(view, &zone->view);
+
+	if (zone->strviewname != NULL)
+		isc_mem_free(zone->mctx, zone->strviewname);
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_viewname_tostr(zone, namebuf, sizeof namebuf);
+	zone->strviewname = isc_mem_strdup(zone->mctx, namebuf);
+
 	UNLOCK_ZONE(zone);
 }
 
@@ -909,6 +1128,7 @@ dns_zone_getview(dns_zone_t *zone) {
 isc_result_t
 dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 	isc_result_t result;
+	char namebuf[1024];
 
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(origin != NULL);
@@ -919,6 +1139,17 @@ dns_zone_setorigin(dns_zone_t *zone, const dns_name_t *origin) {
 		dns_name_init(&zone->origin, NULL);
 	}
 	result = dns_name_dup(origin, zone->mctx, &zone->origin);
+
+	if (zone->strnamerd != NULL)
+		isc_mem_free(zone->mctx, zone->strnamerd);
+	if (zone->strname != NULL)
+		isc_mem_free(zone->mctx, zone->strname);
+
+	zone_namerd_tostr(zone, namebuf, sizeof namebuf);
+	zone->strnamerd = isc_mem_strdup(zone->mctx, namebuf);
+	zone_name_tostr(zone, namebuf, sizeof namebuf);
+	zone->strname = isc_mem_strdup(zone->mctx, namebuf);
+
 	UNLOCK_ZONE(zone);
 	return (result);
 }
@@ -1064,11 +1295,7 @@ zone_isdynamic(dns_zone_t *zone) {
 		       zone->type == dns_zone_stub ||
 		       (!zone->update_disabled && zone->ssutable != NULL) ||
 		       (!zone->update_disabled && zone->update_acl != NULL &&
-			! (zone->update_acl->length == 1 &&
-			   zone->update_acl->elements[0].negative == ISC_TRUE
-			   &&
-			   zone->update_acl->elements[0].type ==
-			   dns_aclelementtype_any))));
+			!dns_acl_isnone(zone->update_acl))));
 }
 
 
@@ -1243,6 +1470,33 @@ dns_zone_loadnew(dns_zone_t *zone) {
 	return (zone_load(zone, DNS_ZONELOADFLAG_NOSTAT));
 }
 
+static unsigned int
+get_master_options(dns_zone_t *zone) {
+	unsigned int options;
+
+	options = DNS_MASTER_ZONE;
+	if (zone->type == dns_zone_slave)
+		options |= DNS_MASTER_SLAVE;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
+		options |= DNS_MASTER_CHECKNS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
+		options |= DNS_MASTER_FATALNS;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
+		options |= DNS_MASTER_CHECKNAMES;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
+		options |= DNS_MASTER_CHECKNAMESFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
+		options |= DNS_MASTER_CHECKMX;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
+		options |= DNS_MASTER_CHECKMXFAIL;
+	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
+		options |= DNS_MASTER_CHECKWILDCARD;
+	if (zone->type == dns_zone_master &&
+	    (zone->update_acl != NULL || zone->ssutable != NULL))
+		options |= DNS_MASTER_RESIGN;
+	return (options);
+}
+
 static void
 zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 	dns_load_t *load = event->ev_arg;
@@ -1257,28 +1511,14 @@ zone_gotreadhandle(isc_task_t *task, isc_event_t *event) {
 	if (result == ISC_R_CANCELED)
 		goto fail;
 
-	options = DNS_MASTER_ZONE;
-	if (load->zone->type == dns_zone_slave)
-		options |= DNS_MASTER_SLAVE;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNS))
-		options |= DNS_MASTER_CHECKNS;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_FATALNS))
-		options |= DNS_MASTER_FATALNS;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMES))
-		options |= DNS_MASTER_CHECKNAMES;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKNAMESFAIL))
-		options |= DNS_MASTER_CHECKNAMESFAIL;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKMX))
-		options |= DNS_MASTER_CHECKMX;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKMXFAIL))
-		options |= DNS_MASTER_CHECKMXFAIL;
-	if (DNS_ZONE_OPTION(load->zone, DNS_ZONEOPT_CHECKWILDCARD))
-		options |= DNS_MASTER_CHECKWILDCARD;
-	result = dns_master_loadfileinc2(load->zone->masterfile,
+	options = get_master_options(load->zone);
+
+	result = dns_master_loadfileinc3(load->zone->masterfile,
 					 dns_db_origin(load->db),
 					 dns_db_origin(load->db),
 					 load->zone->rdclass,
 					 options,
+					 load->zone->sigresigninginterval,
 					 &load->callbacks, task,
 					 zone_loaddone, load,
 					 &load->zone->lctx, load->zone->mctx,
@@ -1334,25 +1574,10 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 	isc_result_t tresult;
 	unsigned int options;
 
-	options = DNS_MASTER_ZONE;
+	options = get_master_options(zone);
+
 	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS))
 		options |= DNS_MASTER_MANYERRORS;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNS))
-		options |= DNS_MASTER_CHECKNS;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_FATALNS))
-		options |= DNS_MASTER_FATALNS;
-	if (zone->type == dns_zone_slave)
-		options |= DNS_MASTER_SLAVE;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMES))
-		options |= DNS_MASTER_CHECKNAMES;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKNAMESFAIL))
-		options |= DNS_MASTER_CHECKNAMESFAIL;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMX))
-		options |= DNS_MASTER_CHECKMX;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKMXFAIL))
-		options |= DNS_MASTER_CHECKMXFAIL;
-	if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKWILDCARD))
-		options |= DNS_MASTER_CHECKWILDCARD;
 
 	if (zone->zmgr != NULL && zone->db != NULL && zone->task != NULL) {
 		load = isc_mem_get(zone->mctx, sizeof(*load));
@@ -1394,9 +1619,10 @@ zone_startload(dns_db_t *db, dns_zone_t *zone, isc_time_t loadtime) {
 					  &callbacks.add_private);
 		if (result != ISC_R_SUCCESS)
 			return (result);
-		result = dns_master_loadfile2(zone->masterfile, &zone->origin,
+		result = dns_master_loadfile3(zone->masterfile, &zone->origin,
 					      &zone->origin, zone->rdclass,
-					      options, &callbacks, zone->mctx,
+					      options, zone->sigresigninginterval,
+					      &callbacks, zone->mctx,
 					      zone->masterformat);
 		tresult = dns_db_endload(db, &callbacks.add_private);
 		if (result == ISC_R_SUCCESS)
@@ -1727,7 +1953,7 @@ integrity_checks(dns_zone_t *zone, dns_db_t *db) {
 	dns_rdataset_init(&rdataset);
 	dns_rdata_init(&rdata);
 
-	result = dns_db_createiterator(db, ISC_FALSE, &dbiterator);
+	result = dns_db_createiterator(db, 0, &dbiterator);
 	if (result != ISC_R_SUCCESS)
 		return (ISC_TRUE);
 
@@ -1890,6 +2116,292 @@ zone_check_dnskeys(dns_zone_t *zone, dns_db_t *db) {
 
 }
 
+static void
+resume_signingwithkey(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(zone->db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(zone->db, node, version,
+				     zone->privatetype,
+				     dns_rdatatype_none, 0,
+				     &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		if (rdata.length != 5 || rdata.data[4] != 0) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		result = zone_signwithkey(zone, rdata.data[0],
+					  (rdata.data[1] << 8) | rdata.data[2],						  ISC_TF(rdata.data[3]));
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_signwithkey failed: %s",
+				     dns_result_totext(result));
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(zone->db, &node);
+	if (version != NULL)
+		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+
+}
+
+static isc_result_t
+zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	dns_nsec3chain_t *nsec3chain, *current;
+	isc_result_t result;
+	isc_time_t now;
+	unsigned int options = 0;
+
+	nsec3chain = isc_mem_get(zone->mctx, sizeof *nsec3chain);
+	if (nsec3chain == NULL)
+		return (ISC_R_NOMEMORY);
+
+	nsec3chain->magic = 0;
+	nsec3chain->done = ISC_FALSE;
+	nsec3chain->db = NULL;
+	nsec3chain->dbiterator = NULL;
+	nsec3chain->nsec3param.common.rdclass = nsec3param->common.rdclass;
+	nsec3chain->nsec3param.common.rdtype = nsec3param->common.rdtype;
+	nsec3chain->nsec3param.hash = nsec3param->hash;
+	nsec3chain->nsec3param.iterations = nsec3param->iterations;
+	nsec3chain->nsec3param.flags = nsec3param->flags;
+	nsec3chain->nsec3param.salt_length = nsec3param->salt_length;
+	memcpy(nsec3chain->salt, nsec3param->salt, nsec3param->salt_length);
+	nsec3chain->nsec3param.salt = nsec3chain->salt;
+	nsec3chain->seen_nsec = ISC_FALSE;
+	nsec3chain->delete_nsec = ISC_FALSE;
+	nsec3chain->save_delete_nsec = ISC_FALSE;
+
+	for (current = ISC_LIST_HEAD(zone->nsec3chain);
+	     current != NULL;
+	     current = ISC_LIST_NEXT(current, link)) {
+		if (current->db == zone->db &&
+		    current->nsec3param.hash == nsec3param->hash &&
+		    current->nsec3param.iterations == nsec3param->iterations &&
+		    current->nsec3param.salt_length == nsec3param->salt_length
+		    && !memcmp(current->nsec3param.salt, nsec3param->salt,
+			       nsec3param->salt_length))
+			current->done = ISC_TRUE;
+	}
+
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &nsec3chain->db);
+		if ((nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0)
+			options = DNS_DB_NONSEC3;
+		result = dns_db_createiterator(nsec3chain->db, options,
+					       &nsec3chain->dbiterator);
+		if (result == ISC_R_SUCCESS)
+			dns_dbiterator_first(nsec3chain->dbiterator);
+		if (result == ISC_R_SUCCESS) {
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			ISC_LIST_INITANDAPPEND(zone->nsec3chain,
+					       nsec3chain, link);
+			nsec3chain = NULL;
+			if (isc_time_isepoch(&zone->nsec3chaintime)) {
+				TIME_NOW(&now);
+				zone->nsec3chaintime = now;
+				if (zone->task != NULL)
+					zone_settimer(zone, &now);
+			}
+		}
+	} else
+		result = ISC_R_NOTFOUND;
+
+	if (nsec3chain != NULL) {
+		if (nsec3chain->db != NULL)
+			dns_db_detach(&nsec3chain->db);
+		if (nsec3chain->dbiterator != NULL)
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+	}
+	return (result);
+}
+
+static void
+resume_addnsec3chain(dns_zone_t *zone) {
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+	dns_rdata_nsec3param_t nsec3param;
+
+	result = dns_db_findnode(zone->db, &zone->origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	dns_db_currentversion(zone->db, &version);
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(zone->db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0,
+				     &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+		if ((nsec3param.flags & DNS_NSEC3FLAG_CREATE) != 0 ||
+		    (nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+			result = zone_addnsec3chain(zone, &nsec3param);
+			if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_addnsec3chain failed: %s",
+					     dns_result_totext(result));
+			}
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+
+ cleanup:
+	if (node != NULL)
+		dns_db_detachnode(zone->db, &node);
+	if (version != NULL)
+		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+}
+
+static void
+set_resigntime(dns_zone_t *zone) {
+	dns_rdataset_t rdataset;
+	dns_fixedname_t fixed;
+	char namebuf[DNS_NAME_FORMATSIZE];
+	unsigned int resign;
+	isc_result_t result;
+	isc_uint32_t nanosecs;
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+	result  = dns_db_getsigningtime(zone->db, &rdataset,
+					dns_fixedname_name(&fixed));
+	if (result != ISC_R_SUCCESS) {
+		isc_time_settoepoch(&zone->resigntime);
+		return;
+	}
+	resign = rdataset.resign;
+	dns_name_format(dns_fixedname_name(&fixed), namebuf, sizeof(namebuf));
+	dns_rdataset_disassociate(&rdataset);
+	isc_random_get(&nanosecs);
+	nanosecs %= 1000000000;
+	isc_time_set(&zone->resigntime, resign, nanosecs);
+}
+
+static isc_result_t
+check_nsec3param(dns_zone_t *zone, dns_db_t *db) {
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_dbversion_t *version = NULL;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_boolean_t ok = ISC_FALSE;
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_boolean_t dynamic = (zone->type == dns_zone_master) ?
+				zone_isdynamic(zone) : ISC_FALSE;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findnode(db, &zone->origin, ISC_FALSE, &node);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		return (result);
+	}
+	dns_db_currentversion(db, &version);
+
+	result = dns_db_findrdataset(db, node, version,
+				     dns_rdatatype_nsec3param,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto cleanup;
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "nsec3param lookup failure: %s",
+			     dns_result_totext(result));
+		goto cleanup;
+	}
+
+	/*
+	 * For dynamic zones we must support every algorithm so we can
+	 * regenerate all the NSEC3 chains.
+	 * For non-dynamic zones we only need to find a supported algorithm.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
+	{
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &nsec3param, NULL);
+		dns_rdata_reset(&rdata);
+		INSIST(result == ISC_R_SUCCESS);
+		if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NSEC3TESTZONE) &&
+		    nsec3param.hash == DNS_NSEC3_UNKNOWNALG && !dynamic)
+		{
+			dns_zone_log(zone, ISC_LOG_WARNING,
+			     "nsec3 test \"unknown\" hash algorithm found: %u",
+				     nsec3param.hash);
+			ok = ISC_TRUE;
+		} else if (!dns_nsec3_supportedhash(nsec3param.hash)) {
+			if (dynamic) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "unsupported nsec3 hash algorithm"
+					     " in dynamic zone: %u",
+					     nsec3param.hash);
+				result = DNS_R_BADZONE;
+				/* Stop second error message. */
+				ok = ISC_TRUE;
+				break;
+			} else
+				dns_zone_log(zone, ISC_LOG_WARNING,
+				     "unsupported nsec3 hash algorithm: %u",
+					     nsec3param.hash);
+		} else
+			ok = ISC_TRUE;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+
+	if (!ok) {
+		result = DNS_R_BADZONE;
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "no supported nsec3 hash algorithm");
+	}
+
+ cleanup:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_closeversion(db, &version, ISC_FALSE);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
 static isc_result_t
 zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	      isc_result_t result)
@@ -1901,6 +2413,7 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	isc_time_t now;
 	isc_boolean_t needdump = ISC_FALSE;
 	isc_boolean_t hasinclude = DNS_ZONE_FLAG(zone, DNS_ZONEFLG_HASINCLUDE);
+	unsigned int options;
 
 	TIME_NOW(&now);
 
@@ -1945,7 +2458,12 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	    ! DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOMERGE) &&
 	    ! DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED))
 	{
-		result = dns_journal_rollforward(zone->mctx, db,
+		if (zone->type == dns_zone_master &&
+		    (zone->update_acl != NULL || zone->ssutable != NULL))
+			options = DNS_JOURNALOPT_RESIGN;
+		else
+			options = 0;
+		result = dns_journal_rollforward(zone->mctx, db, options,
 						 zone->journal);
 		if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND &&
 		    result != DNS_R_UPTODATE && result != DNS_R_NOJOURNAL &&
@@ -1972,7 +2490,6 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	zone->loadtime = loadtime;
 
 	dns_zone_log(zone, ISC_LOG_DEBUG(1), "loaded");
-
 	/*
 	 * Obtain ns, soa and cname counts for top of zone.
 	 */
@@ -2010,6 +2527,11 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 			result = DNS_R_BADZONE;
 			goto cleanup;
 		}
+		if (zone->type != dns_zone_stub) {
+			result = check_nsec3param(zone, db);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+		}
 		if (zone->type == dns_zone_master &&
 		    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_CHECKINTEGRITY) &&
 		    !integrity_checks(zone, db)) {
@@ -2047,6 +2569,17 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 					     "zone may fail to transfer "
 					     "to slaves.");
 		}
+
+		if (zone->type == dns_zone_master &&
+		    (zone->update_acl != NULL || zone->ssutable != NULL) &&
+		    zone->sigresigninginterval < (3 * refresh) &&
+		    dns_db_issecure(db))
+		{
+			dns_zone_log(zone, ISC_LOG_WARNING,
+				     "sig-re-signing-interval less than "
+				     "3 * refresh.");
+		}
+
 		zone->serial = serial;
 		zone->refresh = RANGE(refresh,
 				      zone->minrefresh, zone->maxrefresh);
@@ -2121,8 +2654,14 @@ zone_postload(dns_zone_t *zone, dns_db_t *db, isc_time_t loadtime,
 	result = ISC_R_SUCCESS;
 	if (needdump)
 		zone_needdump(zone, DNS_DUMP_DELAY);
-	if (zone->task != NULL)
+	if (zone->task != NULL) {
+		if (zone->type == dns_zone_master) {
+			set_resigntime(zone);
+			resume_signingwithkey(zone);
+			resume_addnsec3chain(zone);
+		}
 		zone_settimer(zone, &now);
+	}
 
 	if (! dns_db_ispersistent(db))
 		dns_zone_log(zone, ISC_LOG_INFO, "loaded serial %u%s",
@@ -2809,7 +3348,7 @@ dns_zone_setmasterswithkeys(dns_zone_t *zone,
 		goto unlock;
 
 	/*
-	 * masters must countain count elements!
+	 * masters must contain count elements!
 	 */
 	new = isc_mem_get(zone->mctx, count * sizeof(*new));
 	if (new == NULL) {
@@ -2935,6 +3474,2432 @@ was_dumping(dns_zone_t *zone) {
 	return (dumping);
 }
 
+#define MAXZONEKEYS 10
+
+static isc_result_t
+do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
+	     dns_diff_t *diff)
+{
+	dns_diff_t temp_diff;
+	isc_result_t result;
+
+	/*
+	 * Create a singleton diff.
+	 */
+	dns_diff_init(diff->mctx, &temp_diff);
+	temp_diff.resign = diff->resign;
+	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
+
+	/*
+	 * Apply it to the database.
+	 */
+	result = dns_diff_apply(&temp_diff, db, ver);
+	ISC_LIST_UNLINK(temp_diff.tuples, *tuple, link);
+	if (result != ISC_R_SUCCESS) {
+		dns_difftuple_free(tuple);
+		return (result);
+	}
+
+	/*
+	 * Merge it into the current pending journal entry.
+	 */
+	dns_diff_appendminimal(diff, tuple);
+
+	/*
+	 * Do not clear temp_diff.
+	 */
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+increment_soa_serial(dns_db_t *db, dns_dbversion_t *ver,
+		     dns_diff_t *diff, isc_mem_t *mctx)
+{
+	dns_difftuple_t *deltuple = NULL;
+	dns_difftuple_t *addtuple = NULL;
+	isc_uint32_t serial;
+	isc_result_t result;
+
+	CHECK(dns_db_createsoatuple(db, ver, mctx, DNS_DIFFOP_DEL, &deltuple));
+	CHECK(dns_difftuple_copy(deltuple, &addtuple));
+	addtuple->op = DNS_DIFFOP_ADD;
+
+	serial = dns_soa_getserial(&addtuple->rdata);
+
+	/* RFC1982 */
+	serial = (serial + 1) & 0xFFFFFFFF;
+	if (serial == 0)
+		serial = 1;
+
+	dns_soa_setserial(serial, &addtuple->rdata);
+	CHECK(do_one_tuple(&deltuple, db, ver, diff));
+	CHECK(do_one_tuple(&addtuple, db, ver, diff));
+	result = ISC_R_SUCCESS;
+
+	failure:
+	if (addtuple != NULL)
+		dns_difftuple_free(&addtuple);
+	if (deltuple != NULL)
+		dns_difftuple_free(&deltuple);
+	return (result);
+}
+
+static isc_result_t
+update_one_rr(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff,
+	      dns_diffop_t op, dns_name_t *name, dns_ttl_t ttl,
+	      dns_rdata_t *rdata)
+{
+	dns_difftuple_t *tuple = NULL;
+	isc_result_t result;
+	result = dns_difftuple_create(diff->mctx, op,
+				      name, ttl, rdata, &tuple);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	return (do_one_tuple(&tuple, db, ver, diff));
+}
+
+static isc_boolean_t
+ksk_sanity(dns_db_t *db, dns_dbversion_t *ver) {
+	isc_boolean_t ret = ISC_FALSE;
+	isc_boolean_t have_ksk = ISC_FALSE, have_nonksk = ISC_FALSE;
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_dnskey_t dnskey;
+
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	CHECK(dns_db_findrdataset(db, node, ver, dns_rdatatype_dnskey, 0, 0,
+				   &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	while (result == ISC_R_SUCCESS && (!have_ksk || !have_nonksk)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &dnskey, NULL));
+		if ((dnskey.flags & (DNS_KEYFLAG_OWNERMASK|DNS_KEYTYPE_NOAUTH))
+				 == DNS_KEYOWNER_ZONE) {
+			if ((dnskey.flags & DNS_KEYFLAG_KSK) != 0)
+				have_ksk = ISC_TRUE;
+			else
+				have_nonksk = ISC_TRUE;
+		}
+		dns_rdata_reset(&rdata);
+		result = dns_rdataset_next(&rdataset);
+	}
+	if (have_ksk && have_nonksk)
+		ret = ISC_TRUE;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (ret);
+}
+
+static isc_result_t
+find_zone_keys(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver,
+	       isc_mem_t *mctx, unsigned int maxkeys,
+	       dst_key_t **keys, unsigned int *nkeys)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	const char *directory = dns_zone_getkeydirectory(zone);
+	CHECK(dns_db_findnode(db, dns_db_origin(db), ISC_FALSE, &node));
+	result = dns_dnssec_findzonekeys2(db, ver, node, dns_db_origin(db),
+					  directory, mctx, maxkeys, keys,
+					  nkeys);
+	if (result == ISC_R_NOTFOUND)
+		result = ISC_R_SUCCESS;
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+offline(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, dns_name_t *name,
+	dns_ttl_t ttl, dns_rdata_t *rdata)
+{
+	isc_result_t result;
+
+	if ((rdata->flags & DNS_RDATA_OFFLINE) != 0)
+		return (ISC_R_SUCCESS);
+	result = update_one_rr(db, ver, diff, DNS_DIFFOP_DELRESIGN,
+			       name, ttl, rdata);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	rdata->flags |= DNS_RDATA_OFFLINE;
+	result = update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
+			       name, ttl, rdata);
+	return (result);
+}
+
+static void
+set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
+{
+	unsigned int delta;
+
+	zone->key_expiry = when;
+	if (when <= now) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "DNSKEY RRSIG(s) have expired");
+		isc_time_settoepoch(&zone->keywarntime);
+	} else if (when < now + 7 * 24 * 3600) {
+		dns_zone_log(zone, ISC_LOG_WARNING,
+			     "DNSKEY RRSIG(s) will expire at %u",
+			     when);	/* XXXMPA convert to date. */
+		delta = when - now;
+		delta--;		/* loop prevention */
+		delta /= 24 * 3600;	/* to whole days */
+		delta *= 24 * 3600;	/* to seconds */
+		isc_time_set(&zone->keywarntime, when - delta, 0);
+	}  else {
+		dns_zone_log(zone, ISC_LOG_NOTICE, /* XXMPA ISC_LOG_DEBUG(1) */
+			     "setting keywarntime to %u - 7 days",
+			     when);	/* XXXMPA convert to date. */
+		isc_time_set(&zone->keywarntime, when - 7 * 24 * 3600, 0);
+	}
+}
+
+/*
+ * Delete expired RRsigs and any RRsigs we are about to re-sign.
+ * See also update.c:del_keysigs().
+ */
+static isc_result_t
+del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
+	 unsigned int nkeys, isc_stdtime_t now)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned int i;
+	dns_rdata_rrsig_t rrsig;
+	isc_boolean_t found;
+	isc_stdtime_t warn = 0, maybe = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	if (type == dns_rdatatype_nsec3)
+		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
+	else
+		result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_rrsig, type,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+		if (type != dns_rdatatype_dnskey) {
+			result = update_one_rr(db, ver, diff,
+					       DNS_DIFFOP_DEL, name,
+					       rdataset.ttl, &rdata);
+			dns_rdata_reset(&rdata);
+			if (result != ISC_R_SUCCESS)
+				break;
+			continue;
+		}
+
+		/*
+		 * RRSIG(DNSKEY) requires special processing.
+		 */
+		found = ISC_FALSE;
+		for (i = 0; i < nkeys; i++) {
+			if (rrsig.algorithm == dst_key_alg(keys[i]) &&
+			    rrsig.keyid == dst_key_id(keys[i])) {
+				found = ISC_TRUE;
+				/*
+				 * Mark offline RRSIG(DNSKEY).
+				 * We want the earliest offline expire time
+				 * iff there is a new offline signature.
+				 */
+				if (!dst_key_isprivate(keys[i])) {
+					if (warn != 0 &&
+					    warn > rrsig.timeexpire)
+						warn = rrsig.timeexpire;
+					if (rdata.flags & DNS_RDATA_OFFLINE) {
+						if (maybe == 0 ||
+						    maybe > rrsig.timeexpire)
+							maybe =
+							     rrsig.timeexpire;
+						break;
+					}
+					if (warn == 0)
+						warn = maybe;
+					if (warn == 0 ||
+					    warn > rrsig.timeexpire)
+						warn = rrsig.timeexpire;
+					result = offline(db, ver, diff, name,
+							 rdataset.ttl, &rdata);
+					break;
+				}
+				result = update_one_rr(db, ver, diff,
+						       DNS_DIFFOP_DEL,
+						       name, rdataset.ttl,
+						       &rdata);
+				break;
+			}
+		}
+		/*
+		 * If there is not a matching DNSKEY then
+		 * delete the RRSIG.
+		 */
+		if (!found)
+			result = update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+					       name, rdataset.ttl, &rdata);
+		dns_rdata_reset(&rdata);
+		if (result != ISC_R_SUCCESS)
+			break;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (warn != 0)
+		set_key_expiry_warning(zone, warn, now);
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static isc_result_t
+add_sigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
+	 dns_rdatatype_t type, dns_diff_t *diff, dst_key_t **keys,
+	 unsigned int nkeys, isc_mem_t *mctx, isc_stdtime_t inception,
+	 isc_stdtime_t expire, isc_boolean_t check_ksk)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t sig_rdata = DNS_RDATA_INIT;
+	unsigned char data[1024]; /* XXX */
+	isc_buffer_t buffer;
+	unsigned int i;
+
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+
+	if (type == dns_rdatatype_nsec3)
+		result = dns_db_findnsec3node(db, name, ISC_FALSE, &node);
+	else
+		result = dns_db_findnode(db, name, ISC_FALSE, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	result = dns_db_findrdataset(db, node, ver, type, 0,
+				     (isc_stdtime_t) 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	for (i = 0; i < nkeys; i++) {
+		if (check_ksk && type != dns_rdatatype_dnskey &&
+		    (dst_key_flags(keys[i]) & DNS_KEYFLAG_KSK) != 0)
+			continue;
+		if (!dst_key_isprivate(keys[i]))
+			continue;
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		CHECK(dns_dnssec_sign(name, &rdataset, keys[i],
+				      &inception, &expire,
+				      mctx, &buffer, &sig_rdata));
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN,
+				    name, rdataset.ttl, &sig_rdata));
+		dns_rdata_reset(&sig_rdata);
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	return (result);
+}
+
+static void
+zone_resigninc(dns_zone_t *zone) {
+	const char *journalfile;
+	dns_db_t *db = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t sig_diff;
+	dns_fixedname_t fixed;
+	dns_name_t *name;
+	dns_rdataset_t rdataset;
+	dns_rdatatype_t covers;
+	dst_key_t *zone_keys[MAXZONEKEYS];
+	isc_boolean_t check_ksk;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire, stop;
+	isc_uint32_t jitter;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	unsigned int resign;
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+	dns_diff_init(zone->mctx, &sig_diff);
+	sig_diff.resign = zone->sigresigninginterval;
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_newversion -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = find_zone_keys(zone, db, version, zone->mctx, MAXZONEKEYS,
+				zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:find_zone_keys -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	isc_random_get(&jitter);
+	expire = soaexpire - jitter % 3600;
+	stop = now + 5;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, version);
+
+	name = dns_fixedname_name(&fixed);
+	result = dns_db_getsigningtime(db, &rdataset, name);
+	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_getsigningtime -> %s\n",
+			     dns_result_totext(result));
+	}
+
+	i = 0;
+	while (result == ISC_R_SUCCESS) {
+		resign = rdataset.resign;
+		covers = rdataset.covers;
+		/*
+		 * Stop if we hit the SOA as that means we have walked the
+		 * entire zone.  The SOA record should always be the most
+		 * recent signature.
+		 */
+		/* XXXMPA increase number of RRsets signed pre call */
+		if (covers == dns_rdatatype_soa || i++ > zone->signatures ||
+		    resign > stop) {
+			/*
+			 * Ensure that we don't loop resigning the SOA.
+			 */
+			if (covers == dns_rdatatype_soa)
+				dns_db_resigned(db, &rdataset, version);
+			dns_rdataset_disassociate(&rdataset);
+			break;
+		}
+
+		dns_db_resigned(db, &rdataset, version);
+		dns_rdataset_disassociate(&rdataset);
+
+		result = del_sigs(zone, db, version, name, covers, &sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			break;
+		}
+		result = add_sigs(db, version, name, covers, &sig_diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			break;
+		}
+		result  = dns_db_getsigningtime(db, &rdataset,
+						dns_fixedname_name(&fixed));
+		if (nkeys == 0 && result == ISC_R_NOTFOUND) {
+			result = ISC_R_SUCCESS;
+			break;
+		}
+		if (result != ISC_R_SUCCESS)
+			dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:dns_db_getsigningtime -> %s\n",
+				     dns_result_totext(result));
+	}
+
+	if (result != ISC_R_NOMORE && result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, now);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:del_sigs -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:increment_soa_serial -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
+			  soaexpire, check_ksk);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_resigninc:add_sigs -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	journalfile = dns_zone_getjournal(zone);
+	if (journalfile != NULL) {
+		dns_journal_t *journal = NULL;
+		result = dns_journal_open(zone->mctx, journalfile,
+					  ISC_TRUE, &journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_resigninc:dns_journal_open -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
+		result = dns_journal_write_transaction(journal, &sig_diff);
+		dns_journal_destroy(&journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+			 "zone_resigninc:dns_journal_write_transaction -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 */
+	dns_db_closeversion(db, &version, ISC_TRUE);
+
+ failure:
+	dns_diff_clear(&sig_diff);
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+	if (version != NULL) {
+		dns_db_closeversion(zone->db, &version, ISC_FALSE);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+	if (result == ISC_R_SUCCESS) {
+		set_resigntime(zone);
+		LOCK_ZONE(zone);
+		zone_needdump(zone, DNS_DUMP_DELAY);
+		DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_NEEDNOTIFY);
+		UNLOCK_ZONE(zone);
+	} else {
+		/*
+		 * Something failed.  Retry in 5 minutes.
+		 */
+		isc_interval_t ival;
+		isc_interval_set(&ival, 300, 0);
+		isc_time_nowplusinterval(&zone->resigntime, &ival);
+	}
+}
+
+static isc_result_t
+next_active(dns_db_t *db, dns_dbversion_t *version, dns_name_t *oldname,
+	    dns_name_t *newname, isc_boolean_t bottom)
+{
+	isc_result_t result;
+	dns_dbiterator_t *dbit = NULL;
+	dns_rdatasetiter_t *rdsit = NULL;
+	dns_dbnode_t *node = NULL;
+
+	CHECK(dns_db_createiterator(db, DNS_DB_NONSEC3, &dbit));
+	CHECK(dns_dbiterator_seek(dbit, oldname));
+	do {
+		result = dns_dbiterator_next(dbit);
+		if (result == ISC_R_NOMORE)
+			CHECK(dns_dbiterator_first(dbit));
+		CHECK(dns_dbiterator_current(dbit, &node, newname));
+		if (bottom && dns_name_issubdomain(newname, oldname) &&
+		    !dns_name_equal(newname, oldname)) {
+			dns_db_detachnode(db, &node);
+			continue;
+		}
+		/*
+		 * Is this node empty?
+		 */
+		CHECK(dns_db_allrdatasets(db, node, version, 0, &rdsit));
+		result = dns_rdatasetiter_first(rdsit);
+		dns_db_detachnode(db, &node);
+		dns_rdatasetiter_destroy(&rdsit);
+		if (result != ISC_R_NOMORE)
+			break;
+	} while (1);
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (dbit != NULL)
+		dns_dbiterator_destroy(&dbit);
+	return (result);
+}
+
+static void
+set_bit(unsigned char *array, unsigned int index) {
+	unsigned int shift, mask;
+
+	shift = 7 - (index % 8);
+	mask = 1 << shift;
+
+	array[index / 8] |= mask;
+}
+
+static isc_boolean_t
+signed_with_key(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
+		dns_rdatatype_t type, dst_key_t *key)
+{
+	isc_result_t result;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_rrsig_t rrsig;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_rrsig,
+				     type, 0, &rdataset, NULL);
+	if (result != ISC_R_SUCCESS)
+		return (ISC_FALSE);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		result = dns_rdata_tostruct(&rdata, &rrsig, NULL);
+		INSIST(result == ISC_R_SUCCESS);
+		if (rrsig.algorithm == dst_key_alg(key) &&
+		    rrsig.keyid == dst_key_id(key)) {
+			dns_rdataset_disassociate(&rdataset);
+			return (ISC_TRUE);
+		}
+		dns_rdata_reset(&rdata);
+	}
+	dns_rdataset_disassociate(&rdataset);
+	return (ISC_FALSE);
+}
+
+static isc_result_t
+add_nsec(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	 dns_dbnode_t *node, dns_ttl_t ttl, isc_boolean_t bottom,
+	 dns_diff_t *diff)
+{
+	dns_fixedname_t fixed;
+	dns_name_t *next;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_result_t result;
+	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
+
+	dns_fixedname_init(&fixed);
+	next = dns_fixedname_name(&fixed);
+
+	CHECK(next_active(db, version, name, next, bottom));
+	CHECK(dns_nsec_buildrdata(db, version, node, next, nsecbuffer,
+				  &rdata));
+	if (dns_name_equal(dns_db_origin(db), name)) {
+		/*
+		 * Set the OPT bit to indicate that this is a
+		 * partially secure zone.
+		 */
+		isc_region_t region;
+
+		dns_rdata_toregion(&rdata, &region);
+		dns_name_fromregion(next, &region);
+		isc_region_consume(&region, next->length);
+		INSIST(region.length > (2 + dns_rdatatype_opt / 8) &&
+		       region.base[0] == 0 &&
+		       region.base[1] > dns_rdatatype_opt / 8);
+		set_bit(region.base + 2, dns_rdatatype_opt);
+	}
+	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, ttl,
+			    &rdata));
+ failure:
+	return (result);
+}
+
+static isc_result_t
+sign_a_node(dns_db_t *db, dns_name_t *name, dns_dbnode_t *node,
+	    dns_dbversion_t *version, isc_boolean_t build_nsec3,
+	    isc_boolean_t build_nsec, dst_key_t *key,
+	    isc_stdtime_t inception, isc_stdtime_t expire,
+	    unsigned int minimum, isc_boolean_t is_ksk,
+	    isc_boolean_t *delegation, dns_diff_t *diff,
+	    isc_int32_t *signatures, isc_mem_t *mctx)
+{
+	isc_result_t result;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	isc_buffer_t buffer;
+	unsigned char data[1024];
+	isc_boolean_t seen_soa, seen_ns, seen_rr, seen_dname, seen_nsec,
+		      seen_nsec3, seen_ds;
+	isc_boolean_t bottom;
+
+	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		return (result);
+	}
+	dns_rdataset_init(&rdataset);
+	isc_buffer_init(&buffer, data, sizeof(data));
+	seen_rr = seen_soa = seen_ns = seen_dname = seen_nsec =
+	seen_nsec3 = seen_ds = ISC_FALSE;
+	for (result = dns_rdatasetiter_first(iterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator)) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa)
+			seen_soa = ISC_TRUE;
+		else if (rdataset.type == dns_rdatatype_ns)
+			seen_ns = ISC_TRUE;
+		else if (rdataset.type == dns_rdatatype_ds)
+			seen_ds = ISC_TRUE;
+		else if (rdataset.type == dns_rdatatype_dname)
+			seen_dname = ISC_TRUE;
+		else if (rdataset.type == dns_rdatatype_nsec)
+			seen_nsec = ISC_TRUE;
+		else if (rdataset.type == dns_rdatatype_nsec3)
+			seen_nsec3 = ISC_TRUE;
+		seen_rr = ISC_TRUE;
+		dns_rdataset_disassociate(&rdataset);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+	if (seen_ns && !seen_soa)
+		*delegation = ISC_TRUE;
+	/*
+	 * Going from insecure to NSEC3.
+	 * Don't generate NSEC3 records for NSEC3 records.
+	 */
+	if (build_nsec3 && !seen_nsec3 && seen_rr) {
+		isc_boolean_t unsecure = !seen_ds && seen_ns && !seen_soa;
+		CHECK(dns_nsec3_addnsec3s(db, version, name, minimum,
+					  unsecure, diff));
+		(*signatures)--;
+	}
+	/*
+	 * Going from insecure to NSEC.
+	 * Don't generate NSEC records for NSEC3 records.
+	 */
+	if (build_nsec && !seen_nsec3 && !seen_nsec && seen_rr) {
+		/* Build and add NSEC. */
+		bottom = (seen_ns && !seen_soa) || seen_dname;
+		CHECK(add_nsec(db, version, name, node, minimum, bottom, diff));
+		/* Count a NSEC generation as a signature generation. */
+		(*signatures)--;
+	}
+	result = dns_rdatasetiter_first(iterator);
+	while (result == ISC_R_SUCCESS) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (rdataset.type == dns_rdatatype_soa ||
+		    rdataset.type == dns_rdatatype_rrsig)
+			goto next_rdataset;
+		if (is_ksk && rdataset.type != dns_rdatatype_dnskey)
+			goto next_rdataset;
+		if (*delegation &&
+		    rdataset.type != dns_rdatatype_ds &&
+		    rdataset.type != dns_rdatatype_nsec)
+			goto next_rdataset;
+		if (signed_with_key(db, node, version, rdataset.type, key))
+			goto next_rdataset;
+		/* Calculate the signature, creating a RRSIG RDATA. */
+		CHECK(dns_dnssec_sign(name, &rdataset, key, &inception,
+				      &expire, mctx, &buffer, &rdata));
+		/* Update the database and journal with the RRSIG. */
+		/* XXX inefficient - will cause dataset merging */
+		CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADDRESIGN,
+				    name, rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+		(*signatures)--;
+ next_rdataset:
+		dns_rdataset_disassociate(&rdataset);
+		result = dns_rdatasetiter_next(iterator);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (seen_dname)
+		*delegation = ISC_TRUE;
+failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (iterator != NULL)
+		dns_rdatasetiter_destroy(&iterator);
+	return (result);
+}
+
+static isc_result_t
+updatesecure(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	     dns_ttl_t minimum, isc_boolean_t *secureupdated, dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char nsecbuffer[DNS_NSEC_BUFFERSIZE];
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec_t nsec;
+	dns_dbnode_t *node = NULL;
+
+	/*
+	 * Check to see if the OPT bit has already been cleared.
+	 */
+	CHECK(dns_db_getoriginnode(db, &node));
+	dns_rdataset_init(&rdataset);
+	CHECK(dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
+				  dns_rdatatype_none, 0, &rdataset, NULL));
+	CHECK(dns_rdataset_first(&rdataset));
+	dns_rdataset_current(&rdataset, &rdata);
+
+	/*
+	 * Find the NEXT name for building the new record.
+	 */
+	CHECK(dns_rdata_tostruct(&rdata, &nsec, NULL));
+
+	/*
+	 * Delete the old NSEC record.
+	 */
+	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_DEL, name, minimum,
+			    &rdata));
+	dns_rdata_reset(&rdata);
+
+	/*
+	 * Add the new NSEC record.
+	 */
+	CHECK(dns_nsec_buildrdata(db, version, node, &nsec.next, nsecbuffer,
+				  &rdata));
+	CHECK(update_one_rr(db, version, diff, DNS_DIFFOP_ADD, name, minimum,
+			    &rdata));
+	dns_rdata_reset(&rdata);
+
+	if (secureupdated != NULL)
+		*secureupdated = ISC_TRUE;
+
+ failure:
+	if (node != NULL)
+		dns_db_detachnode(db, &node);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+updatesignwithkey(dns_signing_t *signing, dns_dbversion_t *version,
+		  dns_name_t *name, dns_rdatatype_t privatetype,
+		  dns_diff_t *diff)
+{
+	isc_result_t result;
+	dns_dbnode_t *node = NULL;
+	dns_rdataset_t rdataset;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	unsigned char data[5];
+	isc_boolean_t seen_done = ISC_FALSE;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_getoriginnode(signing->db, &node);
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	result = dns_db_findrdataset(signing->db, node, version, privatetype,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		if (rdata.length != 5 ||
+		    rdata.data[0] != signing->algorithm ||
+		    rdata.data[1] != ((signing->keyid >> 8) & 0xff) ||
+		    rdata.data[2] != (signing->keyid & 0xff)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+		if (!signing->delete && rdata.data[4] != 0)
+			seen_done = ISC_TRUE;
+		else
+			CHECK(update_one_rr(signing->db, version, diff,
+					    DNS_DIFFOP_DEL, name,							    rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+	if (!signing->delete && !seen_done) {
+
+		data[0] = signing->algorithm;
+		data[1] = (signing->keyid >> 8) & 0xff;
+		data[2] = signing->keyid & 0xff;
+		data[3] = 0;
+		data[4] = 1;
+		rdata.length = sizeof(data);
+		rdata.data = data;
+		rdata.type = privatetype;
+		rdata.rdclass = dns_db_class(signing->db);
+		CHECK(update_one_rr(signing->db, version, diff, DNS_DIFFOP_ADD,
+				    name, rdataset.ttl, &rdata));
+	}
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	if (node != NULL)
+		dns_db_detachnode(signing->db, &node);
+	return (result);
+}
+
+static isc_result_t
+fixup_nsec3param(dns_db_t *db, dns_dbversion_t *ver, dns_nsec3chain_t *chain,
+		 isc_boolean_t active, dns_diff_t *diff)
+{
+	dns_dbnode_t *node = NULL;
+	dns_name_t *name = dns_db_origin(db);
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3param_t nsec3param;
+	isc_result_t result;
+	isc_buffer_t buffer;
+	unsigned char parambuf[DNS_NSEC3PARAM_BUFFERSIZE];
+	dns_ttl_t ttl = 0;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto add;
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	/*
+	 * Preserve the existing ttl.
+	 */
+	ttl = rdataset.ttl;
+
+	/*
+	 * Delete all NSEC3PARAM records which match that in nsec3chain.
+	 */
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3param, NULL));
+
+		if (nsec3param.hash != chain->nsec3param.hash ||
+		    (active && nsec3param.flags != 0) ||
+		    nsec3param.iterations != chain->nsec3param.iterations ||
+		    nsec3param.salt_length != chain->nsec3param.salt_length ||
+		    memcmp(nsec3param.salt, chain->nsec3param.salt,
+			   nsec3param.salt_length)) {
+			dns_rdata_reset(&rdata);
+			continue;
+		}
+
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL,
+				    name, rdataset.ttl, &rdata));
+		dns_rdata_reset(&rdata);
+	}
+	if (result != ISC_R_NOMORE)
+		goto failure;
+
+  add:
+	if ((chain->nsec3param.flags & DNS_NSEC3FLAG_REMOVE) != 0) {
+		result = ISC_R_SUCCESS;
+		goto failure;
+	}
+
+	/*
+	 * Add a NSEC3PARAM record which matches that in nsec3chain but
+	 * with all flags bits cleared.
+	 *
+	 * Note: we do not clear chain->nsec3param.flags as this change
+	 * may be reversed.
+	 */
+	isc_buffer_init(&buffer, &parambuf, sizeof(parambuf));
+	CHECK(dns_rdata_fromstruct(&rdata, dns_db_class(db),
+				   dns_rdatatype_nsec3param,
+				   &chain->nsec3param, &buffer));
+	rdata.data[1] = 0;	/* Clear flag bits. */
+	CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADD, name, ttl, &rdata));
+
+  failure:
+	dns_db_detachnode(db, &node);
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+delete_nsec(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+	    dns_name_t *name, dns_diff_t *diff)
+{
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+deletematchingnsec3(dns_db_t *db, dns_dbversion_t *ver, dns_dbnode_t *node,
+		    dns_name_t *name, const dns_rdata_nsec3param_t *param,
+		    dns_diff_t *diff)
+{
+	dns_rdataset_t rdataset;
+	dns_rdata_nsec3_t nsec3;
+	isc_result_t result;
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		return (ISC_R_SUCCESS);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdata_t rdata = DNS_RDATA_INIT;
+
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &nsec3, NULL));
+		if (nsec3.hash != param->hash ||
+		    nsec3.iterations != param->iterations ||
+		    nsec3.salt_length != param->salt_length ||
+		    memcmp(nsec3.salt, param->salt, nsec3.salt_length))
+			continue;
+		CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_DEL, name,
+				    rdataset.ttl, &rdata));
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	dns_rdataset_disassociate(&rdataset);
+	return (result);
+}
+
+static isc_result_t
+need_nsec_chain(dns_db_t *db, dns_dbversion_t *ver,
+		const dns_rdata_nsec3param_t *param,
+		isc_boolean_t *answer, isc_boolean_t *updatensec)
+{
+	dns_dbnode_t *node = NULL;
+	dns_rdata_t rdata = DNS_RDATA_INIT;
+	dns_rdata_nsec3param_t myparam;
+	dns_rdataset_t rdataset;
+	isc_result_t result;
+
+	*answer = ISC_FALSE;
+
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+
+	dns_rdataset_init(&rdataset);
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND)
+		goto check_nsec3param;
+
+	if (result != ISC_R_SUCCESS)
+		goto failure;
+
+	CHECK(dns_rdataset_first(&rdataset));
+	dns_rdataset_current(&rdataset, &rdata);
+
+	if (!dns_nsec_typepresent(&rdata, dns_rdatatype_opt)) {
+		/*
+		 * We have a complete NSEC chain.  Signal to update
+		 * the apex NSEC record.
+		 */
+		*updatensec = ISC_TRUE;
+		goto failure;
+	}
+	dns_rdataset_disassociate(&rdataset);
+	dns_rdata_reset(&rdata);
+
+ check_nsec3param:
+	result = dns_db_findrdataset(db, node, ver, dns_rdatatype_nsec3param,
+				     0, 0, &rdataset, NULL);
+	if (result == ISC_R_NOTFOUND) {
+		*answer = ISC_TRUE;
+		dns_db_detachnode(db, &node);
+		return (ISC_R_SUCCESS);
+	}
+	if (result != ISC_R_SUCCESS) {
+		dns_db_detachnode(db, &node);
+		return (result);
+	}
+
+	for (result = dns_rdataset_first(&rdataset);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset)) {
+		dns_rdataset_current(&rdataset, &rdata);
+		CHECK(dns_rdata_tostruct(&rdata, &myparam, NULL));
+		dns_rdata_reset(&rdata);
+		/*
+		 * Ignore any NSEC3PARAM removals.
+		 */
+		if (NSEC3REMOVE(myparam.flags))
+			continue;
+		/*
+		 * Ignore the chain that we are in the process of deleting.
+		 */
+		if (myparam.hash == param->hash &&
+		    myparam.iterations == param->iterations &&
+		    myparam.salt_length == param->salt_length &&
+		    !memcmp(myparam.salt, param->salt, myparam.salt_length))
+			continue;
+		/*
+		 * Found an active NSEC3 chain.
+		 */
+		break;
+	}
+	if (result == ISC_R_NOMORE) {
+		*answer = ISC_TRUE;
+		result = ISC_R_SUCCESS;
+	}
+
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_db_detachnode(db, &node);
+	return (result);
+}
+
+/*
+ * Incrementally build and sign a new NSEC3 chain using the parameters
+ * requested.
+ */
+static void
+zone_nsec3chain(dns_zone_t *zone) {
+	const char *journalfile;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t sig_diff;
+	dns_diff_t nsec_diff;
+	dns_diff_t nsec3_diff;
+	dns_diff_t param_diff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_nsec3chain_t *nsec3chain = NULL, *nextnsec3chain;
+	dns_nsec3chainlist_t cleanup;
+	dst_key_t *zone_keys[MAXZONEKEYS];
+	isc_int32_t signatures;
+	isc_boolean_t check_ksk, is_ksk;
+	isc_boolean_t delegation;
+	isc_boolean_t first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire, stop;
+	isc_uint32_t jitter;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	isc_uint32_t nodes;
+	isc_boolean_t unsecure = ISC_FALSE;
+	isc_boolean_t seen_soa, seen_ns, seen_dname, seen_ds;
+	isc_boolean_t seen_nsec, seen_nsec3, seen_rr;
+	dns_rdatasetiter_t *iterator = NULL;
+	dns_difftuple_t *tuple;
+	isc_boolean_t buildnsecchain;
+	isc_boolean_t updatensec = ISC_FALSE;
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&nextfixed);
+	nextname = dns_fixedname_name(&nextfixed);
+	dns_diff_init(zone->mctx, &param_diff);
+	dns_diff_init(zone->mctx, &nsec3_diff);
+	dns_diff_init(zone->mctx, &nsec_diff);
+	dns_diff_init(zone->mctx, &sig_diff);
+	sig_diff.resign = zone->sigresigninginterval;
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_nsec3chain:dns_db_newversion -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = find_zone_keys(zone, db, version, zone->mctx,
+				MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_nsec3chain:find_zone_keys -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	isc_random_get(&jitter);
+	expire = soaexpire - jitter % 3600;
+	stop = now + 5;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, version);
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = ISC_TRUE;
+
+	if (nsec3chain != NULL)
+		nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+	/*
+	 * Generate new NSEC3 chains first.
+	 */
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (nsec3chain->done || nsec3chain->db != zone->db) {
+			ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain, link);
+			ISC_LIST_APPEND(cleanup, nsec3chain, link);
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+		UNLOCK_ZONE(zone);
+		if (ISC_LIST_TAIL(cleanup) == nsec3chain)
+			goto next_addchain;
+
+		/*
+		 * Possible future db.
+		 */
+		if (nsec3chain->db != db) {
+			goto next_addchain;
+		}
+
+		if (NSEC3REMOVE(nsec3chain->nsec3param.flags))
+			goto next_addchain;
+
+		is_ksk = ISC_FALSE;
+		delegation = ISC_FALSE;
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+
+		if (nsec3chain->delete_nsec) {
+			delegation = ISC_FALSE;
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			CHECK(delete_nsec(db, version, node, name, &nsec_diff));
+			goto next_addnode;
+		}
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		delegation = ISC_FALSE;
+		unsecure = ISC_FALSE;
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			dns_fixedname_init(&ffound);
+			found = dns_fixedname_name(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			    result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				delegation = ISC_TRUE;
+				goto next_addnode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		if (result == ISC_R_NOTFOUND)	/* Empty node? */
+			goto next_addnode;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		seen_soa = seen_ns = seen_dname = seen_ds = seen_nsec =
+			ISC_FALSE;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			INSIST(rdataset.type != dns_rdatatype_nsec3);
+			if (rdataset.type == dns_rdatatype_soa)
+				seen_soa = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_ns)
+				seen_ns = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_dname)
+				seen_dname = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_ds)
+				seen_ds = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_nsec)
+				seen_nsec = ISC_TRUE;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+		/*
+		 * Is there a NSEC chain than needs to be cleaned up?
+		 */
+		if (seen_nsec)
+			nsec3chain->seen_nsec = ISC_TRUE;
+		if (seen_ns && !seen_soa && !seen_ds)
+			unsecure = ISC_TRUE;
+		if ((seen_ns && !seen_soa) || seen_dname)
+			delegation = ISC_TRUE;
+
+		/*
+		 * Process one node.
+		 */
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		CHECK(dns_nsec3_addnsec3(db, version, name,
+					 &nsec3chain->nsec3param,
+					 zone->minimum, unsecure, &nsec3_diff));
+		/*
+		 * Treat each call to dns_nsec3_addnsec3() as if it's cost is
+		 * two signatures.  Additionally there will, in general, be
+		 * two signature generated below.
+		 *
+		 * If we are only changing the optout flag the cost is half
+		 * that of the cost of generating a completely new chain.
+		 */
+		signatures -= 4;
+
+		/*
+		 * Go onto next node.
+		 */
+ next_addnode:
+		first = ISC_FALSE;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+
+			if (result == ISC_R_NOMORE && nsec3chain->delete_nsec) {
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       ISC_FALSE, &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			}
+			if (result == ISC_R_NOMORE) {
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				if (nsec3chain->seen_nsec) {
+					CHECK(fixup_nsec3param(db, version,
+							       nsec3chain,
+							       ISC_TRUE,
+							       &param_diff));
+					nsec3chain->delete_nsec = ISC_TRUE;
+					goto same_addchain;
+				}
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       ISC_FALSE, &param_diff));
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				goto next_addchain;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_dbiterator_next -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ same_addchain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		first = ISC_TRUE;
+		continue;
+
+ next_addchain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = ISC_TRUE;
+		if (nsec3chain != NULL)
+			nsec3chain->save_delete_nsec = nsec3chain->delete_nsec;
+	}
+
+	/*
+	 * Process removals.
+	 */
+	LOCK_ZONE(zone);
+	nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	UNLOCK_ZONE(zone);
+	first = ISC_TRUE;
+	buildnsecchain = ISC_FALSE;
+	while (nsec3chain != NULL && nodes-- > 0 && signatures > 0) {
+		LOCK_ZONE(zone);
+		nextnsec3chain = ISC_LIST_NEXT(nsec3chain, link);
+		UNLOCK_ZONE(zone);
+
+		if (nsec3chain->db != db)
+			goto next_removechain;
+
+		if (!NSEC3REMOVE(nsec3chain->nsec3param.flags))
+			goto next_removechain;
+
+		/*
+		 * Work out if we need to build a NSEC chain as a consequence
+		 * of removing this NSEC3 chain.
+		 */
+		if (first && !updatensec &&
+		    (nsec3chain->nsec3param.flags & DNS_NSEC3FLAG_NONSEC) == 0)
+			CHECK(need_nsec_chain(db, version,
+					      &nsec3chain->nsec3param,
+					      &buildnsecchain, &updatensec));
+
+		dns_dbiterator_current(nsec3chain->dbiterator, &node, name);
+		delegation = ISC_FALSE;
+
+		if (!buildnsecchain) {
+			/*
+			 * Delete the NSECPARAM record that matches this chain.
+			 */
+			if (first)
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       ISC_TRUE, &param_diff));
+
+			/*
+			 *  Delete the NSEC3 records.
+			 */
+			CHECK(deletematchingnsec3(db, version, node, name,
+						  &nsec3chain->nsec3param,
+						  &nsec3_diff));
+			goto next_removenode;
+		}
+
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			dns_fixedname_init(&ffound);
+			found = dns_fixedname_name(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			     result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				delegation = ISC_TRUE;
+				goto next_removenode;
+			}
+		}
+
+		/*
+		 * Check to see if this is a bottom of zone node.
+		 */
+		result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+		if (result == ISC_R_NOTFOUND)	/* Empty node? */
+			goto next_removenode;
+		if (result != ISC_R_SUCCESS)
+			goto failure;
+
+		seen_soa = seen_ns = seen_dname = seen_nsec3 = seen_nsec =
+			seen_rr = ISC_FALSE;
+		for (result = dns_rdatasetiter_first(iterator);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdatasetiter_next(iterator)) {
+			dns_rdatasetiter_current(iterator, &rdataset);
+			if (rdataset.type == dns_rdatatype_soa)
+				seen_soa = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_ns)
+				seen_ns = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_dname)
+				seen_dname = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_nsec)
+				seen_nsec = ISC_TRUE;
+			else if (rdataset.type == dns_rdatatype_nsec3)
+				seen_nsec3 = ISC_TRUE;
+			seen_rr = ISC_TRUE;
+			dns_rdataset_disassociate(&rdataset);
+		}
+		dns_rdatasetiter_destroy(&iterator);
+
+		if (!seen_rr || seen_nsec3 || seen_nsec)
+			goto next_removenode;
+		if ((seen_ns && !seen_soa) || seen_dname)
+			delegation = ISC_TRUE;
+
+		CHECK(add_nsec(db, version, name, node, zone->minimum,
+			       delegation, &nsec_diff));
+
+ next_removenode:
+		first = ISC_FALSE;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(nsec3chain->dbiterator);
+			if (result == ISC_R_NOMORE && buildnsecchain) {
+				/*
+				 * The NSEC chain should now be built.
+				 * We can now remove the NSEC3 chain.
+				 */
+				updatensec = ISC_TRUE;
+				goto same_removechain;
+			}
+			if (result == ISC_R_NOMORE) {
+				LOCK_ZONE(zone);
+				ISC_LIST_UNLINK(zone->nsec3chain, nsec3chain,
+						link);
+				UNLOCK_ZONE(zone);
+				ISC_LIST_APPEND(cleanup, nsec3chain, link);
+				dns_dbiterator_pause(nsec3chain->dbiterator);
+				CHECK(fixup_nsec3param(db, version, nsec3chain,
+						       ISC_FALSE, &param_diff));
+				goto next_removechain;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					     "zone_nsec3chain:"
+					     "dns_dbiterator_next -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(nsec3chain->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ same_removechain:
+		CHECK(dns_dbiterator_first(nsec3chain->dbiterator));
+		buildnsecchain = ISC_FALSE;
+		first = ISC_TRUE;
+		continue;
+
+ next_removechain:
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+		nsec3chain = nextnsec3chain;
+		first = ISC_TRUE;
+	}
+
+	/*
+	 * Add / update signatures for the NSEC3 records.
+	 */
+	for (tuple = ISC_LIST_HEAD(nsec3_diff.tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_HEAD(nsec3_diff.tuples)) {
+		/*
+		 * We have changed the NSEC3 RRset above so we need to update
+		 * the signatures.
+		 */
+		result = del_sigs(zone, db, version, &tuple->name,
+				  dns_rdatatype_nsec3, &sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, version, &tuple->name,
+				  dns_rdatatype_nsec3, &sig_diff, zone_keys,
+				  nkeys, zone->mctx, inception, expire,
+				  check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
+		do {
+			dns_difftuple_t *next = ISC_LIST_NEXT(tuple, link);
+			while (next != NULL &&
+			       !dns_name_equal(&tuple->name, &next->name))
+				next = ISC_LIST_NEXT(next, link);
+			ISC_LIST_UNLINK(nsec3_diff.tuples, tuple, link);
+			dns_diff_appendminimal(&sig_diff, &tuple);
+			INSIST(tuple == NULL);
+			tuple = next;
+		} while (tuple != NULL);
+	}
+
+	for (tuple = ISC_LIST_HEAD(param_diff.tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_HEAD(param_diff.tuples)) {
+		/*
+		 * We have changed the NSEC3PARAM RRset above so we need to
+		 * update the signatures.
+		 */
+		result = del_sigs(zone, db, version, &tuple->name,
+				  dns_rdatatype_nsec3param, &sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, version, &tuple->name,
+				  dns_rdatatype_nsec3param, &sig_diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		ISC_LIST_UNLINK(param_diff.tuples, tuple, link);
+		dns_diff_appendminimal(&sig_diff, &tuple);
+		INSIST(tuple == NULL);
+	}
+
+	if (updatensec)
+		CHECK(updatesecure(db, version, &zone->origin, zone->minimum,
+				   NULL, &nsec_diff));
+
+	for (tuple = ISC_LIST_HEAD(nsec_diff.tuples);
+	     tuple != NULL;
+	     tuple = ISC_LIST_HEAD(nsec_diff.tuples)) {
+		result = del_sigs(zone, db, version, &tuple->name,
+				  dns_rdatatype_nsec, &sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, version, &tuple->name,
+				  dns_rdatatype_nsec, &sig_diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  expire, check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_nsec3chain:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		ISC_LIST_UNLINK(nsec_diff.tuples, tuple, link);
+		dns_diff_appendminimal(&sig_diff, &tuple);
+		INSIST(tuple == NULL);
+	}
+
+	/*
+	 * If we made no effective changes to the zone then we can just
+	 * cleanup otherwise we need to increment the serial.
+	 */
+	if (ISC_LIST_HEAD(sig_diff.tuples) == NULL)
+		goto done;
+
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, now);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "del_sigs -> %s\n", dns_result_totext(result));
+		goto failure;
+	}
+
+	result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "increment_soa_serial -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
+			  soaexpire, check_ksk);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+			     "add_sigs -> %s\n", dns_result_totext(result));
+		goto failure;
+	}
+
+	journalfile = dns_zone_getjournal(zone);
+	if (journalfile != NULL) {
+		dns_journal_t *journal = NULL;
+		result = dns_journal_open(zone->mctx, journalfile,
+					  ISC_TRUE, &journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "dns_journal_open -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
+		result = dns_journal_write_transaction(journal, &sig_diff);
+		dns_journal_destroy(&journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR, "zone_nsec3chain:"
+				     "dns_journal_write_transaction -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	UNLOCK_ZONE(zone);
+
+ done:
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	UNLOCK_ZONE(zone);
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 */
+	dns_db_closeversion(db, &version, ISC_TRUE);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	nsec3chain = ISC_LIST_HEAD(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		dns_db_detach(&nsec3chain->db);
+		dns_dbiterator_destroy(&nsec3chain->dbiterator);
+		isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		nsec3chain = ISC_LIST_HEAD(cleanup);
+	}
+
+	set_resigntime(zone);
+
+ failure:
+	/*
+	 * On error roll back the current nsec3chain.
+	 */
+	if (result != ISC_R_SUCCESS && nsec3chain != NULL) {
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+	}
+
+	/*
+	 * Rollback the cleanup list.
+	 */
+	nsec3chain = ISC_LIST_TAIL(cleanup);
+	while (nsec3chain != NULL) {
+		ISC_LIST_UNLINK(cleanup, nsec3chain, link);
+		if (nsec3chain->done) {
+			dns_db_detach(&nsec3chain->db);
+			dns_dbiterator_destroy(&nsec3chain->dbiterator);
+			isc_mem_put(zone->mctx, nsec3chain, sizeof *nsec3chain);
+		} else {
+			LOCK_ZONE(zone);
+			ISC_LIST_PREPEND(zone->nsec3chain, nsec3chain, link);
+			UNLOCK_ZONE(zone);
+			result = dns_dbiterator_first(nsec3chain->dbiterator);
+			RUNTIME_CHECK(result == ISC_R_SUCCESS);
+			dns_dbiterator_pause(nsec3chain->dbiterator);
+			nsec3chain->delete_nsec = nsec3chain->save_delete_nsec;
+		}
+		nsec3chain = ISC_LIST_TAIL(cleanup);
+	}
+
+	LOCK_ZONE(zone);
+	for (nsec3chain = ISC_LIST_HEAD(zone->nsec3chain);
+	     nsec3chain != NULL;
+	     nsec3chain = ISC_LIST_NEXT(nsec3chain, link))
+		dns_dbiterator_pause(nsec3chain->dbiterator);
+	UNLOCK_ZONE(zone);
+
+	dns_diff_clear(&param_diff);
+	dns_diff_clear(&nsec3_diff);
+	dns_diff_clear(&nsec_diff);
+	dns_diff_clear(&sig_diff);
+
+	if (iterator != NULL)
+		dns_rdatasetiter_destroy(&iterator);
+
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, ISC_FALSE);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+
+	LOCK_ZONE(zone);
+	if (ISC_LIST_HEAD(zone->nsec3chain) != NULL) {
+		isc_interval_t i;
+		if (zone->update_disabled || result != ISC_R_SUCCESS)
+			isc_interval_set(&i, 60, 0);		/* 1 minute */
+		else
+			isc_interval_set(&i, 0, 10000000);	/* 10 ms */
+		isc_time_nowplusinterval(&zone->nsec3chaintime, &i);
+	} else
+		isc_time_settoepoch(&zone->nsec3chaintime);
+	UNLOCK_ZONE(zone);
+}
+
+static isc_result_t
+del_sig(dns_db_t *db, dns_dbversion_t *version, dns_name_t *name,
+	dns_dbnode_t *node, unsigned int nkeys, dns_secalg_t algorithm,
+	isc_uint16_t keyid, dns_diff_t *diff)
+{
+	dns_rdata_rrsig_t rrsig;
+	dns_rdataset_t rdataset;
+	dns_rdatasetiter_t *iterator = NULL;
+	isc_result_t result;
+
+	result = dns_db_allrdatasets(db, node, version, 0, &iterator);
+	if (result != ISC_R_SUCCESS) {
+		if (result == ISC_R_NOTFOUND)
+			result = ISC_R_SUCCESS;
+		return (result);
+	}
+
+	dns_rdataset_init(&rdataset);
+	for (result = dns_rdatasetiter_first(iterator);
+	     result == ISC_R_SUCCESS;
+	     result = dns_rdatasetiter_next(iterator)) {
+		dns_rdatasetiter_current(iterator, &rdataset);
+		if (nkeys == 0 && rdataset.type == dns_rdatatype_nsec) {
+			for (result = dns_rdataset_first(&rdataset);
+			     result == ISC_R_SUCCESS;
+			     result = dns_rdataset_next(&rdataset)) {
+				dns_rdata_t rdata = DNS_RDATA_INIT;
+				dns_rdataset_current(&rdataset, &rdata);
+				CHECK(update_one_rr(db, version, diff,
+						    DNS_DIFFOP_DEL, name,
+						    rdataset.ttl, &rdata));
+			}
+			if (result != ISC_R_NOMORE)
+				goto failure;
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		if (rdataset.type != dns_rdatatype_rrsig) {
+			dns_rdataset_disassociate(&rdataset);
+			continue;
+		}
+		for (result = dns_rdataset_first(&rdataset);
+		     result == ISC_R_SUCCESS;
+		     result = dns_rdataset_next(&rdataset)) {
+			dns_rdata_t rdata = DNS_RDATA_INIT;
+			dns_rdataset_current(&rdataset, &rdata);
+			CHECK(dns_rdata_tostruct(&rdata, &rrsig, NULL));
+			if (rrsig.algorithm != algorithm ||
+			    rrsig.keyid != keyid)
+				continue;
+			CHECK(update_one_rr(db, version, diff,
+					    DNS_DIFFOP_DEL, name,
+					    rdataset.ttl, &rdata));
+		}
+		dns_rdataset_disassociate(&rdataset);
+		if (result != ISC_R_NOMORE)
+			break;
+	}
+	if (result == ISC_R_NOMORE)
+		result = ISC_R_SUCCESS;
+ failure:
+	if (dns_rdataset_isassociated(&rdataset))
+		dns_rdataset_disassociate(&rdataset);
+	dns_rdatasetiter_destroy(&iterator);
+	return (result);
+}
+
+/*
+ * Incrementally sign the zone using the keys requested.
+ * Builds the NSEC chain if required.
+ */
+static void
+zone_sign(dns_zone_t *zone) {
+	const char *journalfile;
+	dns_db_t *db = NULL;
+	dns_dbnode_t *node = NULL;
+	dns_dbversion_t *version = NULL;
+	dns_diff_t sig_diff;
+	dns_fixedname_t fixed;
+	dns_fixedname_t nextfixed;
+	dns_name_t *name, *nextname;
+	dns_rdataset_t rdataset;
+	dns_signing_t *signing, *nextsigning;
+	dns_signinglist_t cleanup;
+	dst_key_t *zone_keys[MAXZONEKEYS];
+	isc_int32_t signatures;
+	isc_boolean_t check_ksk, is_ksk;
+	isc_boolean_t delegation;
+	isc_boolean_t finishedakey = ISC_FALSE;
+	isc_boolean_t secureupdated = ISC_FALSE;
+	isc_boolean_t build_nsec3 = ISC_FALSE, build_nsec = ISC_FALSE;
+	isc_boolean_t first;
+	isc_result_t result;
+	isc_stdtime_t now, inception, soaexpire, expire, stop;
+	isc_uint32_t jitter;
+	unsigned int i;
+	unsigned int nkeys = 0;
+	isc_uint32_t nodes;
+
+	dns_rdataset_init(&rdataset);
+	dns_fixedname_init(&fixed);
+	name = dns_fixedname_name(&fixed);
+	dns_fixedname_init(&nextfixed);
+	nextname = dns_fixedname_name(&nextfixed);
+	dns_diff_init(zone->mctx, &sig_diff);
+	sig_diff.resign = zone->sigresigninginterval;
+	ISC_LIST_INIT(cleanup);
+
+	/*
+	 * Updates are disabled.  Pause for 5 minutes.
+	 */
+	if (zone->update_disabled) {
+		result = ISC_R_FAILURE;
+		goto failure;
+	}
+
+	ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+	dns_db_attach(zone->db, &db);
+	ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+	result = dns_db_newversion(db, &version);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:dns_db_newversion -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = find_zone_keys(zone, db, version, zone->mctx,
+				MAXZONEKEYS, zone_keys, &nkeys);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:find_zone_keys -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	isc_stdtime_get(&now);
+	inception = now - 3600;	/* Allow for clock skew. */
+	soaexpire = now + dns_zone_getsigvalidityinterval(zone);
+
+	/*
+	 * Spread out signatures over time if they happen to be
+	 * clumped.  We don't do this for each add_sigs() call as
+	 * we still want some clustering to occur.
+	 */
+	isc_random_get(&jitter);
+	expire = soaexpire - jitter % 3600;
+	stop = now + 5;
+
+	check_ksk = DNS_ZONE_OPTION(zone, DNS_ZONEOPT_UPDATECHECKKSK);
+	if (check_ksk)
+		check_ksk = ksk_sanity(db, version);
+
+	/*
+	 * We keep pulling nodes off each iterator in turn until
+	 * we have no more nodes to pull off or we reach the limits
+	 * for this quantum.
+	 */
+	nodes = zone->nodes;
+	signatures = zone->signatures;
+	signing = ISC_LIST_HEAD(zone->signing);
+	first = ISC_TRUE;
+	/*
+	 * See if we have a NSEC chain.
+	 */
+	result = dns_db_getoriginnode(db, &node);
+	RUNTIME_CHECK(result == ISC_R_SUCCESS);
+	result = dns_db_findrdataset(db, node, version, dns_rdatatype_nsec,
+				     dns_rdatatype_none, 0, &rdataset, NULL);
+	dns_db_detachnode(db, &node);
+	if (result == ISC_R_SUCCESS) {
+		build_nsec = ISC_TRUE;
+		dns_rdataset_disassociate(&rdataset);
+	} else if (result != ISC_R_NOTFOUND) {
+		goto failure;
+	} else {
+		/*
+		 * No NSEC chain present.
+		 * See if we need to build a NSEC3 chain?
+		 */
+		result = dns_nsec3_active(db, version, ISC_TRUE, &build_nsec3);
+		if (result == ISC_R_SUCCESS) {
+			if (build_nsec3)
+				build_nsec3 = ISC_FALSE;
+			else  {
+				result = dns_nsec3_active(db, version,
+							  ISC_FALSE,
+							  &build_nsec3);
+				if (build_nsec3)
+					secureupdated = ISC_TRUE;
+				else
+					build_nsec = ISC_TRUE;
+			}
+		}
+	}
+
+	while (signing != NULL && nodes-- > 0 && signatures > 0) {
+		nextsigning = ISC_LIST_NEXT(signing, link);
+
+		ZONEDB_LOCK(&zone->dblock, isc_rwlocktype_read);
+		if (signing->done || signing->db != zone->db) {
+			/*
+			 * The zone has been reloaded.  We will have
+			 * created new signings as part of the reload
+			 * process so we can destroy this one.
+			 */
+			ISC_LIST_UNLINK(zone->signing, signing, link);
+			ISC_LIST_APPEND(cleanup, signing, link);
+			ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+			goto next_signing;
+		}
+		ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_read);
+
+		if (signing->db != db)
+			goto next_signing;
+
+		is_ksk = ISC_FALSE;
+		delegation = ISC_FALSE;
+
+		dns_dbiterator_current(signing->dbiterator, &node, name);
+
+		if (signing->delete) {
+			dns_dbiterator_pause(signing->dbiterator);
+			CHECK(del_sig(db, version, name, node, nkeys,
+				      signing->algorithm, signing->keyid,
+				      &sig_diff));
+			goto next_node;
+		}
+		/*
+		 * On the first pass we need to check if the current node
+		 * has not been obscured.
+		 */
+		if (first) {
+			dns_fixedname_t ffound;
+			dns_name_t *found;
+			dns_fixedname_init(&ffound);
+			found = dns_fixedname_name(&ffound);
+			result = dns_db_find(db, name, version,
+					     dns_rdatatype_soa,
+					     DNS_DBFIND_NOWILD, 0, NULL, found,
+					     NULL, NULL);
+			if ((result == DNS_R_DELEGATION ||
+			    result == DNS_R_DNAME) &&
+			    !dns_name_equal(name, found)) {
+				/*
+				 * Remember the obscuring name so that
+				 * we skip all obscured names.
+				 */
+				dns_name_copy(found, name, NULL);
+				delegation = ISC_TRUE;
+				goto next_node;
+			}
+		}
+
+		/*
+		 * Process one node.
+		 */
+		dns_dbiterator_pause(signing->dbiterator);
+		for (i = 0; i < nkeys; i++) {
+			/*
+			 * Find the key we want to sign with.
+			 */
+			if (dst_key_alg(zone_keys[i]) != signing->algorithm ||
+			    dst_key_id(zone_keys[i]) != signing->keyid ||
+			    !dst_key_isprivate(zone_keys[i]))
+				continue;
+			/*
+			 * Do we do KSK processing?
+			 */
+			if (check_ksk &&
+			    (dst_key_flags(zone_keys[i]) & DNS_KEYFLAG_KSK) != 0)
+				is_ksk = ISC_TRUE;
+			CHECK(sign_a_node(db, name, node, version, build_nsec3,
+					  build_nsec, zone_keys[i], inception,
+					  expire, zone->minimum, is_ksk,
+					  &delegation, &sig_diff, &signatures,
+					  zone->mctx));
+			break;
+		}
+		/*
+		 * Go onto next node.
+		 */
+ next_node:
+		first = ISC_FALSE;
+		dns_db_detachnode(db, &node);
+		do {
+			result = dns_dbiterator_next(signing->dbiterator);
+			if (result == ISC_R_NOMORE) {
+				ISC_LIST_UNLINK(zone->signing, signing, link);
+				ISC_LIST_APPEND(cleanup, signing, link);
+				dns_dbiterator_pause(signing->dbiterator);
+				finishedakey = ISC_TRUE;
+				if (!is_ksk && !secureupdated && nkeys != 0 &&
+				    build_nsec) {
+					/*
+					 * We have finished regenerating the
+					 * zone with a zone signing key.
+					 * The NSEC chain is now complete and
+					 * there is a full set of signatures
+					 * for the zone.  We can now clear the
+					 * OPT bit from the NSEC record.
+					 */
+					result = updatesecure(db, version,
+							      &zone->origin,
+							      zone->minimum,
+							      &secureupdated,
+							      &sig_diff);
+					if (result != ISC_R_SUCCESS) {
+						dns_zone_log(zone,
+							     ISC_LOG_ERROR,
+						    "updatesecure -> %s\n",
+						    dns_result_totext(result));
+						goto failure;
+					}
+				}
+				result = updatesignwithkey(signing, version,
+							   &zone->origin,
+							   zone->privatetype,
+							   &sig_diff);
+				if (result != ISC_R_SUCCESS) {
+					dns_zone_log(zone, ISC_LOG_ERROR,
+						     "updatesignwithkey -> %s\n",
+						     dns_result_totext(result));
+					goto failure;
+				}
+				goto next_signing;
+			} else if (result != ISC_R_SUCCESS) {
+				dns_zone_log(zone, ISC_LOG_ERROR,
+					"zone_sign:dns_dbiterator_next -> %s\n",
+					     dns_result_totext(result));
+				goto failure;
+			} else if (delegation) {
+				dns_dbiterator_current(signing->dbiterator,
+						       &node, nextname);
+				dns_db_detachnode(db, &node);
+				if (!dns_name_issubdomain(nextname, name))
+					break;
+			} else
+				break;
+		} while (1);
+		continue;
+
+ next_signing:
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = nextsigning;
+		first = ISC_TRUE;
+	}
+
+	if (secureupdated) {
+		/*
+		 * We have changed the NSEC RRset above so we need to update
+		 * the signatures.
+		 */
+		result = del_sigs(zone, db, version, &zone->origin,
+				  dns_rdatatype_nsec, &sig_diff, zone_keys,
+				  nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_sign:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, version, &zone->origin,
+				  dns_rdatatype_nsec, &sig_diff, zone_keys,
+				  nkeys, zone->mctx, inception, soaexpire,
+				  check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_sign:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+	if (finishedakey) {
+		/*
+		 * We have changed the RRset above so we need to update
+		 * the signatures.
+		 */
+		result = del_sigs(zone, db, version, &zone->origin,
+				  zone->privatetype, &sig_diff,
+				  zone_keys, nkeys, now);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_sign:del_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+		result = add_sigs(db, version, &zone->origin,
+				  zone->privatetype, &sig_diff,
+				  zone_keys, nkeys, zone->mctx, inception,
+				  soaexpire, check_ksk);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_sign:add_sigs -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+	result = del_sigs(zone, db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, now);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:del_sigs -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	result = increment_soa_serial(db, version, &sig_diff, zone->mctx);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:increment_soa_serial -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	/*
+	 * Generate maximum life time signatures so that the above loop
+	 * termination is sensible.
+	 */
+	result = add_sigs(db, version, &zone->origin, dns_rdatatype_soa,
+			  &sig_diff, zone_keys, nkeys, zone->mctx, inception,
+			  soaexpire, check_ksk);
+	if (result != ISC_R_SUCCESS) {
+		dns_zone_log(zone, ISC_LOG_ERROR,
+			     "zone_sign:add_sigs -> %s\n",
+			     dns_result_totext(result));
+		goto failure;
+	}
+
+	journalfile = dns_zone_getjournal(zone);
+	if (journalfile != NULL) {
+		dns_journal_t *journal = NULL;
+		result = dns_journal_open(zone->mctx, journalfile,
+					  ISC_TRUE, &journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+				     "zone_sign:dns_journal_open -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+
+		result = dns_journal_write_transaction(journal, &sig_diff);
+		dns_journal_destroy(&journal);
+		if (result != ISC_R_SUCCESS) {
+			dns_zone_log(zone, ISC_LOG_ERROR,
+			 "zone_sign:dns_journal_write_transaction -> %s\n",
+				     dns_result_totext(result));
+			goto failure;
+		}
+	}
+
+
+	/*
+	 * Pause all iterators so that dns_db_closeversion() can succeed.
+	 */
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	for (signing = ISC_LIST_HEAD(cleanup);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	/*
+	 * Everything has succeeded. Commit the changes.
+	 */
+	dns_db_closeversion(db, &version, ISC_TRUE);
+
+	/*
+	 * Everything succeeded so we can clean these up now.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		dns_db_detach(&signing->db);
+		dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	set_resigntime(zone);
+
+	LOCK_ZONE(zone);
+	zone_needdump(zone, DNS_DUMP_DELAY);
+	UNLOCK_ZONE(zone);
+
+ failure:
+	/*
+	 * Rollback the cleanup list.
+	 */
+	signing = ISC_LIST_HEAD(cleanup);
+	while (signing != NULL) {
+		ISC_LIST_UNLINK(cleanup, signing, link);
+		ISC_LIST_APPEND(zone->signing, signing, link);
+		dns_dbiterator_first(signing->dbiterator);
+		dns_dbiterator_pause(signing->dbiterator);
+		signing = ISC_LIST_HEAD(cleanup);
+	}
+
+	for (signing = ISC_LIST_HEAD(zone->signing);
+	     signing != NULL;
+	     signing = ISC_LIST_NEXT(signing, link))
+		dns_dbiterator_pause(signing->dbiterator);
+
+	dns_diff_clear(&sig_diff);
+
+	for (i = 0; i < nkeys; i++)
+		dst_key_free(&zone_keys[i]);
+
+	if (version != NULL) {
+		dns_db_closeversion(db, &version, ISC_FALSE);
+		dns_db_detach(&db);
+	} else if (db != NULL)
+		dns_db_detach(&db);
+
+	if (ISC_LIST_HEAD(zone->signing) != NULL) {
+		isc_interval_t i;
+		if (zone->update_disabled || result != ISC_R_SUCCESS)
+			isc_interval_set(&i, 60, 0);		/* 1 minute */
+		else
+			isc_interval_set(&i, 0, 10000000);	/* 10 ms */
+		isc_time_nowplusinterval(&zone->signingtime, &i);
+	} else
+		isc_time_settoepoch(&zone->signingtime);
+}
+
 static void
 zone_maintenance(dns_zone_t *zone) {
 	const char me[] = "zone_maintenance";
@@ -3016,15 +5981,34 @@ zone_maintenance(dns_zone_t *zone) {
 		break;
 	}
 
-	/*
-	 * Do we need to send out notify messages?
-	 */
 	switch (zone->type) {
 	case dns_zone_master:
 	case dns_zone_slave:
+		/*
+		 * Do we need to send out notify messages?
+		 */
 		if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NEEDNOTIFY) &&
 		    isc_time_compare(&now, &zone->notifytime) >= 0)
 			zone_notify(zone, &now);
+		/*
+		 * Do we need to sign/resign some RRsets?
+		 */
+		if (!isc_time_isepoch(&zone->signingtime) &&
+		    isc_time_compare(&now, &zone->signingtime) >= 0)
+			zone_sign(zone);
+		else if (!isc_time_isepoch(&zone->resigntime) &&
+		    isc_time_compare(&now, &zone->resigntime) >= 0)
+			zone_resigninc(zone);
+		else if (!isc_time_isepoch(&zone->nsec3chaintime) &&
+			isc_time_compare(&now, &zone->nsec3chaintime) >= 0)
+			zone_nsec3chain(zone);
+		/*
+		 * Do we need to issue a key expiry warning.
+		 */
+		if (!isc_time_isepoch(&zone->keywarntime) &&
+		    isc_time_compare(&now, &zone->keywarntime) >= 0)
+			set_key_expiry_warning(zone, zone->key_expiry,
+					       isc_time_seconds(&now));
 		break;
 	default:
 		break;
@@ -3036,6 +6020,7 @@ void
 dns_zone_markdirty(dns_zone_t *zone) {
 
 	LOCK_ZONE(zone);
+	set_resigntime(zone);	/* XXXMPA make separate call back */
 	zone_needdump(zone, DNS_DUMP_DELAY);
 	UNLOCK_ZONE(zone);
 }
@@ -3776,6 +6761,16 @@ notify_send_toaddr(isc_task_t *task, isc_event_t *event) {
 					timeout * 3, timeout,
 					notify->zone->task, notify_done,
 					notify, &notify->request);
+	if (result == ISC_R_SUCCESS) {
+		if (isc_sockaddr_pf(&notify->dst) == AF_INET) {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv4);
+		} else {
+			inc_stats(notify->zone,
+				  dns_zonestatscounter_notifyoutv6);
+		}
+	}
+
  cleanup_key:
 	if (key != NULL)
 		dns_tsigkey_detach(&key);
@@ -3975,9 +6970,11 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		dns_rdata_reset(&rdata);
 		/*
-		 * don't notify the master server.
+		 * Don't notify the master server unless explicitly
+		 * configured to do so.
 		 */
-		if (dns_name_compare(&master, &ns.name) == 0) {
+		if (!DNS_ZONE_OPTION(zone, DNS_ZONEOPT_NOTIFYTOSOA) &&
+		    dns_name_compare(&master, &ns.name) == 0) {
 			result = dns_rdataset_next(&nsrdset);
 			continue;
 		}
@@ -4163,6 +7160,8 @@ stub_callback(isc_task_t *task, isc_event_t *event) {
 				     master, source);
 			goto same_master;
 		}
+		dns_zonemgr_unreachableadd(zone->zmgr, &zone->masteraddr,
+					   &zone->sourceaddr, &now);
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "could not refresh stub from master %s"
 			     " (source %s): %s", master, source,
@@ -4424,12 +7423,23 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 				     "master %s exceeded (source %s)",
 				     master, source);
 			/* Try with slave with TCP. */
-			if (zone->type == dns_zone_slave) {
-				LOCK_ZONE(zone);
-				DNS_ZONE_SETFLAG(zone,
-						 DNS_ZONEFLG_SOABEFOREAXFR);
-				UNLOCK_ZONE(zone);
-				goto tcp_transfer;
+			if (zone->type == dns_zone_slave &&
+			    DNS_ZONE_OPTION(zone, DNS_ZONEOPT_TRYTCPREFRESH)) {
+				if (!dns_zonemgr_unreachable(zone->zmgr,
+							     &zone->masteraddr,
+							     &zone->sourceaddr,
+							     &now)) {
+					LOCK_ZONE(zone);
+					DNS_ZONE_SETFLAG(zone,
+						     DNS_ZONEFLG_SOABEFOREAXFR);
+					UNLOCK_ZONE(zone);
+					goto tcp_transfer;
+				}
+				dns_zone_log(zone, ISC_LOG_DEBUG(1),
+					     "refresh: skipped tcp fallback"
+					     "as master %s (source %s) is "
+					     "unreachable (cached)",
+					      master, source);
 			}
 		} else
 			dns_zone_log(zone, ISC_LOG_INFO,
@@ -4479,7 +7489,7 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 			     "master %s (source %s)", (int)rb.used, rcode,
 			     master, source);
 		/*
-		 * Perhaps AXFR/IXFR is allowed even if SOA queries arn't.
+		 * Perhaps AXFR/IXFR is allowed even if SOA queries aren't.
 		 */
 		if (msg->rcode == dns_rcode_refused &&
 		    zone->type == dns_zone_slave)
@@ -4605,6 +7615,16 @@ refresh_callback(isc_task_t *task, isc_event_t *event) {
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_LOADED) ||
 	    DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER) ||
 	    isc_serial_gt(serial, zone->serial)) {
+		if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+					    &zone->sourceaddr, &now)) {
+			dns_zone_log(zone, ISC_LOG_INFO,
+				     "refresh: skipping %s as master %s "
+				     "(source %s) is unreachable (cached)",
+				     zone->type == dns_zone_slave ?
+				     "zone transfer" : "NS query",
+				     master, source);
+			goto next_master;
+		}
  tcp_transfer:
 		isc_event_free(&event);
 		LOCK_ZONE(zone);
@@ -4820,7 +7840,7 @@ create_query(dns_zone_t *zone, dns_rdatatype_t rdtype,
 }
 
 static isc_result_t
-add_opt(dns_message_t *message, isc_uint16_t udpsize) {
+add_opt(dns_message_t *message, isc_uint16_t udpsize, isc_boolean_t reqnsid) {
 	dns_rdataset_t *rdataset = NULL;
 	dns_rdatalist_t *rdatalist = NULL;
 	dns_rdata_t *rdata = NULL;
@@ -4850,11 +7870,21 @@ add_opt(dns_message_t *message, isc_uint16_t udpsize) {
 	 */
 	rdatalist->ttl = 0;
 
-	/*
-	 * No EDNS options.
-	 */
-	rdata->data = NULL;
-	rdata->length = 0;
+	/* Set EDNS options if applicable */
+	if (reqnsid) {
+		unsigned char data[4];
+		isc_buffer_t buf;
+
+		isc_buffer_init(&buf, data, sizeof(data));
+		isc_buffer_putuint16(&buf, DNS_OPT_NSID);
+		isc_buffer_putuint16(&buf, 0);
+		rdata->data = data;
+		rdata->length = sizeof(data);
+	} else {
+		rdata->data = NULL;
+		rdata->length = 0;
+	}
+
 	rdata->rdclass = rdatalist->rdclass;
 	rdata->type = rdatalist->type;
 	rdata->flags = 0;
@@ -4889,7 +7919,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 	isc_uint32_t options;
 	isc_boolean_t cancel = ISC_TRUE;
 	int timeout;
-	isc_boolean_t have_xfrsource;
+	isc_boolean_t have_xfrsource, reqnsid;
 	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -4941,6 +7971,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
 
 	have_xfrsource = ISC_FALSE;
+	reqnsid = zone->view->requestnsid;
 	if (zone->view->peers != NULL) {
 		dns_peer_t *peer = NULL;
 		isc_boolean_t edns;
@@ -4958,6 +7989,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 				udpsize =
 				  dns_resolver_getudpsize(zone->view->resolver);
 			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
 		}
 	}
 
@@ -4989,7 +8021,7 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 		  DNS_REQUESTOPT_TCP : 0;
 
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message, udpsize);
+		result = add_opt(message, udpsize, reqnsid);
 		if (result != ISC_R_SUCCESS)
 			zone_debuglog(zone, me, 1,
 				      "unable to add opt record: %s",
@@ -5011,6 +8043,11 @@ soa_query(isc_task_t *task, isc_event_t *event) {
 			      "dns_request_createvia2() failed: %s",
 			      dns_result_totext(result));
 		goto cleanup;
+	} else {
+		if (isc_sockaddr_pf(&zone->masteraddr) == PF_INET)
+			inc_stats(zone, dns_zonestatscounter_soaoutv4);
+		else
+			inc_stats(zone, dns_zonestatscounter_soaoutv6);
 	}
 	cancel = ISC_FALSE;
 
@@ -5053,7 +8090,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	dns_tsigkey_t *key = NULL;
 	dns_dbnode_t *node = NULL;
 	int timeout;
-	isc_boolean_t have_xfrsource = ISC_FALSE;
+	isc_boolean_t have_xfrsource = ISC_FALSE, reqnsid;
 	isc_uint16_t udpsize = SEND_BUFFER_SIZE;
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -5165,6 +8202,7 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 	if (key == NULL)
 		(void)dns_view_getpeertsig(zone->view, &masterip, &key);
 
+	reqnsid = zone->view->requestnsid;
 	if (zone->view->peers != NULL) {
 		dns_peer_t *peer = NULL;
 		isc_boolean_t edns;
@@ -5182,11 +8220,12 @@ ns_query(dns_zone_t *zone, dns_rdataset_t *soardataset, dns_stub_t *stub) {
 				udpsize =
 				  dns_resolver_getudpsize(zone->view->resolver);
 			(void)dns_peer_getudpsize(peer, &udpsize);
+			(void)dns_peer_getrequestnsid(peer, &reqnsid);
 		}
 
 	}
 	if (!DNS_ZONE_FLAG(zone, DNS_ZONEFLG_NOEDNS)) {
-		result = add_opt(message, udpsize);
+		result = add_opt(message, udpsize, reqnsid);
 		if (result != ISC_R_SUCCESS)
 			zone_debuglog(zone, me, 1,
 				      "unable to add opt record: %s",
@@ -5382,6 +8421,26 @@ zone_settimer(dns_zone_t *zone, isc_time_t *now) {
 			    isc_time_compare(&zone->dumptime, &next) < 0)
 				next = zone->dumptime;
 		}
+		if (!isc_time_isepoch(&zone->resigntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->resigntime, &next) < 0)
+				next = zone->resigntime;
+		}
+		if (!isc_time_isepoch(&zone->keywarntime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->keywarntime, &next) < 0)
+				next = zone->keywarntime;
+		}
+		if (!isc_time_isepoch(&zone->signingtime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->signingtime, &next) < 0)
+				next = zone->signingtime;
+		}
+		if (!isc_time_isepoch(&zone->nsec3chaintime)) {
+			if (isc_time_isepoch(&next) ||
+			    isc_time_compare(&zone->nsec3chaintime, &next) < 0)
+				next = zone->nsec3chaintime;
+		}
 		break;
 
 	case dns_zone_slave:
@@ -5651,6 +8710,10 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 *  We only handle NOTIFY (SOA) at the present.
 	 */
 	LOCK_ZONE(zone);
+	if (isc_sockaddr_pf(from) == PF_INET)
+		inc_stats(zone, dns_zonestatscounter_notifyinv4);
+	else
+		inc_stats(zone, dns_zonestatscounter_notifyinv6);
 	if (msg->counts[DNS_SECTION_QUESTION] == 0 ||
 	    dns_message_findname(msg, DNS_SECTION_QUESTION, &zone->origin,
 				 dns_rdatatype_soa, dns_rdatatype_none,
@@ -5705,6 +8768,7 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 		UNLOCK_ZONE(zone);
 		dns_zone_log(zone, ISC_LOG_INFO,
 			     "refused notify from non-master: %s", fromtext);
+		inc_stats(zone, dns_zonestatscounter_notifyrej);
 		return (DNS_R_REFUSED);
 	}
 
@@ -5788,6 +8852,18 @@ dns_zone_setqueryacl(dns_zone_t *zone, dns_acl_t *acl) {
 }
 
 void
+dns_zone_setqueryonacl(dns_zone_t *zone, dns_acl_t *acl) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	dns_acl_attach(acl, &zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
 dns_zone_setupdateacl(dns_zone_t *zone, dns_acl_t *acl) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -5840,6 +8916,14 @@ dns_zone_getqueryacl(dns_zone_t *zone) {
 }
 
 dns_acl_t *
+dns_zone_getqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->queryon_acl);
+}
+
+dns_acl_t *
 dns_zone_getupdateacl(dns_zone_t *zone) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -5908,6 +8992,17 @@ dns_zone_clearqueryacl(dns_zone_t *zone) {
 }
 
 void
+dns_zone_clearqueryonacl(dns_zone_t *zone) {
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->queryon_acl != NULL)
+		dns_acl_detach(&zone->queryon_acl);
+	UNLOCK_ZONE(zone);
+}
+
+void
 dns_zone_clearxfracl(dns_zone_t *zone) {
 
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -5977,7 +9072,7 @@ dns_zone_getjournalsize(dns_zone_t *zone) {
 }
 
 static void
-zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
+zone_namerd_tostr(dns_zone_t *zone, char *buf, size_t length) {
 	isc_result_t result = ISC_R_FAILURE;
 	isc_buffer_t buffer;
 
@@ -6008,29 +9103,88 @@ zone_tostr(dns_zone_t *zone, char *buf, size_t length) {
 	buf[isc_buffer_usedlength(&buffer)] = '\0';
 }
 
+static void
+zone_name_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_result_t result = ISC_R_FAILURE;
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, length - 1);
+	if (dns_name_dynamic(&zone->origin))
+		result = dns_name_totext(&zone->origin, ISC_TRUE, &buffer);
+	if (result != ISC_R_SUCCESS &&
+	    isc_buffer_availablelength(&buffer) >= (sizeof("<UNKNOWN>") - 1))
+		isc_buffer_putstr(&buffer, "<UNKNOWN>");
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_rdclass_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, length - 1);
+	(void)dns_rdataclass_totext(zone->rdclass, &buffer);
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
+static void
+zone_viewname_tostr(dns_zone_t *zone, char *buf, size_t length) {
+	isc_buffer_t buffer;
+
+	REQUIRE(buf != NULL);
+	REQUIRE(length > 1U);
+
+
+	/*
+	 * Leave space for terminating '\0'.
+	 */
+	isc_buffer_init(&buffer, buf, length - 1);
+
+	if (zone->view == NULL) {
+		isc_buffer_putstr(&buffer, "_none");
+	} else if (strlen(zone->view->name)
+		   < isc_buffer_availablelength(&buffer)) {
+		isc_buffer_putstr(&buffer, zone->view->name);
+	} else {
+		isc_buffer_putstr(&buffer, "_toolong");
+	}
+
+	buf[isc_buffer_usedlength(&buffer)] = '\0';
+}
+
 void
 dns_zone_name(dns_zone_t *zone, char *buf, size_t length) {
 	REQUIRE(DNS_ZONE_VALID(zone));
 	REQUIRE(buf != NULL);
-	zone_tostr(zone, buf, length);
+	zone_namerd_tostr(zone, buf, length);
 }
 
 static void
 notify_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
-	char namebuf[1024+32];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
-	zone_tostr(zone, namebuf, sizeof(namebuf));
-
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_NOTIFY, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", namebuf, message);
+		      level, "zone %s: %s", zone->strnamerd, message);
 }
 
 void
@@ -6038,36 +9192,30 @@ dns_zone_logc(dns_zone_t *zone, isc_logcategory_t *category,
 	      int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
-	char namebuf[1024+32];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
-	zone_tostr(zone, namebuf, sizeof(namebuf));
-
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, category, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", namebuf, message);
+		      level, "zone %s: %s", zone->strnamerd, message);
 }
 
 void
 dns_zone_log(dns_zone_t *zone, int level, const char *fmt, ...) {
 	va_list ap;
 	char message[4096];
-	char namebuf[1024+32];
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
-	zone_tostr(zone, namebuf, sizeof(namebuf));
-
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "zone %s: %s", namebuf, message);
+		      level, "zone %s: %s", zone->strnamerd, message);
 }
 
 static void
@@ -6076,19 +9224,16 @@ zone_debuglog(dns_zone_t *zone, const char *me, int debuglevel,
 {
 	va_list ap;
 	char message[4096];
-	char namebuf[1024+32];
 	int level = ISC_LOG_DEBUG(debuglevel);
 
 	if (isc_log_wouldlog(dns_lctx, level) == ISC_FALSE)
 		return;
 
-	zone_tostr(zone, namebuf, sizeof(namebuf));
-
 	va_start(ap, fmt);
 	vsnprintf(message, sizeof(message), fmt, ap);
 	va_end(ap);
 	isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_ZONE,
-		      level, "%s: zone %s: %s", me, namebuf, message);
+		      level, "%s: zone %s: %s", me, zone->strnamerd, message);
 }
 
 static int
@@ -6313,12 +9458,16 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 		return (result);
 	}
 
+	result = check_nsec3param(zone, db);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
 	ver = NULL;
 	dns_db_currentversion(db, &ver);
 
 	/*
 	 * The initial version of a slave zone is always dumped;
-	 * subsequent versions may be journalled instead if this
+	 * subsequent versions may be journaled instead if this
 	 * is enabled in the configuration.
 	 */
 	if (zone->db != NULL && zone->journal != NULL &&
@@ -6401,7 +9550,7 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 			 * The in-memory database just changed, and
 			 * because 'dump' is set, it didn't change by
 			 * being loaded from disk.  Also, we have not
-			 * journalled diffs for this change.
+			 * journaled diffs for this change.
 			 * Therefore, the on-disk journal is missing
 			 * the deltas for this change.  Since it can
 			 * no longer be used to bring the zone
@@ -6411,7 +9560,17 @@ zone_replacedb(dns_zone_t *zone, dns_db_t *db, isc_boolean_t dump) {
 			isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
 				      DNS_LOGMODULE_ZONE, ISC_LOG_DEBUG(3),
 				      "removing journal file");
-			(void)remove(zone->journal);
+			if (remove(zone->journal) < 0 && errno != ENOENT) {
+				char strbuf[ISC_STRERRORSIZE];
+				isc__strerror(errno, strbuf, sizeof(strbuf));
+				isc_log_write(dns_lctx,
+					      DNS_LOGCATEGORY_GENERAL,
+					      DNS_LOGMODULE_ZONE,
+					      ISC_LOG_WARNING,
+					      "unable to remove journal "
+					      "'%s': '%s'",
+					      zone->journal, strbuf);
+			}
 		}
 	}
 
@@ -6568,7 +9727,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 		}
 
 		/*
-		 * This is not neccessary if we just performed a AXFR
+		 * This is not necessary if we just performed a AXFR
 		 * however it is necessary for an IXFR / UPTODATE and
 		 * won't hurt with an AXFR.
 		 */
@@ -6592,6 +9751,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 					     dns_result_totext(result));
 		}
 
+		inc_stats(zone, dns_zonestatscounter_xfrsuccess);
 		break;
 
 	case DNS_R_BADIXFR:
@@ -6626,6 +9786,7 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 			DNS_ZONE_SETFLAG(zone, DNS_ZONEFLG_REFRESH);
 			again = ISC_TRUE;
 		}
+		inc_stats(zone, dns_zonestatscounter_xfrfail);
 		break;
 	}
 	zone_settimer(zone, &now);
@@ -6760,6 +9921,20 @@ dns_zone_getsigvalidityinterval(dns_zone_t *zone) {
 	return (zone->sigvalidityinterval);
 }
 
+void
+dns_zone_setsigresigninginterval(dns_zone_t *zone, isc_uint32_t interval) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	zone->sigresigninginterval = interval;
+}
+
+isc_uint32_t
+dns_zone_getsigresigninginterval(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	return (zone->sigresigninginterval);
+}
+
 static void
 queue_xfrin(dns_zone_t *zone) {
 	const char me[] = "queue_xfrin";
@@ -6798,12 +9973,14 @@ static void
 got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 	isc_result_t result;
 	dns_peer_t *peer = NULL;
-	char mastertext[256];
+	char master[ISC_SOCKADDR_FORMATSIZE];
+	char source[ISC_SOCKADDR_FORMATSIZE];
 	dns_rdatatype_t xfrtype;
 	dns_zone_t *zone = event->ev_arg;
 	isc_netaddr_t masterip;
 	isc_sockaddr_t sourceaddr;
 	isc_sockaddr_t masteraddr;
+	isc_time_t now;
 
 	UNUSED(task);
 
@@ -6814,34 +9991,44 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 		goto cleanup;
 	}
 
-	isc_sockaddr_format(&zone->masteraddr, mastertext, sizeof(mastertext));
+	TIME_NOW(&now);
+
+	isc_sockaddr_format(&zone->masteraddr, master, sizeof(master));
+	if (dns_zonemgr_unreachable(zone->zmgr, &zone->masteraddr,
+				    &zone->sourceaddr, &now)) {
+		isc_sockaddr_format(&zone->sourceaddr, source, sizeof(source));
+		dns_zone_log(zone, ISC_LOG_INFO,
+			     "got_transfer_quota: skipping zone transfer as "
+			     "master %s (source %s) is unreachable (cached)",
+			     master, source);
+		result = ISC_R_CANCELED;
+		goto cleanup;
+	}
 
 	isc_netaddr_fromsockaddr(&masterip, &zone->masteraddr);
-	(void)dns_peerlist_peerbyaddr(zone->view->peers,
-				      &masterip, &peer);
+	(void)dns_peerlist_peerbyaddr(zone->view->peers, &masterip, &peer);
 
 	/*
 	 * Decide whether we should request IXFR or AXFR.
 	 */
 	if (zone->db == NULL) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
-			     "no database exists yet, "
-			     "requesting AXFR of "
-			     "initial version from %s", mastertext);
+			     "no database exists yet, requesting AXFR of "
+			     "initial version from %s", master);
 		xfrtype = dns_rdatatype_axfr;
 	} else if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_IXFRFROMDIFFS)) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1), "ixfr-from-differences "
-			     "set, requesting AXFR from %s", mastertext);
+			     "set, requesting AXFR from %s", master);
 		xfrtype = dns_rdatatype_axfr;
 	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_FORCEXFER)) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "forced reload, requesting AXFR of "
-			     "initial version from %s", mastertext);
+			     "initial version from %s", master);
 		xfrtype = dns_rdatatype_axfr;
 	} else if (DNS_ZONE_FLAG(zone, DNS_ZONEFLAG_NOIXFR)) {
 		dns_zone_log(zone, ISC_LOG_DEBUG(1),
 			     "retrying with AXFR from %s due to "
-			     "previous IXFR failure", mastertext);
+			     "previous IXFR failure", master);
 		xfrtype = dns_rdatatype_axfr;
 		LOCK_ZONE(zone);
 		DNS_ZONE_CLRFLAG(zone, DNS_ZONEFLAG_NOIXFR);
@@ -6857,17 +10044,15 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 		}
 		if (use_ixfr == ISC_FALSE) {
 			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "IXFR disabled, "
-				     "requesting AXFR from %s",
-				     mastertext);
+				     "IXFR disabled, requesting AXFR from %s",
+				     master);
 			if (DNS_ZONE_FLAG(zone, DNS_ZONEFLG_SOABEFOREAXFR))
 				xfrtype = dns_rdatatype_soa;
 			else
 				xfrtype = dns_rdatatype_axfr;
 		} else {
 			dns_zone_log(zone, ISC_LOG_DEBUG(1),
-				     "requesting IXFR from %s",
-				     mastertext);
+				     "requesting IXFR from %s", master);
 			xfrtype = dns_rdatatype_ixfr;
 		}
 	}
@@ -6892,8 +10077,7 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 
 	if (result != ISC_R_SUCCESS && result != ISC_R_NOTFOUND) {
 		dns_zone_log(zone, ISC_LOG_ERROR,
-			     "could not get TSIG key "
-			     "for zone transfer: %s",
+			     "could not get TSIG key for zone transfer: %s",
 			     isc_result_totext(result));
 	}
 
@@ -6906,6 +10090,21 @@ got_transfer_quota(isc_task_t *task, isc_event_t *event) {
 				   zone->tsigkey, zone->mctx,
 				   zone->zmgr->timermgr, zone->zmgr->socketmgr,
 				   zone->task, zone_xfrdone, &zone->xfr);
+	if (result == ISC_R_SUCCESS) {
+		LOCK_ZONE(zone);
+		if (xfrtype == dns_rdatatype_axfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
+				inc_stats(zone, dns_zonestatscounter_axfrreqv4);
+			else
+				inc_stats(zone, dns_zonestatscounter_axfrreqv6);
+		} else if (xfrtype == dns_rdatatype_ixfr) {
+			if (isc_sockaddr_pf(&masteraddr) == PF_INET)
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv4);
+			else
+				inc_stats(zone, dns_zonestatscounter_ixfrreqv6);
+		}
+		UNLOCK_ZONE(zone);
+	}
  cleanup:
 	/*
 	 * Any failure in this function is handled like a failed
@@ -7175,6 +10374,7 @@ dns_zonemgr_create(isc_mem_t *mctx, isc_taskmgr_t *taskmgr,
 	ISC_LIST_INIT(zmgr->zones);
 	ISC_LIST_INIT(zmgr->waiting_for_xfrin);
 	ISC_LIST_INIT(zmgr->xfrin_in_progress);
+	memset(zmgr->unreachable, 0, sizeof(zmgr->unreachable));
 	result = isc_rwlock_init(&zmgr->rwlock, 0, 0);
 	if (result != ISC_R_SUCCESS)
 		goto free_mem;
@@ -7264,8 +10464,10 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
 				  NULL, NULL,
 				  zone->task, zone_timer, zone,
 				  &zone->timer);
+
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_task;
+
 	/*
 	 * The timer "holds" a iref.
 	 */
@@ -7735,7 +10937,7 @@ zone_saveunique(dns_zone_t *zone, const char *path, const char *templat) {
 }
 
 #if 0
-/* Hook for ondestroy notifcation from a database. */
+/* Hook for ondestroy notification from a database. */
 
 static void
 dns_zonemgr_dbdestroyed(isc_task_t *task, isc_event_t *event) {
@@ -7791,6 +10993,87 @@ dns_zonemgr_getserialqueryrate(dns_zonemgr_t *zmgr) {
 	return (zmgr->serialqueryrate);
 }
 
+static isc_boolean_t
+dns_zonemgr_unreachable(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			isc_sockaddr_t *local, isc_time_t *now)
+{
+	unsigned int i;
+	isc_rwlocktype_t locktype;
+	isc_result_t result;
+	isc_uint32_t seconds = isc_time_seconds(now);
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	locktype = isc_rwlocktype_read;
+	RWLOCK(&zmgr->rwlock, locktype);
+	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+		if (zmgr->unreachable[i].expire >= seconds &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local)) {
+			result = isc_rwlock_tryupgrade(&zmgr->rwlock);
+			if (result == ISC_R_SUCCESS) {
+				locktype = isc_rwlocktype_write;
+				zmgr->unreachable[i].last = seconds;
+			}
+			break;
+		}
+	}
+	RWUNLOCK(&zmgr->rwlock, locktype);
+	return (ISC_TF(i < UNREACH_CHACHE_SIZE));
+}
+
+void
+dns_zonemgr_unreachableadd(dns_zonemgr_t *zmgr, isc_sockaddr_t *remote,
+			   isc_sockaddr_t *local, isc_time_t *now)
+{
+	isc_uint32_t seconds = isc_time_seconds(now);
+	isc_uint32_t last = seconds;
+	unsigned int i, slot = UNREACH_CHACHE_SIZE, oldest = 0;
+
+	REQUIRE(DNS_ZONEMGR_VALID(zmgr));
+
+	RWLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+	for (i = 0; i < UNREACH_CHACHE_SIZE; i++) {
+		/* Existing entry? */
+		if (isc_sockaddr_equal(&zmgr->unreachable[i].remote, remote) &&
+		    isc_sockaddr_equal(&zmgr->unreachable[i].local, local))
+			break;
+		/* Empty slot? */
+		if (zmgr->unreachable[i].expire < seconds)
+			slot = i;
+		/* Least recently used slot? */
+		if (zmgr->unreachable[i].last < last) {
+			last = zmgr->unreachable[i].last;
+			oldest = i;
+		}
+	}
+	if (i < UNREACH_CHACHE_SIZE) {
+		/*
+		 * Found a existing entry.  Update the expire timer and
+		 * last usage timestamps.
+		 */
+		zmgr->unreachable[i].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[i].last = seconds;
+	} else if (slot != UNREACH_CHACHE_SIZE) {
+		/*
+		 * Found a empty slot. Add a new entry to the cache.
+		 */
+		zmgr->unreachable[slot].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[slot].last = seconds;
+		zmgr->unreachable[slot].remote = *remote;
+		zmgr->unreachable[slot].local = *local;
+	} else {
+		/*
+		 * Replace the least recently used entry in the cache.
+		 */
+		zmgr->unreachable[oldest].expire = seconds + UNREACH_HOLD_TIME;
+		zmgr->unreachable[oldest].last = seconds;
+		zmgr->unreachable[oldest].remote = *remote;
+		zmgr->unreachable[oldest].local = *local;
+	}
+	RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
+}
+
 void
 dns_zone_forcereload(dns_zone_t *zone) {
 	REQUIRE(DNS_ZONE_VALID(zone));
@@ -7813,26 +11096,66 @@ dns_zone_isforced(dns_zone_t *zone) {
 
 isc_result_t
 dns_zone_setstatistics(dns_zone_t *zone, isc_boolean_t on) {
-	isc_result_t result = ISC_R_SUCCESS;
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	UNUSED(on);
+	return (ISC_R_NOTIMPLEMENTED);
+}
+
+isc_uint64_t *
+dns_zone_getstatscounters(dns_zone_t *zone) {
+	/*
+	 * This function is obsoleted.
+	 */
+	UNUSED(zone);
+	return (NULL);
+}
+
+void
+dns_zone_setstats(dns_zone_t *zone, isc_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	REQUIRE(zone->stats == NULL);
 
 	LOCK_ZONE(zone);
-	if (on) {
-		if (zone->counters != NULL)
-			goto done;
-		result = dns_stats_alloccounters(zone->mctx, &zone->counters);
-	} else {
-		if (zone->counters == NULL)
-			goto done;
-		dns_stats_freecounters(zone->mctx, &zone->counters);
+	zone->stats = NULL;
+	isc_stats_attach(stats, &zone->stats);
+	UNLOCK_ZONE(zone);
+}
+
+void
+dns_zone_setrequeststats(dns_zone_t *zone, isc_stats_t *stats) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	LOCK_ZONE(zone);
+	if (zone->requeststats_on && stats == NULL)
+		zone->requeststats_on = ISC_FALSE;
+	else if (!zone->requeststats_on && stats != NULL) {
+		if (zone->requeststats == NULL) {
+			isc_stats_attach(stats, &zone->requeststats);
+			zone->requeststats_on = ISC_TRUE;
+		}
 	}
- done:
 	UNLOCK_ZONE(zone);
-	return (result);
+
+	return;
 }
 
-isc_uint64_t *
-dns_zone_getstatscounters(dns_zone_t *zone) {
-	return (zone->counters);
+isc_stats_t *
+dns_zone_getrequeststats(dns_zone_t *zone) {
+	/*
+	 * We don't lock zone for efficiency reason.  This is not catastrophic
+	 * because requeststats must always be valid when requeststats_on is
+	 * true.
+	 * Some counters may be incremented while requeststats_on is becoming
+	 * false, or some cannot be incremented just after the statistics are
+	 * installed, but it shouldn't matter much in practice.
+	 */
+	if (zone->requeststats_on)
+		return (zone->requeststats);
+	else
+		return (NULL);
 }
 
 void
@@ -8043,3 +11366,152 @@ dns_zone_getnotifydelay(dns_zone_t *zone) {
 
 	return (zone->notifydelay);
 }
+
+isc_result_t
+dns_zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm,
+		     isc_uint16_t keyid, isc_boolean_t delete)
+{
+	isc_result_t result;
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	dns_zone_log(zone, ISC_LOG_NOTICE,
+		     "dns_zone_signwithkey(algorithm=%u, keyid=%u)",
+		     algorithm, keyid);
+	LOCK_ZONE(zone);
+	result = zone_signwithkey(zone, algorithm, keyid, delete);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+static const char *hex = "0123456789ABCDEF";
+
+isc_result_t
+dns_zone_addnsec3chain(dns_zone_t *zone, dns_rdata_nsec3param_t *nsec3param) {
+	isc_result_t result;
+	char salt[255*2+1];
+	unsigned int i, j;
+
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (nsec3param->salt_length != 0) {
+		INSIST((nsec3param->salt_length * 2U) < sizeof(salt));
+		for (i = 0, j = 0; i < nsec3param->salt_length; i++) {
+			salt[j++] = hex[(nsec3param->salt[i] >> 4) & 0xf];
+			salt[j++] = hex[nsec3param->salt[i] & 0xf];
+		}
+		salt[j] = '\0';
+	} else
+		strcpy(salt, "-");
+	dns_zone_log(zone, ISC_LOG_NOTICE,
+		     "dns_zone_addnsec3chain(hash=%u, iterations=%u, salt=%s)",
+		     nsec3param->hash, nsec3param->iterations,
+		     salt);
+	LOCK_ZONE(zone);
+	result = zone_addnsec3chain(zone, nsec3param);
+	UNLOCK_ZONE(zone);
+
+	return (result);
+}
+
+void
+dns_zone_setnodes(dns_zone_t *zone, isc_uint32_t nodes) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	if (nodes == 0)
+		nodes = 1;
+	zone->nodes = nodes;
+}
+
+void
+dns_zone_setsignatures(dns_zone_t *zone, isc_uint32_t signatures) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+
+	/*
+	 * We treat signatures as a signed value so explicitly
+	 * limit its range here.
+	 */
+	if (signatures > ISC_INT32_MAX)
+		signatures = ISC_INT32_MAX;
+	else if (signatures == 0)
+		signatures = 1;
+	zone->signatures = signatures;
+}
+
+void
+dns_zone_setprivatetype(dns_zone_t *zone, dns_rdatatype_t type) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	zone->privatetype = type;
+}
+
+dns_rdatatype_t
+dns_zone_getprivatetype(dns_zone_t *zone) {
+	REQUIRE(DNS_ZONE_VALID(zone));
+	return (zone->privatetype);
+}
+
+static isc_result_t
+zone_signwithkey(dns_zone_t *zone, dns_secalg_t algorithm, isc_uint16_t keyid,
+		 isc_boolean_t delete)
+{
+	dns_signing_t *signing;
+	dns_signing_t *current;
+	isc_result_t result = ISC_R_SUCCESS;
+	isc_time_t now;
+
+	signing = isc_mem_get(zone->mctx, sizeof *signing);
+	if (signing == NULL)
+		return (ISC_R_NOMEMORY);
+
+	signing->magic = 0;
+	signing->db  = NULL;
+	signing->dbiterator = NULL;
+	signing->algorithm = algorithm;
+	signing->keyid = keyid;
+	signing->delete = delete;
+	signing->done = ISC_FALSE;
+
+	TIME_NOW(&now);
+
+	for (current = ISC_LIST_HEAD(zone->signing);
+	     current != NULL;
+	     current = ISC_LIST_NEXT(current, link)) {
+		if (current->db == zone->db &&
+		    current->algorithm == signing->algorithm &&
+		    current->keyid == signing->keyid) {
+			if (current->delete != signing->delete)
+				current->done = ISC_TRUE;
+			else
+				goto cleanup;
+		}
+	}
+
+	if (zone->db != NULL) {
+		dns_db_attach(zone->db, &signing->db);
+		result = dns_db_createiterator(signing->db, 0,
+					       &signing->dbiterator);
+
+		if (result == ISC_R_SUCCESS)
+			result = dns_dbiterator_first(signing->dbiterator);
+		if (result == ISC_R_SUCCESS) {
+			dns_dbiterator_pause(signing->dbiterator);
+			ISC_LIST_INITANDAPPEND(zone->signing, signing, link);
+			signing = NULL;
+			if (isc_time_isepoch(&zone->signingtime)) {
+				zone->signingtime = now;
+				if (zone->task != NULL)
+					zone_settimer(zone, &now);
+			}
+		}
+	} else
+		result = ISC_R_NOTFOUND;
+
+ cleanup:
+	if (signing != NULL) {
+		dns_db_detach(&signing->db);
+		if (signing->dbiterator != NULL)
+			dns_dbiterator_destroy(&signing->dbiterator);
+		isc_mem_put(zone->mctx, signing, sizeof *signing);
+	}
+	return (result);
+}
diff --git a/lib/dns/zonekey.c b/lib/dns/zonekey.c
index 0ed63bb..bf7474b 100644
--- a/lib/dns/zonekey.c
+++ b/lib/dns/zonekey.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zonekey.c,v 1.5.18.2 2005/04/29 00:16:08 marka Exp $ */
+/* $Id: zonekey.c,v 1.9 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/dns/zt.c b/lib/dns/zt.c
index 4cb8f3f..ed7f28a 100644
--- a/lib/dns/zt.c
+++ b/lib/dns/zt.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zt.c,v 1.38.18.5 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: zt.c,v 1.47 2007/06/19 23:47:16 tbox Exp $ */
 
 /*! \file */
 
@@ -63,7 +63,8 @@ static isc_result_t
 freezezones(dns_zone_t *zone, void *uap);
 
 isc_result_t
-dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp) {
+dns_zt_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, dns_zt_t **ztp)
+{
 	dns_zt_t *zt;
 	isc_result_t result;
 
diff --git a/lib/isc/Makefile.in b/lib/isc/Makefile.in
index 82afe5f..6fa284b 100644
--- a/lib/isc/Makefile.in
+++ b/lib/isc/Makefile.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.81.18.10 2008/06/24 23:45:55 tbox Exp $
+# $Id: Makefile.in,v 1.96.50.3 2009/02/16 01:02:58 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -51,28 +51,32 @@ WIN32OBJS = 	win32/condition.@O@ win32/dir.@O@ win32/file.@O@ \
 
 # Alphabetically
 OBJS =		@ISC_EXTRA_OBJS@ \
-		assertions.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
+		assertions.@O@ base32.@O@ base64.@O@ bitstring.@O@ buffer.@O@ \
 		bufferlist.@O@ commandline.@O@ error.@O@ event.@O@ \
-		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@\
-		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ md5.@O@ \
-		mem.@O@ mutexblock.@O@ netaddr.@O@ netscope.@O@ ondestroy.@O@ \
-		parseint.@O@ portset.@O@ quota.@O@ random.@O@ \
+		hash.@O@ heap.@O@ hex.@O@ hmacmd5.@O@ hmacsha.@O@ \
+		httpd.@O@ inet_aton.@O@ iterated_hash.@O@ \
+		lex.@O@ lfsr.@O@ lib.@O@ log.@O@ \
+		md5.@O@ mem.@O@ mutexblock.@O@ \
+		netaddr.@O@ netscope.@O@ ondestroy.@O@ \
+		parseint.@O@ portset.@O@ quota.@O@ radix.@O@ random.@O@ \
 		ratelimiter.@O@ refcount.@O@ region.@O@ result.@O@ rwlock.@O@ \
-		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ string.@O@ \
-	        strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ timer.@O@ \
-	        version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
+		serial.@O@ sha1.@O@ sha2.@O@ sockaddr.@O@ stats.@O@ \
+		string.@O@ strtoul.@O@ symtab.@O@ task.@O@ taskpool.@O@ \
+		timer.@O@ version.@O@ ${UNIXOBJS} ${NLSOBJS} ${THREADOBJS}
 
 # Alphabetically
 SRCS =		@ISC_EXTRA_SRCS@ \
-		assertions.c base64.c bitstring.c buffer.c \
+		assertions.c base32.c base64.c bitstring.c buffer.c \
 		bufferlist.c commandline.c error.c event.c \
 		heap.c hex.c hmacmd5.c hmacsha.c \
+		httpd.c inet_aton.c iterated_hash.c \
 		lex.c lfsr.c lib.c log.c \
-		md5.c mem.c mutexblock.c netaddr.c netscope.c ondestroy.c \
-		parseint.c portset.c quota.c random.c \
+		md5.c mem.c mutexblock.c \
+		netaddr.c netscope.c ondestroy.c \
+		parseint.c portset.c quota.c radix.c random.c \
 		ratelimiter.c refcount.c region.c result.c rwlock.c \
-		serial.c sha1.c sha2.c sockaddr.c string.c strtoul.c symtab.c \
-		task.c taskpool.c timer.c version.c
+		serial.c sha1.c sha2.c sockaddr.c stats.c string.c strtoul.c \
+		symtab.c task.c taskpool.c timer.c version.c
 
 LIBS =		@LIBS@
 
diff --git a/lib/isc/alpha/Makefile.in b/lib/isc/alpha/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/alpha/Makefile.in
+++ b/lib/isc/alpha/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/alpha/include/Makefile.in b/lib/isc/alpha/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/alpha/include/Makefile.in
+++ b/lib/isc/alpha/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/alpha/include/isc/Makefile.in b/lib/isc/alpha/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/alpha/include/isc/Makefile.in
+++ b/lib/isc/alpha/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/alpha/include/isc/atomic.h b/lib/isc/alpha/include/isc/atomic.h
index a4b9b15..f60f9fd 100644
--- a/lib/isc/alpha/include/isc/atomic.h
+++ b/lib/isc/alpha/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:01 jinmei Exp $ */
+/* $Id: atomic.h,v 1.5.332.2 2009/04/08 06:47:32 tbox Exp $ */
 
 /*
  * This code was written based on FreeBSD's kernel source whose copyright
@@ -62,16 +62,20 @@
 
 /*
  * This routine atomically increments the value stored in 'p' by 'val', and
- * returns the previous value.
+ * returns the previous value.  Memory access ordering around this function
+ * can be critical, so we add explicit memory block instructions at the
+ * beginning and the end of it (same for other functions).
  */
-static inline isc_int32_t 
+static inline isc_int32_t
 isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
-	return (asm("1:"
+	return (asm("mb;"
+		    "1:"
 		    "ldl_l %t0, 0(%a0);"	/* load old value */
 		    "mov %t0, %v0;"		/* copy the old value */
 		    "addl %t0, %a1, %t0;"	/* calculate new value */
 		    "stl_c %t0, 0(%a0);"	/* attempt to store */
-		    "beq %t0, 1b;",		/* spin if failed */
+		    "beq %t0, 1b;"		/* spin if failed */
+		    "mb;",
 		    p, val));
 }
 
@@ -80,11 +84,13 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
  */
 static inline void
 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
-	(void)asm("1:"
+	(void)asm("mb;"
+		  "1:"
 		  "ldl_l %t0, 0(%a0);"		/* load old value */
 		  "mov %a1, %t0;"		/* value to store */
 		  "stl_c %t0, 0(%a0);"		/* attempt to store */
-		  "beq %t0, 1b;",		/* spin if failed */
+		  "beq %t0, 1b;"		/* spin if failed */
+		  "mb;",
 		  p, val);
 }
 
@@ -96,7 +102,8 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 static inline isc_int32_t
 isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 
-	return(asm("1:"
+	return(asm("mb;"
+		   "1:"
 		   "ldl_l %t0, 0(%a0);"		/* load old value */
 		   "mov %t0, %v0;"		/* copy the old value */
 		   "cmpeq %t0, %a1, %t0;"	/* compare */
@@ -104,22 +111,25 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 		   "mov %a2, %t0;"		/* value to store */
 		   "stl_c %t0, 0(%a0);"		/* attempt to store */
 		   "beq %t0, 1b;"		/* if it failed, spin */
-		   "2:",
+		   "2:"
+		   "mb;",
 		   p, cmpval, val));
 }
 #elif defined (ISC_PLATFORM_USEGCCASM)
-static inline isc_int32_t 
+static inline isc_int32_t
 isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 	isc_int32_t temp, prev;
 
 	__asm__ volatile(
+		"mb;"
 		"1:"
 		"ldl_l %0, %1;"			/* load old value */
 		"mov %0, %2;"			/* copy the old value */
 		"addl %0, %3, %0;"		/* calculate new value */
 		"stl_c %0, %1;"			/* attempt to store */
 		"beq %0, 1b;"			/* spin if failed */
-		: "=&r"(temp), "+m"(*p), "=r"(prev)
+		"mb;"
+		: "=&r"(temp), "+m"(*p), "=&r"(prev)
 		: "r"(val)
 		: "memory");
 
@@ -131,11 +141,13 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 	isc_int32_t temp;
 
 	__asm__ volatile(
+		"mb;"
 		"1:"
 		"ldl_l %0, %1;"			/* load old value */
 		"mov %2, %0;"			/* value to store */
 		"stl_c %0, %1;"			/* attempt to store */
 		"beq %0, 1b;"			/* if it failed, spin */
+		"mb;"
 		: "=&r"(temp), "+m"(*p)
 		: "r"(val)
 		: "memory");
@@ -146,6 +158,7 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 	isc_int32_t temp, prev;
 
 	__asm__ volatile(
+		"mb;"
 		"1:"
 		"ldl_l %0, %1;"			/* load old value */
 		"mov %0, %2;"			/* copy the old value */
@@ -155,7 +168,8 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 		"stl_c %0, %1;"			/* attempt to store */
 		"beq %0, 1b;"			/* if it failed, spin */
 		"2:"
-		: "=&r"(temp), "+m"(*p), "=r"(prev)
+		"mb;"
+		: "=&r"(temp), "+m"(*p), "=&r"(prev)
 		: "r"(cmpval), "r"(val)
 		: "memory");
 
diff --git a/lib/isc/api b/lib/isc/api
index 0b8a3bc..5ef8dc0 100644
--- a/lib/isc/api
+++ b/lib/isc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 36
-LIBREVISION = 2
-LIBAGE = 0
+LIBINTERFACE = 51
+LIBREVISION = 1
+LIBAGE = 1
diff --git a/lib/isc/assertions.c b/lib/isc/assertions.c
index 3eb27e0..4c9251b 100644
--- a/lib/isc/assertions.c
+++ b/lib/isc/assertions.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assertions.c,v 1.17.18.4 2008/10/15 23:46:06 tbox Exp $ */
+/* $Id: assertions.c,v 1.23 2008/10/15 23:47:31 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/base32.c b/lib/isc/base32.c
new file mode 100644
index 0000000..3000a84
--- /dev/null
+++ b/lib/isc/base32.c
@@ -0,0 +1,371 @@
+/*
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base32.c,v 1.3.116.2 2009/01/18 23:47:41 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/lex.h>
+#include <isc/region.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#define RETERR(x) do { \
+	isc_result_t _r = (x); \
+	if (_r != ISC_R_SUCCESS) \
+		return (_r); \
+	} while (0)
+
+
+/*@{*/
+/*!
+ * These static functions are also present in lib/dns/rdata.c.  I'm not
+ * sure where they should go. -- bwelling
+ */
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target);
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length);
+
+/*@}*/
+
+static const char base32[] =
+	 "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567=abcdefghijklmnopqrstuvwxyz234567";
+static const char base32hex[] =
+	"0123456789ABCDEFGHIJKLMNOPQRSTUV=0123456789abcdefghijklmnopqrstuv";
+
+static isc_result_t
+base32_totext(isc_region_t *source, int wordlength, const char *wordbreak,
+	      isc_buffer_t *target, const char base[])
+{
+	char buf[9];
+	unsigned int loops = 0;
+
+	if (wordlength >= 0 && wordlength < 8)
+		wordlength = 8;
+
+	memset(buf, 0, sizeof(buf));
+	while (source->length > 0) {
+		buf[0] = base[((source->base[0]>>3)&0x1f)];	/* 5 + */
+		if (source->length == 1) {
+			buf[1] = base[(source->base[0]<<2)&0x1c];
+			buf[2] = buf[3] = buf[4] = '=';
+			buf[5] = buf[6] = buf[7] = '=';
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[1] = base[((source->base[0]<<2)&0x1c)|	/* 3 = 8 */
+			      ((source->base[1]>>6)&0x03)];	/* 2 + */
+		buf[2] = base[((source->base[1]>>1)&0x1f)];	/* 5 + */
+		if (source->length == 2) {
+			buf[3] = base[(source->base[1]<<4)&0x10];
+			buf[4] = buf[5] = buf[6] = buf[7] = '=';
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[3] = base[((source->base[1]<<4)&0x10)|	/* 1 = 8 */
+			      ((source->base[2]>>4)&0x0f)];	/* 4 + */
+		if (source->length == 3) {
+			buf[4] = base[(source->base[2]<<1)&0x1e];
+			buf[5] = buf[6] = buf[7] = '=';
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[4] = base[((source->base[2]<<1)&0x1e)|	/* 4 = 8 */
+			      ((source->base[3]>>7)&0x01)];	/* 1 + */
+		buf[5] = base[((source->base[3]>>2)&0x1f)];	/* 5 + */
+		if (source->length == 4) {
+			buf[6] = base[(source->base[3]<<3)&0x18];
+			buf[7] = '=';
+			RETERR(str_totext(buf, target));
+			break;
+		}
+		buf[6] = base[((source->base[3]<<3)&0x18)|	/* 2 = 8 */
+			      ((source->base[4]>>5)&0x07)];	/* 3 + */
+		buf[7] = base[source->base[4]&0x1f];		/* 5 = 8 */
+		RETERR(str_totext(buf, target));
+		isc_region_consume(source, 5);
+
+		loops++;
+		if (source->length != 0 && wordlength >= 0 &&
+		    (int)((loops + 1) * 8) >= wordlength)
+		{
+			loops = 0;
+			RETERR(str_totext(wordbreak, target));
+		}
+	}
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target)
+{
+	return (base32_totext(source, wordlength, wordbreak, target, base32));
+}
+
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target)
+{
+	return (base32_totext(source, wordlength, wordbreak, target,
+			      base32hex));
+}
+
+/*%
+ * State of a base32 decoding process in progress.
+ */
+typedef struct {
+	int length;		/*%< Desired length of binary data or -1 */
+	isc_buffer_t *target;	/*%< Buffer for resulting binary data */
+	int digits;		/*%< Number of buffered base32 digits */
+	isc_boolean_t seen_end;	/*%< True if "=" end marker seen */
+	int val[8];
+	const char *base;	/*%< Which encoding we are using */
+	int seen_32;		/*%< Number of significant bytes if non zero */
+} base32_decode_ctx_t;
+
+static inline void
+base32_decode_init(base32_decode_ctx_t *ctx, int length,
+		   const char base[], isc_buffer_t *target)
+{
+	ctx->digits = 0;
+	ctx->seen_end = ISC_FALSE;
+	ctx->seen_32 = 0;
+	ctx->length = length;
+	ctx->target = target;
+	ctx->base = base;
+}
+
+static inline isc_result_t
+base32_decode_char(base32_decode_ctx_t *ctx, int c) {
+	char *s;
+	unsigned int last;
+
+	if (ctx->seen_end)
+		return (ISC_R_BADBASE32);
+	if ((s = strchr(ctx->base, c)) == NULL)
+		return (ISC_R_BADBASE32);
+	last = s - ctx->base;
+	/*
+	 * Handle lower case.
+	 */
+	if (last > 32)
+		last -= 33;
+	/*
+	 * Check that padding is contiguous.
+	 */
+	if (last != 32 && ctx->seen_32 != 0)
+		return (ISC_R_BADBASE32);
+	/*
+	 * Check that padding starts at the right place and that
+	 * bits that should be zero are.
+	 * Record how many significant bytes in answer (seen_32).
+	 */
+	if (last == 32 && ctx->seen_32 == 0)
+		switch (ctx->digits) {
+		case 0:
+		case 1:
+			return (ISC_R_BADBASE32);
+		case 2:
+			if ((ctx->val[1]&0x03) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 1;
+			break;
+		case 3:
+			return (ISC_R_BADBASE32);
+		case 4:
+			if ((ctx->val[3]&0x0f) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 3;
+			break;
+		case 5:
+			if ((ctx->val[4]&0x01) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 3;
+			break;
+		case 6:
+			return (ISC_R_BADBASE32);
+		case 7:
+			if ((ctx->val[6]&0x07) != 0)
+				return (ISC_R_BADBASE32);
+			ctx->seen_32 = 4;
+			break;
+		}
+	/*
+	 * Zero fill pad values.
+	 */
+	ctx->val[ctx->digits++] = (last == 32) ? 0 : last;
+
+	if (ctx->digits == 8) {
+		int n = 5;
+		unsigned char buf[5];
+
+		if (ctx->seen_32 != 0) {
+			ctx->seen_end = ISC_TRUE;
+			n = ctx->seen_32;
+		}
+		buf[0] = (ctx->val[0]<<3)|(ctx->val[1]>>2);
+		buf[1] = (ctx->val[1]<<6)|(ctx->val[2]<<1)|(ctx->val[3]>>4);
+		buf[2] = (ctx->val[3]<<4)|(ctx->val[4]>>1);
+		buf[3] = (ctx->val[4]<<7)|(ctx->val[5]<<2)|(ctx->val[6]>>3);
+		buf[4] = (ctx->val[6]<<5)|(ctx->val[7]);
+		RETERR(mem_tobuffer(ctx->target, buf, n));
+		if (ctx->length >= 0) {
+			if (n > ctx->length)
+				return (ISC_R_BADBASE32);
+			else
+				ctx->length -= n;
+		}
+		ctx->digits = 0;
+	}
+	return (ISC_R_SUCCESS);
+}
+
+static inline isc_result_t
+base32_decode_finish(base32_decode_ctx_t *ctx) {
+	if (ctx->length > 0)
+		return (ISC_R_UNEXPECTEDEND);
+	if (ctx->digits != 0)
+		return (ISC_R_BADBASE32);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+base32_tobuffer(isc_lex_t *lexer, const char base[], isc_buffer_t *target,
+		int length)
+{
+	base32_decode_ctx_t ctx;
+	isc_textregion_t *tr;
+	isc_token_t token;
+	isc_boolean_t eol;
+
+	base32_decode_init(&ctx, length, base, target);
+
+	while (!ctx.seen_end && (ctx.length != 0)) {
+		unsigned int i;
+
+		if (length > 0)
+			eol = ISC_FALSE;
+		else
+			eol = ISC_TRUE;
+		RETERR(isc_lex_getmastertoken(lexer, &token,
+					      isc_tokentype_string, eol));
+		if (token.type != isc_tokentype_string)
+			break;
+		tr = &token.value.as_textregion;
+		for (i = 0; i < tr->length; i++)
+			RETERR(base32_decode_char(&ctx, tr->base[i]));
+	}
+	if (ctx.length < 0 && !ctx.seen_end)
+		isc_lex_ungettoken(lexer, &token);
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32, target, length));
+}
+
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
+	return (base32_tobuffer(lexer, base32hex, target, length));
+}
+
+static isc_result_t
+base32_decodestring(const char *cstr, const char base[], isc_buffer_t *target) {
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, target);
+	for (;;) {
+		int c = *cstr++;
+		if (c == '\0')
+			break;
+		if (c == ' ' || c == '\t' || c == '\n' || c== '\r')
+			continue;
+		RETERR(base32_decode_char(&ctx, c));
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32, target));
+}
+
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target) {
+	return (base32_decodestring(cstr, base32hex, target));
+}
+
+static isc_result_t
+base32_decoderegion(isc_region_t *source, const char base[], isc_buffer_t *target) {
+	base32_decode_ctx_t ctx;
+
+	base32_decode_init(&ctx, -1, base, target);
+	while (source->length != 0) {
+		int c = *source->base;
+		RETERR(base32_decode_char(&ctx, c));
+		isc_region_consume(source, 1);
+	}
+	RETERR(base32_decode_finish(&ctx));
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32, target));
+}
+
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target) {
+	return (base32_decoderegion(source, base32hex, target));
+}
+
+static isc_result_t
+str_totext(const char *source, isc_buffer_t *target) {
+	unsigned int l;
+	isc_region_t region;
+
+	isc_buffer_availableregion(target, &region);
+	l = strlen(source);
+
+	if (l > region.length)
+		return (ISC_R_NOSPACE);
+
+	memcpy(region.base, source, l);
+	isc_buffer_add(target, l);
+	return (ISC_R_SUCCESS);
+}
+
+static isc_result_t
+mem_tobuffer(isc_buffer_t *target, void *base, unsigned int length) {
+	isc_region_t tr;
+
+	isc_buffer_availableregion(target, &tr);
+	if (length > tr.length)
+		return (ISC_R_NOSPACE);
+	memcpy(tr.base, base, length);
+	isc_buffer_add(target, length);
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/base64.c b/lib/isc/base64.c
index faeae92..13ed6b5 100644
--- a/lib/isc/base64.c
+++ b/lib/isc/base64.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.28.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: base64.c,v 1.32 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/bitstring.c b/lib/isc/bitstring.c
index 105b5aa..33c7c1f 100644
--- a/lib/isc/bitstring.c
+++ b/lib/isc/bitstring.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.c,v 1.13.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: bitstring.c,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/buffer.c b/lib/isc/buffer.c
index fc07c00..1b59e65 100644
--- a/lib/isc/buffer.c
+++ b/lib/isc/buffer.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.c,v 1.40.18.2 2005/04/29 00:16:44 marka Exp $ */
+/* $Id: buffer.c,v 1.49 2008/09/25 04:02:39 tbox Exp $ */
 
 /*! \file */
 
@@ -40,6 +40,35 @@ isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length) {
 }
 
 void
+isc__buffer_initnull(isc_buffer_t *b) {
+	/*
+	 * Initialize a new buffer which has no backing store.  This can
+	 * later be grown as needed and swapped in place.
+	 */
+
+	ISC__BUFFER_INIT(b, NULL, 0);
+}
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length) {
+	/*
+	 * Re-initialize the buffer enough to reconfigure the base of the
+	 * buffer.  We will swap in the new buffer, after copying any
+	 * data we contain into the new buffer and adjusting all of our
+	 * internal pointers.
+	 *
+	 * The buffer must not be smaller than the length of the original
+	 * buffer.
+	 */
+	REQUIRE(b->length <= length);
+	REQUIRE(base != NULL);
+
+	(void)memmove(base, b->base, b->length);
+	b->base = base;
+	b->length = length;
+}
+
+void
 isc__buffer_invalidate(isc_buffer_t *b) {
 	/*
 	 * Make 'b' an invalid buffer.
@@ -287,6 +316,14 @@ isc__buffer_putuint16(isc_buffer_t *b, isc_uint16_t val) {
 	ISC__BUFFER_PUTUINT16(b, val);
 }
 
+void
+isc__buffer_putuint24(isc_buffer_t *b, isc_uint32_t val) {
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used + 3 <= b->length);
+
+	ISC__BUFFER_PUTUINT24(b, val);
+}
+
 isc_uint32_t
 isc_buffer_getuint32(isc_buffer_t *b) {
 	unsigned char *cp;
@@ -318,6 +355,45 @@ isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val) {
 	ISC__BUFFER_PUTUINT32(b, val);
 }
 
+isc_uint64_t
+isc_buffer_getuint48(isc_buffer_t *b) {
+	unsigned char *cp;
+	isc_uint64_t result;
+
+	/*
+	 * Read an unsigned 48-bit integer in network byte order from 'b',
+	 * convert it to host byte order, and return it.
+	 */
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used - b->current >= 6);
+
+	cp = isc_buffer_current(b);
+	b->current += 6;
+	result = ((isc_int64_t)(cp[0])) << 40;
+	result |= ((isc_int64_t)(cp[1])) << 32;
+	result |= ((isc_int64_t)(cp[2])) << 24;
+	result |= ((isc_int64_t)(cp[3])) << 16;
+	result |= ((isc_int64_t)(cp[4])) << 8;
+	result |= ((isc_int64_t)(cp[5]));
+
+	return (result);
+}
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val) {
+	isc_uint16_t valhi;
+	isc_uint32_t vallo;
+
+	REQUIRE(ISC_BUFFER_VALID(b));
+	REQUIRE(b->used + 6 <= b->length);
+
+	valhi = (isc_uint16_t)(val >> 32);
+	vallo = (isc_uint32_t)(val & 0xFFFFFFFF);
+	ISC__BUFFER_PUTUINT16(b, valhi);
+	ISC__BUFFER_PUTUINT32(b, vallo);
+}
+
 void
 isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
 		   unsigned int length)
@@ -361,7 +437,7 @@ isc_buffer_copyregion(isc_buffer_t *b, const isc_region_t *r) {
 	 */
 	base = isc_buffer_used(b);
 	available = isc_buffer_availablelength(b);
-        if (r->length > available)
+	if (r->length > available)
 		return (ISC_R_NOSPACE);
 	memcpy(base, r->base, r->length);
 	b->used += r->length;
diff --git a/lib/isc/bufferlist.c b/lib/isc/bufferlist.c
index 773d075..0e5c125 100644
--- a/lib/isc/bufferlist.c
+++ b/lib/isc/bufferlist.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.c,v 1.13.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: bufferlist.c,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/commandline.c b/lib/isc/commandline.c
index 679ed6d..aca1203 100644
--- a/lib/isc/commandline.c
+++ b/lib/isc/commandline.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: commandline.c,v 1.16.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: commandline.c,v 1.22 2008/09/25 04:02:39 tbox Exp $ */
 
 /*! \file
  * This file was adapted from the NetBSD project's source tree, RCS ID:
@@ -107,7 +107,10 @@ isc_commandline_parse(int argc, char * const *argv, const char *options) {
 	 * the previous argv was finished.
 	 */
 	if (isc_commandline_reset || *place == '\0') {
-		isc_commandline_reset = ISC_FALSE;
+		if (isc_commandline_reset) {
+			isc_commandline_index = 1;
+			isc_commandline_reset = ISC_FALSE;
+		}
 
 		if (isc_commandline_progname == NULL)
 			isc_commandline_progname = argv[0];
diff --git a/lib/isc/entropy.c b/lib/isc/entropy.c
index 3e87d87..25ab002 100644
--- a/lib/isc/entropy.c
+++ b/lib/isc/entropy.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.11.18.3 2005/07/12 01:22:28 marka Exp $ */
+/* $Id: entropy.c,v 1.18.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*! \file
  * \brief
@@ -290,7 +290,7 @@ entropypool_add_word(isc_entropypool_t *rp, isc_uint32_t val) {
 	 * If we have looped around the pool, increment the rotate
 	 * variable so the next value will get xored in rotated to
 	 * a different position.
-	 * Increment by a value that is relativly prime to the word size
+	 * Increment by a value that is relatively prime to the word size
 	 * to try to spread the bits throughout the pool quickly when the
 	 * pool is empty.
 	 */
@@ -1102,6 +1102,17 @@ isc_entropy_stats(isc_entropy_t *ent, FILE *out) {
 	UNLOCK(&ent->lock);
 }
 
+unsigned int
+isc_entropy_status(isc_entropy_t *ent) {
+	unsigned int estimate;
+
+	LOCK(&ent->lock);
+	estimate = ent->pool.entropy;
+	UNLOCK(&ent->lock);
+
+	return estimate;
+}
+
 void
 isc_entropy_attach(isc_entropy_t *ent, isc_entropy_t **entp) {
 	REQUIRE(VALID_ENTROPY(ent));
@@ -1251,7 +1262,7 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
 
 		if (final_result != ISC_R_SUCCESS)
 			final_result = result;
-	}	
+	}
 
 	/*
 	 * final_result is ISC_R_SUCCESS if at least one source of entropy
diff --git a/lib/isc/error.c b/lib/isc/error.c
index 282986c..095100a 100644
--- a/lib/isc/error.c
+++ b/lib/isc/error.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: error.c,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/event.c b/lib/isc/event.c
index 7931061..8ab7524 100644
--- a/lib/isc/event.c
+++ b/lib/isc/event.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.c,v 1.17.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: event.c,v 1.21 2007/06/19 23:47:17 tbox Exp $ */
 
 /*!
  * \file
diff --git a/lib/isc/fsaccess.c b/lib/isc/fsaccess.c
index cdab3d8..5c97183 100644
--- a/lib/isc/fsaccess.c
+++ b/lib/isc/fsaccess.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.6.18.2 2005/04/29 00:16:45 marka Exp $ */
+/* $Id: fsaccess.c,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/isc/hash.c b/lib/isc/hash.c
index 4b6dc06..9911bde 100644
--- a/lib/isc/hash.c
+++ b/lib/isc/hash.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,11 +15,11 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.c,v 1.6.18.5 2006/01/04 00:37:23 marka Exp $ */
+/* $Id: hash.c,v 1.13.332.3 2009/05/07 23:47:12 tbox Exp $ */
 
 /*! \file
  * Some portion of this code was derived from universal hash function
- * libraries of Rice University. 
+ * libraries of Rice University.
 \section license UH Universal Hashing Library
 
 Copyright ((c)) 2002, Rice University
@@ -244,7 +244,7 @@ isc_hash_ctxinit(isc_hash_t *hctx) {
 		goto out;
 
 	if (hctx->entropy) {
-		result = isc_entropy_getdata(hctx->entropy, 
+		result = isc_entropy_getdata(hctx->entropy,
 					     hctx->rndvector, hctx->vectorlen,
 					     NULL, 0);
 		INSIST(result == ISC_R_SUCCESS);
@@ -276,7 +276,7 @@ isc_hash_ctxinit(isc_hash_t *hctx) {
 void
 isc_hash_init() {
 	INSIST(hash != NULL && VALID_HASH(hash));
-	
+
 	isc_hash_ctxinit(hash);
 }
 
diff --git a/lib/isc/heap.c b/lib/isc/heap.c
index 9c495a7..91d78c0 100644
--- a/lib/isc/heap.c
+++ b/lib/isc/heap.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.c,v 1.30.18.3 2006/04/17 18:27:33 explorer Exp $ */
+/* $Id: heap.c,v 1.37 2007/10/19 17:15:53 explorer Exp $ */
 
 /*! \file
  * Heap implementation of priority queues adapted from the following:
@@ -208,9 +208,13 @@ isc_heap_delete(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(index >= 1 && index <= heap->last);
 
 	if (index == heap->last) {
+		heap->array[heap->last] = NULL;
 		heap->last--;
 	} else {
-		elt = heap->array[heap->last--];
+		elt = heap->array[heap->last];
+		heap->array[heap->last] = NULL;
+		heap->last--;
+
 		less = heap->compare(elt, heap->array[index]);
 		heap->array[index] = elt;
 		if (less)
@@ -239,9 +243,11 @@ isc_heap_decreased(isc_heap_t *heap, unsigned int index) {
 void *
 isc_heap_element(isc_heap_t *heap, unsigned int index) {
 	REQUIRE(VALID_HEAP(heap));
-	REQUIRE(index >= 1 && index <= heap->last);
+	REQUIRE(index >= 1);
 
-	return (heap->array[index]);
+	if (index <= heap->last)
+		return (heap->array[index]);
+	return (NULL);
 }
 
 void
diff --git a/lib/isc/hex.c b/lib/isc/hex.c
index 8dfec02..3fa0e69 100644
--- a/lib/isc/hex.c
+++ b/lib/isc/hex.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.c,v 1.14.18.2 2005/04/29 00:16:46 marka Exp $ */
+/* $Id: hex.c,v 1.20 2008/09/25 04:02:39 tbox Exp $ */
 
 /*! \file */
 
@@ -156,7 +156,7 @@ isc_hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length) {
 }
 
 isc_result_t
-isc_hex_decodestring(char *cstr, isc_buffer_t *target) {
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target) {
 	hex_decode_ctx_t ctx;
 
 	hex_decode_init(&ctx, -1, target);
@@ -168,7 +168,7 @@ isc_hex_decodestring(char *cstr, isc_buffer_t *target) {
 			continue;
 		RETERR(hex_decode_char(&ctx, c));
 	}
-	RETERR(hex_decode_finish(&ctx));	
+	RETERR(hex_decode_finish(&ctx));
 	return (ISC_R_SUCCESS);
 }
 
diff --git a/lib/isc/hmacmd5.c b/lib/isc/hmacmd5.c
index f832146..63853dc 100644
--- a/lib/isc/hmacmd5.c
+++ b/lib/isc/hmacmd5.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.c,v 1.7.18.5 2006/02/26 22:30:56 marka Exp $ */
+/* $Id: hmacmd5.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file
  * This code implements the HMAC-MD5 keyed hash algorithm
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
index 7ee13f7..dfcd8bf 100644
--- a/lib/isc/hmacsha.c
+++ b/lib/isc/hmacsha.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.c,v 1.2.2.7 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: hmacsha.c,v 1.8 2007/08/27 03:27:53 marka Exp $ */
 
 /*
  * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
diff --git a/lib/isc/httpd.c b/lib/isc/httpd.c
new file mode 100644
index 0000000..fa31325
--- /dev/null
+++ b/lib/isc/httpd.c
@@ -0,0 +1,987 @@
+/*
+ * Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: httpd.c,v 1.16 2008/08/08 05:06:49 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <isc/buffer.h>
+#include <isc/httpd.h>
+#include <isc/mem.h>
+#include <isc/socket.h>
+#include <isc/string.h>
+#include <isc/task.h>
+#include <isc/util.h>
+
+#include <string.h>
+
+/*%
+ * TODO:
+ *
+ *  o  Put in better checks to make certain things are passed in correctly.
+ *     This includes a magic number for externally-visible structures,
+ *     checking for NULL-ness before dereferencing, etc.
+ *  o  Make the URL processing external functions which will fill-in a buffer
+ *     structure we provide, or return an error and we will render a generic
+ *     page and close the client.
+ */
+
+#define MSHUTTINGDOWN(cm) ((cm->flags & ISC_HTTPDMGR_FLAGSHUTTINGDOWN) != 0)
+#define MSETSHUTTINGDOWN(cm) (cm->flags |= ISC_HTTPDMGR_FLAGSHUTTINGDOWN)
+
+#ifdef DEBUG_HTTPD
+#define ENTER(x) do { fprintf(stderr, "ENTER %s\n", (x)); } while (0)
+#define EXIT(x) do { fprintf(stderr, "EXIT %s\n", (x)); } while (0)
+#define NOTICE(x) do { fprintf(stderr, "NOTICE %s\n", (x)); } while (0)
+#else
+#define ENTER(x) do { } while(0)
+#define EXIT(x) do { } while(0)
+#define NOTICE(x) do { } while(0)
+#endif
+
+#define HTTP_RECVLEN			1024
+#define HTTP_SENDGROW			1024
+#define HTTP_SEND_MAXLEN		10240
+
+/*%
+ * HTTP urls.  These are the URLs we manage, and the function to call to
+ * provide the data for it.  We pass in the base url (so the same function
+ * can handle multiple requests), and a structure to fill in to return a
+ * result to the client.  We also pass in a pointer to be filled in for
+ * the data cleanup function.
+ */
+struct isc_httpdurl {
+	char			       *url;
+	isc_httpdaction_t	       *action;
+	void			       *action_arg;
+	ISC_LINK(isc_httpdurl_t)	link;
+};
+
+#define HTTPD_CLOSE		0x0001 /* Got a Connection: close header */
+#define HTTPD_FOUNDHOST		0x0002 /* Got a Host: header */
+
+/*% http client */
+struct isc_httpd {
+	isc_httpdmgr_t	       *mgr;		/*%< our parent */
+	ISC_LINK(isc_httpd_t)	link;
+	unsigned int		state;
+	isc_socket_t		*sock;
+
+	/*%
+	 * Received data state.
+	 */
+	char			recvbuf[HTTP_RECVLEN]; /*%< receive buffer */
+	isc_uint32_t		recvlen;	/*%< length recv'd */
+	unsigned int		method;
+	char		       *url;
+	char		       *querystring;
+	char		       *protocol;
+
+	/*
+	 * Flags on the httpd client.
+	 */
+	int			flags;
+
+	/*%
+	 * Transmit data state.
+	 *
+	 * This is the data buffer we will transmit.
+	 *
+	 * This free function pointer is filled in by the rendering function
+	 * we call.  The free function is called after the data is transmitted
+	 * to the client.
+	 *
+	 * The bufflist is the list of buffers we are currently transmitting.
+	 * The headerdata is where we render our headers to.  If we run out of
+	 * space when rendering a header, we will change the size of our
+	 * buffer.  We will not free it until we are finished, and will
+	 * allocate an additional HTTP_SENDGROW bytes per header space grow.
+	 *
+	 * We currently use two buffers total, one for the headers (which
+	 * we manage) and another for the client to fill in (which it manages,
+	 * it provides the space for it, etc) -- we will pass that buffer
+	 * structure back to the caller, who is responsible for managing the
+	 * space it may have allocated as backing store for it.  This second
+	 * buffer is bodybuffer, and we only allocate the buffer itself, not
+	 * the backing store.
+	 */
+	isc_bufferlist_t	bufflist;
+	char		       *headerdata; /*%< send header buf */
+	unsigned int		headerlen;  /*%< current header buffer size */
+	isc_buffer_t		headerbuffer;
+
+	const char	       *mimetype;
+	unsigned int		retcode;
+	const char	       *retmsg;
+	isc_buffer_t		bodybuffer;
+	isc_httpdfree_t	       *freecb;
+	void		       *freecb_arg;
+};
+
+/*% lightweight socket manager for httpd output */
+struct isc_httpdmgr {
+	isc_mem_t	       *mctx;
+	isc_socket_t	       *sock;		/*%< listening socket */
+	isc_task_t	       *task;		/*%< owning task */
+	isc_timermgr_t	       *timermgr;
+
+	isc_httpdclientok_t    *client_ok;	/*%< client validator */
+	isc_httpdondestroy_t   *ondestroy;	/*%< cleanup callback */
+	void		       *cb_arg;		/*%< argument for the above */
+
+	unsigned int		flags;
+	ISC_LIST(isc_httpd_t)	running;	/*%< running clients */
+
+	isc_mutex_t		lock;
+
+	ISC_LIST(isc_httpdurl_t) urls;		/*%< urls we manage */
+	isc_httpdaction_t      *render_404;
+};
+
+/*%
+ * HTTP methods.
+ */
+#define ISC_HTTPD_METHODUNKNOWN	0
+#define ISC_HTTPD_METHODGET	1
+#define ISC_HTTPD_METHODPOST	2
+
+/*%
+ * Client states.
+ *
+ * _IDLE	The client is not doing anything at all.  This state should
+ *		only occur just after creation, and just before being
+ *		destroyed.
+ *
+ * _RECV	The client is waiting for data after issuing a socket recv().
+ *
+ * _RECVDONE	Data has been received, and is being processed.
+ *
+ * _SEND	All data for a response has completed, and a reply was
+ *		sent via a socket send() call.
+ *
+ * _SENDDONE	Send is completed.
+ *
+ * Badly formatted state table:
+ *
+ *	IDLE -> RECV when client has a recv() queued.
+ *
+ *	RECV -> RECVDONE when recvdone event received.
+ *
+ *	RECVDONE -> SEND if the data for a reply is at hand.
+ *
+ *	SEND -> RECV when a senddone event was received.
+ *
+ *	At any time -> RECV on error.  If RECV fails, the client will
+ *	self-destroy, closing the socket and freeing memory.
+ */
+#define ISC_HTTPD_STATEIDLE	0
+#define ISC_HTTPD_STATERECV	1
+#define ISC_HTTPD_STATERECVDONE	2
+#define ISC_HTTPD_STATESEND	3
+#define ISC_HTTPD_STATESENDDONE	4
+
+#define ISC_HTTPD_ISRECV(c)	((c)->state == ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_ISRECVDONE(c)	((c)->state == ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_ISSEND(c)	((c)->state == ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_ISSENDDONE(c)	((c)->state == ISC_HTTPD_STATESENDDONE)
+
+/*%
+ * Overall magic test that means we're not idle.
+ */
+#define ISC_HTTPD_SETRECV(c)	((c)->state = ISC_HTTPD_STATERECV)
+#define ISC_HTTPD_SETRECVDONE(c)	((c)->state = ISC_HTTPD_STATERECVDONE)
+#define ISC_HTTPD_SETSEND(c)	((c)->state = ISC_HTTPD_STATESEND)
+#define ISC_HTTPD_SETSENDDONE(c)	((c)->state = ISC_HTTPD_STATESENDDONE)
+
+static void isc_httpd_accept(isc_task_t *, isc_event_t *);
+static void isc_httpd_recvdone(isc_task_t *, isc_event_t *);
+static void isc_httpd_senddone(isc_task_t *, isc_event_t *);
+static void destroy_client(isc_httpd_t **);
+static isc_result_t process_request(isc_httpd_t *, int);
+static void httpdmgr_destroy(isc_httpdmgr_t *);
+static isc_result_t grow_headerspace(isc_httpd_t *);
+static void reset_client(isc_httpd_t *httpd);
+static isc_result_t render_404(const char *, const char *,
+			       void *,
+			       unsigned int *, const char **,
+			       const char **, isc_buffer_t *,
+			       isc_httpdfree_t **, void **);
+
+static void
+destroy_client(isc_httpd_t **httpdp)
+{
+	isc_httpd_t *httpd = *httpdp;
+	isc_httpdmgr_t *httpdmgr = httpd->mgr;
+
+	*httpdp = NULL;
+
+	LOCK(&httpdmgr->lock);
+
+	isc_socket_detach(&httpd->sock);
+	ISC_LIST_UNLINK(httpdmgr->running, httpd, link);
+
+	if (httpd->headerlen > 0)
+		isc_mem_put(httpdmgr->mctx, httpd->headerdata,
+			    httpd->headerlen);
+
+	isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+
+	UNLOCK(&httpdmgr->lock);
+
+	httpdmgr_destroy(httpdmgr);
+}
+
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t *client_ok,
+		    isc_httpdondestroy_t *ondestroy, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp)
+{
+	isc_result_t result;
+	isc_httpdmgr_t *httpd;
+
+	REQUIRE(mctx != NULL);
+	REQUIRE(sock != NULL);
+	REQUIRE(task != NULL);
+	REQUIRE(tmgr != NULL);
+	REQUIRE(httpdp != NULL && *httpdp == NULL);
+
+	httpd = isc_mem_get(mctx, sizeof(isc_httpdmgr_t));
+	if (httpd == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&httpd->lock);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(mctx, httpd, sizeof(isc_httpdmgr_t));
+		return (result);
+	}
+	httpd->mctx = NULL;
+	isc_mem_attach(mctx, &httpd->mctx);
+	httpd->sock = NULL;
+	isc_socket_attach(sock, &httpd->sock);
+	httpd->task = NULL;
+	isc_task_attach(task, &httpd->task);
+	httpd->timermgr = tmgr; /* XXXMLG no attach function? */
+	httpd->client_ok = client_ok;
+	httpd->ondestroy = ondestroy;
+	httpd->cb_arg = cb_arg;
+
+	ISC_LIST_INIT(httpd->running);
+	ISC_LIST_INIT(httpd->urls);
+
+	/* XXXMLG ignore errors on isc_socket_listen() */
+	result = isc_socket_listen(sock, SOMAXCONN);
+	if (result != ISC_R_SUCCESS) {
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "isc_socket_listen() failed: %s",
+				 isc_result_totext(result));
+		goto cleanup;
+	}
+
+	(void)isc_socket_filter(sock, "httpready");
+
+	result = isc_socket_accept(sock, task, isc_httpd_accept, httpd);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup;
+
+	httpd->render_404 = render_404;
+
+	*httpdp = httpd;
+	return (ISC_R_SUCCESS);
+
+  cleanup:
+	isc_task_detach(&httpd->task);
+	isc_socket_detach(&httpd->sock);
+	isc_mem_detach(&httpd->mctx);
+	isc_mutex_destroy(&httpd->lock);
+	isc_mem_put(mctx, httpd, sizeof(isc_httpdmgr_t));
+	return (result);
+}
+
+static void
+httpdmgr_destroy(isc_httpdmgr_t *httpdmgr)
+{
+	isc_mem_t *mctx;
+	isc_httpdurl_t *url;
+
+	ENTER("httpdmgr_destroy");
+
+	LOCK(&httpdmgr->lock);
+
+	if (!MSHUTTINGDOWN(httpdmgr)) {
+		NOTICE("httpdmgr_destroy not shutting down yet");
+		UNLOCK(&httpdmgr->lock);
+		return;
+	}
+
+	/*
+	 * If all clients are not shut down, don't do anything yet.
+	 */
+	if (!ISC_LIST_EMPTY(httpdmgr->running)) {
+		NOTICE("httpdmgr_destroy clients still active");
+		UNLOCK(&httpdmgr->lock);
+		return;
+	}
+
+	NOTICE("httpdmgr_destroy detaching socket, task, and timermgr");
+
+	isc_socket_detach(&httpdmgr->sock);
+	isc_task_detach(&httpdmgr->task);
+	httpdmgr->timermgr = NULL;
+
+	/*
+	 * Clear out the list of all actions we know about.  Just free the
+	 * memory.
+	 */
+	url = ISC_LIST_HEAD(httpdmgr->urls);
+	while (url != NULL) {
+		isc_mem_free(httpdmgr->mctx, url->url);
+		ISC_LIST_UNLINK(httpdmgr->urls, url, link);
+		isc_mem_put(httpdmgr->mctx, url, sizeof(isc_httpdurl_t));
+		url = ISC_LIST_HEAD(httpdmgr->urls);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+	isc_mutex_destroy(&httpdmgr->lock);
+
+	if (httpdmgr->ondestroy != NULL)
+		(httpdmgr->ondestroy)(httpdmgr->cb_arg);
+
+	mctx = httpdmgr->mctx;
+	isc_mem_putanddetach(&mctx, httpdmgr, sizeof(isc_httpdmgr_t));
+
+	EXIT("httpdmgr_destroy");
+}
+
+#define LENGTHOK(s) (httpd->recvbuf - (s) < (int)httpd->recvlen)
+#define BUFLENOK(s) (httpd->recvbuf - (s) < HTTP_RECVLEN)
+
+static isc_result_t
+process_request(isc_httpd_t *httpd, int length)
+{
+	char *s;
+	char *p;
+	int delim;
+
+	ENTER("request");
+
+	httpd->recvlen += length;
+
+	httpd->recvbuf[httpd->recvlen] = 0;
+
+	/*
+	 * If we don't find a blank line in our buffer, return that we need
+	 * more data.
+	 */
+	s = strstr(httpd->recvbuf, "\r\n\r\n");
+	delim = 1;
+	if (s == NULL) {
+		s = strstr(httpd->recvbuf, "\n\n");
+		delim = 2;
+	}
+	if (s == NULL)
+		return (ISC_R_NOTFOUND);
+
+	/*
+	 * Determine if this is a POST or GET method.  Any other values will
+	 * cause an error to be returned.
+	 */
+	if (strncmp(httpd->recvbuf, "GET ", 4) == 0) {
+		httpd->method = ISC_HTTPD_METHODGET;
+		p = httpd->recvbuf + 4;
+	} else if (strncmp(httpd->recvbuf, "POST ", 5) == 0) {
+		httpd->method = ISC_HTTPD_METHODPOST;
+		p = httpd->recvbuf + 5;
+	} else {
+		return (ISC_R_RANGE);
+	}
+
+	/*
+	 * From now on, p is the start of our buffer.
+	 */
+
+	/*
+	 * Extract the URL.
+	 */
+	s = p;
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0' && *s != ' '))
+		s++;
+	if (!LENGTHOK(s))
+		return (ISC_R_NOTFOUND);
+	if (!BUFLENOK(s))
+		return (ISC_R_NOMEMORY);
+	*s = 0;
+
+	/*
+	 * Make the URL relative.
+	 */
+	if ((strncmp(p, "http:/", 6) == 0)
+	    || (strncmp(p, "https:/", 7) == 0)) {
+		/* Skip first / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0)
+			return (ISC_R_RANGE);
+		p++;
+		/* Skip second / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0)
+			return (ISC_R_RANGE);
+		p++;
+		/* Find third / */
+		while (*p != '/' && *p != 0)
+			p++;
+		if (*p == 0) {
+			p--;
+			*p = '/';
+		}
+	}
+
+	httpd->url = p;
+	p = s + delim;
+	s = p;
+
+	/*
+	 * Now, see if there is a ? mark in the URL.  If so, this is
+	 * part of the query string, and we will split it from the URL.
+	 */
+	httpd->querystring = strchr(httpd->url, '?');
+	if (httpd->querystring != NULL) {
+		*(httpd->querystring) = 0;
+		httpd->querystring++;
+	}
+
+	/*
+	 * Extract the HTTP/1.X protocol.  We will bounce on anything but
+	 * HTTP/1.1 for now.
+	 */
+	while (LENGTHOK(s) && BUFLENOK(s) &&
+	       (*s != '\n' && *s != '\r' && *s != '\0'))
+		s++;
+	if (!LENGTHOK(s))
+		return (ISC_R_NOTFOUND);
+	if (!BUFLENOK(s))
+		return (ISC_R_NOMEMORY);
+	*s = 0;
+	if ((strncmp(p, "HTTP/1.0", 8) != 0)
+	    && (strncmp(p, "HTTP/1.1", 8) != 0))
+		return (ISC_R_RANGE);
+	httpd->protocol = p;
+	p = s + 1;
+	s = p;
+
+	if (strstr(s, "Connection: close") != NULL)
+		httpd->flags |= HTTPD_CLOSE;
+
+	if (strstr(s, "Host: ") != NULL)
+		httpd->flags |= HTTPD_FOUNDHOST;
+
+	/*
+	 * Standards compliance hooks here.
+	 */
+	if (strcmp(httpd->protocol, "HTTP/1.1") == 0
+	    && ((httpd->flags & HTTPD_FOUNDHOST) == 0))
+		return (ISC_R_RANGE);
+
+	EXIT("request");
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_accept(isc_task_t *task, isc_event_t *ev)
+{
+	isc_result_t result;
+	isc_httpdmgr_t *httpdmgr = ev->ev_arg;
+	isc_httpd_t *httpd;
+	isc_region_t r;
+	isc_socket_newconnev_t *nev = (isc_socket_newconnev_t *)ev;
+	isc_sockaddr_t peeraddr;
+
+	ENTER("accept");
+
+	LOCK(&httpdmgr->lock);
+	if (MSHUTTINGDOWN(httpdmgr)) {
+		NOTICE("accept shutting down, goto out");
+		goto out;
+	}
+
+	if (nev->result == ISC_R_CANCELED) {
+		NOTICE("accept canceled, goto out");
+		goto out;
+	}
+
+	if (nev->result != ISC_R_SUCCESS) {
+		/* XXXMLG log failure */
+		NOTICE("accept returned failure, goto requeue");
+		goto requeue;
+	}
+
+	(void)isc_socket_getpeername(nev->newsocket, &peeraddr);
+	if (httpdmgr->client_ok != NULL &&
+	    !(httpdmgr->client_ok)(&peeraddr, httpdmgr->cb_arg)) {
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+
+	httpd = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpd_t));
+	if (httpd == NULL) {
+		/* XXXMLG log failure */
+		NOTICE("accept failed to allocate memory, goto requeue");
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+
+	httpd->mgr = httpdmgr;
+	ISC_LINK_INIT(httpd, link);
+	ISC_LIST_APPEND(httpdmgr->running, httpd, link);
+	ISC_HTTPD_SETRECV(httpd);
+	httpd->sock = nev->newsocket;
+	isc_socket_setname(httpd->sock, "httpd", NULL);
+	httpd->flags = 0;
+
+	/*
+	 * Initialize the buffer for our headers.
+	 */
+	httpd->headerdata = isc_mem_get(httpdmgr->mctx, HTTP_SENDGROW);
+	if (httpd->headerdata == NULL) {
+		isc_mem_put(httpdmgr->mctx, httpd, sizeof(isc_httpd_t));
+		isc_socket_detach(&nev->newsocket);
+		goto requeue;
+	}
+	httpd->headerlen = HTTP_SENDGROW;
+	isc_buffer_init(&httpd->headerbuffer, httpd->headerdata,
+			httpd->headerlen);
+
+	ISC_LIST_INIT(httpd->bufflist);
+
+	isc_buffer_initnull(&httpd->bodybuffer);
+	reset_client(httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+	result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
+				 httpd);
+	NOTICE("accept queued recv on socket");
+
+ requeue:
+	result = isc_socket_accept(httpdmgr->sock, task, isc_httpd_accept,
+				   httpdmgr);
+	if (result != ISC_R_SUCCESS) {
+		/* XXXMLG what to do?  Log failure... */
+		NOTICE("accept could not reaccept due to failure");
+	}
+
+ out:
+	UNLOCK(&httpdmgr->lock);
+
+	httpdmgr_destroy(httpdmgr);
+
+	isc_event_free(&ev);
+
+	EXIT("accept");
+}
+
+static isc_result_t
+render_404(const char *url, const char *querystring,
+	   void *arg,
+	   unsigned int *retcode, const char **retmsg,
+	   const char **mimetype, isc_buffer_t *b,
+	   isc_httpdfree_t **freecb, void **freecb_args)
+{
+	static char msg[] = "No such URL.";
+
+	UNUSED(url);
+	UNUSED(querystring);
+	UNUSED(arg);
+
+	*retcode = 404;
+	*retmsg = "No such URL";
+	*mimetype = "text/plain";
+	isc_buffer_reinit(b, msg, strlen(msg));
+	isc_buffer_add(b, strlen(msg));
+	*freecb = NULL;
+	*freecb_args = NULL;
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_recvdone(isc_task_t *task, isc_event_t *ev)
+{
+	isc_region_t r;
+	isc_result_t result;
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+	isc_httpdurl_t *url;
+	isc_time_t now;
+	char datebuf[32];  /* Only need 30, but safety first */
+
+	ENTER("recv");
+
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+
+	if (sev->result != ISC_R_SUCCESS) {
+		NOTICE("recv destroying client");
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	result = process_request(httpd, sev->n);
+	if (result == ISC_R_NOTFOUND) {
+		if (httpd->recvlen >= HTTP_RECVLEN - 1) {
+			destroy_client(&httpd);
+			goto out;
+		}
+		r.base = (unsigned char *)httpd->recvbuf + httpd->recvlen;
+		r.length = HTTP_RECVLEN - httpd->recvlen - 1;
+		result = isc_socket_recv(httpd->sock, &r, 1, task,
+					 isc_httpd_recvdone, httpd);
+		goto out;
+	} else if (result != ISC_R_SUCCESS) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	ISC_HTTPD_SETSEND(httpd);
+
+	/*
+	 * XXXMLG Call function here.  Provide an add-header function
+	 * which will append the common headers to a response we generate.
+	 */
+	isc_buffer_initnull(&httpd->bodybuffer);
+	isc_time_now(&now);
+	isc_time_formathttptimestamp(&now, datebuf, sizeof(datebuf));
+	url = ISC_LIST_HEAD(httpd->mgr->urls);
+	while (url != NULL) {
+		if (strcmp(httpd->url, url->url) == 0)
+			break;
+		url = ISC_LIST_NEXT(url, link);
+	}
+	if (url == NULL)
+		result = httpd->mgr->render_404(httpd->url, httpd->querystring,
+						NULL,
+						&httpd->retcode,
+						&httpd->retmsg,
+						&httpd->mimetype,
+						&httpd->bodybuffer,
+						&httpd->freecb,
+						&httpd->freecb_arg);
+	else
+		result = url->action(httpd->url, httpd->querystring,
+				     url->action_arg,
+				     &httpd->retcode, &httpd->retmsg,
+				     &httpd->mimetype, &httpd->bodybuffer,
+				     &httpd->freecb, &httpd->freecb_arg);
+	if (result != ISC_R_SUCCESS) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	isc_httpd_response(httpd);
+	isc_httpd_addheader(httpd, "Content-Type", httpd->mimetype);
+	isc_httpd_addheader(httpd, "Date", datebuf);
+	isc_httpd_addheader(httpd, "Expires", datebuf);
+	isc_httpd_addheader(httpd, "Last-Modified", datebuf);
+	isc_httpd_addheader(httpd, "Pragma: no-cache", NULL);
+	isc_httpd_addheader(httpd, "Cache-Control: no-cache", NULL);
+	isc_httpd_addheader(httpd, "Server: libisc", NULL);
+	isc_httpd_addheaderuint(httpd, "Content-Length",
+				isc_buffer_usedlength(&httpd->bodybuffer));
+	isc_httpd_endheaders(httpd);  /* done */
+
+	ISC_LIST_APPEND(httpd->bufflist, &httpd->headerbuffer, link);
+	/*
+	 * Link the data buffer into our send queue, should we have any data
+	 * rendered into it.  If no data is present, we won't do anything
+	 * with the buffer.
+	 */
+	if (isc_buffer_length(&httpd->bodybuffer) > 0)
+		ISC_LIST_APPEND(httpd->bufflist, &httpd->bodybuffer, link);
+
+	result = isc_socket_sendv(httpd->sock, &httpd->bufflist, task,
+				  isc_httpd_senddone, httpd);
+
+ out:
+	isc_event_free(&ev);
+	EXIT("recv");
+}
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdmgrp)
+{
+	isc_httpdmgr_t *httpdmgr;
+	isc_httpd_t *httpd;
+	httpdmgr = *httpdmgrp;
+	*httpdmgrp = NULL;
+
+	ENTER("isc_httpdmgr_shutdown");
+
+	LOCK(&httpdmgr->lock);
+
+	MSETSHUTTINGDOWN(httpdmgr);
+
+	isc_socket_cancel(httpdmgr->sock, httpdmgr->task, ISC_SOCKCANCEL_ALL);
+
+	httpd = ISC_LIST_HEAD(httpdmgr->running);
+	while (httpd != NULL) {
+		isc_socket_cancel(httpd->sock, httpdmgr->task,
+				  ISC_SOCKCANCEL_ALL);
+		httpd = ISC_LIST_NEXT(httpd, link);
+	}
+
+	UNLOCK(&httpdmgr->lock);
+
+	EXIT("isc_httpdmgr_shutdown");
+}
+
+static isc_result_t
+grow_headerspace(isc_httpd_t *httpd)
+{
+	char *newspace;
+	unsigned int newlen;
+	isc_region_t r;
+
+	newlen = httpd->headerlen + HTTP_SENDGROW;
+	if (newlen > HTTP_SEND_MAXLEN)
+		return (ISC_R_NOSPACE);
+
+	newspace = isc_mem_get(httpd->mgr->mctx, newlen);
+	if (newspace == NULL)
+		return (ISC_R_NOMEMORY);
+	isc_buffer_region(&httpd->headerbuffer, &r);
+	isc_buffer_reinit(&httpd->headerbuffer, newspace, newlen);
+
+	isc_mem_put(httpd->mgr->mctx, r.base, r.length);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd)
+{
+	isc_result_t result;
+	unsigned int needlen;
+
+	needlen = strlen(httpd->protocol) + 1; /* protocol + space */
+	needlen += 3 + 1;  /* room for response code, always 3 bytes */
+	needlen += strlen(httpd->retmsg) + 2;  /* return msg + CRLF */
+
+	if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	sprintf(isc_buffer_used(&httpd->headerbuffer), "%s %03d %s\r\n",
+		httpd->protocol, httpd->retcode, httpd->retmsg);
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+		    const char *val)
+{
+	isc_result_t result;
+	unsigned int needlen;
+
+	needlen = strlen(name); /* name itself */
+	if (val != NULL)
+		needlen += 2 + strlen(val); /* :<space> and val */
+	needlen += 2; /* CRLF */
+
+	if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	if (val != NULL)
+		sprintf(isc_buffer_used(&httpd->headerbuffer),
+			"%s: %s\r\n", name, val);
+	else
+		sprintf(isc_buffer_used(&httpd->headerbuffer),
+			"%s\r\n", name);
+
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_endheaders(isc_httpd_t *httpd)
+{
+	isc_result_t result;
+
+	if (isc_buffer_availablelength(&httpd->headerbuffer) < 2) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	sprintf(isc_buffer_used(&httpd->headerbuffer), "\r\n");
+	isc_buffer_add(&httpd->headerbuffer, 2);
+
+	return (ISC_R_SUCCESS);
+}
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val) {
+	isc_result_t result;
+	unsigned int needlen;
+	char buf[sizeof "18446744073709551616"];
+
+	sprintf(buf, "%d", val);
+
+	needlen = strlen(name); /* name itself */
+	needlen += 2 + strlen(buf); /* :<space> and val */
+	needlen += 2; /* CRLF */
+
+	if (isc_buffer_availablelength(&httpd->headerbuffer) < needlen) {
+		result = grow_headerspace(httpd);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
+
+	sprintf(isc_buffer_used(&httpd->headerbuffer),
+		"%s: %s\r\n", name, buf);
+
+	isc_buffer_add(&httpd->headerbuffer, needlen);
+
+	return (ISC_R_SUCCESS);
+}
+
+static void
+isc_httpd_senddone(isc_task_t *task, isc_event_t *ev)
+{
+	isc_httpd_t *httpd = ev->ev_arg;
+	isc_region_t r;
+	isc_result_t result;
+	isc_socketevent_t *sev = (isc_socketevent_t *)ev;
+
+	ENTER("senddone");
+	INSIST(ISC_HTTPD_ISSEND(httpd));
+
+	/*
+	 * First, unlink our header buffer from the socket's bufflist.  This
+	 * is sort of an evil hack, since we know our buffer will be there,
+	 * and we know it's address, so we can just remove it directly.
+	 */
+	NOTICE("senddone unlinked header");
+	ISC_LIST_UNLINK(sev->bufferlist, &httpd->headerbuffer, link);
+
+	/*
+	 * We will always want to clean up our receive buffer, even if we
+	 * got an error on send or we are shutting down.
+	 *
+	 * We will pass in the buffer only if there is data in it.  If
+	 * there is no data, we will pass in a NULL.
+	 */
+	if (httpd->freecb != NULL) {
+		isc_buffer_t *b = NULL;
+		if (isc_buffer_length(&httpd->bodybuffer) > 0)
+			b = &httpd->bodybuffer;
+		httpd->freecb(b, httpd->freecb_arg);
+		NOTICE("senddone free callback performed");
+	}
+	if (ISC_LINK_LINKED(&httpd->bodybuffer, link)) {
+		ISC_LIST_UNLINK(sev->bufferlist, &httpd->bodybuffer, link);
+		NOTICE("senddone body buffer unlinked");
+	}
+
+	if (sev->result != ISC_R_SUCCESS) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	if ((httpd->flags & HTTPD_CLOSE) != 0) {
+		destroy_client(&httpd);
+		goto out;
+	}
+
+	ISC_HTTPD_SETRECV(httpd);
+
+	NOTICE("senddone restarting recv on socket");
+
+	reset_client(httpd);
+
+	r.base = (unsigned char *)httpd->recvbuf;
+	r.length = HTTP_RECVLEN - 1;
+	result = isc_socket_recv(httpd->sock, &r, 1, task, isc_httpd_recvdone,
+				 httpd);
+
+out:
+	isc_event_free(&ev);
+	EXIT("senddone");
+}
+
+static void
+reset_client(isc_httpd_t *httpd)
+{
+	/*
+	 * Catch errors here.  We MUST be in RECV mode, and we MUST NOT have
+	 * any outstanding buffers.  If we have buffers, we have a leak.
+	 */
+	INSIST(ISC_HTTPD_ISRECV(httpd));
+	INSIST(!ISC_LINK_LINKED(&httpd->headerbuffer, link));
+	INSIST(!ISC_LINK_LINKED(&httpd->bodybuffer, link));
+
+	httpd->recvbuf[0] = 0;
+	httpd->recvlen = 0;
+	httpd->method = ISC_HTTPD_METHODUNKNOWN;
+	httpd->url = NULL;
+	httpd->querystring = NULL;
+	httpd->protocol = NULL;
+	httpd->flags = 0;
+
+	isc_buffer_clear(&httpd->headerbuffer);
+	isc_buffer_invalidate(&httpd->bodybuffer);
+}
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg)
+{
+	isc_httpdurl_t *item;
+
+	if (url == NULL) {
+		httpdmgr->render_404 = func;
+		return (ISC_R_SUCCESS);
+	}
+
+	item = isc_mem_get(httpdmgr->mctx, sizeof(isc_httpdurl_t));
+	if (item == NULL)
+		return (ISC_R_NOMEMORY);
+
+	item->url = isc_mem_strdup(httpdmgr->mctx, url);
+	if (item->url == NULL) {
+		isc_mem_put(httpdmgr->mctx, item, sizeof(isc_httpdurl_t));
+		return (ISC_R_NOMEMORY);
+	}
+
+	item->action = func;
+	item->action_arg = arg;
+	ISC_LINK_INIT(item, link);
+	ISC_LIST_APPEND(httpdmgr->urls, item, link);
+
+	return (ISC_R_SUCCESS);
+}
diff --git a/lib/isc/ia64/Makefile.in b/lib/isc/ia64/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/ia64/Makefile.in
+++ b/lib/isc/ia64/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/ia64/include/Makefile.in b/lib/isc/ia64/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/ia64/include/Makefile.in
+++ b/lib/isc/ia64/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/ia64/include/isc/Makefile.in b/lib/isc/ia64/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/ia64/include/isc/Makefile.in
+++ b/lib/isc/ia64/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/ia64/include/isc/atomic.h b/lib/isc/ia64/include/isc/atomic.h
index 20cbabd..4c46797 100644
--- a/lib/isc/ia64/include/isc/atomic.h
+++ b/lib/isc/ia64/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2006, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.2.1 2006/06/21 03:38:32 marka Exp $ */
+/* $Id: atomic.h,v 1.4.326.2 2009/02/06 23:47:11 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -31,7 +31,11 @@
  * (e.g., 1 and -1)?
  */
 static inline isc_int32_t
-isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
+isc_atomic_xadd(isc_int32_t *p, isc_int32_t val)
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+{
 	isc_int32_t prev, swapped;
 
 	for (prev = *(volatile isc_int32_t *)p; ; prev = swapped) {
@@ -53,7 +57,11 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
  * This routine atomically stores the value 'val' in 'p'.
  */
 static inline void
-isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
+isc_atomic_store(isc_int32_t *p, isc_int32_t val)
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+{
 	__asm__ volatile(
 		"st4.rel %0=%1"
 		: "=m" (*p)
@@ -68,7 +76,11 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
  * case.
  */
 static inline isc_int32_t
-isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
+isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val)
+#ifdef __GNUC__
+__attribute__ ((unused))
+#endif
+{
 	isc_int32_t ret;
 
 	__asm__ volatile(
diff --git a/lib/isc/include/Makefile.in b/lib/isc/include/Makefile.in
index ceb8eb6..04778d7 100644
--- a/lib/isc/include/Makefile.in
+++ b/lib/isc/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.11 2004/03/05 05:10:53 marka Exp $
+# $Id: Makefile.in,v 1.13 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/include/isc/Makefile.in b/lib/isc/include/isc/Makefile.in
index 0f0e936..def1180 100644
--- a/lib/isc/include/isc/Makefile.in
+++ b/lib/isc/include/isc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001, 2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.54.18.4 2006/01/27 23:57:45 marka Exp $
+# $Id: Makefile.in,v 1.64.12.2 2009/02/12 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -30,14 +30,18 @@ HEADERS =	app.h assertions.h base64.h bitstring.h boolean.h buffer.h \
 		bufferlist.h commandline.h entropy.h error.h event.h \
 		eventclass.h file.h formatcheck.h fsaccess.h \
 		hash.h heap.h hex.h hmacmd5.h \
-		interfaceiter.h @ISC_IPV6_H@ lang.h lex.h \
-		lfsr.h lib.h list.h log.h magic.h md5.h mem.h msgcat.h msgs.h \
+		httpd.h \
+		interfaceiter.h @ISC_IPV6_H@ iterated_hash.h lang.h lex.h \
+		lfsr.h lib.h list.h log.h \
+		magic.h md5.h mem.h msgcat.h msgs.h \
 		mutexblock.h netaddr.h ondestroy.h os.h parseint.h \
-		print.h quota.h random.h ratelimiter.h \
+		print.h quota.h radix.h random.h ratelimiter.h \
 		refcount.h region.h resource.h \
 		result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \
-		sockaddr.h socket.h stdio.h stdlib.h string.h symtab.h \
-	        task.h taskpool.h timer.h types.h util.h version.h
+		sockaddr.h socket.h stdio.h stdlib.h string.h \
+		symtab.h \
+	        task.h taskpool.h timer.h types.h util.h version.h \
+		xml.h
 
 SUBDIRS =
 TARGETS =
diff --git a/lib/isc/include/isc/app.h b/lib/isc/include/isc/app.h
index f51aff7..c4d54cb 100644
--- a/lib/isc/include/isc/app.h
+++ b/lib/isc/include/isc/app.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.h,v 1.2.18.2 2005/04/29 00:16:52 marka Exp $ */
+/* $Id: app.h,v 1.8 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_APP_H
 #define ISC_APP_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/app.h
  * \brief ISC Application Support
  *
  * Dealing with program termination can be difficult, especially in a
diff --git a/lib/isc/include/isc/assertions.h b/lib/isc/include/isc/assertions.h
index fcf0eb8..b031152 100644
--- a/lib/isc/include/isc/assertions.h
+++ b/lib/isc/include/isc/assertions.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,9 +16,9 @@
  */
 
 /*
- * $Id: assertions.h,v 1.18.18.4 2008/10/15 23:46:06 tbox Exp $
+ * $Id: assertions.h,v 1.26 2008/10/15 23:47:31 tbox Exp $
  */
-/*! \file assertions.h
+/*! \file isc/assertions.h
  */
 
 #ifndef ISC_ASSERTIONS_H
diff --git a/lib/isc/include/isc/base32.h b/lib/isc/include/isc/base32.h
new file mode 100644
index 0000000..978a8db
--- /dev/null
+++ b/lib/isc/include/isc/base32.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: base32.h,v 1.3 2008/09/25 04:02:39 tbox Exp $ */
+
+#ifndef ISC_BASE32_H
+#define ISC_BASE32_H 1
+
+/*! \file */
+
+/*
+ * Routines for manipulating base 32 and base 32 hex encoded data.
+ * Based on RFC 4648.
+ *
+ * Base 32 hex preserves the sort order of data when it is encoded /
+ * decoded.
+ */
+
+#include <isc/lang.h>
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/***
+ *** Functions
+ ***/
+
+isc_result_t
+isc_base32_totext(isc_region_t *source, int wordlength,
+		  const char *wordbreak, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_totext(isc_region_t *source, int wordlength,
+		     const char *wordbreak, isc_buffer_t *target);
+/*!<
+ * \brief Convert data into base32 encoded text.
+ *
+ * Notes:
+ *\li	The base32 encoded text in 'target' will be divided into
+ *	words of at most 'wordlength' characters, separated by
+ * 	the 'wordbreak' string.  No parentheses will surround
+ *	the text.
+ *
+ * Requires:
+ *\li	'source' is a region containing binary data
+ *\li	'target' is a text buffer containing available space
+ *\li	'wordbreak' points to a null-terminated string of
+ *		zero or more whitespace characters
+ *
+ * Ensures:
+ *\li	target will contain the base32 encoded version of the data
+ *	in source.  The 'used' pointer in target will be advanced as
+ *	necessary.
+ */
+
+isc_result_t
+isc_base32_decodestring(const char *cstr, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decodestring(const char *cstr, isc_buffer_t *target);
+/*!<
+ * \brief Decode a null-terminated base32 string.
+ *
+ * Requires:
+ *\li	'cstr' is non-null.
+ *\li	'target' is a valid buffer.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS	-- the entire decoded representation of 'cstring'
+ *			   fit in 'target'.
+ *\li	#ISC_R_BADBASE32 -- 'cstr' is not a valid base32 encoding.
+ *
+ * 	Other error returns are any possible error code from:
+ *\li		isc_lex_create(),
+ *\li		isc_lex_openbuffer(),
+ *\li		isc_base32_tobuffer().
+ */
+
+isc_result_t
+isc_base32_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+isc_result_t
+isc_base32hex_tobuffer(isc_lex_t *lexer, isc_buffer_t *target, int length);
+/*!<
+ * \brief Convert base32 encoded text from a lexer context into data.
+ *
+ * Requires:
+ *\li	'lex' is a valid lexer context
+ *\li	'target' is a buffer containing binary data
+ *\li	'length' is an integer
+ *
+ * Ensures:
+ *\li	target will contain the data represented by the base32 encoded
+ *	string parsed by the lexer.  No more than length bytes will be read,
+ *	if length is positive.  The 'used' pointer in target will be
+ *	advanced as necessary.
+ */
+
+isc_result_t
+isc_base32_decoderegion(isc_region_t *source, isc_buffer_t *target);
+isc_result_t
+isc_base32hex_decoderegion(isc_region_t *source, isc_buffer_t *target);
+/*!<
+ * \brief Decode a packed (no white space permitted) base32 region.
+ *
+ * Requires:
+ *\li   'source' is a valid region.
+ *\li   'target' is a valid buffer.
+ *
+ * Returns:
+ *\li   #ISC_R_SUCCESS  -- the entire decoded representation of 'cstring'
+ *                         fit in 'target'.
+ *\li   #ISC_R_BADBASE32 -- 'source' is not a valid base32 encoding.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_BASE32_H */
diff --git a/lib/isc/include/isc/base64.h b/lib/isc/include/isc/base64.h
index 26ffa48..e48ef2a 100644
--- a/lib/isc/include/isc/base64.h
+++ b/lib/isc/include/isc/base64.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.16.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: base64.h,v 1.22 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_BASE64_H
 #define ISC_BASE64_H 1
 
-/*! \file */
+/*! \file isc/base64.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/isc/include/isc/bitstring.h b/lib/isc/include/isc/bitstring.h
index 3e626b8..252d111 100644
--- a/lib/isc/include/isc/bitstring.h
+++ b/lib/isc/include/isc/bitstring.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bitstring.h,v 1.8.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: bitstring.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_BITSTRING_H
 #define ISC_BITSTRING_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file bitstring.h
+/*! \file isc/bitstring.h
  *
  * \brief Bitstring manipulation functions.
  *
diff --git a/lib/isc/include/isc/boolean.h b/lib/isc/include/isc/boolean.h
index ad736fe..348b096 100644
--- a/lib/isc/include/isc/boolean.h
+++ b/lib/isc/include/isc/boolean.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: boolean.h,v 1.13.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: boolean.h,v 1.19 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_BOOLEAN_H
 #define ISC_BOOLEAN_H 1
 
-/*! \file */
+/*! \file isc/boolean.h */
 
 typedef enum { isc_boolean_false = 0, isc_boolean_true = 1 } isc_boolean_t;
 
diff --git a/lib/isc/include/isc/buffer.h b/lib/isc/include/isc/buffer.h
index a285e27..2a02d88 100644
--- a/lib/isc/include/isc/buffer.h
+++ b/lib/isc/include/isc/buffer.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: buffer.h,v 1.43.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: buffer.h,v 1.53 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef ISC_BUFFER_H
 #define ISC_BUFFER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file buffer.h
+/*! \file isc/buffer.h
  *
  * \brief A buffer is a region of memory, together with a set of related subregions.
  * Buffers are used for parsing and I/O operations.
@@ -112,7 +112,7 @@
 #include <isc/types.h>
 
 /*!
- * To make many functions be inline macros (via #define) define this.
+ * To make many functions be inline macros (via \#define) define this.
  * If it is undefined, a function will be used.
  */
 /* #define ISC_BUFFER_USEINLINE */
@@ -168,13 +168,13 @@ ISC_LANG_BEGINDECLS
 struct isc_buffer {
 	unsigned int		magic;
 	void		       *base;
-        /*@{*/
+	/*@{*/
 	/*! The following integers are byte offsets from 'base'. */
 	unsigned int		length;
 	unsigned int		used;
 	unsigned int 		current;
 	unsigned int 		active;
-        /*@}*/
+	/*@}*/
 	/*! linkable */
 	ISC_LINK(isc_buffer_t)	link;
 	/*! private internal elements */
@@ -235,6 +235,26 @@ isc__buffer_init(isc_buffer_t *b, const void *base, unsigned int length);
  */
 
 void
+isc__buffer_initnull(isc_buffer_t *b);
+/*!<
+ *\brief Initialize a buffer 'b' with a null data and zero length/
+ */
+
+void
+isc_buffer_reinit(isc_buffer_t *b, void *base, unsigned int length);
+/*!<
+ * \brief Make 'b' refer to the 'length'-byte region starting at base.
+ * Any existing data will be copied.
+ *
+ * Requires:
+ *
+ *\li	'length' > 0 AND length >= previous length
+ *
+ *\li	'base' is a pointer to a sequence of 'length' bytes.
+ *
+ */
+
+void
 isc__buffer_invalidate(isc_buffer_t *b);
 /*!<
  * \brief Make 'b' an invalid buffer.
@@ -539,6 +559,57 @@ isc__buffer_putuint32(isc_buffer_t *b, isc_uint32_t val);
  *\li	The used pointer in 'b' is advanced by 4.
  */
 
+isc_uint64_t
+isc_buffer_getuint48(isc_buffer_t *b);
+/*!<
+ * \brief Read an unsigned 48-bit integer in network byte order from 'b',
+ * convert it to host byte order, and return it.
+ *
+ * Requires:
+ *
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the available region of 'b' is at least 6.
+ *
+ * Ensures:
+ *
+ *\li	The current pointer in 'b' is advanced by 6.
+ *
+ * Returns:
+ *
+ *\li	A 48-bit unsigned integer (stored in a 64-bit integer).
+ */
+
+void
+isc__buffer_putuint48(isc_buffer_t *b, isc_uint64_t val);
+/*!<
+ * \brief Store an unsigned 48-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *\li	The length of the unused region of 'b' is at least 6.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 6.
+ */
+
+void
+isc__buffer_putuint24(isc_buffer_t *b, isc_uint32_t val);
+/*!<
+ * Store an unsigned 24-bit integer in host byte order from 'val'
+ * into 'b' in network byte order.
+ *
+ * Requires:
+ *\li	'b' is a valid buffer.
+ *
+ *	The length of the unused region of 'b' is at least 3.
+ *
+ * Ensures:
+ *\li	The used pointer in 'b' is advanced by 3.
+ */
+
 void
 isc__buffer_putmem(isc_buffer_t *b, const unsigned char *base,
 		   unsigned int length);
@@ -625,6 +696,8 @@ ISC_LANG_ENDDECLS
 		(_b)->magic = ISC_BUFFER_MAGIC; \
 	} while (0)
 
+#define ISC__BUFFER_INITNULL(_b) ISC__BUFFER_INIT(_b, NULL, 0)
+
 #define ISC__BUFFER_INVALIDATE(_b) \
 	do { \
 		(_b)->magic = 0; \
@@ -752,6 +825,17 @@ ISC_LANG_ENDDECLS
 		_cp[1] = (unsigned char)(_val2 & 0x00ffU); \
 	} while (0)
 
+#define ISC__BUFFER_PUTUINT24(_b, _val) \
+	do { \
+		unsigned char *_cp; \
+		isc_uint32_t _val2 = (_val); \
+		_cp = isc_buffer_used(_b); \
+		(_b)->used += 3; \
+		_cp[0] = (unsigned char)((_val2 & 0xff0000U) >> 16); \
+		_cp[1] = (unsigned char)((_val2 & 0xff00U) >> 8); \
+		_cp[2] = (unsigned char)(_val2 & 0x00ffU); \
+	} while (0)
+
 #define ISC__BUFFER_PUTUINT32(_b, _val) \
 	do { \
 		unsigned char *_cp; \
@@ -766,6 +850,7 @@ ISC_LANG_ENDDECLS
 
 #if defined(ISC_BUFFER_USEINLINE)
 #define isc_buffer_init			ISC__BUFFER_INIT
+#define isc_buffer_initnull		ISC__BUFFER_INITNULL
 #define isc_buffer_invalidate		ISC__BUFFER_INVALIDATE
 #define isc_buffer_region		ISC__BUFFER_REGION
 #define isc_buffer_usedregion		ISC__BUFFER_USEDREGION
@@ -784,9 +869,11 @@ ISC_LANG_ENDDECLS
 #define isc_buffer_putstr		ISC__BUFFER_PUTSTR
 #define isc_buffer_putuint8		ISC__BUFFER_PUTUINT8
 #define isc_buffer_putuint16		ISC__BUFFER_PUTUINT16
+#define isc_buffer_putuint24		ISC__BUFFER_PUTUINT24
 #define isc_buffer_putuint32		ISC__BUFFER_PUTUINT32
 #else
 #define isc_buffer_init			isc__buffer_init
+#define isc_buffer_initnull		isc__buffer_initnull
 #define isc_buffer_invalidate		isc__buffer_invalidate
 #define isc_buffer_region		isc__buffer_region
 #define isc_buffer_usedregion		isc__buffer_usedregion
@@ -805,7 +892,13 @@ ISC_LANG_ENDDECLS
 #define isc_buffer_putstr		isc__buffer_putstr
 #define isc_buffer_putuint8		isc__buffer_putuint8
 #define isc_buffer_putuint16		isc__buffer_putuint16
+#define isc_buffer_putuint24		isc__buffer_putuint24
 #define isc_buffer_putuint32		isc__buffer_putuint32
 #endif
 
+/*
+ * No inline method for this one (yet).
+ */
+#define isc_buffer_putuint48		isc__buffer_putuint48
+
 #endif /* ISC_BUFFER_H */
diff --git a/lib/isc/include/isc/bufferlist.h b/lib/isc/include/isc/bufferlist.h
index 7fc2ecc..54e00c7 100644
--- a/lib/isc/include/isc/bufferlist.h
+++ b/lib/isc/include/isc/bufferlist.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: bufferlist.h,v 1.11.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: bufferlist.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_BUFFERLIST_H
 #define ISC_BUFFERLIST_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file bufferlist.h
+/*! \file isc/bufferlist.h
  *
  *
  *\brief	Buffer lists have no synchronization.  Clients must ensure exclusive
diff --git a/lib/isc/include/isc/commandline.h b/lib/isc/include/isc/commandline.h
index 5ece26f..384640a 100644
--- a/lib/isc/include/isc/commandline.h
+++ b/lib/isc/include/isc/commandline.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: commandline.h,v 1.10.18.2 2005/04/29 00:16:53 marka Exp $ */
+/* $Id: commandline.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_COMMANDLINE_H
 #define ISC_COMMANDLINE_H 1
 
-/*! \file */
+/*! \file isc/commandline.h */
 
 #include <isc/boolean.h>
 #include <isc/lang.h>
diff --git a/lib/isc/include/isc/entropy.h b/lib/isc/include/isc/entropy.h
index 2890f6c..e9e59c4 100644
--- a/lib/isc/include/isc/entropy.h
+++ b/lib/isc/include/isc/entropy.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.h,v 1.25.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: entropy.h,v 1.32.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_ENTROPY_H
 #define ISC_ENTROPY_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file entropy.h
+/*! \file isc/entropy.h
  * \brief The entropy API
  *
  * \li MP:
@@ -74,7 +74,7 @@ typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
  ***/
 
 /*!
- * \brief 
+ * \brief
  *	Extract only "good" data; return failure if there is not enough
  *	data available and there are no sources which we can poll to get
  *	data, or those sources are empty.
@@ -103,7 +103,7 @@ typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
 /*!
  * \brief
  *	Estimate the amount of entropy contained in the sample pool.
- *	If this is not set, the source will be gathered and perodically
+ *	If this is not set, the source will be gathered and periodically
  *	mixed into the entropy pool, but no increment in contained entropy
  *	will be assumed.  This flag only makes sense on sample sources.
  */
@@ -113,12 +113,12 @@ typedef void (*isc_entropystop_t)(isc_entropysource_t *source, void *arg);
  * For use with isc_entropy_usebestsource().
  */
 /*!
- * \brief 
+ * \brief
  *	Use the keyboard as the only entropy source.
  */
 #define ISC_ENTROPY_KEYBOARDYES		1
 /*!
- * \brief 
+ * \brief
  *	Never use the keyboard as an entropy source.
  */
 #define ISC_ENTROPY_KEYBOARDNO		2
@@ -194,7 +194,7 @@ isc_entropy_createcallbacksource(isc_entropy_t *ent,
 				 void *arg,
 				 isc_entropysource_t **sourcep);
 /*!<
- * \brief Create an entropy source that is polled via a callback.  
+ * \brief Create an entropy source that is polled via a callback.
  *
  * This would
  * be used when keyboard input is used, or a GUI input method.  It can
@@ -220,7 +220,7 @@ isc_result_t
 isc_entropy_addsample(isc_entropysource_t *source, isc_uint32_t sample,
 		      isc_uint32_t extra);
 /*!<
- * \brief Add a sample to the sample source.  
+ * \brief Add a sample to the sample source.
  *
  * The sample MUST be a timestamp
  * that increases over time, with the exception of wrap-around for
@@ -267,6 +267,13 @@ isc_entropy_stats(isc_entropy_t *ent, FILE *out);
  * \brief Dump some (trivial) stats to the stdio stream "out".
  */
 
+unsigned int
+isc_entropy_status(isc_entropy_t *end);
+/*
+ * Returns the number of bits the pool currently contains.  This is just
+ * an estimate.
+ */
+
 isc_result_t
 isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
 			  const char *randomfile, int use_keyboard);
@@ -275,11 +282,11 @@ isc_entropy_usebestsource(isc_entropy_t *ectx, isc_entropysource_t **source,
  *
  * Notes:
  *\li	If "randomfile" is not NULL, open it with
- *	isc_entropy_createfilesource(). 
+ *	isc_entropy_createfilesource().
  *
  *\li	If "randomfile" is NULL and the system's random device was detected
  *	when the program was configured and built, open that device with
- *	isc_entropy_createfilesource(). 
+ *	isc_entropy_createfilesource().
  *
  *\li	If "use_keyboard" is #ISC_ENTROPY_KEYBOARDYES, then always open
  *	the keyboard as an entropy source (possibly in addition to
diff --git a/lib/isc/include/isc/error.h b/lib/isc/include/isc/error.h
index 3320ae9..efb9b5f 100644
--- a/lib/isc/include/isc/error.h
+++ b/lib/isc/include/isc/error.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: error.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: error.h,v 1.20 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ERROR_H
 #define ISC_ERROR_H 1
 
-/*! \file */
+/*! \file isc/error.h */
 
 #include <stdarg.h>
 
diff --git a/lib/isc/include/isc/event.h b/lib/isc/include/isc/event.h
index f1b1d61..68fabb2 100644
--- a/lib/isc/include/isc/event.h
+++ b/lib/isc/include/isc/event.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: event.h,v 1.27.18.3 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: event.h,v 1.34 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_EVENT_H
 #define ISC_EVENT_H 1
 
-/*! \file */
+/*! \file isc/event.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/isc/include/isc/eventclass.h b/lib/isc/include/isc/eventclass.h
index 71de715..9e6c145 100644
--- a/lib/isc/include/isc/eventclass.h
+++ b/lib/isc/include/isc/eventclass.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: eventclass.h,v 1.14.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: eventclass.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_EVENTCLASS_H
 #define ISC_EVENTCLASS_H 1
diff --git a/lib/isc/include/isc/file.h b/lib/isc/include/isc/file.h
index 16b0075..c945734 100644
--- a/lib/isc/include/isc/file.h
+++ b/lib/isc/include/isc/file.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: file.h,v 1.27.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: file.h,v 1.33.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_FILE_H
 #define ISC_FILE_H 1
 
-/*! \file */
+/*! \file isc/file.h */
 
 #include <stdio.h>
 
@@ -35,7 +35,7 @@ isc_file_settime(const char *file, isc_time_t *time);
 isc_result_t
 isc_file_getmodtime(const char *file, isc_time_t *time);
 /*!<
- * \brief Get the time of last modication of a file.
+ * \brief Get the time of last modification of a file.
  *
  * Notes:
  *\li	The time that is set is relative to the (OS-specific) epoch, as are
@@ -204,7 +204,7 @@ isc_result_t
 isc_file_progname(const char *filename, char *buf, size_t buflen);
 /*!<
  * \brief Given an operating system specific file name "filename"
- * referring to a program, return the canonical program name. 
+ * referring to a program, return the canonical program name.
  *
  *
  * Any directory prefix or executable file name extension (if
diff --git a/lib/isc/include/isc/formatcheck.h b/lib/isc/include/isc/formatcheck.h
index 93c6232..51ce3ca 100644
--- a/lib/isc/include/isc/formatcheck.h
+++ b/lib/isc/include/isc/formatcheck.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: formatcheck.h,v 1.7.18.2 2005/04/29 00:16:54 marka Exp $ */
+/* $Id: formatcheck.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_FORMATCHECK_H
 #define ISC_FORMATCHECK_H 1
 
-/*! \file */
+/*! \file isc/formatcheck.h */
 
 /*%
  * ISC_FORMAT_PRINTF().
diff --git a/lib/isc/include/isc/fsaccess.h b/lib/isc/include/isc/fsaccess.h
index 70c4d7c..3b455e5 100644
--- a/lib/isc/include/isc/fsaccess.h
+++ b/lib/isc/include/isc/fsaccess.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,18 +15,18 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.h,v 1.8.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: fsaccess.h,v 1.14.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_FSACCESS_H
 #define ISC_FSACCESS_H 1
 
-/*! \file
+/*! \file isc/fsaccess.h
  * \brief The ISC filesystem access module encapsulates the setting of file
  * and directory access permissions into one API that is meant to be
  * portable to multiple operating systems.
  *
- * The two primary operating system flavors that are initially accomodated are
- * POSIX and Windows NT 4.0 and later.  The Windows NT access model is
+ * The two primary operating system flavors that are initially accommodated
+ * are POSIX and Windows NT 4.0 and later.  The Windows NT access model is
  * considerable more flexible than POSIX's model (as much as I am loathe to
  * admit it), and so the ISC API has a higher degree of complexity than would
  * be needed to simply address POSIX's needs.
@@ -88,7 +88,7 @@
  *
  * The rest of this comment discusses a few of the incompatibilities
  * between the two systems that need more thought if this API is to
- * be extended to accomodate them.
+ * be extended to accommodate them.
  *
  * The Windows standard access right "DELETE" doesn't have a direct
  * equivalent in the Unix world, so it isn't clear what should be done
@@ -98,18 +98,19 @@
  * of allowing users to create files in a directory but not delete or
  * rename them, it does not have a concept of allowing them to be deleted
  * if they are owned by the user trying to delete/rename.  While it is
- * probable that something could be cobbled together in NT 5 with inheritence,
+ * probable that something could be cobbled together in NT 5 with inheritance,
  * it can't really be done in NT 4 as a single property that you could
  * set on a directory.  You'd need to coordinate something with file creation
  * so that every file created had DELETE set for the owner but noone else.
  *
  * On Unix systems, setting #ISC_FSACCESS_LISTDIRECTORY sets READ.
- * ... setting either of #ISC_FSACCESS_(CREATE|DELETE)CHILD sets WRITE.
+ * ... setting either #ISC_FSACCESS_CREATECHILD or #ISC_FSACCESS_DELETECHILD
+ *      sets WRITE.
  * ... setting #ISC_FSACCESS_ACCESSCHILD sets EXECUTE.
  *
  * On NT systems, setting #ISC_FSACCESS_LISTDIRECTORY sets FILE_LIST_DIRECTORY.
- * ... setting ISC_FSACCESS_(CREATE|DELETE)CHILD sets
- *	FILE_(CREATE|DELETE)_CHILD independently.
+ * ... setting #ISC_FSACCESS_CREATECHILD sets FILE_CREATE_CHILD independently.
+ * ... setting #ISC_FSACCESS_DELETECHILD sets FILE_DELETE_CHILD independently.
  * ... setting #ISC_FSACCESS_ACCESSCHILD sets FILE_TRAVERSE.
  *
  * Unresolved:							XXXDCL
@@ -155,7 +156,7 @@
  * Adding any permission bits beyond 0x200 would mean typedef'ing
  * isc_fsaccess_t as isc_uint64_t, and redefining this value to
  * reflect the new range of permission types, Probably to 21 for
- * maximum flexibility.  The number of bits has to accomodate all of
+ * maximum flexibility.  The number of bits has to accommodate all of
  * the permission types, and three full sets of them have to fit
  * within an isc_fsaccess_t.
  */
diff --git a/lib/isc/include/isc/hash.h b/lib/isc/include/isc/hash.h
index cd29cdf..da30a19 100644
--- a/lib/isc/include/isc/hash.h
+++ b/lib/isc/include/isc/hash.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hash.h,v 1.4.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: hash.h,v 1.10.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_HASH_H
 #define ISC_HASH_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/hash.h
  *
  * \brief The hash API
  *	provides an unpredictable hash value for variable length data.
@@ -36,7 +36,7 @@
  *	in the random vector are unpredictable, the probability of hash
  *	collision between arbitrary two different values is at most 1/2^16.
  *
- *	Altough the API is generic about the hash keys, it mainly expects
+ *	Although the API is generic about the hash keys, it mainly expects
  *	DNS names (and sometimes IPv4/v6 addresses) as inputs.  It has an
  *	upper limit of the input length, and may run slow to calculate the
  *	hash values for large inputs.
@@ -135,7 +135,7 @@ isc_hash_ctxinit(isc_hash_t *hctx);
 void
 isc_hash_init(void);
 /*!<
- * \brief Initialize a hash object.  
+ * \brief Initialize a hash object.
  *
  * It fills in the random vector with a proper
  * source of entropy, which is typically from the entropy object specified
diff --git a/lib/isc/include/isc/heap.h b/lib/isc/include/isc/heap.h
index d54a8d5..82c5982 100644
--- a/lib/isc/include/isc/heap.h
+++ b/lib/isc/include/isc/heap.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: heap.h,v 1.17.18.3 2006/04/17 18:27:33 explorer Exp $ */
+/* $Id: heap.h,v 1.24.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_HEAP_H
 #define ISC_HEAP_H 1
 
-/*! \file */
+/*! \file isc/heap.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
@@ -28,7 +28,7 @@
 ISC_LANG_BEGINDECLS
 
 /*%
- * The comparision function returns ISC_TRUE if the first argument has
+ * The comparison function returns ISC_TRUE if the first argument has
  * higher priority than the second argument, and ISC_FALSE otherwise.
  */
 typedef isc_boolean_t (*isc_heapcompare_t)(void *, void *);
diff --git a/lib/isc/include/isc/hex.h b/lib/isc/include/isc/hex.h
index 9124a9b..a5e2f53 100644
--- a/lib/isc/include/isc/hex.h
+++ b/lib/isc/include/isc/hex.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hex.h,v 1.5.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: hex.h,v 1.13 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef ISC_HEX_H
 #define ISC_HEX_H 1
 
-/*! \file */
+/*! \file isc/hex.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
@@ -56,7 +56,7 @@ isc_hex_totext(isc_region_t *source, int wordlength,
  */
 
 isc_result_t
-isc_hex_decodestring(char *cstr, isc_buffer_t *target);
+isc_hex_decodestring(const char *cstr, isc_buffer_t *target);
 /*!<
  * \brief Decode a null-terminated hex string.
  *
diff --git a/lib/isc/include/isc/hmacmd5.h b/lib/isc/include/isc/hmacmd5.h
index 5c05675..fab9c58 100644
--- a/lib/isc/include/isc/hmacmd5.h
+++ b/lib/isc/include/isc/hmacmd5.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacmd5.h,v 1.5.18.4 2006/01/27 23:57:45 marka Exp $ */
+/* $Id: hmacmd5.h,v 1.12 2007/06/19 23:47:18 tbox Exp $ */
 
-/*! \file
+/*! \file isc/hmacmd5.h
  * \brief This is the header file for the HMAC-MD5 keyed hash algorithm
  * described in RFC2104.
  */
diff --git a/lib/isc/include/isc/hmacsha.h b/lib/isc/include/isc/hmacsha.h
index fce645c5..362b37f 100644
--- a/lib/isc/include/isc/hmacsha.h
+++ b/lib/isc/include/isc/hmacsha.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,9 +14,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.h,v 1.2.2.3 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: hmacsha.h,v 1.7 2007/06/19 23:47:18 tbox Exp $ */
 
-/*
+/*! \file isc/hmacsha.h
  * This is the header file for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
  * HMAC-SHA334 and HMAC-SHA512 hash algorithm described in RFC 2104.
  */
diff --git a/lib/isc/include/isc/httpd.h b/lib/isc/include/isc/httpd.h
new file mode 100644
index 0000000..ba7f900
--- /dev/null
+++ b/lib/isc/include/isc/httpd.h
@@ -0,0 +1,64 @@
+/*
+ * Copyright (C) 2006-2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: httpd.h,v 1.9 2008/08/08 05:06:49 marka Exp $ */
+
+#ifndef ISC_HTTPD_H
+#define ISC_HTTPD_H 1
+
+/*! \file */
+
+#include <isc/event.h>
+#include <isc/eventclass.h>
+#include <isc/types.h>
+#include <isc/mutex.h>
+#include <isc/task.h>
+
+#define HTTPD_EVENTCLASS		ISC_EVENTCLASS(4300)
+#define HTTPD_SHUTDOWN			(HTTPD_EVENTCLASS + 0x0001)
+
+#define ISC_HTTPDMGR_FLAGSHUTTINGDOWN	0x00000001
+
+/*
+ * Create a new http daemon which will send, once every time period,
+ * a http-like header followed by HTTP data.
+ */
+isc_result_t
+isc_httpdmgr_create(isc_mem_t *mctx, isc_socket_t *sock, isc_task_t *task,
+		    isc_httpdclientok_t *client_ok,
+		    isc_httpdondestroy_t *ondestory, void *cb_arg,
+		    isc_timermgr_t *tmgr, isc_httpdmgr_t **httpdp);
+
+void
+isc_httpdmgr_shutdown(isc_httpdmgr_t **httpdp);
+
+isc_result_t
+isc_httpdmgr_addurl(isc_httpdmgr_t *httpdmgr, const char *url,
+		    isc_httpdaction_t *func, void *arg);
+
+isc_result_t
+isc_httpd_response(isc_httpd_t *httpd);
+
+isc_result_t
+isc_httpd_addheader(isc_httpd_t *httpd, const char *name,
+		    const char *val);
+
+isc_result_t
+isc_httpd_addheaderuint(isc_httpd_t *httpd, const char *name, int val);
+
+isc_result_t isc_httpd_endheaders(isc_httpd_t *httpd);
+
+#endif /* ISC_HTTPD_H */
diff --git a/lib/isc/include/isc/interfaceiter.h b/lib/isc/include/isc/interfaceiter.h
index 12ec188..26d5dfb 100644
--- a/lib/isc/include/isc/interfaceiter.h
+++ b/lib/isc/include/isc/interfaceiter.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.h,v 1.11.18.2 2005/04/29 00:16:55 marka Exp $ */
+/* $Id: interfaceiter.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_INTERFACEITER_H
 #define ISC_INTERFACEITER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/interfaceiter.h
  * \brief Iterates over the list of network interfaces.
  *
  * Interfaces whose address family is not supported are ignored and never
diff --git a/lib/isc/include/isc/ipv6.h b/lib/isc/include/isc/ipv6.h
index 7c88f2b..8054c9e 100644
--- a/lib/isc/include/isc/ipv6.h
+++ b/lib/isc/include/isc/ipv6.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.20.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: ipv6.h,v 1.24 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_IPV6_H
 #define ISC_IPV6_H 1
diff --git a/lib/isc/include/isc/iterated_hash.h b/lib/isc/include/isc/iterated_hash.h
new file mode 100644
index 0000000..a8173f0
--- /dev/null
+++ b/lib/isc/include/isc/iterated_hash.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iterated_hash.h,v 1.3 2008/09/25 04:02:39 tbox Exp $ */
+
+#ifndef ISC_ITERATED_HASH_H
+#define ISC_ITERATED_HASH_H 1
+
+#include <isc/lang.h>
+#include <isc/sha1.h>
+
+/*
+ * The maximal hash length that can be encoded it a name
+ * using base32hex.  floor(255/8)*5
+ */
+#define NSEC3_MAX_HASH_LENGTH 155
+
+/*
+ * The maximum has that can be encoded in a single label using
+ * base32hex.  floor(63/8)*5
+ */
+#define NSEC3_MAX_LABEL_HASH 35
+
+ISC_LANG_BEGINDECLS
+
+int isc_iterated_hash(unsigned char out[NSEC3_MAX_HASH_LENGTH],
+		      unsigned int hashalg, int iterations,
+		      const unsigned char *salt, int saltlength,
+		      const unsigned char *in, int inlength);
+
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_ITERATED_HASH_H */
diff --git a/lib/isc/include/isc/lang.h b/lib/isc/include/isc/lang.h
index abe16f5..8c60866 100644
--- a/lib/isc/include/isc/lang.h
+++ b/lib/isc/include/isc/lang.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: lang.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_LANG_H
 #define ISC_LANG_H 1
 
-/*! \file */
+/*! \file isc/lang.h */
 
 #ifdef __cplusplus
 #define ISC_LANG_BEGINDECLS	extern "C" {
diff --git a/lib/isc/include/isc/lex.h b/lib/isc/include/isc/lex.h
index cb9cc18..8612150 100644
--- a/lib/isc/include/isc/lex.h
+++ b/lib/isc/include/isc/lex.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.h,v 1.30.18.5 2008/05/30 23:46:01 tbox Exp $ */
+/* $Id: lex.h,v 1.37 2008/05/30 23:47:01 tbox Exp $ */
 
 #ifndef ISC_LEX_H
 #define ISC_LEX_H 1
diff --git a/lib/isc/include/isc/lfsr.h b/lib/isc/include/isc/lfsr.h
index 0c2e845..d4d9707 100644
--- a/lib/isc/include/isc/lfsr.h
+++ b/lib/isc/include/isc/lfsr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.h,v 1.11.18.2 2005/04/29 00:16:56 marka Exp $ */
+/* $Id: lfsr.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_LFSR_H
 #define ISC_LFSR_H 1
 
-/*! \file */
+/*! \file isc/lfsr.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/isc/include/isc/lib.h b/lib/isc/include/isc/lib.h
index 45c547c..765cdfa 100644
--- a/lib/isc/include/isc/lib.h
+++ b/lib/isc/include/isc/lib.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.8.18.2 2005/04/29 00:16:58 marka Exp $ */
+/* $Id: lib.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_LIB_H
 #define ISC_LIB_H 1
 
-/*! \file */
+/*! \file isc/lib.h */
 
 #include <isc/types.h>
 #include <isc/lang.h>
diff --git a/lib/isc/include/isc/list.h b/lib/isc/include/isc/list.h
index 2adc33f..9338275 100644
--- a/lib/isc/include/isc/list.h
+++ b/lib/isc/include/isc/list.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.20.18.2 2006/06/06 00:11:41 marka Exp $ */
+/* $Id: list.h,v 1.24 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_LIST_H
 #define ISC_LIST_H 1
diff --git a/lib/isc/include/isc/log.h b/lib/isc/include/isc/log.h
index c381775..c9ba808 100644
--- a/lib/isc/include/isc/log.h
+++ b/lib/isc/include/isc/log.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.47.18.3 2005/04/29 00:16:58 marka Exp $ */
+/* $Id: log.h,v 1.54.332.5 2009/02/16 02:04:05 marka Exp $ */
 
 #ifndef ISC_LOG_H
 #define ISC_LOG_H 1
 
-/*! \file */
+/*! \file isc/log.h */
 
 #include <stdio.h>
 #include <stdarg.h>
@@ -86,7 +86,7 @@
 /*@}*/
 
 /*!
- * \brief Used to name the categories used by a library.  
+ * \brief Used to name the categories used by a library.
  *
  * An array of isc_logcategory
  * structures names each category, and the id value is initialized by calling
@@ -107,13 +107,13 @@ struct isc_logmodule {
 
 /*%
  * The isc_logfile structure is initialized as part of an isc_logdestination
- * before calling isc_log_createchannel().  
+ * before calling isc_log_createchannel().
  *
  * When defining an #ISC_LOG_TOFILE
  * channel the name, versions and maximum_size should be set before calling
  * isc_log_createchannel().  To define an #ISC_LOG_TOFILEDESC channel set only
  * the stream before the call.
- * 
+ *
  * Setting maximum_size to zero implies no maximum.
  */
 typedef struct isc_logfile {
@@ -166,6 +166,7 @@ LIBISC_EXTERNAL_DATA extern isc_logmodule_t isc_modules[];
 #define ISC_LOGMODULE_TIME (&isc_modules[1])
 #define ISC_LOGMODULE_INTERFACE (&isc_modules[2])
 #define ISC_LOGMODULE_TIMER (&isc_modules[3])
+#define ISC_LOGMODULE_FILE (&isc_modules[4])
 
 ISC_LANG_BEGINDECLS
 
@@ -477,7 +478,7 @@ isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
  *	number of named channels.)  When multiple channels of the same
  *	name are defined, the most recent definition is found.
  *
- *\li	Specifing a very large number of channels for a category will have
+ *\li	Specifying a very large number of channels for a category will have
  *	a moderate impact on performance in isc_log_write(), as each
  *	call looks up the category for the start of a linked list, which
  *	it follows all the way to the end to find matching modules.  The
@@ -527,7 +528,7 @@ isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
  */
 
 /* Attention: next four comments PRECEED code */
-/*! 
+/*!
  *   \brief
  * Write a message to the log channels.
  *
@@ -546,7 +547,7 @@ isc_log_usechannel(isc_logconfig_t *lcfg, const char *name,
  *\li	lctx is a valid logging context.
  *
  *\li	The category and module arguments must have ids that are in the
- *	range of known ids, as estabished by isc_log_registercategories()
+ *	range of known ids, as established by isc_log_registercategories()
  *	and isc_log_registermodules().
  *
  *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
@@ -585,7 +586,7 @@ ISC_FORMAT_PRINTF(5, 6);
  *\li	lctx is a valid logging context.
  *
  *\li	The category and module arguments must have ids that are in the
- *	range of known ids, as estabished by isc_log_registercategories()
+ *	range of known ids, as established by isc_log_registercategories()
  *	and isc_log_registermodules().
  *
  *\li	level != #ISC_LOG_DYNAMIC.  ISC_LOG_DYNAMIC is used only to define
@@ -633,8 +634,8 @@ isc_log_vwrite1(isc_log_t *lctx, isc_logcategory_t *category,
 ISC_FORMAT_PRINTF(5, 0);
 
 /*%
- * These are four internationalized versions of the the isc_log_[v]write[1]
- * functions.  
+ * These are four internationalized versions of the isc_log_[v]write[1]
+ * functions.
  *
  * The only difference is that they take arguments for a message
  * catalog, message set, and message number, all immediately preceding the
@@ -824,7 +825,7 @@ isc_log_opensyslog(const char *tag, int options, int facility);
  *			declared facility.
  * \endcode
  *
- *\li	Zero effort has been made (yet) to accomodate systems with openlog()
+ *\li	Zero effort has been made (yet) to accommodate systems with openlog()
  *	that only takes two arguments, or to identify valid syslog
  *	facilities or options for any given architecture.
  *
diff --git a/lib/isc/include/isc/magic.h b/lib/isc/include/isc/magic.h
index 045b54f..073de90 100644
--- a/lib/isc/include/isc/magic.h
+++ b/lib/isc/include/isc/magic.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: magic.h,v 1.12.18.2 2005/04/29 00:16:59 marka Exp $ */
+/* $Id: magic.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_MAGIC_H
 #define ISC_MAGIC_H 1
 
-/*! \file */
+/*! \file isc/magic.h */
 
 typedef struct {
 	unsigned int magic;
diff --git a/lib/isc/include/isc/md5.h b/lib/isc/include/isc/md5.h
index 3f9667e..5b0d785 100644
--- a/lib/isc/include/isc/md5.h
+++ b/lib/isc/include/isc/md5.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.h,v 1.9.18.4 2006/02/01 00:10:34 marka Exp $ */
+/* $Id: md5.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
 
-/*! \file 
+/*! \file isc/md5.h
  * \brief This is the header file for the MD5 message-digest algorithm.
  *
  * The algorithm is due to Ron Rivest.  This code was
diff --git a/lib/isc/include/isc/mem.h b/lib/isc/include/isc/mem.h
index 2c3c54e..480a934 100644
--- a/lib/isc/include/isc/mem.h
+++ b/lib/isc/include/isc/mem.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.h,v 1.59.18.11 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: mem.h,v 1.78.120.3 2009/02/11 03:07:01 jinmei Exp $ */
 
 #ifndef ISC_MEM_H
 #define ISC_MEM_H 1
 
-/*! \file */
+/*! \file isc/mem.h */
 
 #include <stdio.h>
 
@@ -28,6 +28,7 @@
 #include <isc/mutex.h>
 #include <isc/platform.h>
 #include <isc/types.h>
+#include <isc/xml.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -93,7 +94,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 /*!<
  * The variable isc_mem_debugging holds a set of flags for
  * turning certain memory debugging options on or off at
- * runtime.  Its is intialized to the value ISC_MEM_DEGBUGGING,
+ * runtime.  It is initialized to the value ISC_MEM_DEGBUGGING,
  * which is 0 by default but may be overridden at compile time.
  * The following flags can be specified:
  *
@@ -105,7 +106,7 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
  *	Crash if a free doesn't match an allocation.
  *
  * \li #ISC_MEM_DEBUGUSAGE
- *	If a hi_water mark is set, print the maximium inuse memory
+ *	If a hi_water mark is set, print the maximum inuse memory
  *	every time it is raised once it exceeds the hi_water mark.
  *
  * \li #ISC_MEM_DEBUGSIZE
@@ -153,11 +154,12 @@ LIBISC_EXTERNAL_DATA extern unsigned int isc_mem_debugging;
 
 #define isc_mem_get(c, s)	isc__mem_get((c), (s) _ISC_MEM_FILELINE)
 #define isc_mem_allocate(c, s)	isc__mem_allocate((c), (s) _ISC_MEM_FILELINE)
+#define isc_mem_reallocate(c, p, s) isc__mem_reallocate((c), (p), (s) _ISC_MEM_FILELINE)
 #define isc_mem_strdup(c, p)	isc__mem_strdup((c), (p) _ISC_MEM_FILELINE)
 #define isc_mempool_get(c)	isc__mempool_get((c) _ISC_MEM_FILELINE)
 
 /*%
- * isc_mem_putanddetach() is a convienence function for use where you
+ * isc_mem_putanddetach() is a convenience function for use where you
  * have a structure with an attached memory context.
  *
  * Given:
@@ -340,12 +342,12 @@ isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
  *
  * When the memory usage of 'mctx' exceeds 'hiwater',
  * '(water)(water_arg, #ISC_MEM_HIWATER)' will be called.  'water' needs to
- * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowlege the state
+ * call isc_mem_waterack() with #ISC_MEM_HIWATER to acknowledge the state
  * change.  'water' may be called multiple times.
  *
  * When the usage drops below 'lowater', 'water' will again be called, this
  * time with #ISC_MEM_LOWATER.  'water' need to calls isc_mem_waterack() with
- * #ISC_MEM_LOWATER to acknowlege the change.
+ * #ISC_MEM_LOWATER to acknowledge the change.
  *
  *	static void
  *	water(void *arg, int mark) {
@@ -359,6 +361,7 @@ isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
  *		}
  *		UNLOCK(&foo->marklock);
  *	}
+ *
  * If 'water' is NULL then 'water_arg', 'hi_water' and 'lo_water' are
  * ignored and the state is reset.
  *
@@ -371,7 +374,7 @@ isc_mem_setwater(isc_mem_t *mctx, isc_mem_water_t water, void *water_arg,
 void
 isc_mem_waterack(isc_mem_t *ctx, int mark);
 /*%<
- * Called to acknowledge changes in signalled by calls to 'water'.
+ * Called to acknowledge changes in signaled by calls to 'water'.
  */
 
 void
@@ -398,6 +401,65 @@ isc_mem_checkdestroyed(FILE *file);
  * Fatally fails if there are still active contexts.
  */
 
+unsigned int
+isc_mem_references(isc_mem_t *ctx);
+/*%<
+ * Return the current reference count.
+ */
+
+void
+isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag);
+/*%<
+ * Name 'ctx'.
+ *
+ * Notes:
+ *
+ *\li	Only the first 15 characters of 'name' will be copied.
+ *
+ *\li	'tag' is for debugging purposes only.
+ *
+ * Requires:
+ *
+ *\li	'ctx' is a valid ctx.
+ */
+
+const char *
+isc_mem_getname(isc_mem_t *ctx);
+/*%<
+ * Get the name of 'ctx', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Returns:
+ *\li	A non-NULL pointer to a null-terminated string.
+ * 	If the ctx has not been named, the string is
+ * 	empty.
+ */
+
+void *
+isc_mem_gettag(isc_mem_t *ctx);
+/*%<
+ * Get the tag value for  'task', as previously set using isc_mem_setname().
+ *
+ * Requires:
+ *\li	'ctx' is a valid ctx.
+ *
+ * Notes:
+ *\li	This function is for debugging purposes only.
+ *
+ * Requires:
+ *\li	'ctx' is a valid task.
+ */
+
+#ifdef HAVE_LIBXML2
+void
+isc_mem_renderxml(xmlTextWriterPtr writer);
+/*%<
+ * Render all contexts' statistics and status in XML for writer.
+ */
+#endif /* HAVE_LIBXML2 */
+
 /*
  * Memory pools
  */
@@ -451,7 +513,7 @@ isc_mempool_associatelock(isc_mempool_t *mpctx, isc_mutex_t *lock);
  * and it is also used to set or get internal state via the isc_mempool_get*()
  * and isc_mempool_set*() set of functions.
  *
- * Mutiple pools can each share a single lock.  For instance, if "manager"
+ * Multiple pools can each share a single lock.  For instance, if "manager"
  * type object contained pools for various sizes of events, and each of
  * these pools used a common lock.  Note that this lock must NEVER be used
  * by other than mempool routines once it is given to a pool, since that can
@@ -551,6 +613,8 @@ void
 isc__mem_put(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void *
 isc__mem_allocate(isc_mem_t *, size_t _ISC_MEM_FLARG);
+void *
+isc__mem_reallocate(isc_mem_t *, void *, size_t _ISC_MEM_FLARG);
 void
 isc__mem_free(isc_mem_t *, void * _ISC_MEM_FLARG);
 char *
diff --git a/lib/isc/include/isc/msgcat.h b/lib/isc/include/isc/msgcat.h
index 813b57c..fe3d336 100644
--- a/lib/isc/include/isc/msgcat.h
+++ b/lib/isc/include/isc/msgcat.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.h,v 1.9.18.2 2005/04/29 00:16:59 marka Exp $ */
+/* $Id: msgcat.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_MSGCAT_H
 #define ISC_MSGCAT_H 1
diff --git a/lib/isc/include/isc/msgs.h b/lib/isc/include/isc/msgs.h
index 0970647..d8f2787 100644
--- a/lib/isc/include/isc/msgs.h
+++ b/lib/isc/include/isc/msgs.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgs.h,v 1.9.18.4 2008/08/08 06:27:56 tbox Exp $ */
+/* $Id: msgs.h,v 1.17 2008/08/08 06:28:59 tbox Exp $ */
 
 #ifndef ISC_MSGS_H
 #define ISC_MSGS_H 1
 
-/*! \file */
+/*! \file isc/msgs.h */
 
 #include <isc/lib.h>		/* Provide isc_msgcat global variable. */
 #include <isc/msgcat.h>		/* Provide isc_msgcat_*() functions. */
diff --git a/lib/isc/include/isc/mutexblock.h b/lib/isc/include/isc/mutexblock.h
index fa244c9..65bf2bf 100644
--- a/lib/isc/include/isc/mutexblock.h
+++ b/lib/isc/include/isc/mutexblock.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.h,v 1.11.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: mutexblock.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_MUTEXBLOCK_H
 #define ISC_MUTEXBLOCK_H 1
 
-/*! \file */
+/*! \file isc/mutexblock.h */
 
 #include <isc/lang.h>
 #include <isc/mutex.h>
diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h
index 06d063e..8bfdbce 100644
--- a/lib/isc/include/isc/netaddr.h
+++ b/lib/isc/include/isc/netaddr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.h,v 1.25.18.5 2005/07/28 04:58:47 marka Exp $ */
+/* $Id: netaddr.h,v 1.35.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
 
-/*! \file */
+/*! \file isc/netaddr.h */
 
 #include <isc/lang.h>
 #include <isc/net.h>
@@ -36,7 +36,7 @@ ISC_LANG_BEGINDECLS
 struct isc_netaddr {
 	unsigned int family;
 	union {
-    		struct in_addr in;
+		struct in_addr in;
 		struct in6_addr in6;
 #ifdef ISC_PLATFORM_HAVESYSUNH
 		char un[sizeof(((struct sockaddr_un *)0)->sun_path)];
@@ -48,13 +48,18 @@ struct isc_netaddr {
 isc_boolean_t
 isc_netaddr_equal(const isc_netaddr_t *a, const isc_netaddr_t *b);
 
+/*%<
+ * Compare network addresses 'a' and 'b'.  Return #ISC_TRUE if
+ * they are equal, #ISC_FALSE if not.
+ */
+
 isc_boolean_t
 isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
 		     unsigned int prefixlen);
 /*%<
  * Compare the 'prefixlen' most significant bits of the network
- * addresses 'a' and 'b'.  Return #ISC_TRUE if they are equal,
- * #ISC_FALSE if not.
+ * addresses 'a' and 'b'.  If 'b''s scope is zero then 'a''s scope is
+ * ignored.  Return #ISC_TRUE if they are equal, #ISC_FALSE if not.
  */
 
 isc_result_t
@@ -166,7 +171,7 @@ isc_netaddr_prefixok(const isc_netaddr_t *na, unsigned int prefixlen);
  * Returns:
  *	ISC_R_SUCCESS
  *	ISC_R_RANGE		prefixlen out of range
- *	ISC_R_NOTIMPLENTED	unsupported family
+ *	ISC_R_NOTIMPLEMENTED	unsupported family
  *	ISC_R_FAILURE		extra bits.
  */
 
diff --git a/lib/isc/include/isc/netscope.h b/lib/isc/include/isc/netscope.h
index d9bea54..ba4e792 100644
--- a/lib/isc/include/isc/netscope.h
+++ b/lib/isc/include/isc/netscope.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netscope.h,v 1.5.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: netscope.h,v 1.11 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_NETSCOPE_H
 #define ISC_NETSCOPE_H 1
 
-/*! \file */
+/*! \file isc/netscope.h */
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/ondestroy.h b/lib/isc/include/isc/ondestroy.h
index 035873c..64bd643 100644
--- a/lib/isc/include/isc/ondestroy.h
+++ b/lib/isc/include/isc/ondestroy.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.h,v 1.8.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: ondestroy.h,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ONDESTROY_H
 #define ISC_ONDESTROY_H 1
@@ -25,7 +25,7 @@
 
 ISC_LANG_BEGINDECLS
 
-/*! \file 
+/*! \file isc/ondestroy.h
  * ondestroy handling.
  *
  * Any class ``X'' of objects that wants to send out notifications
diff --git a/lib/isc/include/isc/os.h b/lib/isc/include/isc/os.h
index b2b76d5..3cf59e2 100644
--- a/lib/isc/include/isc/os.h
+++ b/lib/isc/include/isc/os.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.h,v 1.6.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: os.h,v 1.12 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_OS_H
 #define ISC_OS_H 1
 
-/*! \file */
+/*! \file isc/os.h */
 
 #include <isc/lang.h>
 
diff --git a/lib/isc/include/isc/parseint.h b/lib/isc/include/isc/parseint.h
index 6940add..5047676 100644
--- a/lib/isc/include/isc/parseint.h
+++ b/lib/isc/include/isc/parseint.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.h,v 1.3.18.2 2005/04/29 00:17:00 marka Exp $ */
+/* $Id: parseint.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_PARSEINT_H
 #define ISC_PARSEINT_H 1
@@ -23,7 +23,7 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*! \file
+/*! \file isc/parseint.h
  * \brief Parse integers, in a saner way than atoi() or strtoul() do.
  */
 
diff --git a/lib/isc/include/isc/platform.h.in b/lib/isc/include/isc/platform.h.in
index afcd4df..1ed76b8 100644
--- a/lib/isc/include/isc/platform.h.in
+++ b/lib/isc/include/isc/platform.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.34.18.11 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: platform.h.in,v 1.48.84.2 2009/02/16 23:47:15 tbox Exp $ */
 
 #ifndef ISC_PLATFORM_H
 #define ISC_PLATFORM_H 1
@@ -26,11 +26,6 @@
  ***** Platform-dependent defines.
  *****/
 
-/*
- * Define if the platform has <strings.h>.
- */
-@ISC_PLATFORM_HAVESTRINGSH@
-
 /***
  *** Network.
  ***/
@@ -99,29 +94,26 @@
 @ISC_PLATFORM_NEEDPTON@
 
 /*! \brief
- * If this system needs inet_aton(), ISC_PLATFORM_NEEDATON will be defined.
- */
-@ISC_PLATFORM_NEEDATON@
-
-/*! \brief
  * If this system needs in_port_t, ISC_PLATFORM_NEEDPORTT will be defined.
  */
 @ISC_PLATFORM_NEEDPORTT@
 
 /*! \brief
- * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
+ * Define if the system has struct lifconf which is a extended struct ifconf
+ * for IPv6.
  */
-@ISC_PLATFORM_NEEDSTRSEP@
+@ISC_PLATFORM_HAVELIFCONF@
 
 /*! \brief
- * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
+ * Define if the system has struct if_laddrconf which is a extended struct
+ * ifconf for IPv6.
  */
-@ISC_PLATFORM_NEEDSTRLCPY@
+@ISC_PLATFORM_HAVEIF_LADDRCONF@
 
 /*! \brief
- * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
+ * Define if the system has struct if_laddrreq.
  */
-@ISC_PLATFORM_NEEDSTRLCAT@
+@ISC_PLATFORM_HAVEIF_LADDRREQ@
 
 /*! \brief
  * Define either ISC_PLATFORM_BSD44MSGHDR or ISC_PLATFORM_BSD43MSGHDR.
@@ -129,10 +121,9 @@
 @ISC_PLATFORM_MSGHDRFLAVOR@
 
 /*! \brief
- * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
- * prevent compiler warnings (such as with gcc on Solaris 2.8).
+ * Define if the system supports if_nametoindex.
  */
-@ISC_PLATFORM_BRACEPTHREADONCEINIT@
+@ISC_PLATFORM_HAVEIFNAMETOINDEX@
 
 /*! \brief
  * Define on some UnixWare systems to fix erroneous definitions of various
@@ -175,62 +166,74 @@
  */
 @ISC_PLATFORM_QUADFORMAT@
 
-/*! \brief
- * Defined if we are using threads.
+/***
+ *** String functions.
+ ***/
+/*
+ * If the system needs strsep(), ISC_PLATFORM_NEEDSTRSEP will be defined.
  */
-@ISC_PLATFORM_USETHREADS@
+@ISC_PLATFORM_NEEDSTRSEP@
 
-/*! \brief
- * Defined if unistd.h does not cause fd_set to be delared.
+/*
+ * If the system needs strlcpy(), ISC_PLATFORM_NEEDSTRLCPY will be defined.
  */
-@ISC_PLATFORM_NEEDSYSSELECTH@
+@ISC_PLATFORM_NEEDSTRLCPY@
 
-/*! \brief
- * Type used for resource limits.
+/*
+ * If the system needs strlcat(), ISC_PLATFORM_NEEDSTRLCAT will be defined.
  */
-@ISC_PLATFORM_RLIMITTYPE@
+@ISC_PLATFORM_NEEDSTRLCAT@
 
-/*! \brief
- * Define if your compiler supports "long long int".
+/*
+ * Define if this system needs strtoul.
  */
-@ISC_PLATFORM_HAVELONGLONG@
+@ISC_PLATFORM_NEEDSTRTOUL@
 
-/*! \brief
- * Define if the system has struct lifconf which is a extended struct ifconf
- * for IPv6.
+/*
+ * Define if this system needs memmove.
  */
-@ISC_PLATFORM_HAVELIFCONF@
+@ISC_PLATFORM_NEEDMEMMOVE@
 
-/*! \brief
- * Define if the system has struct if_laddrconf which is a extended struct
- * ifconf for IPv6.
+/***
+ *** Miscellaneous.
+ ***/
+
+/*
+ * Defined if we are using threads.
  */
-@ISC_PLATFORM_HAVEIF_LADDRCONF@
+@ISC_PLATFORM_USETHREADS@
 
-/*! \brief
- * Define if the system has struct if_laddrreq.
+/*
+ * Defined if unistd.h does not cause fd_set to be delared.
  */
-@ISC_PLATFORM_HAVEIF_LADDRREQ@
+@ISC_PLATFORM_NEEDSYSSELECTH@
 
-/*! \brief
- * Used to control how extern data is linked; needed for Win32 platforms.
+/*
+ * Defined to <gssapi.h> or <gssapi/gssapi.h> for how to include
+ * the GSSAPI header.
  */
-@ISC_PLATFORM_USEDECLSPEC@
+@ISC_PLATFORM_GSSAPIHEADER@
 
-/*! \brief
- * Define if the system supports if_nametoindex.
+/*
+ * Type used for resource limits.
  */
-@ISC_PLATFORM_HAVEIFNAMETOINDEX@
+@ISC_PLATFORM_RLIMITTYPE@
 
-/*! \brief
- * Define if this system needs strtoul.
+/*
+ * Define if your compiler supports "long long int".
  */
-@ISC_PLATFORM_NEEDSTRTOUL@
+@ISC_PLATFORM_HAVELONGLONG@
 
-/*! \brief
- * Define if this system needs memmove.
+/*
+ * Define if PTHREAD_ONCE_INIT should be surrounded by braces to
+ * prevent compiler warnings (such as with gcc on Solaris 2.8).
  */
-@ISC_PLATFORM_NEEDMEMMOVE@
+@ISC_PLATFORM_BRACEPTHREADONCEINIT@
+
+/*
+ * Used to control how extern data is linked; needed for Win32 platforms.
+ */
+@ISC_PLATFORM_USEDECLSPEC@
 
 /*
  * Define if the platform has <sys/un.h>.
@@ -244,6 +247,12 @@
 @ISC_PLATFORM_HAVEXADD@
 
 /*
+ * If the "xaddq" operation (64bit xadd) is available on this architecture,
+ * ISC_PLATFORM_HAVEXADDQ will be defined.
+ */
+@ISC_PLATFORM_HAVEXADDQ@
+
+/*
  * If the "atomic swap" operation is available on this architecture,
  * ISC_PLATFORM_HAVEATOMICSTORE" will be defined.
  */
@@ -271,6 +280,15 @@
 @ISC_PLATFORM_USESTDASM@
 
 /*
+ * Define if the platform has <strings.h>.
+ */
+@ISC_PLATFORM_HAVESTRINGSH@
+
+/***
+ ***	Windows dll support.
+ ***/
+
+/*
  * Define if MacOS style of PPC assembly must be used.
  * e.g. "r6", not "6", for register six.
  */
diff --git a/lib/isc/include/isc/portset.h b/lib/isc/include/isc/portset.h
index 6396e5c..dc1f856 100644
--- a/lib/isc/include/isc/portset.h
+++ b/lib/isc/include/isc/portset.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -14,10 +14,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portset.h,v 1.3.4.1 2008/06/24 03:42:10 marka Exp $ */
+/* $Id: portset.h,v 1.3.90.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*! \file isc/portset.h
- * \brief Transport Protocol Port Manipuration Module
+ * \brief Transport Protocol Port Manipulation Module
  *
  * This module provides simple utilities to handle a set of transport protocol
  * (UDP or TCP) port numbers, e.g., for creating an ACL list.  An isc_portset_t
diff --git a/lib/isc/include/isc/print.h b/lib/isc/include/isc/print.h
index 95c6b1c..cd1e38e 100644
--- a/lib/isc/include/isc/print.h
+++ b/lib/isc/include/isc/print.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.h,v 1.19.18.3 2005/06/08 02:07:56 marka Exp $ */
+/* $Id: print.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_PRINT_H
 #define ISC_PRINT_H 1
 
-/*! \file */
+/*! \file isc/print.h */
 
 /***
  *** Imports
diff --git a/lib/isc/include/isc/quota.h b/lib/isc/include/isc/quota.h
index 6f95cd5..7b0d0d9 100644
--- a/lib/isc/include/isc/quota.h
+++ b/lib/isc/include/isc/quota.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.h,v 1.10.18.4 2005/08/11 15:01:54 marka Exp $ */
+/* $Id: quota.h,v 1.16 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_QUOTA_H
 #define ISC_QUOTA_H 1
diff --git a/lib/isc/include/isc/radix.h b/lib/isc/include/isc/radix.h
new file mode 100644
index 0000000..fbb1893
--- /dev/null
+++ b/lib/isc/include/isc/radix.h
@@ -0,0 +1,240 @@
+/*
+ * Copyright (C) 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: radix.h,v 1.11.44.2 2008/12/24 23:47:02 tbox Exp $ */
+
+/*
+ * This source was adapted from MRT's RCS Ids:
+ * Id: radix.h,v 1.6 1999/08/03 03:32:53 masaki Exp
+ * Id: mrt.h,v 1.57.2.6 1999/12/28 23:41:27 labovit Exp
+ * Id: defs.h,v 1.5.2.2 2000/01/15 14:19:16 masaki Exp
+ */
+
+#include <isc/magic.h>
+#include <isc/types.h>
+#include <isc/mutex.h>
+#include <isc/net.h>
+#include <isc/refcount.h>
+
+#include <string.h>
+
+#ifndef _RADIX_H
+#define _RADIX_H
+
+#define NETADDR_TO_PREFIX_T(na,pt,bits) \
+	do { \
+		memset(&(pt), 0, sizeof(pt)); \
+		if((na) != NULL) { \
+			(pt).family = (na)->family; \
+			(pt).bitlen = (bits); \
+			if ((pt).family == AF_INET6) { \
+				memcpy(&(pt).add.sin6, &(na)->type.in6, \
+				       ((bits)+7)/8); \
+			} else \
+				memcpy(&(pt).add.sin, &(na)->type.in, \
+				       ((bits)+7)/8); \
+		} else { \
+			(pt).family = AF_UNSPEC; \
+			(pt).bitlen = 0; \
+		} \
+		isc_refcount_init(&(pt).refcount, 0); \
+	} while(0)
+
+typedef struct isc_prefix {
+    unsigned int family;	/* AF_INET | AF_INET6, or AF_UNSPEC for "any" */
+    unsigned int bitlen;	/* 0 for "any" */
+    isc_refcount_t refcount;
+    union {
+		struct in_addr sin;
+		struct in6_addr sin6;
+    } add;
+} isc_prefix_t;
+
+typedef void (*isc_radix_destroyfunc_t)(void *);
+typedef void (*isc_radix_processfunc_t)(isc_prefix_t *, void **);
+
+#define isc_prefix_tochar(prefix) ((char *)&(prefix)->add.sin)
+#define isc_prefix_touchar(prefix) ((u_char *)&(prefix)->add.sin)
+
+#define BIT_TEST(f, b)  ((f) & (b))
+
+/*
+ * We need "first match" when we search the radix tree to preserve
+ * compatibility with the existing ACL implementation. Radix trees
+ * naturally lend themselves to "best match". In order to get "first match"
+ * behavior, we keep track of the order in which entries are added to the
+ * tree--and when a search is made, we find all matching entries, and
+ * return the one that was added first.
+ *
+ * An IPv4 prefix and an IPv6 prefix may share a radix tree node if they
+ * have the same length and bit pattern (e.g., 127/8 and 7f::/8).  To
+ * disambiguate between them, node_num and data are two-element arrays;
+ * node_num[0] and data[0] are used for IPv4 addresses, node_num[1]
+ * and data[1] for IPv6 addresses.  The only exception is a prefix of
+ * 0/0 (aka "any" or "none"), which is always stored as IPv4 but matches
+ * IPv6 addresses too.
+ */
+
+#define ISC_IS6(family) ((family) == AF_INET6 ? 1 : 0)
+typedef struct isc_radix_node {
+   isc_uint32_t bit;			/* bit length of the prefix */
+   isc_prefix_t *prefix;		/* who we are in radix tree */
+   struct isc_radix_node *l, *r;	/* left and right children */
+   struct isc_radix_node *parent;	/* may be used */
+   void *data[2];			/* pointers to IPv4 and IPV6 data */
+   int node_num[2];			/* which node this was in the tree,
+					   or -1 for glue nodes */
+} isc_radix_node_t;
+
+#define RADIX_TREE_MAGIC         ISC_MAGIC('R','d','x','T');
+#define RADIX_TREE_VALID(a)      ISC_MAGIC_VALID(a, RADIX_TREE_MAGIC);
+
+typedef struct isc_radix_tree {
+   unsigned int		magic;
+   isc_mem_t		*mctx;
+   isc_radix_node_t 	*head;
+   isc_uint32_t		maxbits;	/* for IP, 32 bit addresses */
+   int num_active_node;			/* for debugging purposes */
+   int num_added_node;			/* total number of nodes */
+} isc_radix_tree_t;
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix);
+/*%<
+ * Search 'radix' for the best match to 'prefix'.
+ * Return the node found in '*target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid.
+ *
+ * Returns:
+ * \li	ISC_R_NOTFOUND
+ * \li	ISC_R_SUCCESS
+ */
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix);
+/*%<
+ * Insert 'source' or 'prefix' into the radix tree 'radix'.
+ * Return the node added in 'target'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'target' is not NULL and "*target" is NULL.
+ * \li	'prefix' to be valid or 'source' to be non NULL and contain
+ *	a valid prefix.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node);
+/*%<
+ * Remove the node 'node' from the radix tree 'radix'.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'node' to be valid.
+ */
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits);
+/*%<
+ * Create a radix tree with a maximum depth of 'maxbits';
+ *
+ * Requires:
+ * \li	'mctx' to be valid.
+ * \li	'target' to be non NULL and '*target' to be NULL.
+ * \li	'maxbits' to be less than or equal to RADIX_MAXBITS.
+ *
+ * Returns:
+ * \li	ISC_R_NOMEMORY
+ * \li	ISC_R_SUCCESS
+ */
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+/*%<
+ * Destroy a radix tree optionally calling 'func' to clean up node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ */
+
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func);
+/*%<
+ * Walk a radix tree calling 'func' to process node data.
+ *
+ * Requires:
+ * \li	'radix' to be valid.
+ * \li	'func' to point to a function.
+ */
+
+#define RADIX_MAXBITS 128
+#define RADIX_NBIT(x)        (0x80 >> ((x) & 0x7f))
+#define RADIX_NBYTE(x)       ((x) >> 3)
+
+#define RADIX_DATA_GET(node, type) (type *)((node)->data)
+#define RADIX_DATA_SET(node, value) ((node)->data = (void *)(value))
+
+#define RADIX_WALK(Xhead, Xnode) \
+    do { \
+	isc_radix_node_t *Xstack[RADIX_MAXBITS+1]; \
+	isc_radix_node_t **Xsp = Xstack; \
+	isc_radix_node_t *Xrn = (Xhead); \
+	while ((Xnode = Xrn)) { \
+	    if (Xnode->prefix)
+
+#define RADIX_WALK_ALL(Xhead, Xnode) \
+do { \
+	isc_radix_node_t *Xstack[RADIX_MAXBITS+1]; \
+	isc_radix_node_t **Xsp = Xstack; \
+	isc_radix_node_t *Xrn = (Xhead); \
+	while ((Xnode = Xrn)) { \
+	    if (1)
+
+#define RADIX_WALK_BREAK { \
+	    if (Xsp != Xstack) { \
+		Xrn = *(--Xsp); \
+	     } else { \
+		Xrn = (radix_node_t *) 0; \
+	    } \
+	    continue; }
+
+#define RADIX_WALK_END \
+	    if (Xrn->l) { \
+		if (Xrn->r) { \
+		    *Xsp++ = Xrn->r; \
+		} \
+		Xrn = Xrn->l; \
+	    } else if (Xrn->r) { \
+		Xrn = Xrn->r; \
+	    } else if (Xsp != Xstack) { \
+		Xrn = *(--Xsp); \
+	    } else { \
+		Xrn = (isc_radix_node_t *) 0; \
+	    } \
+	} \
+    } while (0)
+
+#endif /* _RADIX_H */
diff --git a/lib/isc/include/isc/random.h b/lib/isc/include/isc/random.h
index c5cef8b..9b6ca64 100644
--- a/lib/isc/include/isc/random.h
+++ b/lib/isc/include/isc/random.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.h,v 1.12.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: random.h,v 1.18.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_RANDOM_H
 #define ISC_RANDOM_H 1
@@ -23,9 +23,9 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*! \file
+/*! \file isc/random.h
  * \brief Implements a random state pool which will let the caller return a
- * series of possibly non-reproducable random values.  
+ * series of possibly non-reproducible random values.
  *
  * Note that the
  * strength of these numbers is not all that high, and should not be
diff --git a/lib/isc/include/isc/ratelimiter.h b/lib/isc/include/isc/ratelimiter.h
index 1944754..d18cf25 100644
--- a/lib/isc/include/isc/ratelimiter.h
+++ b/lib/isc/include/isc/ratelimiter.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.h,v 1.15.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: ratelimiter.h,v 1.21.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_RATELIMITER_H
 #define ISC_RATELIMITER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/ratelimiter.h
  * \brief A rate limiter is a mechanism for dispatching events at a limited
  * rate.  This is intended to be used when sending zone maintenance
  * SOA queries, NOTIFY messages, etc.
@@ -53,7 +53,7 @@ isc_ratelimiter_create(isc_mem_t *mctx, isc_timermgr_t *timermgr,
 isc_result_t
 isc_ratelimiter_setinterval(isc_ratelimiter_t *rl, isc_interval_t *interval);
 /*!<
- * Set the mininum interval between event executions.
+ * Set the minimum interval between event executions.
  * The interval value is copied, so the caller need not preserve it.
  *
  * Requires:
@@ -71,7 +71,7 @@ isc_result_t
 isc_ratelimiter_enqueue(isc_ratelimiter_t *rl, isc_task_t *task,
 			isc_event_t **eventp);
 /*%<
- * Queue an event for rate-limited execution.  
+ * Queue an event for rate-limited execution.
  *
  * This is similar
  * to doing an isc_task_send() to the 'task', except that the
@@ -102,7 +102,7 @@ isc_ratelimiter_shutdown(isc_ratelimiter_t *ratelimiter);
  *\li	Further attempts to enqueue events will fail with
  * 	#ISC_R_SHUTTINGDOWN.
  *
- *\li	The reatelimiter is no longer attached to its task.
+ *\li	The rate limiter is no longer attached to its task.
  */
 
 void
diff --git a/lib/isc/include/isc/refcount.h b/lib/isc/include/isc/refcount.h
index b930465..6ab14ae 100644
--- a/lib/isc/include/isc/refcount.h
+++ b/lib/isc/include/isc/refcount.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.h,v 1.6.18.5 2005/07/12 01:22:31 marka Exp $ */
+/* $Id: refcount.h,v 1.15 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_REFCOUNT_H
 #define ISC_REFCOUNT_H 1
@@ -27,7 +27,7 @@
 #include <isc/types.h>
 #include <isc/util.h>
 
-/*! \file
+/*! \file isc/refcount.h
  * \brief Implements a locked reference counter.  
  *
  * These functions may actually be
diff --git a/lib/isc/include/isc/region.h b/lib/isc/include/isc/region.h
index 9b651fe..43d8f8f 100644
--- a/lib/isc/include/isc/region.h
+++ b/lib/isc/include/isc/region.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.h,v 1.19.18.2 2005/04/29 00:17:01 marka Exp $ */
+/* $Id: region.h,v 1.25 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_REGION_H
 #define ISC_REGION_H 1
 
-/*! \file */
+/*! \file isc/region.h */
 
 #include <isc/types.h>
 
diff --git a/lib/isc/include/isc/resource.h b/lib/isc/include/isc/resource.h
index 8c33c89..747c9fd 100644
--- a/lib/isc/include/isc/resource.h
+++ b/lib/isc/include/isc/resource.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.h,v 1.5.18.4 2008/08/01 23:45:58 tbox Exp $ */
+/* $Id: resource.h,v 1.13 2008/07/11 23:47:09 tbox Exp $ */
 
 #ifndef ISC_RESOURCE_H
 #define ISC_RESOURCE_H 1
 
-/*! \file */
+/*! \file isc/resource.h */
 
 #include <isc/lang.h>
 #include <isc/types.h>
diff --git a/lib/isc/include/isc/result.h b/lib/isc/include/isc/result.h
index 0de3493..56b4ca6 100644
--- a/lib/isc/include/isc/result.h
+++ b/lib/isc/include/isc/result.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,11 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.62.18.4 2005/06/22 22:05:49 marka Exp $ */
+/* $Id: result.h,v 1.71 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef ISC_RESULT_H
 #define ISC_RESULT_H 1
 
+/*! \file isc/result.h */
+
 #include <isc/lang.h>
 #include <isc/types.h>
 
@@ -83,9 +85,10 @@
 #define ISC_R_DISABLED			57	/*%< disabled */
 #define ISC_R_MAXSIZE			58	/*%< max size */
 #define ISC_R_BADADDRESSFORM		59	/*%< invalid address format */
+#define ISC_R_BADBASE32			60	/*%< bad base32 encoding */
 
 /*% Not a result code: the number of results. */
-#define ISC_R_NRESULTS 			60
+#define ISC_R_NRESULTS 			61
 
 ISC_LANG_BEGINDECLS
 
diff --git a/lib/isc/include/isc/resultclass.h b/lib/isc/include/isc/resultclass.h
index 5e20800..b32426f 100644
--- a/lib/isc/include/isc/resultclass.h
+++ b/lib/isc/include/isc/resultclass.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,13 +15,13 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resultclass.h,v 1.12.18.2 2005/04/29 00:17:02 marka Exp $ */
+/* $Id: resultclass.h,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_RESULTCLASS_H
 #define ISC_RESULTCLASS_H 1
 
 
-/*! \file
+/*! \file isc/resultclass.h
  * \brief Registry of Predefined Result Type Classes
  *
  * A result class number is an unsigned 16 bit number.  Each class may
diff --git a/lib/isc/include/isc/rwlock.h b/lib/isc/include/isc/rwlock.h
index 404f93c..28052cd 100644
--- a/lib/isc/include/isc/rwlock.h
+++ b/lib/isc/include/isc/rwlock.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.h,v 1.21.18.3 2005/06/04 06:23:44 jinmei Exp $ */
+/* $Id: rwlock.h,v 1.28 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_RWLOCK_H
 #define ISC_RWLOCK_H 1
 
-/*! \file */
+/*! \file isc/rwlock.h */
 
 #include <isc/condition.h>
 #include <isc/lang.h>
diff --git a/lib/isc/include/isc/serial.h b/lib/isc/include/isc/serial.h
index 86d9b2f..f7e3049 100644
--- a/lib/isc/include/isc/serial.h
+++ b/lib/isc/include/isc/serial.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.h,v 1.10.18.2 2005/04/29 00:17:02 marka Exp $ */
+/* $Id: serial.h,v 1.16.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_SERIAL_H
 #define ISC_SERIAL_H 1
@@ -23,8 +23,8 @@
 #include <isc/lang.h>
 #include <isc/types.h>
 
-/*! \file
- *	\brief Implement 32 bit serial space arithmetic comparision functions.
+/*! \file isc/serial.h
+ *	\brief Implement 32 bit serial space arithmetic comparison functions.
  *	Note: Undefined results are returned as ISC_FALSE.
  */
 
diff --git a/lib/isc/include/isc/sha1.h b/lib/isc/include/isc/sha1.h
index bb22f06..63f12bb 100644
--- a/lib/isc/include/isc/sha1.h
+++ b/lib/isc/include/isc/sha1.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -18,11 +18,11 @@
 #ifndef ISC_SHA1_H
 #define ISC_SHA1_H 1
 
-/* $Id: sha1.h,v 1.9.18.5 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha1.h,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 /*	$NetBSD: sha1.h,v 1.2 1998/05/29 22:55:44 thorpej Exp $	*/
 
-/*! \file
+/*! \file isc/sha1.h
  * \brief SHA-1 in C
  * \author By Steve Reid <steve@edmweb.com>
  * \note 100% Public Domain
diff --git a/lib/isc/include/isc/sha2.h b/lib/isc/include/isc/sha2.h
index e54c620..211e255 100644
--- a/lib/isc/include/isc/sha2.h
+++ b/lib/isc/include/isc/sha2.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.h,v 1.2.2.6 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha2.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
 
 /*	$FreeBSD$	*/
 /*	$KAME: sha2.h,v 1.3 2001/03/12 08:27:48 itojun Exp $	*/
diff --git a/lib/isc/include/isc/sockaddr.h b/lib/isc/include/isc/sockaddr.h
index 83412d2..62cc773 100644
--- a/lib/isc/include/isc/sockaddr.h
+++ b/lib/isc/include/isc/sockaddr.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.h,v 1.42.18.8 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: sockaddr.h,v 1.55.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_SOCKADDR_H
 #define ISC_SOCKADDR_H 1
 
-/*! \file */
+/*! \file isc/sockaddr.h */
 
 #include <isc/lang.h>
 #include <isc/net.h>
@@ -84,6 +84,7 @@ isc_sockaddr_eqaddrprefix(const isc_sockaddr_t *a, const isc_sockaddr_t *b,
 /*%<
  * Return ISC_TRUE iff the most significant 'prefixlen' bits of the
  * socket addresses 'a' and 'b' are equal, ignoring the ports.
+ * If 'b''s scope is zero then 'a''s scope will be ignored.
  */
 
 unsigned int
@@ -209,7 +210,7 @@ isc_sockaddr_isexperimental(const isc_sockaddr_t *sa);
 isc_boolean_t
 isc_sockaddr_islinklocal(const isc_sockaddr_t *sa);
 /*%<
- * Returns ISC_TRUE if the address is a link local addresss.
+ * Returns ISC_TRUE if the address is a link local address.
  */
 
 isc_boolean_t
diff --git a/lib/isc/include/isc/socket.h b/lib/isc/include/isc/socket.h
index a9a22c8..035c994 100644
--- a/lib/isc/include/isc/socket.h
+++ b/lib/isc/include/isc/socket.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.h,v 1.57.18.15 2008/09/04 08:03:08 marka Exp $ */
+/* $Id: socket.h,v 1.85.58.3 2009/01/29 22:40:35 jinmei Exp $ */
 
 #ifndef ISC_SOCKET_H
 #define ISC_SOCKET_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/socket.h
  * \brief Provides TCP and UDP sockets for network I/O.  The sockets are event
  * sources in the task system.
  *
@@ -64,6 +64,7 @@
 #include <isc/time.h>
 #include <isc/region.h>
 #include <isc/sockaddr.h>
+#include <isc/xml.h>
 
 ISC_LANG_BEGINDECLS
 
@@ -83,6 +84,75 @@ ISC_LANG_BEGINDECLS
  */
 #define ISC_SOCKET_REUSEADDRESS		0x01U
 
+/*%
+ * Statistics counters.  Used as isc_statscounter_t values.
+ */
+enum {
+	isc_sockstatscounter_udp4open = 0,
+	isc_sockstatscounter_udp6open = 1,
+	isc_sockstatscounter_tcp4open = 2,
+	isc_sockstatscounter_tcp6open = 3,
+	isc_sockstatscounter_unixopen = 4,
+
+	isc_sockstatscounter_udp4openfail = 5,
+	isc_sockstatscounter_udp6openfail = 6,
+	isc_sockstatscounter_tcp4openfail = 7,
+	isc_sockstatscounter_tcp6openfail = 8,
+	isc_sockstatscounter_unixopenfail = 9,
+
+	isc_sockstatscounter_udp4close = 10,
+	isc_sockstatscounter_udp6close = 11,
+	isc_sockstatscounter_tcp4close = 12,
+	isc_sockstatscounter_tcp6close = 13,
+	isc_sockstatscounter_unixclose = 14,
+	isc_sockstatscounter_fdwatchclose = 15,
+
+	isc_sockstatscounter_udp4bindfail = 16,
+	isc_sockstatscounter_udp6bindfail = 17,
+	isc_sockstatscounter_tcp4bindfail = 18,
+	isc_sockstatscounter_tcp6bindfail = 19,
+	isc_sockstatscounter_unixbindfail = 20,
+	isc_sockstatscounter_fdwatchbindfail = 21,
+
+	isc_sockstatscounter_udp4connect = 22,
+	isc_sockstatscounter_udp6connect = 23,
+	isc_sockstatscounter_tcp4connect = 24,
+	isc_sockstatscounter_tcp6connect = 25,
+	isc_sockstatscounter_unixconnect = 26,
+	isc_sockstatscounter_fdwatchconnect = 27,
+
+	isc_sockstatscounter_udp4connectfail = 28,
+	isc_sockstatscounter_udp6connectfail = 29,
+	isc_sockstatscounter_tcp4connectfail = 30,
+	isc_sockstatscounter_tcp6connectfail = 31,
+	isc_sockstatscounter_unixconnectfail = 32,
+	isc_sockstatscounter_fdwatchconnectfail = 33,
+
+	isc_sockstatscounter_tcp4accept = 34,
+	isc_sockstatscounter_tcp6accept = 35,
+	isc_sockstatscounter_unixaccept = 36,
+
+	isc_sockstatscounter_tcp4acceptfail = 37,
+	isc_sockstatscounter_tcp6acceptfail = 38,
+	isc_sockstatscounter_unixacceptfail = 39,
+
+	isc_sockstatscounter_udp4sendfail = 40,
+	isc_sockstatscounter_udp6sendfail = 41,
+	isc_sockstatscounter_tcp4sendfail = 42,
+	isc_sockstatscounter_tcp6sendfail = 43,
+	isc_sockstatscounter_unixsendfail = 44,
+	isc_sockstatscounter_fdwatchsendfail = 45,
+
+	isc_sockstatscounter_udp4recvfail = 46,
+	isc_sockstatscounter_udp6recvfail = 47,
+	isc_sockstatscounter_tcp4recvfail = 48,
+	isc_sockstatscounter_tcp6recvfail = 49,
+	isc_sockstatscounter_unixrecvfail = 50,
+	isc_sockstatscounter_fdwatchrecvfail = 51,
+
+	isc_sockstatscounter_max = 52
+};
+
 /***
  *** Types
  ***/
@@ -150,7 +220,8 @@ struct isc_socket_connev {
 typedef enum {
 	isc_sockettype_udp = 1,
 	isc_sockettype_tcp = 2,
-	isc_sockettype_unix = 3
+	isc_sockettype_unix = 3,
+	isc_sockettype_fdwatch = 4
 } isc_sockettype_t;
 
 /*@{*/
@@ -181,6 +252,14 @@ typedef enum {
 #define ISC_SOCKFLAG_NORETRY	0x00000002	/*%< drop failed UDP sends */
 /*@}*/
 
+/*@{*/
+/*!
+ * Flags for fdwatchcreate.
+ */
+#define ISC_SOCKFDWATCH_READ	0x00000001	/*%< watch for readable */
+#define ISC_SOCKFDWATCH_WRITE	0x00000002	/*%< watch for writable */
+/*@}*/
+
 /***
  *** Socket and Socket Manager Functions
  ***
@@ -189,6 +268,45 @@ typedef enum {
  ***/
 
 isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager,
+			 int fd,
+			 int flags,
+			 isc_sockfdwatch_t callback,
+			 void *cbarg,
+			 isc_task_t *task,
+			 isc_socket_t **socketp);
+/*%<
+ * Create a new file descriptor watch socket managed by 'manager'.
+ *
+ * Note:
+ *
+ *\li   'fd' is the already-opened file descriptor.
+ *\li	This function is not available on Windows.
+ *\li	The callback function is called "in-line" - this means the function
+ *	needs to return as fast as possible, as all other I/O will be suspended
+ *	until the callback completes.
+ *
+ * Requires:
+ *
+ *\li	'manager' is a valid manager
+ *
+ *\li	'socketp' is a valid pointer, and *socketp == NULL
+ *
+ *\li	'fd' be opened.
+ *
+ * Ensures:
+ *
+ *	'*socketp' is attached to the newly created fdwatch socket
+ *
+ * Returns:
+ *
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li	#ISC_R_NORESOURCES
+ *\li	#ISC_R_UNEXPECTED
+ */
+
+isc_result_t
 isc_socket_create(isc_socketmgr_t *manager,
 		  int pf,
 		  isc_sockettype_t type,
@@ -196,6 +314,9 @@ isc_socket_create(isc_socketmgr_t *manager,
 /*%<
  * Create a new 'type' socket managed by 'manager'.
  *
+ * For isc_sockettype_fdwatch sockets you should use isc_socket_fdwatchcreate()
+ * rather than isc_socket_create().
+ *
  * Note:
  *
  *\li	'pf' is the desired protocol family, e.g. PF_INET or PF_INET6.
@@ -206,6 +327,8 @@ isc_socket_create(isc_socketmgr_t *manager,
  *
  *\li	'socketp' is a valid pointer, and *socketp == NULL
  *
+ *\li	'type' is not isc_sockettype_fdwatch
+ *
  * Ensures:
  *
  *	'*socketp' is attached to the newly created socket
@@ -329,12 +452,17 @@ isc_socket_open(isc_socket_t *sock);
  * one.  This optimization may not be available for some systems, in which
  * case this function will return ISC_R_NOTIMPLEMENTED and must not be used.
  *
+ * isc_socket_open() should not be called on sockets created by
+ * isc_socket_fdwatchcreate().
+ *
  * Requires:
  *
  * \li	there must be no other reference to this socket.
  *
  * \li	'socket' is a valid and previously closed by isc_socket_close()
  *
+ * \li  'sock->type' is not isc_sockettype_fdwatch
+ *
  * Returns:
  *	Same as isc_socket_create().
  * \li	ISC_R_NOTIMPLEMENTED
@@ -350,6 +478,9 @@ isc_socket_close(isc_socket_t *sock);
  * systems, in which case this function will return ISC_R_NOTIMPLEMENTED and
  * must not be used.
  *
+ * isc_socket_close() should not be called on sockets created by
+ * isc_socket_fdwatchcreate().
+ *
  * Requires:
  *
  * \li	The socket must have a valid descriptor.
@@ -358,6 +489,8 @@ isc_socket_close(isc_socket_t *sock);
  *
  * \li	There must be no pending I/O requests.
  *
+ * \li  'sock->type' is not isc_sockettype_fdwatch
+ *
  * Returns:
  * \li	#ISC_R_NOTIMPLEMENTED
  */
@@ -738,6 +871,19 @@ isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp);
  */
 
 void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats);
+/*%<
+ * Set a general socket statistics counter set 'stats' for 'manager'.
+ *
+ * Requires:
+ * \li	'manager' is valid, hasn't opened any socket, and doesn't have
+ *	stats already set.
+ *
+ *\li	stats is a valid statistics supporting socket statistics counters
+ *	(see above).
+ */
+
+void
 isc_socketmgr_destroy(isc_socketmgr_t **managerp);
 /*%<
  * Destroy a socket manager.
@@ -812,7 +958,7 @@ isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
  * Set ownership and file permissions on the UNIX domain socket.
  *
  * Note: On Solaris and SunOS this secures the directory containing
- *       the socket as Solaris and SunOS do not honour the filesytem
+ *       the socket as Solaris and SunOS do not honour the filesystem
  *	 permissions on the socket.
  *
  * Requires:
@@ -823,12 +969,39 @@ isc_socket_permunix(isc_sockaddr_t *sockaddr, isc_uint32_t perm,
  * \li	#ISC_R_FAILURE
  */
 
+void isc_socket_setname(isc_socket_t *socket, const char *name, void *tag);
+/*%<
+ * Set the name and optional tag for a socket.  This allows tracking of the
+ * owner or purpose for this socket, and is useful for tracing and statistics
+ * reporting.
+ */
+
+const char *isc_socket_getname(isc_socket_t *socket);
+/*%<
+ * Get the name associated with a socket, if any.
+ */
+
+void *isc_socket_gettag(isc_socket_t *socket);
+/*%<
+ * Get the tag associated with a socket, if any.
+ */
+
 void
 isc__socketmgr_setreserved(isc_socketmgr_t *mgr, isc_uint32_t);
 /*%<
  * Temporary.  For use by named only.
  */
 
+#ifdef HAVE_LIBXML2
+
+void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer);
+/*%<
+ * Render internal statistics and other state into the XML document.
+ */
+
+#endif /* HAVE_LIBXML2 */
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_SOCKET_H */
diff --git a/lib/isc/include/isc/stats.h b/lib/isc/include/isc/stats.h
new file mode 100644
index 0000000..a6156d8
--- /dev/null
+++ b/lib/isc/include/isc/stats.h
@@ -0,0 +1,121 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stats.h,v 1.4.2.2 2009/01/29 23:47:44 tbox Exp $ */
+
+#ifndef ISC_STATS_H
+#define ISC_STATS_H 1
+
+/*! \file isc/stats.h */
+
+#include <isc/types.h>
+
+ISC_LANG_BEGINDECLS
+
+/*%<
+ * Flag(s) for isc_stats_dump().
+ */
+#define ISC_STATSDUMP_VERBOSE	0x00000001 /*%< dump 0-value counters */
+
+/*%<
+ * Dump callback type.
+ */
+typedef void (*isc_stats_dumper_t)(isc_statscounter_t, isc_uint64_t, void *);
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters);
+/*%<
+ * Create a statistics counter structure of general type.  It counts a general
+ * set of counters indexed by an ID between 0 and ncounters -1.
+ *
+ * Requires:
+ *\li	'mctx' must be a valid memory context.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL.
+ *
+ * Returns:
+ *\li	ISC_R_SUCCESS	-- all ok
+ *
+ *\li	anything else	-- failure
+ */
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp);
+/*%<
+ * Attach to a statistics set.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	'statsp' != NULL && '*statsp' == NULL
+ */
+
+void
+isc_stats_detach(isc_stats_t **statsp);
+/*%<
+ * Detaches from the statistics set.
+ *
+ * Requires:
+ *\li	'statsp' != NULL and '*statsp' is a valid isc_stats_t.
+ */
+
+int
+isc_stats_ncounters(isc_stats_t *stats);
+/*%<
+ * Returns the number of counters contained in stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ */
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Increment the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ *
+ *\li	counter is less than the maximum available ID for the stats specified
+ *	on creation.
+ */
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter);
+/*%<
+ * Decrement the counter-th counter of stats.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn, void *arg,
+	       unsigned int options);
+/*%<
+ * Dump the current statistics counters in a specified way.  For each counter
+ * in stats, dump_fn is called with its current value and the given argument
+ * arg.  By default counters that have a value of 0 is skipped; if options has
+ * the ISC_STATSDUMP_VERBOSE flag, even such counters are dumped.
+ *
+ * Requires:
+ *\li	'stats' is a valid isc_stats_t.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif /* ISC_STATS_H */
diff --git a/lib/isc/include/isc/stdio.h b/lib/isc/include/isc/stdio.h
index e3bf0cd..1a7ae64 100644
--- a/lib/isc/include/isc/stdio.h
+++ b/lib/isc/include/isc/stdio.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.h,v 1.7.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: stdio.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_STDIO_H
 #define ISC_STDIO_H 1
 
-/*! \file */
+/*! \file isc/stdio.h */
 
 /*% 
  * These functions are wrappers around the corresponding stdio functions.
diff --git a/lib/isc/include/isc/stdlib.h b/lib/isc/include/isc/stdlib.h
index 0e2c697..02243f0 100644
--- a/lib/isc/include/isc/stdlib.h
+++ b/lib/isc/include/isc/stdlib.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdlib.h,v 1.2.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: stdlib.h,v 1.8 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_STDLIB_H
 #define ISC_STDLIB_H 1
 
-/*! \file */
+/*! \file isc/stdlib.h */
 
 #include <stdlib.h>
 
diff --git a/lib/isc/include/isc/string.h b/lib/isc/include/isc/string.h
index bda71f4..b49fdbc 100644
--- a/lib/isc/include/isc/string.h
+++ b/lib/isc/include/isc/string.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.h,v 1.12.18.6 2007/09/13 05:04:01 each Exp $ */
+/* $Id: string.h,v 1.23 2007/09/13 04:48:16 each Exp $ */
 
 #ifndef ISC_STRING_H
 #define ISC_STRING_H 1
 
-/*! \file */
+/*! \file isc/string.h */
 
 #include <isc/formatcheck.h>
 #include <isc/int.h>
diff --git a/lib/isc/include/isc/symtab.h b/lib/isc/include/isc/symtab.h
index 94ea173..396d645 100644
--- a/lib/isc/include/isc/symtab.h
+++ b/lib/isc/include/isc/symtab.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.17.18.4 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: symtab.h,v 1.24.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_SYMTAB_H
 #define ISC_SYMTAB_H 1
@@ -24,10 +24,10 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/symtab.h
  * \brief Provides a simple memory-based symbol table.
  *
- * Keys are C strings, and key comparisons are case-insenstive.  A type may
+ * Keys are C strings, and key comparisons are case-insensitive.  A type may
  * be specified when looking up, defining, or undefining.  A type value of
  * 0 means "match any type"; any other value will only match the given
  * type.
diff --git a/lib/isc/include/isc/task.h b/lib/isc/include/isc/task.h
index f7d237c..8106571 100644
--- a/lib/isc/include/isc/task.h
+++ b/lib/isc/include/isc/task.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.h,v 1.51.18.2 2005/04/29 00:17:03 marka Exp $ */
+/* $Id: task.h,v 1.61.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISC_TASK_H
 #define ISC_TASK_H 1
@@ -24,9 +24,9 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/task.h
  * \brief The task system provides a lightweight execution context, which is
- * basically an event queue.  
+ * basically an event queue.
 
  * When a task's event queue is non-empty, the
  * task is runnable.  A small work crew of threads, typically one per CPU,
@@ -67,7 +67,7 @@
  * Consumers of events should purge, not unsend.
  *
  * Producers of events often want to remove events when the caller indicates
- * it is no longer interested in the object, e.g. by cancelling a timer.
+ * it is no longer interested in the object, e.g. by canceling a timer.
  * Sometimes this can be done by purging, but for some event types, the
  * calls to isc_event_free() cause deadlock because the event free routine
  * wants to acquire a lock the caller is already holding.  Unsending instead
@@ -84,6 +84,7 @@
 #include <isc/lang.h>
 #include <isc/stdtime.h>
 #include <isc/types.h>
+#include <isc/xml.h>
 
 #define ISC_TASKEVENT_FIRSTEVENT	(ISC_EVENTCLASS_TASK + 0)
 #define ISC_TASKEVENT_SHUTDOWN		(ISC_EVENTCLASS_TASK + 1)
@@ -497,7 +498,7 @@ isc_task_beginexclusive(isc_task_t *task);
  * current event, and prevents any new events from executing in any of the
  * tasks sharing a task manager with 'task'.
  *
- * The exclusive access must be relinquished by calling 
+ * The exclusive access must be relinquished by calling
  * isc_task_endexclusive() before returning from the current event handler.
  *
  * Requires:
@@ -512,7 +513,7 @@ isc_task_beginexclusive(isc_task_t *task);
 void
 isc_task_endexclusive(isc_task_t *task);
 /*%<
- * Relinquish the exclusive access obtained by isc_task_beginexclusive(), 
+ * Relinquish the exclusive access obtained by isc_task_beginexclusive(),
  * allowing other tasks to execute.
  *
  * Requires:
@@ -592,7 +593,7 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp);
  *	because it would block forever waiting for the event action to
  *	complete.  An event action that wants to cause task manager shutdown
  *	should request some non-event action thread of execution to do the
- *	shutdown, e.g. by signalling a condition variable or using
+ *	shutdown, e.g. by signaling a condition variable or using
  *	isc_app_shutdown().
  *
  *\li	Task manager references are not reference counted, so the caller
@@ -611,6 +612,13 @@ isc_taskmgr_destroy(isc_taskmgr_t **managerp);
  *	have been freed.
  */
 
+#ifdef HAVE_LIBXML2
+
+void
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer);
+
+#endif
+
 ISC_LANG_ENDDECLS
 
 #endif /* ISC_TASK_H */
diff --git a/lib/isc/include/isc/taskpool.h b/lib/isc/include/isc/taskpool.h
index 6c97605..fd07bfd 100644
--- a/lib/isc/include/isc/taskpool.h
+++ b/lib/isc/include/isc/taskpool.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.h,v 1.9.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: taskpool.h,v 1.15 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_TASKPOOL_H
 #define ISC_TASKPOOL_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/taskpool.h
  * \brief A task pool is a mechanism for sharing a small number of tasks
  * among a large number of objects such that each object is
  * assigned a unique task, but each task may be shared by several
diff --git a/lib/isc/include/isc/timer.h b/lib/isc/include/isc/timer.h
index 7a7f614..a4b2df7 100644
--- a/lib/isc/include/isc/timer.h
+++ b/lib/isc/include/isc/timer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.h,v 1.31.18.5 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: timer.h,v 1.40 2008/06/23 23:47:11 tbox Exp $ */
 
 #ifndef ISC_TIMER_H
 #define ISC_TIMER_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isc/timer.h
  * \brief Provides timers which are event sources in the task system.
  *
  * Three types of timers are supported:
diff --git a/lib/isc/include/isc/types.h b/lib/isc/include/isc/types.h
index b501b2c..4dccbf9 100644
--- a/lib/isc/include/isc/types.h
+++ b/lib/isc/include/isc/types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.35.18.4 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: types.h,v 1.46.84.2 2009/01/29 23:47:44 tbox Exp $ */
 
 #ifndef ISC_TYPES_H
 #define ISC_TYPES_H 1
 
-/*! \file
+/*! \file isc/types.h
  * \brief
  * OS-specific types, from the OS-specific include directories.
  */
@@ -52,6 +52,11 @@ typedef ISC_LIST(isc_event_t)		isc_eventlist_t;	/*%< Event List */
 typedef unsigned int			isc_eventtype_t;	/*%< Event Type */
 typedef isc_uint32_t			isc_fsaccess_t;		/*%< FS Access */
 typedef struct isc_hash			isc_hash_t;		/*%< Hash */
+typedef struct isc_httpd		isc_httpd_t;		/*%< HTTP client */
+typedef void (isc_httpdfree_t)(isc_buffer_t *, void *);		/*%< HTTP free function */
+typedef struct isc_httpdmgr		isc_httpdmgr_t;		/*%< HTTP manager */
+typedef struct isc_httpdurl		isc_httpdurl_t;		/*%< HTTP URL */
+typedef void (isc_httpdondestroy_t)(void *);			/*%< Callback on destroying httpd */
 typedef struct isc_interface		isc_interface_t;	/*%< Interface */
 typedef struct isc_interfaceiter	isc_interfaceiter_t;	/*%< Interface Iterator */
 typedef struct isc_interval		isc_interval_t;		/*%< Interval */
@@ -77,6 +82,8 @@ typedef struct isc_sockaddr		isc_sockaddr_t;		/*%< Socket Address */
 typedef struct isc_socket		isc_socket_t;		/*%< Socket */
 typedef struct isc_socketevent		isc_socketevent_t;	/*%< Socket Event */
 typedef struct isc_socketmgr		isc_socketmgr_t;	/*%< Socket Manager */
+typedef struct isc_stats		isc_stats_t;		/*%< Statistics */
+typedef int				isc_statscounter_t;	/*%< Statistics Counter */
 typedef struct isc_symtab		isc_symtab_t;		/*%< Symbol Table */
 typedef struct isc_task			isc_task_t;		/*%< Task */
 typedef ISC_LIST(isc_task_t)		isc_tasklist_t;		/*%< Task List */
@@ -87,6 +94,19 @@ typedef struct isc_timer		isc_timer_t;		/*%< Timer */
 typedef struct isc_timermgr		isc_timermgr_t;		/*%< Timer Manager */
 
 typedef void (*isc_taskaction_t)(isc_task_t *, isc_event_t *);
+typedef int (*isc_sockfdwatch_t)(isc_task_t *, isc_socket_t *, void *);
+
+/* The following cannot be listed alphabetically due to forward reference */
+typedef isc_result_t (isc_httpdaction_t)(const char *url,
+					 const char *querystring,
+					 void *arg,
+					 unsigned int *retcode,
+					 const char **retmsg,
+					 const char **mimetype,
+					 isc_buffer_t *body,
+					 isc_httpdfree_t **freecb,
+					 void **freecb_args);
+typedef isc_boolean_t (isc_httpdclientok_t)(const isc_sockaddr_t *, void *);
 
 /*% Resource */
 typedef enum {
diff --git a/lib/isc/include/isc/util.h b/lib/isc/include/isc/util.h
index 95fe436..8a3b95d 100644
--- a/lib/isc/include/isc/util.h
+++ b/lib/isc/include/isc/util.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.24.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: util.h,v 1.30 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_UTIL_H
 #define ISC_UTIL_H 1
 
-/*! \file util.h
+/*! \file isc/util.h
  * NOTE:
  *
  * This file is not to be included from any <isc/???.h> (or other) library
diff --git a/lib/isc/include/isc/version.h b/lib/isc/include/isc/version.h
index 82d4617..ec00bde 100644
--- a/lib/isc/include/isc/version.h
+++ b/lib/isc/include/isc/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:04 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:18 tbox Exp $ */
 
-/*! \file */
+/*! \file isc/version.h */
 
 #include <isc/platform.h>
 
diff --git a/lib/isc/include/isc/xml.h b/lib/isc/include/isc/xml.h
new file mode 100644
index 0000000..d31a31a
--- /dev/null
+++ b/lib/isc/include/isc/xml.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: xml.h,v 1.4 2007/06/19 23:47:18 tbox Exp $ */
+
+#ifndef ISC_XML_H
+#define ISC_XML_H 1
+
+/*
+ * This file is here mostly to make it easy to add additional libxml header
+ * files as needed across all the users of this file.  Rather than place
+ * these libxml includes in each file, one include makes it easy to handle
+ * the ifdef as well as adding the ability to add additional functions
+ * which may be useful.
+ */
+
+#ifdef HAVE_LIBXML2
+#include <libxml/encoding.h>
+#include <libxml/xmlwriter.h>
+#endif
+
+#define ISC_XMLCHAR (const xmlChar *)
+
+#define ISC_XML_RENDERCONFIG		0x00000001 /* render config data */
+#define ISC_XML_RENDERSTATS		0x00000002 /* render stats */
+#define ISC_XML_RENDERALL		0x000000ff /* render everything */
+
+#endif /* ISC_XML_H */
diff --git a/lib/isc/inet_aton.c b/lib/isc/inet_aton.c
index 1602521..ad9401f 100644
--- a/lib/isc/inet_aton.c
+++ b/lib/isc/inet_aton.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1996-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -71,7 +71,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: inet_aton.c,v 1.17.18.2 2005/04/29 00:16:46 marka Exp $";
+static char rcsid[] = "$Id: inet_aton.c,v 1.21.332.2 2009/03/05 23:47:03 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
@@ -145,7 +145,7 @@ isc_net_aton(const char *cp, struct in_addr *addr) {
 			 *	a.b.c	(with c treated as 16 bits)
 			 *	a.b	(with b treated as 24 bits)
 			 */
-			if (pp >= parts + 3 || val > 0xff)
+			if (pp >= parts + 3 || val > 0xffU)
 				return (0);
 			*pp++ = (isc_uint8_t)val;
 			c = *++cp;
@@ -172,19 +172,19 @@ isc_net_aton(const char *cp, struct in_addr *addr) {
 		break;
 
 	case 2:				/* a.b -- 8.24 bits */
-		if (val > 0xffffff)
+		if (val > 0xffffffU)
 			return (0);
 		val |= parts[0] << 24;
 		break;
 
 	case 3:				/* a.b.c -- 8.8.16 bits */
-		if (val > 0xffff)
+		if (val > 0xffffU)
 			return (0);
 		val |= (parts[0] << 24) | (parts[1] << 16);
 		break;
 
 	case 4:				/* a.b.c.d -- 8.8.8.8 bits */
-		if (val > 0xff)
+		if (val > 0xffU)
 			return (0);
 		val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
 		break;
diff --git a/lib/isc/inet_ntop.c b/lib/isc/inet_ntop.c
index c0d1161..dc053ed 100644
--- a/lib/isc/inet_ntop.c
+++ b/lib/isc/inet_ntop.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_ntop.c,v 1.14.18.3 2005/04/29 00:16:46 marka Exp $";
+	"$Id: inet_ntop.c,v 1.19 2007/06/19 23:47:17 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/isc/inet_pton.c b/lib/isc/inet_pton.c
index a537e9c..6bada23 100644
--- a/lib/isc/inet_pton.c
+++ b/lib/isc/inet_pton.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: inet_pton.c,v 1.13.18.4 2005/04/29 00:16:46 marka Exp $";
+	"$Id: inet_pton.c,v 1.19 2007/06/19 23:47:17 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/isc/iterated_hash.c b/lib/isc/iterated_hash.c
new file mode 100644
index 0000000..1674314
--- /dev/null
+++ b/lib/isc/iterated_hash.c
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2006, 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: iterated_hash.c,v 1.4.48.2 2009/02/18 23:47:12 tbox Exp $ */
+
+#include "config.h"
+
+#include <stdio.h>
+
+#include <isc/sha1.h>
+#include <isc/iterated_hash.h>
+
+int
+isc_iterated_hash(unsigned char out[ISC_SHA1_DIGESTLENGTH],
+		  unsigned int hashalg, int iterations,
+		  const unsigned char *salt, int saltlength,
+		  const unsigned char *in, int inlength)
+{
+	isc_sha1_t ctx;
+	int n = 0;
+
+	if (hashalg != 1)
+		return (0);
+
+	do {
+		isc_sha1_init(&ctx);
+		isc_sha1_update(&ctx, in, inlength);
+		isc_sha1_update(&ctx, salt, saltlength);
+		isc_sha1_final(&ctx, out);
+		in = out;
+		inlength = ISC_SHA1_DIGESTLENGTH;
+	} while (n++ < iterations);
+
+	return (ISC_SHA1_DIGESTLENGTH);
+}
diff --git a/lib/isc/lex.c b/lib/isc/lex.c
index 2e4e48a..8749ed0 100644
--- a/lib/isc/lex.c
+++ b/lib/isc/lex.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lex.c,v 1.78.18.5 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: lex.c,v 1.86 2007/09/17 09:56:29 shane Exp $ */
 
 /*! \file */
 
@@ -720,11 +720,7 @@ isc_lex_gettoken(isc_lex_t *lex, unsigned int options, isc_token_t *tokenp) {
 				state = lexstate_ccomment;
 			break;
 		case lexstate_eatline:
-			if (c == EOF) {
-				result = ISC_R_UNEXPECTEDEND;
-				goto done;
-			}
-			if (c == '\n') {
+			if ((c == '\n') || (c == EOF)) {
 				no_comments = ISC_FALSE;
 				state = saved_state;
 				goto no_read;
diff --git a/lib/isc/lfsr.c b/lib/isc/lfsr.c
index 61f9386..0b8d782 100644
--- a/lib/isc/lfsr.c
+++ b/lib/isc/lfsr.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lfsr.c,v 1.14.18.4 2005/10/14 01:28:29 marka Exp $ */
+/* $Id: lfsr.c,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/lib.c b/lib/isc/lib.c
index 7a70c12..f3a2c2d 100644
--- a/lib/isc/lib.c
+++ b/lib/isc/lib.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: lib.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/log.c b/lib/isc/log.c
index 27c01d1..e19c9ba 100644
--- a/lib/isc/log.c
+++ b/lib/isc/log.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.84.18.8 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: log.c,v 1.94.332.5 2009/02/16 02:04:05 marka Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
@@ -61,7 +61,7 @@
  * This is the structure that holds each named channel.  A simple linked
  * list chains all of the channels together, so an individual channel is
  * found by doing strcmp()s with the names down the list.  Their should
- * be no peformance penalty from this as it is expected that the number
+ * be no performance penalty from this as it is expected that the number
  * of named channels will be no more than a dozen or so, and name lookups
  * from the head of the list are only done when isc_log_usechannel() is
  * called, which should also be very infrequent.
@@ -128,7 +128,7 @@ struct isc_logconfig {
  * This isc_log structure provides the context for the isc_log functions.
  * The log context locks itself in isc_log_doit, the internal backend to
  * isc_log_write.  The locking is necessary both to provide exclusive access
- * to the the buffer into which the message is formatted and to guard against
+ * to the buffer into which the message is formatted and to guard against
  * competing threads trying to write to the same syslog resource.  (On
  * some systems, such as BSD/OS, stdio is thread safe but syslog is not.)
  * Unfortunately, the lock cannot guard against a _different_ logging
@@ -204,6 +204,7 @@ LIBISC_EXTERNAL_DATA isc_logmodule_t isc_modules[] = {
 	{ "time", 0 },
 	{ "interface", 0 },
 	{ "timer", 0 },
+	{ "file", 0 },
 	{ NULL, 0 }
 };
 
@@ -1448,7 +1449,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 	LOCK(&lctx->lock);
 
 	lctx->buffer[0] = '\0';
-	
+
 	lcfg = lctx->logconfig;
 
 	category_channels = ISC_LIST_HEAD(lcfg->channellists[category->id]);
@@ -1507,7 +1508,7 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 		if ((channel->flags & ISC_LOG_PRINTTIME) != 0 &&
 		    time_string[0] == '\0') {
 			isc_time_t isctime;
-			
+
 			TIME_NOW(&isctime);
 			isc_time_formattimestamp(&isctime, time_string,
 						 sizeof(time_string));
@@ -1518,9 +1519,9 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			if (level < ISC_LOG_CRITICAL)
 				snprintf(level_string, sizeof(level_string),
 					 isc_msgcat_get(isc_msgcat,
-						        ISC_MSGSET_LOG,
-						        ISC_MSG_LEVEL,
-						        "level %d: "),
+							ISC_MSGSET_LOG,
+							ISC_MSG_LEVEL,
+							"level %d: "),
 					 level);
 			else if (level > ISC_LOG_DYNAMIC)
 				snprintf(level_string, sizeof(level_string),
@@ -1700,8 +1701,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 				printcategory ? category->name	: "",
 				printcategory ? ": "		: "",
 				printmodule   ? (module != NULL ? module->name
-						 		: "no_module")
-					      			: "",
+								: "no_module")
+								: "",
 				printmodule   ? ": "		: "",
 				printlevel    ? level_string	: "",
 				lctx->buffer);
@@ -1743,8 +1744,8 @@ isc_log_doit(isc_log_t *lctx, isc_logcategory_t *category,
 			       printcategory ? category->name	: "",
 			       printcategory ? ": "		: "",
 			       printmodule   ? (module != NULL	? module->name
-						 		: "no_module")
-					      			: "",
+								: "no_module")
+								: "",
 			       printmodule   ? ": "		: "",
 			       printlevel    ? level_string	: "",
 			       lctx->buffer);
diff --git a/lib/isc/md5.c b/lib/isc/md5.c
index 07d7546..5004c3e 100644
--- a/lib/isc/md5.c
+++ b/lib/isc/md5.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: md5.c,v 1.10.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: md5.c,v 1.14 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file
  * This code implements the MD5 message-digest algorithm.
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index 408770d..9c37d74 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mem.c,v 1.116.18.21 2008/02/07 23:45:56 tbox Exp $ */
+/* $Id: mem.c,v 1.145.120.4 2009/02/16 03:17:05 marka Exp $ */
 
 /*! \file */
 
@@ -33,9 +33,10 @@
 #include <isc/once.h>
 #include <isc/ondestroy.h>
 #include <isc/string.h>
-
 #include <isc/mutex.h>
+#include <isc/print.h>
 #include <isc/util.h>
+#include <isc/xml.h>
 
 #define MCTXLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) LOCK(l)
 #define MCTXUNLOCK(m, l) if (((m)->flags & ISC_MEMFLAG_NOLOCK) == 0) UNLOCK(l)
@@ -51,7 +52,7 @@ LIBISC_EXTERNAL_DATA unsigned int isc_mem_debugging = ISC_MEM_DEBUGGING;
 
 #define DEF_MAX_SIZE		1100
 #define DEF_MEM_TARGET		4096
-#define ALIGNMENT_SIZE		8		/*%< must be a power of 2 */
+#define ALIGNMENT_SIZE		8U		/*%< must be a power of 2 */
 #define NUM_BASIC_BLOCKS	64		/*%< must be > 1 */
 #define TABLE_INCREMENT		1024
 #define DEBUGLIST_COUNT		1024
@@ -113,6 +114,12 @@ static ISC_LIST(isc_mem_t)	contexts;
 static isc_once_t		once = ISC_ONCE_INIT;
 static isc_mutex_t		lock;
 
+/*%
+ * Total size of lost memory due to a bug of external library.
+ * Locked by the global lock.
+ */
+static isc_uint64_t		totallost;
+
 struct isc_mem {
 	unsigned int		magic;
 	isc_ondestroy_t		ondestroy;
@@ -125,6 +132,8 @@ struct isc_mem {
 	isc_boolean_t		checkfree;
 	struct stats *		stats;
 	unsigned int		references;
+	char			name[16];
+	void *			tag;
 	size_t			quota;
 	size_t			total;
 	size_t			inuse;
@@ -135,6 +144,7 @@ struct isc_mem {
 	isc_mem_water_t		water;
 	void *			water_arg;
 	ISC_LIST(isc_mempool_t)	pools;
+	unsigned int		poolcnt;
 
 	/*  ISC_MEMFLAG_INTERNAL */
 	size_t			mem_target;
@@ -148,6 +158,7 @@ struct isc_mem {
 
 #if ISC_MEM_TRACKLINES
 	debuglist_t *	 	debuglist;
+	unsigned int		debuglistcnt;
 #endif
 
 	unsigned int		memalloc_failures;
@@ -259,6 +270,7 @@ add_trace_entry(isc_mem_t *mctx, const void *ptr, unsigned int size
 	dl->count = 1;
 
 	ISC_LIST_PREPEND(mctx->debuglist[size], dl, link);
+	mctx->debuglistcnt++;
 }
 
 static inline void
@@ -692,6 +704,7 @@ static void
 initialize_action(void) {
 	RUNTIME_CHECK(isc_mutex_init(&lock) == ISC_R_SUCCESS);
 	ISC_LIST_INIT(contexts);
+	totallost = 0;
 }
 
 /*
@@ -742,6 +755,8 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
 		ctx->max_size = init_max_size;
 	ctx->flags = flags;
 	ctx->references = 1;
+	memset(ctx->name, 0, sizeof(ctx->name));
+	ctx->tag = NULL;
 	ctx->quota = 0;
 	ctx->total = 0;
 	ctx->inuse = 0;
@@ -760,8 +775,10 @@ isc_mem_createx2(size_t init_max_size, size_t target_size,
 	ctx->checkfree = ISC_TRUE;
 #if ISC_MEM_TRACKLINES
 	ctx->debuglist = NULL;
+	ctx->debuglistcnt = 0;
 #endif
 	ISC_LIST_INIT(ctx->pools);
+	ctx->poolcnt = 0;
 	ctx->freelists = NULL;
 	ctx->basic_blocks = NULL;
 	ctx->basic_table = NULL;
@@ -862,6 +879,7 @@ destroy(isc_mem_t *ctx) {
 
 	LOCK(&lock);
 	ISC_LIST_UNLINK(contexts, ctx, link);
+	totallost += ctx->inuse;
 	UNLOCK(&lock);
 
 	INSIST(ISC_LIST_EMPTY(ctx->pools));
@@ -1173,7 +1191,7 @@ print_active(isc_mem_t *mctx, FILE *out) {
 		const char *format;
 		isc_boolean_t found;
 
-		fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 					    ISC_MSG_DUMPALLOC,
 					    "Dump of all outstanding "
 					    "memory allocations:\n"));
@@ -1199,7 +1217,7 @@ print_active(isc_mem_t *mctx, FILE *out) {
 			}
 		}
 		if (!found)
-			fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+			fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 						    ISC_MSG_NONE, "\tNone.\n"));
 	}
 }
@@ -1241,7 +1259,7 @@ isc_mem_stats(isc_mem_t *ctx, FILE *out) {
 	 */
 	pool = ISC_LIST_HEAD(ctx->pools);
 	if (pool != NULL) {
-		fprintf(out, isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
+		fprintf(out, "%s", isc_msgcat_get(isc_msgcat, ISC_MSGSET_MEM,
 					    ISC_MSG_POOLSTATS,
 					    "[Pool statistics]\n"));
 		fprintf(out, "%15s %10s %10s %10s %10s %10s %10s %10s %1s\n",
@@ -1347,6 +1365,40 @@ isc__mem_allocate(isc_mem_t *ctx, size_t size FLARG) {
 	return (si);
 }
 
+void *
+isc__mem_reallocate(isc_mem_t *ctx, void *ptr, size_t size FLARG) {
+	void *new_ptr = NULL;
+	size_t oldsize, copysize;
+
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	/*
+	 * This function emulates the realloc(3) standard library function:
+	 * - if size > 0, allocate new memory; and if ptr is non NULL, copy
+	 *   as much of the old contents to the new buffer and free the old one.
+	 *   Note that when allocation fails the original pointer is intact;
+	 *   the caller must free it.
+	 * - if size is 0 and ptr is non NULL, simply free the given ptr.
+	 * - this function returns:
+	 *     pointer to the newly allocated memory, or
+	 *     NULL if allocation fails or doesn't happen.
+	 */
+	if (size > 0U) {
+		new_ptr = isc__mem_allocate(ctx, size FLARG_PASS);
+		if (new_ptr != NULL && ptr != NULL) {
+			oldsize = (((size_info *)ptr)[-1]).u.size;
+			INSIST(oldsize >= ALIGNMENT_SIZE);
+			oldsize -= ALIGNMENT_SIZE;
+			copysize = oldsize > size ? size : oldsize;
+			memcpy(new_ptr, ptr, copysize);
+			isc__mem_free(ctx, ptr FLARG_PASS);
+		}
+	} else if (ptr != NULL)
+		isc__mem_free(ctx, ptr FLARG_PASS);
+
+	return (new_ptr);
+}
+
 void
 isc__mem_free(isc_mem_t *ctx, void *ptr FLARG) {
 	size_info *si;
@@ -1507,6 +1559,31 @@ isc_mem_setwater(isc_mem_t *ctx, isc_mem_water_t water, void *water_arg,
 		(oldwater)(oldwater_arg, ISC_MEM_LOWATER);
 }
 
+void
+isc_mem_setname(isc_mem_t *ctx, const char *name, void *tag) {
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	LOCK(&ctx->lock);
+	memset(ctx->name, 0, sizeof(ctx->name));
+	strncpy(ctx->name, name, sizeof(ctx->name) - 1);
+	ctx->tag = tag;
+	UNLOCK(&ctx->lock);
+}
+
+const char *
+isc_mem_getname(isc_mem_t *ctx) {
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	return (ctx->name);
+}
+
+void *
+isc_mem_gettag(isc_mem_t *ctx) {
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	return (ctx->tag);
+}
+
 /*
  * Memory pool stuff
  */
@@ -1546,6 +1623,7 @@ isc_mempool_create(isc_mem_t *mctx, size_t size, isc_mempool_t **mpctxp) {
 
 	MCTXLOCK(mctx, &mctx->lock);
 	ISC_LIST_INITANDAPPEND(mctx->pools, mpctx, link);
+	mctx->poolcnt++;
 	MCTXUNLOCK(mctx, &mctx->lock);
 
 	return (ISC_R_SUCCESS);
@@ -1620,6 +1698,7 @@ isc_mempool_destroy(isc_mempool_t **mpctxp) {
 	 */
 	MCTXLOCK(mctx, &mctx->lock);
 	ISC_LIST_UNLINK(mctx->pools, mpctx, link);
+	mctx->poolcnt--;
 	MCTXUNLOCK(mctx, &mctx->lock);
 
 	mpctx->magic = 0;
@@ -1963,3 +2042,164 @@ isc_mem_checkdestroyed(FILE *file) {
 	}
 	UNLOCK(&lock);
 }
+
+unsigned int
+isc_mem_references(isc_mem_t *ctx) {
+	unsigned int references;
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	MCTXLOCK(ctx, &ctx->lock);
+	references = ctx->references;
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	return (references);
+}
+
+#ifdef HAVE_LIBXML2
+
+typedef struct summarystat {
+	isc_uint64_t	total;
+	isc_uint64_t	inuse;
+	isc_uint64_t	blocksize;
+	isc_uint64_t	contextsize;
+} summarystat_t;
+
+static void
+renderctx(isc_mem_t *ctx, summarystat_t *summary, xmlTextWriterPtr writer) {
+	REQUIRE(VALID_CONTEXT(ctx));
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "context");
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
+	xmlTextWriterWriteFormatString(writer, "%p", ctx);
+	xmlTextWriterEndElement(writer); /* id */
+
+	if (ctx->name[0] != 0) {
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+		xmlTextWriterWriteFormatString(writer, "%s", ctx->name);
+		xmlTextWriterEndElement(writer); /* name */
+	}
+
+	REQUIRE(VALID_CONTEXT(ctx));
+	MCTXLOCK(ctx, &ctx->lock);
+
+	summary->contextsize += sizeof(*ctx) +
+		(ctx->max_size + 1) * sizeof(struct stats) +
+		ctx->max_size * sizeof(element *) +
+		ctx->basic_table_count * sizeof(char *);
+#if ISC_MEM_TRACKLINES
+	if (ctx->debuglist != NULL) {
+		summary->contextsize +=
+			(ctx->max_size + 1) * sizeof(debuglist_t) +
+			ctx->debuglistcnt * sizeof(debuglink_t);
+	}
+#endif
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+	xmlTextWriterWriteFormatString(writer, "%d", ctx->references);
+	xmlTextWriterEndElement(writer); /* references */
+
+	summary->total += ctx->total;
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "total");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       (isc_uint64_t)ctx->total);
+	xmlTextWriterEndElement(writer); /* total */
+
+	summary->inuse += ctx->inuse;
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "inuse");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       (isc_uint64_t)ctx->inuse);
+	xmlTextWriterEndElement(writer); /* inuse */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "maxinuse");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       (isc_uint64_t)ctx->maxinuse);
+	xmlTextWriterEndElement(writer); /* maxinuse */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "blocksize");
+	if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+		summary->blocksize += ctx->basic_table_count *
+			NUM_BASIC_BLOCKS * ctx->mem_target;
+		xmlTextWriterWriteFormatString(writer,
+					       "%" ISC_PRINT_QUADFORMAT "u",
+					       (isc_uint64_t)
+					       ctx->basic_table_count *
+					       NUM_BASIC_BLOCKS *
+					       ctx->mem_target);
+	} else
+		xmlTextWriterWriteFormatString(writer, "%s", "-");
+	xmlTextWriterEndElement(writer); /* blocksize */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "pools");
+	xmlTextWriterWriteFormatString(writer, "%u", ctx->poolcnt);
+	xmlTextWriterEndElement(writer); /* pools */
+	summary->contextsize += ctx->poolcnt * sizeof(isc_mempool_t);
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "hiwater");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       (isc_uint64_t)ctx->hi_water);
+	xmlTextWriterEndElement(writer); /* hiwater */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "lowater");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       (isc_uint64_t)ctx->lo_water);
+	xmlTextWriterEndElement(writer); /* lowater */
+
+	MCTXUNLOCK(ctx, &ctx->lock);
+
+	xmlTextWriterEndElement(writer); /* context */
+}
+
+void
+isc_mem_renderxml(xmlTextWriterPtr writer) {
+	isc_mem_t *ctx;
+	summarystat_t summary;
+	isc_uint64_t lost;
+
+	memset(&summary, 0, sizeof(summary));
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "contexts");
+
+	RUNTIME_CHECK(isc_once_do(&once, initialize_action) == ISC_R_SUCCESS);
+
+	LOCK(&lock);
+	lost = totallost;
+	for (ctx = ISC_LIST_HEAD(contexts);
+	     ctx != NULL;
+	     ctx = ISC_LIST_NEXT(ctx, link)) {
+		renderctx(ctx, &summary, writer);
+	}
+	UNLOCK(&lock);
+
+	xmlTextWriterEndElement(writer); /* contexts */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "summary");
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "TotalUse");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       summary.total);
+	xmlTextWriterEndElement(writer); /* TotalUse */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "InUse");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       summary.inuse);
+	xmlTextWriterEndElement(writer); /* InUse */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "BlockSize");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       summary.blocksize);
+	xmlTextWriterEndElement(writer); /* BlockSize */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "ContextSize");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       summary.contextsize);
+	xmlTextWriterEndElement(writer); /* ContextSize */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "Lost");
+	xmlTextWriterWriteFormatString(writer, "%" ISC_PRINT_QUADFORMAT "u",
+				       lost);
+	xmlTextWriterEndElement(writer); /* Lost */
+
+	xmlTextWriterEndElement(writer); /* summary */
+}
+
+#endif /* HAVE_LIBXML2 */
diff --git a/lib/isc/mips/Makefile.in b/lib/isc/mips/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/mips/Makefile.in
+++ b/lib/isc/mips/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/mips/include/Makefile.in b/lib/isc/mips/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/mips/include/Makefile.in
+++ b/lib/isc/mips/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/mips/include/isc/Makefile.in b/lib/isc/mips/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/mips/include/isc/Makefile.in
+++ b/lib/isc/mips/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/mips/include/isc/atomic.h b/lib/isc/mips/include/isc/atomic.h
index 368a6ef..bb739f7 100644
--- a/lib/isc/mips/include/isc/atomic.h
+++ b/lib/isc/mips/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.1.2.1 2005/07/09 07:14:00 jinmei Exp $ */
+/* $Id: atomic.h,v 1.3 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/lib/isc/mutexblock.c b/lib/isc/mutexblock.c
index d8a82cc..d45ad0e 100644
--- a/lib/isc/mutexblock.c
+++ b/lib/isc/mutexblock.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutexblock.c,v 1.16.18.2 2005/04/29 00:16:47 marka Exp $ */
+/* $Id: mutexblock.c,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c
index e56e05b..85dd53e 100644
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netaddr.c,v 1.27.18.8 2005/04/27 05:02:03 sra Exp $ */
+/* $Id: netaddr.c,v 1.38 2007/06/18 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -79,7 +79,7 @@ isc_netaddr_eqprefix(const isc_netaddr_t *a, const isc_netaddr_t *b,
 	if (a->family != b->family)
 		return (ISC_FALSE);
 
-	if (a->zone != b->zone)
+	if (a->zone != b->zone && b->zone != 0)
 		return (ISC_FALSE);
 
 	switch (a->family) {
diff --git a/lib/isc/netscope.c b/lib/isc/netscope.c
index 75827d2..9aa11db 100644
--- a/lib/isc/netscope.c
+++ b/lib/isc/netscope.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
 
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: netscope.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $";
+	"$Id: netscope.c,v 1.13 2007/06/19 23:47:17 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/isc/nls/Makefile.in b/lib/isc/nls/Makefile.in
index 8211d9b..695c313 100644
--- a/lib/isc/nls/Makefile.in
+++ b/lib/isc/nls/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2004/03/05 05:11:05 marka Exp $
+# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nls/msgcat.c b/lib/isc/nls/msgcat.c
index ae56de7..3d6b676 100644
--- a/lib/isc/nls/msgcat.c
+++ b/lib/isc/nls/msgcat.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: msgcat.c,v 1.13.18.3 2005/06/08 02:07:57 marka Exp $ */
+/* $Id: msgcat.c,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file msgcat.c
  *
diff --git a/lib/isc/noatomic/Makefile.in b/lib/isc/noatomic/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/noatomic/Makefile.in
+++ b/lib/isc/noatomic/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/noatomic/include/Makefile.in b/lib/isc/noatomic/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/noatomic/include/Makefile.in
+++ b/lib/isc/noatomic/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/noatomic/include/isc/Makefile.in b/lib/isc/noatomic/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/noatomic/include/isc/Makefile.in
+++ b/lib/isc/noatomic/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/noatomic/include/isc/atomic.h b/lib/isc/noatomic/include/isc/atomic.h
index 1c7035f..942ba03 100644
--- a/lib/isc/noatomic/include/isc/atomic.h
+++ b/lib/isc/noatomic/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.2.1 2005/06/04 06:23:44 jinmei Exp $ */
+/* $Id: atomic.h,v 1.4 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/lib/isc/nothreads/Makefile.in b/lib/isc/nothreads/Makefile.in
index c9e8637..75a2cb5 100644
--- a/lib/isc/nothreads/Makefile.in
+++ b/lib/isc/nothreads/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2004/03/05 05:11:08 marka Exp $
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/condition.c b/lib/isc/nothreads/condition.c
index 329fbc8..9be8f83 100644
--- a/lib/isc/nothreads/condition.c
+++ b/lib/isc/nothreads/condition.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: condition.c,v 1.10 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/nothreads/include/Makefile.in b/lib/isc/nothreads/include/Makefile.in
index ecfc329..a52310a 100644
--- a/lib/isc/nothreads/include/Makefile.in
+++ b/lib/isc/nothreads/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2004/03/05 05:11:11 marka Exp $
+# $Id: Makefile.in,v 1.5 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/include/isc/Makefile.in b/lib/isc/nothreads/include/isc/Makefile.in
index f6482fb..3c9eab0 100644
--- a/lib/isc/nothreads/include/isc/Makefile.in
+++ b/lib/isc/nothreads/include/isc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2004/03/05 05:11:13 marka Exp $
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/nothreads/include/isc/condition.h b/lib/isc/nothreads/include/isc/condition.h
index 39889b1..b269f82 100644
--- a/lib/isc/nothreads/include/isc/condition.h
+++ b/lib/isc/nothreads/include/isc/condition.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
+/* $Id: condition.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
 
 /*
  * This provides a limited subset of the isc_condition_t
diff --git a/lib/isc/nothreads/include/isc/mutex.h b/lib/isc/nothreads/include/isc/mutex.h
index a586435..1f2187b 100644
--- a/lib/isc/nothreads/include/isc/mutex.h
+++ b/lib/isc/nothreads/include/isc/mutex.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
+/* $Id: mutex.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/lib/isc/nothreads/include/isc/once.h b/lib/isc/nothreads/include/isc/once.h
index 470120a..ab705a4 100644
--- a/lib/isc/nothreads/include/isc/once.h
+++ b/lib/isc/nothreads/include/isc/once.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
+/* $Id: once.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/lib/isc/nothreads/include/isc/thread.h b/lib/isc/nothreads/include/isc/thread.h
index 6c85913..313bc5f 100644
--- a/lib/isc/nothreads/include/isc/thread.h
+++ b/lib/isc/nothreads/include/isc/thread.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.4 2004/03/05 05:11:13 marka Exp $ */
+/* $Id: thread.h,v 1.6 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/lib/isc/nothreads/mutex.c b/lib/isc/nothreads/mutex.c
index 0048d87..50ba0f4 100644
--- a/lib/isc/nothreads/mutex.c
+++ b/lib/isc/nothreads/mutex.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2006, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.6.18.2 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: mutex.c,v 1.10 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/nothreads/thread.c b/lib/isc/nothreads/thread.c
index 0f20927..9075e25 100644
--- a/lib/isc/nothreads/thread.c
+++ b/lib/isc/nothreads/thread.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.3 2004/03/05 05:11:09 marka Exp $ */
+/* $Id: thread.c,v 1.5 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/ondestroy.c b/lib/isc/ondestroy.c
index 2cd9687..32a75e1 100644
--- a/lib/isc/ondestroy.c
+++ b/lib/isc/ondestroy.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ondestroy.c,v 1.12.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: ondestroy.c,v 1.16 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/parseint.c b/lib/isc/parseint.c
index 0696344..266d44c 100644
--- a/lib/isc/parseint.c
+++ b/lib/isc/parseint.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parseint.c,v 1.4.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: parseint.c,v 1.8 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/portset.c b/lib/isc/portset.c
index 0265c89..471ca8e 100644
--- a/lib/isc/portset.c
+++ b/lib/isc/portset.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: portset.c,v 1.2.4.3 2008/06/24 23:27:11 marka Exp $ */
+/* $Id: portset.c,v 1.4 2008/06/24 23:24:35 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/powerpc/Makefile.in b/lib/isc/powerpc/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/powerpc/Makefile.in
+++ b/lib/isc/powerpc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/powerpc/include/Makefile.in b/lib/isc/powerpc/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/powerpc/include/Makefile.in
+++ b/lib/isc/powerpc/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/powerpc/include/isc/Makefile.in b/lib/isc/powerpc/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/powerpc/include/isc/Makefile.in
+++ b/lib/isc/powerpc/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/powerpc/include/isc/atomic.h b/lib/isc/powerpc/include/isc/atomic.h
index 30db328..765cb6d 100644
--- a/lib/isc/powerpc/include/isc/atomic.h
+++ b/lib/isc/powerpc/include/isc/atomic.h
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.1.6.6 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: atomic.h,v 1.6 2007/06/18 23:47:47 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
diff --git a/lib/isc/print.c b/lib/isc/print.c
index 191ad24..b892e3a 100644
--- a/lib/isc/print.c
+++ b/lib/isc/print.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.27.18.5 2008/02/18 23:46:01 tbox Exp $ */
+/* $Id: print.c,v 1.35 2008/02/18 23:46:59 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/pthreads/Makefile.in b/lib/isc/pthreads/Makefile.in
index b9cc906..a287457 100644
--- a/lib/isc/pthreads/Makefile.in
+++ b/lib/isc/pthreads/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.17 2004/03/05 05:11:16 marka Exp $
+# $Id: Makefile.in,v 1.19 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/condition.c b/lib/isc/pthreads/condition.c
index b9c26c6..50281a2 100644
--- a/lib/isc/pthreads/condition.c
+++ b/lib/isc/pthreads/condition.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.c,v 1.32.18.2 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: condition.c,v 1.36 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/pthreads/include/Makefile.in b/lib/isc/pthreads/include/Makefile.in
index b1164b6..0303ab1 100644
--- a/lib/isc/pthreads/include/Makefile.in
+++ b/lib/isc/pthreads/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2004/03/05 05:11:19 marka Exp $
+# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/include/isc/Makefile.in b/lib/isc/pthreads/include/isc/Makefile.in
index 2e11f6c..11675ec 100644
--- a/lib/isc/pthreads/include/isc/Makefile.in
+++ b/lib/isc/pthreads/include/isc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.14 2004/03/05 05:11:40 marka Exp $
+# $Id: Makefile.in,v 1.16 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/pthreads/include/isc/condition.h b/lib/isc/pthreads/include/isc/condition.h
index f7cea75..04a6118 100644
--- a/lib/isc/pthreads/include/isc/condition.h
+++ b/lib/isc/pthreads/include/isc/condition.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: condition.h,v 1.22.18.2 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: condition.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_CONDITION_H
 #define ISC_CONDITION_H 1
diff --git a/lib/isc/pthreads/include/isc/mutex.h b/lib/isc/pthreads/include/isc/mutex.h
index edafaf6..dd7d326 100644
--- a/lib/isc/pthreads/include/isc/mutex.h
+++ b/lib/isc/pthreads/include/isc/mutex.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.h,v 1.25.18.3 2005/07/12 01:22:33 marka Exp $ */
+/* $Id: mutex.h,v 1.30 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_MUTEX_H
 #define ISC_MUTEX_H 1
diff --git a/lib/isc/pthreads/include/isc/once.h b/lib/isc/pthreads/include/isc/once.h
index 7e9f672..31d76fb 100644
--- a/lib/isc/pthreads/include/isc/once.h
+++ b/lib/isc/pthreads/include/isc/once.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: once.h,v 1.9.18.2 2005/04/29 00:17:06 marka Exp $ */
+/* $Id: once.h,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_ONCE_H
 #define ISC_ONCE_H 1
diff --git a/lib/isc/pthreads/include/isc/thread.h b/lib/isc/pthreads/include/isc/thread.h
index 3262607..7dcc952 100644
--- a/lib/isc/pthreads/include/isc/thread.h
+++ b/lib/isc/pthreads/include/isc/thread.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.h,v 1.20.18.4 2005/09/18 07:58:08 marka Exp $ */
+/* $Id: thread.h,v 1.26 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef ISC_THREAD_H
 #define ISC_THREAD_H 1
diff --git a/lib/isc/pthreads/mutex.c b/lib/isc/pthreads/mutex.c
index afbc861..b57d9ee 100644
--- a/lib/isc/pthreads/mutex.c
+++ b/lib/isc/pthreads/mutex.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: mutex.c,v 1.8.18.6 2008/04/04 23:46:02 tbox Exp $ */
+/* $Id: mutex.c,v 1.16 2008/04/04 23:47:01 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/pthreads/thread.c b/lib/isc/pthreads/thread.c
index bdbb593..4b5b491 100644
--- a/lib/isc/pthreads/thread.c
+++ b/lib/isc/pthreads/thread.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: thread.c,v 1.12.18.3 2005/04/29 00:17:05 marka Exp $ */
+/* $Id: thread.c,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/quota.c b/lib/isc/quota.c
index 9290167..5e5c50c 100644
--- a/lib/isc/quota.c
+++ b/lib/isc/quota.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: quota.c,v 1.13.18.3 2005/07/27 02:44:21 marka Exp $ */
+/* $Id: quota.c,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/radix.c b/lib/isc/radix.c
new file mode 100644
index 0000000..7786984
--- /dev/null
+++ b/lib/isc/radix.c
@@ -0,0 +1,706 @@
+/*
+ * Copyright (C) 2007-2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: radix.c,v 1.20.36.3 2009/01/18 23:47:41 tbox Exp $ */
+
+/*
+ * This source was adapted from MRT's RCS Ids:
+ * Id: radix.c,v 1.10.2.1 1999/11/29 05:16:24 masaki Exp
+ * Id: prefix.c,v 1.37.2.9 2000/03/10 02:53:19 labovit Exp
+ */
+
+#include <config.h>
+
+#include <isc/mem.h>
+#include <isc/types.h>
+#include <isc/util.h>
+#include <isc/radix.h>
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family,
+	    void *dest, int bitlen);
+
+static void
+_deref_prefix(isc_mem_t *mctx, isc_prefix_t *prefix);
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix);
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask);
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func);
+
+static isc_result_t
+_new_prefix(isc_mem_t *mctx, isc_prefix_t **target, int family, void *dest,
+	    int bitlen)
+{
+	isc_prefix_t *prefix;
+
+	REQUIRE(target != NULL);
+
+	if (family != AF_INET6 && family != AF_INET && family != AF_UNSPEC)
+		return (ISC_R_NOTIMPLEMENTED);
+
+	prefix = isc_mem_get(mctx, sizeof(isc_prefix_t));
+	if (prefix == NULL)
+		return (ISC_R_NOMEMORY);
+
+	if (family == AF_INET6) {
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 128;
+		memcpy(&prefix->add.sin6, dest, 16);
+	} else {
+		/* AF_UNSPEC is "any" or "none"--treat it as AF_INET */
+		prefix->bitlen = (bitlen >= 0) ? bitlen : 32;
+		memcpy(&prefix->add.sin, dest, 4);
+	}
+
+	prefix->family = family;
+
+	isc_refcount_init(&prefix->refcount, 1);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static void
+_deref_prefix(isc_mem_t *mctx, isc_prefix_t *prefix) {
+	int refs;
+
+	if (prefix == NULL)
+		return;
+
+	isc_refcount_decrement(&prefix->refcount, &refs);
+
+	if (refs <= 0) {
+		isc_refcount_destroy(&prefix->refcount);
+		isc_mem_put(mctx, prefix, sizeof(isc_prefix_t));
+	}
+}
+
+static isc_result_t
+_ref_prefix(isc_mem_t *mctx, isc_prefix_t **target, isc_prefix_t *prefix) {
+	INSIST(prefix != NULL);
+	INSIST((prefix->family == AF_INET && prefix->bitlen <= 32) ||
+	       (prefix->family == AF_INET6 && prefix->bitlen <= 128) ||
+	       (prefix->family == AF_UNSPEC && prefix->bitlen == 0));
+	REQUIRE(target != NULL && *target == NULL);
+
+	/*
+	 * If this prefix is a static allocation, copy it into new memory.
+	 * (Note, the refcount still has to be destroyed by the calling
+	 * routine.)
+	 */
+	if (isc_refcount_current(&prefix->refcount) == 0) {
+		isc_result_t ret;
+		ret = _new_prefix(mctx, target, prefix->family,
+				  &prefix->add, prefix->bitlen);
+		return ret;
+	}
+
+	isc_refcount_increment(&prefix->refcount, NULL);
+
+	*target = prefix;
+	return (ISC_R_SUCCESS);
+}
+
+static int
+_comp_with_mask(void *addr, void *dest, u_int mask) {
+
+	/* Mask length of zero matches everything */
+	if (mask == 0)
+		return (1);
+
+	if (memcmp(addr, dest, mask / 8) == 0) {
+		int n = mask / 8;
+		int m = ((~0) << (8 - (mask % 8)));
+
+		if ((mask % 8) == 0 ||
+		    (((u_char *)addr)[n] & m) == (((u_char *)dest)[n] & m))
+			return (1);
+	}
+	return (0);
+}
+
+isc_result_t
+isc_radix_create(isc_mem_t *mctx, isc_radix_tree_t **target, int maxbits) {
+	isc_radix_tree_t *radix;
+
+	REQUIRE(target != NULL && *target == NULL);
+
+	radix = isc_mem_get(mctx, sizeof(isc_radix_tree_t));
+	if (radix == NULL)
+		return (ISC_R_NOMEMORY);
+
+	radix->mctx = mctx;
+	radix->maxbits = maxbits;
+	radix->head = NULL;
+	radix->num_active_node = 0;
+	radix->num_added_node = 0;
+	RUNTIME_CHECK(maxbits <= RADIX_MAXBITS); /* XXX */
+	radix->magic = RADIX_TREE_MAGIC;
+	*target = radix;
+	return (ISC_R_SUCCESS);
+}
+
+/*
+ * if func is supplied, it will be called as func(node->data)
+ * before deleting the node
+ */
+
+static void
+_clear_radix(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func) {
+
+	REQUIRE(radix != NULL);
+
+	if (radix->head != NULL) {
+
+		isc_radix_node_t *Xstack[RADIX_MAXBITS+1];
+		isc_radix_node_t **Xsp = Xstack;
+		isc_radix_node_t *Xrn = radix->head;
+
+		while (Xrn != NULL) {
+			isc_radix_node_t *l = Xrn->l;
+			isc_radix_node_t *r = Xrn->r;
+
+			if (Xrn->prefix != NULL) {
+				_deref_prefix(radix->mctx, Xrn->prefix);
+				if (func != NULL && (Xrn->data[0] != NULL ||
+						     Xrn->data[1] != NULL))
+					func(Xrn->data);
+			} else {
+				INSIST(Xrn->data[0] == NULL &&
+				       Xrn->data[1] == NULL);
+			}
+
+			isc_mem_put(radix->mctx, Xrn, sizeof(*Xrn));
+			radix->num_active_node--;
+
+			if (l != NULL) {
+				if (r != NULL) {
+					*Xsp++ = r;
+				}
+				Xrn = l;
+			} else if (r != NULL) {
+				Xrn = r;
+			} else if (Xsp != Xstack) {
+				Xrn = *(--Xsp);
+			} else {
+				Xrn = NULL;
+			}
+		}
+	}
+	RUNTIME_CHECK(radix->num_active_node == 0);
+}
+
+
+void
+isc_radix_destroy(isc_radix_tree_t *radix, isc_radix_destroyfunc_t func)
+{
+	REQUIRE(radix != NULL);
+	_clear_radix(radix, func);
+	isc_mem_put(radix->mctx, radix, sizeof(*radix));
+}
+
+
+/*
+ * func will be called as func(node->prefix, node->data)
+ */
+void
+isc_radix_process(isc_radix_tree_t *radix, isc_radix_processfunc_t func)
+{
+	isc_radix_node_t *node;
+
+	REQUIRE(func != NULL);
+
+	RADIX_WALK(radix->head, node) {
+		func(node->prefix, node->data);
+	} RADIX_WALK_END;
+}
+
+
+isc_result_t
+isc_radix_search(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_prefix_t *prefix)
+{
+	isc_radix_node_t *node;
+	isc_radix_node_t *stack[RADIX_MAXBITS + 1];
+	u_char *addr;
+	isc_uint32_t bitlen;
+	int tfamily = -1;
+	int cnt = 0;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(prefix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	RUNTIME_CHECK(prefix->bitlen <= radix->maxbits);
+
+	*target = NULL;
+
+	if (radix->head == NULL) {
+		return (ISC_R_NOTFOUND);
+	}
+
+	node = radix->head;
+	addr = isc_prefix_touchar(prefix);
+	bitlen = prefix->bitlen;
+
+	while (node->bit < bitlen) {
+		if (node->prefix)
+			stack[cnt++] = node;
+
+		if (BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+			node = node->r;
+		else
+			node = node->l;
+
+		if (node == NULL)
+			break;
+	}
+
+	if (node && node->prefix)
+		stack[cnt++] = node;
+
+	while (--cnt >= 0) {
+		node = stack[cnt];
+
+		if (_comp_with_mask(isc_prefix_tochar(node->prefix),
+				    isc_prefix_tochar(prefix),
+				    node->prefix->bitlen)) {
+			if (node->node_num[ISC_IS6(prefix->family)] != -1 &&
+				 ((*target == NULL) ||
+				  (*target)->node_num[ISC_IS6(tfamily)] >
+				   node->node_num[ISC_IS6(prefix->family)])) {
+				*target = node;
+				tfamily = prefix->family;
+			}
+		}
+	}
+
+	if (*target == NULL) {
+		return (ISC_R_NOTFOUND);
+	} else {
+		return (ISC_R_SUCCESS);
+	}
+}
+
+isc_result_t
+isc_radix_insert(isc_radix_tree_t *radix, isc_radix_node_t **target,
+		 isc_radix_node_t *source, isc_prefix_t *prefix)
+{
+	isc_radix_node_t *node, *new_node, *parent, *glue = NULL;
+	u_char *addr, *test_addr;
+	isc_uint32_t bitlen, fam, check_bit, differ_bit;
+	isc_uint32_t i, j, r;
+	isc_result_t result;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(target != NULL && *target == NULL);
+	REQUIRE(prefix != NULL || (source != NULL && source->prefix != NULL));
+	RUNTIME_CHECK(prefix == NULL || prefix->bitlen <= radix->maxbits);
+
+	if (prefix == NULL)
+		prefix = source->prefix;
+
+	INSIST(prefix != NULL);
+
+	bitlen = prefix->bitlen;
+	fam = prefix->family;
+
+	if (radix->head == NULL) {
+		node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+		if (node == NULL)
+			return (ISC_R_NOMEMORY);
+		node->bit = bitlen;
+		node->node_num[0] = node->node_num[1] = -1;
+		node->prefix = NULL;
+		result = _ref_prefix(radix->mctx, &node->prefix, prefix);
+		if (result != ISC_R_SUCCESS) {
+			isc_mem_put(radix->mctx, node,
+				    sizeof(isc_radix_node_t));
+			return (result);
+		}
+		node->parent = NULL;
+		node->l = node->r = NULL;
+		if (source != NULL) {
+			/*
+			 * If source is non-NULL, then we're merging in a
+			 * node from an existing radix tree.  To keep
+			 * the node_num values consistent, the calling
+			 * function will add the total number of nodes
+			 * added to num_added_node at the end of
+			 * the merge operation--we don't do it here.
+			 */
+			if (source->node_num[0] != -1)
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+			if (source->node_num[1] != -1)
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+			node->data[0] = source->data[0];
+			node->data[1] = source->data[1];
+		} else {
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
+			node->data[0] = NULL;
+			node->data[1] = NULL;
+		}
+		radix->head = node;
+		radix->num_active_node++;
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	addr = isc_prefix_touchar(prefix);
+	node = radix->head;
+
+	while (node->bit < bitlen || node->prefix == NULL) {
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			if (node->r == NULL)
+				break;
+			node = node->r;
+		} else {
+			if (node->l == NULL)
+				break;
+			node = node->l;
+		}
+
+		INSIST(node != NULL);
+	}
+
+	INSIST(node->prefix != NULL);
+
+	test_addr = isc_prefix_touchar(node->prefix);
+	/* Find the first bit different. */
+	check_bit = (node->bit < bitlen) ? node->bit : bitlen;
+	differ_bit = 0;
+	for (i = 0; i*8 < check_bit; i++) {
+		if ((r = (addr[i] ^ test_addr[i])) == 0) {
+			differ_bit = (i + 1) * 8;
+			continue;
+		}
+		/* I know the better way, but for now. */
+		for (j = 0; j < 8; j++) {
+			if (BIT_TEST (r, (0x80 >> j)))
+				break;
+		}
+		/* Must be found. */
+		INSIST(j < 8);
+		differ_bit = i * 8 + j;
+		break;
+	}
+
+	if (differ_bit > check_bit)
+		differ_bit = check_bit;
+
+	parent = node->parent;
+	while (parent != NULL && parent->bit >= differ_bit) {
+		node = parent;
+		parent = node->parent;
+	}
+
+	if (differ_bit == bitlen && node->bit == bitlen) {
+		if (node->prefix != NULL) {
+			/* Set node_num only if it hasn't been set before */
+			if (source != NULL) {
+				/* Merging node */
+				if (node->node_num[0] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[0] =
+						radix->num_added_node +
+						source->node_num[0];
+					node->data[0] = source->data[0];
+				}
+				if (node->node_num[1] == -1 &&
+				    source->node_num[0] != -1) {
+					node->node_num[1] =
+						radix->num_added_node +
+						source->node_num[1];
+					node->data[1] = source->data[1];
+				}
+			} else {
+				if (fam == AF_UNSPEC) {
+					/* "any" or "none" */
+					int next = radix->num_added_node + 1;
+					if (node->node_num[0] == -1) {
+						node->node_num[0] = next;
+						radix->num_added_node = next;
+					}
+					if (node->node_num[1] == -1) {
+						node->node_num[1] = next;
+						radix->num_added_node = next;
+					}
+				} else {
+					if (node->node_num[ISC_IS6(fam)] == -1)
+						node->node_num[ISC_IS6(fam)]
+						   = ++radix->num_added_node;
+				}
+			}
+			*target = node;
+			return (ISC_R_SUCCESS);
+		} else {
+			result =
+				_ref_prefix(radix->mctx, &node->prefix, prefix);
+			if (result != ISC_R_SUCCESS)
+				return (result);
+		}
+		INSIST(node->data[0] == NULL && node->node_num[0] == -1 &&
+		       node->data[1] == NULL && node->node_num[1] == -1);
+		if (source != NULL) {
+			/* Merging node */
+			if (source->node_num[0] != -1) {
+				node->node_num[0] = radix->num_added_node +
+						    source->node_num[0];
+				node->data[0] = source->data[0];
+			}
+			if (source->node_num[1] != -1) {
+				node->node_num[1] = radix->num_added_node +
+						    source->node_num[1];
+				node->data[1] = source->data[1];
+			}
+		} else {
+			if (fam == AF_UNSPEC) {
+				/* "any" or "none" */
+				node->node_num[0] = node->node_num[1] =
+					++radix->num_added_node;
+			} else {
+				node->node_num[ISC_IS6(fam)] =
+					++radix->num_added_node;
+			}
+		}
+		*target = node;
+		return (ISC_R_SUCCESS);
+	}
+
+	new_node = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+	if (new_node == NULL)
+		return (ISC_R_NOMEMORY);
+	if (node->bit != differ_bit && bitlen != differ_bit) {
+		glue = isc_mem_get(radix->mctx, sizeof(isc_radix_node_t));
+		if (glue == NULL) {
+			isc_mem_put(radix->mctx, new_node,
+				    sizeof(isc_radix_node_t));
+			return (ISC_R_NOMEMORY);
+		}
+	}
+	new_node->bit = bitlen;
+	new_node->prefix = NULL;
+	result = _ref_prefix(radix->mctx, &new_node->prefix, prefix);
+	if (result != ISC_R_SUCCESS) {
+		isc_mem_put(radix->mctx, new_node, sizeof(isc_radix_node_t));
+		if (glue != NULL)
+			isc_mem_put(radix->mctx, glue,
+				    sizeof(isc_radix_node_t));
+		return (result);
+	}
+	new_node->parent = NULL;
+	new_node->l = new_node->r = NULL;
+	new_node->node_num[0] = new_node->node_num[1] = -1;
+	radix->num_active_node++;
+
+	if (source != NULL) {
+		/* Merging node */
+		if (source->node_num[0] != -1)
+			new_node->node_num[0] = radix->num_added_node +
+						source->node_num[0];
+		if (source->node_num[1] != -1)
+			new_node->node_num[1] = radix->num_added_node +
+						source->node_num[1];
+		new_node->data[0] = source->data[0];
+		new_node->data[1] = source->data[1];
+	} else {
+		if (fam == AF_UNSPEC) {
+			/* "any" or "none" */
+			new_node->node_num[0] = new_node->node_num[1] =
+				++radix->num_added_node;
+		} else {
+			new_node->node_num[ISC_IS6(fam)] =
+				++radix->num_added_node;
+		}
+		new_node->data[0] = NULL;
+		new_node->data[1] = NULL;
+	}
+
+	if (node->bit == differ_bit) {
+		INSIST(glue == NULL);
+		new_node->parent = node;
+		if (node->bit < radix->maxbits &&
+		    BIT_TEST(addr[node->bit >> 3], 0x80 >> (node->bit & 0x07)))
+		{
+			INSIST(node->r == NULL);
+			node->r = new_node;
+		} else {
+			INSIST(node->l == NULL);
+			node->l = new_node;
+		}
+		*target = new_node;
+		return (ISC_R_SUCCESS);
+	}
+
+	if (bitlen == differ_bit) {
+		INSIST(glue == NULL);
+		if (bitlen < radix->maxbits &&
+		    BIT_TEST(test_addr[bitlen >> 3], 0x80 >> (bitlen & 0x07))) {
+			new_node->r = node;
+		} else {
+			new_node->l = node;
+		}
+		new_node->parent = node->parent;
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = new_node;
+		} else if (node->parent->r == node) {
+			node->parent->r = new_node;
+		} else {
+			node->parent->l = new_node;
+		}
+		node->parent = new_node;
+	} else {
+		INSIST(glue != NULL);
+		glue->bit = differ_bit;
+		glue->prefix = NULL;
+		glue->parent = node->parent;
+		glue->data[0] = glue->data[1] = NULL;
+		glue->node_num[0] = glue->node_num[1] = -1;
+		radix->num_active_node++;
+		if (differ_bit < radix->maxbits &&
+		    BIT_TEST(addr[differ_bit>>3], 0x80 >> (differ_bit & 07))) {
+			glue->r = new_node;
+			glue->l = node;
+		} else {
+			glue->r = node;
+			glue->l = new_node;
+		}
+		new_node->parent = glue;
+
+		if (node->parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = glue;
+		} else if (node->parent->r == node) {
+			node->parent->r = glue;
+		} else {
+			node->parent->l = glue;
+		}
+		node->parent = glue;
+	}
+
+	*target = new_node;
+	return (ISC_R_SUCCESS);
+}
+
+void
+isc_radix_remove(isc_radix_tree_t *radix, isc_radix_node_t *node) {
+	isc_radix_node_t *parent, *child;
+
+	REQUIRE(radix != NULL);
+	REQUIRE(node != NULL);
+
+	if (node->r && node->l) {
+		/*
+		 * This might be a placeholder node -- have to check and
+		 * make sure there is a prefix associated with it!
+		 */
+		if (node->prefix != NULL)
+			_deref_prefix(radix->mctx, node->prefix);
+
+		node->prefix = NULL;
+		node->data[0] = node->data[1] = NULL;
+		return;
+	}
+
+	if (node->r == NULL && node->l == NULL) {
+		parent = node->parent;
+		_deref_prefix(radix->mctx, node->prefix);
+		isc_mem_put(radix->mctx, node, sizeof(*node));
+		radix->num_active_node--;
+
+		if (parent == NULL) {
+			INSIST(radix->head == node);
+			radix->head = NULL;
+			return;
+		}
+
+		if (parent->r == node) {
+			parent->r = NULL;
+			child = parent->l;
+		} else {
+			INSIST(parent->l == node);
+			parent->l = NULL;
+			child = parent->r;
+		}
+
+		if (parent->prefix)
+			return;
+
+		/* We need to remove parent too. */
+
+		if (parent->parent == NULL) {
+			INSIST(radix->head == parent);
+			radix->head = child;
+		} else if (parent->parent->r == parent) {
+			parent->parent->r = child;
+		} else {
+			INSIST(parent->parent->l == parent);
+			parent->parent->l = child;
+		}
+		child->parent = parent->parent;
+		isc_mem_put(radix->mctx, parent, sizeof(*parent));
+		radix->num_active_node--;
+		return;
+	}
+
+	if (node->r) {
+		child = node->r;
+	} else {
+		INSIST(node->l != NULL);
+		child = node->l;
+	}
+	parent = node->parent;
+	child->parent = parent;
+
+	_deref_prefix(radix->mctx, node->prefix);
+	isc_mem_put(radix->mctx, node, sizeof(*node));
+	radix->num_active_node--;
+
+	if (parent == NULL) {
+		INSIST(radix->head == node);
+		radix->head = child;
+		return;
+	}
+
+	if (parent->r == node) {
+		parent->r = child;
+	} else {
+		INSIST(parent->l == node);
+		parent->l = child;
+	}
+}
+
+/*
+Local Variables:
+c-basic-offset: 4
+indent-tabs-mode: t
+End:
+*/
diff --git a/lib/isc/random.c b/lib/isc/random.c
index f6c7d6e..0329abd 100644
--- a/lib/isc/random.c
+++ b/lib/isc/random.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: random.c,v 1.21.18.2 2005/04/29 00:16:48 marka Exp $ */
+/* $Id: random.c,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/ratelimiter.c b/lib/isc/ratelimiter.c
index 3d65139..07bcc7c 100644
--- a/lib/isc/ratelimiter.c
+++ b/lib/isc/ratelimiter.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ratelimiter.c,v 1.21.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: ratelimiter.c,v 1.25 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/refcount.c b/lib/isc/refcount.c
index d5095eb..36dfff2 100644
--- a/lib/isc/refcount.c
+++ b/lib/isc/refcount.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: refcount.c,v 1.2.2.2 2005/07/25 00:51:46 marka Exp $ */
+/* $Id: refcount.c,v 1.5 2007/06/19 23:47:17 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/region.c b/lib/isc/region.c
index bc32b86..cf64979 100644
--- a/lib/isc/region.c
+++ b/lib/isc/region.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: region.c,v 1.3.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: region.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/result.c b/lib/isc/result.c
index e0c8653..5713580 100644
--- a/lib/isc/result.c
+++ b/lib/isc/result.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.62.18.6 2005/06/22 22:05:48 marka Exp $ */
+/* $Id: result.c,v 1.71 2008/09/25 04:02:39 tbox Exp $ */
 
 /*! \file */
 
@@ -100,7 +100,8 @@ static const char *text[ISC_R_NRESULTS] = {
 	"not a valid number",			/*%< 56 */
 	"disabled",				/*%< 57 */
 	"max size",				/*%< 58 */
-	"invalid address format"		/*%< 59 */
+	"invalid address format",		/*%< 59 */
+	"bad base32 encoding",			/*%< 60 */
 };
 
 #define ISC_RESULT_RESULTSET			2
diff --git a/lib/isc/rwlock.c b/lib/isc/rwlock.c
index 69b8f56..ca8e83d 100644
--- a/lib/isc/rwlock.c
+++ b/lib/isc/rwlock.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: rwlock.c,v 1.37.18.5 2005/07/12 01:22:30 marka Exp $ */
+/* $Id: rwlock.c,v 1.44.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*! \file */
 
@@ -45,7 +45,7 @@
 
 #ifdef ISC_RWLOCK_TRACE
 #include <stdio.h>		/* Required for fprintf/stderr. */
-#include <isc/thread.h>		/* Requried for isc_thread_self(). */
+#include <isc/thread.h>		/* Required for isc_thread_self(). */
 
 static void
 print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
@@ -55,17 +55,17 @@ print_lock(const char *operation, isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 			       "rwlock %p thread %lu %s(%s): %s, %u active, "
 			       "%u granted, %u rwaiting, %u wwaiting\n"),
 		rwl, isc_thread_self(), operation,
-		(type == isc_rwlocktype_read ? 
+		(type == isc_rwlocktype_read ?
 		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
 				ISC_MSG_READ, "read") :
 		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
 				ISC_MSG_WRITE, "write")),
-	        (rwl->type == isc_rwlocktype_read ?
+		(rwl->type == isc_rwlocktype_read ?
 		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
-				ISC_MSG_READING, "reading") : 
+				ISC_MSG_READING, "reading") :
 		 isc_msgcat_get(isc_msgcat, ISC_MSGSET_RWLOCK,
 				ISC_MSG_WRITING, "writing")),
-	        rwl->active, rwl->granted, rwl->readers_waiting,
+		rwl->active, rwl->granted, rwl->readers_waiting,
 		rwl->writers_waiting);
 }
 #endif
@@ -381,7 +381,7 @@ isc_rwlock_trylock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 				BROADCAST(&rwl->writeable);
 				UNLOCK(&rwl->lock);
 			}
-			
+
 			return (ISC_R_LOCKBUSY);
 		}
 	} else {
@@ -434,7 +434,7 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
 		return (ISC_R_LOCKBUSY);
 
 	return (ISC_R_SUCCESS);
-	
+
 }
 
 void
@@ -555,7 +555,7 @@ doit(isc_rwlock_t *rwl, isc_rwlocktype_t type, isc_boolean_t nonblock) {
 			    ((rwl->active == 0 ||
 			      (rwl->type == isc_rwlocktype_read &&
 			       (rwl->writers_waiting == 0 ||
-			        rwl->granted < rwl->read_quota)))))
+				rwl->granted < rwl->read_quota)))))
 			{
 				rwl->type = isc_rwlocktype_read;
 				rwl->active++;
@@ -751,7 +751,7 @@ isc_rwlock_lock(isc_rwlock_t *rwl, isc_rwlocktype_t type) {
 		rwl->type = isc_rwlocktype_write;
 		rwl->active = 1;
 	}
-        return (ISC_R_SUCCESS);
+	return (ISC_R_SUCCESS);
 }
 
 isc_result_t
@@ -766,7 +766,7 @@ isc_rwlock_tryupgrade(isc_rwlock_t *rwl) {
 	REQUIRE(VALID_RWLOCK(rwl));
 	REQUIRE(rwl->type == isc_rwlocktype_read);
 	REQUIRE(rwl->active != 0);
-	
+
 	/* If we are the only reader then succeed. */
 	if (rwl->active == 1)
 		rwl->type = isc_rwlocktype_write;
diff --git a/lib/isc/serial.c b/lib/isc/serial.c
index 5d1bde7..b43aac7 100644
--- a/lib/isc/serial.c
+++ b/lib/isc/serial.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: serial.c,v 1.8.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: serial.c,v 1.12 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/sha1.c b/lib/isc/sha1.c
index 6f4af6d..3575288 100644
--- a/lib/isc/sha1.c
+++ b/lib/isc/sha1.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha1.c,v 1.14.18.2 2005/04/29 00:16:49 marka Exp $ */
+/* $Id: sha1.c,v 1.18 2007/06/19 23:47:17 tbox Exp $ */
 
 /*	$NetBSD: sha1.c,v 1.5 2000/01/22 22:19:14 mycroft Exp $	*/
 /*	$OpenBSD: sha1.c,v 1.9 1997/07/23 21:12:32 kstailey Exp $	*/
diff --git a/lib/isc/sha2.c b/lib/isc/sha2.c
index 7b41a28..70eea4f 100644
--- a/lib/isc/sha2.c
+++ b/lib/isc/sha2.c
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005, 2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sha2.c,v 1.2.2.12 2006/08/16 03:18:14 marka Exp $ */
+/* $Id: sha2.c,v 1.13.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*	$FreeBSD$	*/
 /*	$KAME: sha2.c,v 1.8 2001/11/08 01:07:52 itojun Exp $	*/
@@ -39,7 +39,7 @@
  * 3. Neither the name of the copyright holder nor the names of contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
- * 
+ *
  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) AND CONTRIBUTOR(S) ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -72,7 +72,7 @@
  *
  * or define below:
  *
- *   #define ISC_SHA2_UNROLL_TRANSFORM
+ *   \#define ISC_SHA2_UNROLL_TRANSFORM
  *
  */
 
@@ -83,21 +83,21 @@
  * Please make sure that your system defines BYTE_ORDER.  If your
  * architecture is little-endian, make sure it also defines
  * LITTLE_ENDIAN and that the two (BYTE_ORDER and LITTLE_ENDIAN) are
- * equivilent.
+ * equivalent.
  *
  * If your system does not define the above, then you can do so by
  * hand like this:
  *
- *   #define LITTLE_ENDIAN 1234
- *   #define BIG_ENDIAN    4321
+ *   \#define LITTLE_ENDIAN 1234
+ *   \#define BIG_ENDIAN    4321
  *
  * And for little-endian machines, add:
  *
- *   #define BYTE_ORDER LITTLE_ENDIAN 
+ *   \#define BYTE_ORDER LITTLE_ENDIAN
  *
  * Or for big-endian machines:
  *
- *   #define BYTE_ORDER BIG_ENDIAN
+ *   \#define BYTE_ORDER BIG_ENDIAN
  *
  * The FreeBSD machine this was written on defines BYTE_ORDER
  * appropriately by including <sys/types.h> (which in turn includes
@@ -414,12 +414,12 @@ isc_sha224_init(isc_sha224_t *context) {
 	context->bitcount = 0;
 }
 
-void 
+void
 isc_sha224_update(isc_sha224_t *context, const isc_uint8_t* data, size_t len) {
 	isc_sha256_update((isc_sha256_t *)context, data, len);
 }
 
-void 
+void
 isc_sha224_final(isc_uint8_t digest[], isc_sha224_t *context) {
 	isc_uint8_t sha256_digest[ISC_SHA256_DIGESTLENGTH];
 	isc_sha256_final(sha256_digest, (isc_sha256_t *)context);
@@ -453,7 +453,7 @@ isc_sha224_end(isc_sha224_t *context, char buffer[]) {
 
 char*
 isc_sha224_data(const isc_uint8_t *data, size_t len,
-	        char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
+		char digest[ISC_SHA224_DIGESTSTRINGLENGTH])
 {
 	isc_sha224_t context;
 
@@ -483,7 +483,7 @@ isc_sha256_init(isc_sha256_t *context) {
 #define ROUND256_0_TO_15(a,b,c,d,e,f,g,h)	\
 	REVERSE32(*data++, W256[j]); \
 	T1 = (h) + Sigma1_256(e) + Ch((e), (f), (g)) + \
-             K256[j] + W256[j]; \
+	     K256[j] + W256[j]; \
 	(d) += T1; \
 	(h) = T1 + Sigma0_256(a) + Maj((a), (b), (c)); \
 	j++
@@ -615,11 +615,11 @@ isc_sha256_transform(isc_sha256_t *context, const isc_uint32_t* data) {
 		/* Part of the message block expansion: */
 		s0 = W256[(j+1)&0x0f];
 		s0 = sigma0_256(s0);
-		s1 = W256[(j+14)&0x0f];	
+		s1 = W256[(j+14)&0x0f];
 		s1 = sigma1_256(s1);
 
 		/* Apply the SHA-256 compression function to update a..h */
-		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] + 
+		T1 = h + Sigma1_256(e) + Ch(e, f, g) + K256[j] +
 		     (W256[j&0x0f] += s1 + W256[(j+9)&0x0f] + s0);
 		T2 = Sigma0_256(a) + Maj(a, b, c);
 		h = g;
@@ -828,7 +828,7 @@ isc_sha512_init(isc_sha512_t *context) {
 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
 	REVERSE64(*data++, W512[j]); \
 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
-             K512[j] + W512[j]; \
+	     K512[j] + W512[j]; \
 	(d) += T1, \
 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)), \
 	j++
@@ -838,7 +838,7 @@ isc_sha512_init(isc_sha512_t *context) {
 
 #define ROUND512_0_TO_15(a,b,c,d,e,f,g,h)	\
 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + \
-             K512[j] + (W512[j] = *data++); \
+	     K512[j] + (W512[j] = *data++); \
 	(d) += T1; \
 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
 	j++
@@ -851,7 +851,7 @@ isc_sha512_init(isc_sha512_t *context) {
 	s1 = W512[(j+14)&0x0f]; \
 	s1 = sigma1_512(s1); \
 	T1 = (h) + Sigma1_512(e) + Ch((e), (f), (g)) + K512[j] + \
-             (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
+	     (W512[j&0x0f] += s1 + W512[(j+9)&0x0f] + s0); \
 	(d) += T1; \
 	(h) = T1 + Sigma0_512(a) + Maj((a), (b), (c)); \
 	j++
@@ -1163,12 +1163,12 @@ isc_sha384_init(isc_sha384_t *context) {
 	context->bitcount[0] = context->bitcount[1] = 0;
 }
 
-void 
+void
 isc_sha384_update(isc_sha384_t *context, const isc_uint8_t* data, size_t len) {
 	isc_sha512_update((isc_sha512_t *)context, data, len);
 }
 
-void 
+void
 isc_sha384_final(isc_uint8_t digest[], isc_sha384_t *context) {
 	isc_uint64_t	*d = (isc_uint64_t*)digest;
 
@@ -1224,7 +1224,7 @@ isc_sha384_end(isc_sha384_t *context, char buffer[]) {
 
 char*
 isc_sha384_data(const isc_uint8_t *data, size_t len,
-	        char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
+		char digest[ISC_SHA384_DIGESTSTRINGLENGTH])
 {
 	isc_sha384_t context;
 
diff --git a/lib/isc/sockaddr.c b/lib/isc/sockaddr.c
index 2fd73af..62975df 100644
--- a/lib/isc/sockaddr.c
+++ b/lib/isc/sockaddr.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sockaddr.c,v 1.59.18.9 2006/06/21 01:25:40 marka Exp $ */
+/* $Id: sockaddr.c,v 1.70 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/sparc64/Makefile.in b/lib/isc/sparc64/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/sparc64/Makefile.in
+++ b/lib/isc/sparc64/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/sparc64/include/Makefile.in b/lib/isc/sparc64/include/Makefile.in
index f4dd2f6..f1d8bdd 100644
--- a/lib/isc/sparc64/include/Makefile.in
+++ b/lib/isc/sparc64/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/sparc64/include/isc/Makefile.in b/lib/isc/sparc64/include/isc/Makefile.in
index 6760ce6..5f116ca 100644
--- a/lib/isc/sparc64/include/isc/Makefile.in
+++ b/lib/isc/sparc64/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/sparc64/include/isc/atomic.h b/lib/isc/sparc64/include/isc/atomic.h
index 5c254cf..b920095 100644
--- a/lib/isc/sparc64/include/isc/atomic.h
+++ b/lib/isc/sparc64/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.2.2 2005/06/16 22:01:02 jinmei Exp $ */
+/* $Id: atomic.h,v 1.5 2007/06/19 23:47:18 tbox Exp $ */
 
 /*
  * This code was written based on FreeBSD's kernel source whose copyright
diff --git a/lib/isc/stats.c b/lib/isc/stats.c
new file mode 100644
index 0000000..9e4e089
--- /dev/null
+++ b/lib/isc/stats.c
@@ -0,0 +1,326 @@
+/*
+ * Copyright (C) 2009  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: stats.c,v 1.3.6.2 2009/01/29 23:47:44 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <string.h>
+
+#include <isc/atomic.h>
+#include <isc/buffer.h>
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/platform.h>
+#include <isc/print.h>
+#include <isc/rwlock.h>
+#include <isc/stats.h>
+#include <isc/util.h>
+
+#define ISC_STATS_MAGIC			ISC_MAGIC('S', 't', 'a', 't')
+#define ISC_STATS_VALID(x)		ISC_MAGIC_VALID(x, ISC_STATS_MAGIC)
+
+#ifndef ISC_STATS_USEMULTIFIELDS
+#if defined(ISC_RWLOCK_USEATOMIC) && defined(ISC_PLATFORM_HAVEXADD) && !defined(ISC_PLATFORM_HAVEXADDQ)
+#define ISC_STATS_USEMULTIFIELDS 1
+#else
+#define ISC_STATS_USEMULTIFIELDS 0
+#endif
+#endif	/* ISC_STATS_USEMULTIFIELDS */
+
+#if ISC_STATS_USEMULTIFIELDS
+typedef struct {
+	isc_uint32_t hi;
+	isc_uint32_t lo;
+} isc_stat_t;
+#else
+typedef isc_uint64_t isc_stat_t;
+#endif
+
+struct isc_stats {
+	/*% Unlocked */
+	unsigned int	magic;
+	isc_mem_t	*mctx;
+	int		ncounters;
+
+	isc_mutex_t	lock;
+	unsigned int	references; /* locked by lock */
+
+	/*%
+	 * Locked by counterlock or unlocked if efficient rwlock is not
+	 * available.
+	 */
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_t	counterlock;
+#endif
+	isc_stat_t	*counters;
+
+	/*%
+	 * We don't want to lock the counters while we are dumping, so we first
+	 * copy the current counter values into a local array.  This buffer
+	 * will be used as the copy destination.  It's allocated on creation
+	 * of the stats structure so that the dump operation won't fail due
+	 * to memory allocation failure.
+	 * XXX: this approach is weird for non-threaded build because the
+	 * additional memory and the copy overhead could be avoided.  We prefer
+	 * simplicity here, however, under the assumption that this function
+	 * should be only rarely called.
+	 */
+	isc_uint64_t	*copiedcounters;
+};
+
+static isc_result_t
+create_stats(isc_mem_t *mctx, int ncounters, isc_stats_t **statsp) {
+	isc_stats_t *stats;
+	isc_result_t result = ISC_R_SUCCESS;
+
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	stats = isc_mem_get(mctx, sizeof(*stats));
+	if (stats == NULL)
+		return (ISC_R_NOMEMORY);
+
+	result = isc_mutex_init(&stats->lock);
+	if (result != ISC_R_SUCCESS)
+		goto clean_stats;
+
+	stats->counters = isc_mem_get(mctx, sizeof(isc_stat_t) * ncounters);
+	if (stats->counters == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto clean_mutex;
+	}
+	stats->copiedcounters = isc_mem_get(mctx,
+					    sizeof(isc_uint64_t) * ncounters);
+	if (stats->copiedcounters == NULL) {
+		result = ISC_R_NOMEMORY;
+		goto clean_counters;
+	}
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	result = isc_rwlock_init(&stats->counterlock, 0, 0);
+	if (result != ISC_R_SUCCESS)
+		goto clean_copiedcounters;
+#endif
+
+	stats->references = 1;
+	memset(stats->counters, 0, sizeof(isc_stat_t) * ncounters);
+	stats->mctx = NULL;
+	isc_mem_attach(mctx, &stats->mctx);
+	stats->ncounters = ncounters;
+	stats->magic = ISC_STATS_MAGIC;
+
+	*statsp = stats;
+
+	return (result);
+
+clean_counters:
+	isc_mem_put(mctx, stats->counters, sizeof(isc_stat_t) * ncounters);
+
+#ifdef ISC_RWLOCK_USEATOMIC
+clean_copiedcounters:
+	isc_mem_put(mctx, stats->copiedcounters,
+		    sizeof(isc_stat_t) * ncounters);
+#endif
+
+clean_mutex:
+	DESTROYLOCK(&stats->lock);
+
+clean_stats:
+	isc_mem_put(mctx, stats, sizeof(*stats));
+
+	return (result);
+}
+
+void
+isc_stats_attach(isc_stats_t *stats, isc_stats_t **statsp) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	LOCK(&stats->lock);
+	stats->references++;
+	UNLOCK(&stats->lock);
+
+	*statsp = stats;
+}
+
+void
+isc_stats_detach(isc_stats_t **statsp) {
+	isc_stats_t *stats;
+
+	REQUIRE(statsp != NULL && ISC_STATS_VALID(*statsp));
+
+	stats = *statsp;
+	*statsp = NULL;
+
+	LOCK(&stats->lock);
+	stats->references--;
+	UNLOCK(&stats->lock);
+
+	if (stats->references == 0) {
+		isc_mem_put(stats->mctx, stats->copiedcounters,
+			    sizeof(isc_stat_t) * stats->ncounters);
+		isc_mem_put(stats->mctx, stats->counters,
+			    sizeof(isc_stat_t) * stats->ncounters);
+		DESTROYLOCK(&stats->lock);
+#ifdef ISC_RWLOCK_USEATOMIC
+		isc_rwlock_destroy(&stats->counterlock);
+#endif
+		isc_mem_putanddetach(&stats->mctx, stats, sizeof(*stats));
+	}
+}
+
+int
+isc_stats_ncounters(isc_stats_t *stats) {
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	return (stats->ncounters);
+}
+
+static inline void
+incrementcounter(isc_stats_t *stats, int counter) {
+	isc_int32_t prev;
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	/*
+	 * We use a "read" lock to prevent other threads from reading the
+	 * counter while we "writing" a counter field.  The write access itself
+	 * is protected by the atomic operation.
+	 */
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, 1);
+	/*
+	 * If the lower 32-bit field overflows, increment the higher field.
+	 * Note that it's *theoretically* possible that the lower field
+	 * overlaps again before the higher field is incremented.  It doesn't
+	 * matter, however, because we don't read the value until
+	 * isc_stats_copy() is called where the whole process is protected
+	 * by the write (exclusive) lock.
+	 */
+	if (prev == (isc_int32_t)0xffffffff)
+		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi, 1);
+#elif defined(ISC_PLATFORM_HAVEXADDQ)
+	UNUSED(prev);
+	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], 1);
+#else
+	UNUSED(prev);
+	stats->counters[counter]++;
+#endif
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+}
+
+static inline void
+decrementcounter(isc_stats_t *stats, int counter) {
+	isc_int32_t prev;
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+	prev = isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].lo, -1);
+	if (prev == 0)
+		isc_atomic_xadd((isc_int32_t *)&stats->counters[counter].hi,
+				-1);
+#elif defined(ISC_PLATFORM_HAVEXADDQ)
+	UNUSED(prev);
+	isc_atomic_xaddq((isc_int64_t *)&stats->counters[counter], -1);
+#else
+	UNUSED(prev);
+	stats->counters[counter]--;
+#endif
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_read);
+#endif
+}
+
+static void
+copy_counters(isc_stats_t *stats) {
+	int i;
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	/*
+	 * We use a "write" lock before "reading" the statistics counters as
+	 * an exclusive lock.
+	 */
+	isc_rwlock_lock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+
+#if ISC_STATS_USEMULTIFIELDS
+	for (i = 0; i < stats->ncounters; i++) {
+		stats->copiedcounters[i] =
+				(isc_uint64_t)(stats->counters[i].hi) << 32 |
+				stats->counters[i].lo;
+	}
+#else
+	UNUSED(i);
+	memcpy(stats->copiedcounters, stats->counters,
+	       stats->ncounters * sizeof(isc_stat_t));
+#endif
+
+#ifdef ISC_RWLOCK_USEATOMIC
+	isc_rwlock_unlock(&stats->counterlock, isc_rwlocktype_write);
+#endif
+}
+
+isc_result_t
+isc_stats_create(isc_mem_t *mctx, isc_stats_t **statsp, int ncounters) {
+	REQUIRE(statsp != NULL && *statsp == NULL);
+
+	return (create_stats(mctx, ncounters, statsp));
+}
+
+void
+isc_stats_increment(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	incrementcounter(stats, (int)counter);
+}
+
+void
+isc_stats_decrement(isc_stats_t *stats, isc_statscounter_t counter) {
+	REQUIRE(ISC_STATS_VALID(stats));
+	REQUIRE(counter < stats->ncounters);
+
+	decrementcounter(stats, (int)counter);
+}
+
+void
+isc_stats_dump(isc_stats_t *stats, isc_stats_dumper_t dump_fn,
+	       void *arg, unsigned int options)
+{
+	int i;
+
+	REQUIRE(ISC_STATS_VALID(stats));
+
+	copy_counters(stats);
+
+	for (i = 0; i < stats->ncounters; i++) {
+		if ((options & ISC_STATSDUMP_VERBOSE) == 0 &&
+		    stats->copiedcounters[i] == 0)
+				continue;
+		dump_fn((isc_statscounter_t)i, stats->copiedcounters[i], arg);
+	}
+}
diff --git a/lib/isc/string.c b/lib/isc/string.c
index c09fa4f..b9c43e7 100644
--- a/lib/isc/string.c
+++ b/lib/isc/string.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: string.c,v 1.10.18.7 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: string.c,v 1.20 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/strtoul.c b/lib/isc/strtoul.c
index 5070c08..18d93e2 100644
--- a/lib/isc/strtoul.c
+++ b/lib/isc/strtoul.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -53,7 +53,7 @@
 static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #endif /* LIBC_SCCS and not lint */
 
-/* $Id: strtoul.c,v 1.3.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: strtoul.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/symtab.c b/lib/isc/symtab.c
index 716ca88..9f8e798 100644
--- a/lib/isc/symtab.c
+++ b/lib/isc/symtab.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.26.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: symtab.c,v 1.30 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/task.c b/lib/isc/task.c
index 5c80712..a630173 100644
--- a/lib/isc/task.c
+++ b/lib/isc/task.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.91.18.6 2006/01/04 23:50:23 marka Exp $ */
+/* $Id: task.c,v 1.107 2008/03/27 23:46:57 tbox Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -38,13 +38,12 @@
 #include <isc/task.h>
 #include <isc/thread.h>
 #include <isc/util.h>
+#include <isc/xml.h>
 
 #ifndef ISC_PLATFORM_USETHREADS
 #include "task_p.h"
 #endif /* ISC_PLATFORM_USETHREADS */
 
-#define ISC_TASK_NAMES 1
-
 #ifdef ISC_TASK_TRACE
 #define XTRACE(m)		fprintf(stderr, "task %p thread %lu: %s\n", \
 				       task, isc_thread_self(), (m))
@@ -67,6 +66,12 @@ typedef enum {
 	task_state_done
 } task_state_t;
 
+#ifdef HAVE_LIBXML2
+static const char *statenames[] = {
+	"idle", "ready", "running", "done",
+};
+#endif
+
 #define TASK_MAGIC			ISC_MAGIC('T', 'A', 'S', 'K')
 #define VALID_TASK(t)			ISC_MAGIC_VALID(t, TASK_MAGIC)
 
@@ -83,10 +88,8 @@ struct isc_task {
 	unsigned int			quantum;
 	unsigned int			flags;
 	isc_stdtime_t			now;
-#ifdef ISC_TASK_NAMES
 	char				name[16];
 	void *				tag;
-#endif
 	/* Locked by task manager lock. */
 	LINK(isc_task_t)		link;
 	LINK(isc_task_t)		ready_link;
@@ -196,10 +199,8 @@ isc_task_create(isc_taskmgr_t *manager, unsigned int quantum,
 	task->quantum = quantum;
 	task->flags = 0;
 	task->now = 0;
-#ifdef ISC_TASK_NAMES
 	memset(task->name, 0, sizeof(task->name));
 	task->tag = NULL;
-#endif
 	INIT_LINK(task, link);
 	INIT_LINK(task, ready_link);
 
@@ -694,17 +695,11 @@ isc_task_setname(isc_task_t *task, const char *name, void *tag) {
 
 	REQUIRE(VALID_TASK(task));
 
-#ifdef ISC_TASK_NAMES
 	LOCK(&task->lock);
 	memset(task->name, 0, sizeof(task->name));
 	strncpy(task->name, name, sizeof(task->name) - 1);
 	task->tag = tag;
 	UNLOCK(&task->lock);
-#else
-	UNUSED(name);
-	UNUSED(tag);
-#endif
-
 }
 
 const char *
@@ -806,9 +801,9 @@ dispatch(isc_taskmgr_t *manager) {
 		 * task lock.
 		 */
 		while ((EMPTY(manager->ready_tasks) ||
-		        manager->exclusive_requested) &&
-		  	!FINISHED(manager)) 
-	  	{
+			manager->exclusive_requested) &&
+			!FINISHED(manager))
+		{
 			XTHREADTRACE(isc_msgcat_get(isc_msgcat,
 						    ISC_MSGSET_GENERAL,
 						    ISC_MSG_WAIT, "wait"));
@@ -1021,7 +1016,7 @@ manager_free(isc_taskmgr_t *manager) {
 	isc_mem_t *mctx;
 
 #ifdef ISC_PLATFORM_USETHREADS
-	(void)isc_condition_destroy(&manager->exclusive_granted);	
+	(void)isc_condition_destroy(&manager->exclusive_granted);
 	(void)isc_condition_destroy(&manager->work_available);
 	isc_mem_free(manager->mctx, manager->threads);
 #endif /* ISC_PLATFORM_USETHREADS */
@@ -1263,19 +1258,19 @@ isc__taskmgr_dispatch(void) {
 
 isc_result_t
 isc_task_beginexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS	
+#ifdef ISC_PLATFORM_USETHREADS
 	isc_taskmgr_t *manager = task->manager;
 	REQUIRE(task->state == task_state_running);
 	LOCK(&manager->lock);
 	if (manager->exclusive_requested) {
-		UNLOCK(&manager->lock);			
+		UNLOCK(&manager->lock);
 		return (ISC_R_LOCKBUSY);
 	}
 	manager->exclusive_requested = ISC_TRUE;
 	while (manager->tasks_running > 1) {
 		WAIT(&manager->exclusive_granted, &manager->lock);
 	}
-	UNLOCK(&manager->lock);	
+	UNLOCK(&manager->lock);
 #else
 	UNUSED(task);
 #endif
@@ -1284,7 +1279,7 @@ isc_task_beginexclusive(isc_task_t *task) {
 
 void
 isc_task_endexclusive(isc_task_t *task) {
-#ifdef ISC_PLATFORM_USETHREADS	
+#ifdef ISC_PLATFORM_USETHREADS
 	isc_taskmgr_t *manager = task->manager;
 	REQUIRE(task->state == task_state_running);
 	LOCK(&manager->lock);
@@ -1296,3 +1291,86 @@ isc_task_endexclusive(isc_task_t *task) {
 	UNUSED(task);
 #endif
 }
+
+#ifdef HAVE_LIBXML2
+
+void
+isc_taskmgr_renderxml(isc_taskmgr_t *mgr, xmlTextWriterPtr writer)
+{
+	isc_task_t *task;
+
+	LOCK(&mgr->lock);
+
+	/*
+	 * Write out the thread-model, and some details about each depending
+	 * on which type is enabled.
+	 */
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "thread-model");
+#ifdef ISC_PLATFORM_USETHREADS
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR "threaded");
+	xmlTextWriterEndElement(writer); /* type */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "worker-threads");
+	xmlTextWriterWriteFormatString(writer, "%d", mgr->workers);
+	xmlTextWriterEndElement(writer); /* worker-threads */
+#else /* ISC_PLATFORM_USETHREADS */
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "type");
+	xmlTextWriterWriteString(writer, ISC_XMLCHAR "non-threaded");
+	xmlTextWriterEndElement(writer); /* type */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+	xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
+	xmlTextWriterEndElement(writer); /* references */
+#endif /* ISC_PLATFORM_USETHREADS */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "default-quantum");
+	xmlTextWriterWriteFormatString(writer, "%d", mgr->default_quantum);
+	xmlTextWriterEndElement(writer); /* default-quantum */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks-running");
+	xmlTextWriterWriteFormatString(writer, "%d", mgr->tasks_running);
+	xmlTextWriterEndElement(writer); /* tasks-running */
+
+	xmlTextWriterEndElement(writer); /* thread-model */
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "tasks");
+	task = ISC_LIST_HEAD(mgr->tasks);
+	while (task != NULL) {
+		LOCK(&task->lock);
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "task");
+
+		if (task->name[0] != 0) {
+			xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+			xmlTextWriterWriteFormatString(writer, "%s",
+						       task->name);
+			xmlTextWriterEndElement(writer); /* name */
+		}
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+		xmlTextWriterWriteFormatString(writer, "%d", task->references);
+		xmlTextWriterEndElement(writer); /* references */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
+		xmlTextWriterWriteFormatString(writer, "%p", task);
+		xmlTextWriterEndElement(writer); /* id */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "state");
+		xmlTextWriterWriteFormatString(writer, "%s",
+					       statenames[task->state]);
+		xmlTextWriterEndElement(writer); /* state */
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "quantum");
+		xmlTextWriterWriteFormatString(writer, "%d", task->quantum);
+		xmlTextWriterEndElement(writer); /* quantum */
+
+		xmlTextWriterEndElement(writer);
+
+		UNLOCK(&task->lock);
+		task = ISC_LIST_NEXT(task, link);
+	}
+	xmlTextWriterEndElement(writer); /* tasks */
+
+	UNLOCK(&mgr->lock);
+}
+#endif /* HAVE_LIBXML2 */
diff --git a/lib/isc/task_p.h b/lib/isc/task_p.h
index 8ada721..c888103 100644
--- a/lib/isc/task_p.h
+++ b/lib/isc/task_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task_p.h,v 1.7.18.2 2005/04/29 00:16:50 marka Exp $ */
+/* $Id: task_p.h,v 1.11 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef ISC_TASK_P_H
 #define ISC_TASK_P_H
diff --git a/lib/isc/taskpool.c b/lib/isc/taskpool.c
index f1f619d..d9c2fbe 100644
--- a/lib/isc/taskpool.c
+++ b/lib/isc/taskpool.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: taskpool.c,v 1.12.18.3 2005/11/30 03:44:39 marka Exp $ */
+/* $Id: taskpool.c,v 1.18 2007/06/18 23:47:44 tbox Exp $ */
 
 /*! \file */
 
@@ -66,6 +66,7 @@ isc_taskpool_create(isc_taskmgr_t *tmgr, isc_mem_t *mctx,
 			isc_taskpool_destroy(&pool);
 			return (result);
 		}
+		isc_task_setname(pool->tasks[i], "taskpool", NULL);
 	}
 	*poolp = pool;
 	return (ISC_R_SUCCESS);
diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index c27281d..21fcd69 100644
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2002  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.73.18.10 2008/08/22 05:59:04 marka Exp $ */
+/* $Id: timer.c,v 1.84.58.4 2009/01/23 23:47:21 tbox Exp $ */
 
 /*! \file */
 
@@ -662,7 +662,7 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 					isc_task_send(timer->task,
 						      ISC_EVENT_PTR(&event));
 				} else
-					UNEXPECTED_ERROR(__FILE__, __LINE__,
+					UNEXPECTED_ERROR(__FILE__, __LINE__, "%s",
 						 isc_msgcat_get(isc_msgcat,
 							 ISC_MSGSET_TIMER,
 							 ISC_MSG_EVENTNOTALLOC,
@@ -678,11 +678,12 @@ dispatch(isc_timermgr_t *manager, isc_time_t *now) {
 				result = schedule(timer, now, ISC_FALSE);
 				if (result != ISC_R_SUCCESS)
 					UNEXPECTED_ERROR(__FILE__, __LINE__,
+							 "%s: %u",
 						isc_msgcat_get(isc_msgcat,
 							ISC_MSGSET_TIMER,
 							ISC_MSG_SCHEDFAIL,
-							"couldn't "
-							"schedule timer: %u"),
+							"couldn't schedule "
+							"timer"),
 							 result);
 			}
 		} else {
diff --git a/lib/isc/timer_p.h b/lib/isc/timer_p.h
index fcc7b6c..ec8e2e0 100644
--- a/lib/isc/timer_p.h
+++ b/lib/isc/timer_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer_p.h,v 1.6.18.2 2005/04/29 00:16:51 marka Exp $ */
+/* $Id: timer_p.h,v 1.10 2007/06/19 23:47:17 tbox Exp $ */
 
 #ifndef ISC_TIMER_P_H
 #define ISC_TIMER_P_H
diff --git a/lib/isc/unix/Makefile.in b/lib/isc/unix/Makefile.in
index afb77a6..7d19b5c 100644
--- a/lib/isc/unix/Makefile.in
+++ b/lib/isc/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.38.18.1 2004/06/22 02:54:06 marka Exp $
+# $Id: Makefile.in,v 1.41 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/app.c b/lib/isc/unix/app.c
index c119362..660b438 100644
--- a/lib/isc/unix/app.c
+++ b/lib/isc/unix/app.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: app.c,v 1.50.18.8 2008/10/15 03:41:17 marka Exp $ */
+/* $Id: app.c,v 1.60 2008/10/15 03:41:17 marka Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/dir.c b/lib/isc/unix/dir.c
index b627c88..9244147 100644
--- a/lib/isc/unix/dir.c
+++ b/lib/isc/unix/dir.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.c,v 1.20.18.3 2005/09/05 00:18:30 marka Exp $ */
+/* $Id: dir.c,v 1.25.332.3 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file
  * \author  Principal Authors: DCL */
@@ -93,7 +93,7 @@ isc_dir_open(isc_dir_t *dir, const char *dirname) {
 }
 
 /*!
- * \brief Return previously retrieved file or get next one.  
+ * \brief Return previously retrieved file or get next one.
 
  * Unix's dirent has
  * separate open and read functions, but the Win32 and DOS interfaces open
@@ -171,10 +171,14 @@ isc_dir_chroot(const char *dirname) {
 
 	REQUIRE(dirname != NULL);
 
-	if (chroot(dirname) < 0)
+#ifdef HAVE_CHROOT
+	if (chroot(dirname) < 0 || chdir("/") < 0)
 		return (isc__errno2result(errno));
 
 	return (ISC_R_SUCCESS);
+#else
+	return (ISC_R_NOTIMPLEMENTED);
+#endif
 }
 
 isc_result_t
diff --git a/lib/isc/unix/entropy.c b/lib/isc/unix/entropy.c
index 4c0d0d0..0e9e297 100644
--- a/lib/isc/unix/entropy.c
+++ b/lib/isc/unix/entropy.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: entropy.c,v 1.71.18.7 2006/12/07 04:53:03 marka Exp $ */
+/* $Id: entropy.c,v 1.80.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /* \file unix/entropy.c
  * \brief
@@ -31,6 +31,9 @@
 #include <sys/socket.h>
 #include <sys/un.h>
 
+#ifdef HAVE_NANOSLEEP
+#include <time.h>
+#endif
 #include <unistd.h>
 
 #include <isc/platform.h>
@@ -153,12 +156,12 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 				source->sources.usocket.status =
 					isc_usocketsource_ndesired;
 				goto eagain_loop;
-			}	
+			}
 			INSIST(n == 2);
 			source->sources.usocket.status =
 						isc_usocketsource_wrote;
 			/*FALLTHROUGH*/
-		
+
 		case isc_usocketsource_wrote:
 			if (recvfrom(fd, buf, 1, 0, NULL, NULL) != 1) {
 				if (errno == EAGAIN) {
@@ -166,15 +169,23 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 					 * The problem of EAGAIN (try again
 					 * later) is a major issue on HP-UX.
 					 * Solaris actually tries the recvfrom
-					 * call again, while HP-UX just dies. 
+					 * call again, while HP-UX just dies.
 					 * This code is an attempt to let the
 					 * entropy pool fill back up (at least
 					 * that's what I think the problem is.)
-					 * We go to eagain_loop because if we 
+					 * We go to eagain_loop because if we
 					 * just "break", then the "desired"
 					 * amount gets borked.
 					 */
+#ifdef HAVE_NANOSLEEP
+					struct timespec ts;
+
+					ts.tv_sec = 0;
+					ts.tv_nsec = 1000000;
+					nanosleep(&ts, NULL);
+#else
 					usleep(1000);
+#endif
 					goto eagain_loop;
 				}
 				if (errno == EWOULDBLOCK || errno == EINTR)
@@ -201,7 +212,7 @@ get_from_usocketsource(isc_entropysource_t *source, isc_uint32_t desired) {
 			} else
 				n = 0;
 			break;
-		
+
 		default:
 			goto err;
 		}
@@ -491,7 +502,7 @@ isc_entropy_createfilesource(isc_entropy_t *ent, const char *fname) {
 		ret = isc__errno2result(errno);
 		goto errout;
 	}
-	/* 
+	/*
 	 * Solaris 2.5.1 does not have support for sockets (S_IFSOCK),
 	 * but it does return type S_IFIFO (the OS believes that
 	 * the socket is a fifo).  This may be an issue if we tell
diff --git a/lib/isc/unix/errno2result.c b/lib/isc/unix/errno2result.c
index d4b188f..606c560 100644
--- a/lib/isc/unix/errno2result.c
+++ b/lib/isc/unix/errno2result.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.c,v 1.13.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: errno2result.c,v 1.17 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/errno2result.h b/lib/isc/unix/errno2result.h
index 5e36116..b5b658d 100644
--- a/lib/isc/unix/errno2result.h
+++ b/lib/isc/unix/errno2result.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: errno2result.h,v 1.8.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: errno2result.h,v 1.12 2007/06/19 23:47:18 tbox Exp $ */
 
 #ifndef UNIX_ERRNO2RESULT_H
 #define UNIX_ERRNO2RESULT_H 1
diff --git a/lib/isc/unix/file.c b/lib/isc/unix/file.c
index e45e0fe..748aee8 100644
--- a/lib/isc/unix/file.c
+++ b/lib/isc/unix/file.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -48,7 +48,7 @@
  * SUCH DAMAGE.
  */
 
-/* $Id: file.c,v 1.47.18.2 2005/04/29 00:17:07 marka Exp $ */
+/* $Id: file.c,v 1.51.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -67,6 +67,7 @@
 
 #include <isc/dir.h>
 #include <isc/file.h>
+#include <isc/log.h>
 #include <isc/random.h>
 #include <isc/string.h>
 #include <isc/time.h>
@@ -235,7 +236,9 @@ isc_file_renameunique(const char *file, char *templet) {
 			}
 		}
 	}
-	(void)unlink(file);
+	if (unlink(file) < 0)
+		if (errno != ENOENT)
+			return (isc__errno2result(errno));
 	return (ISC_R_SUCCESS);
 }
 
@@ -287,7 +290,11 @@ isc_file_openunique(char *templet, FILE **fp) {
 	f = fdopen(fd, "w+");
 	if (f == NULL) {
 		result = isc__errno2result(errno);
-		(void)remove(templet);
+		if (remove(templet) < 0) {
+			isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				      ISC_LOGMODULE_FILE, ISC_LOG_ERROR,
+				      "remove '%s': failed", templet);
+		}
 		(void)close(fd);
 	} else
 		*fp = f;
@@ -386,7 +393,7 @@ isc_file_progname(const char *filename, char *buf, size_t buflen) {
 
 /*
  * Put the absolute name of the current directory into 'dirname', which is
- * a buffer of at least 'length' characters.  End the string with the 
+ * a buffer of at least 'length' characters.  End the string with the
  * appropriate path separator, such that the final product could be
  * concatenated with a relative pathname to make a valid pathname string.
  */
@@ -431,7 +438,7 @@ isc_result_t
 isc_file_truncate(const char *filename, isc_offset_t size) {
 	isc_result_t result = ISC_R_SUCCESS;
 
-	if (truncate(filename, size) < 0) 
+	if (truncate(filename, size) < 0)
 		result = isc__errno2result(errno);
 	return (result);
 }
diff --git a/lib/isc/unix/fsaccess.c b/lib/isc/unix/fsaccess.c
index f3ed60f..a2bd89a 100644
--- a/lib/isc/unix/fsaccess.c
+++ b/lib/isc/unix/fsaccess.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: fsaccess.c,v 1.7.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: fsaccess.c,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/ifiter_getifaddrs.c b/lib/isc/unix/ifiter_getifaddrs.c
index 3599a89..b576d46 100644
--- a/lib/isc/unix/ifiter_getifaddrs.c
+++ b/lib/isc/unix/ifiter_getifaddrs.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_getifaddrs.c,v 1.4.18.5 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: ifiter_getifaddrs.c,v 1.11 2008/03/20 23:47:00 tbox Exp $ */
 
 /*! \file
  * \brief
@@ -29,6 +29,10 @@
 /*% Valid Iterator */
 #define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
 
+#ifdef __linux
+static isc_boolean_t seenv6 = ISC_FALSE;
+#endif
+
 /*% Iterator structure */
 struct isc_interfaceiter {
 	unsigned int		magic;		/*%< Magic number. */
@@ -39,9 +43,13 @@ struct isc_interfaceiter {
 	struct ifaddrs		*pos;		/*%< Ptr to current ifaddr */
 	isc_interface_t		current;	/*%< Current interface data. */
 	isc_result_t		result;		/*%< Last result code. */
+#ifdef  __linux
+	FILE *                  proc;
+	char                    entry[ISC_IF_INET6_SZ];
+	isc_result_t            valid;
+#endif
 };
 
-
 isc_result_t
 isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	isc_interfaceiter_t *iter;
@@ -60,6 +68,17 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	iter->buf = NULL;
 	iter->bufsize = 0;
 	iter->ifaddrs = NULL;
+#ifdef __linux
+	/*
+	 * Only open "/proc/net/if_inet6" if we have never seen a IPv6
+	 * address returned by getifaddrs().
+	 */
+	if (!seenv6)
+		iter->proc = fopen("/proc/net/if_inet6", "r");
+	else
+		iter->proc = NULL;
+	iter->valid = ISC_R_FAILURE;
+#endif
 
 	if (getifaddrs(&iter->ifaddrs) < 0) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
@@ -86,6 +105,10 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 	return (ISC_R_SUCCESS);
 
  failure:
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+#endif
 	if (iter->ifaddrs != NULL) /* just in case */
 		freeifaddrs(iter->ifaddrs);
 	isc_mem_put(mctx, iter, sizeof(*iter));
@@ -109,6 +132,11 @@ internal_current(isc_interfaceiter_t *iter) {
 
 	ifa = iter->pos;
 
+#ifdef __linux
+	if (iter->pos == NULL)
+		return (linux_if_inet6_current(iter));
+#endif
+
 	INSIST(ifa != NULL);
 	INSIST(ifa->ifa_name != NULL);
 
@@ -119,6 +147,11 @@ internal_current(isc_interfaceiter_t *iter) {
 	if (family != AF_INET && family != AF_INET6)
 		return (ISC_R_IGNORE);
 
+#ifdef __linux
+	if (family == AF_INET6)
+		seenv6 = ISC_TRUE;
+#endif
+
 	memset(&iter->current, 0, sizeof(iter->current));
 
 	namelen = strlen(ifa->ifa_name);
@@ -164,16 +197,28 @@ internal_current(isc_interfaceiter_t *iter) {
  */
 static isc_result_t
 internal_next(isc_interfaceiter_t *iter) {
-	iter->pos = iter->pos->ifa_next;
 
-	if (iter->pos == NULL)
+	if (iter->pos != NULL)
+		iter->pos = iter->pos->ifa_next;
+	if (iter->pos == NULL) {
+#ifdef __linux
+		if (!seenv6)
+			return (linux_if_inet6_next(iter));
+#endif
 		return (ISC_R_NOMORE);
+	}
 
 	return (ISC_R_SUCCESS);
 }
 
 static void
 internal_destroy(isc_interfaceiter_t *iter) {
+
+#ifdef __linux
+	if (iter->proc != NULL)
+		fclose(iter->proc);
+	iter->proc = NULL;
+#endif
 	if (iter->ifaddrs)
 		freeifaddrs(iter->ifaddrs);
 	iter->ifaddrs = NULL;
@@ -181,5 +226,9 @@ internal_destroy(isc_interfaceiter_t *iter) {
 
 static
 void internal_first(isc_interfaceiter_t *iter) {
+
+#ifdef __linux
+	linux_if_inet6_first(iter);
+#endif
 	iter->pos = iter->ifaddrs;
 }
diff --git a/lib/isc/unix/ifiter_ioctl.c b/lib/isc/unix/ifiter_ioctl.c
index ce63de7..a9d29bc 100644
--- a/lib/isc/unix/ifiter_ioctl.c
+++ b/lib/isc/unix/ifiter_ioctl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_ioctl.c,v 1.44.18.13 2007/08/31 23:46:25 tbox Exp $ */
+/* $Id: ifiter_ioctl.c,v 1.60.120.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*! \file
  * \brief
@@ -50,9 +50,6 @@
 #define IFITER_MAGIC		ISC_MAGIC('I', 'F', 'I', 'T')
 #define VALID_IFITER(t)		ISC_MAGIC_VALID(t, IFITER_MAGIC)
 
-#define ISC_IF_INET6_SZ \
-    sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
-
 struct isc_interfaceiter {
 	unsigned int		magic;		/* Magic number. */
 	isc_mem_t		*mctx;
@@ -82,7 +79,6 @@ struct isc_interfaceiter {
 	FILE *			proc;
 	char			entry[ISC_IF_INET6_SZ];
 	isc_result_t		valid;
-	isc_boolean_t		first;
 #endif
 	isc_interface_t		current;	/* Current interface data. */
 	isc_result_t		result;		/* Last result code. */
@@ -104,7 +100,7 @@ struct isc_interfaceiter {
 #ifdef __linux
 #ifndef IF_NAMESIZE
 # ifdef IFNAMSIZ
-#  define IF_NAMESIZE  IFNAMSIZ  
+#  define IF_NAMESIZE  IFNAMSIZ
 # else
 #  define IF_NAMESIZE 16
 # endif
@@ -126,7 +122,7 @@ getbuf4(isc_interfaceiter_t *iter) {
 		iter->ifc.ifc_len = iter->bufsize;
 		iter->ifc.ifc_buf = iter->buf;
 		/*
-		 * Ignore the HP/UX warning about "interger overflow during
+		 * Ignore the HP/UX warning about "integer overflow during
 		 * conversion".  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
@@ -206,7 +202,7 @@ getbuf6(isc_interfaceiter_t *iter) {
 		iter->lifc.lifc_len = iter->bufsize6;
 		iter->lifc.lifc_buf = iter->buf6;
 		/*
-		 * Ignore the HP/UX warning about "interger overflow during
+		 * Ignore the HP/UX warning about "integer overflow during
 		 * conversion".  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
@@ -372,7 +368,6 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 #ifdef __linux
 	iter->proc = fopen("/proc/net/if_inet6", "r");
 	iter->valid = ISC_R_FAILURE;
-	iter->first = ISC_FALSE;
 #endif
 	iter->result = ISC_R_FAILURE;
 
@@ -394,7 +389,7 @@ isc_interfaceiter_create(isc_mem_t *mctx, isc_interfaceiter_t **iterp) {
 		(void) close(iter->socket6);
   socket6_failure:
 #endif
- 
+
 	isc_mem_put(mctx, iter, sizeof(*iter));
 	return (result);
 }
@@ -422,89 +417,6 @@ internal_current_clusteralias(isc_interfaceiter_t *iter) {
 }
 #endif
 
-#ifdef __linux
-static isc_result_t
-linux_if_inet6_next(isc_interfaceiter_t *iter) {
-	if (iter->proc != NULL &&
-	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
-		iter->valid = ISC_R_SUCCESS;
-	else
-		iter->valid = ISC_R_NOMORE;
-	return (iter->valid);
-}
-
-static void
-linux_if_inet6_first(isc_interfaceiter_t *iter) {
-	if (iter->proc != NULL) {
-		rewind(iter->proc);
-		(void)linux_if_inet6_next(iter);
-	} else
-		iter->valid = ISC_R_NOMORE;
-	iter->first = ISC_FALSE;
-}
-
-static isc_result_t
-linux_if_inet6_current(isc_interfaceiter_t *iter) {
-	char address[33];
-	char name[IF_NAMESIZE+1];
-	struct in6_addr addr6;
-	int ifindex, prefix, flag3, flag4;
-	int res;
-	unsigned int i;
-
-	if (iter->valid != ISC_R_SUCCESS)
-		return (iter->valid);
-	if (iter->proc == NULL) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:iter->proc == NULL");
-		return (ISC_R_FAILURE);
-	}
-
-	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
-		     address, &ifindex, &prefix, &flag3, &flag4, name);
-	if (res != 6) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
-			      res);
-		return (ISC_R_FAILURE);
-	}
-	if (strlen(address) != 32) {
-		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
-			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
-			      "/proc/net/if_inet6:strlen(%s) != 32", address);
-		return (ISC_R_FAILURE);
-	}
-	for (i = 0; i < 16; i++) {
-		unsigned char byte;
-		static const char hex[] = "0123456789abcdef";
-		byte = ((index(hex, address[i * 2]) - hex) << 4) |
-		       (index(hex, address[i * 2 + 1]) - hex);
-		addr6.s6_addr[i] = byte;
-	}
-	iter->current.af = AF_INET6;
-	iter->current.flags = INTERFACE_F_UP;
-	isc_netaddr_fromin6(&iter->current.address, &addr6);
-	if (isc_netaddr_islinklocal(&iter->current.address)) {
-		isc_netaddr_setzone(&iter->current.address,
-				    (isc_uint32_t)ifindex);
-	}
-	for (i = 0; i < 16; i++) {
-		if (prefix > 8) {
-			addr6.s6_addr[i] = 0xff;
-			prefix -= 8;
-		} else {
-			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
-			prefix = 0;
-		}
-	}
-	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
-	strncpy(iter->current.name, name, sizeof(iter->current.name));
-	return (ISC_R_SUCCESS);
-}
-#endif
-
 /*
  * Get information about the current interface to iter->current.
  * If successful, return ISC_R_SUCCESS.
@@ -525,23 +437,19 @@ internal_current4(isc_interfaceiter_t *iter) {
 	char sabuf[256];
 #endif
 	int i, bits, prefixlen;
-#ifdef __linux
-	isc_result_t result;
-#endif
 
 	REQUIRE(VALID_IFITER(iter));
-	REQUIRE(iter->ifc.ifc_len == 0 ||
-		iter->pos < (unsigned int) iter->ifc.ifc_len);
 
+	if (iter->ifc.ifc_len == 0 ||
+	    iter->pos == (unsigned int)iter->ifc.ifc_len) {
 #ifdef __linux
-	result = linux_if_inet6_current(iter);
-	if (result != ISC_R_NOMORE)
-		return (result);
-	iter->first = ISC_TRUE;
+		return (linux_if_inet6_current(iter));
+#else
+		return (ISC_R_NOMORE);
 #endif
+	}
 
-	if (iter->ifc.ifc_len == 0)
-		return (ISC_R_NOMORE);
+	INSIST( iter->pos < (unsigned int) iter->ifc.ifc_len);
 
 	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
 
@@ -588,7 +496,7 @@ internal_current4(isc_interfaceiter_t *iter) {
 	iter->current.flags = 0;
 
 	/*
-	 * Ignore the HP/UX warning about "interger overflow during
+	 * Ignore the HP/UX warning about "integer overflow during
 	 * conversion.  It comes from its own macro definition,
 	 * and is really hard to shut up.
 	 */
@@ -666,7 +574,7 @@ internal_current4(isc_interfaceiter_t *iter) {
 	 */
 	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
 		/*
-		 * Ignore the HP/UX warning about "interger overflow during
+		 * Ignore the HP/UX warning about "integer overflow during
 		 * conversion.  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
@@ -693,7 +601,7 @@ internal_current4(isc_interfaceiter_t *iter) {
 	memset(&ifreq, 0, sizeof(ifreq));
 	memcpy(&ifreq, ifrp, sizeof(ifreq));
 	/*
-	 * Ignore the HP/UX warning about "interger overflow during
+	 * Ignore the HP/UX warning about "integer overflow during
 	 * conversion.  It comes from its own macro definition,
 	 * and is really hard to shut up.
 	 */
@@ -776,7 +684,7 @@ internal_current6(isc_interfaceiter_t *iter) {
 		fd = iter->socket;
 
 	/*
-	 * Ignore the HP/UX warning about "interger overflow during
+	 * Ignore the HP/UX warning about "integer overflow during
 	 * conversion.  It comes from its own macro definition,
 	 * and is really hard to shut up.
 	 */
@@ -805,7 +713,7 @@ internal_current6(isc_interfaceiter_t *iter) {
 	 */
 	if ((iter->current.flags & INTERFACE_F_POINTTOPOINT) != 0) {
 		/*
-		 * Ignore the HP/UX warning about "interger overflow during
+		 * Ignore the HP/UX warning about "integer overflow during
 		 * conversion.  It comes from its own macro definition,
 		 * and is really hard to shut up.
 		 */
@@ -855,7 +763,7 @@ internal_current6(isc_interfaceiter_t *iter) {
 #endif
 
 	/*
-	 * Ignore the HP/UX warning about "interger overflow during
+	 * Ignore the HP/UX warning about "integer overflow during
 	 * conversion.  It comes from its own macro definition,
 	 * and is really hard to shut up.
 	 */
@@ -905,31 +813,25 @@ internal_next4(isc_interfaceiter_t *iter) {
 	struct ifreq *ifrp;
 #endif
 
-	REQUIRE(iter->ifc.ifc_len == 0 ||
-	        iter->pos < (unsigned int) iter->ifc.ifc_len);
-
-#ifdef __linux
-	if (linux_if_inet6_next(iter) == ISC_R_SUCCESS)
-		return (ISC_R_SUCCESS);
-	if (!iter->first)
-		return (ISC_R_SUCCESS);
-#endif
-
-	if (iter->ifc.ifc_len == 0)
-		return (ISC_R_NOMORE);
-
+	if (iter->pos < (unsigned int) iter->ifc.ifc_len) {
 #ifdef ISC_PLATFORM_HAVESALEN
-	ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
+		ifrp = (struct ifreq *)((char *) iter->ifc.ifc_req + iter->pos);
 
-	if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
-		iter->pos += sizeof(ifrp->ifr_name) + ifrp->ifr_addr.sa_len;
-	else
+		if (ifrp->ifr_addr.sa_len > sizeof(struct sockaddr))
+			iter->pos += sizeof(ifrp->ifr_name) +
+				     ifrp->ifr_addr.sa_len;
+		else
 #endif
-		iter->pos += sizeof(struct ifreq);
+			iter->pos += sizeof(struct ifreq);
 
-	if (iter->pos >= (unsigned int) iter->ifc.ifc_len)
+	} else {
+		INSIST(iter->pos == (unsigned int) iter->ifc.ifc_len);
+#ifdef __linux
+		return (linux_if_inet6_next(iter));
+#else
 		return (ISC_R_NOMORE);
-
+#endif
+	}
 	return (ISC_R_SUCCESS);
 }
 
@@ -939,7 +841,7 @@ internal_next6(isc_interfaceiter_t *iter) {
 #ifdef ISC_PLATFORM_HAVESALEN
 	struct LIFREQ *ifrp;
 #endif
-	
+
 	if (iter->result6 != ISC_R_SUCCESS && iter->result6 != ISC_R_IGNORE)
 		return (iter->result6);
 
diff --git a/lib/isc/unix/ifiter_sysctl.c b/lib/isc/unix/ifiter_sysctl.c
index 212a478..9d5bf6d 100644
--- a/lib/isc/unix/ifiter_sysctl.c
+++ b/lib/isc/unix/ifiter_sysctl.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ifiter_sysctl.c,v 1.20.18.3 2005/04/27 05:02:35 sra Exp $ */
+/* $Id: ifiter_sysctl.c,v 1.25 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file
  * \brief
diff --git a/lib/isc/unix/include/Makefile.in b/lib/isc/unix/include/Makefile.in
index 78eba44..0303ab1 100644
--- a/lib/isc/unix/include/Makefile.in
+++ b/lib/isc/unix/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12 2004/03/05 05:11:50 marka Exp $
+# $Id: Makefile.in,v 1.14 2007/06/19 23:47:18 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/include/isc/Makefile.in b/lib/isc/unix/include/isc/Makefile.in
index 9599f7c..2f4d216 100644
--- a/lib/isc/unix/include/isc/Makefile.in
+++ b/lib/isc/unix/include/isc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28 2004/03/05 05:11:52 marka Exp $
+# $Id: Makefile.in,v 1.30 2007/06/19 23:47:19 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/unix/include/isc/dir.h b/lib/isc/unix/include/isc/dir.h
index cc85706..e4a2ad0 100644
--- a/lib/isc/unix/include/isc/dir.h
+++ b/lib/isc/unix/include/isc/dir.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dir.h,v 1.17.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: dir.h,v 1.21 2007/06/19 23:47:19 tbox Exp $ */
 
 /* Principal Authors: DCL */
 
diff --git a/lib/isc/unix/include/isc/int.h b/lib/isc/unix/include/isc/int.h
index 1e1de7b..73feb3b 100644
--- a/lib/isc/unix/include/isc/int.h
+++ b/lib/isc/unix/include/isc/int.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.12.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: int.h,v 1.16 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_INT_H
 #define ISC_INT_H 1
diff --git a/lib/isc/unix/include/isc/keyboard.h b/lib/isc/unix/include/isc/keyboard.h
index 4b28cc0..43f5e7e 100644
--- a/lib/isc/unix/include/isc/keyboard.h
+++ b/lib/isc/unix/include/isc/keyboard.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.h,v 1.7.18.2 2005/04/29 00:17:09 marka Exp $ */
+/* $Id: keyboard.h,v 1.11 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_KEYBOARD_H
 #define ISC_KEYBOARD_H 1
diff --git a/lib/isc/unix/include/isc/net.h b/lib/isc/unix/include/isc/net.h
index 948e7b1..53bebd7 100644
--- a/lib/isc/unix/include/isc/net.h
+++ b/lib/isc/unix/include/isc/net.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.39.18.6 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: net.h,v 1.48.84.2 2009/02/16 23:47:15 tbox Exp $ */
 
 #ifndef ISC_NET_H
 #define ISC_NET_H 1
@@ -354,11 +354,10 @@ isc_net_pton(int af, const char *src, void *dst);
 #define inet_pton isc_net_pton
 #endif
 
-#ifdef ISC_PLATFORM_NEEDATON
 int
 isc_net_aton(const char *cp, struct in_addr *addr);
+#undef inet_aton
 #define inet_aton isc_net_aton
-#endif
 
 ISC_LANG_ENDDECLS
 
diff --git a/lib/isc/unix/include/isc/netdb.h b/lib/isc/unix/include/isc/netdb.h
index 428f087..ff12a26 100644
--- a/lib/isc/unix/include/isc/netdb.h
+++ b/lib/isc/unix/include/isc/netdb.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h,v 1.7.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: netdb.h,v 1.11 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_NETDB_H
 #define ISC_NETDB_H 1
diff --git a/lib/isc/unix/include/isc/offset.h b/lib/isc/unix/include/isc/offset.h
index 15fbad4..0e484be 100644
--- a/lib/isc/unix/include/isc/offset.h
+++ b/lib/isc/unix/include/isc/offset.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: offset.h,v 1.11.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: offset.h,v 1.15.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 #ifndef ISC_OFFSET_H
 #define ISC_OFFSET_H 1
@@ -26,6 +26,7 @@
  */
 #include <limits.h>             /* Required for CHAR_BIT. */
 #include <sys/types.h>
+#include <stddef.h>		/* For Linux Standard Base. */
 
 typedef off_t isc_offset_t;
 
diff --git a/lib/isc/unix/include/isc/stat.h b/lib/isc/unix/include/isc/stat.h
index d1b2489..b7a7986 100644
--- a/lib/isc/unix/include/isc/stat.h
+++ b/lib/isc/unix/include/isc/stat.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stat.h,v 1.2.18.1 2004/08/19 04:42:54 marka Exp $ */
+/* $Id: stat.h,v 1.5 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_STAT_H
 #define ISC_STAT_H 1
diff --git a/lib/isc/unix/include/isc/stdtime.h b/lib/isc/unix/include/isc/stdtime.h
index 24a91d2..4cb9e81 100644
--- a/lib/isc/unix/include/isc/stdtime.h
+++ b/lib/isc/unix/include/isc/stdtime.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.h,v 1.9.18.3 2005/06/04 06:23:45 jinmei Exp $ */
+/* $Id: stdtime.h,v 1.14 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_STDTIME_H
 #define ISC_STDTIME_H 1
diff --git a/lib/isc/unix/include/isc/strerror.h b/lib/isc/unix/include/isc/strerror.h
index fb2e8a4..2953f71 100644
--- a/lib/isc/unix/include/isc/strerror.h
+++ b/lib/isc/unix/include/isc/strerror.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.h,v 1.4.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: strerror.h,v 1.8.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 #ifndef ISC_STRERROR_H
 #define ISC_STRERROR_H
@@ -32,7 +32,7 @@ ISC_LANG_BEGINDECLS
 #define ISC_STRERRORSIZE 128
 
 /*%
- * Provide a thread safe wrapper to strerrror().
+ * Provide a thread safe wrapper to strerror().
  *
  * Requires:
  * 	'buf' to be non NULL.
diff --git a/lib/isc/unix/include/isc/syslog.h b/lib/isc/unix/include/isc/syslog.h
index 08adca1..7e0c88c 100644
--- a/lib/isc/unix/include/isc/syslog.h
+++ b/lib/isc/unix/include/isc/syslog.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.h,v 1.3.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: syslog.h,v 1.7 2007/06/19 23:47:19 tbox Exp $ */
 
 #ifndef ISC_SYSLOG_H
 #define ISC_SYSLOG_H 1
diff --git a/lib/isc/unix/include/isc/time.h b/lib/isc/unix/include/isc/time.h
index 6579439..45c4510 100644
--- a/lib/isc/unix/include/isc/time.h
+++ b/lib/isc/unix/include/isc/time.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.30.18.2 2005/04/29 00:17:10 marka Exp $ */
+/* $Id: time.h,v 1.38.56.2 2009/01/05 23:47:23 tbox Exp $ */
 
 #ifndef ISC_TIME_H
 #define ISC_TIME_H 1
@@ -29,7 +29,7 @@
  *** Intervals
  ***/
 
-/*! 
+/*!
  *  \brief
  * The contents of this structure are private, and MUST NOT be accessed
  * directly by callers.
@@ -90,15 +90,17 @@ extern isc_time_t *isc_time_epoch;
 void
 isc_time_set(isc_time_t *t, unsigned int seconds, unsigned int nanoseconds);
 /*%<
- * Set 't' to a particular number of seconds + nanoseconds since the epoch.
+ * Set 't' to a value which represents the given number of seconds and
+ * nanoseconds since 00:00:00 January 1, 1970, UTC.
  *
  * Notes:
- *\li	This call is equivalent to:
+ *\li	The Unix version of this call is equivalent to:
  *\code
  *	isc_time_settoepoch(t);
  *	isc_interval_set(i, seconds, nanoseconds);
  *	isc_time_add(t, i, t);
  *\endcode
+ *
  * Requires:
  *\li	't' is a valid pointer.
  *\li	nanoseconds < 1000000000.
@@ -110,7 +112,7 @@ isc_time_settoepoch(isc_time_t *t);
  * Set 't' to the time of the epoch.
  *
  * Notes:
- * \li	The date of the epoch is platform-dependent.
+ *\li	The date of the epoch is platform-dependent.
  *
  * Requires:
  *
@@ -199,7 +201,7 @@ isc_time_add(const isc_time_t *t, const isc_interval_t *i, isc_time_t *result);
  *\li	't', 'i', and 'result' are valid pointers.
  *
  * Returns:
- * \li	Success
+ *\li	Success
  *\li	Out of range
  * 		The interval added to the time is too large to
  *		be represented in the current definition of isc_time_t.
@@ -274,7 +276,7 @@ isc_time_nanoseconds(const isc_time_t *t);
  * Return the number of nanoseconds stored in a time structure.
  *
  * Notes:
- *\li	This is the number of nanoseconds in excess of the the number
+ *\li	This is the number of nanoseconds in excess of the number
  *	of seconds since the epoch; it will always be less than one
  *	full second.
  *
@@ -295,7 +297,35 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len);
  *
  *  Requires:
  *\li      'len' > 0
- *  \li    'buf' points to an array of at least len chars
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using a format like "Mon, 30 Aug 2000 04:06:47 GMT"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
+ *
+ */
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len);
+/*%<
+ * Format the time 't' into the buffer 'buf' of length 'len',
+ * using the ISO8601 format: "yyyy-mm-ddThh:mm:ssZ"
+ * If the text does not fit in the buffer, the result is indeterminate,
+ * but is always guaranteed to be null terminated.
+ *
+ *  Requires:
+ *\li      'len' > 0
+ *\li      'buf' points to an array of at least len chars
  *
  */
 
diff --git a/lib/isc/unix/interfaceiter.c b/lib/isc/unix/interfaceiter.c
index 72ecdd2..4cfc821 100644
--- a/lib/isc/unix/interfaceiter.c
+++ b/lib/isc/unix/interfaceiter.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: interfaceiter.c,v 1.35.18.5 2005/04/29 00:17:08 marka Exp $ */
+/* $Id: interfaceiter.c,v 1.44.120.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -145,6 +145,14 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
  * Include system-dependent code.
  */
 
+#ifdef __linux
+#define ISC_IF_INET6_SZ \
+    sizeof("00000000000000000000000000000001 01 80 10 80 XXXXXXloXXXXXXXX\n")
+static isc_result_t linux_if_inet6_next(isc_interfaceiter_t *);
+static isc_result_t linux_if_inet6_current(isc_interfaceiter_t *);
+static void linux_if_inet6_first(isc_interfaceiter_t *iter);
+#endif
+
 #if HAVE_GETIFADDRS
 #include "ifiter_getifaddrs.c"
 #elif HAVE_IFLIST_SYSCTL
@@ -153,6 +161,88 @@ get_addr(unsigned int family, isc_netaddr_t *dst, struct sockaddr *src,
 #include "ifiter_ioctl.c"
 #endif
 
+#ifdef __linux
+static void
+linux_if_inet6_first(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL) {
+		rewind(iter->proc);
+		(void)linux_if_inet6_next(iter);
+	} else
+		iter->valid = ISC_R_NOMORE;
+}
+
+static isc_result_t
+linux_if_inet6_next(isc_interfaceiter_t *iter) {
+	if (iter->proc != NULL &&
+	    fgets(iter->entry, sizeof(iter->entry), iter->proc) != NULL)
+		iter->valid = ISC_R_SUCCESS;
+	else
+		iter->valid = ISC_R_NOMORE;
+	return (iter->valid);
+}
+
+static isc_result_t
+linux_if_inet6_current(isc_interfaceiter_t *iter) {
+	char address[33];
+	char name[IF_NAMESIZE+1];
+	struct in6_addr addr6;
+	int ifindex, prefix, flag3, flag4;
+	int res;
+	unsigned int i;
+
+	if (iter->valid != ISC_R_SUCCESS)
+		return (iter->valid);
+	if (iter->proc == NULL) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:iter->proc == NULL");
+		return (ISC_R_FAILURE);
+	}
+
+	res = sscanf(iter->entry, "%32[a-f0-9] %x %x %x %x %16s\n",
+		     address, &ifindex, &prefix, &flag3, &flag4, name);
+	if (res != 6) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:sscanf() -> %d (expected 6)",
+			      res);
+		return (ISC_R_FAILURE);
+	}
+	if (strlen(address) != 32) {
+		isc_log_write(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+			      ISC_LOGMODULE_INTERFACE, ISC_LOG_ERROR,
+			      "/proc/net/if_inet6:strlen(%s) != 32", address);
+		return (ISC_R_FAILURE);
+	}
+	for (i = 0; i < 16; i++) {
+		unsigned char byte;
+		static const char hex[] = "0123456789abcdef";
+		byte = ((strchr(hex, address[i * 2]) - hex) << 4) |
+		       (strchr(hex, address[i * 2 + 1]) - hex);
+		addr6.s6_addr[i] = byte;
+	}
+	iter->current.af = AF_INET6;
+	iter->current.flags = INTERFACE_F_UP;
+	isc_netaddr_fromin6(&iter->current.address, &addr6);
+	if (isc_netaddr_islinklocal(&iter->current.address)) {
+		isc_netaddr_setzone(&iter->current.address,
+				    (isc_uint32_t)ifindex);
+	}
+	for (i = 0; i < 16; i++) {
+		if (prefix > 8) {
+			addr6.s6_addr[i] = 0xff;
+			prefix -= 8;
+		} else {
+			addr6.s6_addr[i] = (0xff << (8 - prefix)) & 0xff;
+			prefix = 0;
+		}
+	}
+	isc_netaddr_fromin6(&iter->current.netmask, &addr6);
+	strncpy(iter->current.name, name, sizeof(iter->current.name));
+	return (ISC_R_SUCCESS);
+}
+#endif
+
 /*
  * The remaining code is common to the sysctl and ioctl case.
  */
diff --git a/lib/isc/unix/ipv6.c b/lib/isc/unix/ipv6.c
index 3066e0c..61e984f 100644
--- a/lib/isc/unix/ipv6.c
+++ b/lib/isc/unix/ipv6.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.c,v 1.8.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: ipv6.c,v 1.14 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/keyboard.c b/lib/isc/unix/keyboard.c
index db56b3c..8ee62d3 100644
--- a/lib/isc/unix/keyboard.c
+++ b/lib/isc/unix/keyboard.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: keyboard.c,v 1.11 2004/03/05 05:11:46 marka Exp $ */
+/* $Id: keyboard.c,v 1.13 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/net.c b/lib/isc/unix/net.c
index 600ac92..b2fb30e 100644
--- a/lib/isc/unix/net.c
+++ b/lib/isc/unix/net.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.c,v 1.29.18.9 2008/07/04 05:52:05 each Exp $ */
+/* $Id: net.c,v 1.40 2008/07/04 05:52:31 each Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/os.c b/lib/isc/unix/os.c
index 6bbf059..c050d14 100644
--- a/lib/isc/unix/os.c
+++ b/lib/isc/unix/os.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: os.c,v 1.13.18.3 2005/10/14 02:13:08 marka Exp $ */
+/* $Id: os.c,v 1.18 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/resource.c b/lib/isc/unix/resource.c
index e9bc5fd..8bd8885 100644
--- a/lib/isc/unix/resource.c
+++ b/lib/isc/unix/resource.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resource.c,v 1.12.18.6 2008/08/05 07:17:05 marka Exp $ */
+/* $Id: resource.c,v 1.21.66.2 2009/02/13 23:47:39 tbox Exp $ */
 
 #include <config.h>
 
@@ -159,7 +159,11 @@ isc_resource_setlimit(isc_resource_t resource, isc_resourcevalue_t value) {
 		if (unixresult == 0)
 			return (ISC_R_SUCCESS);
 	}
-#elif defined(NR_OPEN) && defined(__linux__)
+#elif defined(__linux__)
+#ifndef NR_OPEN
+#define NR_OPEN (1024*1024)
+#endif
+
 	/*
 	 * Some Linux kernels don't accept RLIM_INFINIT; the maximum
 	 * possible value is the NR_OPEN defined in linux/fs.h.
diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
index 8b006e4..d09fe51 100644
--- a/lib/isc/unix/socket.c
+++ b/lib/isc/unix/socket.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket.c,v 1.237.18.56.2.1 2008/12/23 00:14:34 marka Exp $ */
+/* $Id: socket.c,v 1.308.12.8 2009/04/18 01:29:26 jinmei Exp $ */
 
 /*! \file */
 
@@ -50,10 +50,12 @@
 #include <isc/print.h>
 #include <isc/region.h>
 #include <isc/socket.h>
+#include <isc/stats.h>
 #include <isc/strerror.h>
 #include <isc/task.h>
 #include <isc/thread.h>
 #include <isc/util.h>
+#include <isc/xml.h>
 
 #ifdef ISC_PLATFORM_HAVESYSUNH
 #include <sys/un.h>
@@ -74,6 +76,10 @@
 #include "socket_p.h"
 #endif /* ISC_PLATFORM_USETHREADS */
 
+#if defined(SO_BSDCOMPAT) && defined(__linux__)
+#include <sys/utsname.h>
+#endif
+
 /*%
  * Choose the most preferable multiplex method.
  */
@@ -201,11 +207,6 @@ typedef enum { poll_idle, poll_active, poll_checking } pollstate_t;
 #define ISC_SOCKADDR_LEN_T unsigned int
 #endif
 
-
-#if defined(SO_BSDCOMPAT) && defined(__linux__)
-#include <sys/utsname.h>
-#endif
-
 /*%
  * Define what the possible "soft" errors can be.  These are non-fatal returns
  * of various network related functions, like recv() and so on.
@@ -268,7 +269,7 @@ typedef isc_event_t intev_t;
 #endif
 
 /*%
- * The size to raise the recieve buffer to (from BIND 8).
+ * The size to raise the receive buffer to (from BIND 8).
  */
 #define RCVBUFSIZE (32*1024)
 
@@ -283,12 +284,15 @@ struct isc_socket {
 	isc_socketmgr_t	       *manager;
 	isc_mutex_t		lock;
 	isc_sockettype_t	type;
+	const isc_statscounter_t	*statsindex;
 
 	/* Locked by socket lock. */
 	ISC_LINK(isc_socket_t)	link;
 	unsigned int		references;
 	int			fd;
 	int			pf;
+	char				name[16];
+	void *				tag;
 
 	ISC_LIST(isc_socketevent_t)		send_list;
 	ISC_LIST(isc_socketevent_t)		recv_list;
@@ -303,7 +307,7 @@ struct isc_socket {
 	intev_t			readable_ev;
 	intev_t			writable_ev;
 
-	isc_sockaddr_t		address;  /* remote address */
+	isc_sockaddr_t		peer_address;  /* remote address */
 
 	unsigned int		pending_recv : 1,
 				pending_send : 1,
@@ -321,6 +325,11 @@ struct isc_socket {
 	ISC_SOCKADDR_LEN_T	recvcmsgbuflen;
 	char			*sendcmsgbuf;
 	ISC_SOCKADDR_LEN_T	sendcmsgbuflen;
+
+	void			*fdwatcharg;
+	isc_sockfdwatch_t	fdwatchcb;
+	int			fdwatchflags;
+	isc_task_t		*fdwatchtask;
 };
 
 #define SOCKET_MANAGER_MAGIC	ISC_MAGIC('I', 'O', 'm', 'g')
@@ -332,6 +341,7 @@ struct isc_socketmgr {
 	isc_mem_t	       *mctx;
 	isc_mutex_t		lock;
 	isc_mutex_t		*fdlock;
+	isc_stats_t		*stats;
 #ifdef USE_KQUEUE
 	int			kqueue_fd;
 	int			nevents;
@@ -384,9 +394,9 @@ struct isc_socketmgr {
 static isc_socketmgr_t *socketmgr = NULL;
 #endif /* ISC_PLATFORM_USETHREADS */
 
-#define CLOSED		0	/* this one must be zero */
-#define MANAGED		1
-#define CLOSE_PENDING	2
+#define CLOSED			0	/* this one must be zero */
+#define MANAGED			1
+#define CLOSE_PENDING		2
 
 /*
  * send() and recv() iovec counts
@@ -408,6 +418,8 @@ static void internal_accept(isc_task_t *, isc_event_t *);
 static void internal_connect(isc_task_t *, isc_event_t *);
 static void internal_recv(isc_task_t *, isc_event_t *);
 static void internal_send(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_write(isc_task_t *, isc_event_t *);
+static void internal_fdwatch_read(isc_task_t *, isc_event_t *);
 static void process_cmsg(isc_socket_t *, struct msghdr *, isc_socketevent_t *);
 static void build_msghdr_send(isc_socket_t *, isc_socketevent_t *,
 			      struct msghdr *, struct iovec *, size_t *);
@@ -427,6 +439,94 @@ static isc_boolean_t process_ctlfd(isc_socketmgr_t *manager);
 
 #define SOCK_DEAD(s)			((s)->references == 0)
 
+/*%
+ * Shortcut index arrays to get access to statistics counters.
+ */
+enum {
+	STATID_OPEN = 0,
+	STATID_OPENFAIL = 1,
+	STATID_CLOSE = 2,
+	STATID_BINDFAIL = 3,
+	STATID_CONNECTFAIL = 4,
+	STATID_CONNECT = 5,
+	STATID_ACCEPTFAIL = 6,
+	STATID_ACCEPT = 7,
+	STATID_SENDFAIL = 8,
+	STATID_RECVFAIL = 9
+};
+static const isc_statscounter_t upd4statsindex[] = {
+	isc_sockstatscounter_udp4open,
+	isc_sockstatscounter_udp4openfail,
+	isc_sockstatscounter_udp4close,
+	isc_sockstatscounter_udp4bindfail,
+	isc_sockstatscounter_udp4connectfail,
+	isc_sockstatscounter_udp4connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp4sendfail,
+	isc_sockstatscounter_udp4recvfail
+};
+static const isc_statscounter_t upd6statsindex[] = {
+	isc_sockstatscounter_udp6open,
+	isc_sockstatscounter_udp6openfail,
+	isc_sockstatscounter_udp6close,
+	isc_sockstatscounter_udp6bindfail,
+	isc_sockstatscounter_udp6connectfail,
+	isc_sockstatscounter_udp6connect,
+	-1,
+	-1,
+	isc_sockstatscounter_udp6sendfail,
+	isc_sockstatscounter_udp6recvfail
+};
+static const isc_statscounter_t tcp4statsindex[] = {
+	isc_sockstatscounter_tcp4open,
+	isc_sockstatscounter_tcp4openfail,
+	isc_sockstatscounter_tcp4close,
+	isc_sockstatscounter_tcp4bindfail,
+	isc_sockstatscounter_tcp4connectfail,
+	isc_sockstatscounter_tcp4connect,
+	isc_sockstatscounter_tcp4acceptfail,
+	isc_sockstatscounter_tcp4accept,
+	isc_sockstatscounter_tcp4sendfail,
+	isc_sockstatscounter_tcp4recvfail
+};
+static const isc_statscounter_t tcp6statsindex[] = {
+	isc_sockstatscounter_tcp6open,
+	isc_sockstatscounter_tcp6openfail,
+	isc_sockstatscounter_tcp6close,
+	isc_sockstatscounter_tcp6bindfail,
+	isc_sockstatscounter_tcp6connectfail,
+	isc_sockstatscounter_tcp6connect,
+	isc_sockstatscounter_tcp6acceptfail,
+	isc_sockstatscounter_tcp6accept,
+	isc_sockstatscounter_tcp6sendfail,
+	isc_sockstatscounter_tcp6recvfail
+};
+static const isc_statscounter_t unixstatsindex[] = {
+	isc_sockstatscounter_unixopen,
+	isc_sockstatscounter_unixopenfail,
+	isc_sockstatscounter_unixclose,
+	isc_sockstatscounter_unixbindfail,
+	isc_sockstatscounter_unixconnectfail,
+	isc_sockstatscounter_unixconnect,
+	isc_sockstatscounter_unixacceptfail,
+	isc_sockstatscounter_unixaccept,
+	isc_sockstatscounter_unixsendfail,
+	isc_sockstatscounter_unixrecvfail
+};
+static const isc_statscounter_t fdwatchstatsindex[] = {
+	-1,
+	-1,
+	isc_sockstatscounter_fdwatchclose,
+	isc_sockstatscounter_fdwatchbindfail,
+	isc_sockstatscounter_fdwatchconnectfail,
+	isc_sockstatscounter_fdwatchconnect,
+	-1,
+	-1,
+	isc_sockstatscounter_fdwatchsendfail,
+	isc_sockstatscounter_fdwatchrecvfail
+};
+
 static void
 manager_log(isc_socketmgr_t *sockmgr,
 	    isc_logcategory_t *category, isc_logmodule_t *module, int level,
@@ -516,6 +616,17 @@ FIX_IPV6_RECVPKTINFO(isc_socket_t *sock)
 #define FIX_IPV6_RECVPKTINFO(sock) (void)0
 #endif
 
+/*%
+ * Increment socket-related statistics counters.
+ */
+static inline void
+inc_stats(isc_stats_t *stats, isc_statscounter_t counterid) {
+	REQUIRE(counterid != -1);
+
+	if (stats != NULL)
+		isc_stats_increment(stats, counterid);
+}
+
 static inline isc_result_t
 watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
 	isc_result_t result = ISC_R_SUCCESS;
@@ -695,6 +806,7 @@ wakeup_socket(isc_socketmgr_t *manager, int fd, int msg) {
 	LOCK(&manager->fdlock[lockid]);
 	if (manager->fdstate[fd] == CLOSE_PENDING) {
 		UNLOCK(&manager->fdlock[lockid]);
+
 		/*
 		 * We accept (and ignore) any error from unwatch_fd() as we are
 		 * closing the socket, hoping it doesn't leave dangling state in
@@ -1119,7 +1231,7 @@ build_msghdr_send(isc_socket_t *sock, isc_socketevent_t *dev,
 
 /*
  * Construct an iov array and attach it to the msghdr passed in.  This is
- * the RECV constructor, which will use the avialable region of the buffer
+ * the RECV constructor, which will use the available region of the buffer
  * (if using a buffer list) or will use the internal region (if a single
  * buffer I/O is requested).
  *
@@ -1169,7 +1281,7 @@ build_msghdr_recv(isc_socket_t *sock, isc_socketevent_t *dev,
 	} else { /* TCP */
 		msg->msg_name = NULL;
 		msg->msg_namelen = 0;
-		dev->address = sock->address;
+		dev->address = sock->peer_address;
 	}
 
 	buffer = ISC_LIST_HEAD(dev->bufferlist);
@@ -1258,10 +1370,10 @@ set_dev_address(isc_sockaddr_t *address, isc_socket_t *sock,
 		if (address != NULL)
 			dev->address = *address;
 		else
-			dev->address = sock->address;
+			dev->address = sock->peer_address;
 	} else if (sock->type == isc_sockettype_tcp) {
 		INSIST(address == NULL);
-		dev->address = sock->address;
+		dev->address = sock->peer_address;
 	}
 }
 
@@ -1368,6 +1480,8 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 	if (recv_errno == _system) { \
 		if (sock->connected) { \
 			dev->result = _isc; \
+			inc_stats(sock->manager->stats, \
+				  sock->statsindex[STATID_RECVFAIL]); \
 			return (DOIO_HARD); \
 		} \
 		return (DOIO_SOFT); \
@@ -1375,6 +1489,8 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 #define ALWAYS_HARD(_system, _isc) \
 	if (recv_errno == _system) { \
 		dev->result = _isc; \
+		inc_stats(sock->manager->stats, \
+			  sock->statsindex[STATID_RECVFAIL]); \
 		return (DOIO_HARD); \
 	}
 
@@ -1398,6 +1514,8 @@ doio_recv(isc_socket_t *sock, isc_socketevent_t *dev) {
 #undef ALWAYS_HARD
 
 		dev->result = isc__errno2result(recv_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_RECVFAIL]);
 		return (DOIO_HARD);
 	}
 
@@ -1526,6 +1644,8 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
 	if (send_errno == _system) { \
 		if (sock->connected) { \
 			dev->result = _isc; \
+			inc_stats(sock->manager->stats, \
+				  sock->statsindex[STATID_SENDFAIL]); \
 			return (DOIO_HARD); \
 		} \
 		return (DOIO_SOFT); \
@@ -1533,6 +1653,8 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
 #define ALWAYS_HARD(_system, _isc) \
 	if (send_errno == _system) { \
 		dev->result = _isc; \
+		inc_stats(sock->manager->stats, \
+			  sock->statsindex[STATID_SENDFAIL]); \
 		return (DOIO_HARD); \
 	}
 
@@ -1567,14 +1689,19 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "internal_send: %s: %s",
 				 addrbuf, strbuf);
 		dev->result = isc__errno2result(send_errno);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
 		return (DOIO_HARD);
 	}
 
-	if (cc == 0)
+	if (cc == 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_SENDFAIL]);
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
-				 "internal_send: send() %s 0",
+				 "doio_send: send() %s 0",
 				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 						ISC_MSG_RETURNED, "returned"));
+	}
 
 	/*
 	 * If we write less than we expected, update counters, poke.
@@ -1598,20 +1725,37 @@ doio_send(isc_socket_t *sock, isc_socketevent_t *dev) {
  * references exist.
  */
 static void
-closesocket(isc_socketmgr_t *manager, isc_sockettype_t type, int fd) {
+closesocket(isc_socketmgr_t *manager, isc_socket_t *sock, int fd) {
+	isc_sockettype_t type = sock->type;
 	int lockid = FDLOCK_ID(fd);
 
-	UNUSED(type);
-
 	/*
 	 * No one has this socket open, so the watcher doesn't have to be
 	 * poked, and the socket doesn't have to be locked.
 	 */
 	LOCK(&manager->fdlock[lockid]);
 	manager->fds[fd] = NULL;
-	manager->fdstate[fd] = CLOSE_PENDING;
+	if (type == isc_sockettype_fdwatch)
+		manager->fdstate[fd] = CLOSED;
+	else
+		manager->fdstate[fd] = CLOSE_PENDING;
 	UNLOCK(&manager->fdlock[lockid]);
-	select_poke(manager, fd, SELECT_POKE_CLOSE);
+	if (type == isc_sockettype_fdwatch) {
+		/*
+		 * The caller may close the socket once this function returns,
+		 * and `fd' may be reassigned for a new socket.  So we do
+		 * unwatch_fd() here, rather than defer it via select_poke().
+		 * Note: this may complicate data protection among threads and
+		 * may reduce performance due to additional locks.  One way to
+		 * solve this would be to dup() the watched descriptor, but we
+		 * take a simpler approach at this moment.
+		 */
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+	} else
+		select_poke(manager, fd, SELECT_POKE_CLOSE);
+
+	inc_stats(manager->stats, sock->statsindex[STATID_CLOSE]);
 
 	/*
 	 * update manager->maxfd here (XXX: this should be implemented more
@@ -1661,7 +1805,7 @@ destroy(isc_socket_t **sockp) {
 	if (sock->fd >= 0) {
 		fd = sock->fd;
 		sock->fd = -1;
-		closesocket(manager, sock->type, fd);
+		closesocket(manager, sock, fd);
 	}
 
 	LOCK(&manager->lock);
@@ -1699,6 +1843,7 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 	sock->manager = manager;
 	sock->type = type;
 	sock->fd = -1;
+	sock->statsindex = NULL;
 
 	ISC_LINK_INIT(sock, link);
 
@@ -1733,6 +1878,9 @@ allocate_socket(isc_socketmgr_t *manager, isc_sockettype_t type,
 			goto error;
 	}
 
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
+
 	/*
 	 * set up list of readers and writers to be initially empty
 	 */
@@ -1884,6 +2032,12 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
 	case isc_sockettype_unix:
 		sock->fd = socket(sock->pf, SOCK_STREAM, 0);
 		break;
+	case isc_sockettype_fdwatch:
+		/*
+		 * We should not be called for isc_sockettype_fdwatch sockets.
+		 */
+		INSIST(0);
+		break;
 	}
 	if (sock->fd == -1 && errno == EINTR && tries++ < 42)
 		goto again;
@@ -1927,6 +2081,13 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
 		switch (errno) {
 		case EMFILE:
 		case ENFILE:
+			isc__strerror(errno, strbuf, sizeof(strbuf));
+			isc_log_iwrite(isc_lctx, ISC_LOGCATEGORY_GENERAL,
+				       ISC_LOGMODULE_SOCKET, ISC_LOG_ERROR,
+				       isc_msgcat, ISC_MSGSET_SOCKET,
+				       ISC_MSG_TOOMANYFDS,
+				       "%s: %s", err, strbuf);
+			/* fallthrough */
 		case ENOBUFS:
 			return (ISC_R_NORESOURCES);
 
@@ -2108,6 +2269,8 @@ opensocket(isc_socketmgr_t *manager, isc_socket_t *sock) {
 	}
 #endif /* defined(USE_CMSG) || defined(SO_RCVBUF) */
 
+	inc_stats(manager->stats, sock->statsindex[STATID_OPEN]);
+
 	return (ISC_R_SUCCESS);
 }
 
@@ -2127,14 +2290,32 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 
 	REQUIRE(VALID_MANAGER(manager));
 	REQUIRE(socketp != NULL && *socketp == NULL);
+	REQUIRE(type != isc_sockettype_fdwatch);
 
 	result = allocate_socket(manager, type, &sock);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 
+	switch (sock->type) {
+	case isc_sockettype_udp:
+		sock->statsindex =
+			(pf == AF_INET) ? upd4statsindex : upd6statsindex;
+		break;
+	case isc_sockettype_tcp:
+		sock->statsindex =
+			(pf == AF_INET) ? tcp4statsindex : tcp6statsindex;
+		break;
+	case isc_sockettype_unix:
+		sock->statsindex = unixstatsindex;
+		break;
+	default:
+		INSIST(0);
+	}
+
 	sock->pf = pf;
 	result = opensocket(manager, sock);
 	if (result != ISC_R_SUCCESS) {
+		inc_stats(manager->stats, sock->statsindex[STATID_OPENFAIL]);
 		free_socket(&sock);
 		return (result);
 	}
@@ -2179,6 +2360,7 @@ isc_socket_open(isc_socket_t *sock) {
 
 	LOCK(&sock->lock);
 	REQUIRE(sock->references == 1);
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
 	UNLOCK(&sock->lock);
 	/*
 	 * We don't need to retain the lock hereafter, since no one else has
@@ -2214,6 +2396,68 @@ isc_socket_open(isc_socket_t *sock) {
 }
 
 /*
+ * Create a new 'type' socket managed by 'manager'.  Events
+ * will be posted to 'task' and when dispatched 'action' will be
+ * called with 'arg' as the arg value.  The new socket is returned
+ * in 'socketp'.
+ */
+isc_result_t
+isc_socket_fdwatchcreate(isc_socketmgr_t *manager, int fd, int flags,
+			 isc_sockfdwatch_t callback, void *cbarg,
+			 isc_task_t *task, isc_socket_t **socketp)
+{
+	isc_socket_t *sock = NULL;
+	isc_result_t result;
+	int lockid;
+
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(socketp != NULL && *socketp == NULL);
+
+	result = allocate_socket(manager, isc_sockettype_fdwatch, &sock);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+
+	sock->fd = fd;
+	sock->fdwatcharg = cbarg;
+	sock->fdwatchcb = callback;
+	sock->fdwatchflags = flags;
+	sock->fdwatchtask = task;
+	sock->statsindex = fdwatchstatsindex;
+
+	sock->references = 1;
+	*socketp = sock;
+
+	/*
+	 * Note we don't have to lock the socket like we normally would because
+	 * there are no external references to it yet.
+	 */
+
+	lockid = FDLOCK_ID(sock->fd);
+	LOCK(&manager->fdlock[lockid]);
+	manager->fds[sock->fd] = sock;
+	manager->fdstate[sock->fd] = MANAGED;
+	UNLOCK(&manager->fdlock[lockid]);
+
+	LOCK(&manager->lock);
+	ISC_LIST_APPEND(manager->socklist, sock, link);
+#ifdef USE_SELECT
+	if (manager->maxfd < sock->fd)
+		manager->maxfd = sock->fd;
+#endif
+	UNLOCK(&manager->lock);
+
+	if (flags & ISC_SOCKFDWATCH_READ)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+	if (flags & ISC_SOCKFDWATCH_WRITE)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+	socket_log(sock, NULL, CREATION, isc_msgcat, ISC_MSGSET_SOCKET,
+		   ISC_MSG_CREATED, "fdwatch-created");
+
+	return (ISC_R_SUCCESS);
+}
+
+/*
  * Attach to a socket.  Caller must explicitly detach when it is done.
  */
 void
@@ -2257,17 +2501,15 @@ isc_socket_detach(isc_socket_t **socketp) {
 isc_result_t
 isc_socket_close(isc_socket_t *sock) {
 	int fd;
+	isc_socketmgr_t *manager;
+	isc_sockettype_t type;
 
 	REQUIRE(VALID_SOCKET(sock));
 
 	LOCK(&sock->lock);
-	REQUIRE(sock->references == 1);
-	UNLOCK(&sock->lock);
-	/*
-	 * We don't need to retain the lock hereafter, since no one else has
-	 * this socket.
-	 */
 
+	REQUIRE(sock->references == 1);
+	REQUIRE(sock->type != isc_sockettype_fdwatch);
 	REQUIRE(sock->fd >= 0 && sock->fd < (int)sock->manager->maxsocks);
 
 	INSIST(!sock->connecting);
@@ -2279,15 +2521,21 @@ isc_socket_close(isc_socket_t *sock) {
 	INSIST(ISC_LIST_EMPTY(sock->accept_list));
 	INSIST(sock->connect_ev == NULL);
 
+	manager = sock->manager;
+	type = sock->type;
 	fd = sock->fd;
 	sock->fd = -1;
+	memset(sock->name, 0, sizeof(sock->name));
+	sock->tag = NULL;
 	sock->listener = 0;
 	sock->connected = 0;
 	sock->connecting = 0;
 	sock->bound = 0;
-	isc_sockaddr_any(&sock->address);
+	isc_sockaddr_any(&sock->peer_address);
+
+	UNLOCK(&sock->lock);
 
-	closesocket(sock->manager, sock->type, fd);
+	closesocket(manager, sock, fd);
 
 	return (ISC_R_SUCCESS);
 }
@@ -2304,50 +2552,68 @@ static void
 dispatch_recv(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
+	isc_task_t *sender;
 
 	INSIST(!sock->pending_recv);
 
-	ev = ISC_LIST_HEAD(sock->recv_list);
-	if (ev == NULL)
-		return;
+	if (sock->type != isc_sockettype_fdwatch) {
+		ev = ISC_LIST_HEAD(sock->recv_list);
+		if (ev == NULL)
+			return;
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "dispatch_recv:  event %p -> task %p",
+			   ev, ev->ev_sender);
+		sender = ev->ev_sender;
+	} else {
+		sender = sock->fdwatchtask;
+	}
 
 	sock->pending_recv = 1;
 	iev = &sock->readable_ev;
 
-	socket_log(sock, NULL, EVENT, NULL, 0, 0,
-		   "dispatch_recv:  event %p -> task %p", ev, ev->ev_sender);
-
 	sock->references++;
 	iev->ev_sender = sock;
-	iev->ev_action = internal_recv;
+	if (sock->type == isc_sockettype_fdwatch)
+		iev->ev_action = internal_fdwatch_read;
+	else
+		iev->ev_action = internal_recv;
 	iev->ev_arg = sock;
 
-	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+	isc_task_send(sender, (isc_event_t **)&iev);
 }
 
 static void
 dispatch_send(isc_socket_t *sock) {
 	intev_t *iev;
 	isc_socketevent_t *ev;
+	isc_task_t *sender;
 
 	INSIST(!sock->pending_send);
 
-	ev = ISC_LIST_HEAD(sock->send_list);
-	if (ev == NULL)
-		return;
+	if (sock->type != isc_sockettype_fdwatch) {
+		ev = ISC_LIST_HEAD(sock->send_list);
+		if (ev == NULL)
+			return;
+		socket_log(sock, NULL, EVENT, NULL, 0, 0,
+			   "dispatch_send:  event %p -> task %p",
+			   ev, ev->ev_sender);
+		sender = ev->ev_sender;
+	} else {
+		sender = sock->fdwatchtask;
+	}
 
 	sock->pending_send = 1;
 	iev = &sock->writable_ev;
 
-	socket_log(sock, NULL, EVENT, NULL, 0, 0,
-		   "dispatch_send:  event %p -> task %p", ev, ev->ev_sender);
-
 	sock->references++;
 	iev->ev_sender = sock;
-	iev->ev_action = internal_send;
+	if (sock->type == isc_sockettype_fdwatch)
+		iev->ev_action = internal_fdwatch_write;
+	else
+		iev->ev_action = internal_send;
 	iev->ev_arg = sock;
 
-	isc_task_send(ev->ev_sender, (isc_event_t **)&iev);
+	isc_task_send(sender, (isc_event_t **)&iev);
 }
 
 /*
@@ -2517,12 +2783,12 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	 * a documented error for accept().  ECONNABORTED has been
 	 * reported for Solaris 8.  The rest are thrown in not because
 	 * we have seen them but because they are ignored by other
-	 * deamons such as BIND 8 and Apache.
+	 * daemons such as BIND 8 and Apache.
 	 */
 
-	addrlen = sizeof(dev->newsocket->address.type);
-	memset(&dev->newsocket->address.type, 0, addrlen);
-	fd = accept(sock->fd, &dev->newsocket->address.type.sa,
+	addrlen = sizeof(dev->newsocket->peer_address.type);
+	memset(&dev->newsocket->peer_address.type, 0, addrlen);
+	fd = accept(sock->fd, &dev->newsocket->peer_address.type.sa,
 		    (void *)&addrlen);
 
 #ifdef F_DUPFD
@@ -2592,14 +2858,14 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 
 			(void)close(fd);
 			goto soft_error;
-		} else if (dev->newsocket->address.type.sa.sa_family !=
+		} else if (dev->newsocket->peer_address.type.sa.sa_family !=
 			   sock->pf)
 		{
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
 					 "internal_accept(): "
 					 "accept() returned peer address "
 					 "family %u (expected %u)",
-					 dev->newsocket->address.
+					 dev->newsocket->peer_address.
 					 type.sa.sa_family,
 					 sock->pf);
 			(void)close(fd);
@@ -2618,7 +2884,7 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 	}
 
 	if (fd != -1) {
-		dev->newsocket->address.length = addrlen;
+		dev->newsocket->peer_address.length = addrlen;
 		dev->newsocket->pf = sock->pf;
 	}
 
@@ -2662,20 +2928,23 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
 		/*
 		 * Save away the remote address
 		 */
-		dev->address = dev->newsocket->address;
+		dev->address = dev->newsocket->peer_address;
 
 #ifdef USE_SELECT
 		if (manager->maxfd < fd)
 			manager->maxfd = fd;
 #endif
 
-		socket_log(sock, &dev->newsocket->address, CREATION,
+		socket_log(sock, &dev->newsocket->peer_address, CREATION,
 			   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_ACCEPTEDCXN,
 			   "accepted connection, new socket %p",
 			   dev->newsocket);
 
 		UNLOCK(&manager->lock);
+
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPT]);
 	} else {
+		inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
 		dev->newsocket->references--;
 		free_socket(&dev->newsocket);
 	}
@@ -2693,6 +2962,8 @@ internal_accept(isc_task_t *me, isc_event_t *ev) {
  soft_error:
 	select_poke(sock->manager, sock->fd, SELECT_POKE_ACCEPT);
 	UNLOCK(&sock->lock);
+
+	inc_stats(manager->stats, sock->statsindex[STATID_ACCEPTFAIL]);
 	return;
 }
 
@@ -2816,6 +3087,86 @@ internal_send(isc_task_t *me, isc_event_t *ev) {
 	UNLOCK(&sock->lock);
 }
 
+static void
+internal_fdwatch_write(isc_task_t *me, isc_event_t *ev) {
+	isc_socket_t *sock;
+	int more_data;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTW);
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	sock = (isc_socket_t *)ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALSEND,
+		   "internal_fdwatch_write: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_send == 1);
+
+	UNLOCK(&sock->lock);
+	more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+	LOCK(&sock->lock);
+
+	sock->pending_send = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	if (more_data)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_WRITE);
+
+	UNLOCK(&sock->lock);
+}
+
+static void
+internal_fdwatch_read(isc_task_t *me, isc_event_t *ev) {
+	isc_socket_t *sock;
+	int more_data;
+
+	INSIST(ev->ev_type == ISC_SOCKEVENT_INTR);
+
+	/*
+	 * Find out what socket this is and lock it.
+	 */
+	sock = (isc_socket_t *)ev->ev_sender;
+	INSIST(VALID_SOCKET(sock));
+
+	LOCK(&sock->lock);
+	socket_log(sock, NULL, IOEVENT,
+		   isc_msgcat, ISC_MSGSET_SOCKET, ISC_MSG_INTERNALRECV,
+		   "internal_fdwatch_read: task %p got event %p", me, ev);
+
+	INSIST(sock->pending_recv == 1);
+
+	UNLOCK(&sock->lock);
+	more_data = (sock->fdwatchcb)(me, sock, sock->fdwatcharg);
+	LOCK(&sock->lock);
+
+	sock->pending_recv = 0;
+
+	INSIST(sock->references > 0);
+	sock->references--;  /* the internal event is done with this socket */
+	if (sock->references == 0) {
+		UNLOCK(&sock->lock);
+		destroy(&sock);
+		return;
+	}
+
+	if (more_data)
+		select_poke(sock->manager, sock->fd, SELECT_POKE_READ);
+
+	UNLOCK(&sock->lock);
+}
+
 /*
  * Process read/writes on each fd here.  Avoid locking
  * and unlocking twice if both reads and writes are possible.
@@ -2826,6 +3177,7 @@ process_fd(isc_socketmgr_t *manager, int fd, isc_boolean_t readable,
 {
 	isc_socket_t *sock;
 	isc_boolean_t unlock_sock;
+	isc_boolean_t unwatch_read = ISC_FALSE, unwatch_write = ISC_FALSE;
 	int lockid = FDLOCK_ID(fd);
 
 	/*
@@ -2841,11 +3193,10 @@ process_fd(isc_socketmgr_t *manager, int fd, isc_boolean_t readable,
 	}
 
 	sock = manager->fds[fd];
-	UNLOCK(&manager->fdlock[lockid]);
 	unlock_sock = ISC_FALSE;
 	if (readable) {
 		if (sock == NULL) {
-			(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+			unwatch_read = ISC_TRUE;
 			goto check_write;
 		}
 		unlock_sock = ISC_TRUE;
@@ -2856,13 +3207,13 @@ process_fd(isc_socketmgr_t *manager, int fd, isc_boolean_t readable,
 			else
 				dispatch_recv(sock);
 		}
-		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+		unwatch_read = ISC_TRUE;
 	}
 check_write:
 	if (writeable) {
 		if (sock == NULL) {
-			(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
-			return;
+			unwatch_write = ISC_TRUE;
+			goto unlock_fd;
 		}
 		if (!unlock_sock) {
 			unlock_sock = ISC_TRUE;
@@ -2874,10 +3225,18 @@ check_write:
 			else
 				dispatch_send(sock);
 		}
-		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+		unwatch_write = ISC_TRUE;
 	}
 	if (unlock_sock)
 		UNLOCK(&sock->lock);
+
+ unlock_fd:
+	UNLOCK(&manager->fdlock[lockid]);
+	if (unwatch_read)
+		(void)unwatch_fd(manager, fd, SELECT_POKE_READ);
+	if (unwatch_write)
+		(void)unwatch_fd(manager, fd, SELECT_POKE_WRITE);
+
 }
 
 #ifdef USE_KQUEUE
@@ -3184,7 +3543,7 @@ watcher(void *uap) {
 #endif
 	}
 
-	manager_log(manager, TRACE,
+	manager_log(manager, TRACE, "%s",
 		    isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				   ISC_MSG_EXITING, "watcher exiting"));
 
@@ -3207,6 +3566,9 @@ isc__socketmgr_setreserved(isc_socketmgr_t *manager, isc_uint32_t reserved) {
 static isc_result_t
 setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 	isc_result_t result;
+#if defined(USE_KQUEUE) || defined(USE_EPOLL) || defined(USE_DEVPOLL)
+	char strbuf[ISC_STRERRORSIZE];
+#endif
 
 #ifdef USE_KQUEUE
 	manager->nevents = ISC_SOCKET_MAXEVENTS;
@@ -3217,6 +3579,12 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 	manager->kqueue_fd = kqueue();
 	if (manager->kqueue_fd == -1) {
 		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "kqueue %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
 		isc_mem_put(mctx, manager->events,
 			    sizeof(struct kevent) * manager->nevents);
 		return (result);
@@ -3240,6 +3608,12 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 	manager->epoll_fd = epoll_create(manager->nevents);
 	if (manager->epoll_fd == -1) {
 		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "epoll_create %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
 		isc_mem_put(mctx, manager->events,
 			    sizeof(struct epoll_event) * manager->nevents);
 		return (result);
@@ -3278,6 +3652,12 @@ setup_watcher(isc_mem_t *mctx, isc_socketmgr_t *manager) {
 	manager->devpoll_fd = open("/dev/poll", O_RDWR);
 	if (manager->devpoll_fd == -1) {
 		result = isc__errno2result(errno);
+		isc__strerror(errno, strbuf, sizeof(strbuf));
+		UNEXPECTED_ERROR(__FILE__, __LINE__,
+				 "open(/dev/poll) %s: %s",
+				 isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
+						ISC_MSG_FAILED, "failed"),
+				 strbuf);
 		isc_mem_put(mctx, manager->events,
 			    sizeof(struct pollfd) * manager->nevents);
 		isc_mem_put(mctx, manager->fdpollinfo,
@@ -3441,10 +3821,11 @@ isc_socketmgr_create2(isc_mem_t *mctx, isc_socketmgr_t **managerp,
 		goto free_manager;
 	}
 	manager->fdstate = isc_mem_get(mctx, manager->maxsocks * sizeof(int));
-	if (manager->fds == NULL) {
+	if (manager->fdstate == NULL) {
 		result = ISC_R_NOMEMORY;
 		goto free_manager;
 	}
+	manager->stats = NULL;
 
 	manager->magic = SOCKET_MANAGER_MAGIC;
 	manager->mctx = NULL;
@@ -3582,6 +3963,16 @@ isc_socketmgr_getmaxsockets(isc_socketmgr_t *manager, unsigned int *nsockp) {
 }
 
 void
+isc_socketmgr_setstats(isc_socketmgr_t *manager, isc_stats_t *stats) {
+	REQUIRE(VALID_MANAGER(manager));
+	REQUIRE(ISC_LIST_EMPTY(manager->socklist));
+	REQUIRE(manager->stats == NULL);
+	REQUIRE(isc_stats_ncounters(stats) == isc_sockstatscounter_max);
+
+	isc_stats_attach(stats, &manager->stats);
+}
+
+void
 isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	isc_socketmgr_t *manager;
 	int i;
@@ -3610,7 +4001,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	 * Wait for all sockets to be destroyed.
 	 */
 	while (!ISC_LIST_EMPTY(manager->socklist)) {
-		manager_log(manager, CREATION,
+		manager_log(manager, CREATION, "%s",
 			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
 					   ISC_MSG_SOCKETSREMAIN,
 					   "sockets exist"));
@@ -3621,7 +4012,7 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	 * Hope all sockets have been destroyed.
 	 */
 	if (!ISC_LIST_EMPTY(manager->socklist)) {
-		manager_log(manager, CREATION,
+		manager_log(manager, CREATION, "%s",
 			    isc_msgcat_get(isc_msgcat, ISC_MSGSET_SOCKET,
 					   ISC_MSG_SOCKETSREMAIN,
 					   "sockets exist"));
@@ -3669,6 +4060,9 @@ isc_socketmgr_destroy(isc_socketmgr_t **managerp) {
 	isc_mem_put(manager->mctx, manager->fdstate,
 		    manager->maxsocks * sizeof(int));
 
+	if (manager->stats != NULL)
+		isc_stats_detach(&manager->stats);
+
 	if (manager->fdlock != NULL) {
 		for (i = 0; i < FDLOCK_COUNT; i++)
 			DESTROYLOCK(&manager->fdlock[i]);
@@ -4279,6 +4673,9 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr,
  bind_socket:
 #endif
 	if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_BINDFAIL]);
+
 		UNLOCK(&sock->lock);
 		switch (errno) {
 		case EACCES:
@@ -4423,6 +4820,7 @@ isc_socket_accept(isc_socket_t *sock,
 	 */
 	isc_task_attach(task, &ntask);
 	nsock->references++;
+	nsock->statsindex = sock->statsindex;
 
 	dev->ev_sender = ntask;
 	dev->newsocket = nsock;
@@ -4484,7 +4882,7 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 	 * Try to do the connect right away, as there can be only one
 	 * outstanding, and it might happen to complete.
 	 */
-	sock->address = *addr;
+	sock->peer_address = *addr;
 	cc = connect(sock->fd, &addr->type.sa, addr->length);
 	if (cc < 0) {
 		/*
@@ -4524,6 +4922,8 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		UNEXPECTED_ERROR(__FILE__, __LINE__, "%d/%s", errno, strbuf);
 
 		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
 		isc_event_free(ISC_EVENT_PTR(&dev));
 		return (ISC_R_UNEXPECTED);
 
@@ -4532,6 +4932,8 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		isc_task_send(task, ISC_EVENT_PTR(&dev));
 
 		UNLOCK(&sock->lock);
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
 		return (ISC_R_SUCCESS);
 	}
 
@@ -4546,6 +4948,10 @@ isc_socket_connect(isc_socket_t *sock, isc_sockaddr_t *addr,
 		isc_task_send(task, ISC_EVENT_PTR(&dev));
 
 		UNLOCK(&sock->lock);
+
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
+
 		return (ISC_R_SUCCESS);
 	}
 
@@ -4644,6 +5050,9 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 			return;
 		}
 
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECTFAIL]);
+
 		/*
 		 * Translate other errors into ISC_R_* flavors.
 		 */
@@ -4666,7 +5075,7 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 #undef ERROR_MATCH
 		default:
 			dev->result = ISC_R_UNEXPECTED;
-			isc_sockaddr_format(&sock->address, peerbuf,
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
 					    sizeof(peerbuf));
 			isc__strerror(errno, strbuf, sizeof(strbuf));
 			UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -4674,6 +5083,8 @@ internal_connect(isc_task_t *me, isc_event_t *ev) {
 					 peerbuf, strbuf);
 		}
 	} else {
+		inc_stats(sock->manager->stats,
+			  sock->statsindex[STATID_CONNECT]);
 		dev->result = ISC_R_SUCCESS;
 		sock->connected = 1;
 		sock->bound = 1;
@@ -4698,7 +5109,7 @@ isc_socket_getpeername(isc_socket_t *sock, isc_sockaddr_t *addressp) {
 	LOCK(&sock->lock);
 
 	if (sock->connected) {
-		*addressp = sock->address;
+		*addressp = sock->peer_address;
 		result = ISC_R_SUCCESS;
 	} else {
 		result = ISC_R_NOTCONNECTED;
@@ -5002,3 +5413,138 @@ isc__socketmgr_dispatch(isc_socketwait_t *swait) {
 #endif
 }
 #endif /* ISC_PLATFORM_USETHREADS */
+
+void
+isc_socket_setname(isc_socket_t *socket, const char *name, void *tag) {
+
+	/*
+	 * Name 'socket'.
+	 */
+
+	REQUIRE(VALID_SOCKET(socket));
+
+	LOCK(&socket->lock);
+	memset(socket->name, 0, sizeof(socket->name));
+	strncpy(socket->name, name, sizeof(socket->name) - 1);
+	socket->tag = tag;
+	UNLOCK(&socket->lock);
+}
+
+const char *
+isc_socket_getname(isc_socket_t *socket) {
+	return (socket->name);
+}
+
+void *
+isc_socket_gettag(isc_socket_t *socket) {
+	return (socket->tag);
+}
+
+#ifdef HAVE_LIBXML2
+
+static const char *
+_socktype(isc_sockettype_t type)
+{
+	if (type == isc_sockettype_udp)
+		return ("udp");
+	else if (type == isc_sockettype_tcp)
+		return ("tcp");
+	else if (type == isc_sockettype_unix)
+		return ("unix");
+	else if (type == isc_sockettype_fdwatch)
+		return ("fdwatch");
+	else
+		return ("not-initialized");
+}
+
+void
+isc_socketmgr_renderxml(isc_socketmgr_t *mgr, xmlTextWriterPtr writer)
+{
+	isc_socket_t *sock;
+	char peerbuf[ISC_SOCKADDR_FORMATSIZE];
+	isc_sockaddr_t addr;
+	ISC_SOCKADDR_LEN_T len;
+
+	LOCK(&mgr->lock);
+
+#ifndef ISC_PLATFORM_USETHREADS
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+	xmlTextWriterWriteFormatString(writer, "%d", mgr->refs);
+	xmlTextWriterEndElement(writer);
+#endif
+
+	xmlTextWriterStartElement(writer, ISC_XMLCHAR "sockets");
+	sock = ISC_LIST_HEAD(mgr->socklist);
+	while (sock != NULL) {
+		LOCK(&sock->lock);
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "socket");
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "id");
+		xmlTextWriterWriteFormatString(writer, "%p", sock);
+		xmlTextWriterEndElement(writer);
+
+		if (sock->name[0] != 0) {
+			xmlTextWriterStartElement(writer, ISC_XMLCHAR "name");
+			xmlTextWriterWriteFormatString(writer, "%s",
+						       sock->name);
+			xmlTextWriterEndElement(writer); /* name */
+		}
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "references");
+		xmlTextWriterWriteFormatString(writer, "%d", sock->references);
+		xmlTextWriterEndElement(writer);
+
+		xmlTextWriterWriteElement(writer, ISC_XMLCHAR "type",
+					  ISC_XMLCHAR _socktype(sock->type));
+
+		if (sock->connected) {
+			isc_sockaddr_format(&sock->peer_address, peerbuf,
+					    sizeof(peerbuf));
+			xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "peer-address",
+						  ISC_XMLCHAR peerbuf);
+		}
+
+		len = sizeof(addr);
+		if (getsockname(sock->fd, &addr.type.sa, (void *)&len) == 0) {
+			isc_sockaddr_format(&addr, peerbuf, sizeof(peerbuf));
+			xmlTextWriterWriteElement(writer,
+						  ISC_XMLCHAR "local-address",
+						  ISC_XMLCHAR peerbuf);
+		}
+
+		xmlTextWriterStartElement(writer, ISC_XMLCHAR "states");
+		if (sock->pending_recv)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						ISC_XMLCHAR "pending-receive");
+		if (sock->pending_send)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "pending-send");
+		if (sock->pending_accept)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						 ISC_XMLCHAR "pending_accept");
+		if (sock->listener)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "listener");
+		if (sock->connected)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "connected");
+		if (sock->connecting)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "connecting");
+		if (sock->bound)
+			xmlTextWriterWriteElement(writer, ISC_XMLCHAR "state",
+						  ISC_XMLCHAR "bound");
+
+		xmlTextWriterEndElement(writer); /* states */
+
+		xmlTextWriterEndElement(writer); /* socket */
+
+		UNLOCK(&sock->lock);
+		sock = ISC_LIST_NEXT(sock, link);
+	}
+	xmlTextWriterEndElement(writer); /* sockets */
+
+	UNLOCK(&mgr->lock);
+}
+#endif /* HAVE_LIBXML2 */
diff --git a/lib/isc/unix/socket_p.h b/lib/isc/unix/socket_p.h
index b7da860..fc044e5 100644
--- a/lib/isc/unix/socket_p.h
+++ b/lib/isc/unix/socket_p.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: socket_p.h,v 1.7.18.4 2008/06/24 23:45:55 tbox Exp $ */
+/* $Id: socket_p.h,v 1.13 2008/06/23 23:47:11 tbox Exp $ */
 
 #ifndef ISC_SOCKET_P_H
 #define ISC_SOCKET_P_H
diff --git a/lib/isc/unix/stdio.c b/lib/isc/unix/stdio.c
index 64db925..4e294db 100644
--- a/lib/isc/unix/stdio.c
+++ b/lib/isc/unix/stdio.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdio.c,v 1.6 2004/03/05 05:11:47 marka Exp $ */
+/* $Id: stdio.c,v 1.8 2007/06/19 23:47:18 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/isc/unix/stdtime.c b/lib/isc/unix/stdtime.c
index 3f240b7..c5d0c47 100644
--- a/lib/isc/unix/stdtime.c
+++ b/lib/isc/unix/stdtime.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdtime.c,v 1.14.18.3 2005/06/08 02:07:57 marka Exp $ */
+/* $Id: stdtime.c,v 1.19 2007/06/19 23:47:18 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/strerror.c b/lib/isc/unix/strerror.c
index 18cc367..349c8bd 100644
--- a/lib/isc/unix/strerror.c
+++ b/lib/isc/unix/strerror.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: strerror.c,v 1.4.18.2 2005/04/29 00:17:08 marka Exp $ */
+/* $Id: strerror.c,v 1.8.332.2 2009/02/16 23:47:15 tbox Exp $ */
 
 /*! \file */
 
@@ -47,7 +47,7 @@ void
 isc__strerror(int num, char *buf, size_t size) {
 #ifdef HAVE_STRERROR
 	char *msg;
-	unsigned int unum = num;
+	unsigned int unum = (unsigned int)num;
 	static isc_once_t once = ISC_ONCE_INIT;
 
 	REQUIRE(buf != NULL);
@@ -62,7 +62,7 @@ isc__strerror(int num, char *buf, size_t size) {
 		snprintf(buf, size, "Unknown error: %u", unum);
 	UNLOCK(&isc_strerror_lock);
 #else
-	unsigned int unum = num;
+	unsigned int unum = (unsigned int)num;
 
 	REQUIRE(buf != NULL);
 
diff --git a/lib/isc/unix/syslog.c b/lib/isc/unix/syslog.c
index ae67399..997508e 100644
--- a/lib/isc/unix/syslog.c
+++ b/lib/isc/unix/syslog.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: syslog.c,v 1.3.18.4 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: syslog.c,v 1.8 2007/09/13 04:45:18 each Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/unix/time.c b/lib/isc/unix/time.c
index facc12b..59428d3 100644
--- a/lib/isc/unix/time.c
+++ b/lib/isc/unix/time.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.47.18.4 2008/02/18 23:46:01 tbox Exp $ */
+/* $Id: time.c,v 1.56 2008/02/15 23:46:51 tbox Exp $ */
 
 /*! \file */
 
@@ -412,3 +412,27 @@ isc_time_formattimestamp(const isc_time_t *t, char *buf, unsigned int len) {
 	else
 		snprintf(buf, len, "99-Bad-9999 99:99:99.999");
 }
+
+void
+isc_time_formathttptimestamp(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%a, %d %b %Y %H:%M:%S GMT", gmtime(&now));
+	INSIST(flen < len);
+}
+
+void
+isc_time_formatISO8601(const isc_time_t *t, char *buf, unsigned int len) {
+	time_t now;
+	unsigned int flen;
+
+	REQUIRE(len > 0);
+
+	now = (time_t)t->seconds;
+	flen = strftime(buf, len, "%Y-%m-%dT%H:%M:%SZ", gmtime(&now));
+	INSIST(flen < len);
+}
diff --git a/lib/isc/version.c b/lib/isc/version.c
index 6d3b3d2..bfe4d6d 100644
--- a/lib/isc/version.c
+++ b/lib/isc/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.11.18.2 2005/04/29 00:16:51 marka Exp $ */
+/* $Id: version.c,v 1.15 2007/06/19 23:47:17 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isc/x86_32/Makefile.in b/lib/isc/x86_32/Makefile.in
index c8e77e4..324db07 100644
--- a/lib/isc/x86_32/Makefile.in
+++ b/lib/isc/x86_32/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:38 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_32/include/Makefile.in b/lib/isc/x86_32/include/Makefile.in
index b68a765..f1d8bdd 100644
--- a/lib/isc/x86_32/include/Makefile.in
+++ b/lib/isc/x86_32/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:39 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_32/include/isc/Makefile.in b/lib/isc/x86_32/include/isc/Makefile.in
index 4ce057a..5f116ca 100644
--- a/lib/isc/x86_32/include/isc/Makefile.in
+++ b/lib/isc/x86_32/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:39 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_32/include/isc/atomic.h b/lib/isc/x86_32/include/isc/atomic.h
index f3136d9..bf2148c 100644
--- a/lib/isc/x86_32/include/isc/atomic.h
+++ b/lib/isc/x86_32/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.2.3 2005/07/27 04:23:33 marka Exp $ */
+/* $Id: atomic.h,v 1.10 2008/01/24 23:47:00 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -27,7 +27,7 @@
  * This routine atomically increments the value stored in 'p' by 'val', and
  * returns the previous value.
  */
-static inline isc_int32_t
+static __inline__ isc_int32_t
 isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 	isc_int32_t prev = val;
 
@@ -43,10 +43,28 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 	return (prev);
 }
 
+#ifdef ISC_PLATFORM_HAVEXADDQ
+static __inline__ isc_int64_t
+isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
+	isc_int64_t prev = val;
+
+	__asm__ volatile(
+#ifdef ISC_PLATFORM_USETHREADS
+	    "lock;"
+#endif
+	    "xaddq %0, %1"
+	    :"=q"(prev)
+	    :"m"(*p), "0"(prev)
+	    :"memory", "cc");
+
+	return (prev);
+}
+#endif /* ISC_PLATFORM_HAVEXADDQ */
+
 /*
  * This routine atomically stores the value 'val' in 'p'.
  */
-static inline void
+static __inline__ void
 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 	__asm__ volatile(
 #ifdef ISC_PLATFORM_USETHREADS
@@ -54,7 +72,7 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 		 * xchg should automatically lock memory, but we add it
 		 * explicitly just in case (it at least doesn't harm)
 		 */
-		"lock;"		
+		"lock;"
 #endif
 
 		"xchgl %1, %0"
@@ -68,7 +86,7 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
  * original value is equal to 'cmpval'.  The original value is returned in any
  * case.
  */
-static inline isc_int32_t
+static __inline__ isc_int32_t
 isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 	__asm__ volatile(
 #ifdef ISC_PLATFORM_USETHREADS
diff --git a/lib/isc/x86_64/Makefile.in b/lib/isc/x86_64/Makefile.in
index de577a9..324db07 100644
--- a/lib/isc/x86_64/Makefile.in
+++ b/lib/isc/x86_64/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:39 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_64/include/Makefile.in b/lib/isc/x86_64/include/Makefile.in
index b68a765..f1d8bdd 100644
--- a/lib/isc/x86_64/include/Makefile.in
+++ b/lib/isc/x86_64/include/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:39 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:09:59 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_64/include/isc/Makefile.in b/lib/isc/x86_64/include/isc/Makefile.in
index 4ce057a..f33ae99 100644
--- a/lib/isc/x86_64/include/isc/Makefile.in
+++ b/lib/isc/x86_64/include/isc/Makefile.in
@@ -12,7 +12,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2.2.1 2007/09/14 04:26:39 marka Exp $
+# $Id: Makefile.in,v 1.2 2007/09/14 04:10:00 marka Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isc/x86_64/include/isc/atomic.h b/lib/isc/x86_64/include/isc/atomic.h
index 0752d8f..f57bd2a 100644
--- a/lib/isc/x86_64/include/isc/atomic.h
+++ b/lib/isc/x86_64/include/isc/atomic.h
@@ -1,7 +1,7 @@
 /*
- * Copyright (C) 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: atomic.h,v 1.2.20.1 2005/09/02 13:27:12 marka Exp $ */
+/* $Id: atomic.h,v 1.6 2008/01/24 23:47:00 tbox Exp $ */
 
 #ifndef ISC_ATOMIC_H
 #define ISC_ATOMIC_H 1
@@ -49,14 +49,31 @@ isc_atomic_xadd(isc_int32_t *p, isc_int32_t val) {
 		"lock;"
 #endif
 		"xadd %eax, (%rdx)\n"
+		/*
+		 * XXX: assume %eax will be used as the return value.
+		 */
+		);
+}
 
+#ifdef ISC_PLATFORM_HAVEXADDQ
+static isc_int64_t
+isc_atomic_xaddq(isc_int64_t *p, isc_int64_t val) {
+	UNUSED(p);
+	UNUSED(val);
+
+	__asm (
+		"movq %rdi, %rdx\n"
+		"movq %rsi, %rax\n"
+#ifdef ISC_PLATFORM_USETHREADS
+		"lock;"
+#endif
+		"xaddq %rax, (%rdx)\n"
 		/*
-		 * set the return value directly in the register so that we
-		 * can avoid guessing the correct position in the stack for a
-		 * local variable.
+		 * XXX: assume %rax will be used as the return value.
 		 */
 		);
 }
+#endif
 
 static void
 isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
@@ -70,6 +87,9 @@ isc_atomic_store(isc_int32_t *p, isc_int32_t val) {
 		"lock;"
 #endif
 		"xchgl (%rax), %edx\n"
+		/*
+		 * XXX: assume %rax will be used as the return value.
+		 */
 		);
 }
 
@@ -89,7 +109,7 @@ isc_atomic_cmpxchg(isc_int32_t *p, isc_int32_t cmpval, isc_int32_t val) {
 #endif
 		/*
 		 * If (%rdi) == %eax then (%rdi) := %edx.
-		 % %eax is set to old (%ecx), which will be the return value.
+		 * %eax is set to old (%ecx), which will be the return value.
 		 */
 		"cmpxchgl %ecx, (%rdx)"
 		);
diff --git a/lib/isccc/Makefile.in b/lib/isccc/Makefile.in
index cb41681..5dcc225 100644
--- a/lib/isccc/Makefile.in
+++ b/lib/isccc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6.18.1 2004/07/20 07:03:29 marka Exp $
+# $Id: Makefile.in,v 1.9 2007/06/19 23:47:21 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccc/alist.c b/lib/isccc/alist.c
index a8335c8..4f1743e 100644
--- a/lib/isccc/alist.c
+++ b/lib/isccc/alist.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: alist.c,v 1.8 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/api b/lib/isccc/api
index cd8c055..8459d42 100644
--- a/lib/isccc/api
+++ b/lib/isccc/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 1
+LIBINTERFACE = 50
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccc/base64.c b/lib/isccc/base64.c
index e723cf2..78b34ed 100644
--- a/lib/isccc/base64.c
+++ b/lib/isccc/base64.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.c,v 1.3.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: base64.c,v 1.8 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/cc.c b/lib/isccc/cc.c
index e65349e..cfa1db6 100644
--- a/lib/isccc/cc.c
+++ b/lib/isccc/cc.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001-2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.c,v 1.10.18.5 2006/12/07 23:57:58 marka Exp $ */
+/* $Id: cc.c,v 1.18 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/ccmsg.c b/lib/isccc/ccmsg.c
index d624c9b..298fc22 100644
--- a/lib/isccc/ccmsg.c
+++ b/lib/isccc/ccmsg.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.c,v 1.5.18.2 2005/04/29 00:17:11 marka Exp $ */
+/* $Id: ccmsg.c,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/include/Makefile.in b/lib/isccc/include/Makefile.in
index f3d46ab..9f727c3 100644
--- a/lib/isccc/include/Makefile.in
+++ b/lib/isccc/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.3 2004/03/05 05:12:12 marka Exp $
+# $Id: Makefile.in,v 1.5 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccc/include/isccc/Makefile.in b/lib/isccc/include/isccc/Makefile.in
index b7b1d55..ae5bec7 100644
--- a/lib/isccc/include/isccc/Makefile.in
+++ b/lib/isccc/include/isccc/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2004/03/05 05:12:15 marka Exp $
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccc/include/isccc/alist.h b/lib/isccc/include/isccc/alist.h
index 16b5ba2..29147a6 100644
--- a/lib/isccc/include/isccc/alist.h
+++ b/lib/isccc/include/isccc/alist.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: alist.h,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: alist.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_ALIST_H
 #define ISCCC_ALIST_H 1
 
-/*! \file */
+/*! \file isccc/alist.h */
 
 #include <stdio.h>
 
diff --git a/lib/isccc/include/isccc/base64.h b/lib/isccc/include/isccc/base64.h
index dd70e8d..795b044 100644
--- a/lib/isccc/include/isccc/base64.h
+++ b/lib/isccc/include/isccc/base64.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: base64.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: base64.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_BASE64_H
 #define ISCCC_BASE64_H 1
 
-/*! \file */
+/*! \file isccc/base64.h */
 
 #include <isc/lang.h>
 #include <isccc/types.h>
diff --git a/lib/isccc/include/isccc/cc.h b/lib/isccc/include/isccc/cc.h
index 2e291ea..79393be 100644
--- a/lib/isccc/include/isccc/cc.h
+++ b/lib/isccc/include/isccc/cc.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cc.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: cc.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_CC_H
 #define ISCCC_CC_H 1
 
-/*! \file */
+/*! \file isccc/cc.h */
 
 #include <isc/lang.h>
 #include <isccc/types.h>
diff --git a/lib/isccc/include/isccc/ccmsg.h b/lib/isccc/include/isccc/ccmsg.h
index 372047d..e25aa51 100644
--- a/lib/isccc/include/isccc/ccmsg.h
+++ b/lib/isccc/include/isccc/ccmsg.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ccmsg.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: ccmsg.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_CCMSG_H
 #define ISCCC_CCMSG_H 1
 
-/*! \file */
+/*! \file isccc/ccmsg.h */
 
 #include <isc/buffer.h>
 #include <isc/lang.h>
diff --git a/lib/isccc/include/isccc/events.h b/lib/isccc/include/isccc/events.h
index 0ac365f..a3e1470 100644
--- a/lib/isccc/include/isccc/events.h
+++ b/lib/isccc/include/isccc/events.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: events.h,v 1.3.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: events.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_EVENTS_H
 #define ISCCC_EVENTS_H 1
 
-/*! \file */
+/*! \file isccc/events.h */
 
 #include <isc/eventclass.h>
 
diff --git a/lib/isccc/include/isccc/lib.h b/lib/isccc/include/isccc/lib.h
index 247267c..de74666 100644
--- a/lib/isccc/include/isccc/lib.h
+++ b/lib/isccc/include/isccc/lib.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.h,v 1.4.18.2 2005/04/29 00:17:13 marka Exp $ */
+/* $Id: lib.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_LIB_H
 #define ISCCC_LIB_H 1
 
-/*! \file */
+/*! \file isccc/lib.h */
 
 #include <isc/types.h>
 #include <isc/lang.h>
diff --git a/lib/isccc/include/isccc/result.h b/lib/isccc/include/isccc/result.h
index 6fbc298..2d54969 100644
--- a/lib/isccc/include/isccc/result.h
+++ b/lib/isccc/include/isccc/result.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.5.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: result.h,v 1.12 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_RESULT_H
 #define ISCCC_RESULT_H 1
 
-/*! \file */
+/*! \file isccc/result.h */
 
 #include <isc/lang.h>
 #include <isc/resultclass.h>
diff --git a/lib/isccc/include/isccc/sexpr.h b/lib/isccc/include/isccc/sexpr.h
index cb1d297..6112631 100644
--- a/lib/isccc/include/isccc/sexpr.h
+++ b/lib/isccc/include/isccc/sexpr.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: sexpr.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_SEXPR_H
 #define ISCCC_SEXPR_H 1
 
-/*! \file */
+/*! \file isccc/sexpr.h */
 
 #include <stdio.h>
 
diff --git a/lib/isccc/include/isccc/symtab.h b/lib/isccc/include/isccc/symtab.h
index 5b11a01..77a188a 100644
--- a/lib/isccc/include/isccc/symtab.h
+++ b/lib/isccc/include/isccc/symtab.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: symtab.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_SYMTAB_H
 #define ISCCC_SYMTAB_H 1
@@ -25,7 +38,7 @@
  ***** Module Info
  *****/
 
-/*! \file 
+/*! \file isccc/symtab.h
  * \brief
  * Provides a simple memory-based symbol table.
  *
diff --git a/lib/isccc/include/isccc/symtype.h b/lib/isccc/include/isccc/symtype.h
index e72ae92..c8e6868 100644
--- a/lib/isccc/include/isccc/symtype.h
+++ b/lib/isccc/include/isccc/symtype.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtype.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: symtype.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_SYMTYPE_H
 #define ISCCC_SYMTYPE_H 1
 
-/*! \file */
+/*! \file isccc/symtype.h */
 
 #define ISCCC_SYMTYPE_ZONESTATS			0x0001
 #define ISCCC_SYMTYPE_CCDUP			0x0002
diff --git a/lib/isccc/include/isccc/types.h b/lib/isccc/include/isccc/types.h
index f46d257..fd5c9f3 100644
--- a/lib/isccc/include/isccc/types.h
+++ b/lib/isccc/include/isccc/types.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,12 +29,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: types.h,v 1.3.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: types.h,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_TYPES_H
 #define ISCCC_TYPES_H 1
 
-/*! \file */
+/*! \file isccc/types.h */
 
 #include <isc/boolean.h>
 #include <isc/int.h>
diff --git a/lib/isccc/include/isccc/util.h b/lib/isccc/include/isccc/util.h
index 7662483..2e36b6e 100644
--- a/lib/isccc/include/isccc/util.h
+++ b/lib/isccc/include/isccc/util.h
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,14 +29,14 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: util.h,v 1.4.18.2 2005/04/29 00:17:14 marka Exp $ */
+/* $Id: util.h,v 1.11 2007/08/28 07:20:43 tbox Exp $ */
 
 #ifndef ISCCC_UTIL_H
 #define ISCCC_UTIL_H 1
 
 #include <isc/util.h>
 
-/*! \file
+/*! \file isccc/util.h
  * \brief
  * Macros for dealing with unaligned numbers.
  *
diff --git a/lib/isccc/include/isccc/version.h b/lib/isccc/include/isccc/version.h
index b82ed8b..869316c 100644
--- a/lib/isccc/include/isccc/version.h
+++ b/lib/isccc/include/isccc/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
 
-/*! \file */
+/*! \file isccc/version.h */
 
 #include <isc/platform.h>
 
diff --git a/lib/isccc/lib.c b/lib/isccc/lib.c
index bef2d9a..17170f5 100644
--- a/lib/isccc/lib.c
+++ b/lib/isccc/lib.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lib.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: lib.c,v 1.9 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/result.c b/lib/isccc/result.c
index 974e51b..cbedc16 100644
--- a/lib/isccc/result.c
+++ b/lib/isccc/result.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001, 2003  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.c,v 1.5.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: result.c,v 1.10 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/sexpr.c b/lib/isccc/sexpr.c
index 573a63c..e96536d 100644
--- a/lib/isccc/sexpr.c
+++ b/lib/isccc/sexpr.c
@@ -1,9 +1,22 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: sexpr.c,v 1.4.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: sexpr.c,v 1.9 2007/08/28 07:20:43 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/symtab.c b/lib/isccc/symtab.c
index 7ec6d55..d7ae687 100644
--- a/lib/isccc/symtab.c
+++ b/lib/isccc/symtab.c
@@ -1,6 +1,19 @@
 /*
  * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2001  Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NOMINUM DISCLAIMS ALL
+ * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
  * Portions Copyright (C) 2001  Nominum, Inc.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -16,7 +29,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: symtab.c,v 1.5.18.4 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: symtab.c,v 1.11 2007/09/13 04:45:18 each Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccc/version.c b/lib/isccc/version.c
index 0d65dcb..c9d9124 100644
--- a/lib/isccc/version.c
+++ b/lib/isccc/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:12 marka Exp $ */
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in
index 7d19123..6dcacdd 100644
--- a/lib/isccfg/Makefile.in
+++ b/lib/isccfg/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001-2003  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.12.18.4 2005/09/05 00:18:30 marka Exp $
+# $Id: Makefile.in,v 1.18 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index d7b41ce..ad3d58e 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.2.2.6 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: aclconf.c,v 1.22.34.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #include <config.h>
 
@@ -27,10 +27,11 @@
 #include <isccfg/aclconf.h>
 
 #include <dns/acl.h>
+#include <dns/iptable.h>
 #include <dns/fixedname.h>
 #include <dns/log.h>
 
-#define LOOP_MAGIC ISC_MAGIC('L','O','O','P') 
+#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
 
 void
 cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
@@ -39,7 +40,8 @@ cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
 
 void
 cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) {
-     	dns_acl_t *dacl, *next;
+	dns_acl_t *dacl, *next;
+
 	for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
 	     dacl != NULL;
 	     dacl = next)
@@ -57,7 +59,7 @@ get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 	isc_result_t result;
 	const cfg_obj_t *acls = NULL;
 	const cfg_listelt_t *elt;
-	
+
 	result = cfg_map_get(cctx, "acl", &acls);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -67,7 +69,9 @@ get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 		const cfg_obj_t *acl = cfg_listelt_value(elt);
 		const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
 		if (strcasecmp(aclname, name) == 0) {
-			*ret = cfg_tuple_get(acl, "value");
+			if (ret != NULL) {
+				*ret = cfg_tuple_get(acl, "value");
+			}
 			return (ISC_R_SUCCESS);
 		}
 	}
@@ -77,7 +81,8 @@ get_acl_def(const cfg_obj_t *cctx, const char *name, const cfg_obj_t **ret) {
 static isc_result_t
 convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 		  isc_log_t *lctx, cfg_aclconfctx_t *ctx,
-		  isc_mem_t *mctx, dns_acl_t **target)
+		  isc_mem_t *mctx, unsigned int nest_level,
+		  dns_acl_t **target)
 {
 	isc_result_t result;
 	const cfg_obj_t *cacl = NULL;
@@ -115,7 +120,8 @@ convert_named_acl(const cfg_obj_t *nameobj, const cfg_obj_t *cctx,
 	DE_CONST(aclname, loop.name);
 	loop.magic = LOOP_MAGIC;
 	ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
-	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl);
+	result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx,
+				    nest_level, &dacl);
 	ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
 	loop.magic = 0;
 	loop.name = NULL;
@@ -154,87 +160,246 @@ convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
 	return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
 }
 
+/*
+ * Recursively pre-parse an ACL definition to find the total number
+ * of non-IP-prefix elements (localhost, localnets, key) in all nested
+ * ACLs, so that the parent will have enough space allocated for the
+ * elements table after all the nested ACLs have been merged in to the
+ * parent.
+ */
+static int
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+{
+	const cfg_listelt_t *elt;
+	const cfg_obj_t *cacl = NULL;
+	isc_result_t result;
+	int n = 0;
+
+	for (elt = cfg_list_first(caml);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		const cfg_obj_t *ce = cfg_listelt_value(elt);
+
+		/* negated element; just get the value. */
+		if (cfg_obj_istuple(ce))
+			ce = cfg_tuple_get(ce, "value");
+
+		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			n++;
+		} else if (cfg_obj_islist(ce)) {
+			n += count_acl_elements(ce, cctx);
+		} else if (cfg_obj_isstring(ce)) {
+			const char *name = cfg_obj_asstring(ce);
+			if (strcasecmp(name, "localhost") == 0 ||
+			    strcasecmp(name, "localnets") == 0) {
+				n++;
+			} else if (strcasecmp(name, "any") != 0 &&
+				   strcasecmp(name, "none") != 0) {
+				result = get_acl_def(cctx, name, &cacl);
+				if (result == ISC_R_SUCCESS)
+					n += count_acl_elements(cacl, cctx) + 1;
+			}
+		}
+	}
+
+	return n;
+}
+
 isc_result_t
 cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   const cfg_obj_t *cctx,
-	 	   isc_log_t *lctx,
+		   isc_log_t *lctx,
 		   cfg_aclconfctx_t *ctx,
 		   isc_mem_t *mctx,
+		   unsigned int nest_level,
 		   dns_acl_t **target)
 {
 	isc_result_t result;
-	unsigned int count;
-	dns_acl_t *dacl = NULL;
+	dns_acl_t *dacl = NULL, *inneracl = NULL;
 	dns_aclelement_t *de;
 	const cfg_listelt_t *elt;
+	dns_iptable_t *iptab;
+	int new_nest_level = 0;
 
-	REQUIRE(target != NULL && *target == NULL);
+	if (nest_level != 0)
+		new_nest_level = nest_level - 1;
 
-	count = 0;
-	for (elt = cfg_list_first(caml);
-	     elt != NULL;
-	     elt = cfg_list_next(elt))
-		count++;
+	REQUIRE(target != NULL);
+	REQUIRE(*target == NULL || DNS_ACL_VALID(*target));
 
-	result = dns_acl_create(mctx, count, &dacl);
-	if (result != ISC_R_SUCCESS)
-		return (result);
+	if (*target != NULL) {
+		/*
+		 * If target already points to an ACL, then we're being
+		 * called recursively to configure a nested ACL.  The
+		 * nested ACL's contents should just be absorbed into its
+		 * parent ACL.
+		 */
+		dns_acl_attach(*target, &dacl);
+		dns_acl_detach(target);
+	} else {
+		/*
+		 * Need to allocate a new ACL structure.  Count the items
+		 * in the ACL definition that will require space in the
+		 * elements table.  (Note that if nest_level is nonzero,
+		 * *everything* goes in the elements table.)
+		 */
+		int nelem;
+
+		if (nest_level == 0)
+			nelem = count_acl_elements(caml, cctx);
+		else
+			nelem = cfg_list_length(caml, ISC_FALSE);
+
+		result = dns_acl_create(mctx, nelem, &dacl);
+		if (result != ISC_R_SUCCESS)
+			return (result);
+	}
 
 	de = dacl->elements;
 	for (elt = cfg_list_first(caml);
 	     elt != NULL;
-	     elt = cfg_list_next(elt))
-	{
+	     elt = cfg_list_next(elt)) {
 		const cfg_obj_t *ce = cfg_listelt_value(elt);
+		isc_boolean_t	neg;
+
 		if (cfg_obj_istuple(ce)) {
 			/* This must be a negated element. */
 			ce = cfg_tuple_get(ce, "value");
-			de->negative = ISC_TRUE;
-		} else {
-			de->negative = ISC_FALSE;
+			neg = ISC_TRUE;
+			dacl->has_negatives = ISC_TRUE;
+		} else
+			neg = ISC_FALSE;
+
+		/*
+		 * If nest_level is nonzero, then every element is
+		 * to be stored as a separate, nested ACL rather than
+		 * merged into the main iptable.
+		 */
+		iptab = dacl->iptable;
+
+		if (nest_level != 0) {
+			result = dns_acl_create(mctx,
+						cfg_list_length(ce, ISC_FALSE),
+						&de->nestedacl);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+			iptab = de->nestedacl->iptable;
 		}
 
 		if (cfg_obj_isnetprefix(ce)) {
 			/* Network prefix */
-			de->type = dns_aclelementtype_ipprefix;
+			isc_netaddr_t	addr;
+			unsigned int	bitlen;
 
-			cfg_obj_asnetprefix(ce,
-					    &de->u.ip_prefix.address,
-					    &de->u.ip_prefix.prefixlen);
-		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
-			/* Key name */
-			de->type = dns_aclelementtype_keyname;
-			dns_name_init(&de->u.keyname, NULL);
-			result = convert_keyname(ce, lctx, mctx,
-						 &de->u.keyname);
+			cfg_obj_asnetprefix(ce, &addr, &bitlen);
+
+			/*
+			 * If nesting ACLs (nest_level != 0), we negate
+			 * the nestedacl element, not the iptable entry.
+			 */
+			result = dns_iptable_addprefix(iptab, &addr, bitlen,
+					      ISC_TF(nest_level != 0 || !neg));
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
+
+			if (nest_level > 0) {
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+			} else
+				continue;
 		} else if (cfg_obj_islist(ce)) {
-			/* Nested ACL */
-			de->type = dns_aclelementtype_nestedacl;
-			result = cfg_acl_fromconfig(ce, cctx, lctx, ctx,
-						    mctx, &de->u.nestedacl);
+			/*
+			 * If we're nesting ACLs, put the nested
+			 * ACL onto the elements list; otherwise
+			 * merge it into *this* ACL.  We nest ACLs
+			 * in two cases: 1) sortlist, 2) if the
+			 * nested ACL contains negated members.
+			 */
+			if (inneracl != NULL)
+				dns_acl_detach(&inneracl);
+			result = cfg_acl_fromconfig(ce, cctx, lctx,
+						    ctx, mctx, new_nest_level,
+						    &inneracl);
+			if (result != ISC_R_SUCCESS)
+				goto cleanup;
+nested_acl:
+			if (nest_level > 0 || inneracl->has_negatives) {
+				de->type = dns_aclelementtype_nestedacl;
+				de->negative = neg;
+				if (de->nestedacl != NULL)
+					dns_acl_detach(&de->nestedacl);
+				dns_acl_attach(inneracl,
+					       &de->nestedacl);
+				dns_acl_detach(&inneracl);
+				/* Fall through. */
+			} else {
+				dns_acl_merge(dacl, inneracl,
+					      ISC_TF(!neg));
+				de += inneracl->length;  /* elements added */
+				dns_acl_detach(&inneracl);
+				continue;
+			}
+		} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
+			/* Key name. */
+			de->type = dns_aclelementtype_keyname;
+			de->negative = neg;
+			dns_name_init(&de->keyname, NULL);
+			result = convert_keyname(ce, lctx, mctx,
+						 &de->keyname);
 			if (result != ISC_R_SUCCESS)
 				goto cleanup;
 		} else if (cfg_obj_isstring(ce)) {
-			/* ACL name */
+			/* ACL name. */
 			const char *name = cfg_obj_asstring(ce);
-			if (strcasecmp(name, "localhost") == 0) {
+			if (strcasecmp(name, "any") == 0) {
+				/* Iptable entry with zero bit length. */
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+					      ISC_TF(nest_level != 0 || !neg));
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				if (nest_level != 0) {
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = neg;
+				} else
+					continue;
+			} else if (strcasecmp(name, "none") == 0) {
+				/* none == !any */
+				/*
+				 * We don't unconditional set
+				 * dacl->has_negatives and
+				 * de->negative to true so we can handle
+				 * "!none;".
+				 */
+				result = dns_iptable_addprefix(iptab, NULL, 0,
+					      ISC_TF(nest_level != 0 || neg));
+				if (result != ISC_R_SUCCESS)
+					goto cleanup;
+
+				if (!neg)
+					dacl->has_negatives = !neg;
+
+				if (nest_level != 0) {
+					de->type = dns_aclelementtype_nestedacl;
+					de->negative = !neg;
+				} else
+					continue;
+			} else if (strcasecmp(name, "localhost") == 0) {
 				de->type = dns_aclelementtype_localhost;
+				de->negative = neg;
 			} else if (strcasecmp(name, "localnets") == 0) {
 				de->type = dns_aclelementtype_localnets;
-			}  else if (strcasecmp(name, "any") == 0) {
-				de->type = dns_aclelementtype_any;
-			}  else if (strcasecmp(name, "none") == 0) {
-				de->type = dns_aclelementtype_any;
-				de->negative = ISC_TF(! de->negative);
+				de->negative = neg;
 			} else {
-				de->type = dns_aclelementtype_nestedacl;
-				result = convert_named_acl(ce, cctx, lctx,
-							   ctx, mctx,
-							   &de->u.nestedacl);
+				if (inneracl != NULL)
+					dns_acl_detach(&inneracl);
+				result = convert_named_acl(ce, cctx, lctx, ctx,
+							   mctx, new_nest_level,
+							   &inneracl);
 				if (result != ISC_R_SUCCESS)
 					goto cleanup;
+
+				goto nested_acl;
 			}
 		} else {
 			cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
@@ -243,14 +408,30 @@ cfg_acl_fromconfig(const cfg_obj_t *caml,
 			result = ISC_R_FAILURE;
 			goto cleanup;
 		}
-		de++;
+
+		/*
+		 * This should only be reached for localhost, localnets
+		 * and keyname elements, and nested ACLs if nest_level is
+		 * nonzero (i.e., in sortlists).
+		 */
+		if (de->nestedacl != NULL &&
+		    de->type != dns_aclelementtype_nestedacl)
+			dns_acl_detach(&de->nestedacl);
+
+		dacl->node_count++;
+		de->node_num = dacl->node_count;
+
 		dacl->length++;
+		de++;
+		INSIST(dacl->length <= dacl->alloc);
 	}
 
-	*target = dacl;
-	return (ISC_R_SUCCESS);
+	dns_acl_attach(dacl, target);
+	result = ISC_R_SUCCESS;
 
  cleanup:
+	if (inneracl != NULL)
+		dns_acl_detach(&inneracl);
 	dns_acl_detach(&dacl);
 	return (result);
 }
diff --git a/lib/isccfg/api b/lib/isccfg/api
index 510e9a9..8459d42 100644
--- a/lib/isccfg/api
+++ b/lib/isccfg/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 5
+LIBINTERFACE = 50
+LIBREVISION = 0
 LIBAGE = 0
diff --git a/lib/isccfg/include/Makefile.in b/lib/isccfg/include/Makefile.in
index 4eddd92..1f24003 100644
--- a/lib/isccfg/include/Makefile.in
+++ b/lib/isccfg/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.5 2004/03/05 05:12:24 marka Exp $
+# $Id: Makefile.in,v 1.7 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in
index d71d2c2..a6fd412 100644
--- a/lib/isccfg/include/isccfg/Makefile.in
+++ b/lib/isccfg/include/isccfg/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001, 2002  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.8.18.2 2005/01/12 01:54:57 marka Exp $
+# $Id: Makefile.in,v 1.12 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/isccfg/include/isccfg/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h
index a13740c..7ad4351 100644
--- a/lib/isccfg/include/isccfg/aclconf.h
+++ b/lib/isccfg/include/isccfg/aclconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.h,v 1.2.2.5 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: aclconf.h,v 1.10 2007/10/12 04:17:18 each Exp $ */
 
 #ifndef ISCCFG_ACLCONF_H
 #define ISCCFG_ACLCONF_H 1
@@ -28,6 +28,7 @@
 
 typedef struct cfg_aclconfctx {
 	ISC_LIST(dns_acl_t) named_acl_cache;
+	ISC_LIST(dns_iptable_t) named_iptable_cache;
 } cfg_aclconfctx_t;
 
 /***
@@ -54,6 +55,7 @@ cfg_acl_fromconfig(const cfg_obj_t *caml,
 		   isc_log_t *lctx,
 		   cfg_aclconfctx_t *ctx,
 		   isc_mem_t *mctx,
+		   unsigned int nest_level,
 		   dns_acl_t **target);
 /*
  * Construct a new dns_acl_t from configuration data in 'caml' and
diff --git a/lib/isccfg/include/isccfg/cfg.h b/lib/isccfg/include/isccfg/cfg.h
index 6a30a1c..d0ed94b 100644
--- a/lib/isccfg/include/isccfg/cfg.h
+++ b/lib/isccfg/include/isccfg/cfg.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: cfg.h,v 1.34.18.5 2006/03/02 00:37:22 marka Exp $ */
+/* $Id: cfg.h,v 1.44 2007/10/12 04:17:18 each Exp $ */
 
 #ifndef ISCCFG_CFG_H
 #define ISCCFG_CFG_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file
+/*! \file isccfg/cfg.h
  * \brief
  * This is the new, table-driven, YACC-free configuration file parser.
  */
@@ -347,6 +347,14 @@ cfg_list_next(const cfg_listelt_t *elt);
  * 	or NULL if there are no more elements.
  */
 
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse);
+/*%<
+ * Returns the length of a list of configure objects.  If obj is
+ * not a list, returns 0.  If recurse is true, add in the length of
+ * all contained lists.
+ */
+
 const cfg_obj_t *
 cfg_listelt_value(const cfg_listelt_t *elt);
 /*%<
diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h
index fa66146..f194d4c 100644
--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: grammar.h,v 1.4.18.8 2006/02/28 03:10:49 marka Exp $ */
+/* $Id: grammar.h,v 1.17 2008/09/25 04:02:39 tbox Exp $ */
 
 #ifndef ISCCFG_GRAMMAR_H
 #define ISCCFG_GRAMMAR_H 1
 
-/*! \file */
+/*! \file isccfg/grammar.h */
 
 #include <isc/lex.h>
 #include <isc/netaddr.h>
@@ -51,6 +51,8 @@
  * "directory" option.
  */
 #define CFG_CLAUSEFLAG_CALLBACK		0x00000020
+/*% A option that is only used in testing. */
+#define CFG_CLAUSEFLAG_TESTONLY		0x00000040
 
 typedef struct cfg_clausedef cfg_clausedef_t;
 typedef struct cfg_tuplefielddef cfg_tuplefielddef_t;
@@ -184,8 +186,8 @@ struct cfg_parser {
 	/*%
 	 * The stack of currently active files, represented
 	 * as a configuration list of configuration strings.
-	 * The head is the top-level file, subsequent elements 
-	 * (if any) are the nested include files, and the 
+	 * The head is the top-level file, subsequent elements
+	 * (if any) are the nested include files, and the
 	 * last element is the file currently being parsed.
 	 */
 	cfg_obj_t *	open_files;
@@ -433,7 +435,7 @@ cfg_doc_terminal(cfg_printer_t *pctx, const cfg_type_t *type);
 void
 cfg_parser_error(cfg_parser_t *pctx, unsigned int flags,
 		 const char *fmt, ...) ISC_FORMAT_PRINTF(3, 4);
-/*! 
+/*!
  * Pass one of these flags to cfg_parser_error() to include the
  * token text in log message.
  */
diff --git a/lib/isccfg/include/isccfg/log.h b/lib/isccfg/include/isccfg/log.h
index f66c37f..9750a52 100644
--- a/lib/isccfg/include/isccfg/log.h
+++ b/lib/isccfg/include/isccfg/log.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.h,v 1.6.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: log.h,v 1.12.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 #ifndef ISCCFG_LOG_H
 #define ISCCFG_LOG_H 1
 
-/*! \file */
+/*! \file isccfg/log.h */
 
 #include <isc/lang.h>
 #include <isc/log.h>
@@ -46,7 +46,7 @@ cfg_log_init(isc_log_t *lctx);
  *\li	cfg_log_init() is called only once.
  *
  * Ensures:
- * \li	The catgories and modules defined above are available for
+ * \li	The categories and modules defined above are available for
  * 	use by isc_log_usechannnel() and isc_log_write().
  */
 
diff --git a/lib/isccfg/include/isccfg/namedconf.h b/lib/isccfg/include/isccfg/namedconf.h
index 6125b26..9689a2a 100644
--- a/lib/isccfg/include/isccfg/namedconf.h
+++ b/lib/isccfg/include/isccfg/namedconf.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: namedconf.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
 
 #ifndef ISCCFG_NAMEDCONF_H
 #define ISCCFG_NAMEDCONF_H 1
 
-/*! \file
+/*! \file isccfg/namedconf.h
  * \brief
  * This module defines the named.conf, rndc.conf, and rndc.key grammars.
  */
diff --git a/lib/isccfg/include/isccfg/version.h b/lib/isccfg/include/isccfg/version.h
index 38bb14b..8aed111 100644
--- a/lib/isccfg/include/isccfg/version.h
+++ b/lib/isccfg/include/isccfg/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:22 tbox Exp $ */
 
-/*! \file */
+/*! \file isccfg/version.h */
 
 #include <isc/platform.h>
 
diff --git a/lib/isccfg/log.c b/lib/isccfg/log.c
index 5d5ccb5..8747fc0 100644
--- a/lib/isccfg/log.c
+++ b/lib/isccfg/log.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: log.c,v 1.5.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: log.c,v 1.11 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
@@ -27,7 +27,7 @@
 
 /*%
  * When adding a new category, be sure to add the appropriate
- * #define to <isccfg/log.h>.
+ * \#define to <isccfg/log.h>.
  */
 LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
 	{ "config", 	0 },
@@ -36,7 +36,7 @@ LIBISCCFG_EXTERNAL_DATA isc_logcategory_t cfg_categories[] = {
 
 /*%
  * When adding a new module, be sure to add the appropriate
- * #define to <isccfg/log.h>.
+ * \#define to <isccfg/log.h>.
  */
 LIBISCCFG_EXTERNAL_DATA isc_logmodule_t cfg_modules[] = {
 	{ "isccfg/parser",	0 },
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index a13d0a5..0610489 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2006, 2008  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2002, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: namedconf.c,v 1.30.18.43 2008/09/04 08:03:08 marka Exp $ */
+/* $Id: namedconf.c,v 1.92 2008/09/27 23:35:31 jinmei Exp $ */
 
 /*! \file */
 
@@ -88,9 +88,9 @@ static cfg_type_t cfg_type_masterselement;
 static cfg_type_t cfg_type_nameportiplist;
 static cfg_type_t cfg_type_negated;
 static cfg_type_t cfg_type_notifytype;
+static cfg_type_t cfg_type_optional_allow;
 static cfg_type_t cfg_type_optional_class;
 static cfg_type_t cfg_type_optional_facility;
-static cfg_type_t cfg_type_optional_facility;
 static cfg_type_t cfg_type_optional_keyref;
 static cfg_type_t cfg_type_optional_port;
 static cfg_type_t cfg_type_options;
@@ -104,6 +104,7 @@ static cfg_type_t cfg_type_size;
 static cfg_type_t cfg_type_sizenodefault;
 static cfg_type_t cfg_type_sockaddr4wild;
 static cfg_type_t cfg_type_sockaddr6wild;
+static cfg_type_t cfg_type_statschannels;
 static cfg_type_t cfg_type_view;
 static cfg_type_t cfg_type_viewopts;
 static cfg_type_t cfg_type_zone;
@@ -258,7 +259,9 @@ static cfg_type_t cfg_type_mode = {
 };
 
 static const char *matchtype_enums[] = {
-	"name", "subdomain", "wildcard", "self", "selfsub", "selfwild", NULL };
+	"name", "subdomain", "wildcard", "self", "selfsub", "selfwild",
+	"krb5-self", "ms-self", "krb5-subdomain", "ms-subdomain",
+	"tcp-self", "6to4-self", NULL };
 static cfg_type_t cfg_type_matchtype = {
 	"matchtype", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, &cfg_rep_string,
 	&matchtype_enums
@@ -633,6 +636,8 @@ namedconf_clauses[] = {
 	{ "logging", &cfg_type_logging, 0 },
 	{ "view", &cfg_type_view, CFG_CLAUSEFLAG_MULTI },
 	{ "lwres", &cfg_type_lwres, CFG_CLAUSEFLAG_MULTI },
+	{ "statistics-channels", &cfg_type_statschannels,
+	  CFG_CLAUSEFLAG_MULTI },
 	{ NULL, NULL, 0 }
 };
 
@@ -678,6 +683,7 @@ options_clauses[] = {
 	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
 	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
 	{ "memstatistics-file", &cfg_type_qstring, 0 },
+	{ "memstatistics", &cfg_type_boolean, 0 },
 	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "pid-file", &cfg_type_qstringornone, 0 },
@@ -781,61 +787,68 @@ static cfg_type_t cfg_type_lookaside = {
 
 static cfg_clausedef_t
 view_clauses[] = {
+	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
+	{ "acache-enable", &cfg_type_boolean, 0 },
+	{ "additional-from-auth", &cfg_type_boolean, 0 },
+	{ "additional-from-cache", &cfg_type_boolean, 0 },
 	{ "allow-query-cache", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-cache-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-recursion", &cfg_type_bracketed_aml, 0 },
+	{ "allow-recursion-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-v6-synthesis", &cfg_type_bracketed_aml,
 	  CFG_CLAUSEFLAG_OBSOLETE },
-	{ "sortlist", &cfg_type_bracketed_aml, 0 },
-	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
 	{ "auth-nxdomain", &cfg_type_boolean, CFG_CLAUSEFLAG_NEWDEFAULT },
-	{ "minimal-responses", &cfg_type_boolean, 0 },
-	{ "recursion", &cfg_type_boolean, 0 },
-	{ "rrset-order", &cfg_type_rrsetorder, 0 },
-	{ "provide-ixfr", &cfg_type_boolean, 0 },
-	{ "request-ixfr", &cfg_type_boolean, 0 },
-	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
-	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
-	{ "additional-from-auth", &cfg_type_boolean, 0 },
-	{ "additional-from-cache", &cfg_type_boolean, 0 },
-	/*
-	 * Note that the query-source option syntax is different
-	 * from the other -source options.
-	 */
-	{ "query-source", &cfg_type_querysource4, 0 },
-	{ "query-source-v6", &cfg_type_querysource6, 0 },
-	{ "cleaning-interval", &cfg_type_uint32, 0 },
-	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
-	{ "lame-ttl", &cfg_type_uint32, 0 },
-	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
-	{ "max-cache-ttl", &cfg_type_uint32, 0 },
-	{ "transfer-format", &cfg_type_transferformat, 0 },
-	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
-	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
 	{ "cache-file", &cfg_type_qstring, 0 },
-	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
-	{ "preferred-glue", &cfg_type_astring, 0 },
-	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
-	{ "edns-udp-size", &cfg_type_uint32, 0 },
-	{ "max-udp-size", &cfg_type_uint32, 0 },
-	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "check-names", &cfg_type_checknames, CFG_CLAUSEFLAG_MULTI },
+	{ "cleaning-interval", &cfg_type_uint32, 0 },
+	{ "clients-per-query", &cfg_type_uint32, 0 },
 	{ "disable-algorithms", &cfg_type_disablealgorithm,
 	  CFG_CLAUSEFLAG_MULTI },
+	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
 	{ "dnssec-enable", &cfg_type_boolean, 0 },
-	{ "dnssec-validation", &cfg_type_boolean, 0 },
 	{ "dnssec-lookaside", &cfg_type_lookaside, CFG_CLAUSEFLAG_MULTI },
 	{ "dnssec-must-be-secure",  &cfg_type_mustbesecure,
-	   CFG_CLAUSEFLAG_MULTI },
-	{ "dnssec-accept-expired", &cfg_type_boolean, 0 },
+	  CFG_CLAUSEFLAG_MULTI },
+	{ "dnssec-validation", &cfg_type_boolean, 0 },
+	{ "dual-stack-servers", &cfg_type_nameportiplist, 0 },
+	{ "edns-udp-size", &cfg_type_uint32, 0 },
+	{ "empty-contact", &cfg_type_astring, 0 },
+	{ "empty-server", &cfg_type_astring, 0 },
+	{ "empty-zones-enable", &cfg_type_boolean, 0 },
+	{ "fetch-glue", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
-	{ "acache-enable", &cfg_type_boolean, 0 },
-	{ "acache-cleaning-interval", &cfg_type_uint32, 0 },
+	{ "lame-ttl", &cfg_type_uint32, 0 },
 	{ "max-acache-size", &cfg_type_sizenodefault, 0 },
-	{ "clients-per-query", &cfg_type_uint32, 0 },
+	{ "max-cache-size", &cfg_type_sizenodefault, 0 },
+	{ "max-cache-ttl", &cfg_type_uint32, 0 },
 	{ "max-clients-per-query", &cfg_type_uint32, 0 },
-	{ "empty-server", &cfg_type_astring, 0 },
-	{ "empty-contact", &cfg_type_astring, 0 },
-	{ "empty-zones-enable", &cfg_type_boolean, 0 },
-	{ "disable-empty-zone", &cfg_type_astring, CFG_CLAUSEFLAG_MULTI },
+	{ "max-ncache-ttl", &cfg_type_uint32, 0 },
+	{ "max-udp-size", &cfg_type_uint32, 0 },
+	{ "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP },
+	{ "minimal-responses", &cfg_type_boolean, 0 },
+	{ "preferred-glue", &cfg_type_astring, 0 },
+	{ "provide-ixfr", &cfg_type_boolean, 0 },
+	/*
+	 * Note that the query-source option syntax is different
+	 * from the other -source options.
+	 */
+	{ "query-source", &cfg_type_querysource4, 0 },
+	{ "query-source-v6", &cfg_type_querysource6, 0 },
+	{ "queryport-pool-ports", &cfg_type_uint32, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "queryport-pool-updateinterval", &cfg_type_uint32,
+	  CFG_CLAUSEFLAG_OBSOLETE },
+	{ "recursion", &cfg_type_boolean, 0 },
+	{ "request-ixfr", &cfg_type_boolean, 0 },
+	{ "request-nsid", &cfg_type_boolean, 0 },
+	{ "rfc2308-type1", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "root-delegation-only",  &cfg_type_optional_exclude, 0 },
+	{ "rrset-order", &cfg_type_rrsetorder, 0 },
+	{ "sortlist", &cfg_type_bracketed_aml, 0 },
+	{ "suppress-initial-notify", &cfg_type_boolean, CFG_CLAUSEFLAG_NYI },
+	{ "topology", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_NOTIMP },
+	{ "transfer-format", &cfg_type_transferformat, 0 },
+	{ "use-queryport-pool", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "zero-no-soa-ttl-cache", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
@@ -852,53 +865,101 @@ view_only_clauses[] = {
 };
 
 /*%
+ * Sig-validity-interval.
+ */
+static isc_result_t
+parse_optional_uint32(cfg_parser_t *pctx, const cfg_type_t *type,
+		      cfg_obj_t **ret)
+{
+	isc_result_t result;
+	UNUSED(type);
+
+	CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER));
+	if (pctx->token.type == isc_tokentype_number) {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_uint32, ret));
+	} else {
+		CHECK(cfg_parse_obj(pctx, &cfg_type_void, ret));
+	}
+ cleanup:
+	return (result);
+}
+
+static void
+doc_optional_uint32(cfg_printer_t *pctx, const cfg_type_t *type) {
+	UNUSED(type);
+	cfg_print_chars(pctx, "[ <integer> ]", 13);
+}
+
+static cfg_type_t cfg_type_optional_uint32 = {
+	"optional_uint32", parse_optional_uint32, NULL, doc_optional_uint32,
+	NULL, NULL };
+
+static cfg_tuplefielddef_t validityinterval_fields[] = {
+	{ "validity", &cfg_type_uint32, 0 },
+	{ "re-sign", &cfg_type_optional_uint32, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_validityinterval = {
+	"validityinterval", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, validityinterval_fields
+};
+
+/*%
  * Clauses that can be found in a 'zone' statement,
  * with defaults in the 'view' or 'options' statement.
  */
 static cfg_clausedef_t
 zone_clauses[] = {
+	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
 	{ "allow-query", &cfg_type_bracketed_aml, 0 },
+	{ "allow-query-on", &cfg_type_bracketed_aml, 0 },
 	{ "allow-transfer", &cfg_type_bracketed_aml, 0 },
 	{ "allow-update", &cfg_type_bracketed_aml, 0 },
 	{ "allow-update-forwarding", &cfg_type_bracketed_aml, 0 },
-	{ "allow-notify", &cfg_type_bracketed_aml, 0 },
-	{ "masterfile-format", &cfg_type_masterformat, 0 },
-	{ "notify", &cfg_type_notifytype, 0 },
-	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
-	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
 	{ "also-notify", &cfg_type_portiplist, 0 },
-	{ "notify-delay", &cfg_type_uint32, 0 },
+	{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
+	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "check-integrity", &cfg_type_boolean, 0 },
+	{ "check-mx", &cfg_type_checkmode, 0 },
+	{ "check-mx-cname", &cfg_type_checkmode, 0 },
+	{ "check-sibling", &cfg_type_boolean, 0 },
+	{ "check-srv-cname", &cfg_type_checkmode, 0 },
+	{ "check-wildcard", &cfg_type_boolean, 0 },
 	{ "dialup", &cfg_type_dialuptype, 0 },
 	{ "forward", &cfg_type_forwardtype, 0 },
 	{ "forwarders", &cfg_type_portiplist, 0 },
+	{ "key-directory", &cfg_type_qstring, 0 },
 	{ "maintain-ixfr-base", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
+	{ "masterfile-format", &cfg_type_masterformat, 0 },
 	{ "max-ixfr-log-size", &cfg_type_size, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "max-journal-size", &cfg_type_sizenodefault, 0 },
-	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
-	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
+	{ "max-refresh-time", &cfg_type_uint32, 0 },
+	{ "max-retry-time", &cfg_type_uint32, 0 },
 	{ "max-transfer-idle-in", &cfg_type_uint32, 0 },
 	{ "max-transfer-idle-out", &cfg_type_uint32, 0 },
-	{ "max-retry-time", &cfg_type_uint32, 0 },
-	{ "min-retry-time", &cfg_type_uint32, 0 },
-	{ "max-refresh-time", &cfg_type_uint32, 0 },
+	{ "max-transfer-time-in", &cfg_type_uint32, 0 },
+	{ "max-transfer-time-out", &cfg_type_uint32, 0 },
 	{ "min-refresh-time", &cfg_type_uint32, 0 },
+	{ "min-retry-time", &cfg_type_uint32, 0 },
 	{ "multi-master", &cfg_type_boolean, 0 },
-	{ "sig-validity-interval", &cfg_type_uint32, 0 },
+	{ "notify", &cfg_type_notifytype, 0 },
+	{ "notify-delay", &cfg_type_uint32, 0 },
+	{ "notify-source", &cfg_type_sockaddr4wild, 0 },
+	{ "notify-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "notify-to-soa", &cfg_type_boolean, 0 },
+	{ "nsec3-test-zone", &cfg_type_boolean, CFG_CLAUSEFLAG_TESTONLY },
+	{ "sig-signing-nodes", &cfg_type_uint32, 0 },
+	{ "sig-signing-signatures", &cfg_type_uint32, 0 },
+	{ "sig-signing-type", &cfg_type_uint32, 0 },
+	{ "sig-validity-interval", &cfg_type_validityinterval, 0 },
 	{ "transfer-source", &cfg_type_sockaddr4wild, 0 },
 	{ "transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
-	{ "alt-transfer-source", &cfg_type_sockaddr4wild, 0 },
-	{ "alt-transfer-source-v6", &cfg_type_sockaddr6wild, 0 },
+	{ "try-tcp-refresh", &cfg_type_boolean, 0 },
+	{ "update-check-ksk", &cfg_type_boolean, 0 },
 	{ "use-alt-transfer-source", &cfg_type_boolean, 0 },
-	{ "zone-statistics", &cfg_type_boolean, 0 },
-	{ "key-directory", &cfg_type_qstring, 0 },
-	{ "check-wildcard", &cfg_type_boolean, 0 },
-	{ "check-integrity", &cfg_type_boolean, 0 },
-	{ "check-mx", &cfg_type_checkmode, 0 },
-	{ "check-mx-cname", &cfg_type_checkmode, 0 },
-	{ "check-srv-cname", &cfg_type_checkmode, 0 },
-	{ "check-sibling", &cfg_type_boolean, 0 },
 	{ "zero-no-soa-ttl", &cfg_type_boolean, 0 },
-	{ "update-check-ksk", &cfg_type_boolean, 0 },
+	{ "zone-statistics", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };
 
@@ -1429,6 +1490,53 @@ static cfg_type_t cfg_type_controls = {
 };
 
 /*%
+ * A "statistics-channels" statement is represented as a map with the
+ * multivalued "inet" clauses.
+ */
+static void
+doc_optional_bracketed_list(cfg_printer_t *pctx, const cfg_type_t *type) {
+	const keyword_type_t *kw = type->of;
+	cfg_print_chars(pctx, "[ ", 2);
+	cfg_print_cstr(pctx, kw->name);
+	cfg_print_chars(pctx, " ", 1);
+	cfg_doc_obj(pctx, kw->type);
+	cfg_print_chars(pctx, " ]", 2);
+}
+
+static cfg_type_t cfg_type_optional_allow = {
+	"optional_allow", parse_optional_keyvalue, print_keyvalue,
+	doc_optional_bracketed_list, &cfg_rep_list, &controls_allow_kw
+};
+
+static cfg_tuplefielddef_t statserver_fields[] = {
+	{ "address", &cfg_type_controls_sockaddr, 0 }, /* reuse controls def */
+	{ "allow", &cfg_type_optional_allow, 0 },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_type_t cfg_type_statschannel = {
+	"statschannel", cfg_parse_tuple, cfg_print_tuple, cfg_doc_tuple,
+	&cfg_rep_tuple, statserver_fields
+};
+
+static cfg_clausedef_t
+statservers_clauses[] = {
+	{ "inet", &cfg_type_statschannel, CFG_CLAUSEFLAG_MULTI },
+	{ NULL, NULL, 0 }
+};
+
+static cfg_clausedef_t *
+statservers_clausesets[] = {
+	statservers_clauses,
+	NULL
+};
+
+static cfg_type_t cfg_type_statschannels = {
+	"statistics-channels", cfg_parse_map, cfg_print_map, cfg_doc_map,
+	&cfg_rep_map,	&statservers_clausesets
+};
+
+/*%
  * An optional class, as used in view and zone statements.
  */
 static isc_result_t
@@ -1526,6 +1634,7 @@ print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) {
 
 static unsigned int sockaddr4wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V4OK;
 static unsigned int sockaddr6wild_flags = CFG_ADDR_WILDOK | CFG_ADDR_V6OK;
+
 static cfg_type_t cfg_type_querysource4 = {
 	"querysource4", parse_querysource, NULL, cfg_doc_terminal,
 	NULL, &sockaddr4wild_flags
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index 19a51a6..ee19cf5 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.112.18.11 2006/02/28 03:10:49 marka Exp $ */
+/* $Id: parser.c,v 1.129 2008/09/25 04:02:39 tbox Exp $ */
 
 /*! \file */
 
@@ -50,7 +50,7 @@
 
 /* Check a return value. */
 #define CHECK(op) 						\
-     	do { result = (op); 					\
+	do { result = (op); 					\
 		if (result != ISC_R_SUCCESS) goto cleanup; 	\
 	} while (0)
 
@@ -192,7 +192,7 @@ cfg_print(const cfg_obj_t *obj,
 
 
 /* Tuples. */
-  
+
 isc_result_t
 cfg_create_tuple(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	isc_result_t result;
@@ -303,7 +303,7 @@ cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 	unsigned int i;
 	const cfg_tuplefielddef_t *fields;
 	const cfg_tuplefielddef_t *f;
-	
+
 	REQUIRE(tupleobj != NULL && tupleobj->type->rep == &cfg_rep_tuple);
 
 	fields = tupleobj->type->of;
@@ -317,7 +317,7 @@ cfg_tuple_get(const cfg_obj_t *tupleobj, const char* name) {
 
 isc_result_t
 cfg_parse_special(cfg_parser_t *pctx, int special) {
-        isc_result_t result;
+	isc_result_t result;
 	CHECK(cfg_gettoken(pctx, 0));
 	if (pctx->token.type == isc_tokentype_special &&
 	    pctx->token.value.as_char == special)
@@ -338,7 +338,7 @@ cfg_parse_special(cfg_parser_t *pctx, int special) {
  */
 static isc_result_t
 parse_semicolon(cfg_parser_t *pctx) {
-        isc_result_t result;
+	isc_result_t result;
 	CHECK(cfg_gettoken(pctx, 0));
 	if (pctx->token.type == isc_tokentype_special &&
 	    pctx->token.value.as_char == ';')
@@ -355,7 +355,7 @@ parse_semicolon(cfg_parser_t *pctx) {
  */
 static isc_result_t
 parse_eof(cfg_parser_t *pctx) {
-        isc_result_t result;
+	isc_result_t result;
 	CHECK(cfg_gettoken(pctx, 0));
 
 	if (pctx->token.type == isc_tokentype_eof)
@@ -519,7 +519,7 @@ cfg_parse_buffer(cfg_parser_t *pctx, isc_buffer_t *buffer,
 {
 	isc_result_t result;
 	REQUIRE(buffer != NULL);
-	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));	
+	CHECK(isc_lex_openbuffer(pctx->lexer, buffer));
 	CHECK(parse2(pctx, type, ret));
  cleanup:
 	return (result);
@@ -577,7 +577,7 @@ cfg_type_t cfg_type_void = {
  */
 isc_result_t
 cfg_parse_uint32(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-        isc_result_t result;
+	isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	UNUSED(type);
 
@@ -690,7 +690,7 @@ create_string(cfg_parser_t *pctx, const char *contents, const cfg_type_t *type,
 
 isc_result_t
 cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-        isc_result_t result;
+	isc_result_t result;
 	UNUSED(type);
 
 	CHECK(cfg_gettoken(pctx, CFG_LEXOPT_QSTRING));
@@ -708,7 +708,7 @@ cfg_parse_qstring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 
 static isc_result_t
 parse_ustring(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-        isc_result_t result;
+	isc_result_t result;
 	UNUSED(type);
 
 	CHECK(cfg_gettoken(pctx, 0));
@@ -728,7 +728,7 @@ isc_result_t
 cfg_parse_astring(cfg_parser_t *pctx, const cfg_type_t *type,
 		  cfg_obj_t **ret)
 {
-        isc_result_t result;
+	isc_result_t result;
 	UNUSED(type);
 
 	CHECK(cfg_getstringtoken(pctx));
@@ -761,14 +761,14 @@ check_enum(cfg_parser_t *pctx, cfg_obj_t *obj, const char *const *enums) {
 
 isc_result_t
 cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
-        isc_result_t result;
+	isc_result_t result;
 	cfg_obj_t *obj = NULL;
 	CHECK(parse_ustring(pctx, NULL, &obj));
 	CHECK(check_enum(pctx, obj, type->of));
 	*ret = obj;
 	return (ISC_R_SUCCESS);
  cleanup:
-	CLEANUP_OBJ(obj);	
+	CLEANUP_OBJ(obj);
 	return (result);
 }
 
@@ -851,7 +851,7 @@ cfg_obj_asboolean(const cfg_obj_t *obj) {
 static isc_result_t
 parse_boolean(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret)
 {
-        isc_result_t result;
+	isc_result_t result;
 	isc_boolean_t value;
 	cfg_obj_t *obj = NULL;
 	UNUSED(type);
@@ -1109,6 +1109,29 @@ cfg_list_next(const cfg_listelt_t *elt) {
 	return (ISC_LIST_NEXT(elt, link));
 }
 
+/*
+ * Return the length of a list object.  If obj is NULL or is not
+ * a list, return 0.
+ */
+unsigned int
+cfg_list_length(const cfg_obj_t *obj, isc_boolean_t recurse) {
+	const cfg_listelt_t *elt;
+	unsigned int count = 0;
+
+	if (obj == NULL || !cfg_obj_islist(obj))
+		return (0U);
+	for (elt = cfg_list_first(obj);
+	     elt != NULL;
+	     elt = cfg_list_next(elt)) {
+		if (recurse && cfg_obj_islist(elt->obj)) {
+			count += cfg_list_length(elt->obj, recurse);
+		} else {
+			count++;
+		}
+	}
+	return (count);
+}
+
 const cfg_obj_t *
 cfg_listelt_value(const cfg_listelt_t *elt) {
 	REQUIRE(elt != NULL);
@@ -1304,7 +1327,7 @@ parse_symtab_elt(cfg_parser_t *pctx, const char *name,
 
 	if (callback && pctx->callback != NULL)
 		CHECK(pctx->callback(name, obj, pctx->callbackarg));
-	
+
 	symval.as_pointer = obj;
 	CHECK(isc_symtab_define(symtab, name,
 				1, symval,
@@ -1351,7 +1374,7 @@ parse_any_named_map(cfg_parser_t *pctx, cfg_type_t *nametype, const cfg_type_t *
 }
 
 /*
- * Parse a map identified by a string name.  E.g., "name { foo 1; }".  
+ * Parse a map identified by a string name.  E.g., "name { foo 1; }".
  * Used for the "key" and "channel" statements.
  */
 isc_result_t
@@ -1431,7 +1454,7 @@ void
 cfg_doc_mapbody(cfg_printer_t *pctx, const cfg_type_t *type) {
 	const cfg_clausedef_t * const *clauseset;
 	const cfg_clausedef_t *clause;
-	
+
 	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
 		for (clause = *clauseset;
 		     clause->name != NULL;
@@ -1454,6 +1477,7 @@ static struct flagtext {
 	{ CFG_CLAUSEFLAG_NYI, "not yet implemented" },
 	{ CFG_CLAUSEFLAG_OBSOLETE, "obsolete" },
 	{ CFG_CLAUSEFLAG_NEWDEFAULT, "default changed" },
+	{ CFG_CLAUSEFLAG_TESTONLY, "test only" },
 	{ 0, NULL }
 };
 
@@ -1488,7 +1512,7 @@ void
 cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 	const cfg_clausedef_t * const *clauseset;
 	const cfg_clausedef_t *clause;
-	
+
 	if (type->parse == cfg_parse_named_map) {
 		cfg_doc_obj(pctx, &cfg_type_astring);
 		cfg_print_chars(pctx, " ", 1);
@@ -1499,9 +1523,9 @@ cfg_doc_map(cfg_printer_t *pctx, const cfg_type_t *type) {
 		cfg_doc_obj(pctx, &cfg_type_netprefix);
 		cfg_print_chars(pctx, " ", 1);
 	}
-	
+
 	print_open(pctx);
-	
+
 	for (clauseset = type->of; *clauseset != NULL; clauseset++) {
 		for (clause = *clauseset;
 		     clause->name != NULL;
@@ -1530,13 +1554,13 @@ cfg_map_get(const cfg_obj_t *mapobj, const char* name, const cfg_obj_t **obj) {
 	isc_result_t result;
 	isc_symvalue_t val;
 	const cfg_map_t *map;
-	
+
 	REQUIRE(mapobj != NULL && mapobj->type->rep == &cfg_rep_map);
 	REQUIRE(name != NULL);
 	REQUIRE(obj != NULL && *obj == NULL);
 
 	map = &mapobj->value.map;
-	
+
 	result = isc_symtab_lookup(map->symtab, name, MAP_SYM, &val);
 	if (result != ISC_R_SUCCESS)
 		return (result);
@@ -1555,7 +1579,7 @@ cfg_map_getname(const cfg_obj_t *mapobj) {
 static isc_result_t
 parse_token(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
 	cfg_obj_t *obj = NULL;
-        isc_result_t result;
+	isc_result_t result;
 	isc_region_t r;
 
 	UNUSED(type);
@@ -1646,7 +1670,7 @@ cfg_type_t cfg_type_unsupported = {
  *
  * If CFG_ADDR_WILDOK is set in flags, "*" can be used as a wildcard
  * and at least one of CFG_ADDR_V4OK and CFG_ADDR_V6OK must also be set.  The
- * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is 
+ * "*" is interpreted as the IPv4 wildcard address if CFG_ADDR_V4OK is
  * set (including the case where CFG_ADDR_V4OK and CFG_ADDR_V6OK are both set),
  * and the IPv6 wildcard address otherwise.
  */
@@ -1844,7 +1868,7 @@ cfg_doc_netaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
 		if (n != 0)
 			cfg_print_chars(pctx, " | ", 3);
 		cfg_print_cstr(pctx, "<ipv6_address>");
-		n++;			
+		n++;
 	}
 	if (*flagp & CFG_ADDR_WILDOK) {
 		if (n != 0)
@@ -2031,7 +2055,7 @@ cfg_doc_sockaddr(cfg_printer_t *pctx, const cfg_type_t *type) {
 		if (n != 0)
 			cfg_print_chars(pctx, " | ", 3);
 		cfg_print_cstr(pctx, "<ipv6_address>");
-		n++;			
+		n++;
 	}
 	if (*flagp & CFG_ADDR_WILDOK) {
 		if (n != 0)
diff --git a/lib/isccfg/version.c b/lib/isccfg/version.c
index 0b7287b..25b98c6 100644
--- a/lib/isccfg/version.c
+++ b/lib/isccfg/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1998-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.3.18.2 2005/04/29 00:17:15 marka Exp $ */
+/* $Id: version.c,v 1.7 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/Makefile.in b/lib/lwres/Makefile.in
index a06bd8a..858b325 100644
--- a/lib/lwres/Makefile.in
+++ b/lib/lwres/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.28.18.4 2005/06/09 23:55:10 marka Exp $
+# $Id: Makefile.in,v 1.34 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/api b/lib/lwres/api
index 0be3ae7..39934b4 100644
--- a/lib/lwres/api
+++ b/lib/lwres/api
@@ -1,3 +1,3 @@
-LIBINTERFACE = 30
-LIBREVISION = 6
+LIBINTERFACE = 50
+LIBREVISION = 2
 LIBAGE = 0
diff --git a/lib/lwres/assert_p.h b/lib/lwres/assert_p.h
index c47ecec..f8d6e22 100644
--- a/lib/lwres/assert_p.h
+++ b/lib/lwres/assert_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: assert_p.h,v 1.10.18.2 2005/04/29 00:17:16 marka Exp $ */
+/* $Id: assert_p.h,v 1.14 2007/06/19 23:47:22 tbox Exp $ */
 
 #ifndef LWRES_ASSERT_P_H
 #define LWRES_ASSERT_P_H 1
diff --git a/lib/lwres/context.c b/lib/lwres/context.c
index c731bb7..464a2cf 100644
--- a/lib/lwres/context.c
+++ b/lib/lwres/context.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.c,v 1.45.18.7 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: context.c,v 1.50.332.2 2008/12/30 23:46:49 tbox Exp $ */
 
-/*! \file context.c 
+/*! \file context.c
    lwres_context_create() creates a #lwres_context_t structure for use in
    lightweight resolver operations. It holds a socket and other data
    needed for communicating with a resolver daemon. The new
@@ -156,7 +156,6 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 	lwres_context_t *ctx;
 
 	REQUIRE(contextp != NULL && *contextp == NULL);
-	UNUSED(flags);
 
 	/*
 	 * If we were not given anything special to use, use our own
@@ -184,6 +183,17 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 	ctx->timeout = LWRES_DEFAULT_TIMEOUT;
 	ctx->serial = time(NULL); /* XXXMLG or BEW */
 
+	ctx->use_ipv4 = 1;
+	ctx->use_ipv6 = 1;
+	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
+	    LWRES_CONTEXT_USEIPV6) {
+		ctx->use_ipv4 = 0;
+	}
+	if ((flags & (LWRES_CONTEXT_USEIPV4 | LWRES_CONTEXT_USEIPV6)) ==
+	    LWRES_CONTEXT_USEIPV4) {
+		ctx->use_ipv6 = 0;
+	}
+
 	/*
 	 * Init resolv.conf bits.
 	 */
@@ -194,9 +204,9 @@ lwres_context_create(lwres_context_t **contextp, void *arg,
 }
 
 /*%
-Destroys a #lwres_context_t, closing its socket. 
-contextp is a pointer to a pointer to the context that is 
-to be destroyed. The pointer will be set to NULL 
+Destroys a #lwres_context_t, closing its socket.
+contextp is a pointer to a pointer to the context that is
+to be destroyed. The pointer will be set to NULL
 when the context has been destroyed.
  */
 void
@@ -449,7 +459,7 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	struct timeval timeout;
 
 	/*
-	 * Type of tv_sec is 32 bits long. 
+	 * Type of tv_sec is 32 bits long.
 	 */
 	if (ctx->timeout <= 0x7FFFFFFFU)
 		timeout.tv_sec = (int)ctx->timeout;
@@ -465,7 +475,7 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	FD_ZERO(&readfds);
 	FD_SET(ctx->sock, &readfds);
 	ret2 = select(ctx->sock + 1, &readfds, NULL, NULL, &timeout);
-	
+
 	/*
 	 * What happened with select?
 	 */
@@ -477,6 +487,6 @@ lwres_context_sendrecv(lwres_context_t *ctx,
 	result = lwres_context_recv(ctx, recvbase, recvlen, recvd_len);
 	if (result == LWRES_R_RETRY)
 		goto again;
-	
+
 	return (result);
 }
diff --git a/lib/lwres/context_p.h b/lib/lwres/context_p.h
index d255ef6..dd6f2b6 100644
--- a/lib/lwres/context_p.h
+++ b/lib/lwres/context_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context_p.h,v 1.13.18.2 2005/04/29 00:17:17 marka Exp $ */
+/* $Id: context_p.h,v 1.17.332.2 2008/12/30 23:46:49 tbox Exp $ */
 
 #ifndef LWRES_CONTEXT_P_H
 #define LWRES_CONTEXT_P_H 1
@@ -46,6 +46,8 @@ struct lwres_context {
 	 */
 	int			sock;		/*%< socket to send on */
 	lwres_addr_t		address;	/*%< address to send to */
+	int			use_ipv4;	/*%< use IPv4 transaction */
+	int			use_ipv6;	/*%< use IPv6 transaction */
 
 	/*@{*/
 	/*
diff --git a/lib/lwres/gai_strerror.c b/lib/lwres/gai_strerror.c
index 0dcfe40..70b35b0 100644
--- a/lib/lwres/gai_strerror.c
+++ b/lib/lwres/gai_strerror.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gai_strerror.c,v 1.16.18.4 2006/08/25 05:25:51 marka Exp $ */
+/* $Id: gai_strerror.c,v 1.22 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file gai_strerror.c
  * lwres_gai_strerror() returns an error message corresponding to an
diff --git a/lib/lwres/getaddrinfo.c b/lib/lwres/getaddrinfo.c
index 6056f24..fc53e63 100644
--- a/lib/lwres/getaddrinfo.c
+++ b/lib/lwres/getaddrinfo.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
  * This code is derived from software contributed to ISC by
@@ -18,7 +18,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getaddrinfo.c,v 1.43.18.8 2007/09/13 23:46:26 tbox Exp $ */
+/* $Id: getaddrinfo.c,v 1.52.254.2 2009/03/31 23:47:16 tbox Exp $ */
 
 /*! \file */
 
@@ -31,10 +31,10 @@
  *    string: a dotted decimal IPv4 address or an IPv6 address. servname is
  *    either a decimal port number or a service name as listed in
  *    /etc/services.
- * 
+ *
  *    If the operating system does not provide a struct addrinfo, the
  *    following structure is used:
- * 
+ *
  * \code
  * struct  addrinfo {
  *         int             ai_flags;       // AI_PASSIVE, AI_CANONNAME
@@ -47,29 +47,29 @@
  *         struct addrinfo *ai_next;       // next structure in linked list
  * };
  * \endcode
- * 
- * 
+ *
+ *
  *    hints is an optional pointer to a struct addrinfo. This structure can
  *    be used to provide hints concerning the type of socket that the caller
  *    supports or wishes to use. The caller can supply the following
  *    structure elements in *hints:
- * 
+ *
  * <ul>
  *    <li>ai_family:
  *           The protocol family that should be used. When ai_family is set
  *           to PF_UNSPEC, it means the caller will accept any protocol
  *           family supported by the operating system.</li>
- * 
+ *
  *    <li>ai_socktype:
  *           denotes the type of socket -- SOCK_STREAM, SOCK_DGRAM or
  *           SOCK_RAW -- that is wanted. When ai_socktype is zero the caller
  *           will accept any socket type.</li>
- * 
+ *
  *    <li>ai_protocol:
  *           indicates which transport protocol is wanted: IPPROTO_UDP or
  *           IPPROTO_TCP. If ai_protocol is zero the caller will accept any
  *           protocol.</li>
- * 
+ *
  *    <li>ai_flags:
  *           Flag bits. If the AI_CANONNAME bit is set, a successful call to
  *           lwres_getaddrinfo() will return a null-terminated string
@@ -81,7 +81,7 @@
  *           address portion of the socket address structure will be set to
  *           INADDR_ANY for an IPv4 address or IN6ADDR_ANY_INIT for an IPv6
  *           address.<br /><br />
- * 
+ *
  *           When ai_flags does not set the AI_PASSIVE bit, the returned
  *           socket address structure will be ready for use in a call to
  *           connect(2) for a connection-oriented protocol or connect(2),
@@ -89,18 +89,18 @@
  *           chosen. The IP address portion of the socket address structure
  *           will be set to the loopback address if hostname is a NULL
  *           pointer and AI_PASSIVE is not set in ai_flags.<br /><br />
- * 
+ *
  *           If ai_flags is set to AI_NUMERICHOST it indicates that hostname
  *           should be treated as a numeric string defining an IPv4 or IPv6
  *           address and no name resolution should be attempted.
  * </li></ul>
- * 
+ *
  *    All other elements of the struct addrinfo passed via hints must be
  *    zero.
- * 
+ *
  *    A hints of NULL is treated as if the caller provided a struct addrinfo
  *    initialized to zero with ai_familyset to PF_UNSPEC.
- * 
+ *
  *    After a successful call to lwres_getaddrinfo(), *res is a pointer to a
  *    linked list of one or more addrinfo structures. Each struct addrinfo
  *    in this list cn be processed by following the ai_next pointer, until a
@@ -109,7 +109,7 @@
  *    corresponding arguments for a call to socket(2). For each addrinfo
  *    structure in the list, the ai_addr member points to a filled-in socket
  *    address structure of length ai_addrlen.
- * 
+ *
  *    All of the information returned by lwres_getaddrinfo() is dynamically
  *    allocated: the addrinfo structures, and the socket address structures
  *    and canonical host name strings pointed to by the addrinfostructures.
@@ -117,15 +117,15 @@
  *    successful call to lwres_getaddrinfo() is released by
  *    lwres_freeaddrinfo(). ai is a pointer to a struct addrinfo created by
  *    a call to lwres_getaddrinfo().
- * 
+ *
  * \section lwresreturn RETURN VALUES
- * 
+ *
  *    lwres_getaddrinfo() returns zero on success or one of the error codes
  *    listed in gai_strerror() if an error occurs. If both hostname and
  *    servname are NULL lwres_getaddrinfo() returns #EAI_NONAME.
- * 
+ *
  * \section lwressee SEE ALSO
- * 
+ *
  *    lwres(3), lwres_getaddrinfo(), lwres_freeaddrinfo(),
  *    lwres_gai_strerror(), RFC2133, getservbyname(3), connect(2),
  *    sendto(2), sendmsg(2), socket(2).
@@ -145,7 +145,7 @@
 #define SA(addr)	((struct sockaddr *)(addr))
 #define SIN(addr)	((struct sockaddr_in *)(addr))
 #define SIN6(addr)	((struct sockaddr_in6 *)(addr))
-#define SUN(addr)	((struct sockaddr_un *)(addr))
+#define SLOCAL(addr)	((struct sockaddr_un *)(addr))
 
 /*! \struct addrinfo
  */
@@ -162,7 +162,7 @@ static int add_ipv4(const char *hostname, int flags, struct addrinfo **aip,
 static int add_ipv6(const char *hostname, int flags, struct addrinfo **aip,
     int socktype, int port);
 static void set_order(int, int (**)(const char *, int, struct addrinfo **,
-         int, int));
+	 int, int));
 
 #define FOUND_IPV4	0x1
 #define FOUND_IPV6	0x2
@@ -384,7 +384,7 @@ lwres_getaddrinfo(const char *hostname, const char *servname,
 			scopeid = 0;
 #endif
 
-               if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
+	       if (lwres_net_pton(AF_INET, hostname, (struct in_addr *)abuf)
 		   == 1)
 	       {
 			if (family == AF_INET6) {
@@ -709,17 +709,17 @@ lwres_freeaddrinfo(struct addrinfo *ai) {
 static int
 get_local(const char *name, int socktype, struct addrinfo **res) {
 	struct addrinfo *ai;
-	struct sockaddr_un *sun;
+	struct sockaddr_un *slocal;
 
 	if (socktype == 0)
 		return (EAI_SOCKTYPE);
 
-	ai = ai_alloc(AF_LOCAL, sizeof(*sun));
+	ai = ai_alloc(AF_LOCAL, sizeof(*slocal));
 	if (ai == NULL)
 		return (EAI_MEMORY);
 
-	sun = SUN(ai->ai_addr);
-	strncpy(sun->sun_path, name, sizeof(sun->sun_path));
+	slocal = SLOCAL(ai->ai_addr);
+	strncpy(slocal->sun_path, name, sizeof(slocal->sun_path));
 
 	ai->ai_socktype = socktype;
 	/*
diff --git a/lib/lwres/gethost.c b/lib/lwres/gethost.c
index 3cd6e4a..1a1efd4 100644
--- a/lib/lwres/gethost.c
+++ b/lib/lwres/gethost.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: gethost.c,v 1.30.18.2 2005/04/29 00:17:17 marka Exp $ */
+/* $Id: gethost.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/getipnode.c b/lib/lwres/getipnode.c
index ab49814..a6c50c2 100644
--- a/lib/lwres/getipnode.c
+++ b/lib/lwres/getipnode.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getipnode.c,v 1.37.18.7 2007/08/28 07:20:06 tbox Exp $ */
+/* $Id: getipnode.c,v 1.42 2007/06/18 23:47:51 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/getnameinfo.c b/lib/lwres/getnameinfo.c
index d1874a0..74a5b85 100644
--- a/lib/lwres/getnameinfo.c
+++ b/lib/lwres/getnameinfo.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getnameinfo.c,v 1.34.18.3 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: getnameinfo.c,v 1.39 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/getrrset.c b/lib/lwres/getrrset.c
index 6b7e5e5..d8b6cc3 100644
--- a/lib/lwres/getrrset.c
+++ b/lib/lwres/getrrset.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: getrrset.c,v 1.14.18.2 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: getrrset.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/herror.c b/lib/lwres/herror.c
index 42b6c71..cf5b892 100644
--- a/lib/lwres/herror.c
+++ b/lib/lwres/herror.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 2000, 2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -72,7 +72,7 @@
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char sccsid[] = "@(#)herror.c	8.1 (Berkeley) 6/4/93";
 static const char rcsid[] =
-	"$Id: herror.c,v 1.13.18.2 2005/04/29 00:17:18 marka Exp $";
+	"$Id: herror.c,v 1.17 2007/06/19 23:47:22 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/lwres/include/Makefile.in b/lib/lwres/include/Makefile.in
index 7501060..4750a5e 100644
--- a/lib/lwres/include/Makefile.in
+++ b/lib/lwres/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.6 2004/03/05 05:12:49 marka Exp $
+# $Id: Makefile.in,v 1.8 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/include/lwres/Makefile.in b/lib/lwres/include/lwres/Makefile.in
index 98b8f48..fc3126f 100644
--- a/lib/lwres/include/lwres/Makefile.in
+++ b/lib/lwres/include/lwres/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2000, 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.21 2004/03/05 05:12:52 marka Exp $
+# $Id: Makefile.in,v 1.23 2007/06/19 23:47:22 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/include/lwres/context.h b/lib/lwres/include/lwres/context.h
index bd24446..5ae0b37 100644
--- a/lib/lwres/include/lwres/context.h
+++ b/lib/lwres/include/lwres/context.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: context.h,v 1.15.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: context.h,v 1.21.332.2 2008/12/30 23:46:49 tbox Exp $ */
 
 #ifndef LWRES_CONTEXT_H
 #define LWRES_CONTEXT_H 1
 
-/*! \file */
+/*! \file lwres/context.h */
 
 #include <stddef.h>
 
@@ -57,8 +57,15 @@ typedef void (*lwres_free_t)(void *arg, void *mem, size_t length);
  * _SERVERMODE
  *	Don't allocate and connect a socket to the server, since the
  *	caller _is_ a server.
+ *
+ * _USEIPV4, _USEIPV6
+ *	Use IPv4 and IPv6 transactions with remote servers, respectively.
+ *	For backward compatibility, regard both flags as being set when both
+ *	are cleared.
  */
 #define LWRES_CONTEXT_SERVERMODE	0x00000001U
+#define LWRES_CONTEXT_USEIPV4		0x00000002U
+#define LWRES_CONTEXT_USEIPV6		0x00000004U
 
 lwres_result_t
 lwres_context_create(lwres_context_t **contextp, void *arg,
diff --git a/lib/lwres/include/lwres/int.h b/lib/lwres/include/lwres/int.h
index 337316e..3fb0c4f 100644
--- a/lib/lwres/include/lwres/int.h
+++ b/lib/lwres/include/lwres/int.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: int.h,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: int.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_INT_H
 #define LWRES_INT_H 1
 
-/*! \file */
+/*! \file lwres/int.h */
 
 typedef char				lwres_int8_t;
 typedef unsigned char			lwres_uint8_t;
diff --git a/lib/lwres/include/lwres/ipv6.h b/lib/lwres/include/lwres/ipv6.h
index 06dab59..5d54b29 100644
--- a/lib/lwres/include/lwres/ipv6.h
+++ b/lib/lwres/include/lwres/ipv6.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: ipv6.h,v 1.10.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: ipv6.h,v 1.16 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_IPV6_H
 #define LWRES_IPV6_H 1
@@ -24,7 +24,7 @@
  ***** Module Info
  *****/
 
-/*! \file ipv6.h
+/*! \file lwres/ipv6.h
  * IPv6 definitions for systems which do not support IPv6.
  */
 
diff --git a/lib/lwres/include/lwres/lang.h b/lib/lwres/include/lwres/lang.h
index a38f19d..b680e4b 100644
--- a/lib/lwres/include/lwres/lang.h
+++ b/lib/lwres/include/lwres/lang.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lang.h,v 1.7.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: lang.h,v 1.13 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_LANG_H
 #define LWRES_LANG_H 1
 
-/*! \file */
+/*! \file lwres/lang.h */
 
 #ifdef __cplusplus
 #define LWRES_LANG_BEGINDECLS	extern "C" {
diff --git a/lib/lwres/include/lwres/list.h b/lib/lwres/include/lwres/list.h
index c22c596..c6ab096 100644
--- a/lib/lwres/include/lwres/list.h
+++ b/lib/lwres/include/lwres/list.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1997-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: list.h,v 1.8.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: list.h,v 1.14 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_LIST_H
 #define LWRES_LIST_H 1
 
-/*! \file */
+/*! \file lwres/list.h */
 
 #define LWRES_LIST(type) struct { type *head, *tail; }
 #define LWRES_LIST_INIT(list) \
diff --git a/lib/lwres/include/lwres/lwbuffer.h b/lib/lwres/include/lwres/lwbuffer.h
index 51b1aad..e3cf343 100644
--- a/lib/lwres/include/lwres/lwbuffer.h
+++ b/lib/lwres/include/lwres/lwbuffer.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,10 +15,10 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.h,v 1.16.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwbuffer.h,v 1.22 2007/06/19 23:47:23 tbox Exp $ */
 
 
-/*! \file lwbuffer.h
+/*! \file lwres/lwbuffer.h
  *
  * A buffer is a region of memory, together with a set of related subregions.
  * Buffers are used for parsing and I/O operations.
diff --git a/lib/lwres/include/lwres/lwpacket.h b/lib/lwres/include/lwres/lwpacket.h
index c37353d..96f8e54 100644
--- a/lib/lwres/include/lwres/lwpacket.h
+++ b/lib/lwres/include/lwres/lwpacket.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.h,v 1.18.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwpacket.h,v 1.24 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_LWPACKET_H
 #define LWRES_LWPACKET_H 1
@@ -118,7 +118,7 @@ struct lwres_lwpacket {
 
 #define LWRES_LWPACKETVERSION_0		0	/*%< Header format. */
 
-/*! \file lwpacket.h
+/*! \file lwres/lwpacket.h
  *
  *
  * The remainder of the packet consists of two regions, one described by
diff --git a/lib/lwres/include/lwres/lwres.h b/lib/lwres/include/lwres/lwres.h
index b245363..6912448 100644
--- a/lib/lwres/include/lwres/lwres.h
+++ b/lib/lwres/include/lwres/lwres.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres.h,v 1.51.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: lwres.h,v 1.57 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_LWRES_H
 #define LWRES_LWRES_H 1
@@ -28,7 +28,7 @@
 #include <lwres/lwpacket.h>
 #include <lwres/platform.h>
 
-/*! \file */
+/*! \file lwres/lwres.h */
 
 /*!
  * Design notes:
diff --git a/lib/lwres/include/lwres/netdb.h.in b/lib/lwres/include/lwres/netdb.h.in
index eaef63b..37ab039 100644
--- a/lib/lwres/include/lwres/netdb.h.in
+++ b/lib/lwres/include/lwres/netdb.h.in
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007, 2009  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: netdb.h.in,v 1.35.18.2 2005/04/29 00:17:22 marka Exp $ */
+/* $Id: netdb.h.in,v 1.39.332.2 2009/01/18 23:47:41 tbox Exp $ */
 
 /*! \file */
 
@@ -66,7 +66,7 @@ struct addrinfo {
 #define	NETDB_INTERNAL	-1	/* see errno */
 #define	NETDB_SUCCESS	0	/* no problem */
 #define	HOST_NOT_FOUND	1 /* Authoritative Answer Host not found */
-#define	TRY_AGAIN	2 /* Non-Authoritive Host not found, or SERVERFAIL */
+#define	TRY_AGAIN	2 /* Non-Authoritative Host not found, or SERVERFAIL */
 #define	NO_RECOVERY	3 /* Non recoverable errors, FORMERR, REFUSED, NOTIMP */
 #define	NO_DATA		4 /* Valid name, no data record of requested type */
 #define	NO_ADDRESS	NO_DATA		/* no address, look for MX record */
diff --git a/lib/lwres/include/lwres/platform.h.in b/lib/lwres/include/lwres/platform.h.in
index f69e09f..bb4f6ee 100644
--- a/lib/lwres/include/lwres/platform.h.in
+++ b/lib/lwres/include/lwres/platform.h.in
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: platform.h.in,v 1.14.18.5 2005/06/08 02:07:59 marka Exp $ */
+/* $Id: platform.h.in,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/include/lwres/result.h b/lib/lwres/include/lwres/result.h
index 6253fb2..cfcf166 100644
--- a/lib/lwres/include/lwres/result.h
+++ b/lib/lwres/include/lwres/result.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: result.h,v 1.15.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: result.h,v 1.21 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_RESULT_H
 #define LWRES_RESULT_H 1
 
-/*! \file */
+/*! \file lwres/result.h */
 
 typedef unsigned int lwres_result_t;
 
diff --git a/lib/lwres/include/lwres/stdlib.h b/lib/lwres/include/lwres/stdlib.h
index 6855fcf..25a109e 100644
--- a/lib/lwres/include/lwres/stdlib.h
+++ b/lib/lwres/include/lwres/stdlib.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,12 +15,12 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: stdlib.h,v 1.2.2.1 2005/06/08 02:08:01 marka Exp $ */
+/* $Id: stdlib.h,v 1.6 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_STDLIB_H
 #define LWRES_STDLIB_H 1
 
-/*! \file */
+/*! \file lwres/stdlib.h */
 
 #include <stdlib.h>
 
diff --git a/lib/lwres/include/lwres/version.h b/lib/lwres/include/lwres/version.h
index 252b903..9efc86d 100644
--- a/lib/lwres/include/lwres/version.h
+++ b/lib/lwres/include/lwres/version.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,9 +15,9 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.h,v 1.3.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: version.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
 
-/*! \file */
+/*! \file lwres/version.h */
 
 #include <lwres/platform.h>
 
diff --git a/lib/lwres/lwbuffer.c b/lib/lwres/lwbuffer.c
index 5191592..49aaeb7 100644
--- a/lib/lwres/lwbuffer.c
+++ b/lib/lwres/lwbuffer.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwbuffer.c,v 1.11.18.2 2005/04/29 00:17:18 marka Exp $ */
+/* $Id: lwbuffer.c,v 1.15 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/lwconfig.c b/lib/lwres/lwconfig.c
index cf4f6a7..7ededdf 100644
--- a/lib/lwres/lwconfig.c
+++ b/lib/lwres/lwconfig.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004-2006  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwconfig.c,v 1.38.18.5 2006/10/03 23:50:51 marka Exp $ */
+/* $Id: lwconfig.c,v 1.46.332.2 2008/12/30 23:46:49 tbox Exp $ */
 
 /*! \file */
 
@@ -24,32 +24,32 @@
  *
  *    lwres_conf_init() creates an empty lwres_conf_t structure for
  *    lightweight resolver context ctx.
- * 
+ *
  *    lwres_conf_clear() frees up all the internal memory used by that
  *    lwres_conf_t structure in resolver context ctx.
- * 
+ *
  *    lwres_conf_parse() opens the file filename and parses it to initialise
  *    the resolver context ctx's lwres_conf_t structure.
- * 
+ *
  *    lwres_conf_print() prints the lwres_conf_t structure for resolver
  *    context ctx to the FILE fp.
- * 
+ *
  * \section lwconfig_return Return Values
- * 
+ *
  *    lwres_conf_parse() returns #LWRES_R_SUCCESS if it successfully read and
  *    parsed filename. It returns #LWRES_R_FAILURE if filename could not be
  *    opened or contained incorrect resolver statements.
- * 
+ *
  *    lwres_conf_print() returns #LWRES_R_SUCCESS unless an error occurred
  *    when converting the network addresses to a numeric host address
  *    string. If this happens, the function returns #LWRES_R_FAILURE.
- * 
+ *
  * \section lwconfig_see See Also
- * 
+ *
  *    stdio(3), \link resolver resolver \endlink
- * 
+ *
  * \section files Files
- * 
+ *
  *    /etc/resolv.conf
  */
 
@@ -313,8 +313,11 @@ lwres_conf_parsenameserver(lwres_context_t *ctx,  FILE *fp) {
 		return (LWRES_R_FAILURE); /* Extra junk on line. */
 
 	res = lwres_create_addr(word, &address, 1);
-	if (res == LWRES_R_SUCCESS)
+	if (res == LWRES_R_SUCCESS &&
+	    ((address.family == LWRES_ADDRTYPE_V4 && ctx->use_ipv4 == 1) ||
+	     (address.family == LWRES_ADDRTYPE_V6 && ctx->use_ipv6 == 1))) {
 		confdata->nameservers[confdata->nsnext++] = address;
+	}
 
 	return (LWRES_R_SUCCESS);
 }
diff --git a/lib/lwres/lwinetaton.c b/lib/lwres/lwinetaton.c
index cc4b9bd..e40c28f 100644
--- a/lib/lwres/lwinetaton.c
+++ b/lib/lwres/lwinetaton.c
@@ -1,8 +1,8 @@
 /*
- * Portions Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Portions Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Portions Copyright (C) 1996-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -72,7 +72,7 @@
  */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
-static char rcsid[] = "$Id: lwinetaton.c,v 1.12.18.2 2005/04/29 00:17:19 marka Exp $";
+static char rcsid[] = "$Id: lwinetaton.c,v 1.16 2007/06/19 23:47:22 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/lwres/lwinetntop.c b/lib/lwres/lwinetntop.c
index e65656f..cf3bdfe 100644
--- a/lib/lwres/lwinetntop.c
+++ b/lib/lwres/lwinetntop.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
  */
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] =
-	"$Id: lwinetntop.c,v 1.12.18.4 2005/11/03 23:02:24 marka Exp $";
+	"$Id: lwinetntop.c,v 1.18 2007/06/19 23:47:22 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/lwres/lwinetpton.c b/lib/lwres/lwinetpton.c
index 5155fd1..5bbef08 100644
--- a/lib/lwres/lwinetpton.c
+++ b/lib/lwres/lwinetpton.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1996-2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -19,7 +19,7 @@
  */
 
 #if defined(LIBC_SCCS) && !defined(lint)
-static char rcsid[] = "$Id: lwinetpton.c,v 1.7.18.3 2005/04/27 05:02:48 sra Exp $";
+static char rcsid[] = "$Id: lwinetpton.c,v 1.12 2007/06/19 23:47:22 tbox Exp $";
 #endif /* LIBC_SCCS and not lint */
 
 #include <config.h>
diff --git a/lib/lwres/lwpacket.c b/lib/lwres/lwpacket.c
index 964b465..cfa2723 100644
--- a/lib/lwres/lwpacket.c
+++ b/lib/lwres/lwpacket.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwpacket.c,v 1.14.18.2 2005/04/29 00:17:19 marka Exp $ */
+/* $Id: lwpacket.c,v 1.18 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/lwres_gabn.c b/lib/lwres/lwres_gabn.c
index c6f1139..3363e66 100644
--- a/lib/lwres/lwres_gabn.c
+++ b/lib/lwres/lwres_gabn.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gabn.c,v 1.29.18.2 2005/04/29 00:17:19 marka Exp $ */
+/* $Id: lwres_gabn.c,v 1.33 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file lwres_gabn.c
    These are low-level routines for creating and parsing lightweight
diff --git a/lib/lwres/lwres_gnba.c b/lib/lwres/lwres_gnba.c
index 7627385..d18ae15 100644
--- a/lib/lwres/lwres_gnba.c
+++ b/lib/lwres/lwres_gnba.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_gnba.c,v 1.23.18.4 2007/09/26 23:46:34 tbox Exp $ */
+/* $Id: lwres_gnba.c,v 1.28 2007/09/24 17:18:25 each Exp $ */
 
 /*! \file lwres_gnba.c
    These are low-level routines for creating and parsing lightweight
diff --git a/lib/lwres/lwres_grbn.c b/lib/lwres/lwres_grbn.c
index 976708e..72718ba 100644
--- a/lib/lwres/lwres_grbn.c
+++ b/lib/lwres/lwres_grbn.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_grbn.c,v 1.6.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwres_grbn.c,v 1.10 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file lwres_grbn.c
 
diff --git a/lib/lwres/lwres_noop.c b/lib/lwres/lwres_noop.c
index e76bc4d..369fe4e 100644
--- a/lib/lwres/lwres_noop.c
+++ b/lib/lwres/lwres_noop.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwres_noop.c,v 1.15.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwres_noop.c,v 1.19 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/lwresutil.c b/lib/lwres/lwresutil.c
index 6d6764f..3bf5660 100644
--- a/lib/lwres/lwresutil.c
+++ b/lib/lwres/lwresutil.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwresutil.c,v 1.30.18.2 2005/04/29 00:17:20 marka Exp $ */
+/* $Id: lwresutil.c,v 1.34 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/lib/lwres/man/Makefile.in b/lib/lwres/man/Makefile.in
index e28123c..cb723c2 100644
--- a/lib/lwres/man/Makefile.in
+++ b/lib/lwres/man/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.7 2004/03/05 05:12:55 marka Exp $
+# $Id: Makefile.in,v 1.9 2007/06/19 23:47:23 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/man/lwres.3 b/lib/lwres/man/lwres.3
index 968e8f8..e1f8793 100644
--- a/lib/lwres/man/lwres.3
+++ b/lib/lwres/man/lwres.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres.3,v 1.17.18.11 2007/01/30 00:23:44 marka Exp $
+.\" $Id: lwres.3,v 1.28 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres.docbook b/lib/lwres/man/lwres.docbook
index cf1c154..97d591c 100644
--- a/lib/lwres/man/lwres.docbook
+++ b/lib/lwres/man/lwres.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres.html b/lib/lwres/man/lwres.html
index e4bbc09..70d7856 100644
--- a/lib/lwres/man/lwres.html
+++ b/lib/lwres/man/lwres.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres.html,v 1.5.18.18 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_buffer.3 b/lib/lwres/man/lwres_buffer.3
index 4bebafa..cc0959d 100644
--- a/lib/lwres/man/lwres_buffer.3
+++ b/lib/lwres/man/lwres_buffer.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_buffer.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_buffer.3,v 1.26 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_buffer.docbook b/lib/lwres/man/lwres_buffer.docbook
index f0b7a9f..97c52bd 100644
--- a/lib/lwres/man/lwres_buffer.docbook
+++ b/lib/lwres/man/lwres_buffer.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_buffer.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_buffer.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Jun 30, 2000</date>
diff --git a/lib/lwres/man/lwres_buffer.html b/lib/lwres/man/lwres_buffer.html
index ed3e427..deb5262 100644
--- a/lib/lwres/man/lwres_buffer.html
+++ b/lib/lwres/man/lwres_buffer.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_buffer.html,v 1.5.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_buffer.html,v 1.21 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_config.3 b/lib/lwres/man/lwres_config.3
index 5a4123d..6184cb2 100644
--- a/lib/lwres/man/lwres_config.3
+++ b/lib/lwres/man/lwres_config.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_config.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_config.3,v 1.26 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_config.docbook b/lib/lwres/man/lwres_config.docbook
index eba0c44..5736ef3 100644
--- a/lib/lwres/man/lwres_config.docbook
+++ b/lib/lwres/man/lwres_config.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_config.docbook,v 1.3.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_config.docbook,v 1.9 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
   <refentryinfo>
 
diff --git a/lib/lwres/man/lwres_config.html b/lib/lwres/man/lwres_config.html
index efa33d8..e27892b 100644
--- a/lib/lwres/man/lwres_config.html
+++ b/lib/lwres/man/lwres_config.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_config.html,v 1.5.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_config.html,v 1.22 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_context.3 b/lib/lwres/man/lwres_context.3
index 8883a01..b1022d8 100644
--- a/lib/lwres/man/lwres_context.3
+++ b/lib/lwres/man/lwres_context.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_context.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_context.3,v 1.28 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_context.docbook b/lib/lwres/man/lwres_context.docbook
index b965374..ad0392e 100644
--- a/lib/lwres/man/lwres_context.docbook
+++ b/lib/lwres/man/lwres_context.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_context.docbook,v 1.5.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_context.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_context.html b/lib/lwres/man/lwres_context.html
index f2aa7e1..18c3d38 100644
--- a/lib/lwres/man/lwres_context.html
+++ b/lib/lwres/man/lwres_context.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_context.html,v 1.7.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_context.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gabn.3 b/lib/lwres/man/lwres_gabn.3
index 69d311f..0c14384 100644
--- a/lib/lwres/man/lwres_gabn.3
+++ b/lib/lwres/man/lwres_gabn.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gabn.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gabn.3,v 1.27 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_gabn.docbook b/lib/lwres/man/lwres_gabn.docbook
index c719420..d0b5c19 100644
--- a/lib/lwres/man/lwres_gabn.docbook
+++ b/lib/lwres/man/lwres_gabn.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gabn.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_gabn.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_gabn.html b/lib/lwres/man/lwres_gabn.html
index e27954b..a51d252 100644
--- a/lib/lwres/man/lwres_gabn.html
+++ b/lib/lwres/man/lwres_gabn.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gabn.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gabn.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gai_strerror.3 b/lib/lwres/man/lwres_gai_strerror.3
index 4fd03e2..e412b8f 100644
--- a/lib/lwres/man/lwres_gai_strerror.3
+++ b/lib/lwres/man/lwres_gai_strerror.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gai_strerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gai_strerror.3,v 1.27 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_gai_strerror.docbook b/lib/lwres/man/lwres_gai_strerror.docbook
index 0b0338b..c33fee5 100644
--- a/lib/lwres/man/lwres_gai_strerror.docbook
+++ b/lib/lwres/man/lwres_gai_strerror.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gai_strerror.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_gai_strerror.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_gai_strerror.html b/lib/lwres/man/lwres_gai_strerror.html
index 9673253..c64beb1 100644
--- a/lib/lwres/man/lwres_gai_strerror.html
+++ b/lib/lwres/man/lwres_gai_strerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gai_strerror.html,v 1.6.18.18 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gai_strerror.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getaddrinfo.3 b/lib/lwres/man/lwres_getaddrinfo.3
index 9d198d6..7a1b5d7 100644
--- a/lib/lwres/man/lwres_getaddrinfo.3
+++ b/lib/lwres/man/lwres_getaddrinfo.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getaddrinfo.3,v 1.20.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getaddrinfo.3,v 1.31 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_getaddrinfo.docbook b/lib/lwres/man/lwres_getaddrinfo.docbook
index 52d9387..a328764 100644
--- a/lib/lwres/man/lwres_getaddrinfo.docbook
+++ b/lib/lwres/man/lwres_getaddrinfo.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getaddrinfo.docbook,v 1.7.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_getaddrinfo.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_getaddrinfo.html b/lib/lwres/man/lwres_getaddrinfo.html
index d2dcdd9..d4dd956 100644
--- a/lib/lwres/man/lwres_getaddrinfo.html
+++ b/lib/lwres/man/lwres_getaddrinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getaddrinfo.html,v 1.10.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getaddrinfo.html,v 1.27 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gethostent.3 b/lib/lwres/man/lwres_gethostent.3
index e6fbcd7..847d882 100644
--- a/lib/lwres/man/lwres_gethostent.3
+++ b/lib/lwres/man/lwres_gethostent.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gethostent.3,v 1.19.18.10 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gethostent.3,v 1.29 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_gethostent.docbook b/lib/lwres/man/lwres_gethostent.docbook
index 4ed7393..a3f084b 100644
--- a/lib/lwres/man/lwres_gethostent.docbook
+++ b/lib/lwres/man/lwres_gethostent.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gethostent.docbook,v 1.6.18.5 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_gethostent.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_gethostent.html b/lib/lwres/man/lwres_gethostent.html
index 0b7ba442..efeeaa2 100644
--- a/lib/lwres/man/lwres_gethostent.html
+++ b/lib/lwres/man/lwres_gethostent.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gethostent.html,v 1.9.18.15 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gethostent.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getipnode.3 b/lib/lwres/man/lwres_getipnode.3
index 9c9f374..e5c51a9 100644
--- a/lib/lwres/man/lwres_getipnode.3
+++ b/lib/lwres/man/lwres_getipnode.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getipnode.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getipnode.3,v 1.28 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_getipnode.docbook b/lib/lwres/man/lwres_getipnode.docbook
index a748920..825f462 100644
--- a/lib/lwres/man/lwres_getipnode.docbook
+++ b/lib/lwres/man/lwres_getipnode.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getipnode.docbook,v 1.6.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_getipnode.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_getipnode.html b/lib/lwres/man/lwres_getipnode.html
index a585f1d..23fe50f 100644
--- a/lib/lwres/man/lwres_getipnode.html
+++ b/lib/lwres/man/lwres_getipnode.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getipnode.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getipnode.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getnameinfo.3 b/lib/lwres/man/lwres_getnameinfo.3
index 449f591..c477f79 100644
--- a/lib/lwres/man/lwres_getnameinfo.3
+++ b/lib/lwres/man/lwres_getnameinfo.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getnameinfo.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getnameinfo.3,v 1.29 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_getnameinfo.docbook b/lib/lwres/man/lwres_getnameinfo.docbook
index d0b0df5..504dfb7 100644
--- a/lib/lwres/man/lwres_getnameinfo.docbook
+++ b/lib/lwres/man/lwres_getnameinfo.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getnameinfo.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_getnameinfo.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_getnameinfo.html b/lib/lwres/man/lwres_getnameinfo.html
index 312cfe5..53a70d9 100644
--- a/lib/lwres/man/lwres_getnameinfo.html
+++ b/lib/lwres/man/lwres_getnameinfo.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getnameinfo.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getnameinfo.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_getrrsetbyname.3 b/lib/lwres/man/lwres_getrrsetbyname.3
index 548b8e7..8419fff 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.3
+++ b/lib/lwres/man/lwres_getrrsetbyname.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_getrrsetbyname.3,v 1.14.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_getrrsetbyname.3,v 1.25 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_getrrsetbyname.docbook b/lib/lwres/man/lwres_getrrsetbyname.docbook
index 746d8bf..5f2a68d 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.docbook
+++ b/lib/lwres/man/lwres_getrrsetbyname.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_getrrsetbyname.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_getrrsetbyname.html b/lib/lwres/man/lwres_getrrsetbyname.html
index 0925367..8dc36a1 100644
--- a/lib/lwres/man/lwres_getrrsetbyname.html
+++ b/lib/lwres/man/lwres_getrrsetbyname.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_getrrsetbyname.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_getrrsetbyname.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_gnba.3 b/lib/lwres/man/lwres_gnba.3
index 1c6574f..39a1b9d 100644
--- a/lib/lwres/man/lwres_gnba.3
+++ b/lib/lwres/man/lwres_gnba.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_gnba.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_gnba.3,v 1.27 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_gnba.docbook b/lib/lwres/man/lwres_gnba.docbook
index a22ce89..452cdfc 100644
--- a/lib/lwres/man/lwres_gnba.docbook
+++ b/lib/lwres/man/lwres_gnba.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_gnba.docbook,v 1.5.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_gnba.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_gnba.html b/lib/lwres/man/lwres_gnba.html
index aac60c6..88b18a8 100644
--- a/lib/lwres/man/lwres_gnba.html
+++ b/lib/lwres/man/lwres_gnba.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_gnba.html,v 1.7.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_gnba.html,v 1.24 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_hstrerror.3 b/lib/lwres/man/lwres_hstrerror.3
index 6fa744e..5998238 100644
--- a/lib/lwres/man/lwres_hstrerror.3
+++ b/lib/lwres/man/lwres_hstrerror.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_hstrerror.3,v 1.16.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_hstrerror.3,v 1.27 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_hstrerror.docbook b/lib/lwres/man/lwres_hstrerror.docbook
index aae00a9..ca4589e 100644
--- a/lib/lwres/man/lwres_hstrerror.docbook
+++ b/lib/lwres/man/lwres_hstrerror.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_hstrerror.docbook,v 1.5.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_hstrerror.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_hstrerror.html b/lib/lwres/man/lwres_hstrerror.html
index b52ff06..ef67d48 100644
--- a/lib/lwres/man/lwres_hstrerror.html
+++ b/lib/lwres/man/lwres_hstrerror.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_hstrerror.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_hstrerror.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_inetntop.3 b/lib/lwres/man/lwres_inetntop.3
index 4cb09f8..c7d3d12 100644
--- a/lib/lwres/man/lwres_inetntop.3
+++ b/lib/lwres/man/lwres_inetntop.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_inetntop.3,v 1.15.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_inetntop.3,v 1.26 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_inetntop.docbook b/lib/lwres/man/lwres_inetntop.docbook
index db2c652..26f1779 100644
--- a/lib/lwres/man/lwres_inetntop.docbook
+++ b/lib/lwres/man/lwres_inetntop.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_inetntop.docbook,v 1.4.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_inetntop.docbook,v 1.10 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_inetntop.html b/lib/lwres/man/lwres_inetntop.html
index 532d500..1a91110 100644
--- a/lib/lwres/man/lwres_inetntop.html
+++ b/lib/lwres/man/lwres_inetntop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_inetntop.html,v 1.6.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_inetntop.html,v 1.23 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_noop.3 b/lib/lwres/man/lwres_noop.3
index 7884109..0e4ed71 100644
--- a/lib/lwres/man/lwres_noop.3
+++ b/lib/lwres/man/lwres_noop.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_noop.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_noop.3,v 1.28 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_noop.docbook b/lib/lwres/man/lwres_noop.docbook
index a2b0699..eb823b7 100644
--- a/lib/lwres/man/lwres_noop.docbook
+++ b/lib/lwres/man/lwres_noop.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_noop.docbook,v 1.5.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_noop.docbook,v 1.11 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_noop.html b/lib/lwres/man/lwres_noop.html
index 4705ecb..aab581a 100644
--- a/lib/lwres/man/lwres_noop.html
+++ b/lib/lwres/man/lwres_noop.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_noop.html,v 1.8.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_noop.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_packet.3 b/lib/lwres/man/lwres_packet.3
index 14109085..1e1f98f 100644
--- a/lib/lwres/man/lwres_packet.3
+++ b/lib/lwres/man/lwres_packet.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_packet.3,v 1.18.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_packet.3,v 1.29 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_packet.docbook b/lib/lwres/man/lwres_packet.docbook
index d588f21..87841db 100644
--- a/lib/lwres/man/lwres_packet.docbook
+++ b/lib/lwres/man/lwres_packet.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_packet.docbook,v 1.7.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_packet.docbook,v 1.13 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_packet.html b/lib/lwres/man/lwres_packet.html
index eeb7ebd..b4cc1df 100644
--- a/lib/lwres/man/lwres_packet.html
+++ b/lib/lwres/man/lwres_packet.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_packet.html,v 1.9.18.17 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_packet.html,v 1.26 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/man/lwres_resutil.3 b/lib/lwres/man/lwres_resutil.3
index 9aebc9f..d26f77c 100644
--- a/lib/lwres/man/lwres_resutil.3
+++ b/lib/lwres/man/lwres_resutil.3
@@ -13,7 +13,7 @@
 .\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 .\" PERFORMANCE OF THIS SOFTWARE.
 .\"
-.\" $Id: lwres_resutil.3,v 1.17.18.11 2007/01/30 00:23:45 marka Exp $
+.\" $Id: lwres_resutil.3,v 1.28 2007/01/30 00:24:59 marka Exp $
 .\"
 .hy 0
 .ad l
diff --git a/lib/lwres/man/lwres_resutil.docbook b/lib/lwres/man/lwres_resutil.docbook
index b568629..e6184d9 100644
--- a/lib/lwres/man/lwres_resutil.docbook
+++ b/lib/lwres/man/lwres_resutil.docbook
@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: lwres_resutil.docbook,v 1.6.18.6 2007/08/28 07:20:06 tbox Exp $ -->
+<!-- $Id: lwres_resutil.docbook,v 1.12 2007/06/18 23:47:51 tbox Exp $ -->
 <refentry>
 
   <refentryinfo>
diff --git a/lib/lwres/man/lwres_resutil.html b/lib/lwres/man/lwres_resutil.html
index dfa2e1c..7bc3e6e 100644
--- a/lib/lwres/man/lwres_resutil.html
+++ b/lib/lwres/man/lwres_resutil.html
@@ -14,7 +14,7 @@
  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  - PERFORMANCE OF THIS SOFTWARE.
 -->
-<!-- $Id: lwres_resutil.html,v 1.9.18.16 2007/01/30 00:23:45 marka Exp $ -->
+<!-- $Id: lwres_resutil.html,v 1.25 2007/01/30 00:24:59 marka Exp $ -->
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
diff --git a/lib/lwres/print.c b/lib/lwres/print.c
index 49da037..5245d29 100644
--- a/lib/lwres/print.c
+++ b/lib/lwres/print.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print.c,v 1.2.2.7 2005/10/14 01:28:30 marka Exp $ */
+/* $Id: print.c,v 1.10 2007/06/19 23:47:22 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/print_p.h b/lib/lwres/print_p.h
index 4c2d2bf..c22b44a 100644
--- a/lib/lwres/print_p.h
+++ b/lib/lwres/print_p.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 1999-2001, 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: print_p.h,v 1.2.2.1 2004/08/28 06:21:13 marka Exp $ */
+/* $Id: print_p.h,v 1.4 2007/06/19 23:47:22 tbox Exp $ */
 
 #ifndef LWRES_PRINT_P_H
 #define LWRES_PRINT_P_H 1
diff --git a/lib/lwres/strtoul.c b/lib/lwres/strtoul.c
index 3fc8971..f16896c 100644
--- a/lib/lwres/strtoul.c
+++ b/lib/lwres/strtoul.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2003  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -53,7 +53,7 @@
 static char sccsid[] = "@(#)strtoul.c	8.1 (Berkeley) 6/4/93";
 #endif /* LIBC_SCCS and not lint */
 
-/* $Id: strtoul.c,v 1.2.2.1 2005/06/08 02:07:59 marka Exp $ */
+/* $Id: strtoul.c,v 1.4 2007/06/19 23:47:22 tbox Exp $ */
 
 #include <config.h>
 
diff --git a/lib/lwres/unix/Makefile.in b/lib/lwres/unix/Makefile.in
index 577e3d3..5d77208 100644
--- a/lib/lwres/unix/Makefile.in
+++ b/lib/lwres/unix/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2004/03/05 05:12:59 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/Makefile.in b/lib/lwres/unix/include/Makefile.in
index 8ca7489..6190633 100644
--- a/lib/lwres/unix/include/Makefile.in
+++ b/lib/lwres/unix/include/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2004/03/05 05:13:03 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/lwres/Makefile.in b/lib/lwres/unix/include/lwres/Makefile.in
index 7e0b594..c943e01 100644
--- a/lib/lwres/unix/include/lwres/Makefile.in
+++ b/lib/lwres/unix/include/lwres/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.2 2004/03/05 05:13:06 marka Exp $
+# $Id: Makefile.in,v 1.4 2007/06/19 23:47:23 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/lib/lwres/unix/include/lwres/net.h b/lib/lwres/unix/include/lwres/net.h
index 8fb14ee..0b16178 100644
--- a/lib/lwres/unix/include/lwres/net.h
+++ b/lib/lwres/unix/include/lwres/net.h
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000-2002  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: net.h,v 1.5.18.2 2005/04/29 00:17:23 marka Exp $ */
+/* $Id: net.h,v 1.9 2007/06/19 23:47:23 tbox Exp $ */
 
 #ifndef LWRES_NET_H
 #define LWRES_NET_H 1
diff --git a/lib/lwres/version.c b/lib/lwres/version.c
index 33561fd..cc52c51 100644
--- a/lib/lwres/version.c
+++ b/lib/lwres/version.c
@@ -1,8 +1,8 @@
 /*
- * Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
  * Copyright (C) 2000, 2001  Internet Software Consortium.
  *
- * Permission to use, copy, modify, and distribute this software for any
+ * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
  * copyright notice and this permission notice appear in all copies.
  *
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: version.c,v 1.8.18.2 2005/04/29 00:17:21 marka Exp $ */
+/* $Id: version.c,v 1.12 2007/06/19 23:47:22 tbox Exp $ */
 
 /*! \file */
 
diff --git a/libtool.m4 b/libtool.m4
index 551ffd0..a352a65 100644
--- a/libtool.m4
+++ b/libtool.m4
@@ -1,28 +1,13 @@
 # libtool.m4 - Configure libtool for the host system. -*-Autoconf-*-
-## Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
-## Free Software Foundation, Inc.
+## Copyright 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007,
+## 2008  Free Software Foundation, Inc.
 ## Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 ##
-## This program is free software; you can redistribute it and/or modify
-## it under the terms of the GNU General Public License as published by
-## the Free Software Foundation; either version 2 of the License, or
-## (at your option) any later version.
-##
-## This program is distributed in the hope that it will be useful, but
-## WITHOUT ANY WARRANTY; without even the implied warranty of
-## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-## General Public License for more details.
-##
-## You should have received a copy of the GNU General Public License
-## along with this program; if not, write to the Free Software
-## Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-##
-## As a special exception to the GNU General Public License, if you
-## distribute this file as part of a program that contains a
-## configuration script generated by Autoconf, you may include it under
-## the same distribution terms that you use for the rest of that program.
+## This file is free software; the Free Software Foundation gives
+## unlimited permission to copy and/or distribute it, with or without
+## modifications, as long as this notice is preserved.
 
-# serial 47 AC_PROG_LIBTOOL
+# serial 52 AC_PROG_LIBTOOL
 
 
 # AC_PROVIDE_IFELSE(MACRO-NAME, IF-PROVIDED, IF-NOT-PROVIDED)
@@ -110,7 +95,6 @@ AC_REQUIRE([AC_DEPLIBS_CHECK_METHOD])dnl
 AC_REQUIRE([AC_OBJEXT])dnl
 AC_REQUIRE([AC_EXEEXT])dnl
 dnl
-
 AC_LIBTOOL_SYS_MAX_CMD_LEN
 AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE
 AC_LIBTOOL_OBJDIR
@@ -132,7 +116,7 @@ esac
 
 # Sed substitution that helps us do robust quoting.  It backslashifies
 # metacharacters that are still active within double-quoted strings.
-Xsed='sed -e s/^X//'
+Xsed='sed -e 1s/^X//'
 [sed_quote_subst='s/\([\\"\\`$\\\\]\)/\\\1/g']
 
 # Same as above, but do not quote variable references.
@@ -152,7 +136,7 @@ rm="rm -f"
 default_ofile=libtool
 can_build_shared=yes
 
-# All known linkers require a `.a' archive for static linking (except M$VC,
+# All known linkers require a `.a' archive for static linking (except MSVC,
 # which needs '.lib').
 libext=a
 ltmain="$ac_aux_dir/ltmain.sh"
@@ -172,6 +156,7 @@ test -z "$AR_FLAGS" && AR_FLAGS=cru
 test -z "$AS" && AS=as
 test -z "$CC" && CC=cc
 test -z "$LTCC" && LTCC=$CC
+test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS
 test -z "$DLLTOOL" && DLLTOOL=dlltool
 test -z "$LD" && LD=ld
 test -z "$LN_S" && LN_S="ln -s"
@@ -184,23 +169,23 @@ test -z "$STRIP" && STRIP=:
 test -z "$ac_objext" && ac_objext=o
 
 # Determine commands to create old-style static archives.
-old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs$old_deplibs'
+old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs'
 old_postinstall_cmds='chmod 644 $oldlib'
 old_postuninstall_cmds=
 
 if test -n "$RANLIB"; then
   case $host_os in
   openbsd*)
-    old_postinstall_cmds="\$RANLIB -t \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$oldlib"
     ;;
   *)
-    old_postinstall_cmds="\$RANLIB \$oldlib~$old_postinstall_cmds"
+    old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$oldlib"
     ;;
   esac
   old_archive_cmds="$old_archive_cmds~\$RANLIB \$oldlib"
 fi
 
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+_LT_CC_BASENAME([$compiler])
 
 # Only perform the check for file, if the check method requires it
 case $deplibs_check_method in
@@ -211,6 +196,8 @@ file_magic*)
   ;;
 esac
 
+_LT_REQUIRED_DARWIN_CHECKS
+
 AC_PROVIDE_IFELSE([AC_LIBTOOL_DLOPEN], enable_dlopen=yes, enable_dlopen=no)
 AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
 enable_win32_dll=yes, enable_win32_dll=no)
@@ -242,11 +229,129 @@ AC_DEFUN([_LT_AC_SYS_COMPILER],
 # If no C compiler was specified, use CC.
 LTCC=${LTCC-"$CC"}
 
+# If no C compiler flags were specified, use CFLAGS.
+LTCFLAGS=${LTCFLAGS-"$CFLAGS"}
+
 # Allow CC to be a program name with arguments.
 compiler=$CC
 ])# _LT_AC_SYS_COMPILER
 
 
+# _LT_CC_BASENAME(CC)
+# -------------------
+# Calculate cc_basename.  Skip known compiler wrappers and cross-prefix.
+AC_DEFUN([_LT_CC_BASENAME],
+[for cc_temp in $1""; do
+  case $cc_temp in
+    compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;;
+    distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;;
+    \-*) ;;
+    *) break;;
+  esac
+done
+cc_basename=`$echo "X$cc_temp" | $Xsed -e 's%.*/%%' -e "s%^$host_alias-%%"`
+])
+
+
+# _LT_COMPILER_BOILERPLATE
+# ------------------------
+# Check for compiler boilerplate output or warnings with
+# the simple compiler test code.
+AC_DEFUN([_LT_COMPILER_BOILERPLATE],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_compile_test_code" >conftest.$ac_ext
+eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_compiler_boilerplate=`cat conftest.err`
+$rm conftest*
+])# _LT_COMPILER_BOILERPLATE
+
+
+# _LT_LINKER_BOILERPLATE
+# ----------------------
+# Check for linker boilerplate output or warnings with
+# the simple link test code.
+AC_DEFUN([_LT_LINKER_BOILERPLATE],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+ac_outfile=conftest.$ac_objext
+echo "$lt_simple_link_test_code" >conftest.$ac_ext
+eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err
+_lt_linker_boilerplate=`cat conftest.err`
+$rm -r conftest*
+])# _LT_LINKER_BOILERPLATE
+
+# _LT_REQUIRED_DARWIN_CHECKS
+# --------------------------
+# Check for some things on darwin
+AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS],[
+  case $host_os in
+    rhapsody* | darwin*)
+    AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:])
+    AC_CHECK_TOOL([NMEDIT], [nmedit], [:])
+
+    AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod],
+      [lt_cv_apple_cc_single_mod=no
+      if test -z "${LT_MULTI_MODULE}"; then
+   # By default we will add the -single_module flag. You can override
+   # by either setting the environment variable LT_MULTI_MODULE
+   # non-empty at configure time, or by adding -multi_module to the
+   # link flags.
+   echo "int foo(void){return 1;}" > conftest.c
+   $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \
+     -dynamiclib ${wl}-single_module conftest.c
+   if test -f libconftest.dylib; then
+     lt_cv_apple_cc_single_mod=yes
+     rm -rf libconftest.dylib*
+   fi
+   rm conftest.c
+      fi])
+    AC_CACHE_CHECK([for -exported_symbols_list linker flag],
+      [lt_cv_ld_exported_symbols_list],
+      [lt_cv_ld_exported_symbols_list=no
+      save_LDFLAGS=$LDFLAGS
+      echo "_main" > conftest.sym
+      LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym"
+      AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])],
+   [lt_cv_ld_exported_symbols_list=yes],
+   [lt_cv_ld_exported_symbols_list=no])
+   LDFLAGS="$save_LDFLAGS"
+    ])
+    case $host_os in
+    rhapsody* | darwin1.[[0123]])
+      _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;;
+    darwin1.*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+    darwin*)
+      # if running on 10.5 or later, the deployment target defaults
+      # to the OS version, if on x86, and 10.4, the deployment
+      # target defaults to 10.4. Don't you love it?
+      case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in
+   10.0,*86*-darwin8*|10.0,*-darwin[[91]]*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+   10.[[012]]*)
+     _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;;
+   10.*)
+     _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;;
+      esac
+    ;;
+  esac
+    if test "$lt_cv_apple_cc_single_mod" = "yes"; then
+      _lt_dar_single_mod='$single_module'
+    fi
+    if test "$lt_cv_ld_exported_symbols_list" = "yes"; then
+      _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym'
+    else
+      _lt_dar_export_syms="~$NMEDIT -s \$output_objdir/\${libname}-symbols.expsym \${lib}"
+    fi
+    if test "$DSYMUTIL" != ":"; then
+      _lt_dsymutil="~$DSYMUTIL \$lib || :"
+    else
+      _lt_dsymutil=
+    fi
+    ;;
+  esac
+])
+
 # _LT_AC_SYS_LIBPATH_AIX
 # ----------------------
 # Links a minimal program and checks the executable
@@ -256,12 +361,20 @@ compiler=$CC
 # If we don't find anything, use the default library path according
 # to the aix ld manual.
 AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX],
-[AC_LINK_IFELSE(AC_LANG_PROGRAM,[
-aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_LINK_IFELSE(AC_LANG_PROGRAM,[
+lt_aix_libpath_sed='
+    /Import File Strings/,/^$/ {
+	/^0/ {
+	    s/^0  *\(.*\)$/\1/
+	    p
+	}
+    }'
+aix_libpath=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
 # Check for a 64-bit object if we didn't find anything.
-if test -z "$aix_libpath"; then aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e '/Import File Strings/,/^$/ { /^0/ { s/^0  *\(.*\)$/\1/; p; }
-}'`; fi],[])
+if test -z "$aix_libpath"; then
+  aix_libpath=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"`
+fi],[])
 if test -z "$aix_libpath"; then aix_libpath="/usr/lib:/lib"; fi
 ])# _LT_AC_SYS_LIBPATH_AIX
 
@@ -326,8 +439,8 @@ if test "X${echo_test_string+set}" != Xset; then
 # find a string as large as possible, as long as the shell can cope with it
   for cmd in 'sed 50q "[$]0"' 'sed 20q "[$]0"' 'sed 10q "[$]0"' 'sed 2q "[$]0"' 'echo test'; do
     # expected sizes: less than 2Kb, 1Kb, 512 bytes, 16 bytes, ...
-    if (echo_test_string="`eval $cmd`") 2>/dev/null &&
-       echo_test_string="`eval $cmd`" &&
+    if (echo_test_string=`eval $cmd`) 2>/dev/null &&
+       echo_test_string=`eval $cmd` &&
        (test "X$echo_test_string" = "X$echo_test_string") 2>/dev/null
     then
       break
@@ -492,13 +605,17 @@ ia64-*-hpux*)
   rm -rf conftest*
   ;;
 
-x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
+x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \
+s390*-*linux*|sparc*-*linux*)
   # Find out which ABI we are using.
   echo 'int i;' > conftest.$ac_ext
   if AC_TRY_EVAL(ac_compile); then
-    case "`/usr/bin/file conftest.o`" in
+    case `/usr/bin/file conftest.o` in
     *32-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_i386_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_i386"
           ;;
@@ -515,6 +632,9 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
       ;;
     *64-bit*)
       case $host in
+        x86_64-*kfreebsd*-gnu)
+          LD="${LD-ld} -m elf_x86_64_fbsd"
+          ;;
         x86_64-*linux*)
           LD="${LD-ld} -m elf_x86_64"
           ;;
@@ -547,6 +667,26 @@ x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*|s390*-*linux*|sparc*-*linux*)
     CFLAGS="$SAVE_CFLAGS"
   fi
   ;;
+sparc*-*solaris*)
+  # Find out which ABI we are using.
+  echo 'int i;' > conftest.$ac_ext
+  if AC_TRY_EVAL(ac_compile); then
+    case `/usr/bin/file conftest.o` in
+    *64-bit*)
+      case $lt_cv_prog_gnu_ld in
+      yes*) LD="${LD-ld} -m elf64_sparc" ;;
+      *)
+        if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then
+	  LD="${LD-ld} -64"
+	fi
+	;;
+      esac
+      ;;
+    esac
+  fi
+  rm -rf conftest*
+  ;;
+
 AC_PROVIDE_IFELSE([AC_LIBTOOL_WIN32_DLL],
 [*-*-cygwin* | *-*-mingw* | *-*-pw32*)
   AC_CHECK_TOOL(DLLTOOL, dlltool, false)
@@ -570,7 +710,7 @@ AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION],
 AC_CACHE_CHECK([$1], [$2],
   [$2=no
   ifelse([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4])
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
    lt_compiler_flag="$3"
    # Insert the option either (1) after the last *FLAGS variable, or
    # (2) before a word containing "conftest.", or (3) at the end.
@@ -578,7 +718,7 @@ AC_CACHE_CHECK([$1], [$2],
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    # The option is referenced via a variable to avoid confusing sed.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
    (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
@@ -588,8 +728,10 @@ AC_CACHE_CHECK([$1], [$2],
    echo "$as_me:__oline__: \$? = $ac_status" >&AS_MESSAGE_LOG_FD
    if (exit $ac_status) && test -s "$ac_outfile"; then
      # The compiler can only warn and ignore the option if not recognized
-     # So say no if there are warnings
-     if test ! -s conftest.err; then
+     # So say no if there are warnings other than the usual output.
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' >conftest.exp
+     $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+     if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then
        $2=yes
      fi
    fi
@@ -609,22 +751,28 @@ fi
 # ------------------------------------------------------------
 # Check whether the given compiler option works
 AC_DEFUN([AC_LIBTOOL_LINKER_OPTION],
-[AC_CACHE_CHECK([$1], [$2],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_CACHE_CHECK([$1], [$2],
   [$2=no
    save_LDFLAGS="$LDFLAGS"
    LDFLAGS="$LDFLAGS $3"
-   printf "$lt_simple_link_test_code" > conftest.$ac_ext
+   echo "$lt_simple_link_test_code" > conftest.$ac_ext
    if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then
-     # The compiler can only warn and ignore the option if not recognized
+     # The linker can only warn and ignore the option if not recognized
      # So say no if there are warnings
      if test -s conftest.err; then
        # Append any errors to the config.log.
        cat conftest.err 1>&AS_MESSAGE_LOG_FD
+       $echo "X$_lt_linker_boilerplate" | $Xsed -e '/^$/d' > conftest.exp
+       $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2
+       if diff conftest.exp conftest.er2 >/dev/null; then
+         $2=yes
+       fi
      else
        $2=yes
      fi
    fi
-   $rm conftest*
+   $rm -r conftest*
    LDFLAGS="$save_LDFLAGS"
 ])
 
@@ -678,38 +826,71 @@ AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl
     lt_cv_sys_max_cmd_len=8192;
     ;;
 
-  netbsd* | freebsd* | openbsd* | darwin* )
+  netbsd* | freebsd* | openbsd* | darwin* | dragonfly*)
     # This has been around since 386BSD, at least.  Likely further.
     if test -x /sbin/sysctl; then
       lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax`
     elif test -x /usr/sbin/sysctl; then
       lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax`
     else
-      lt_cv_sys_max_cmd_len=65536 # usable default for *BSD
+      lt_cv_sys_max_cmd_len=65536	# usable default for all BSDs
     fi
     # And add a safety zone
     lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    ;;
+
+  interix*)
+    # We know the value 262144 and hardcode it with a safety zone (like BSD)
+    lt_cv_sys_max_cmd_len=196608
     ;;
 
- *)
-    # If test is not a shell built-in, we'll probably end up computing a
-    # maximum length that is only half of the actual maximum length, but
-    # we can't tell.
-    SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
-    while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
+  osf*)
+    # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure
+    # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not
+    # nice to cause kernel panics so lets avoid the loop below.
+    # First set a reasonable default.
+    lt_cv_sys_max_cmd_len=16384
+    #
+    if test -x /sbin/sysconfig; then
+      case `/sbin/sysconfig -q proc exec_disable_arg_limit` in
+        *1*) lt_cv_sys_max_cmd_len=-1 ;;
+      esac
+    fi
+    ;;
+  sco3.2v5*)
+    lt_cv_sys_max_cmd_len=102400
+    ;;
+  sysv5* | sco5v6* | sysv4.2uw2*)
+    kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null`
+    if test -n "$kargmax"; then
+      lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ 	]]//'`
+    else
+      lt_cv_sys_max_cmd_len=32768
+    fi
+    ;;
+  *)
+    lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null`
+    if test -n "$lt_cv_sys_max_cmd_len"; then
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4`
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3`
+    else
+      SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}}
+      while (test "X"`$SHELL [$]0 --fallback-echo "X$teststring" 2>/dev/null` \
 	       = "XX$teststring") >/dev/null 2>&1 &&
-	    new_result=`expr "X$teststring" : ".*" 2>&1` &&
-	    lt_cv_sys_max_cmd_len=$new_result &&
-	    test $i != 17 # 1/2 MB should be enough
-    do
-      i=`expr $i + 1`
-      teststring=$teststring$teststring
-    done
-    teststring=
-    # Add a significant safety factor because C++ compilers can tack on massive
-    # amounts of additional arguments before passing them to the linker.
-    # It appears as though 1/2 is a usable value.
-    lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+	      new_result=`expr "X$teststring" : ".*" 2>&1` &&
+	      lt_cv_sys_max_cmd_len=$new_result &&
+	      test $i != 17 # 1/2 MB should be enough
+      do
+        i=`expr $i + 1`
+        teststring=$teststring$teststring
+      done
+      teststring=
+      # Add a significant safety factor because C++ compilers can tack on massive
+      # amounts of additional arguments before passing them to the linker.
+      # It appears as though 1/2 is a usable value.
+      lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2`
+    fi
     ;;
   esac
 ])
@@ -722,7 +903,7 @@ fi
 
 
 # _LT_AC_CHECK_DLFCN
-# --------------------
+# ------------------
 AC_DEFUN([_LT_AC_CHECK_DLFCN],
 [AC_CHECK_HEADERS(dlfcn.h)dnl
 ])# _LT_AC_CHECK_DLFCN
@@ -730,7 +911,7 @@ AC_DEFUN([_LT_AC_CHECK_DLFCN],
 
 # _LT_AC_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE,
 #                           ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING)
-# ------------------------------------------------------------------
+# ---------------------------------------------------------------------
 AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF],
 [AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
 if test "$cross_compiling" = yes; then :
@@ -796,17 +977,19 @@ int main ()
       else if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore;
       /* dlclose (self); */
     }
+  else
+    puts (dlerror ());
 
     exit (status);
 }]
 EOF
   if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then
-    (./conftest; exit; ) 2>/dev/null
+    (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null
     lt_status=$?
     case x$lt_status in
       x$lt_dlno_uscore) $1 ;;
       x$lt_dlneed_uscore) $2 ;;
-      x$lt_unknown|x*) $3 ;;
+      x$lt_dlunknown|x*) $3 ;;
     esac
   else :
     # compilation failed
@@ -818,7 +1001,7 @@ rm -fr conftest*
 
 
 # AC_LIBTOOL_DLOPEN_SELF
-# -------------------
+# ----------------------
 AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF],
 [AC_REQUIRE([_LT_AC_CHECK_DLFCN])dnl
 if test "x$enable_dlopen" != xyes; then
@@ -860,7 +1043,7 @@ else
     AC_CHECK_FUNC([shl_load],
 	  [lt_cv_dlopen="shl_load"],
       [AC_CHECK_LIB([dld], [shl_load],
-	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-dld"],
+	    [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"],
 	[AC_CHECK_FUNC([dlopen],
 	      [lt_cv_dlopen="dlopen"],
 	  [AC_CHECK_LIB([dl], [dlopen],
@@ -868,7 +1051,7 @@ else
 	    [AC_CHECK_LIB([svld], [dlopen],
 		  [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"],
 	      [AC_CHECK_LIB([dld], [dld_link],
-		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-dld"])
+		    [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"])
 	      ])
 	    ])
 	  ])
@@ -889,7 +1072,7 @@ else
     test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H"
 
     save_LDFLAGS="$LDFLAGS"
-    eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
+    wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\"
 
     save_LIBS="$LIBS"
     LIBS="$lt_cv_dlopen_libs $LIBS"
@@ -902,7 +1085,7 @@ else
     ])
 
     if test "x$lt_cv_dlopen_self" = xyes; then
-      LDFLAGS="$LDFLAGS $link_static_flag"
+      wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\"
       AC_CACHE_CHECK([whether a statically linked program can dlopen itself],
     	  lt_cv_dlopen_self_static, [dnl
 	  _LT_AC_TRY_DLOPEN_SELF(
@@ -934,7 +1117,8 @@ fi
 # ---------------------------------
 # Check to see if options -c and -o are simultaneously supported by compiler
 AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O],
-[AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_REQUIRE([_LT_AC_SYS_COMPILER])dnl
 AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
   [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)],
   [_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no
@@ -942,7 +1126,7 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    mkdir conftest
    cd conftest
    mkdir out
-   printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+   echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
    lt_compiler_flag="-o out/conftest2.$ac_objext"
    # Insert the option either (1) after the last *FLAGS variable, or
@@ -950,7 +1134,7 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    # Note that $ac_compile itself does not contain backslashes and begins
    # with a dollar sign (not a hyphen), so the echo should work correctly.
    lt_compile=`echo "$ac_compile" | $SED \
-   -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \
+   -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \
    -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \
    -e 's:$: $lt_compiler_flag:'`
    (eval echo "\"\$as_me:__oline__: $lt_compile\"" >&AS_MESSAGE_LOG_FD)
@@ -962,11 +1146,13 @@ AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext],
    then
      # The compiler can only warn and ignore the option if not recognized
      # So say no if there are warnings
-     if test ! -s out/conftest.err; then
+     $echo "X$_lt_compiler_boilerplate" | $Xsed -e '/^$/d' > out/conftest.exp
+     $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2
+     if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then
        _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
      fi
    fi
-   chmod u+w .
+   chmod u+w . 2>&AS_MESSAGE_LOG_FD
    $rm conftest*
    # SGI C++ compiler will create directory out/ii_files/ for
    # template instantiation
@@ -1080,6 +1266,7 @@ else
    darwin*)
        if test -n "$STRIP" ; then
          striplib="$STRIP -x"
+         old_striplib="$STRIP -S"
          AC_MSG_RESULT([yes])
        else
   AC_MSG_RESULT([no])
@@ -1097,7 +1284,8 @@ fi
 # -----------------------------
 # PORTME Fill in your ld.so characteristics
 AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER],
-[AC_MSG_CHECKING([dynamic linker characteristics])
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([dynamic linker characteristics])
 library_names_spec=
 libname_spec='lib$name'
 soname_spec=
@@ -1111,20 +1299,58 @@ shlibpath_overrides_runpath=unknown
 version_type=none
 dynamic_linker="$host_os ld.so"
 sys_lib_dlsearch_path_spec="/lib /usr/lib"
+m4_if($1,[],[
 if test "$GCC" = yes; then
-  sys_lib_search_path_spec=`$CC -print-search-dirs | grep "^libraries:" | $SED -e "s/^libraries://" -e "s,=/,/,g"`
-  if echo "$sys_lib_search_path_spec" | grep ';' >/dev/null ; then
+  case $host_os in
+    darwin*) lt_awk_arg="/^libraries:/,/LR/" ;;
+    *) lt_awk_arg="/^libraries:/" ;;
+  esac
+  lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e "s,=/,/,g"`
+  if echo "$lt_search_path_spec" | grep ';' >/dev/null ; then
     # if the path contains ";" then we assume it to be the separator
     # otherwise default to the standard path separator (i.e. ":") - it is
     # assumed that no part of a normal pathname contains ";" but that should
     # okay in the real world where ";" in dirpaths is itself problematic.
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED -e 's/;/ /g'`
   else
-    sys_lib_search_path_spec=`echo "$sys_lib_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
+    lt_search_path_spec=`echo "$lt_search_path_spec" | $SED  -e "s/$PATH_SEPARATOR/ /g"`
   fi
+  # Ok, now we have the path, separated by spaces, we can step through it
+  # and add multilib dir if necessary.
+  lt_tmp_lt_search_path_spec=
+  lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null`
+  for lt_sys_path in $lt_search_path_spec; do
+    if test -d "$lt_sys_path/$lt_multi_os_dir"; then
+      lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir"
+    else
+      test -d "$lt_sys_path" && \
+	lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path"
+    fi
+  done
+  lt_search_path_spec=`echo $lt_tmp_lt_search_path_spec | awk '
+BEGIN {RS=" "; FS="/|\n";} {
+  lt_foo="";
+  lt_count=0;
+  for (lt_i = NF; lt_i > 0; lt_i--) {
+    if ($lt_i != "" && $lt_i != ".") {
+      if ($lt_i == "..") {
+        lt_count++;
+      } else {
+        if (lt_count == 0) {
+          lt_foo="/" $lt_i lt_foo;
+        } else {
+          lt_count--;
+        }
+      }
+    }
+  }
+  if (lt_foo != "") { lt_freq[[lt_foo]]++; }
+  if (lt_freq[[lt_foo]] == 1) { print lt_foo; }
+}'`
+  sys_lib_search_path_spec=`echo $lt_search_path_spec`
 else
   sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib"
-fi
+fi])
 need_lib_prefix=unknown
 hardcode_into_libs=no
 
@@ -1142,7 +1368,7 @@ aix3*)
   soname_spec='${libname}${release}${shared_ext}$major'
   ;;
 
-aix4* | aix5*)
+aix[[4-9]]*)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -1226,7 +1452,8 @@ cygwin* | mingw* | pw32*)
       dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i;echo \$dlname'\''`~
       dldir=$destdir/`dirname \$dlpath`~
       test -d \$dldir || mkdir -p \$dldir~
-      $install_prog $dir/$dlname \$dldir/$dlname'
+      $install_prog $dir/$dlname \$dldir/$dlname~
+      chmod a+x \$dldir/$dlname'
     postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~
       dlpath=$dir/\$dldll~
        $rm \$dlpath'
@@ -1256,7 +1483,7 @@ cygwin* | mingw* | pw32*)
       ;;
     pw32*)
       # pw32 DLLs use 'pw' prefix rather than 'lib'
-      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[.]/-/g'`${versuffix}${shared_ext}'
+      library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}'
       ;;
     esac
     ;;
@@ -1279,13 +1506,9 @@ darwin* | rhapsody*)
   soname_spec='${libname}${release}${major}$shared_ext'
   shlibpath_overrides_runpath=yes
   shlibpath_var=DYLD_LIBRARY_PATH
-  shrext_cmds='$(test .$module = .yes && echo .so || echo .dylib)'
-  # Apple's gcc prints 'gcc -print-search-dirs' doesn't operate the same.
-  if test "$GCC" = yes; then
-    sys_lib_search_path_spec=`$CC -print-search-dirs | tr "\n" "$PATH_SEPARATOR" | sed -e 's/libraries:/@libraries:/' | tr "@" "\n" | grep "^libraries:" | sed -e "s/^libraries://" -e "s,=/,/,g" -e "s,$PATH_SEPARATOR, ,g" -e "s,.*,& /lib /usr/lib /usr/local/lib,g"`
-  else
-    sys_lib_search_path_spec='/lib /usr/lib /usr/local/lib'
-  fi
+  shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`'
+  m4_if([$1], [],[
+  sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) 
   sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib'
   ;;
 
@@ -1302,20 +1525,17 @@ freebsd1*)
   dynamic_linker=no
   ;;
 
-kfreebsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
-freebsd*)
-  objformat=`test -x /usr/bin/objformat && /usr/bin/objformat || echo aout`
+freebsd* | dragonfly*)
+  # DragonFly does not have aout.  When/if they implement a new
+  # versioning mechanism, adjust this.
+  if test -x /usr/bin/objformat; then
+    objformat=`/usr/bin/objformat`
+  else
+    case $host_os in
+    freebsd[[123]]*) objformat=aout ;;
+    *) objformat=elf ;;
+    esac
+  fi
   version_type=freebsd-$objformat
   case $version_type in
     freebsd-elf*)
@@ -1333,14 +1553,19 @@ freebsd*)
   freebsd2*)
     shlibpath_overrides_runpath=yes
     ;;
-  freebsd3.[01]* | freebsdelf3.[01]*)
+  freebsd3.[[01]]* | freebsdelf3.[[01]]*)
     shlibpath_overrides_runpath=yes
     hardcode_into_libs=yes
     ;;
-  *) # from 3.2 on
+  freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \
+  freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1)
     shlibpath_overrides_runpath=no
     hardcode_into_libs=yes
     ;;
+  *) # from 4.6 on, and DragonFly
+    shlibpath_overrides_runpath=yes
+    hardcode_into_libs=yes
+    ;;
   esac
   ;;
 
@@ -1360,7 +1585,7 @@ hpux9* | hpux10* | hpux11*)
   version_type=sunos
   need_lib_prefix=no
   need_version=no
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
     shrext_cmds='.so'
     hardcode_into_libs=yes
@@ -1400,6 +1625,18 @@ hpux9* | hpux10* | hpux11*)
   postinstall_cmds='chmod 555 $lib'
   ;;
 
+interix[[3-9]]*)
+  version_type=linux
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)'
+  shlibpath_var=LD_LIBRARY_PATH
+  shlibpath_overrides_runpath=no
+  hardcode_into_libs=yes
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $host_os in
     nonstopux*) version_type=nonstopux ;;
@@ -1443,7 +1680,7 @@ linux*oldld* | linux*aout* | linux*coff*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   version_type=linux
   need_lib_prefix=no
   need_version=no
@@ -1459,7 +1696,7 @@ linux*)
 
   # Append ld.so.conf contents to the search path
   if test -f /etc/ld.so.conf; then
-    lt_ld_extra=`$SED -e 's/[:,\t]/ /g;s/=[^=]*$//;s/=[^= ]* / /g' /etc/ld.so.conf | tr '\n' ' '`
+    lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ 	]*hwcap[ 	]/d;s/[:,	]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '`
     sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra"
   fi
 
@@ -1472,18 +1709,6 @@ linux*)
   dynamic_linker='GNU/Linux ld.so'
   ;;
 
-knetbsd*-gnu)
-  version_type=linux
-  need_lib_prefix=no
-  need_version=no
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}'
-  soname_spec='${libname}${release}${shared_ext}$major'
-  shlibpath_var=LD_LIBRARY_PATH
-  shlibpath_overrides_runpath=no
-  hardcode_into_libs=yes
-  dynamic_linker='GNU ld.so'
-  ;;
-
 netbsd*)
   version_type=sunos
   need_lib_prefix=no
@@ -1521,8 +1746,13 @@ nto-qnx*)
 
 openbsd*)
   version_type=sunos
+  sys_lib_dlsearch_path_spec="/usr/lib"
   need_lib_prefix=no
-  need_version=no
+  # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs.
+  case $host_os in
+    openbsd3.3 | openbsd3.3.*) need_version=yes ;;
+    *)                         need_version=no  ;;
+  esac
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix'
   finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir'
   shlibpath_var=LD_LIBRARY_PATH
@@ -1560,11 +1790,8 @@ osf3* | osf4* | osf5*)
   sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec"
   ;;
 
-sco3.2v5*)
-  version_type=osf
-  soname_spec='${libname}${release}${shared_ext}$major'
-  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
-  shlibpath_var=LD_LIBRARY_PATH
+rdos*)
+  dynamic_linker=no
   ;;
 
 solaris*)
@@ -1592,7 +1819,7 @@ sunos4*)
   need_version=yes
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
   soname_spec='${libname}${release}${shared_ext}$major'
@@ -1625,6 +1852,29 @@ sysv4*MP*)
   fi
   ;;
 
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
+  version_type=freebsd-elf
+  need_lib_prefix=no
+  need_version=no
+  library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}'
+  soname_spec='${libname}${release}${shared_ext}$major'
+  shlibpath_var=LD_LIBRARY_PATH
+  hardcode_into_libs=yes
+  if test "$with_gnu_ld" = yes; then
+    sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib'
+    shlibpath_overrides_runpath=no
+  else
+    sys_lib_search_path_spec='/usr/ccs/lib /usr/lib'
+    shlibpath_overrides_runpath=yes
+    case $host_os in
+      sco3.2v5*)
+        sys_lib_search_path_spec="$sys_lib_search_path_spec /lib"
+	;;
+    esac
+  fi
+  sys_lib_dlsearch_path_spec='/usr/lib'
+  ;;
+
 uts4*)
   version_type=linux
   library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}'
@@ -1638,13 +1888,26 @@ uts4*)
 esac
 AC_MSG_RESULT([$dynamic_linker])
 test "$dynamic_linker" = no && can_build_shared=no
+
+AC_CACHE_VAL([lt_cv_sys_lib_search_path_spec],
+[lt_cv_sys_lib_search_path_spec="$sys_lib_search_path_spec"])
+sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec"
+AC_CACHE_VAL([lt_cv_sys_lib_dlsearch_path_spec],
+[lt_cv_sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec"])
+sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec"
+
+variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
+if test "$GCC" = yes; then
+  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
+fi
 ])# AC_LIBTOOL_SYS_DYNAMIC_LINKER
 
 
 # _LT_AC_TAGCONFIG
 # ----------------
 AC_DEFUN([_LT_AC_TAGCONFIG],
-[AC_ARG_WITH([tags],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_ARG_WITH([tags],
     [AC_HELP_STRING([--with-tags@<:@=TAGS@:>@],
         [include additional configurations @<:@automatic@:>@])],
     [tagnames="$withval"])
@@ -1662,6 +1925,9 @@ if test -f "$ltmain" && test -n "$tagnames"; then
       AC_MSG_WARN([using `LTCC=$LTCC', extracted from `$ofile'])
     fi
   fi
+  if test -z "$LTCFLAGS"; then
+    eval "`$SHELL ${ofile} --config | grep '^LTCFLAGS='`"
+  fi
 
   # Extract list of available tagged configurations in $ofile.
   # Note that this assumes the entire list is on one line.
@@ -1689,7 +1955,7 @@ if test -f "$ltmain" && test -n "$tagnames"; then
       case $tagname in
       CXX)
 	if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || 
+	    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
 	    (test "X$CXX" != "Xg++"))) ; then
 	  AC_LIBTOOL_LANG_CXX_CONFIG
 	else
@@ -1752,7 +2018,7 @@ AC_DEFUN([AC_LIBTOOL_DLOPEN],
 
 # AC_LIBTOOL_WIN32_DLL
 # --------------------
-# declare package support for building win32 dll's
+# declare package support for building win32 DLLs
 AC_DEFUN([AC_LIBTOOL_WIN32_DLL],
 [AC_BEFORE([$0], [AC_LIBTOOL_SETUP])
 ])# AC_LIBTOOL_WIN32_DLL
@@ -1790,7 +2056,7 @@ AC_ARG_ENABLE([shared],
 
 # AC_DISABLE_SHARED
 # -----------------
-#- set the default shared flag to --disable-shared
+# set the default shared flag to --disable-shared
 AC_DEFUN([AC_DISABLE_SHARED],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
 AC_ENABLE_SHARED(no)
@@ -1902,7 +2168,7 @@ m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP],
 
 # AC_PATH_TOOL_PREFIX
 # -------------------
-# find a file program which can recognise shared library
+# find a file program which can recognize shared library
 AC_DEFUN([AC_PATH_TOOL_PREFIX],
 [AC_REQUIRE([AC_PROG_EGREP])dnl
 AC_MSG_CHECKING([for $1])
@@ -1926,7 +2192,7 @@ dnl not every word.  This closes a longstanding sh security hole.
       if test -n "$file_magic_test_file"; then
 	case $deplibs_check_method in
 	"file_magic "*)
-	  file_magic_regex="`expr \"$deplibs_check_method\" : \"file_magic \(.*\)\"`"
+	  file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"`
 	  MAGIC_CMD="$lt_cv_path_MAGIC_CMD"
 	  if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null |
 	    $EGREP "$file_magic_regex" > /dev/null; then
@@ -1965,7 +2231,7 @@ fi
 
 # AC_PATH_MAGIC
 # -------------
-# find a file program which can recognise a shared library
+# find a file program which can recognize a shared library
 AC_DEFUN([AC_PATH_MAGIC],
 [AC_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH)
 if test -z "$lt_cv_path_MAGIC_CMD"; then
@@ -2036,7 +2302,7 @@ AC_CACHE_VAL(lt_cv_path_LD,
     if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
       lt_cv_path_LD="$ac_dir/$ac_prog"
       # Check to see if the program is GNU ld.  I'd rather use --version,
-      # but apparently some GNU ld's only accept -v.
+      # but apparently some variants of GNU ld only accept -v.
       # Break only if it was the GNU/non-GNU ld that we prefer.
       case `"$lt_cv_path_LD" -v 2>&1 </dev/null` in
       *GNU* | *'with BFD'*)
@@ -2068,7 +2334,7 @@ AC_PROG_LD_GNU
 AC_DEFUN([AC_PROG_LD_GNU],
 [AC_REQUIRE([AC_PROG_EGREP])dnl
 AC_CACHE_CHECK([if the linker ($LD) is GNU ld], lt_cv_prog_gnu_ld,
-[# I'd rather use --version here, but apparently some GNU ld's only accept -v.
+[# I'd rather use --version here, but apparently some GNU lds only accept -v.
 case `$LD -v 2>&1 </dev/null` in
 *GNU* | *'with BFD'*)
   lt_cv_prog_gnu_ld=yes
@@ -2098,7 +2364,7 @@ reload_cmds='$LD$reload_flag -o $output$reload_objs'
 case $host_os in
   darwin*)
     if test "$GCC" = yes; then
-      reload_cmds='$CC -nostdlib ${wl}-r -o $output$reload_objs'
+      reload_cmds='$LTCC $LTCFLAGS -nostdlib ${wl}-r -o $output$reload_objs'
     else
       reload_cmds='$LD$reload_flag -o $output$reload_objs'
     fi
@@ -2112,7 +2378,7 @@ esac
 # how to check for library dependencies
 #  -- PORTME fill in with the dynamic library characteristics
 AC_DEFUN([AC_DEPLIBS_CHECK_METHOD],
-[AC_CACHE_CHECK([how to recognise dependent libraries],
+[AC_CACHE_CHECK([how to recognize dependent libraries],
 lt_cv_deplibs_check_method,
 [lt_cv_file_magic_cmd='$MAGIC_CMD'
 lt_cv_file_magic_test_file=
@@ -2129,7 +2395,7 @@ lt_cv_deplibs_check_method='unknown'
 # whether `pass_all' will *always* work, you probably want this one.
 
 case $host_os in
-aix4* | aix5*)
+aix[[4-9]]*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2151,22 +2417,28 @@ cygwin*)
 
 mingw* | pw32*)
   # Base MSYS/MinGW do not provide the 'file' command needed by
-  # func_win32_libid shell function, so use a weaker test based on 'objdump'.
-  lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
-  lt_cv_file_magic_cmd='$OBJDUMP -f'
+  # func_win32_libid shell function, so use a weaker test based on 'objdump',
+  # unless we find 'file', for example because we are cross-compiling.
+  if ( file / ) >/dev/null 2>&1; then
+    lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL'
+    lt_cv_file_magic_cmd='func_win32_libid'
+  else
+    lt_cv_deplibs_check_method='file_magic file format pei*-i386(.*architecture: i386)?'
+    lt_cv_file_magic_cmd='$OBJDUMP -f'
+  fi
   ;;
 
 darwin* | rhapsody*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-freebsd* | kfreebsd*-gnu)
+freebsd* | dragonfly*)
   if echo __ELF__ | $CC -E - | grep __ELF__ > /dev/null; then
     case $host_cpu in
     i*86 )
       # Not sure whether the presence of OpenBSD here was a mistake.
       # Let's accept both of them until this is cleared up.
-      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD)/i[[3-9]]86 (compact )?demand paged shared library'
+      lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library'
       lt_cv_file_magic_cmd=/usr/bin/file
       lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*`
       ;;
@@ -2182,7 +2454,7 @@ gnu*)
 
 hpux10.20* | hpux11*)
   lt_cv_file_magic_cmd=/usr/bin/file
-  case "$host_cpu" in
+  case $host_cpu in
   ia64*)
     lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64'
     lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so
@@ -2198,6 +2470,11 @@ hpux10.20* | hpux11*)
   esac
   ;;
 
+interix[[3-9]]*)
+  # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here
+  lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$'
+  ;;
+
 irix5* | irix6* | nonstopux*)
   case $LD in
   *-32|*"-32 ") libmagic=32-bit;;
@@ -2209,7 +2486,7 @@ irix5* | irix6* | nonstopux*)
   ;;
 
 # This must be Linux ELF.
-linux*)
+linux* | k*bsd*-gnu)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2243,7 +2520,7 @@ osf3* | osf4* | osf5*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sco3.2v5*)
+rdos*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
@@ -2251,7 +2528,7 @@ solaris*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 
-sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+sysv4 | sysv4.3*)
   case $host_vendor in
   motorola)
     lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]'
@@ -2272,10 +2549,13 @@ sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
   siemens)
     lt_cv_deplibs_check_method=pass_all
     ;;
+  pc)
+    lt_cv_deplibs_check_method=pass_all
+    ;;
   esac
   ;;
 
-sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7* | sysv4*uw2*)
+sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*)
   lt_cv_deplibs_check_method=pass_all
   ;;
 esac
@@ -2295,36 +2575,43 @@ AC_DEFUN([AC_PROG_NM],
   # Let the user override the test.
   lt_cv_path_NM="$NM"
 else
-  lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
-  for ac_dir in $PATH /usr/ccs/bin /usr/ucb /bin; do
-    IFS="$lt_save_ifs"
-    test -z "$ac_dir" && ac_dir=.
-    tmp_nm="$ac_dir/${ac_tool_prefix}nm"
-    if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
-      # Check to see if the nm accepts a BSD-compat flag.
-      # Adding the `sed 1q' prevents false positives on HP-UX, which says:
-      #   nm: unknown option "B" ignored
-      # Tru64's nm complains that /dev/null is an invalid object file
-      case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
-      */dev/null* | *'Invalid file or object type'*)
-	lt_cv_path_NM="$tmp_nm -B"
-	break
-        ;;
-      *)
-	case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
-	*/dev/null*)
-	  lt_cv_path_NM="$tmp_nm -p"
+  lt_nm_to_check="${ac_tool_prefix}nm"
+  if test -n "$ac_tool_prefix" && test "$build" = "$host"; then
+    lt_nm_to_check="$lt_nm_to_check nm"
+  fi
+  for lt_tmp_nm in $lt_nm_to_check; do
+    lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR
+    for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do
+      IFS="$lt_save_ifs"
+      test -z "$ac_dir" && ac_dir=.
+      tmp_nm="$ac_dir/$lt_tmp_nm"
+      if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then
+	# Check to see if the nm accepts a BSD-compat flag.
+	# Adding the `sed 1q' prevents false positives on HP-UX, which says:
+	#   nm: unknown option "B" ignored
+	# Tru64's nm complains that /dev/null is an invalid object file
+	case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in
+	*/dev/null* | *'Invalid file or object type'*)
+	  lt_cv_path_NM="$tmp_nm -B"
 	  break
 	  ;;
 	*)
-	  lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
-	  continue # so that we can try to find one that supports BSD flags
+	  case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in
+	  */dev/null*)
+	    lt_cv_path_NM="$tmp_nm -p"
+	    break
+	    ;;
+	  *)
+	    lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but
+	    continue # so that we can try to find one that supports BSD flags
+	    ;;
+	  esac
 	  ;;
 	esac
-      esac
-    fi
+      fi
+    done
+    IFS="$lt_save_ifs"
   done
-  IFS="$lt_save_ifs"
   test -z "$lt_cv_path_NM" && lt_cv_path_NM=nm
 fi])
 NM="$lt_cv_path_NM"
@@ -2356,13 +2643,13 @@ esac
 # -----------------------------------
 # sets LIBLTDL to the link flags for the libltdl convenience library and
 # LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-convenience to the configure arguments.  Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
-# DIRECTORY is not provided, it is assumed to be `libltdl'.  LIBLTDL will
-# be prefixed with '${top_builddir}/' and LTDLINCL will be prefixed with
-# '${top_srcdir}/' (note the single quotes!).  If your package is not
-# flat and you're not using automake, define top_builddir and
-# top_srcdir appropriately in the Makefiles.
+# --enable-ltdl-convenience to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# it is assumed to be `libltdl'.  LIBLTDL will be prefixed with
+# '${top_builddir}/' and LTDLINCL will be prefixed with '${top_srcdir}/'
+# (note the single quotes!).  If your package is not flat and you're not
+# using automake, define top_builddir and top_srcdir appropriately in
+# the Makefiles.
 AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
   case $enable_ltdl_convenience in
@@ -2381,13 +2668,13 @@ AC_DEFUN([AC_LIBLTDL_CONVENIENCE],
 # -----------------------------------
 # sets LIBLTDL to the link flags for the libltdl installable library and
 # LTDLINCL to the include flags for the libltdl header and adds
-# --enable-ltdl-install to the configure arguments.  Note that LIBLTDL
-# and LTDLINCL are not AC_SUBSTed, nor is AC_CONFIG_SUBDIRS called.  If
-# DIRECTORY is not provided and an installed libltdl is not found, it is
-# assumed to be `libltdl'.  LIBLTDL will be prefixed with '${top_builddir}/'
-# and LTDLINCL will be prefixed with '${top_srcdir}/' (note the single
-# quotes!).  If your package is not flat and you're not using automake,
-# define top_builddir and top_srcdir appropriately in the Makefiles.
+# --enable-ltdl-install to the configure arguments.  Note that
+# AC_CONFIG_SUBDIRS is not called here.  If DIRECTORY is not provided,
+# and an installed libltdl is not found, it is assumed to be `libltdl'.
+# LIBLTDL will be prefixed with '${top_builddir}/'# and LTDLINCL with
+# '${top_srcdir}/' (note the single quotes!).  If your package is not
+# flat and you're not using automake, define top_builddir and top_srcdir
+# appropriately in the Makefiles.
 # In the future, this macro may have to be called after AC_PROG_LIBTOOL.
 AC_DEFUN([AC_LIBLTDL_INSTALLABLE],
 [AC_BEFORE([$0],[AC_LIBTOOL_SETUP])dnl
@@ -2430,12 +2717,12 @@ _LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}CXX])
 ])# _LT_AC_LANG_CXX
 
 # _LT_AC_PROG_CXXCPP
-# ---------------
+# ------------------
 AC_DEFUN([_LT_AC_PROG_CXXCPP],
 [
 AC_REQUIRE([AC_PROG_CXX])
 if test -n "$CXX" && ( test "X$CXX" != "Xno" &&
-    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || 
+    ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) ||
     (test "X$CXX" != "Xg++"))) ; then
   AC_PROG_CXXCPP
 fi
@@ -2479,7 +2766,7 @@ _LT_AC_SHELL_INIT([tagnames=${tagnames+${tagnames},}GCJ])
 
 
 # AC_LIBTOOL_RC
-# --------------
+# -------------
 # enable support for Windows resource files
 AC_DEFUN([AC_LIBTOOL_RC],
 [AC_REQUIRE([LT_AC_PROG_RC])
@@ -2505,43 +2792,16 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(){return(0);}\n'
+lt_simple_link_test_code='int main(){return(0);}'
 
 _LT_AC_SYS_COMPILER
 
-#
-# Check for any special shared library compilation flags.
-#
-_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)=
-if test "$GCC" = no; then
-  case $host_os in
-  sco3.2v5*)
-    _LT_AC_TAGVAR(lt_prog_cc_shlib, $1)='-belf'
-    ;;
-  esac
-fi
-if test -n "$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)"; then
-  AC_MSG_WARN([`$CC' requires `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to build shared libraries])
-  if echo "$old_CC $old_CFLAGS " | grep "[[ 	]]$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)[[ 	]]" >/dev/null; then :
-  else
-    AC_MSG_WARN([add `$_LT_AC_TAGVAR(lt_prog_cc_shlib, $1)' to the CC or CFLAGS env variable and reconfigure])
-    _LT_AC_TAGVAR(lt_cv_prog_cc_can_build_shared, $1)=no
-  fi
-fi
-
-
-#
-# Check to make sure the static flag actually works.
-#
-AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $_LT_AC_TAGVAR(lt_prog_compiler_static, $1) works],
-  _LT_AC_TAGVAR(lt_prog_compiler_static_works, $1),
-  $_LT_AC_TAGVAR(lt_prog_compiler_static, $1),
-  [],
-  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
-
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
 
 ## CAVEAT EMPTOR:
 ## There is no encapsulation within the following macros, do not change
@@ -2555,9 +2815,9 @@ AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
 AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
+AC_LIBTOOL_DLOPEN_SELF
 
-# Report which libraries types will actually be built
+# Report which library types will actually be built
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
 
@@ -2566,7 +2826,7 @@ test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -2575,7 +2835,7 @@ aix3*)
   fi
   ;;
 
-aix4* | aix5*)
+aix[[4-9]]*)
   if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
     test "$enable_shared" = yes && enable_static=no
   fi
@@ -2616,6 +2876,7 @@ _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
 _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)=
 _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
 _LT_AC_TAGVAR(hardcode_automatic, $1)=no
 _LT_AC_TAGVAR(module_cmds, $1)=
 _LT_AC_TAGVAR(module_expsym_cmds, $1)=
@@ -2631,23 +2892,28 @@ _LT_AC_TAGVAR(postdep_objects, $1)=
 _LT_AC_TAGVAR(predeps, $1)=
 _LT_AC_TAGVAR(postdeps, $1)=
 _LT_AC_TAGVAR(compiler_lib_search_path, $1)=
+_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
 
 # Source file extension for C++ test sources.
-ac_ext=cc
+ac_ext=cpp
 
 # Object file extension for compiled C++ test sources.
 objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="int some_variable = 0;\n"
+lt_simple_compile_test_code="int some_variable = 0;"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='int main(int, char *[]) { return(0); }\n'
+lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC=$CC
 lt_save_LD=$LD
@@ -2658,18 +2924,18 @@ lt_save_path_LD=$lt_cv_path_LD
 if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then
   lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx
 else
-  unset lt_cv_prog_gnu_ld
+  $as_unset lt_cv_prog_gnu_ld
 fi
 if test -n "${lt_cv_path_LDCXX+set}"; then
   lt_cv_path_LD=$lt_cv_path_LDCXX
 else
-  unset lt_cv_path_LD
+  $as_unset lt_cv_path_LD
 fi
 test -z "${LDCXX+set}" || LD=$LDCXX
 CC=${CXX-"c++"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+_LT_CC_BASENAME([$compiler])
 
 # We don't want -fno-exception wen compiling C++ code, so set the
 # no_builtin_flag separately
@@ -2736,7 +3002,7 @@ case $host_os in
     # FIXME: insert proper C++ library support
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
-  aix4* | aix5*)
+  aix[[4-9]]*)
     if test "$host_cpu" = ia64; then
       # On IA64, the linker does run time linking by default, so we don't
       # have to do anything special.
@@ -2749,7 +3015,7 @@ case $host_os in
       # Test if we are trying to use run time linking or normal
       # AIX style linking. If -brtl is somewhere in LDFLAGS, we
       # need to do runtime linking.
-      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+      case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
 	for ld_flag in $LDFLAGS; do
 	  case $ld_flag in
 	  *-brtl*)
@@ -2758,6 +3024,7 @@ case $host_os in
 	    ;;
 	  esac
 	done
+	;;
       esac
 
       exp_sym_flag='-bexport'
@@ -2776,7 +3043,7 @@ case $host_os in
     _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
     if test "$GXX" = yes; then
-      case $host_os in aix4.[012]|aix4.[012].*)
+      case $host_os in aix4.[[012]]|aix4.[[012]].*)
       # We only want to do this on AIX 4.2 and lower, the check
       # below for broken collect2 doesn't work under 4.3+
 	collect2name=`${CC} -print-prog-name=collect2`
@@ -2784,7 +3051,7 @@ case $host_os in
 	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	then
 	  # We have reworked collect2
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	  :
 	else
 	  # We have old collect2
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
@@ -2795,8 +3062,12 @@ case $host_os in
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 	fi
+	;;
       esac
       shared_flag='-shared'
+      if test "$aix_use_runtimelinking" = yes; then
+	shared_flag="$shared_flag "'${wl}-G'
+      fi
     else
       # not using gcc
       if test "$host_cpu" = ia64; then
@@ -2823,12 +3094,12 @@ case $host_os in
       _LT_AC_SYS_LIBPATH_AIX
       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
 
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
      else
       if test "$host_cpu" = ia64; then
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
       else
 	# Determine the default libpath from the value encoded in an empty executable.
 	_LT_AC_SYS_LIBPATH_AIX
@@ -2837,16 +3108,26 @@ case $host_os in
 	# -berok will link without error, but may produce a broken library.
 	_LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	# -bexpall does not export symbols beginning with underscore (_)
-	_LT_AC_TAGVAR(always_export_symbols, $1)=yes
 	# Exported symbols can be pulled into shared objects from archives
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
 	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	# This is similar to how AIX traditionally builds it's shared libraries.
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	# This is similar to how AIX traditionally builds its shared libraries.
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
       fi
     fi
     ;;
+
+  beos*)
+    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
+      # Joseph Beckenbach <jrb3@best.com> says some releases of gcc
+      # support --undefined.  This deserves some investigation.  FIXME
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
+    fi
+    ;;
+
   chorus*)
     case $cc_basename in
       *)
@@ -2856,7 +3137,6 @@ case $host_os in
     esac
     ;;
 
-
   cygwin* | mingw* | pw32*)
     # _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless,
     # as there is no search path for DLLs.
@@ -2866,7 +3146,7 @@ case $host_os in
     _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
 
     if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
       # If the export-symbols file already is a .def file (1st line
       # is EXPORTS), use it as is; otherwise, prepend...
       _LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -2875,65 +3155,37 @@ case $host_os in
 	echo EXPORTS > $output_objdir/$soname.def;
 	cat $export_symbols >> $output_objdir/$soname.def;
       fi~
-      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+      $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
     else
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
     fi
   ;;
       darwin* | rhapsody*)
-        case "$host_os" in
-        rhapsody* | darwin1.[[012]])
-         _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
-         ;;
-       *) # Darwin 1.3 on
-         if test -z ${MACOSX_DEPLOYMENT_TARGET} ; then
-           _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-         else
-           case ${MACOSX_DEPLOYMENT_TARGET} in
-             10.[[012]])
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-flat_namespace ${wl}-undefined ${wl}suppress'
-               ;;
-             10.*)
-               _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}dynamic_lookup'
-               ;;
-           esac
-         fi
-         ;;
-        esac
       _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_direct, $1)=no
       _LT_AC_TAGVAR(hardcode_automatic, $1)=yes
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=unsupported
       _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=''
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
-
-    if test "$GXX" = yes ; then
-      lt_int_apple_cc_single_mod=no
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined"
+      if test "$GXX" = yes ; then
       output_verbose_link_cmd='echo'
-      if $CC -dumpspecs 2>&1 | $EGREP 'single_module' >/dev/null ; then
-       lt_int_apple_cc_single_mod=yes
+      _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+      _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+      _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
+      if test "$lt_cv_apple_cc_single_mod" != "yes"; then
+        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}"
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}"
       fi
-      if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      else
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-        fi
-        _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-        # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          if test "X$lt_int_apple_cc_single_mod" = Xyes ; then
-            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib -single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          else
-            _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -r -keep_private_externs -nostdlib -o ${lib}-master.o $libobjs~$CC -dynamiclib $allow_undefined_flag -o $lib ${lib}-master.o $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-          fi
-            _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
       else
-      case "$cc_basename" in
+      case $cc_basename in
         xlc*)
          output_verbose_link_cmd='echo'
-          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+          _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
           _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+          _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj ${wl}-single_module $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
           _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
           ;;
        *)
@@ -2945,11 +3197,11 @@ case $host_os in
 
   dgux*)
     case $cc_basename in
-      ec++)
+      ec++*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      ghcx)
+      ghcx*)
 	# Green Hills C++ Compiler
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -2960,14 +3212,14 @@ case $host_os in
 	;;
     esac
     ;;
-  freebsd[12]*)
+  freebsd[[12]]*)
     # C++ shared libraries reported to be fairly broken before switch to ELF
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
   freebsd-elf*)
     _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
     ;;
-  freebsd* | kfreebsd*-gnu)
+  freebsd* | dragonfly*)
     # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF
     # conventions
     _LT_AC_TAGVAR(ld_shlibs, $1)=yes
@@ -2984,11 +3236,11 @@ case $host_os in
 				# location of the library.
 
     case $cc_basename in
-    CC)
+    CC*)
       # FIXME: insert proper C++ library support
       _LT_AC_TAGVAR(ld_shlibs, $1)=no
       ;;
-    aCC)
+    aCC*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$rm $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib'
       # Commands to make compiler produce verbose output that lists
       # what "hidden" libraries, object files and flags are used when
@@ -2998,7 +3250,7 @@ case $host_os in
       # explicitly linking system object files so we need to strip them
       # from the output so that they don't get included in the library
       # dependencies.
-      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[-]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+      output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | grep "[[-]]L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
       ;;
     *)
       if test "$GXX" = yes; then
@@ -3012,34 +3264,21 @@ case $host_os in
     ;;
   hpux10*|hpux11*)
     if test $with_gnu_ld = no; then
-      case "$host_cpu" in
-      hppa*64*)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
-        ;;
-      ia64*)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-        ;;
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+      case $host_cpu in
+      hppa*64*|ia64*) ;;
       *)
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
         ;;
       esac
     fi
-    case "$host_cpu" in
-    hppa*64*)
+    case $host_cpu in
+    hppa*64*|ia64*)
       _LT_AC_TAGVAR(hardcode_direct, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
-    ia64*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=no
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
-					      # but as the default
-					      # location of the library.
-      ;;
     *)
       _LT_AC_TAGVAR(hardcode_direct, $1)=yes
       _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH,
@@ -3049,14 +3288,17 @@ case $host_os in
     esac
 
     case $cc_basename in
-      CC)
+      CC*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      aCC)
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+      aCC*)
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	  ;;
 	*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -3075,9 +3317,12 @@ case $host_os in
       *)
 	if test "$GXX" = yes; then
 	  if test $with_gnu_ld = no; then
-	    case "$host_cpu" in
-	    ia64*|hppa*64*)
-	      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $linker_flags $libobjs $deplibs'
+	    case $host_cpu in
+	    hppa*64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	      ;;
+	    ia64*)
+	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	      ;;
 	    *)
 	      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
@@ -3091,11 +3336,25 @@ case $host_os in
 	;;
     esac
     ;;
+  interix[[3-9]]*)
+    _LT_AC_TAGVAR(hardcode_direct, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+    # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+    # Instead, shared libraries are loaded at an image base (0x10000000 by
+    # default) and relocated if they conflict, which is a slow very memory
+    # consuming and fragmenting process.  To avoid this, we pick a random,
+    # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+    # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+    ;;
   irix5* | irix6*)
     case $cc_basename in
-      CC)
+      CC*)
 	# SGI C++
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	# Archives containing C++ object files must be created using
 	# "CC -ar", where "CC" is the IRIX C++ compiler.  This is
@@ -3106,7 +3365,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes; then
 	  if test "$with_gnu_ld" = no; then
-	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 	  else
 	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` -o $lib'
 	  fi
@@ -3117,9 +3376,9 @@ case $host_os in
     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
     _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
     ;;
-  linux*)
+  linux* | k*bsd*-gnu)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3144,7 +3403,7 @@ case $host_os in
 	# "CC -Bstatic", where "CC" is the KAI C++ compiler.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
 	;;
-      icpc)
+      icpc*)
 	# Intel C++
 	with_gnu_ld=yes
 	# version 8.0 and above of icpc choke on multiply defined symbols
@@ -3156,8 +3415,12 @@ case $host_os in
   	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	  ;;
 	*)  # Version 8.0 or newer
-  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
+	  tmp_idyn=
+	  case $host_cpu in
+	    ia64*) tmp_idyn=' -i_dynamic';;
+	  esac
+  	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib'
 	  ;;
 	esac
 	_LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
@@ -3165,7 +3428,16 @@ case $host_os in
 	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive'
 	;;
-      cxx)
+      pgCC* | pgcpp*)
+        # Portland Group C++ compiler
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib'
+  	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib'
+
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+        ;;
+      cxx*)
 	# Compaq C++
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname  -o $lib ${wl}-retain-symbols-file $wl$export_symbols'
@@ -3184,6 +3456,29 @@ case $host_os in
 	# dependencies.
 	output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | grep "ld"`; templist=`echo $templist | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
 	;;
+      *)
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C++ 5.9
+	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+
+	  # Not sure whether something based on
+	  # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1
+	  # would be better.
+	  output_verbose_link_cmd='echo'
+
+	  # Archives containing C++ object files must be created using
+	  # "CC -xar", where "CC" is the Sun C++ compiler.  This is
+	  # necessary to make sure instantiated templates are included
+	  # in the archive.
+	  _LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
+	  ;;
+	esac
+	;;
     esac
     ;;
   lynxos*)
@@ -3196,7 +3491,7 @@ case $host_os in
     ;;
   mvs*)
     case $cc_basename in
-      cxx)
+      cxx*)
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
@@ -3222,20 +3517,24 @@ case $host_os in
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
   openbsd*)
-    _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
-    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-    if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
-      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+    if test -f /usr/libexec/ld.so; then
+      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib'
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib'
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      fi
+      output_verbose_link_cmd='echo'
+    else
+      _LT_AC_TAGVAR(ld_shlibs, $1)=no
     fi
-    output_verbose_link_cmd='echo'
     ;;
   osf3*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3251,14 +3550,14 @@ case $host_os in
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs'
 
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      cxx)
+      cxx*)
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && echo ${wl}-set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3276,7 +3575,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3295,7 +3594,7 @@ case $host_os in
     ;;
   osf4* | osf5*)
     case $cc_basename in
-      KCC)
+      KCC*)
 	# Kuck and Associates, Inc. (KAI) C++ Compiler
 
 	# KCC will only create a shared library if the output file
@@ -3310,17 +3609,17 @@ case $host_os in
 	# the KAI C++ compiler.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs'
 	;;
-      RCC)
+      RCC*)
 	# Rational C++ 2.4.1
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      cxx)
+      cxx*)
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~
 	  echo "-hidden">> $lib.exp~
-	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry $objdir/so_locations -o $lib~
+	  $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname -Wl,-input -Wl,$lib.exp  `test -n "$verstring" && echo -set_version	$verstring` -update_registry ${output_objdir}/so_locations -o $lib~
 	  $rm $lib.exp'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -3339,7 +3638,7 @@ case $host_os in
       *)
 	if test "$GXX" = yes && test "$with_gnu_ld" = no; then
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*'
-	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${objdir}/so_locations -o $lib'
+	 _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && echo ${wl}-set_version ${wl}$verstring` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib'
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir'
 	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
@@ -3360,27 +3659,14 @@ case $host_os in
     # FIXME: insert proper C++ library support
     _LT_AC_TAGVAR(ld_shlibs, $1)=no
     ;;
-  sco*)
-    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
-    case $cc_basename in
-      CC)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-      *)
-	# FIXME: insert proper C++ library support
-	_LT_AC_TAGVAR(ld_shlibs, $1)=no
-	;;
-    esac
-    ;;
   sunos4*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.x
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	;;
-      lcc)
+      lcc*)
 	# Lucid
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -3393,36 +3679,28 @@ case $host_os in
     ;;
   solaris*)
     case $cc_basename in
-      CC)
+      CC*)
 	# Sun C++ 4.2, 5.x and Centerline C++
+        _LT_AC_TAGVAR(archive_cmds_need_lc,$1)=yes
 	_LT_AC_TAGVAR(no_undefined_flag, $1)=' -zdefs'
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -nolib -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag}  -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-	$CC -G${allow_undefined_flag} -nolib ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
+	$CC -G${allow_undefined_flag}  ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$rm $lib.exp'
 
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
 	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
 	case $host_os in
-	  solaris2.[0-5] | solaris2.[0-5].*) ;;
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
 	  *)
-	    # The C++ compiler is used as linker so we must use $wl
-	    # flag to pass the commands to the underlying system
-	    # linker.
+	    # The compiler driver will combine and reorder linker options,
+	    # but understands `-z linker_flag'.
 	    # Supported since Solaris 2.6 (maybe 2.5.1?)
-	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
 	    ;;
 	esac
 	_LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
-	# Commands to make compiler produce verbose output that lists
-	# what "hidden" libraries, object files and flags are used when
-	# linking a shared library.
-	#
-	# There doesn't appear to be a way to prevent this compiler from
-	# explicitly linking system object files so we need to strip them
-	# from the output so that they don't get included in the library
-	# dependencies.
-	output_verbose_link_cmd='templist=`$CC -G $CFLAGS -v conftest.$objext 2>&1 | grep "\-[[LR]]"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; echo $list'
+	output_verbose_link_cmd='echo'
 
 	# Archives containing C++ object files must be created using
 	# "CC -xar", where "CC" is the Sun C++ compiler.  This is
@@ -3430,7 +3708,7 @@ case $host_os in
 	# in the archive.
 	_LT_AC_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs'
 	;;
-      gcx)
+      gcx*)
 	# Green Hills C++ Compiler
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib'
 
@@ -3464,16 +3742,73 @@ case $host_os in
 	  fi
 
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir'
+	  case $host_os in
+	  solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
+	  *)
+	    _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	    ;;
+	  esac
 	fi
 	;;
     esac
     ;;
-  sysv5OpenUNIX8* | sysv5UnixWare7* | sysv5uw[[78]]* | unixware7*)
+  sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+    _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
+    ;;
+  sysv5* | sco3.2v5* | sco5v6*)
+    # Note: We can NOT use -z defs as we might desire, because we do not
+    # link with -lc, and that would cause any symbols used from libc to
+    # always be unresolved, which means just about no library would
+    # ever link correctly.  If we're not using GNU ld we use -z text
+    # though, which does catch some bad symbols but isn't as heavy-handed
+    # as -z defs.
+    # For security reasons, it is highly recommended that you always
+    # use absolute paths for naming shared libraries, and exclude the
+    # DT_RUNPATH tag from executables and libraries.  But doing so
+    # requires that you compile everything twice, which is a pain.
+    # So that behaviour is only enabled if SCOABSPATH is set to a
+    # non-empty value in the environment.  Most likely only useful for
+    # creating official distributions of packages.
+    # This is a hack until libtool officially supports absolute path
+    # names for shared libraries.
+    _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+    _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
     _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
+    _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+    _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+    _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
+    runpath_var='LD_RUN_PATH'
+
+    case $cc_basename in
+      CC*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+      *)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	;;
+    esac
     ;;
   tandem*)
     case $cc_basename in
-      NCC)
+      NCC*)
 	# NonStop-UX NCC 3.20
 	# FIXME: insert proper C++ library support
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -3510,8 +3845,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3529,12 +3862,13 @@ lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld
 ])# AC_LIBTOOL_LANG_CXX_CONFIG
 
 # AC_LIBTOOL_POSTDEP_PREDEP([TAGNAME])
-# ------------------------
+# ------------------------------------
 # Figure out "hidden" library dependencies from verbose
 # compiler output when linking a shared library.
 # Parse the compiler output and extract the necessary
 # objects, libraries and library flags.
-AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],[
+AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP],
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
 dnl we can't use the lt_simple_compile_test_code here,
 dnl because it contains code intended for an executable,
 dnl not a library.  It's possible we should let each
@@ -3583,7 +3917,7 @@ if AC_TRY_EVAL(ac_compile); then
   # The `*' in the case matches for architectures that use `case' in
   # $output_verbose_cmd can trigger glob expansion during the loop
   # eval without this substitution.
-  output_verbose_link_cmd="`$echo \"X$output_verbose_link_cmd\" | $Xsed -e \"$no_glob_subst\"`"
+  output_verbose_link_cmd=`$echo "X$output_verbose_link_cmd" | $Xsed -e "$no_glob_subst"`
 
   for p in `eval $output_verbose_link_cmd`; do
     case $p in
@@ -3659,13 +3993,74 @@ fi
 
 $rm -f confest.$objext
 
+_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=
+if test -n "$_LT_AC_TAGVAR(compiler_lib_search_path, $1)"; then
+  _LT_AC_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_AC_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'`
+fi
+
+# PORTME: override above test on systems where it is broken
+ifelse([$1],[CXX],
+[case $host_os in
+interix[[3-9]]*)
+  # Interix 3.5 installs completely hosed .la files for C++, so rather than
+  # hack all around it, let's just trust "g++" to DTRT.
+  _LT_AC_TAGVAR(predep_objects,$1)=
+  _LT_AC_TAGVAR(postdep_objects,$1)=
+  _LT_AC_TAGVAR(postdeps,$1)=
+  ;;
+
+linux*)
+  case `$CC -V 2>&1 | sed 5q` in
+  *Sun\ C*)
+    # Sun C++ 5.9
+    #
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+
+solaris*)
+  case $cc_basename in
+  CC*)
+    # The more standards-conforming stlport4 library is
+    # incompatible with the Cstd library. Avoid specifying
+    # it if it's in CXXFLAGS. Ignore libCrun as
+    # -library=stlport4 depends on it.
+    case " $CXX $CXXFLAGS " in
+    *" -library=stlport4 "*)
+      solaris_use_stlport4=yes
+      ;;
+    esac
+
+    # Adding this requires a known-good setup of shared libraries for
+    # Sun compiler versions before 5.6, else PIC objects from an old
+    # archive will be linked into the output, leading to subtle bugs.
+    if test "$solaris_use_stlport4" != yes; then
+      _LT_AC_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun'
+    fi
+    ;;
+  esac
+  ;;
+esac
+])
 case " $_LT_AC_TAGVAR(postdeps, $1) " in
 *" -lc "*) _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no ;;
 esac
 ])# AC_LIBTOOL_POSTDEP_PREDEP
 
 # AC_LIBTOOL_LANG_F77_CONFIG
-# ------------------------
+# --------------------------
 # Ensure that the configuration vars for the C compiler are
 # suitably defined.  Those variables are subsequently used by
 # AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
@@ -3701,20 +4096,31 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="      subroutine t\n      return\n      end\n"
+lt_simple_compile_test_code="\
+      subroutine t
+      return
+      end
+"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code="      program t\n      end\n"
+lt_simple_link_test_code="\
+      program t
+      end
+"
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${F77-"f77"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
-cc_basename=`$echo X"$compiler" | $Xsed -e 's%^.*/%%'`
+_LT_CC_BASENAME([$compiler])
 
 AC_MSG_CHECKING([if libtool supports shared libraries])
 AC_MSG_RESULT([$can_build_shared])
@@ -3724,7 +4130,7 @@ test "$can_build_shared" = "no" && enable_shared=no
 
 # On AIX, shared libraries and static libraries use the same namespace, and
 # are all built from PIC.
-case "$host_os" in
+case $host_os in
 aix3*)
   test "$enable_shared" = yes && enable_static=no
   if test -n "$RANLIB"; then
@@ -3732,8 +4138,10 @@ aix3*)
     postinstall_cmds='$RANLIB $lib'
   fi
   ;;
-aix4* | aix5*)
-  test "$enable_shared" = yes && enable_static=no
+aix[[4-9]]*)
+  if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then
+    test "$enable_shared" = yes && enable_static=no
+  fi
   ;;
 esac
 AC_MSG_RESULT([$enable_shared])
@@ -3743,8 +4151,6 @@ AC_MSG_CHECKING([whether to build static libraries])
 test "$enable_shared" = yes || enable_static=yes
 AC_MSG_RESULT([$enable_static])
 
-test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
-
 _LT_AC_TAGVAR(GCC, $1)="$G77"
 _LT_AC_TAGVAR(LD, $1)="$LD"
 
@@ -3754,8 +4160,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3781,23 +4185,30 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code="class foo {}\n"
+lt_simple_compile_test_code="class foo {}"
 
 # Code to be used in simple link tests
-lt_simple_link_test_code='public class conftest { public static void main(String[] argv) {}; }\n'
+lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }'
 
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${GCJ-"gcj"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
 
 # GCJ did not exist at the time GCC didn't implicitly link libc in.
 _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
 
+_LT_AC_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds
+
 ## CAVEAT EMPTOR:
 ## There is no encapsulation within the following macros, do not change
 ## the running order or otherwise move them around unless you know exactly
@@ -3809,8 +4220,6 @@ AC_LIBTOOL_SYS_HARD_LINK_LOCKS($1)
 AC_LIBTOOL_PROG_LD_SHLIBS($1)
 AC_LIBTOOL_SYS_DYNAMIC_LINKER($1)
 AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH($1)
-AC_LIBTOOL_SYS_LIB_STRIP
-AC_LIBTOOL_DLOPEN_SELF($1)
 
 AC_LIBTOOL_CONFIG($1)
 
@@ -3820,7 +4229,7 @@ CC="$lt_save_CC"
 
 
 # AC_LIBTOOL_LANG_RC_CONFIG
-# --------------------------
+# -------------------------
 # Ensure that the configuration vars for the Windows resource compiler are
 # suitably defined.  Those variables are subsequently used by
 # AC_LIBTOOL_CONFIG to write the compiler configuration to `libtool'.
@@ -3836,7 +4245,7 @@ objext=o
 _LT_AC_TAGVAR(objext, $1)=$objext
 
 # Code to be used in simple compile tests
-lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }\n'
+lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }'
 
 # Code to be used in simple link tests
 lt_simple_link_test_code="$lt_simple_compile_test_code"
@@ -3844,11 +4253,16 @@ lt_simple_link_test_code="$lt_simple_compile_test_code"
 # ltmain only uses $CC for tagged configurations so make sure $CC is set.
 _LT_AC_SYS_COMPILER
 
+# save warnings/boilerplate of simple test code
+_LT_COMPILER_BOILERPLATE
+_LT_LINKER_BOILERPLATE
+
 # Allow CC to be a program name with arguments.
 lt_save_CC="$CC"
 CC=${RC-"windres"}
 compiler=$CC
 _LT_AC_TAGVAR(compiler, $1)=$CC
+_LT_CC_BASENAME([$compiler])
 _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes
 
 AC_LIBTOOL_CONFIG($1)
@@ -3878,7 +4292,7 @@ if test -f "$ltmain"; then
   # Now quote all the things that may contain metacharacters while being
   # careful not to overquote the AC_SUBSTed values.  We take copies of the
   # variables and quote the copies for generation of the libtool script.
-  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC NM \
+  for var in echo old_CC old_CFLAGS AR AR_FLAGS EGREP RANLIB LN_S LTCC LTCFLAGS NM \
     SED SHELL STRIP \
     libname_spec library_names_spec soname_spec extract_expsyms_cmds \
     old_striplib striplib file_magic_cmd finish_cmds finish_eval \
@@ -3905,6 +4319,7 @@ if test -f "$ltmain"; then
     _LT_AC_TAGVAR(predeps, $1) \
     _LT_AC_TAGVAR(postdeps, $1) \
     _LT_AC_TAGVAR(compiler_lib_search_path, $1) \
+    _LT_AC_TAGVAR(compiler_lib_search_dirs, $1) \
     _LT_AC_TAGVAR(archive_cmds, $1) \
     _LT_AC_TAGVAR(archive_expsym_cmds, $1) \
     _LT_AC_TAGVAR(postinstall_cmds, $1) \
@@ -3920,6 +4335,7 @@ if test -f "$ltmain"; then
     _LT_AC_TAGVAR(module_cmds, $1) \
     _LT_AC_TAGVAR(module_expsym_cmds, $1) \
     _LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1) \
+    _LT_AC_TAGVAR(fix_srcfile_path, $1) \
     _LT_AC_TAGVAR(exclude_expsyms, $1) \
     _LT_AC_TAGVAR(include_expsyms, $1); do
 
@@ -3966,7 +4382,7 @@ ifelse([$1], [],
 # Generated automatically by $PROGRAM (GNU $PACKAGE $VERSION$TIMESTAMP)
 # NOTE: Changes made to this file will be lost: look at ltmain.sh.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008
 # Free Software Foundation, Inc.
 #
 # This file is part of GNU Libtool:
@@ -3984,7 +4400,7 @@ ifelse([$1], [],
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -3995,7 +4411,7 @@ ifelse([$1], [],
 SED=$lt_SED
 
 # Sed that helps us avoid accidentally triggering echo(1) options like -n.
-Xsed="$SED -e s/^X//"
+Xsed="$SED -e 1s/^X//"
 
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
@@ -4030,6 +4446,12 @@ fast_install=$enable_fast_install
 # The host system.
 host_alias=$host_alias
 host=$host
+host_os=$host_os
+
+# The build system.
+build_alias=$build_alias
+build=$build
+build_os=$build_os
 
 # An echo program that does not interpret backslashes.
 echo=$lt_echo
@@ -4041,6 +4463,9 @@ AR_FLAGS=$lt_AR_FLAGS
 # A C compiler.
 LTCC=$lt_LTCC
 
+# LTCC compiler flags.
+LTCFLAGS=$lt_LTCFLAGS
+
 # A language-specific compiler.
 CC=$lt_[]_LT_AC_TAGVAR(compiler, $1)
 
@@ -4106,7 +4531,7 @@ max_cmd_len=$lt_cv_sys_max_cmd_len
 # Does compiler simultaneously support -c and -o options?
 compiler_c_o=$lt_[]_LT_AC_TAGVAR(lt_cv_prog_compiler_c_o, $1)
 
-# Must we lock files when doing compilation ?
+# Must we lock files when doing compilation?
 need_locks=$lt_need_locks
 
 # Do we need the lib prefix for modules?
@@ -4194,6 +4619,10 @@ predeps=$lt_[]_LT_AC_TAGVAR(predeps, $1)
 # shared library.
 postdeps=$lt_[]_LT_AC_TAGVAR(postdeps, $1)
 
+# The directories searched by this compiler when creating a shared
+# library
+compiler_lib_search_dirs=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_dirs, $1)
+
 # The library search path used internally by the compiler when linking
 # a shared library.
 compiler_lib_search_path=$lt_[]_LT_AC_TAGVAR(compiler_lib_search_path, $1)
@@ -4282,7 +4711,7 @@ sys_lib_search_path_spec=$lt_sys_lib_search_path_spec
 sys_lib_dlsearch_path_spec=$lt_sys_lib_dlsearch_path_spec
 
 # Fix the shell variable \$srcfile for the compiler.
-fix_srcfile_path="$_LT_AC_TAGVAR(fix_srcfile_path, $1)"
+fix_srcfile_path=$lt_fix_srcfile_path
 
 # Set to yes if exported symbols are required.
 always_export_symbols=$_LT_AC_TAGVAR(always_export_symbols, $1)
@@ -4365,6 +4794,7 @@ fi
 # ---------------------------------
 AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE],
 [AC_REQUIRE([AC_CANONICAL_HOST])
+AC_REQUIRE([LT_AC_PROG_SED])
 AC_REQUIRE([AC_PROG_NM])
 AC_REQUIRE([AC_OBJEXT])
 # Check for command to grab the raw symbol name followed by C symbol from nm.
@@ -4380,9 +4810,6 @@ symcode='[[BCDEGRST]]'
 # Regexp to match symbols that can be accessed directly from C.
 sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)'
 
-# Transform the above into a raw symbol and a C symbol.
-symxfrm='\1 \2\3 \3'
-
 # Transform an extracted symbol line into a proper C declaration
 lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^. .* \(.*\)$/extern int \1;/p'"
 
@@ -4404,7 +4831,7 @@ hpux*) # Its linker distinguishes data from code symbols
   lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
   lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\) $/  {\\\"\1\\\", (lt_ptr) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/  {\"\2\", (lt_ptr) \&\2},/p'"
   ;;
-linux*)
+linux* | k*bsd*-gnu)
   if test "$host_cpu" = ia64; then
     symcode='[[ABCDGIRSTW]]'
     lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'"
@@ -4417,9 +4844,18 @@ irix* | nonstopux*)
 osf*)
   symcode='[[BCDEGQRST]]'
   ;;
-solaris* | sysv5*)
+solaris*)
   symcode='[[BDRT]]'
   ;;
+sco3.2v5*)
+  symcode='[[DT]]'
+  ;;
+sysv4.2uw2*)
+  symcode='[[DT]]'
+  ;;
+sysv5* | sco5v6* | unixware* | OpenUNIX*)
+  symcode='[[ABDT]]'
+  ;;
 sysv4)
   symcode='[[DFNSTU]]'
   ;;
@@ -4442,8 +4878,11 @@ esac
 # Try without a prefix undercore, then with it.
 for ac_symprfx in "" "_"; do
 
+  # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol.
+  symxfrm="\\1 $ac_symprfx\\2 \\2"
+
   # Write the raw and C identifiers.
-  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*\($ac_symprfx\)$sympat$opt_cr$/$symxfrm/p'"
+  lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ 	]]\($symcode$symcode*\)[[ 	]][[ 	]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'"
 
   # Check to see that the pipe works correctly.
   pipe_works=no
@@ -4533,7 +4972,7 @@ EOF
     echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD
     cat conftest.$ac_ext >&5
   fi
-  rm -f conftest* conftst*
+  rm -rf conftest* conftst*
 
   # Do not use the global_symbol_pipe unless it works.
   if test "$pipe_works" = yes; then
@@ -4582,13 +5021,16 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       # like `-m68040'.
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
       ;;
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
-    mingw* | os2* | pw32*)
+    mingw* | cygwin* | os2* | pw32*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
       ;;
     darwin* | rhapsody*)
       # PIC is the default on this platform
@@ -4599,6 +5041,10 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       # DJGPP does not support shared libraries at all
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
       ;;
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
     sysv4*MP*)
       if test -d /usr/nec; then
 	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic
@@ -4607,7 +5053,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	;;
       *)
@@ -4621,7 +5067,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
     esac
   else
     case $host_os in
-      aix4* | aix5*)
+      aix[[4-9]]*)
 	# All AIX code is PIC.
 	if test "$host_cpu" = ia64; then
 	  # AIX 5 now supports IA64 processor
@@ -4632,7 +5078,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       chorus*)
 	case $cc_basename in
-	cxch68)
+	cxch68*)
 	  # Green Hills C++ Compiler
 	  # _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a"
 	  ;;
@@ -4641,7 +5087,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
        darwin*)
          # PIC is the default on this platform
          # Common symbols not allowed in MH_DYLIB files
-         case "$cc_basename" in
+         case $cc_basename in
            xlc*)
            _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
            _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -4650,10 +5096,10 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
        ;;
       dgux*)
 	case $cc_basename in
-	  ec++)
+	  ec++*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    ;;
-	  ghcx)
+	  ghcx*)
 	    # Green Hills C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
@@ -4661,22 +5107,22 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      freebsd* | kfreebsd*-gnu)
+      freebsd* | dragonfly*)
 	# FreeBSD uses GNU C++
 	;;
       hpux9* | hpux10* | hpux11*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
 	    if test "$host_cpu" != ia64; then
 	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='+Z'
 	    fi
 	    ;;
-	  aCC)
+	  aCC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
-	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)="${ac_cv_prog_cc_wl}-a ${ac_cv_prog_cc_wl}archive"
-	    case "$host_cpu" in
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive'
+	    case $host_cpu in
 	    hppa*64*|ia64*)
 	      # +Z the default
 	      ;;
@@ -4689,9 +5135,13 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
+      interix*)
+	# This is c89, which is MS Visual C++ (no shared libs)
+	# Anyone wants to do a port?
+	;;
       irix5* | irix6* | nonstopux*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    # CC pic flag -KPIC is the default.
@@ -4700,20 +5150,26 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      linux*)
+      linux* | k*bsd*-gnu)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    # KAI C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
 	    ;;
-	  icpc)
+	  icpc* | ecpc*)
 	    # Intel C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
 	    ;;
-	  cxx)
+	  pgCC* | pgcpp*)
+	    # Portland Group C++ compiler.
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	  cxx*)
 	    # Compaq C++
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
 	    # Linux and Compaq Tru64 Unix objects are PIC.
@@ -4721,6 +5177,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
 	    ;;
 	  *)
+	    case `$CC -V 2>&1 | sed 5q` in
+	    *Sun\ C*)
+	      # Sun C++ 5.9
+	      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
+	      ;;
+	    esac
 	    ;;
 	esac
 	;;
@@ -4730,7 +5194,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       mvs*)
 	case $cc_basename in
-	  cxx)
+	  cxx*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall'
 	    ;;
 	  *)
@@ -4741,14 +5205,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       osf3* | osf4* | osf5*)
 	case $cc_basename in
-	  KCC)
+	  KCC*)
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,'
 	    ;;
-	  RCC)
+	  RCC*)
 	    # Rational C++ 2.4.1
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
-	  cxx)
+	  cxx*)
 	    # Digital/Compaq C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	    # Make sure the PIC flag is empty.  It appears that all Alpha
@@ -4762,24 +5226,15 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       psos*)
 	;;
-      sco*)
-	case $cc_basename in
-	  CC)
-	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC'
-	    ;;
-	  *)
-	    ;;
-	esac
-	;;
       solaris*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.2, 5.x and Centerline C++
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld '
 	    ;;
-	  gcx)
+	  gcx*)
 	    # Green Hills C++ Compiler
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-PIC'
 	    ;;
@@ -4789,12 +5244,12 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       sunos4*)
 	case $cc_basename in
-	  CC)
+	  CC*)
 	    # Sun C++ 4.x
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
 	    ;;
-	  lcc)
+	  lcc*)
 	    # Lucid
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
 	    ;;
@@ -4804,7 +5259,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	;;
       tandem*)
 	case $cc_basename in
-	  NCC)
+	  NCC*)
 	    # NonStop-UX NCC 3.20
 	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	    ;;
@@ -4812,7 +5267,14 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
 	    ;;
 	esac
 	;;
-      unixware*)
+      sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+	case $cc_basename in
+	  CC*)
+	    _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	    _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	    _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	    ;;
+	esac
 	;;
       vxworks*)
 	;;
@@ -4843,14 +5305,17 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4'
       ;;
 
-    beos* | cygwin* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
+    beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*)
       # PIC is the default for these OSes.
       ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      # Although the cygwin gcc ignores -fPIC, still need this for old-style
+      # (--disable-auto-import) libraries
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
       ;;
 
     darwin* | rhapsody*)
@@ -4859,6 +5324,11 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common'
       ;;
 
+    interix[[3-9]]*)
+      # Interix 3.x gcc -fpic/-fPIC options generate broken code.
+      # Instead, we relocate shared libraries at runtime.
+      ;;
+
     msdosdjgpp*)
       # Just because we use GCC doesn't mean we suddenly get shared libraries
       # on systems that don't support them.
@@ -4875,7 +5345,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
     hpux*)
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -4904,7 +5374,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       darwin*)
         # PIC is the default on this platform
         # Common symbols not allowed in MH_DYLIB files
-       case "$cc_basename" in
+       case $cc_basename in
          xlc*)
          _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-qnocommon'
          _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
@@ -4912,17 +5382,18 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
        esac
        ;;
 
-    mingw* | pw32* | os2*)
+    mingw* | cygwin* | pw32* | os2*)
       # This hack is so that the source file can tell whether it is being
       # built for inclusion in a dll (and should export symbols for example).
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'
+      m4_if([$1], [GCJ], [],
+	[_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT'])
       ;;
 
     hpux9* | hpux10* | hpux11*)
       _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but
       # not for PA HP-UX.
-      case "$host_cpu" in
+      case $host_cpu in
       hppa*64*|ia64*)
 	# +Z the default
 	;;
@@ -4945,18 +5416,41 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       ;;
 
-    linux*)
-      case $CC in
+    linux* | k*bsd*-gnu)
+      case $cc_basename in
       icc* | ecc*)
 	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
 	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
 	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-static'
         ;;
+      pgcc* | pgf77* | pgf90* | pgf95*)
+        # Portland Group compilers (*not* the Pentium gcc compiler,
+	# which looks to be a dead project)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-fpic'
+	_LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+        ;;
       ccc*)
         _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
         # All Alpha code is PIC.
         _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
         ;;
+      *)
+        case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)
+	  # Sun C 5.9
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+	  ;;
+	*Sun\ F*)
+	  # Sun Fortran 8.3 passes all unrecognized flags to the linker
+	  _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+	  _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+	  _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)=''
+	  ;;
+	esac
+	;;
       esac
       ;;
 
@@ -4966,15 +5460,19 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
-    sco3.2v5*)
-      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-Kpic'
-      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-dn'
+    rdos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-non_shared'
       ;;
 
     solaris*)
-      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      case $cc_basename in
+      f77* | f90* | f95*)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';;
+      *)
+	_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';;
+      esac
       ;;
 
     sunos4*)
@@ -4983,7 +5481,7 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
       ;;
 
-    sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*)
+    sysv4 | sysv4.2uw2* | sysv4.3*)
       _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -4996,6 +5494,17 @@ AC_MSG_CHECKING([for $compiler option to produce PIC])
       fi
       ;;
 
+    sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC'
+      _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
+      ;;
+
+    unicos*)
+      _LT_AC_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,'
+      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no
+      ;;
+
     uts4*)
       _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)='-pic'
       _LT_AC_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic'
@@ -5014,7 +5523,7 @@ AC_MSG_RESULT([$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)])
 #
 if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
   AC_LIBTOOL_COMPILER_OPTION([if $compiler PIC flag $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) works],
-    _LT_AC_TAGVAR(lt_prog_compiler_pic_works, $1),
+    _LT_AC_TAGVAR(lt_cv_prog_compiler_pic_works, $1),
     [$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])], [],
     [case $_LT_AC_TAGVAR(lt_prog_compiler_pic, $1) in
      "" | " "*) ;;
@@ -5023,7 +5532,7 @@ if test -n "$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)"; then
     [_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
      _LT_AC_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no])
 fi
-case "$host_os" in
+case $host_os in
   # For platforms which do not support PIC, -DPIC is meaningless:
   *djgpp*)
     _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)=
@@ -5032,6 +5541,16 @@ case "$host_os" in
     _LT_AC_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)ifelse([$1],[],[ -DPIC],[ifelse([$1],[CXX],[ -DPIC],[])])"
     ;;
 esac
+
+#
+# Check to make sure the static flag actually works.
+#
+wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_AC_TAGVAR(lt_prog_compiler_static, $1)\"
+AC_LIBTOOL_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works],
+  _LT_AC_TAGVAR(lt_cv_prog_compiler_static_works, $1),
+  $lt_tmp_static_flag,
+  [],
+  [_LT_AC_TAGVAR(lt_prog_compiler_static, $1)=])
 ])
 
 
@@ -5039,11 +5558,12 @@ esac
 # ------------------------------------
 # See if the linker supports building shared libraries.
 AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS],
-[AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
+[AC_REQUIRE([LT_AC_PROG_SED])dnl
+AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries])
 ifelse([$1],[CXX],[
   _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   case $host_os in
-  aix4* | aix5*)
+  aix[[4-9]]*)
     # If we're using GNU nm, then we don't want the "-C" option.
     # -C means demangle to AIX nm, but means don't demangle with GNU nm
     if $NM -V 2>&1 | grep 'GNU' > /dev/null; then
@@ -5056,12 +5576,13 @@ ifelse([$1],[CXX],[
     _LT_AC_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds"
   ;;
   cygwin* | mingw*)
-    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+    _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
   ;;
   *)
     _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols'
   ;;
   esac
+  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
 ],[
   runpath_var=
   _LT_AC_TAGVAR(allow_undefined_flag, $1)=
@@ -5092,14 +5613,17 @@ ifelse([$1],[CXX],[
   # it will be wrapped by ` (' and `)$', so one must not match beginning or
   # end of line.  Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc',
   # as well as any symbol that contains `d'.
-  _LT_AC_TAGVAR(exclude_expsyms, $1)="_GLOBAL_OFFSET_TABLE_"
+  _LT_AC_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*']
   # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out
   # platforms (ab)use it in PIC code, but their linkers get confused if
   # the symbol is explicitly referenced.  Since portable code cannot
   # rely on this symbol name, it's probably fine to never include it in
   # preloaded symbol tables.
+  # Exclude shared library initialization/finalization symbols.
+dnl Note also adjust exclude_expsyms for C++ above.
   extract_expsyms_cmds=
-
+  # Just being paranoid about ensuring that cc_basename is set.
+  _LT_CC_BASENAME([$compiler])
   case $host_os in
   cygwin* | mingw* | pw32*)
     # FIXME: the MSVC++ port hasn't been tested in a loooong time
@@ -5109,6 +5633,10 @@ ifelse([$1],[CXX],[
       with_gnu_ld=no
     fi
     ;;
+  interix*)
+    # we just hope/assume this is gcc and not c89 (= MSVC++)
+    with_gnu_ld=yes
+    ;;
   openbsd*)
     with_gnu_ld=no
     ;;
@@ -5119,9 +5647,30 @@ ifelse([$1],[CXX],[
     # If archive_cmds runs LD, not CC, wlarc should be empty
     wlarc='${wl}'
 
+    # Set some defaults for GNU ld with shared library support. These
+    # are reset later if shared libraries are not supported. Putting them
+    # here allows them to be overridden if necessary.
+    runpath_var=LD_RUN_PATH
+    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
+    _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
+    # ancient GNU ld didn't support --whole-archive et. al.
+    if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
+	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
+      else
+  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
+    fi
+    supports_anon_versioning=no
+    case `$LD -v 2>/dev/null` in
+      *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
+      *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
+      *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
+      *\ 2.11.*) ;; # other 2.11 versions
+      *) supports_anon_versioning=yes ;;
+    esac
+
     # See if GNU ld supports shared libraries.
     case $host_os in
-    aix3* | aix4* | aix5*)
+    aix[[3-9]]*)
       # On AIX/PPC, the GNU linker is very broken
       if test "$host_cpu" != ia64; then
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
@@ -5169,10 +5718,10 @@ EOF
       _LT_AC_TAGVAR(allow_undefined_flag, $1)=unsupported
       _LT_AC_TAGVAR(always_export_symbols, $1)=no
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
-      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGS]] /s/.* \([[^ ]]*\)/\1 DATA/'\'' | $SED -e '\''/^[[AITW]] /s/.* //'\'' | sort | uniq > $export_symbols'
+      _LT_AC_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/'\'' -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols'
 
       if $LD --help 2>&1 | grep 'auto-import' > /dev/null; then
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000 ${wl}--out-implib,$lib'
+        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
 	# If the export-symbols file already is a .def file (1st line
 	# is EXPORTS), use it as is; otherwise, prepend...
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then
@@ -5181,9 +5730,64 @@ EOF
 	  echo EXPORTS > $output_objdir/$soname.def;
 	  cat $export_symbols >> $output_objdir/$soname.def;
 	fi~
-	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--image-base=0x10000000  ${wl}--out-implib,$lib'
+	$CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib'
+      else
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+      fi
+      ;;
+
+    interix[[3-9]]*)
+      _LT_AC_TAGVAR(hardcode_direct, $1)=no
+      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc.
+      # Instead, shared libraries are loaded at an image base (0x10000000 by
+      # default) and relocated if they conflict, which is a slow very memory
+      # consuming and fragmenting process.  To avoid this, we pick a random,
+      # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link
+      # time.  Moving up from 0x10000000 also allows more sbrk(2) space.
+      _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib'
+      ;;
+
+    gnu* | linux* | k*bsd*-gnu)
+      if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	tmp_addflag=
+	case $cc_basename,$host_cpu in
+	pgcc*)				# Portland Group C compiler
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag'
+	  ;;
+	pgf77* | pgf90* | pgf95*)	# Portland Group f77 and f90 compilers
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test  -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_addflag=' $pic_flag -Mnomain' ;;
+	ecc*,ia64* | icc*,ia64*)		# Intel C compiler on ia64
+	  tmp_addflag=' -i_dynamic' ;;
+	efc*,ia64* | ifort*,ia64*)	# Intel Fortran compiler on ia64
+	  tmp_addflag=' -i_dynamic -nofor_main' ;;
+	ifc* | ifort*)			# Intel Fortran compiler
+	  tmp_addflag=' -nofor_main' ;;
+	esac
+	case `$CC -V 2>&1 | sed 5q` in
+	*Sun\ C*)			# Sun C 5.9
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; $echo \"$new_convenience\"` ${wl}--no-whole-archive'
+	  tmp_sharedflag='-G' ;;
+	*Sun\ F*)			# Sun Fortran 8.3
+	  tmp_sharedflag='-G' ;;
+	*)
+	  tmp_sharedflag='-shared' ;;
+	esac
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
+
+	if test $supports_anon_versioning = yes; then
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
+  cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
+  $echo "local: *; };" >> $output_objdir/$libname.ver~
+	  $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
+	fi
       else
-	ld_shlibs=no
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
       fi
       ;;
 
@@ -5197,7 +5801,7 @@ EOF
       fi
       ;;
 
-    solaris* | sysv5*)
+    solaris*)
       if $LD -v 2>&1 | grep 'BFD 2\.8' > /dev/null; then
 	_LT_AC_TAGVAR(ld_shlibs, $1)=no
 	cat <<EOF 1>&2
@@ -5218,6 +5822,33 @@ EOF
       fi
       ;;
 
+    sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*)
+      case `$LD -v 2>&1` in
+        *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*)
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
+	cat <<_LT_EOF 1>&2
+
+*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not
+*** reliably create shared libraries on SCO systems.  Therefore, libtool
+*** is disabling shared libraries support.  We urge you to upgrade GNU
+*** binutils to release 2.16.91.0.3 or newer.  Another option is to modify
+*** your PATH or compiler configuration so that the native linker is
+*** used, and then restart.
+
+_LT_EOF
+	;;
+	*)
+	  if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
+	    _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-rpath,$libdir`'
+	    _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib'
+	    _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname,\${SCOABSPATH:+${install_libdir}/}$soname,-retain-symbols-file,$export_symbols -o $lib'
+	  else
+	    _LT_AC_TAGVAR(ld_shlibs, $1)=no
+	  fi
+	;;
+      esac
+      ;;
+
     sunos4*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags'
       wlarc=
@@ -5225,31 +5856,6 @@ EOF
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-  linux*)
-    if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
-        tmp_archive_cmds='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
-	_LT_AC_TAGVAR(archive_cmds, $1)="$tmp_archive_cmds"
-      supports_anon_versioning=no
-      case `$LD -v 2>/dev/null` in
-        *\ [01].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11
-        *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ...
-        *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ...
-        *\ 2.11.*) ;; # other 2.11 versions
-        *) supports_anon_versioning=yes ;;
-      esac
-      if test $supports_anon_versioning = yes; then
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $output_objdir/$libname.ver~
-cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~
-$echo "local: *; };" >> $output_objdir/$libname.ver~
-        $CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib'
-      else
-        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="$tmp_archive_cmds"
-      fi
-    else
-      _LT_AC_TAGVAR(ld_shlibs, $1)=no
-    fi
-    ;;
-
     *)
       if $LD --help 2>&1 | grep ': supported targets:.* elf' > /dev/null; then
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib'
@@ -5260,16 +5866,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
     esac
 
-    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = yes; then
-      runpath_var=LD_RUN_PATH
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir'
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic'
-      # ancient GNU ld didn't support --whole-archive et. al.
-      if $LD --help 2>&1 | grep 'no-whole-archive' > /dev/null; then
- 	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive'
-      else
-  	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
-      fi
+    if test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no; then
+      runpath_var=
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)=
+      _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=
     fi
   else
     # PORTME fill in a description of your system's linker (not GNU ld)
@@ -5281,14 +5882,14 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # Note: this linker hardcodes the directories in LIBPATH if there
       # are no directories specified by -L.
       _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-      if test "$GCC" = yes && test -z "$link_static_flag"; then
+      if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then
 	# Neither direct hardcoding nor static linking is supported with a
 	# broken collect2.
 	_LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
       fi
       ;;
 
-    aix4* | aix5*)
+    aix[[4-9]]*)
       if test "$host_cpu" = ia64; then
 	# On IA64, the linker does run time linking by default, so we don't
 	# have to do anything special.
@@ -5308,13 +5909,14 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 	# Test if we are trying to use run time linking or normal
 	# AIX style linking. If -brtl is somewhere in LDFLAGS, we
 	# need to do runtime linking.
-	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix5*)
+	case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*)
 	  for ld_flag in $LDFLAGS; do
   	  if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then
   	    aix_use_runtimelinking=yes
   	    break
   	  fi
 	  done
+	  ;;
 	esac
 
 	exp_sym_flag='-bexport'
@@ -5333,7 +5935,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
 
       if test "$GCC" = yes; then
-	case $host_os in aix4.[012]|aix4.[012].*)
+	case $host_os in aix4.[[012]]|aix4.[[012]].*)
 	# We only want to do this on AIX 4.2 and lower, the check
 	# below for broken collect2 doesn't work under 4.3+
 	  collect2name=`${CC} -print-prog-name=collect2`
@@ -5341,7 +5943,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	   strings "$collect2name" | grep resolve_lib_name >/dev/null
 	  then
   	  # We have reworked collect2
-  	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
+  	  :
 	  else
   	  # We have old collect2
   	  _LT_AC_TAGVAR(hardcode_direct, $1)=unsupported
@@ -5352,8 +5954,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
   	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=
 	  fi
+	  ;;
 	esac
 	shared_flag='-shared'
+	if test "$aix_use_runtimelinking" = yes; then
+	  shared_flag="$shared_flag "'${wl}-G'
+	fi
       else
 	# not using gcc
 	if test "$host_cpu" = ia64; then
@@ -5361,11 +5967,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
   	# chokes on -Wl,-G. The following line is correct:
 	  shared_flag='-G'
 	else
-  	if test "$aix_use_runtimelinking" = yes; then
+	  if test "$aix_use_runtimelinking" = yes; then
 	    shared_flag='${wl}-G'
 	  else
 	    shared_flag='${wl}-bM:SRE'
-  	fi
+	  fi
 	fi
       fi
 
@@ -5379,12 +5985,12 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
        # Determine the default libpath from the value encoded in an empty executable.
        _LT_AC_SYS_LIBPATH_AIX
        _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath"
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols $shared_flag"
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then echo "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag"
        else
 	if test "$host_cpu" = ia64; then
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib'
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)="-z nodefs"
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$no_entry_flag \${wl}$exp_sym_flag:\$export_symbols"
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols"
 	else
 	 # Determine the default libpath from the value encoded in an empty executable.
 	 _LT_AC_SYS_LIBPATH_AIX
@@ -5393,13 +5999,11 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 	  # -berok will link without error, but may produce a broken library.
 	  _LT_AC_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok'
 	  _LT_AC_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok'
-	  # -bexpall does not export symbols beginning with underscore (_)
-	  _LT_AC_TAGVAR(always_export_symbols, $1)=yes
 	  # Exported symbols can be pulled into shared objects from archives
-	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)=' '
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='$convenience'
 	  _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=yes
-	  # This is similar to how AIX traditionally builds it's shared libraries.
-	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs $compiler_flags ${wl}-bE:$export_symbols ${wl}-bnoentry${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
+	  # This is similar to how AIX traditionally builds its shared libraries.
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname'
 	fi
       fi
       ;;
@@ -5432,13 +6036,13 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       # The linker will automatically build a .lib file if we build a DLL.
       _LT_AC_TAGVAR(old_archive_From_new_cmds, $1)='true'
       # FIXME: Should let the user specify the lib program.
-      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib /OUT:$oldlib$oldobjs$old_deplibs'
-      fix_srcfile_path='`cygpath -w "$srcfile"`'
+      _LT_AC_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs'
+      _LT_AC_TAGVAR(fix_srcfile_path, $1)='`cygpath -w "$srcfile"`'
       _LT_AC_TAGVAR(enable_shared_with_static_runtimes, $1)=yes
       ;;
 
     darwin* | rhapsody*)
-      case "$host_os" in
+      case $host_os in
         rhapsody* | darwin1.[[012]])
          _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-undefined ${wl}suppress'
          ;;
@@ -5465,19 +6069,18 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
     if test "$GCC" = yes ; then
     	output_verbose_link_cmd='echo'
-        _LT_AC_TAGVAR(archive_cmds, $1)='$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring'
-      _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-      # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -dynamiclib $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags -install_name $rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
-      _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+        _LT_AC_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}"
+        _LT_AC_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}"
+        _LT_AC_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}"
+        _LT_AC_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}"
     else
-      case "$cc_basename" in
+      case $cc_basename in
         xlc*)
          output_verbose_link_cmd='echo'
-         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $verstring'
+         _LT_AC_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}`echo $rpath/$soname` $xlcverstring'
          _LT_AC_TAGVAR(module_cmds, $1)='$CC $allow_undefined_flag -o $lib -bundle $libobjs $deplibs$compiler_flags'
-          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin ld's
-         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $verstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
+          # Don't fix this by using the ld -exported_symbols_list flag, it doesn't exist in older darwin lds
+         _LT_AC_TAGVAR(archive_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC -qmkshrobj $allow_undefined_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-install_name ${wl}$rpath/$soname $xlcverstring~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
           _LT_AC_TAGVAR(module_expsym_cmds, $1)='sed -e "s,#.*,," -e "s,^[    ]*,," -e "s,^\(..*\),_&," < $export_symbols > $output_objdir/${libname}-symbols.expsym~$CC $allow_undefined_flag  -o $lib -bundle $libobjs $deplibs$compiler_flags~nmedit -s $output_objdir/${libname}-symbols.expsym ${lib}'
           ;;
        *)
@@ -5517,7 +6120,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
 
     # FreeBSD 3 and greater uses gcc -shared to do shared libraries.
-    freebsd* | kfreebsd*-gnu)
+    freebsd* | dragonfly*)
       _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -o $lib $libobjs $deplibs $compiler_flags'
       _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
       _LT_AC_TAGVAR(hardcode_direct, $1)=yes
@@ -5540,47 +6143,62 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
       ;;
 
-    hpux10* | hpux11*)
+    hpux10*)
       if test "$GCC" = yes -a "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*|ia64*)
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+      fi
+      if test "$with_gnu_ld" = no; then
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+
+	# hardcode_minus_L: Not really in the search PATH,
+	# but as the default location of the library.
+	_LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
+      fi
+      ;;
+
+    hpux11*)
+      if test "$GCC" = yes -a "$with_gnu_ld" = no; then
+	case $host_cpu in
+	hppa*64*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
 	*)
 	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared -fPIC ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       else
-	case "$host_cpu" in
-	hppa*64*|ia64*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname -o $lib $libobjs $deplibs $linker_flags'
+	case $host_cpu in
+	hppa*64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	  ;;
+	ia64*)
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	*)
-	  _LT_AC_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'
 	  ;;
 	esac
       fi
       if test "$with_gnu_ld" = no; then
-	case "$host_cpu" in
-	hppa*64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
+	_LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
+
+	case $host_cpu in
+	hppa*64*|ia64*)
 	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec_ld, $1)='+b $libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
 	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
 	  ;;
-	ia64*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir'
-	  _LT_AC_TAGVAR(hardcode_direct, $1)=no
-	  _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-
-	  # hardcode_minus_L: Not really in the search PATH,
-	  # but as the default location of the library.
-	  _LT_AC_TAGVAR(hardcode_minus_L, $1)=yes
-	  ;;
 	*)
-	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir'
-	  _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
 	  _LT_AC_TAGVAR(hardcode_direct, $1)=yes
 	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
 
@@ -5624,24 +6242,28 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       ;;
 
     openbsd*)
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
-	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	_LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+      if test -f /usr/libexec/ld.so; then
+	_LT_AC_TAGVAR(hardcode_direct, $1)=yes
+	_LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+	if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then
+	  _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	  _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols'
+	  _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	  _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E'
+	else
+	  case $host_os in
+	   openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
+	     _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
+	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
+	     ;;
+	   *)
+	     _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
+	     _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
+	     ;;
+	  esac
+        fi
       else
-       case $host_os in
-	 openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*)
-	   _LT_AC_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags'
-	   _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir'
-	   ;;
-	 *)
-	   _LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags'
-	   _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir'
-	   ;;
-       esac
+	_LT_AC_TAGVAR(ld_shlibs, $1)=no
       fi
       ;;
 
@@ -5674,7 +6296,7 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 	_LT_AC_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*'
 	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -shared${allow_undefined_flag} $libobjs $deplibs $linker_flags -msym -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; echo "-hidden">> $lib.exp~
-	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${objdir}/so_locations -o $lib~$rm $lib.exp'
+	$LD -shared${allow_undefined_flag} -input $lib.exp $linker_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && echo -set_version $verstring` -update_registry ${output_objdir}/so_locations -o $lib~$rm $lib.exp'
 
 	# Both c and cxx compiler support -rpath directly
 	_LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir'
@@ -5682,21 +6304,15 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=:
       ;;
 
-    sco3.2v5*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
-      runpath_var=LD_RUN_PATH
-      hardcode_runpath_var=yes
-      ;;
-
     solaris*)
       _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
       if test "$GCC" = yes; then
+	wlarc='${wl}'
 	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
 	  $CC -shared ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$rm $lib.exp'
       else
+	wlarc=''
 	_LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
 	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
   	$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
@@ -5705,8 +6321,17 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       case $host_os in
       solaris2.[[0-5]] | solaris2.[[0-5]].*) ;;
-      *) # Supported since Solaris 2.6 (maybe 2.5.1?)
-	_LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' ;;
+      *)
+	# The compiler driver will combine and reorder linker options,
+	# but understands `-z linker_flag'.  GCC discards it without `$wl',
+	# but is careful enough not to reorder.
+ 	# Supported since Solaris 2.6 (maybe 2.5.1?)
+	if test "$GCC" = yes; then
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract'
+	else
+	  _LT_AC_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract'
+	fi
+	;;
       esac
       _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
       ;;
@@ -5763,36 +6388,45 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
       fi
       ;;
 
-    sysv4.2uw2*)
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(hardcode_direct, $1)=yes
-      _LT_AC_TAGVAR(hardcode_minus_L, $1)=no
+    sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*)
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
-      hardcode_runpath_var=yes
-      runpath_var=LD_RUN_PATH
-      ;;
+      runpath_var='LD_RUN_PATH'
 
-   sysv5OpenUNIX8* | sysv5UnixWare7* |  sysv5uw[[78]]* | unixware7*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z ${wl}text'
       if test "$GCC" = yes; then
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       else
-	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags'
       fi
-      runpath_var='LD_RUN_PATH'
-      _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
       ;;
 
-    sysv5*)
-      _LT_AC_TAGVAR(no_undefined_flag, $1)=' -z text'
-      # $CC -shared without GNU ld will not create a library from C++
-      # object files and a static libstdc++, better avoid it by now
-      _LT_AC_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags'
-      _LT_AC_TAGVAR(archive_expsym_cmds, $1)='$echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~$echo "local: *; };" >> $lib.exp~
-  		$LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$rm $lib.exp'
-      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)=
+    sysv5* | sco3.2v5* | sco5v6*)
+      # Note: We can NOT use -z defs as we might desire, because we do not
+      # link with -lc, and that would cause any symbols used from libc to
+      # always be unresolved, which means just about no library would
+      # ever link correctly.  If we're not using GNU ld we use -z text
+      # though, which does catch some bad symbols but isn't as heavy-handed
+      # as -z defs.
+      _LT_AC_TAGVAR(no_undefined_flag, $1)='${wl}-z,text'
+      _LT_AC_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs'
+      _LT_AC_TAGVAR(archive_cmds_need_lc, $1)=no
       _LT_AC_TAGVAR(hardcode_shlibpath_var, $1)=no
+      _LT_AC_TAGVAR(hardcode_libdir_flag_spec, $1)='`test -z "$SCOABSPATH" && echo ${wl}-R,$libdir`'
+      _LT_AC_TAGVAR(hardcode_libdir_separator, $1)=':'
+      _LT_AC_TAGVAR(link_all_deplibs, $1)=yes
+      _LT_AC_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport'
       runpath_var='LD_RUN_PATH'
+
+      if test "$GCC" = yes; then
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      else
+	_LT_AC_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+	_LT_AC_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,\${SCOABSPATH:+${install_libdir}/}$soname -o $lib $libobjs $deplibs $compiler_flags'
+      fi
       ;;
 
     uts4*)
@@ -5810,11 +6444,6 @@ $echo "local: *; };" >> $output_objdir/$libname.ver~
 AC_MSG_RESULT([$_LT_AC_TAGVAR(ld_shlibs, $1)])
 test "$_LT_AC_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no
 
-variables_saved_for_relink="PATH $shlibpath_var $runpath_var"
-if test "$GCC" = yes; then
-  variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH"
-fi
-
 #
 # Do we need to explicitly link libc?
 #
@@ -5834,7 +6463,7 @@ x|xyes)
       # to ld, don't add -lc before -lgcc.
       AC_MSG_CHECKING([whether -lc should be explicitly linked in])
       $rm conftest*
-      printf "$lt_simple_compile_test_code" > conftest.$ac_ext
+      echo "$lt_simple_compile_test_code" > conftest.$ac_ext
 
       if AC_TRY_EVAL(ac_compile) 2>conftest.err; then
         soname=conftest
@@ -5842,6 +6471,7 @@ x|xyes)
         libobjs=conftest.$ac_objext
         deplibs=
         wl=$_LT_AC_TAGVAR(lt_prog_compiler_wl, $1)
+	pic_flag=$_LT_AC_TAGVAR(lt_prog_compiler_pic, $1)
         compiler_flags=-v
         linker_flags=-v
         verstring=
@@ -5936,6 +6566,30 @@ AC_DEFUN([LT_AC_PROG_RC],
 [AC_CHECK_TOOL(RC, windres, no)
 ])
 
+
+# Cheap backport of AS_EXECUTABLE_P and required macros
+# from Autoconf 2.59; we should not use $as_executable_p directly.
+
+# _AS_TEST_PREPARE
+# ----------------
+m4_ifndef([_AS_TEST_PREPARE],
+[m4_defun([_AS_TEST_PREPARE],
+[if test -x / >/dev/null 2>&1; then
+  as_executable_p='test -x'
+else
+  as_executable_p='test -f'
+fi
+])])# _AS_TEST_PREPARE
+
+# AS_EXECUTABLE_P
+# ---------------
+# Check whether a file is executable.
+m4_ifndef([AS_EXECUTABLE_P],
+[m4_defun([AS_EXECUTABLE_P],
+[AS_REQUIRE([_AS_TEST_PREPARE])dnl
+$as_executable_p $1[]dnl
+])])# AS_EXECUTABLE_P
+
 ############################################################
 # NOTE: This macro has been submitted for inclusion into   #
 #  GNU Autoconf as AC_PROG_SED.  When it is available in   #
@@ -5958,18 +6612,19 @@ do
   test -z "$as_dir" && as_dir=.
   for lt_ac_prog in sed gsed; do
     for ac_exec_ext in '' $ac_executable_extensions; do
-      if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then
+      if AS_EXECUTABLE_P(["$as_dir/$lt_ac_prog$ac_exec_ext"]); then
         lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext"
       fi
     done
   done
 done
+IFS=$as_save_IFS
 lt_ac_max=0
 lt_ac_count=0
 # Add /usr/xpg4/bin/sed as it is typically found on Solaris
 # along with /bin/sed that truncates output.
 for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
-  test ! -f $lt_ac_sed && break
+  test ! -f $lt_ac_sed && continue
   cat /dev/null > conftest.in
   lt_ac_count=0
   echo $ECHO_N "0123456789$ECHO_C" >conftest.in
@@ -5996,5 +6651,6 @@ for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do
 done
 ])
 SED=$lt_cv_path_SED
+AC_SUBST([SED])
 AC_MSG_RESULT([$SED])
 ])
diff --git a/ltmain.sh b/ltmain.sh
index e032aff..ce02bc6 100644
--- a/ltmain.sh
+++ b/ltmain.sh
@@ -1,8 +1,8 @@
 # ltmain.sh - Provide generalized library-building support services.
 # NOTE: Changing this file will not affect anything until you rerun configure.
 #
-# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004
-# Free Software Foundation, Inc.
+# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006,
+# 2007, 2008  Free Software Foundation, Inc.
 # Originally by Gordon Matzigkeit <gord@gnu.ai.mit.edu>, 1996
 #
 # This program is free software; you can redistribute it and/or modify
@@ -17,7 +17,7 @@
 #
 # You should have received a copy of the GNU General Public License
 # along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 #
 # As a special exception to the GNU General Public License, if you
 # distribute this file as part of a program that contains a
@@ -43,14 +43,22 @@ EXIT_FAILURE=1
 
 PROGRAM=ltmain.sh
 PACKAGE=libtool
-VERSION=1.5.10
-TIMESTAMP=" (1.1220.2.131 2004/09/19 12:46:56)"
-
-# See if we are running on zsh, and set the options which allow our
-# commands through without removal of \ escapes.
-if test -n "${ZSH_VERSION+set}" ; then
+VERSION=1.5.26
+TIMESTAMP=" (1.1220.2.492 2008/01/30 06:40:56)"
+
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '${1+"$@"}'='"$@"'
   setopt NO_GLOB_SUBST
+else
+  case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac
 fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
 
 # Check that we have a working $echo.
 if test "X$1" = X--no-reexec; then
@@ -88,14 +96,15 @@ rm="rm -f"
 Xsed="${SED}"' -e 1s/^X//'
 sed_quote_subst='s/\([\\`\\"$\\\\]\)/\\\1/g'
 # test EBCDIC or ASCII
-case `echo A|tr A '\301'` in
- A) # EBCDIC based system
-  SP2NL="tr '\100' '\n'"
-  NL2SP="tr '\r\n' '\100\100'"
+case `echo X|tr X '\101'` in
+ A) # ASCII based system
+    # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr
+  SP2NL='tr \040 \012'
+  NL2SP='tr \015\012 \040\040'
   ;;
- *) # Assume ASCII based system
-  SP2NL="tr '\040' '\012'"
-  NL2SP="tr '\015\012' '\040\040'"
+ *) # EBCDIC based system
+  SP2NL='tr \100 \n'
+  NL2SP='tr \r\n \100\100'
   ;;
 esac
 
@@ -104,16 +113,25 @@ esac
 # These must not be set unconditionally because not all systems understand
 # e.g. LANG=C (notably SCO).
 # We save the old values to restore during execute mode.
-if test "${LC_ALL+set}" = set; then
-  save_LC_ALL="$LC_ALL"; LC_ALL=C; export LC_ALL
-fi
-if test "${LANG+set}" = set; then
-  save_LANG="$LANG"; LANG=C; export LANG
+lt_env=
+for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+do
+  eval "if test \"\${$lt_var+set}\" = set; then
+	  save_$lt_var=\$$lt_var
+	  lt_env=\"$lt_var=\$$lt_var \$lt_env\"
+	  $lt_var=C
+	  export $lt_var
+	fi"
+done
+
+if test -n "$lt_env"; then
+  lt_env="env $lt_env"
 fi
 
 # Make sure IFS has a sensible default
-: ${IFS=" 	
-"}
+lt_nl='
+'
+IFS=" 	$lt_nl"
 
 if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
   $echo "$modename: not configured to build any kind of library" 1>&2
@@ -130,20 +148,62 @@ run=
 show="$echo"
 show_help=
 execute_dlfiles=
+duplicate_deps=no
+preserve_args=
 lo2o="s/\\.lo\$/.${objext}/"
 o2lo="s/\\.${objext}\$/.lo/"
+extracted_archives=
+extracted_serial=0
 
 #####################################
 # Shell function definitions:
 # This seems to be the best place for them
 
+# func_mktempdir [string]
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible.  If
+# given, STRING is the basename for that directory.
+func_mktempdir ()
+{
+    my_template="${TMPDIR-/tmp}/${1-$progname}"
+
+    if test "$run" = ":"; then
+      # Return a directory name, but don't create it in dry-run mode
+      my_tmpdir="${my_template}-$$"
+    else
+
+      # If mktemp works, use that first and foremost
+      my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+
+      if test ! -d "$my_tmpdir"; then
+	# Failing that, at least try and use $RANDOM to avoid a race
+	my_tmpdir="${my_template}-${RANDOM-0}$$"
+
+	save_mktempdir_umask=`umask`
+	umask 0077
+	$mkdir "$my_tmpdir"
+	umask $save_mktempdir_umask
+      fi
+
+      # If we're not in dry-run mode, bomb out on failure
+      test -d "$my_tmpdir" || {
+        $echo "cannot create temporary directory \`$my_tmpdir'" 1>&2
+	exit $EXIT_FAILURE
+      }
+    fi
+
+    $echo "X$my_tmpdir" | $Xsed
+}
+
+
 # func_win32_libid arg
 # return the library type of file 'arg'
 #
 # Need a lot of goo to handle *both* DLLs and import libs
 # Has to be a shell function in order to 'eat' the argument
 # that is supplied when $file_magic_command is called.
-func_win32_libid () {
+func_win32_libid ()
+{
   win32_libid_type="unknown"
   win32_fileres=`file -L $1 2>/dev/null`
   case $win32_fileres in
@@ -154,12 +214,17 @@ func_win32_libid () {
     if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | \
       $EGREP -e 'file format pe-i386(.*architecture: i386)?' >/dev/null ; then
       win32_nmres=`eval $NM -f posix -A $1 | \
-	sed -n -e '1,100{/ I /{x;/import/!{s/^/import/;h;p;};x;};}'`
-      if test "X$win32_nmres" = "Ximport" ; then
-        win32_libid_type="x86 archive import"
-      else
-        win32_libid_type="x86 archive static"
-      fi
+	$SED -n -e '1,100{
+		/ I /{
+			s,.*,import,
+			p
+			q
+			}
+		}'`
+      case $win32_nmres in
+      import*)  win32_libid_type="x86 archive import";;
+      *)        win32_libid_type="x86 archive static";;
+      esac
     fi
     ;;
   *DLL*)
@@ -183,7 +248,22 @@ func_win32_libid () {
 # Only attempt this if the compiler in the base compile
 # command doesn't match the default compiler.
 # arg is usually of the form 'gcc ...'
-func_infer_tag () {
+func_infer_tag ()
+{
+    # FreeBSD-specific: where we install compilers with non-standard names
+    tag_compilers_CC="*cc cc* *gcc gcc*"
+    tag_compilers_CXX="*c++ c++* *g++ g++*"
+    base_compiler=`set -- "$@"; echo $1`
+
+    # If $tagname isn't set, then try to infer if the default "CC" tag applies
+    if test -z "$tagname"; then
+      for zp in $tag_compilers_CC; do
+        case $base_compiler in
+	 $zp) tagname="CC"; break;;
+	esac
+      done
+    fi
+
     if test -n "$available_tags" && test -z "$tagname"; then
       CC_quoted=
       for arg in $CC; do
@@ -224,7 +304,22 @@ func_infer_tag () {
 	      break
 	      ;;
 	    esac
-	  fi
+
+	    # FreeBSD-specific: try compilers based on inferred tag
+	    if test -z "$tagname"; then
+	      eval "tag_compilers=\$tag_compilers_${z}"
+	      if test -n "$tag_compilers"; then
+		for zp in $tag_compilers; do
+		  case $base_compiler in   
+		    $zp) tagname=$z; break;;
+		  esac
+		done
+		if test -n "$tagname"; then
+		  break
+		fi
+	      fi
+            fi
+          fi
 	done
 	# If $tagname still isn't set, then no tagged configuration
 	# was found and let the user know that the "--tag" command
@@ -242,8 +337,25 @@ func_infer_tag () {
 }
 
 
+# func_extract_an_archive dir oldlib
+func_extract_an_archive ()
+{
+    f_ex_an_ar_dir="$1"; shift
+    f_ex_an_ar_oldlib="$1"
+
+    $show "(cd $f_ex_an_ar_dir && $AR x $f_ex_an_ar_oldlib)"
+    $run eval "(cd \$f_ex_an_ar_dir && $AR x \$f_ex_an_ar_oldlib)" || exit $?
+    if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then
+     :
+    else
+      $echo "$modename: ERROR: object name conflicts: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" 1>&2
+      exit $EXIT_FAILURE
+    fi
+}
+
 # func_extract_archives gentop oldlib ...
-func_extract_archives () {
+func_extract_archives ()
+{
     my_gentop="$1"; shift
     my_oldlibs=${1+"$@"}
     my_oldobjs=""
@@ -268,15 +380,25 @@ func_extract_archives () {
 	*) my_xabs=`pwd`"/$my_xlib" ;;
       esac
       my_xlib=`$echo "X$my_xlib" | $Xsed -e 's%^.*/%%'`
-      my_xdir="$my_gentop/$my_xlib"
+      my_xlib_u=$my_xlib
+      while :; do
+        case " $extracted_archives " in
+	*" $my_xlib_u "*)
+	  extracted_serial=`expr $extracted_serial + 1`
+	  my_xlib_u=lt$extracted_serial-$my_xlib ;;
+	*) break ;;
+	esac
+      done
+      extracted_archives="$extracted_archives $my_xlib_u"
+      my_xdir="$my_gentop/$my_xlib_u"
 
       $show "${rm}r $my_xdir"
       $run ${rm}r "$my_xdir"
       $show "$mkdir $my_xdir"
       $run $mkdir "$my_xdir"
-      status=$?
-      if test "$status" -ne 0 && test ! -d "$my_xdir"; then
-	exit $status
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$my_xdir"; then
+	exit $exit_status
       fi
       case $host in
       *-darwin*)
@@ -287,7 +409,7 @@ func_extract_archives () {
 	  cd $my_xdir || exit $?
 	  darwin_archive=$my_xabs
 	  darwin_curdir=`pwd`
-	  darwin_base_archive=`basename $darwin_archive`
+	  darwin_base_archive=`$echo "X$darwin_archive" | $Xsed -e 's%^.*/%%'`
 	  darwin_arches=`lipo -info "$darwin_archive" 2>/dev/null | $EGREP Architectures 2>/dev/null`
 	  if test -n "$darwin_arches"; then 
 	    darwin_arches=`echo "$darwin_arches" | $SED -e 's/.*are://'`
@@ -296,64 +418,33 @@ func_extract_archives () {
 	    for darwin_arch in  $darwin_arches ; do
 	      mkdir -p "unfat-$$/${darwin_base_archive}-${darwin_arch}"
 	      lipo -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}"
-	      # Remove the table of contents from the thin files.
-	      $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF 2>/dev/null || true
-	      $AR -d "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" __.SYMDEF\ SORTED 2>/dev/null || true
 	      cd "unfat-$$/${darwin_base_archive}-${darwin_arch}"
-	      $AR -xo "${darwin_base_archive}"
-	      rm "${darwin_base_archive}"
+	      func_extract_an_archive "`pwd`" "${darwin_base_archive}"
 	      cd "$darwin_curdir"
+	      $rm "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}"
 	    done # $darwin_arches
       ## Okay now we have a bunch of thin objects, gotta fatten them up :)
-	    darwin_filelist=`find unfat-$$ -type f | xargs basename | sort -u | $NL2SP`
+	    darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print| xargs basename | sort -u | $NL2SP`
 	    darwin_file=
 	    darwin_files=
 	    for darwin_file in $darwin_filelist; do
 	      darwin_files=`find unfat-$$ -name $darwin_file -print | $NL2SP`
 	      lipo -create -output "$darwin_file" $darwin_files
 	    done # $darwin_filelist
-	    rm -rf unfat-$$
+	    ${rm}r unfat-$$
 	    cd "$darwin_orig_dir"
 	  else
-	    cd $darwin_orig_dir
-	    (cd $my_xdir && $AR x $my_xabs) || exit $?
+	    cd "$darwin_orig_dir"
+ 	    func_extract_an_archive "$my_xdir" "$my_xabs"
 	  fi # $darwin_arches
 	fi # $run
-      ;;
-      *)
-	# We will extract separately just the conflicting names and we will
-	# no longer touch any unique names. It is faster to leave these
-	# extract automatically by $AR in one run.
-	$show "(cd $my_xdir && $AR x $my_xabs)"
-	$run eval "(cd \$my_xdir && $AR x \$my_xabs)" || exit $?
-	if ($AR t "$my_xabs" | sort | sort -uc >/dev/null 2>&1); then
-	  :
-	else
-	  $echo "$modename: warning: object name conflicts; renaming object files" 1>&2
-	  $echo "$modename: warning: to ensure that they will not overwrite" 1>&2
-	  $AR t "$my_xabs" | sort | uniq -cd | while read -r count name
-	  do
-	    i=1
-	    while test "$i" -le "$count"
-	    do
-	      # Put our $i before any first dot (extension)
-	      # Never overwrite any file
-	      name_to="$name"
-	      while test "X$name_to" = "X$name" || test -f "$my_xdir/$name_to"
-	      do
-		name_to=`$echo "X$name_to" | $Xsed -e "s/\([^.]*\)/\1-$i/"`
-	      done
-	      $show "(cd $my_xdir && $AR xN $i $my_xabs '$name' && $mv '$name' '$name_to')"
-	      $run eval "(cd \$my_xdir && $AR xN $i \$my_xabs '$name' && $mv '$name' '$name_to')" || exit $?
-	      i=`expr $i + 1`
-	    done
-	  done
-	fi
 	;;
+      *)
+        func_extract_an_archive "$my_xdir" "$my_xabs"
+        ;;
       esac
       my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | $NL2SP`
     done
-
     func_extract_archives_result="$my_oldobjs"
 }
 # End of Shell function definitions
@@ -362,6 +453,8 @@ func_extract_archives () {
 # Darwin sucks
 eval std_shrext=\"$shrext_cmds\"
 
+disable_libs=no
+
 # Parse our command line options once, thoroughly.
 while test "$#" -gt 0
 do
@@ -424,12 +517,13 @@ do
     ;;
 
   --version)
-    $echo "$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP"
-    $echo
-    $echo "Copyright (C) 2003  Free Software Foundation, Inc."
-    $echo "This is free software; see the source for copying conditions.  There is NO"
-    $echo "warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
-    exit $EXIT_SUCCESS
+    echo "\
+$PROGRAM (GNU $PACKAGE) $VERSION$TIMESTAMP
+
+Copyright (C) 2008  Free Software Foundation, Inc.
+This is free software; see the source for copying conditions.  There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
+    exit $?
     ;;
 
   --config)
@@ -438,7 +532,7 @@ do
     for tagname in $taglist; do
       ${SED} -n -e "/^# ### BEGIN LIBTOOL TAG CONFIG: $tagname$/,/^# ### END LIBTOOL TAG CONFIG: $tagname$/p" < "$progpath"
     done
-    exit $EXIT_SUCCESS
+    exit $?
     ;;
 
   --debug)
@@ -463,7 +557,7 @@ do
     else
       $echo "disable static libraries"
     fi
-    exit $EXIT_SUCCESS
+    exit $?
     ;;
 
   --finish) mode="finish" ;;
@@ -478,7 +572,11 @@ do
     preserve_args="$preserve_args $arg"
     ;;
 
-  --tag) prevopt="--tag" prev=tag ;;
+  --tag)
+    prevopt="--tag"
+    prev=tag
+    preserve_args="$preserve_args --tag"
+    ;;
   --tag=*)
     set tag "$optarg" ${1+"$@"}
     shift
@@ -510,6 +608,18 @@ if test -n "$prevopt"; then
   exit $EXIT_FAILURE
 fi
 
+case $disable_libs in
+no) 
+  ;;
+shared)
+  build_libtool_libs=no
+  build_old_libs=yes
+  ;;
+static)
+  build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+  ;;
+esac
+
 # If this variable is set in any of the actions, the command in it
 # will be execed at the end.  This prevents here-documents from being
 # left over by shells.
@@ -520,7 +630,7 @@ if test -z "$show_help"; then
   # Infer the operation mode.
   if test -z "$mode"; then
     $echo "*** Warning: inferring the mode of operation is deprecated." 1>&2
-    $echo "*** Future versions of Libtool will require -mode=MODE be specified." 1>&2
+    $echo "*** Future versions of Libtool will require --mode=MODE be specified." 1>&2
     case $nonopt in
     *cc | cc* | *++ | gcc* | *-gcc* | g++* | xlc*)
       mode=link
@@ -586,7 +696,7 @@ if test -z "$show_help"; then
 
     for arg
     do
-      case "$arg_mode" in
+      case $arg_mode in
       arg  )
 	# do not "continue".  Instead, add this to base_compile
 	lastarg="$arg"
@@ -668,7 +778,10 @@ if test -z "$show_help"; then
       case $lastarg in
       # Double-quote args containing other shell metacharacters.
       # Many Bourne shells cannot handle close brackets correctly
-      # in scan sets, so we specify it separately.
+      # in scan sets, and some SunOS ksh mistreat backslash-escaping
+      # in scan sets (worked around with variable expansion),
+      # and furthermore cannot handle '|' '&' '(' ')' in scan sets 
+      # at all, so we specify them separately.
       *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	lastarg="\"$lastarg\""
 	;;
@@ -706,9 +819,11 @@ if test -z "$show_help"; then
     *.class) xform=class ;;
     *.cpp) xform=cpp ;;
     *.cxx) xform=cxx ;;
-    *.f90) xform=f90 ;;
+    *.[fF][09]?) xform=[fF][09]. ;;
     *.for) xform=for ;;
     *.java) xform=java ;;
+    *.obj) xform=obj ;;
+    *.sx) xform=sx ;;
     esac
 
     libobj=`$echo "X$libobj" | $Xsed -e "s/\.$xform$/.lo/"`
@@ -742,6 +857,14 @@ if test -z "$show_help"; then
       esac
     done
 
+    qlibobj=`$echo "X$libobj" | $Xsed -e "$sed_quote_subst"`
+    case $qlibobj in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+	qlibobj="\"$qlibobj\"" ;;
+    esac
+    test "X$libobj" != "X$qlibobj" \
+	&& $echo "X$libobj" | grep '[]~#^*{};<>?"'"'"' 	&()|`$[]' \
+	&& $echo "$modename: libobj name \`$libobj' may not contain shell special characters."
     objname=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
     xdir=`$echo "X$obj" | $Xsed -e 's%/[^/]*$%%'`
     if test "X$xdir" = "X$obj"; then
@@ -814,12 +937,17 @@ compiler."
 	$run $rm $removelist
 	exit $EXIT_FAILURE
       fi
-      $echo $srcfile > "$lockfile"
+      $echo "$srcfile" > "$lockfile"
     fi
 
     if test -n "$fix_srcfile_path"; then
       eval srcfile=\"$fix_srcfile_path\"
     fi
+    qsrcfile=`$echo "X$srcfile" | $Xsed -e "$sed_quote_subst"`
+    case $qsrcfile in
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
+      qsrcfile="\"$qsrcfile\"" ;;
+    esac
 
     $run $rm "$libobj" "${libobj}T"
 
@@ -841,18 +969,18 @@ EOF
       fbsd_hideous_sh_bug=$base_compile
 
       if test "$pic_mode" != no; then
-	command="$base_compile $srcfile $pic_flag"
+	command="$base_compile $qsrcfile $pic_flag"
       else
 	# Don't build PIC code
-	command="$base_compile $srcfile"
+	command="$base_compile $qsrcfile"
       fi
 
       if test ! -d "${xdir}$objdir"; then
 	$show "$mkdir ${xdir}$objdir"
 	$run $mkdir ${xdir}$objdir
-	status=$?
-	if test "$status" -ne 0 && test ! -d "${xdir}$objdir"; then
-	  exit $status
+	exit_status=$?
+	if test "$exit_status" -ne 0 && test ! -d "${xdir}$objdir"; then
+	  exit $exit_status
 	fi
       fi
 
@@ -864,7 +992,7 @@ EOF
       $run $rm "$lobj" "$output_obj"
 
       $show "$command"
-      if $run eval "$command"; then :
+      if $run eval $lt_env "$command"; then :
       else
 	test -n "$output_obj" && $run $rm $removelist
 	exit $EXIT_FAILURE
@@ -924,9 +1052,9 @@ EOF
     if test "$build_old_libs" = yes; then
       if test "$pic_mode" != yes; then
 	# Don't build PIC code
-	command="$base_compile $srcfile"
+	command="$base_compile $qsrcfile"
       else
-	command="$base_compile $srcfile $pic_flag"
+	command="$base_compile $qsrcfile $pic_flag"
       fi
       if test "$compiler_c_o" = yes; then
 	command="$command -o $obj"
@@ -936,7 +1064,7 @@ EOF
       command="$command$suppress_output"
       $run $rm "$obj" "$output_obj"
       $show "$command"
-      if $run eval "$command"; then :
+      if $run eval $lt_env "$command"; then :
       else
 	$run $rm $removelist
 	exit $EXIT_FAILURE
@@ -1055,6 +1183,7 @@ EOF
     no_install=no
     objs=
     non_pic_objects=
+    notinst_path= # paths that contain not-installed libtool libraries
     precious_files_regex=
     prefer_static_libs=no
     preload=no
@@ -1068,6 +1197,7 @@ EOF
     thread_safe=no
     vinfo=
     vinfo_number=no
+    single_module="${wl}-single_module"
 
     func_infer_tag $base_compile
 
@@ -1075,22 +1205,32 @@ EOF
     for arg
     do
       case $arg in
-      -all-static | -static)
-	if test "X$arg" = "X-all-static"; then
+      -all-static | -static | -static-libtool-libs)
+	case $arg in
+	-all-static)
 	  if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then
 	    $echo "$modename: warning: complete static linking is impossible in this configuration" 1>&2
 	  fi
 	  if test -n "$link_static_flag"; then
 	    dlopen_self=$dlopen_self_static
 	  fi
-	else
+	  prefer_static_libs=yes
+	  ;;
+	-static)
 	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
 	    dlopen_self=$dlopen_self_static
 	  fi
-	fi
+	  prefer_static_libs=built
+	  ;;
+	-static-libtool-libs)
+	  if test -z "$pic_flag" && test -n "$link_static_flag"; then
+	    dlopen_self=$dlopen_self_static
+	  fi
+	  prefer_static_libs=yes
+	  ;;
+	esac
 	build_libtool_libs=no
 	build_old_libs=yes
-	prefer_static_libs=yes
 	break
 	;;
       esac
@@ -1265,6 +1405,11 @@ EOF
 		  if test -z "$pic_object" || test "$pic_object" = none ; then
 		    arg="$non_pic_object"
 		  fi
+		else
+		  # If the PIC object exists, use it instead.
+		  # $xdir was prepended to $pic_object above.
+		  non_pic_object="$pic_object"
+		  non_pic_objects="$non_pic_objects $non_pic_object"
 		fi
 	      else
 		# Only an error if not doing a dry-run.
@@ -1348,6 +1493,13 @@ EOF
 	  prev=
 	  continue
 	  ;;
+	darwin_framework|darwin_framework_skip)
+	  test "$prev" = "darwin_framework" && compiler_flags="$compiler_flags $arg"
+	  compile_command="$compile_command $arg"
+	  finalize_command="$finalize_command $arg"
+	  prev=
+	  continue
+	  ;;
 	*)
 	  eval "$prev=\"\$arg\""
 	  prev=
@@ -1406,6 +1558,18 @@ EOF
 	continue
 	;;
 
+      -framework|-arch|-isysroot)
+	case " $CC " in
+	  *" ${arg} ${1} "* | *" ${arg}	${1} "*) 
+		prev=darwin_framework_skip ;;
+	  *) compiler_flags="$compiler_flags $arg"
+	     prev=darwin_framework ;;
+	esac
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+	continue
+	;;
+
       -inst-prefix-dir)
 	prev=inst_prefix
 	continue
@@ -1432,7 +1596,8 @@ EOF
 	  absdir=`cd "$dir" && pwd`
 	  if test -z "$absdir"; then
 	    $echo "$modename: cannot determine absolute directory name of \`$dir'" 1>&2
-	    exit $EXIT_FAILURE
+	    absdir="$dir"
+	    notinst_path="$notinst_path $dir"
 	  fi
 	  dir="$absdir"
 	  ;;
@@ -1446,10 +1611,15 @@ EOF
 	esac
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$dir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$dir:"*) ;;
 	  *) dllsearchpath="$dllsearchpath:$dir";;
 	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
 	  ;;
 	esac
 	continue
@@ -1458,15 +1628,15 @@ EOF
       -l*)
 	if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then
 	  case $host in
-	  *-*-cygwin* | *-*-pw32* | *-*-beos*)
+	  *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos*)
 	    # These systems don't actually have a C or math library (as such)
 	    continue
 	    ;;
-	  *-*-mingw* | *-*-os2*)
+	  *-*-os2*)
 	    # These systems don't actually have a C library (as such)
 	    test "X$arg" = "X-lc" && continue
 	    ;;
-	  *-*-openbsd* | *-*-freebsd*)
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	    # Do not include libc due to us having libc/libc_r.
 	    test "X$arg" = "X-lc" && continue
 	    ;;
@@ -1474,10 +1644,19 @@ EOF
 	    # Rhapsody C and math libraries are in the System framework
 	    deplibs="$deplibs -framework System"
 	    continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
+	    test "X$arg" = "X-lc" && continue
+	    ;;
 	  esac
 	elif test "X$arg" = "X-lc_r"; then
 	 case $host in
-	 *-*-openbsd* | *-*-freebsd*)
+	 *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	   # Do not include libc_r directly, use -pthread flag.
 	   continue
 	   ;;
@@ -1487,19 +1666,26 @@ EOF
 	continue
 	;;
 
-     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
-	case $host in
-	*-*-freebsd*)
-	   compile_command="$compile_command $arg"
-	   finalize_command="$finalize_command $arg"
-	   ;;
-	*)
-	   case "$archive_cmds" in
-	     *"\$LD"*) ;;
-	     *) deplibs="$deplibs $arg";;
-	   esac
-	   ;;
-	esac
+      # Tru64 UNIX uses -model [arg] to determine the layout of C++
+      # classes, name mangling, and exception handling.
+      -model)
+	compile_command="$compile_command $arg"
+	compiler_flags="$compiler_flags $arg"
+	finalize_command="$finalize_command $arg"
+	prev=xcompiler
+	continue
+	;;
+
+     -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
+	compiler_flags="$compiler_flags $arg"
+	compile_command="$compile_command $arg"
+	finalize_command="$finalize_command $arg"
+	deplibs="$deplibs $arg"
+	continue
+	;;
+
+      -multi_module)
+	single_module="${wl}-multi_module"
 	continue
 	;;
 
@@ -1508,13 +1694,20 @@ EOF
 	continue
 	;;
 
-      # gcc -m* arguments should be passed to the linker via $compiler_flags
-      # in order to pass architecture information to the linker
-      # (e.g. 32 vs 64-bit).  This may also be accomplished via -Wl,-mfoo
-      # but this is not reliable with gcc because gcc may use -mfoo to
-      # select a different linker, different libraries, etc, while
-      # -Wl,-mfoo simply passes -mfoo to the linker.
-      -m*)
+      # -64, -mips[0-9] enable 64-bit mode on the SGI compiler
+      # -r[0-9][0-9]* specifies the processor on the SGI compiler
+      # -xarch=*, -xtarget=* enable 64-bit mode on the Sun compiler
+      # +DA*, +DD* enable 64-bit mode on the HP compiler
+      # -q* pass through compiler args for the IBM compiler
+      # -m* pass through architecture-specific compiler args for GCC
+      # -m*, -t[45]*, -txscale* pass through architecture-specific
+      # compiler args for GCC
+      # -p, -pg, --coverage, -fprofile-* pass through profiling flag for GCC
+      # -F/path gives path to uninstalled frameworks, gcc on darwin
+      # @file GCC response files
+      -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \
+      -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*)
+
 	# Unknown arguments in both finalize_command and compile_command need
 	# to be aesthetically quoted because they are evaled later.
 	arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
@@ -1525,9 +1718,7 @@ EOF
 	esac
         compile_command="$compile_command $arg"
         finalize_command="$finalize_command $arg"
-        if test "$with_gcc" = "yes" ; then
-          compiler_flags="$compiler_flags $arg"
-        fi
+        compiler_flags="$compiler_flags $arg"
         continue
         ;;
 
@@ -1543,9 +1734,9 @@ EOF
 
       -no-install)
 	case $host in
-	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin*)
 	  # The PATH hackery in wrapper scripts is required on Windows
-	  # in order for the loader to find any dlls it needs.
+	  # and Darwin in order for the loader to find any dlls it needs.
 	  $echo "$modename: warning: \`-no-install' is ignored for $host" 1>&2
 	  $echo "$modename: warning: assuming \`-no-fast-install' instead" 1>&2
 	  fast_install=no
@@ -1604,7 +1795,7 @@ EOF
 	continue
 	;;
 
-      -static)
+      -static | -static-libtool-libs)
 	# The effects of -static are defined in a previous loop.
 	# We used to do the same as -all-static on platforms that
 	# didn't have a PIC flag, but the assumption that the effects
@@ -1765,6 +1956,11 @@ EOF
 	    if test -z "$pic_object" || test "$pic_object" = none ; then
 	      arg="$non_pic_object"
 	    fi
+	  else
+	    # If the PIC object exists, use it instead.
+	    # $xdir was prepended to $pic_object above.
+	    non_pic_object="$pic_object"
+	    non_pic_objects="$non_pic_objects $non_pic_object"
 	  fi
 	else
 	  # Only an error if not doing a dry-run.
@@ -1870,9 +2066,9 @@ EOF
     if test ! -d "$output_objdir"; then
       $show "$mkdir $output_objdir"
       $run $mkdir $output_objdir
-      status=$?
-      if test "$status" -ne 0 && test ! -d "$output_objdir"; then
-	exit $status
+      exit_status=$?
+      if test "$exit_status" -ne 0 && test ! -d "$output_objdir"; then
+	exit $exit_status
       fi
     fi
 
@@ -1935,7 +2131,6 @@ EOF
     newlib_search_path=
     need_relink=no # whether we're linking any uninstalled libtool libraries
     notinst_deplibs= # not-installed libtool libraries
-    notinst_path= # paths that contain not-installed libtool libraries
     case $linkmode in
     lib)
 	passes="conv link"
@@ -1982,16 +2177,36 @@ EOF
 	lib=
 	found=no
 	case $deplib in
-	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe)
+	-mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe|-threads)
 	  if test "$linkmode,$pass" = "prog,link"; then
 	    compile_deplibs="$deplib $compile_deplibs"
 	    finalize_deplibs="$deplib $finalize_deplibs"
 	  else
-	    case "$archive_cmds" in
-	      *"\$LD"*) ;;
-	      *) deplibs="$deplibs $arg";;
-	    esac
+	    compiler_flags="$compiler_flags $deplib"
 	  fi
+
+	  case $linkmode in
+	  lib)
+	    deplibs="$deplib $deplibs"
+	    test "$pass" = conv && continue
+	    newdependency_libs="$deplib $newdependency_libs"
+	    ;;
+	  prog)
+	    if test "$pass" = conv; then
+	      deplibs="$deplib $deplibs"
+	      continue
+	    fi
+	    if test "$pass" = scan; then
+	      deplibs="$deplib $deplibs"
+	    else
+	      compile_deplibs="$deplib $compile_deplibs"
+	      finalize_deplibs="$deplib $finalize_deplibs"
+	    fi
+	    ;;
+	  *)
+	    ;;
+	  esac # linkmode
+
 	  continue
 	  ;;
 	-l*)
@@ -1999,12 +2214,13 @@ EOF
 	    $echo "$modename: warning: \`-l' is ignored for archives/objects" 1>&2
 	    continue
 	  fi
-	  if test "$pass" = conv; then
-	    deplibs="$deplib $deplibs"
-	    continue
-	  fi
 	  name=`$echo "X$deplib" | $Xsed -e 's/^-l//'`
-	  for searchdir in $newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path; do
+	  if test "$linkmode" = lib; then
+	    searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path"
+	  else
+	    searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path"
+	  fi
+	  for searchdir in $searchdirs; do
 	    for search_ext in .la $std_shrext .so .a; do
 	      # Search the libtool library
 	      lib="$searchdir/lib${name}${search_ext}"
@@ -2178,7 +2394,7 @@ EOF
 	esac # case $deplib
 	if test "$found" = yes || test -f "$lib"; then :
 	else
-	  $echo "$modename: cannot find the library \`$lib'" 1>&2
+	  $echo "$modename: cannot find the library \`$lib' or unhandled argument \`$deplib'" 1>&2
 	  exit $EXIT_FAILURE
 	fi
 
@@ -2202,6 +2418,8 @@ EOF
 	# it will not redefine variables installed, or shouldnotlink
 	installed=yes
 	shouldnotlink=no
+	avoidtemprpath=
+
 
 	# Read the .la file
 	case $lib in
@@ -2300,6 +2518,7 @@ EOF
 	    dir="$libdir"
 	    absdir="$libdir"
 	  fi
+	  test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes
 	else
 	  if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then
 	    dir="$ladir"
@@ -2382,14 +2601,16 @@ EOF
 
 	if test "$linkmode,$pass" = "prog,link"; then
 	  if test -n "$library_names" &&
-	     { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	     { { test "$prefer_static_libs" = no ||
+		 test "$prefer_static_libs,$installed" = "built,yes"; } ||
+	       test -z "$old_library"; }; then
 	    # We need to hardcode the library path
-	    if test -n "$shlibpath_var"; then
+	    if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then
 	      # Make sure the rpath contains only unique directories.
 	      case "$temp_rpath " in
 	      *" $dir "*) ;;
 	      *" $absdir "*) ;;
-	      *) temp_rpath="$temp_rpath $dir" ;;
+	      *) temp_rpath="$temp_rpath $absdir" ;;
 	      esac
 	    fi
 
@@ -2426,8 +2647,12 @@ EOF
 	fi
 
 	link_static=no # Whether the deplib will be linked statically
+	use_static_libs=$prefer_static_libs
+	if test "$use_static_libs" = built && test "$installed" = yes ; then
+	  use_static_libs=no
+	fi
 	if test -n "$library_names" &&
-	   { test "$prefer_static_libs" = no || test -z "$old_library"; }; then
+	   { test "$use_static_libs" = no || test -z "$old_library"; }; then
 	  if test "$installed" = no; then
 	    notinst_deplibs="$notinst_deplibs $lib"
 	    need_relink=yes
@@ -2540,11 +2765,15 @@ EOF
 	      if test "$hardcode_direct" = no; then
 		add="$dir/$linklib"
 		case $host in
-		  *-*-sco3.2v5* ) add_dir="-L$dir" ;;
+		  *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;;
+		  *-*-sysv4*uw2*) add_dir="-L$dir" ;;
+		  *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \
+		    *-*-unixware7*) add_dir="-L$dir" ;;
 		  *-*-darwin* )
 		    # if the lib is a module then we can not link against
 		    # it, someone is ignoring the new warnings I added
-		    if /usr/bin/file -L $add 2> /dev/null | $EGREP "bundle" >/dev/null ; then
+		    if /usr/bin/file -L $add 2> /dev/null |
+                      $EGREP ": [^:]* bundle" >/dev/null ; then
 		      $echo "** Warning, lib $linklib is a module, not a shared library"
 		      if test -z "$old_library" ; then
 		        $echo
@@ -2575,7 +2804,7 @@ EOF
 		add_dir="-L$dir"
 		# Try looking first in the location we're being installed to.
 		if test -n "$inst_prefix_dir"; then
-		  case "$libdir" in
+		  case $libdir in
 		    [\\/]*)
 		      add_dir="$add_dir -L$inst_prefix_dir$libdir"
 		      ;;
@@ -2648,7 +2877,7 @@ EOF
 	      add_dir="-L$libdir"
 	      # Try looking first in the location we're being installed to.
 	      if test -n "$inst_prefix_dir"; then
-		case "$libdir" in
+		case $libdir in
 		  [\\/]*)
 		    add_dir="$add_dir -L$inst_prefix_dir$libdir"
 		    ;;
@@ -2709,8 +2938,6 @@ EOF
 	      fi
 	    fi
 	  else
-	    convenience="$convenience $dir/$old_library"
-	    old_convenience="$old_convenience $dir/$old_library"
 	    deplibs="$dir/$old_library $deplibs"
 	    link_static=yes
 	  fi
@@ -2789,12 +3016,18 @@ EOF
 		  # we do not want to link against static libs,
 		  # but need to link against shared
 		  eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib`
+		  eval deplibdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib`
 		  if test -n "$deplibrary_names" ; then
 		    for tmp in $deplibrary_names ; do
 		      depdepl=$tmp
 		    done
-		    if test -f "$path/$depdepl" ; then
+		    if test -f "$deplibdir/$depdepl" ; then
+		      depdepl="$deplibdir/$depdepl"
+	      	    elif test -f "$path/$depdepl" ; then
 		      depdepl="$path/$depdepl"
+		    else
+		      # Can't find it, oh well...
+		      depdepl=
 		    fi
 		    # do not add paths which are already there
 		    case " $newlib_search_path " in
@@ -2828,12 +3061,12 @@ EOF
 	      *) continue ;;
 	      esac
 	      case " $deplibs " in
-	      *" $depdepl "*) ;;
-	      *) deplibs="$depdepl $deplibs" ;;
+	      *" $path "*) ;;
+	      *) deplibs="$path $deplibs" ;;
 	      esac
 	      case " $deplibs " in
-	      *" $path "*) ;;
-	      *) deplibs="$deplibs $path" ;;
+	      *" $depdepl "*) ;;
+	      *) deplibs="$depdepl $deplibs" ;;
 	      esac
 	    done
 	  fi # link_all_deplibs != no
@@ -2942,9 +3175,10 @@ EOF
 
     case $linkmode in
     oldlib)
-      if test -n "$deplibs"; then
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2
-      fi
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for archives" 1>&2 ;;
+      esac
 
       if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
 	$echo "$modename: warning: \`-dlopen' is ignored for archives" 1>&2
@@ -3072,7 +3306,7 @@ EOF
 	  # which has an extra 1 added just for fun
 	  #
 	  case $version_type in
-	  darwin|linux|osf|windows)
+	  darwin|linux|osf|windows|none)
 	    current=`expr $number_major + $number_minor`
 	    age="$number_minor"
 	    revision="$number_revision"
@@ -3083,9 +3317,10 @@ EOF
 	    age="0"
 	    ;;
 	  irix|nonstopux)
-	    current=`expr $number_major + $number_minor - 1`
+	    current=`expr $number_major + $number_minor`
 	    age="$number_minor"
 	    revision="$number_minor"
+	    lt_irix_increment=no
 	    ;;
 	  esac
 	  ;;
@@ -3098,27 +3333,27 @@ EOF
 
 	# Check that each of the things are valid numbers.
 	case $current in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: CURRENT \`$current' is not a nonnegative integer" 1>&2
+	  $echo "$modename: CURRENT \`$current' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
 	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
 	case $revision in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: REVISION \`$revision' is not a nonnegative integer" 1>&2
+	  $echo "$modename: REVISION \`$revision' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
 	  exit $EXIT_FAILURE
 	  ;;
 	esac
 
 	case $age in
-	0 | [1-9] | [1-9][0-9] | [1-9][0-9][0-9]) ;;
+	0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;;
 	*)
-	  $echo "$modename: AGE \`$age' is not a nonnegative integer" 1>&2
+	  $echo "$modename: AGE \`$age' must be a nonnegative integer" 1>&2
 	  $echo "$modename: \`$vinfo' is not valid version information" 1>&2
 	  exit $EXIT_FAILURE
 	  ;;
@@ -3144,7 +3379,8 @@ EOF
 	  versuffix="$major.$age.$revision"
 	  # Darwin ld doesn't like 0 for these options...
 	  minor_current=`expr $current + 1`
-	  verstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision"
+	  verstring="-compatibility_version $minor_current -current_version $minor_current.$revision"
 	  ;;
 
 	freebsd-aout)
@@ -3158,8 +3394,11 @@ EOF
 	  ;;
 
 	irix | nonstopux)
-	  major=`expr $current - $age + 1`
-
+	  if test "X$lt_irix_increment" = "Xno"; then
+	    major=`expr $current - $age`
+	  else
+	    major=`expr $current - $age + 1`
+	  fi
 	  case $version_type in
 	    nonstopux) verstring_prefix=nonstopux ;;
 	    *)         verstring_prefix=sgi ;;
@@ -3296,11 +3535,11 @@ EOF
       fi
 
       # Eliminate all temporary directories.
-      for path in $notinst_path; do
-	lib_search_path=`$echo "$lib_search_path " | ${SED} -e 's% $path % %g'`
-	deplibs=`$echo "$deplibs " | ${SED} -e 's% -L$path % %g'`
-	dependency_libs=`$echo "$dependency_libs " | ${SED} -e 's% -L$path % %g'`
-      done
+      #for path in $notinst_path; do
+      #	lib_search_path=`$echo "$lib_search_path " | ${SED} -e "s% $path % %g"`
+      #	deplibs=`$echo "$deplibs " | ${SED} -e "s% -L$path % %g"`
+      #	dependency_libs=`$echo "$dependency_libs " | ${SED} -e "s% -L$path % %g"`
+      #done
 
       if test -n "$xrpath"; then
 	# If the user specified any rpath flags, then add them.
@@ -3350,9 +3589,14 @@ EOF
 	  *-*-netbsd*)
 	    # Don't link with libc until the a.out ld.so is fixed.
 	    ;;
-	  *-*-openbsd* | *-*-freebsd*)
+	  *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*)
 	    # Do not include libc due to us having libc/libc_r.
-	    test "X$arg" = "X-lc" && continue
+	    ;;
+	  *-*-sco3.2v5* | *-*-sco5v6*)
+	    # Causes problems with __ctype
+	    ;;
+	  *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*)
+	    # Compiler inserts libc in the correct place for threads to work
 	    ;;
  	  *)
 	    # Add libc to deplibs on all other systems if necessary.
@@ -3396,13 +3640,12 @@ EOF
 	  int main() { return 0; }
 EOF
 	  $rm conftest
-	  $LTCC -o conftest conftest.c $deplibs
-	  if test "$?" -eq 0 ; then
+	  if $LTCC $LTCFLAGS -o conftest conftest.c $deplibs; then
 	    ldd_output=`ldd conftest`
 	    for i in $deplibs; do
-	      name="`expr $i : '-l\(.*\)'`"
+	      name=`expr $i : '-l\(.*\)'`
 	      # If $name is empty we are operating on a -L argument.
-              if test "$name" != "" && test "$name" -ne "0"; then
+              if test "$name" != "" && test "$name" != "0"; then
 		if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		  case " $predeps $postdeps " in
 		  *" $i "*)
@@ -3437,13 +3680,11 @@ EOF
 	    # Error occurred in the first compile.  Let's try to salvage
 	    # the situation: Compile a separate program for each library.
 	    for i in $deplibs; do
-	      name="`expr $i : '-l\(.*\)'`"
+	      name=`expr $i : '-l\(.*\)'`
 	      # If $name is empty we are operating on a -L argument.
               if test "$name" != "" && test "$name" != "0"; then
 		$rm conftest
-		$LTCC -o conftest conftest.c $i
-		# Did it work?
-		if test "$?" -eq 0 ; then
+		if $LTCC $LTCFLAGS -o conftest conftest.c $i; then
 		  ldd_output=`ldd conftest`
 		  if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
 		    case " $predeps $postdeps " in
@@ -3475,7 +3716,7 @@ EOF
 		  droppeddeps=yes
 		  $echo
 		  $echo "*** Warning!  Library $i is needed by this library but I was not able to"
-		  $echo "***  make it link in!  You will probably need to install it or some"
+		  $echo "*** make it link in!  You will probably need to install it or some"
 		  $echo "*** library that it depends on before this library will be fully"
 		  $echo "*** functional.  Installing it before continuing would be even better."
 		fi
@@ -3489,7 +3730,7 @@ EOF
 	  set dummy $deplibs_check_method
 	  file_magic_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
 	  for a_deplib in $deplibs; do
-	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    name=`expr $a_deplib : '-l\(.*\)'`
 	    # If $name is empty we are operating on a -L argument.
             if test "$name" != "" && test  "$name" != "0"; then
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
@@ -3558,7 +3799,7 @@ EOF
 	  set dummy $deplibs_check_method
 	  match_pattern_regex=`expr "$deplibs_check_method" : "$2 \(.*\)"`
 	  for a_deplib in $deplibs; do
-	    name="`expr $a_deplib : '-l\(.*\)'`"
+	    name=`expr $a_deplib : '-l\(.*\)'`
 	    # If $name is empty we are operating on a -L argument.
 	    if test -n "$name" && test "$name" != "0"; then
 	      if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then
@@ -3688,6 +3929,35 @@ EOF
 	deplibs=$newdeplibs
       fi
 
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      deplibs="$new_libs"
+
+
       # All the library-specific variables (install_libdir is set above).
       library_names=
       old_library=
@@ -3732,7 +4002,10 @@ EOF
 	     test -n "$hardcode_libdirs"; then
 	    libdir="$hardcode_libdirs"
 	    if test -n "$hardcode_libdir_flag_spec_ld"; then
-	      eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\"
+	      case $archive_cmds in
+	      *\$LD*) eval dep_rpath=\"$hardcode_libdir_flag_spec_ld\" ;;
+	      *)      eval dep_rpath=\"$hardcode_libdir_flag_spec\" ;;
+	      esac
 	    else
 	      eval dep_rpath=\"$hardcode_libdir_flag_spec\"
 	    fi
@@ -3771,6 +4044,7 @@ EOF
 	fi
 
 	lib="$output_objdir/$realname"
+	linknames=
 	for link
 	do
 	  linknames="$linknames $link"
@@ -3799,6 +4073,9 @@ EOF
 	        # The command line is too long to execute in one step.
 	        $show "using reloadable object file for export list..."
 	        skipped_export=:
+		# Break out early, otherwise skipped_export may be
+		# set to false by a later but shorter cmd.
+		break
 	      fi
 	    done
 	    IFS="$save_ifs"
@@ -3868,7 +4145,8 @@ EOF
 	  fi
 	fi
 
-	if test "X$skipped_export" != "X:" && len=`expr "X$test_cmds" : ".*"` &&
+	if test "X$skipped_export" != "X:" &&
+	   len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 	   test "$len" -le "$max_cmd_len" || test "$max_cmd_len" -le -1; then
 	  :
 	else
@@ -3887,6 +4165,7 @@ EOF
 	    save_libobjs=$libobjs
 	  fi
 	  save_output=$output
+	  output_la=`$echo "X$output" | $Xsed -e "$basename"`
 
 	  # Clear the reloadable object creation command queue and
 	  # initialize k to one.
@@ -3896,13 +4175,13 @@ EOF
 	  delfiles=
 	  last_robj=
 	  k=1
-	  output=$output_objdir/$save_output-${k}.$objext
+	  output=$output_objdir/$output_la-${k}.$objext
 	  # Loop over the list of objects to be linked.
 	  for obj in $save_libobjs
 	  do
 	    eval test_cmds=\"$reload_cmds $objlist $last_robj\"
 	    if test "X$objlist" = X ||
-	       { len=`expr "X$test_cmds" : ".*"` &&
+	       { len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 		 test "$len" -le "$max_cmd_len"; }; then
 	      objlist="$objlist $obj"
 	    else
@@ -3916,9 +4195,9 @@ EOF
 		# the last one created.
 		eval concat_cmds=\"\$concat_cmds~$reload_cmds $objlist $last_robj\"
 	      fi
-	      last_robj=$output_objdir/$save_output-${k}.$objext
+	      last_robj=$output_objdir/$output_la-${k}.$objext
 	      k=`expr $k + 1`
-	      output=$output_objdir/$save_output-${k}.$objext
+	      output=$output_objdir/$output_la-${k}.$objext
 	      objlist=$obj
 	      len=1
 	    fi
@@ -3938,13 +4217,13 @@ EOF
 	    eval concat_cmds=\"\$concat_cmds~$export_symbols_cmds\"
           fi
 
-	  # Set up a command to remove the reloadale object files
+	  # Set up a command to remove the reloadable object files
 	  # after they are used.
 	  i=0
 	  while test "$i" -lt "$k"
 	  do
 	    i=`expr $i + 1`
-	    delfiles="$delfiles $output_objdir/$save_output-${i}.$objext"
+	    delfiles="$delfiles $output_objdir/$output_la-${i}.$objext"
 	  done
 
 	  $echo "creating a temporary reloadable object file: $output"
@@ -3992,13 +4271,30 @@ EOF
 	  IFS="$save_ifs"
 	  eval cmd=\"$cmd\"
 	  $show "$cmd"
-	  $run eval "$cmd" || exit $?
+	  $run eval "$cmd" || {
+	    lt_exit=$?
+
+	    # Restore the uninstalled library and exit
+	    if test "$mode" = relink; then
+	      $run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	    fi
+
+	    exit $lt_exit
+	  }
 	done
 	IFS="$save_ifs"
 
 	# Restore the uninstalled library and exit
 	if test "$mode" = relink; then
 	  $run eval '(cd $output_objdir && $rm ${realname}T && $mv $realname ${realname}T && $mv "$realname"U $realname)' || exit $?
+
+	  if test -n "$convenience"; then
+	    if test -z "$whole_archive_flag_spec"; then
+	      $show "${rm}r $gentop"
+	      $run ${rm}r "$gentop"
+	    fi
+	  fi
+
 	  exit $EXIT_SUCCESS
 	fi
 
@@ -4019,9 +4315,10 @@ EOF
       ;;
 
     obj)
-      if test -n "$deplibs"; then
-	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2
-      fi
+      case " $deplibs" in
+      *\ -l* | *\ -L*)
+	$echo "$modename: warning: \`-l' and \`-L' are ignored for objects" 1>&2 ;;
+      esac
 
       if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then
 	$echo "$modename: warning: \`-dlopen' is ignored for objects" 1>&2
@@ -4068,12 +4365,14 @@ EOF
       reload_conv_objs=
       gentop=
       # reload_cmds runs $LD directly, so let us get rid of
-      # -Wl from whole_archive_flag_spec
+      # -Wl from whole_archive_flag_spec and hope we can get by with
+      # turning comma into space..
       wl=
 
       if test -n "$convenience"; then
 	if test -n "$whole_archive_flag_spec"; then
-	  eval reload_conv_objs=\"\$reload_objs $whole_archive_flag_spec\"
+	  eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\"
+	  reload_conv_objs=$reload_objs\ `$echo "X$tmp_whole_archive_flags" | $Xsed -e 's|,| |g'`
 	else
 	  gentop="$output_objdir/${obj}x"
 	  generated="$generated $gentop"
@@ -4180,6 +4479,35 @@ EOF
         ;;
       esac
 
+
+      # move library search paths that coincide with paths to not yet
+      # installed libraries to the beginning of the library search list
+      new_libs=
+      for path in $notinst_path; do
+	case " $new_libs " in
+	*" -L$path/$objdir "*) ;;
+	*)
+	  case " $compile_deplibs " in
+	  *" -L$path/$objdir "*)
+	    new_libs="$new_libs -L$path/$objdir" ;;
+	  esac
+	  ;;
+	esac
+      done
+      for deplib in $compile_deplibs; do
+	case $deplib in
+	-L*)
+	  case " $new_libs " in
+	  *" $deplib "*) ;;
+	  *) new_libs="$new_libs $deplib" ;;
+	  esac
+	  ;;
+	*) new_libs="$new_libs $deplib" ;;
+	esac
+      done
+      compile_deplibs="$new_libs"
+
+
       compile_command="$compile_command $compile_deplibs"
       finalize_command="$finalize_command $finalize_deplibs"
 
@@ -4224,10 +4552,15 @@ EOF
 	fi
 	case $host in
 	*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2*)
+	  testbindir=`$echo "X$libdir" | $Xsed -e 's*/lib$*/bin*'`
 	  case :$dllsearchpath: in
 	  *":$libdir:"*) ;;
 	  *) dllsearchpath="$dllsearchpath:$libdir";;
 	  esac
+	  case :$dllsearchpath: in
+	  *":$testbindir:"*) ;;
+	  *) dllsearchpath="$dllsearchpath:$testbindir";;
+	  esac
 	  ;;
 	esac
       done
@@ -4341,13 +4674,25 @@ extern \"C\" {
 
 	    # Prepare the list of exported symbols
 	    if test -z "$export_symbols"; then
-	      export_symbols="$output_objdir/$output.exp"
+	      export_symbols="$output_objdir/$outputname.exp"
 	      $run $rm $export_symbols
-	      $run eval "${SED} -n -e '/^: @PROGRAM@$/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+	      $run eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
 	    else
-	      $run eval "${SED} -e 's/\([][.*^$]\)/\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$output.exp"'
-	      $run eval 'grep -f "$output_objdir/$output.exp" < "$nlist" > "$nlist"T'
+	      $run eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"'
+	      $run eval 'grep -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T'
 	      $run eval 'mv "$nlist"T "$nlist"'
+              case $host in
+              *cygwin* | *mingw* )
+	        $run eval "echo EXPORTS "'> "$output_objdir/$outputname.def"'
+		$run eval 'cat "$nlist" >> "$output_objdir/$outputname.def"'
+                ;;
+              esac
 	    fi
 	  fi
 
@@ -4398,7 +4743,26 @@ extern \"C\" {
 #endif
 
 /* The mapping between symbol names and symbols. */
+"
+
+	    case $host in
+	    *cygwin* | *mingw* )
+	  $echo >> "$output_objdir/$dlsyms" "\
+/* DATA imports from DLLs on WIN32 can't be const, because
+   runtime relocations are performed -- see ld's documentation
+   on pseudo-relocs */
+struct {
+"
+	      ;;
+	    * )
+	  $echo >> "$output_objdir/$dlsyms" "\
 const struct {
+"
+	      ;;
+	    esac
+
+
+	  $echo >> "$output_objdir/$dlsyms" "\
   const char *name;
   lt_ptr address;
 }
@@ -4445,16 +4809,32 @@ static const void *lt_preloaded_setup() {
 	  esac
 
 	  # Now compile the dynamic symbol file.
-	  $show "(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
-	  $run eval '(cd $output_objdir && $LTCC -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
+	  $show "(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable \"$dlsyms\")"
+	  $run eval '(cd $output_objdir && $LTCC  $LTCFLAGS -c$no_builtin_flag$pic_flag_for_symtable "$dlsyms")' || exit $?
 
 	  # Clean up the generated files.
 	  $show "$rm $output_objdir/$dlsyms $nlist ${nlist}S ${nlist}T"
 	  $run $rm "$output_objdir/$dlsyms" "$nlist" "${nlist}S" "${nlist}T"
 
 	  # Transform the symbol file into the correct name.
-	  compile_command=`$echo "X$compile_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
-	  finalize_command=`$echo "X$finalize_command" | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%"`
+          case $host in
+          *cygwin* | *mingw* )
+            if test -f "$output_objdir/${outputname}.def" ; then
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}.def $output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            else
+              compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+              finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+             fi
+            ;;
+          * )
+            compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s%@SYMFILE@%$output_objdir/${outputname}S.${objext}%" | $NL2SP`
+            ;;
+          esac
+	  ;;
+	*-*-freebsd*)
+	  # FreeBSD doesn't need this...
 	  ;;
 	*)
 	  $echo "$modename: unknown suffix for \`$dlsyms'" 1>&2
@@ -4467,19 +4847,19 @@ static const void *lt_preloaded_setup() {
 	# really was required.
 
 	# Nullify the symbol file.
-	compile_command=`$echo "X$compile_command" | $Xsed -e "s% @SYMFILE@%%"`
-	finalize_command=`$echo "X$finalize_command" | $Xsed -e "s% @SYMFILE@%%"`
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
+	finalize_command=`$echo "X$finalize_command" | $SP2NL | $Xsed -e "s% @SYMFILE@%%" | $NL2SP`
       fi
 
       if test "$need_relink" = no || test "$build_libtool_libs" != yes; then
 	# Replace the output file specification.
-	compile_command=`$echo "X$compile_command" | $Xsed -e 's%@OUTPUT@%'"$output"'%g'`
+	compile_command=`$echo "X$compile_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$output"'%g' | $NL2SP`
 	link_command="$compile_command$compile_rpath"
 
 	# We have no uninstalled library dependencies, so finalize right now.
 	$show "$link_command"
 	$run eval "$link_command"
-	status=$?
+	exit_status=$?
 
 	# Delete the generated files.
 	if test -n "$dlsyms"; then
@@ -4487,7 +4867,7 @@ static const void *lt_preloaded_setup() {
 	  $run $rm "$output_objdir/${outputname}S.${objext}"
 	fi
 
-	exit $status
+	exit $exit_status
       fi
 
       if test -n "$shlibpath_var"; then
@@ -4560,7 +4940,7 @@ static const void *lt_preloaded_setup() {
 	if test "$fast_install" != no; then
 	  link_command="$finalize_var$compile_command$finalize_rpath"
 	  if test "$fast_install" = yes; then
-	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g'`
+	    relink_command=`$echo "X$compile_var$compile_command$compile_rpath" | $SP2NL | $Xsed -e 's%@OUTPUT@%\$progdir/\$file%g' | $NL2SP`
 	  else
 	    # fast_install is set to needless
 	    relink_command=
@@ -4597,7 +4977,7 @@ static const void *lt_preloaded_setup() {
 	  fi
 	done
 	relink_command="(cd `pwd`; $relink_command)"
-	relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+	relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
       fi
 
       # Quote $echo for shipping.
@@ -4627,10 +5007,12 @@ static const void *lt_preloaded_setup() {
 	esac
 	case $host in
 	  *cygwin* | *mingw* )
-	    cwrappersource=`$echo ${objdir}/lt-${output}.c`
-	    cwrapper=`$echo ${output}.exe`
-	    $rm $cwrappersource $cwrapper
-	    trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
+            output_name=`basename $output`
+            output_path=`dirname $output`
+            cwrappersource="$output_path/$objdir/lt-$output_name.c"
+            cwrapper="$output_path/$output_name.exe"
+            $rm $cwrappersource $cwrapper
+            trap "$rm $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15
 
 	    cat > $cwrappersource <<EOF
 
@@ -4655,6 +5037,9 @@ EOF
 #include <malloc.h>
 #include <stdarg.h>
 #include <assert.h>
+#include <string.h>
+#include <ctype.h>
+#include <sys/stat.h>
 
 #if defined(PATH_MAX)
 # define LT_PATHMAX PATH_MAX
@@ -4665,15 +5050,19 @@ EOF
 #endif
 
 #ifndef DIR_SEPARATOR
-#define DIR_SEPARATOR '/'
+# define DIR_SEPARATOR '/'
+# define PATH_SEPARATOR ':'
 #endif
 
 #if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \
   defined (__OS2__)
-#define HAVE_DOS_BASED_FILE_SYSTEM
-#ifndef DIR_SEPARATOR_2
-#define DIR_SEPARATOR_2 '\\'
-#endif
+# define HAVE_DOS_BASED_FILE_SYSTEM
+# ifndef DIR_SEPARATOR_2
+#  define DIR_SEPARATOR_2 '\\'
+# endif
+# ifndef PATH_SEPARATOR_2
+#  define PATH_SEPARATOR_2 ';'
+# endif
 #endif
 
 #ifndef DIR_SEPARATOR_2
@@ -4683,17 +5072,32 @@ EOF
         (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2))
 #endif /* DIR_SEPARATOR_2 */
 
+#ifndef PATH_SEPARATOR_2
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR)
+#else /* PATH_SEPARATOR_2 */
+# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2)
+#endif /* PATH_SEPARATOR_2 */
+
 #define XMALLOC(type, num)      ((type *) xmalloc ((num) * sizeof(type)))
 #define XFREE(stale) do { \
   if (stale) { free ((void *) stale); stale = 0; } \
 } while (0)
 
+/* -DDEBUG is fairly common in CFLAGS.  */
+#undef DEBUG
+#if defined DEBUGWRAPPER
+# define DEBUG(format, ...) fprintf(stderr, format, __VA_ARGS__)
+#else
+# define DEBUG(format, ...)
+#endif
+
 const char *program_name = NULL;
 
 void * xmalloc (size_t num);
 char * xstrdup (const char *string);
-char * basename (const char *name);
-char * fnqualify(const char *path);
+const char * base_name (const char *name);
+char * find_executable(const char *wrapper);
+int    check_executable(const char *path);
 char * strendzap(char *str, const char *pat);
 void lt_fatal (const char *message, ...);
 
@@ -4703,29 +5107,51 @@ main (int argc, char *argv[])
   char **newargz;
   int i;
 
-  program_name = (char *) xstrdup ((char *) basename (argv[0]));
+  program_name = (char *) xstrdup (base_name (argv[0]));
+  DEBUG("(main) argv[0]      : %s\n",argv[0]);
+  DEBUG("(main) program_name : %s\n",program_name);
   newargz = XMALLOC(char *, argc+2);
 EOF
 
-	    cat >> $cwrappersource <<EOF
-  newargz[0] = "$SHELL";
+            cat >> $cwrappersource <<EOF
+  newargz[0] = (char *) xstrdup("$SHELL");
 EOF
 
-	    cat >> $cwrappersource <<"EOF"
-  newargz[1] = fnqualify(argv[0]);
+            cat >> $cwrappersource <<"EOF"
+  newargz[1] = find_executable(argv[0]);
+  if (newargz[1] == NULL)
+    lt_fatal("Couldn't find %s", argv[0]);
+  DEBUG("(main) found exe at : %s\n",newargz[1]);
   /* we know the script has the same name, without the .exe */
   /* so make sure newargz[1] doesn't end in .exe */
   strendzap(newargz[1],".exe");
   for (i = 1; i < argc; i++)
     newargz[i+1] = xstrdup(argv[i]);
   newargz[argc+1] = NULL;
+
+  for (i=0; i<argc+1; i++)
+  {
+    DEBUG("(main) newargz[%d]   : %s\n",i,newargz[i]);
+    ;
+  }
+
 EOF
 
-	    cat >> $cwrappersource <<EOF
+            case $host_os in
+              mingw*)
+                cat >> $cwrappersource <<EOF
+  execv("$SHELL",(char const **)newargz);
+EOF
+              ;;
+              *)
+                cat >> $cwrappersource <<EOF
   execv("$SHELL",newargz);
 EOF
+              ;;
+            esac
 
-	    cat >> $cwrappersource <<"EOF"
+            cat >> $cwrappersource <<"EOF"
+  return 127;
 }
 
 void *
@@ -4745,48 +5171,148 @@ xstrdup (const char *string)
 ;
 }
 
-char *
-basename (const char *name)
+const char *
+base_name (const char *name)
 {
   const char *base;
 
 #if defined (HAVE_DOS_BASED_FILE_SYSTEM)
   /* Skip over the disk name in MSDOS pathnames. */
-  if (isalpha (name[0]) && name[1] == ':')
+  if (isalpha ((unsigned char)name[0]) && name[1] == ':')
     name += 2;
 #endif
 
   for (base = name; *name; name++)
     if (IS_DIR_SEPARATOR (*name))
       base = name + 1;
-  return (char *) base;
+  return base;
+}
+
+int
+check_executable(const char * path)
+{
+  struct stat st;
+
+  DEBUG("(check_executable)  : %s\n", path ? (*path ? path : "EMPTY!") : "NULL!");
+  if ((!path) || (!*path))
+    return 0;
+
+  if ((stat (path, &st) >= 0) &&
+      (
+        /* MinGW & native WIN32 do not support S_IXOTH or S_IXGRP */
+#if defined (S_IXOTH)
+       ((st.st_mode & S_IXOTH) == S_IXOTH) ||
+#endif
+#if defined (S_IXGRP)
+       ((st.st_mode & S_IXGRP) == S_IXGRP) ||
+#endif
+       ((st.st_mode & S_IXUSR) == S_IXUSR))
+      )
+    return 1;
+  else
+    return 0;
 }
 
+/* Searches for the full path of the wrapper.  Returns
+   newly allocated full path name if found, NULL otherwise */
 char *
-fnqualify(const char *path)
+find_executable (const char* wrapper)
 {
-  size_t size;
-  char *p;
+  int has_slash = 0;
+  const char* p;
+  const char* p_next;
+  /* static buffer for getcwd */
   char tmp[LT_PATHMAX + 1];
+  int tmp_len;
+  char* concat_name;
+
+  DEBUG("(find_executable)  : %s\n", wrapper ? (*wrapper ? wrapper : "EMPTY!") : "NULL!");
 
-  assert(path != NULL);
+  if ((wrapper == NULL) || (*wrapper == '\0'))
+    return NULL;
 
-  /* Is it qualified already? */
+  /* Absolute path? */
+#if defined (HAVE_DOS_BASED_FILE_SYSTEM)
+  if (isalpha ((unsigned char)wrapper[0]) && wrapper[1] == ':')
+  {
+    concat_name = xstrdup (wrapper);
+    if (check_executable(concat_name))
+      return concat_name;
+    XFREE(concat_name);
+  }
+  else
+  {
+#endif
+    if (IS_DIR_SEPARATOR (wrapper[0]))
+    {
+      concat_name = xstrdup (wrapper);
+      if (check_executable(concat_name))
+        return concat_name;
+      XFREE(concat_name);
+    }
 #if defined (HAVE_DOS_BASED_FILE_SYSTEM)
-  if (isalpha (path[0]) && path[1] == ':')
-    return xstrdup (path);
+  }
 #endif
-  if (IS_DIR_SEPARATOR (path[0]))
-    return xstrdup (path);
 
-  /* prepend the current directory */
-  /* doesn't handle '~' */
+  for (p = wrapper; *p; p++)
+    if (*p == '/')
+    {
+      has_slash = 1;
+      break;
+    }
+  if (!has_slash)
+  {
+    /* no slashes; search PATH */
+    const char* path = getenv ("PATH");
+    if (path != NULL)
+    {
+      for (p = path; *p; p = p_next)
+      {
+        const char* q;
+        size_t p_len;
+        for (q = p; *q; q++)
+          if (IS_PATH_SEPARATOR(*q))
+            break;
+        p_len = q - p;
+        p_next = (*q == '\0' ? q : q + 1);
+        if (p_len == 0)
+        {
+          /* empty path: current directory */
+          if (getcwd (tmp, LT_PATHMAX) == NULL)
+            lt_fatal ("getcwd failed");
+          tmp_len = strlen(tmp);
+          concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, tmp, tmp_len);
+          concat_name[tmp_len] = '/';
+          strcpy (concat_name + tmp_len + 1, wrapper);
+        }
+        else
+        {
+          concat_name = XMALLOC(char, p_len + 1 + strlen(wrapper) + 1);
+          memcpy (concat_name, p, p_len);
+          concat_name[p_len] = '/';
+          strcpy (concat_name + p_len + 1, wrapper);
+        }
+        if (check_executable(concat_name))
+          return concat_name;
+        XFREE(concat_name);
+      }
+    }
+    /* not found in PATH; assume curdir */
+  }
+  /* Relative path | not found in path: prepend cwd */
   if (getcwd (tmp, LT_PATHMAX) == NULL)
     lt_fatal ("getcwd failed");
-  size = strlen(tmp) + 1 + strlen(path) + 1; /* +2 for '/' and '\0' */
-  p = XMALLOC(char, size);
-  sprintf(p, "%s%c%s", tmp, DIR_SEPARATOR, path);
-  return p;
+  tmp_len = strlen(tmp);
+  concat_name = XMALLOC(char, tmp_len + 1 + strlen(wrapper) + 1);
+  memcpy (concat_name, tmp, tmp_len);
+  concat_name[tmp_len] = '/';
+  strcpy (concat_name + tmp_len + 1, wrapper);
+
+  if (check_executable(concat_name))
+    return concat_name;
+  XFREE(concat_name);
+  return NULL;
 }
 
 char *
@@ -4830,16 +5356,16 @@ lt_fatal (const char *message, ...)
   va_end (ap);
 }
 EOF
-	  # we should really use a build-platform specific compiler
-	  # here, but OTOH, the wrappers (shell script and this C one)
-	  # are only useful if you want to execute the "real" binary.
-	  # Since the "real" binary is built for $host, then this
-	  # wrapper might as well be built for $host, too.
-	  $run $LTCC -s -o $cwrapper $cwrappersource
-	  ;;
-	esac
-	$rm $output
-	trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
+          # we should really use a build-platform specific compiler
+          # here, but OTOH, the wrappers (shell script and this C one)
+          # are only useful if you want to execute the "real" binary.
+          # Since the "real" binary is built for $host, then this
+          # wrapper might as well be built for $host, too.
+          $run $LTCC $LTCFLAGS -s -o $cwrapper $cwrappersource
+          ;;
+        esac
+        $rm $output
+        trap "$rm $output; exit $EXIT_FAILURE" 1 2 15
 
 	$echo > $output "\
 #! $SHELL
@@ -4858,6 +5384,20 @@ EOF
 Xsed='${SED} -e 1s/^X//'
 sed_quote_subst='$sed_quote_subst'
 
+# Be Bourne compatible (taken from Autoconf:_AS_BOURNE_COMPATIBLE).
+if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then
+  emulate sh
+  NULLCMD=:
+  # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which
+  # is contrary to our usage.  Disable this feature.
+  alias -g '\${1+\"\$@\"}'='\"\$@\"'
+  setopt NO_GLOB_SUBST
+else
+  case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac
+fi
+BIN_SH=xpg4; export BIN_SH # for Tru64
+DUALCASE=1; export DUALCASE # for MKS sh
+
 # The HP-UX ksh and POSIX shell print the target directory to stdout
 # if CDPATH is set.
 (unset CDPATH) >/dev/null 2>&1 && unset CDPATH
@@ -4989,23 +5529,23 @@ else
 	# Backslashes separate directories on plain windows
 	*-*-mingw | *-*-os2*)
 	  $echo >> $output "\
-      exec \$progdir\\\\\$program \${1+\"\$@\"}
+      exec \"\$progdir\\\\\$program\" \${1+\"\$@\"}
 "
 	  ;;
 
 	*)
 	  $echo >> $output "\
-      exec \$progdir/\$program \${1+\"\$@\"}
+      exec \"\$progdir/\$program\" \${1+\"\$@\"}
 "
 	  ;;
 	esac
 	$echo >> $output "\
-      \$echo \"\$0: cannot exec \$program \${1+\"\$@\"}\"
+      \$echo \"\$0: cannot exec \$program \$*\"
       exit $EXIT_FAILURE
     fi
   else
     # The program doesn't exist.
-    \$echo \"\$0: error: \$progdir/\$program does not exist\" 1>&2
+    \$echo \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2
     \$echo \"This script is just a wrapper for \$program.\" 1>&2
     $echo \"See the $PACKAGE documentation for more information.\" 1>&2
     exit $EXIT_FAILURE
@@ -5047,6 +5587,63 @@ fi\
       if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then
        cmds=$old_archive_from_new_cmds
       else
+	# POSIX demands no paths to be encoded in archives.  We have
+	# to avoid creating archives with duplicate basenames if we
+	# might have to extract them afterwards, e.g., when creating a
+	# static archive out of a convenience library, or when linking
+	# the entirety of a libtool archive into another (currently
+	# not supported by libtool).
+	if (for obj in $oldobjs
+	    do
+	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
+	    done | sort | sort -uc >/dev/null 2>&1); then
+	  :
+	else
+	  $echo "copying selected object files to avoid basename conflicts..."
+
+	  if test -z "$gentop"; then
+	    gentop="$output_objdir/${outputname}x"
+	    generated="$generated $gentop"
+
+	    $show "${rm}r $gentop"
+	    $run ${rm}r "$gentop"
+	    $show "$mkdir $gentop"
+	    $run $mkdir "$gentop"
+	    exit_status=$?
+	    if test "$exit_status" -ne 0 && test ! -d "$gentop"; then
+	      exit $exit_status
+	    fi
+	  fi
+
+	  save_oldobjs=$oldobjs
+	  oldobjs=
+	  counter=1
+	  for obj in $save_oldobjs
+	  do
+	    objbase=`$echo "X$obj" | $Xsed -e 's%^.*/%%'`
+	    case " $oldobjs " in
+	    " ") oldobjs=$obj ;;
+	    *[\ /]"$objbase "*)
+	      while :; do
+		# Make sure we don't pick an alternate name that also
+		# overlaps.
+		newobj=lt$counter-$objbase
+		counter=`expr $counter + 1`
+		case " $oldobjs " in
+		*[\ /]"$newobj "*) ;;
+		*) if test ! -f "$gentop/$newobj"; then break; fi ;;
+		esac
+	      done
+	      $show "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj"
+	      $run ln "$obj" "$gentop/$newobj" ||
+	      $run cp "$obj" "$gentop/$newobj"
+	      oldobjs="$oldobjs $gentop/$newobj"
+	      ;;
+	    *) oldobjs="$oldobjs $obj" ;;
+	    esac
+	  done
+	fi
+
 	eval cmds=\"$old_archive_cmds\"
 
 	if len=`expr "X$cmds" : ".*"` &&
@@ -5060,20 +5657,7 @@ fi\
 	  objlist=
 	  concat_cmds=
 	  save_oldobjs=$oldobjs
-	  # GNU ar 2.10+ was changed to match POSIX; thus no paths are
-	  # encoded into archives.  This makes 'ar r' malfunction in
-	  # this piecewise linking case whenever conflicting object
-	  # names appear in distinct ar calls; check, warn and compensate.
-	    if (for obj in $save_oldobjs
-	    do
-	      $echo "X$obj" | $Xsed -e 's%^.*/%%'
-	    done | sort | sort -uc >/dev/null 2>&1); then
-	    :
-	  else
-	    $echo "$modename: warning: object name conflicts; overriding AR_FLAGS to 'cq'" 1>&2
-	    $echo "$modename: warning: to ensure that POSIX-compatible ar will work" 1>&2
-	    AR_FLAGS=cq
-	  fi
+
 	  # Is there a better way of finding the last object in the list?
 	  for obj in $save_oldobjs
 	  do
@@ -5084,7 +5668,7 @@ fi\
 	    oldobjs="$objlist $obj"
 	    objlist="$objlist $obj"
 	    eval test_cmds=\"$old_archive_cmds\"
-	    if len=`expr "X$test_cmds" : ".*"` &&
+	    if len=`expr "X$test_cmds" : ".*" 2>/dev/null` &&
 	       test "$len" -le "$max_cmd_len"; then
 	      :
 	    else
@@ -5142,7 +5726,7 @@ fi\
       done
       # Quote the link command for shipping.
       relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)"
-      relink_command=`$echo "X$relink_command" | $Xsed -e "$sed_quote_subst"`
+      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e "$sed_quote_subst" | $NL2SP`
       if test "$hardcode_automatic" = yes ; then
 	relink_command=
       fi
@@ -5281,11 +5865,11 @@ relink_command=\"$relink_command\""
     # install_prog (especially on Windows NT).
     if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh ||
        # Allow the use of GNU shtool's install command.
-       $echo "X$nonopt" | $Xsed | grep shtool > /dev/null; then
+       $echo "X$nonopt" | grep shtool > /dev/null; then
       # Aesthetically quote it.
       arg=`$echo "X$nonopt" | $Xsed -e "$sed_quote_subst"`
       case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	arg="\"$arg\""
 	;;
       esac
@@ -5294,14 +5878,14 @@ relink_command=\"$relink_command\""
       shift
     else
       install_prog=
-      arg="$nonopt"
+      arg=$nonopt
     fi
 
     # The real first argument should be the name of the installation program.
     # Aesthetically quote it.
     arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
     case $arg in
-    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+    *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
       arg="\"$arg\""
       ;;
     esac
@@ -5319,28 +5903,31 @@ relink_command=\"$relink_command\""
     do
       if test -n "$dest"; then
 	files="$files $dest"
-	dest="$arg"
+	dest=$arg
 	continue
       fi
 
       case $arg in
       -d) isdir=yes ;;
-      -f) prev="-f" ;;
-      -g) prev="-g" ;;
-      -m) prev="-m" ;;
-      -o) prev="-o" ;;
+      -f) 
+      	case " $install_prog " in
+	*[\\\ /]cp\ *) ;;
+	*) prev=$arg ;;
+	esac
+	;;
+      -g | -m | -o) prev=$arg ;;
       -s)
 	stripme=" -s"
 	continue
 	;;
-      -*) ;;
-
+      -*)
+	;;
       *)
 	# If the previous option needed an argument, then skip it.
 	if test -n "$prev"; then
 	  prev=
 	else
-	  dest="$arg"
+	  dest=$arg
 	  continue
 	fi
 	;;
@@ -5349,7 +5936,7 @@ relink_command=\"$relink_command\""
       # Aesthetically quote the argument.
       arg=`$echo "X$arg" | $Xsed -e "$sed_quote_subst"`
       case $arg in
-      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*)
+      *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \	]*|*]*|"")
 	arg="\"$arg\""
 	;;
       esac
@@ -5484,9 +6071,9 @@ relink_command=\"$relink_command\""
 
 	  if test -n "$inst_prefix_dir"; then
 	    # Stick the inst_prefix_dir data into the link command.
-	    relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"`
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%" | $NL2SP`
 	  else
-	    relink_command=`$echo "$relink_command" | $SED "s%@inst_prefix_dir@%%"`
+	    relink_command=`$echo "$relink_command" | $SP2NL | $SED "s%@inst_prefix_dir@%%" | $NL2SP`
 	  fi
 
 	  $echo "$modename: warning: relinking \`$file'" 1>&2
@@ -5518,11 +6105,14 @@ relink_command=\"$relink_command\""
 
 	  if test "$#" -gt 0; then
 	    # Delete the old symlinks, and create new ones.
+	    # Try `ln -sf' first, because the `ln' binary might depend on
+	    # the symlink we replace!  Solaris /bin/ln does not understand -f,
+	    # so we also need to try rm && ln -s.
 	    for linkname
 	    do
 	      if test "$linkname" != "$realname"; then
-		$show "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
-		$run eval "(cd $destdir && $rm $linkname && $LN_S $realname $linkname)"
+                $show "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
+                $run eval "(cd $destdir && { $LN_S -f $realname $linkname || { $rm $linkname && $LN_S $realname $linkname; }; })"
 	      fi
 	    done
 	  fi
@@ -5535,7 +6125,16 @@ relink_command=\"$relink_command\""
 	    IFS="$save_ifs"
 	    eval cmd=\"$cmd\"
 	    $show "$cmd"
-	    $run eval "$cmd" || exit $?
+	    $run eval "$cmd" || {
+	      lt_exit=$?
+
+	      # Restore the uninstalled library and exit
+	      if test "$mode" = relink; then
+		$run eval '(cd $output_objdir && $rm ${realname}T && $mv ${realname}U $realname)'
+	      fi
+
+	      exit $lt_exit
+	    }
 	  done
 	  IFS="$save_ifs"
 	fi
@@ -5629,17 +6228,15 @@ relink_command=\"$relink_command\""
 	  notinst_deplibs=
 	  relink_command=
 
-	  # To insure that "foo" is sourced, and not "foo.exe",
-	  # finese the cygwin/MSYS system by explicitly sourcing "foo."
-	  # which disallows the automatic-append-.exe behavior.
-	  case $build in
-	  *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
-	  *) wrapperdot=${wrapper} ;;
-	  esac
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
 	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . ${wrapperdot} ;;
-	  *) . ./${wrapperdot} ;;
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
 	  esac
 
 	  # Check the variables that should have been set.
@@ -5667,38 +6264,25 @@ relink_command=\"$relink_command\""
 	  done
 
 	  relink_command=
-	  # To insure that "foo" is sourced, and not "foo.exe",
-	  # finese the cygwin/MSYS system by explicitly sourcing "foo."
-	  # which disallows the automatic-append-.exe behavior.
-	  case $build in
-	  *cygwin* | *mingw*) wrapperdot=${wrapper}. ;;
-	  *) wrapperdot=${wrapper} ;;
-	  esac
+	  # Note that it is not necessary on cygwin/mingw to append a dot to
+	  # foo even if both foo and FILE.exe exist: automatic-append-.exe
+	  # behavior happens only for exec(3), not for open(2)!  Also, sourcing
+	  # `FILE.' does not work on cygwin managed mounts.
+	  #
 	  # If there is no directory component, then add one.
-	  case $file in
-	  */* | *\\*) . ${wrapperdot} ;;
-	  *) . ./${wrapperdot} ;;
+	  case $wrapper in
+	  */* | *\\*) . ${wrapper} ;;
+	  *) . ./${wrapper} ;;
 	  esac
 
 	  outputname=
 	  if test "$fast_install" = no && test -n "$relink_command"; then
 	    if test "$finalize" = yes && test -z "$run"; then
-	      tmpdir="/tmp"
-	      test -n "$TMPDIR" && tmpdir="$TMPDIR"
-	      tmpdir="$tmpdir/libtool-$$"
-	      save_umask=`umask`
-	      umask 0077
-	      if $mkdir "$tmpdir"; then
-	        umask $save_umask
-	      else
-	        umask $save_umask
-		$echo "$modename: error: cannot create temporary directory \`$tmpdir'" 1>&2
-		continue
-	      fi
+	      tmpdir=`func_mktempdir`
 	      file=`$echo "X$file$stripped_ext" | $Xsed -e 's%^.*/%%'`
 	      outputname="$tmpdir/$file"
 	      # Replace the output file specification.
-	      relink_command=`$echo "X$relink_command" | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g'`
+	      relink_command=`$echo "X$relink_command" | $SP2NL | $Xsed -e 's%@OUTPUT@%'"$outputname"'%g' | $NL2SP`
 
 	      $show "$relink_command"
 	      if $run eval "$relink_command"; then :
@@ -5718,7 +6302,7 @@ relink_command=\"$relink_command\""
 	fi
 
 	# remove .exe since cygwin /usr/bin/install will append another
-	# one anyways
+	# one anyway 
 	case $install_prog,$host in
 	*/usr/bin/install*,*cygwin*)
 	  case $file:$destfile in
@@ -5818,7 +6402,7 @@ relink_command=\"$relink_command\""
     # Exit here if they wanted silent mode.
     test "$show" = : && exit $EXIT_SUCCESS
 
-    $echo "----------------------------------------------------------------------"
+    $echo "X----------------------------------------------------------------------" | $Xsed
     $echo "Libraries have been installed in:"
     for libdir in $libdirs; do
       $echo "   $libdir"
@@ -5851,7 +6435,7 @@ relink_command=\"$relink_command\""
     $echo
     $echo "See any operating system documentation about shared libraries for"
     $echo "more information, such as the ld(1) and ld.so(8) manual pages."
-    $echo "----------------------------------------------------------------------"
+    $echo "X----------------------------------------------------------------------" | $Xsed
     exit $EXIT_SUCCESS
     ;;
 
@@ -5909,8 +6493,10 @@ relink_command=\"$relink_command\""
 	if test -f "$dir/$objdir/$dlname"; then
 	  dir="$dir/$objdir"
 	else
-	  $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
-	  exit $EXIT_FAILURE
+	  if test ! -f "$dir/$dlname"; then
+	    $echo "$modename: cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" 1>&2
+	    exit $EXIT_FAILURE
+	  fi
 	fi
 	;;
 
@@ -5974,12 +6560,12 @@ relink_command=\"$relink_command\""
       fi
 
       # Restore saved environment variables
-      if test "${save_LC_ALL+set}" = set; then
-	LC_ALL="$save_LC_ALL"; export LC_ALL
-      fi
-      if test "${save_LANG+set}" = set; then
-	LANG="$save_LANG"; export LANG
-      fi
+      for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES
+      do
+	eval "if test \"\${save_$lt_var+set}\" = set; then
+		$lt_var=\$save_$lt_var; export $lt_var
+	      fi"
+      done
 
       # Now prepare to actually exec the command.
       exec_cmd="\$cmd$args"
@@ -6068,9 +6654,17 @@ relink_command=\"$relink_command\""
 	    rmfiles="$rmfiles $objdir/$n"
 	  done
 	  test -n "$old_library" && rmfiles="$rmfiles $objdir/$old_library"
-	  test "$mode" = clean && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
 
-	  if test "$mode" = uninstall; then
+	  case "$mode" in
+	  clean)
+	    case "  $library_names " in
+	    # "  " in the beginning catches empty $dlname
+	    *" $dlname "*) ;;
+	    *) rmfiles="$rmfiles $objdir/$dlname" ;;
+	    esac
+	     test -n "$libdir" && rmfiles="$rmfiles $objdir/$name $objdir/${name}i"
+	    ;;
+	  uninstall)
 	    if test -n "$library_names"; then
 	      # Do each command in the postuninstall commands.
 	      cmds=$postuninstall_cmds
@@ -6103,7 +6697,8 @@ relink_command=\"$relink_command\""
 	      IFS="$save_ifs"
 	    fi
 	    # FIXME: should reinstall the best remaining shared library.
-	  fi
+	    ;;
+	  esac
 	fi
 	;;
 
@@ -6327,9 +6922,9 @@ The following components of LINK-COMMAND are treated specially:
   -dlpreopen FILE   link in FILE and add its symbols to lt_preloaded_symbols
   -export-dynamic   allow symbols from OUTPUT-FILE to be resolved with dlsym(3)
   -export-symbols SYMFILE
-		    try to export only the symbols listed in SYMFILE
+                    try to export only the symbols listed in SYMFILE
   -export-symbols-regex REGEX
-		    try to export only the symbols matching REGEX
+                    try to export only the symbols matching REGEX
   -LLIBDIR          search LIBDIR for required installed libraries
   -lNAME            OUTPUT-FILE requires the installed library libNAME
   -module           build a library that can dlopened
@@ -6343,9 +6938,11 @@ The following components of LINK-COMMAND are treated specially:
   -release RELEASE  specify package release information
   -rpath LIBDIR     the created library will eventually be installed in LIBDIR
   -R[ ]LIBDIR       add LIBDIR to the runtime path of programs and libraries
-  -static           do not do any dynamic linking of libtool libraries
+  -static           do not do any dynamic linking of uninstalled libtool libraries
+  -static-libtool-libs
+                    do not do any dynamic linking of libtool libraries
   -version-info CURRENT[:REVISION[:AGE]]
-		    specify library version info [each variable defaults to 0]
+                    specify library version info [each variable defaults to 0]
 
 All other options (arguments beginning with \`-') are ignored.
 
@@ -6388,7 +6985,7 @@ esac
 $echo
 $echo "Try \`$modename --help' for more information about other modes."
 
-exit $EXIT_SUCCESS
+exit $?
 
 # The TAGs below are defined such that we never get into a situation
 # in which we disable both kinds of libraries.  Given conflicting
@@ -6402,12 +6999,11 @@ exit $EXIT_SUCCESS
 # configuration.  But we'll never go from static-only to shared-only.
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-shared
-build_libtool_libs=no
-build_old_libs=yes
+disable_libs=shared
 # ### END LIBTOOL TAG CONFIG: disable-shared
 
 # ### BEGIN LIBTOOL TAG CONFIG: disable-static
-build_old_libs=`case $build_libtool_libs in yes) $echo no;; *) $echo yes;; esac`
+disable_libs=static
 # ### END LIBTOOL TAG CONFIG: disable-static
 
 # Local Variables:
diff --git a/make/Makefile.in b/make/Makefile.in
index ae96e13..cffd561 100644
--- a/make/Makefile.in
+++ b/make/Makefile.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.14 2004/03/05 05:14:06 marka Exp $
+# $Id: Makefile.in,v 1.16 2007/06/19 23:47:24 tbox Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
diff --git a/make/includes.in b/make/includes.in
index 304305d..8e5750c 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -1,7 +1,7 @@
-# Copyright (C) 2004, 2005  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004, 2005, 2007  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1999-2001  Internet Software Consortium.
 #
-# Permission to use, copy, modify, and distribute this software for any
+# Permission to use, copy, modify, and/or distribute this software for any
 # purpose with or without fee is hereby granted, provided that the above
 # copyright notice and this permission notice appear in all copies.
 #
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: includes.in,v 1.17.18.2 2005/06/04 06:23:47 jinmei Exp $
+# $Id: includes.in,v 1.21 2007/06/19 23:47:24 tbox Exp $
 
 # Search for machine-generated header files in the build tree,
 # and for normal headers in the source tree (${top_srcdir}).
diff --git a/make/mkdep.in b/make/mkdep.in
index fc3e250..bb536c9 100644
--- a/make/mkdep.in
+++ b/make/mkdep.in
@@ -1,5 +1,13 @@
 #!/bin/sh -
 
+##
+## Modified to handle -vpath <path> option by Michael Graff, ISC.
+## The purpose of this is to allow this script to run outside of the
+## source directory, for instance when running configure with
+##   ../bind9-mainline/configure
+## and still have "make depend" work.
+##
+
 ## ++Copyright++ 1987
 ## -
 ## Copyright (c) 1987 Regents of the University of California.
@@ -60,6 +68,10 @@ MAKE=Makefile			# default makefile name is "Makefile"
 
 while :
 	do case "$1" in
+		# -vpath allows one to select a virtual path for .c files
+		-vpath)
+			VPATH=$2;
+			shift; shift ;;
 		# -f allows you to select a makefile name
 		-f)
 			MAKE=$2
@@ -76,7 +88,7 @@ while :
 done
 
 if [ $# = 0 ] ; then
-	echo 'usage: mkdep [-p] [-f makefile] [flags] file ...'
+	echo 'usage: mkdep [-vpath path] [-p] [-f makefile] [flags] file ...'
 	exit 1
 fi
 
@@ -107,11 +119,26 @@ _EOF_
 # egrep '^#include[ 	]*".*"' /dev/null $* |
 # sed -e 's/:[^"]*"\([^"]*\)".*/: \1/' -e 's/\.c/.o/' |
 
+if [ X"${VPATH}" != X ] ; then
+    for arg in $* ; do
+	case "$arg" in
+	    -*)
+		newargs="$newargs $arg"
+		;;
+	    *)
+		newargs="$newargs $VPATH/$arg"
+		;;
+	esac
+    done
+else
+    newargs="$*";
+fi
+
 MKDEPPROG="@MKDEPPROG@"
 if [ X"${MKDEPPROG}" != X ]; then
-    @SHELL@ -c "${MKDEPPROG} $*"
+    @SHELL@ -c "${MKDEPPROG} ${newargs}"
 else
-    @MKDEPCC@ @MKDEPCFLAGS@ $* |
+    @MKDEPCC@ @MKDEPCFLAGS@ ${newargs} |
     sed "
 	s; \./; ;g
 	@LIBTOOL_MKDEP_SED@
diff --git a/make/rules.in b/make/rules.in
index e1488e9..0b07980 100644
--- a/make/rules.in
+++ b/make/rules.in
@@ -1,4 +1,4 @@
-# Copyright (C) 2004-2008  Internet Systems Consortium, Inc. ("ISC")
+# Copyright (C) 2004-2009  Internet Systems Consortium, Inc. ("ISC")
 # Copyright (C) 1998-2003  Internet Software Consortium.
 #
 # Permission to use, copy, modify, and/or distribute this software for any
@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: rules.in,v 1.47.18.15 2008/02/18 23:46:01 tbox Exp $
+# $Id: rules.in,v 1.64.130.2 2009/01/10 23:46:57 tbox Exp $
 
 ###
 ### Common Makefile rules for BIND 9.
@@ -34,6 +34,7 @@ libdir =	@libdir@
 sysconfdir =	@sysconfdir@
 localstatedir =	@localstatedir@
 mandir =	@mandir@
+datarootdir =   @datarootdir@
 
 DESTDIR =
 
@@ -150,20 +151,38 @@ depend:
 			(cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \
 		fi; \
 	done
-	@if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
-		echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
-		${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
-		echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
-		${MKDEP} -ap ${ALL_CPPFLAGS} ${PSRCS}; \
-		${DEPENDEXTRA} \
-	elif [ X"${SRCS}" != X ] ; then \
-		echo ${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
-		${MKDEP} ${ALL_CPPFLAGS} ${SRCS}; \
-		${DEPENDEXTRA} \
-	elif [ X"${PSRCS}" != X ] ; then \
-		echo ${MKDEP} ${ALL_CPPFLAGS} ${PSRCS}; \
-		${MKDEP} -p ${ALL_CPPFLAGS} ${PSRCS}; \
-		${DEPENDEXTRA} \
+	@if [ X"${VPATH}" != X ] ; then \
+		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			echo ${MKDEP} -vpath ${VPATH} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -vpath ${VPATH} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${SRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} -vpath ${VPATH} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -vpath ${VPATH} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		fi \
+	else \
+		if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${SRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \
+			${DEPENDEXTRA} \
+		elif [ X"${PSRCS}" != X ] ; then \
+			echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \
+			${DEPENDEXTRA} \
+		fi \
 	fi
 
 FORCE:
diff --git a/version b/version
index 1eb5a69..10a1d31 100644
--- a/version
+++ b/version
@@ -1,10 +1,10 @@
-# $Id: version,v 1.29.134.23.2.2 2009/03/17 02:23:49 marka Exp $
-#
+# $Id: version,v 1.43.12.4 2009/04/08 06:55:37 marka Exp $
+# 
 # This file must follow /bin/sh rules.  It is imported directly via
 # configure.
 #
 MAJORVER=9
-MINORVER=4
-PATCHVER=3
-RELEASETYPE=-P
-RELEASEVER=2
+MINORVER=6
+PATCHVER=1
+RELEASETYPE=rc
+RELEASEVER=1