From 90c5127f2adf679af4cd90046e0cbb5b3b1e82db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Wed, 16 Mar 2022 10:49:17 +0100
Subject: [PATCH 01/15] Restructure includes for ARM chapters 1 (Intro) and 2
 (Requirements)

We have had perpetual problem with Sphinx implicitly double-including
files. To avoid that problem all files with name suffix .inc.rst are now
ignored by Sphinx, and writter can conveniently include them without
modifying conf.py for each and every file.

(cherry picked from commit 1322372a0c9b6efd3af866455bbdb25e6d55c650)
---
 doc/arm/Makefile.am                           | 31 ++++++++++---------
 doc/arm/advanced.rst                          | 12 +++----
 doc/arm/{build.rst => build.inc.rst}          |  0
 doc/arm/{catz.rst => catz.inc.rst}            |  0
 doc/arm/chapter1.rst                          | 12 +++++++
 doc/arm/chapter2.rst                          | 14 +++++++++
 doc/arm/conf.py                               | 13 +-------
 doc/arm/configuration.rst                     |  2 +-
 doc/arm/{dlz.rst => dlz.inc.rst}              |  0
 doc/arm/{dnssec.rst => dnssec.inc.rst}        |  0
 doc/arm/{dyndb.rst => dyndb.inc.rst}          |  0
 doc/arm/index.rst                             |  4 +--
 ...{introduction.rst => introduction.inc.rst} |  0
 ...egories.rst => logging-categories.inc.rst} |  0
 ...{managed-keys.rst => managed-keys.inc.rst} |  0
 doc/arm/{pkcs11.rst => pkcs11.inc.rst}        |  0
 doc/arm/{platforms.rst => platforms.inc.rst}  |  0
 doc/arm/{plugins.rst => plugins.inc.rst}      |  0
 doc/arm/reference.rst                         |  2 +-
 ...{requirements.rst => requirements.inc.rst} |  2 --
 util/check-categories.sh                      |  2 +-
 21 files changed, 55 insertions(+), 39 deletions(-)
 rename doc/arm/{build.rst => build.inc.rst} (100%)
 rename doc/arm/{catz.rst => catz.inc.rst} (100%)
 create mode 100644 doc/arm/chapter1.rst
 create mode 100644 doc/arm/chapter2.rst
 rename doc/arm/{dlz.rst => dlz.inc.rst} (100%)
 rename doc/arm/{dnssec.rst => dnssec.inc.rst} (100%)
 rename doc/arm/{dyndb.rst => dyndb.inc.rst} (100%)
 rename doc/arm/{introduction.rst => introduction.inc.rst} (100%)
 rename doc/arm/{logging-categories.rst => logging-categories.inc.rst} (100%)
 rename doc/arm/{managed-keys.rst => managed-keys.inc.rst} (100%)
 rename doc/arm/{pkcs11.rst => pkcs11.inc.rst} (100%)
 rename doc/arm/{platforms.rst => platforms.inc.rst} (100%)
 rename doc/arm/{plugins.rst => plugins.inc.rst} (100%)
 rename doc/arm/{requirements.rst => requirements.inc.rst} (98%)

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index 9db674b8d6..bfc12db128 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -2,29 +2,32 @@ include $(top_srcdir)/Makefile.top
 include $(top_srcdir)/Makefile.docs
 
 EXTRA_DIST =					\
-	conf.py					\
-	isc-logo.pdf				\
 	advanced.rst				\
-	build.rst				\
-	catz.rst				\
+	build.inc.rst				\
+	catz.inc.rst				\
+	chapter1.rst				\
+	chapter2.rst				\
 	configuration.rst			\
-	dlz.rst					\
+	conf.py					\
+	dlz.inc.rst				\
 	dnssec-guide.rst			\
-	dnssec.rst				\
-	dyndb.rst				\
+	dnssec.inc.rst				\
+	dyndb.inc.rst				\
 	general.rst				\
 	history.rst				\
 	index.rst				\
-	introduction.rst			\
-	logging-categories.rst			\
-	managed-keys.rst			\
+	introduction.inc.rst			\
+	isc-logo.pdf				\
+	logging-categories.inc.rst		\
+	managed-keys.inc.rst			\
 	manpages.rst				\
 	notes.rst				\
-	pkcs11.rst				\
-	platforms.rst				\
-	plugins.rst				\
+	pkcs11.inc.rst				\
+	platforms.inc.rst			\
+	plugins.inc.rst				\
 	reference.rst				\
-	requirements.rst			\
+	requirements.inc.rst			\
+	requirements.txt			\
 	security.rst				\
 	troubleshooting.rst			\
 	../dnssec-guide				\
diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
index 30fdcdb7b7..10457c87fd 100644
--- a/doc/arm/advanced.rst
+++ b/doc/arm/advanced.rst
@@ -779,12 +779,12 @@ according to its parent, should have been secure.
    response; parent indicates it should be secure."
 
 
-.. include:: dnssec.rst
-.. include:: managed-keys.rst
-.. include:: pkcs11.rst
-.. include:: dlz.rst
-.. include:: dyndb.rst
-.. include:: catz.rst
+.. include:: dnssec.inc.rst
+.. include:: managed-keys.inc.rst
+.. include:: pkcs11.inc.rst
+.. include:: dlz.inc.rst
+.. include:: dyndb.inc.rst
+.. include:: catz.inc.rst
 
 .. _ipv6:
 
diff --git a/doc/arm/build.rst b/doc/arm/build.inc.rst
similarity index 100%
rename from doc/arm/build.rst
rename to doc/arm/build.inc.rst
diff --git a/doc/arm/catz.rst b/doc/arm/catz.inc.rst
similarity index 100%
rename from doc/arm/catz.rst
rename to doc/arm/catz.inc.rst
diff --git a/doc/arm/chapter1.rst b/doc/arm/chapter1.rst
new file mode 100644
index 0000000000..a392637fdf
--- /dev/null
+++ b/doc/arm/chapter1.rst
@@ -0,0 +1,12 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: introduction.inc.rst
diff --git a/doc/arm/chapter2.rst b/doc/arm/chapter2.rst
new file mode 100644
index 0000000000..2e50f15b75
--- /dev/null
+++ b/doc/arm/chapter2.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: requirements.inc.rst
+.. include:: platforms.inc.rst
+.. include:: build.inc.rst
diff --git a/doc/arm/conf.py b/doc/arm/conf.py
index 742626335b..60131b41f6 100644
--- a/doc/arm/conf.py
+++ b/doc/arm/conf.py
@@ -142,18 +142,7 @@ exclude_patterns = [
     '_build',
     'Thumbs.db',
     '.DS_Store',
-    '*.grammar.rst',
-    '*.zoneopts.rst',
-    'build.rst',
-    'catz.rst',
-    'dlz.rst',
-    'dnssec.rst',
-    'dyndb.rst',
-    'logging-categories.rst',
-    'managed-keys.rst',
-    'pkcs11.rst',
-    'platforms.rst',
-    'plugins.rst'
+    '*.inc.rst'
     ]
 
 # The master toctree document.
diff --git a/doc/arm/configuration.rst b/doc/arm/configuration.rst
index 6ef62e2b38..807891c5a3 100644
--- a/doc/arm/configuration.rst
+++ b/doc/arm/configuration.rst
@@ -312,4 +312,4 @@ described in the following table. These signals can be sent using the
 | ``SIGINT``   | Causes the server to clean up and exit.                     |
 +--------------+-------------------------------------------------------------+
 
-.. include:: plugins.rst
+.. include:: plugins.inc.rst
diff --git a/doc/arm/dlz.rst b/doc/arm/dlz.inc.rst
similarity index 100%
rename from doc/arm/dlz.rst
rename to doc/arm/dlz.inc.rst
diff --git a/doc/arm/dnssec.rst b/doc/arm/dnssec.inc.rst
similarity index 100%
rename from doc/arm/dnssec.rst
rename to doc/arm/dnssec.inc.rst
diff --git a/doc/arm/dyndb.rst b/doc/arm/dyndb.inc.rst
similarity index 100%
rename from doc/arm/dyndb.rst
rename to doc/arm/dyndb.inc.rst
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
index 431f0cd598..7dec5cf947 100644
--- a/doc/arm/index.rst
+++ b/doc/arm/index.rst
@@ -17,8 +17,8 @@ BIND 9 Administrator Reference Manual
    :numbered:
    :maxdepth: 2
 
-   introduction
-   requirements
+   chapter1
+   chapter2
    configuration
    reference
    advanced
diff --git a/doc/arm/introduction.rst b/doc/arm/introduction.inc.rst
similarity index 100%
rename from doc/arm/introduction.rst
rename to doc/arm/introduction.inc.rst
diff --git a/doc/arm/logging-categories.rst b/doc/arm/logging-categories.inc.rst
similarity index 100%
rename from doc/arm/logging-categories.rst
rename to doc/arm/logging-categories.inc.rst
diff --git a/doc/arm/managed-keys.rst b/doc/arm/managed-keys.inc.rst
similarity index 100%
rename from doc/arm/managed-keys.rst
rename to doc/arm/managed-keys.inc.rst
diff --git a/doc/arm/pkcs11.rst b/doc/arm/pkcs11.inc.rst
similarity index 100%
rename from doc/arm/pkcs11.rst
rename to doc/arm/pkcs11.inc.rst
diff --git a/doc/arm/platforms.rst b/doc/arm/platforms.inc.rst
similarity index 100%
rename from doc/arm/platforms.rst
rename to doc/arm/platforms.inc.rst
diff --git a/doc/arm/plugins.rst b/doc/arm/plugins.inc.rst
similarity index 100%
rename from doc/arm/plugins.rst
rename to doc/arm/plugins.inc.rst
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index e3cd0f1149..4b9b7ecded 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -760,7 +760,7 @@ The following are the available categories and brief descriptions of the
 types of log information they contain. More categories may be added in
 future BIND releases.
 
-.. include:: logging-categories.rst
+.. include:: logging-categories.inc.rst
 
 .. _query_errors:
 
diff --git a/doc/arm/requirements.rst b/doc/arm/requirements.inc.rst
similarity index 98%
rename from doc/arm/requirements.rst
rename to doc/arm/requirements.inc.rst
index 09f0f427ef..90bd0e965a 100644
--- a/doc/arm/requirements.rst
+++ b/doc/arm/requirements.inc.rst
@@ -70,5 +70,3 @@ much memory or CPU power as in the first alternative, but this has the
 disadvantage of making many more external queries, as none of the name
 servers share their cached data.
 
-.. include:: platforms.rst
-.. include:: build.rst
diff --git a/util/check-categories.sh b/util/check-categories.sh
index 6a4b0232da..c8c6e3cc2c 100644
--- a/util/check-categories.sh
+++ b/util/check-categories.sh
@@ -19,7 +19,7 @@ list1=$(
 	sort -u
 )
 list2=$(
-	sed -ne 's/^``\(.*\)``/\1/p' doc/arm/logging-categories.rst |
+	sed -ne 's/^``\(.*\)``/\1/p' doc/arm/logging-categories.inc.rst |
 	sort -u
 )
 status=0

From daaab5fc5245928412ff5d850173d4d0dee0adcc Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Sat, 2 Apr 2022 01:06:19 +0000
Subject: [PATCH 02/15] Add link anchors into Configuration Reference section
 of the ARM

(cherry picked from commit dc7efb8e60ad52d28d36d2ec77fa444c71f5e144)
---
 doc/arm/reference.rst | 44 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 39 insertions(+), 5 deletions(-)

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 4b9b7ecded..ed72dfca50 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -9,10 +9,10 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. Reference:
+.. _reference:
 
-BIND 9 Configuration Reference
-==============================
+Configuration Reference
+=======================
 
 .. _configuration_file_elements:
 
@@ -245,7 +245,7 @@ line, as in C++ comments. For example:
    in a zone file. The semicolon indicates the end of a
    configuration statement.
 
-.. _Configuration_File_Grammar:
+.. _configuration_file_grammar:
 
 Configuration File Grammar
 --------------------------
@@ -284,6 +284,8 @@ The following statements are supported:
     ``parental-agents``
         Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists.
 
+.. _primaries:
+
     ``primaries``
         Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.)
 
@@ -311,6 +313,8 @@ The following statements are supported:
     ``view``
         Defines a view.
 
+.. _zone_clause:
+
     ``zone``
         Defines a zone.
 
@@ -586,6 +590,8 @@ handles messages sent to this facility is described in the
 version of ``syslog``, which only uses two arguments to the ``openlog()``
 function, this clause is silently ignored.
 
+.. _severity:
+
 The ``severity`` clause works like ``syslog``'s "priorities," except
 that they can also be used when writing straight to a file rather
 than using ``syslog``. Messages which are not at least of the severity
@@ -982,6 +988,8 @@ default is used.
    administrator's responsibility to ensure that configuration differences in
    different views do not cause disruption with a shared cache.
 
+.. _directory:
+
 ``directory``
    This sets the working directory of the server. Any non-absolute pathnames in
    the configuration file are taken as relative to this directory.
@@ -1819,9 +1827,11 @@ Boolean Options
    unnecessary records are added to the authority or additional
    sections. The default is ``no``.
 
+.. _notify_st:
+
 ``notify``
    If set to ``yes`` (the default), DNS NOTIFY messages are sent when a
-   zone the server is authoritative for changes; see :ref:`notify`.
+   zone the server is authoritative for changes; see :ref:`using notify<notify>`.
    The messages are sent to the servers listed in the zone's NS records
    (except the primary server identified in the SOA MNAME field), and to
    any servers listed in the ``also-notify`` option.
@@ -1845,6 +1855,8 @@ Boolean Options
    ultimate primary should be set to still send NOTIFY messages to all the name servers
    listed in the NS RRset.
 
+.. _recursion:
+
 ``recursion``
    If ``yes``, and a DNS query requests recursion, then the server
    attempts to do all the work required to answer the query. If recursion
@@ -2310,6 +2322,8 @@ access to the Internet, but wish to look up exterior names anyway.
 Forwarding occurs only on those queries for which the server is not
 authoritative and does not have the answer in its cache.
 
+.. _forward:
+
 ``forward``
    This option is only meaningful if the forwarders list is not empty. A
    value of ``first`` is the default and causes the server to query the
@@ -2317,6 +2331,8 @@ authoritative and does not have the answer in its cache.
    server then looks for the answer itself. If ``only`` is
    specified, the server only queries the forwarders.
 
+.. _forwarders:
+
 ``forwarders``
    This specifies a list of IP addresses to which queries are forwarded. The
    default is the empty list (no forwarding). Each address in the list can be
@@ -2394,6 +2410,8 @@ for details on how to specify IP address lists.
 
    .. note:: ``allow-query-cache`` is used to specify access to the cache.
 
+.. _allow-query-cache:
+
 ``allow-query-cache``
    This specifies which hosts are allowed to get answers from the cache. If
    ``allow-recursion`` is not set, BIND checks to see if the following parameters
@@ -2461,6 +2479,8 @@ for details on how to specify IP address lists.
 
 .. _allow-transfer-access:
 
+.. _allow-transfer:
+
 ``allow-transfer``
    This specifies which hosts are allowed to receive zone transfers from the
    server. ``allow-transfer`` may also be specified in the ``zone``
@@ -2720,6 +2740,8 @@ BIND has mechanisms in place to facilitate zone transfers and set limits
 on the amount of load that transfers place on the system. The following
 options apply to zone transfers.
 
+.. _also-notify:
+
 ``also-notify``
    This option defines a global list of IP addresses of name servers that are also
    sent NOTIFY messages whenever a fresh copy of the zone is loaded, in
@@ -3120,6 +3142,8 @@ system.
 ``reserved-sockets``
    This option is deprecated and no longer has any effect.
 
+.. _max-cache-size:
+
 ``max-cache-size``
    This sets the maximum amount of memory to use for an individual cache
    database and its associated metadata, in bytes or percentage of total
@@ -3948,9 +3972,13 @@ away from the infrastructure servers.
    This specifies the contact name that appears in the returned SOA record for
    empty zones. If none is specified, "." is used.
 
+.. _empty-zones-enable:
+
 ``empty-zones-enable``
    This enables or disables all empty zones. By default, they are enabled.
 
+.. _disable-empty-zone:
+
 ``disable-empty-zone``
    This disables individual empty zones. By default, none are disabled. This
    option can be specified multiple times.
@@ -5581,6 +5609,8 @@ Here is an example of a typical split DNS setup implemented using
 
 .. _zone_types:
 
+.. _type:
+
 Zone Types
 ^^^^^^^^^^
 
@@ -5834,6 +5864,8 @@ Zone Options
 ``allow-notify``
    See the description of ``allow-notify`` in :ref:`access_control`.
 
+.. _allow-query:
+
 ``allow-query``
    See the description of ``allow-query`` in :ref:`access_control`.
 
@@ -5930,6 +5962,8 @@ Zone Options
 
 .. _file-option:
 
+.. _file:
+
 ``file``
    This sets the zone's filename. In ``primary``, ``hint``, and ``redirect``
    zones which do not have ``primaries`` defined, zone data is loaded from

From 2f53384e84c54ba7d2fe5260adbc0bfde4809c43 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Thu, 31 Mar 2022 12:51:57 +0000
Subject: [PATCH 03/15] Change title and add extra link to Resource
 Requirements in the ARM

(cherry picked from commit 0c3b75f80b4335fc5b83efee4cbd37bc60fe8020)
---
 doc/arm/requirements.inc.rst | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/doc/arm/requirements.inc.rst b/doc/arm/requirements.inc.rst
index 90bd0e965a..dcb080ec33 100644
--- a/doc/arm/requirements.inc.rst
+++ b/doc/arm/requirements.inc.rst
@@ -9,10 +9,10 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. _Requirements:
+.. _requirements:
 
-BIND Resource Requirements
-==========================
+Resource Requirements
+=====================
 
 .. _hw_req:
 
@@ -45,7 +45,7 @@ Memory Requirements
 -------------------
 
 Server memory must be sufficient to hold both the cache and the
-zones loaded from disk. The ``max-cache-size`` option can
+zones loaded from disk. The :ref:`max-cache-size<max-cache-size>` option can
 limit the amount of memory used by the cache, at the expense of reducing
 cache hit rates and causing more DNS traffic. It is still good practice
 to have enough memory to load all zone and cache data into memory;

From f82a42559ee0a31a3a0755b2034d5deeab5c133b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 21 Apr 2022 08:14:42 +0200
Subject: [PATCH 04/15] Remove build from chapter 2 and move it to the end of
 ARM

(cherry picked from commit 9d15decc41d96869217fb82d168757b33c1e297f)
---
 doc/arm/Makefile.am   |  1 +
 doc/arm/build.inc.rst |  2 ++
 doc/arm/chapter10.rst | 12 ++++++++++++
 doc/arm/chapter2.rst  |  1 -
 doc/arm/index.rst     |  3 ++-
 5 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 doc/arm/chapter10.rst

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index bfc12db128..57612a6fcc 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -5,6 +5,7 @@ EXTRA_DIST =					\
 	advanced.rst				\
 	build.inc.rst				\
 	catz.inc.rst				\
+	chapter10.rst				\
 	chapter1.rst				\
 	chapter2.rst				\
 	configuration.rst			\
diff --git a/doc/arm/build.inc.rst b/doc/arm/build.inc.rst
index 9ea1cd307d..5bad09e2af 100644
--- a/doc/arm/build.inc.rst
+++ b/doc/arm/build.inc.rst
@@ -9,6 +9,8 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
+.. _build_bind:
+
 Building BIND 9
 ---------------
 
diff --git a/doc/arm/chapter10.rst b/doc/arm/chapter10.rst
new file mode 100644
index 0000000000..1e8425ea4b
--- /dev/null
+++ b/doc/arm/chapter10.rst
@@ -0,0 +1,12 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: build.inc.rst
diff --git a/doc/arm/chapter2.rst b/doc/arm/chapter2.rst
index 2e50f15b75..bbf847736e 100644
--- a/doc/arm/chapter2.rst
+++ b/doc/arm/chapter2.rst
@@ -11,4 +11,3 @@
 
 .. include:: requirements.inc.rst
 .. include:: platforms.inc.rst
-.. include:: build.inc.rst
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
index 7dec5cf947..771e8405c7 100644
--- a/doc/arm/index.rst
+++ b/doc/arm/index.rst
@@ -24,7 +24,8 @@ BIND 9 Administrator Reference Manual
    advanced
    security
    troubleshooting
-   
+   chapter10
+
 .. toctree::
    :caption: Appendices
    :name: appendices

From d012689eeead06c5cce4e5abe19866045d6ac4e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= <pspacek@isc.org>
Date: Thu, 21 Apr 2022 18:10:19 +0200
Subject: [PATCH 05/15] License PNG and DIA images in the ARM under MPL-2.0 as
 usual

(cherry picked from commit 647318c9b70358ddf7e9dfbe6484b793e312e05f)
---
 .reuse/dep5 | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.reuse/dep5 b/.reuse/dep5
index 147970dc81..de69b93035 100644
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -82,6 +82,8 @@ Files: **/*.after*
        cocci/*.cocci
        cocci/*.disabled
        cocci/*.spatch
+       doc/arm/*.dia
+       doc/arm/*.png
        doc/arm/isc-logo.pdf
        doc/arm/requirements.txt
        doc/man/*.1in

From 7a57b242897fd9dda03117d8fbe293547d675200 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Sun, 20 Mar 2022 18:41:11 +0000
Subject: [PATCH 06/15] Rewrite Introduction chapters of the ARM

(cherry picked from commit 0951922028ec4cf5b963034bbf82074d41c3935a)
---
 doc/arm/Makefile.am               |  12 ++
 doc/arm/chapter1.rst              |   2 +
 doc/arm/dns-security-overview.dia | Bin 0 -> 3495 bytes
 doc/arm/dns-security-overview.png | Bin 0 -> 25862 bytes
 doc/arm/dns-servers.dia           | Bin 0 -> 3233 bytes
 doc/arm/dns-servers.png           | Bin 0 -> 40019 bytes
 doc/arm/dns-tree.dia              | Bin 0 -> 3019 bytes
 doc/arm/dns-tree.png              | Bin 0 -> 40307 bytes
 doc/arm/intro-dns-bind.inc.rst    | 197 +++++++++++++++++++
 doc/arm/intro-security.inc.rst    |  76 ++++++++
 doc/arm/introduction.inc.rst      | 313 +++++-------------------------
 doc/arm/name-resolution.dia       | Bin 0 -> 3084 bytes
 doc/arm/name-resolution.png       | Bin 0 -> 29727 bytes
 doc/arm/recursive-query.dia       | Bin 0 -> 3377 bytes
 doc/arm/recursive-query.png       | Bin 0 -> 42576 bytes
 15 files changed, 338 insertions(+), 262 deletions(-)
 create mode 100644 doc/arm/dns-security-overview.dia
 create mode 100644 doc/arm/dns-security-overview.png
 create mode 100644 doc/arm/dns-servers.dia
 create mode 100644 doc/arm/dns-servers.png
 create mode 100644 doc/arm/dns-tree.dia
 create mode 100644 doc/arm/dns-tree.png
 create mode 100644 doc/arm/intro-dns-bind.inc.rst
 create mode 100644 doc/arm/intro-security.inc.rst
 create mode 100644 doc/arm/name-resolution.dia
 create mode 100644 doc/arm/name-resolution.png
 create mode 100644 doc/arm/recursive-query.dia
 create mode 100644 doc/arm/recursive-query.png

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index 57612a6fcc..52bc19b9fb 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -13,19 +13,31 @@ EXTRA_DIST =					\
 	dlz.inc.rst				\
 	dnssec-guide.rst			\
 	dnssec.inc.rst				\
+	dns-security-overview.dia		\
+	dns-security-overview.png		\
+	dns-servers.dia				\
+	dns-servers.png				\
+	dns-tree.dia				\
+	dns-tree.png				\
 	dyndb.inc.rst				\
 	general.rst				\
 	history.rst				\
 	index.rst				\
+	intro-dns-bind.inc.rst			\
 	introduction.inc.rst			\
+	intro-security.inc.rst			\
 	isc-logo.pdf				\
 	logging-categories.inc.rst		\
 	managed-keys.inc.rst			\
 	manpages.rst				\
+	name-resolution.dia			\
+	name-resolution.png			\
 	notes.rst				\
 	pkcs11.inc.rst				\
 	platforms.inc.rst			\
 	plugins.inc.rst				\
+	recursive-query.dia			\
+	recursive-query.png			\
 	reference.rst				\
 	requirements.inc.rst			\
 	requirements.txt			\
diff --git a/doc/arm/chapter1.rst b/doc/arm/chapter1.rst
index a392637fdf..d3d0c708c7 100644
--- a/doc/arm/chapter1.rst
+++ b/doc/arm/chapter1.rst
@@ -10,3 +10,5 @@
 .. information regarding copyright ownership.
 
 .. include:: introduction.inc.rst
+.. include:: intro-dns-bind.inc.rst
+.. include:: intro-security.inc.rst
diff --git a/doc/arm/dns-security-overview.dia b/doc/arm/dns-security-overview.dia
new file mode 100644
index 0000000000000000000000000000000000000000..77f00f34a5098c1a999f447b023e8ace8f753d6a
GIT binary patch
literal 3495
zcmV;Y4OsFYiwFP!000023+-K7bK5o+e)q4?xHCJ+i~{3+shV`s^tQ9zY_?7xc3(V{
zM9bV#q=%yIcpvt+FAgc&x{$U+5{j8XZ9JAt;Uhqt4<8N=4!-;T(>xwrhuI=Zlh?-t
z;p0J=OwwtT%w8Y=@$u(Z`uO`dN8e4O;9L7|mId>H{YJ8Ycdw5x^8E7Klarg98x-Fz
zf;`Po99^MBc=Ep>j)N0>(aG_fqrqUcfN78i@Y(XyAkVXCe3gfTB$$V<kH^8}&smmU
zCDY^bs^xW)G)}X@br8Qk{^q=R9iJ?VIaw>`k+Ls?SvbzZ;LrM^v3(iSr0B~q+bni|
znJyxGNq&2|bxBP*@N?yw<y8xNQ8Ih;&0GFWc}vR=9?Gh^(OQsv9%Qp9*~YPL6PFD^
zk*1W|#t=puthgd~ZL&Yy_^@#CVd1jF!bOX-%QVZgAj-EP$7vdeK~kdT*;UvaXE6z4
z+r=KMR*PDkM|qw;asTH*yx64z<;VBdwy)*RvS|9a;jUd#Q_4*=%`eVAIcl!5^jk-z
zUq_2*9EVkRA0>Hb#ou;Q{N~ds*!$t@Eqg;*TJ7*K)u9N*{=>uUDw>9iC%W1CH8mw&
zEH68Gs?|5I+qGfJk2VJD0wNA>!)#gn4-doiVEKTTj57!(d31gEZlz7q@qfZezO3wN
z9wgHsn+{$Len>wZKWGrEK%(jE<A31w#@ei&EzI)ZR%>0R_gxBG(j6M4xY%riZ3d}B
z7>_prGFycpnZ@B9h*B0r8ZlBxs3D<9HU$jhaDFyPvt(N(bXctdrQnn8s@-vkv=v%=
zu@+btVKlqQ>%r{cDDdj5Va3L2HVw0<s)i9+!VqpSA(GH$a8Y8P)7d&*R1k&;CX@4q
z5Q~fS=Bz>wKRwu26Vu6q6*e|Y($*{qM$`-mM}j-FOF-d(!p(>%#KjPPa+ikLx?;On
zrb2|Q+KM+!Z<wWF($<EF<WM8+(kPJ-7D9=UM$B3yLCUE?wyBUGCcQQ8WQ`xgPx*>D
zlBGGa_U5RqjTrD82&Xn#!e9ngNeoye*0`b7<j@#T%-1%qse7n}gKO=&O<&kmevxKT
z9>8ql=tCCGgY34(J@&|)vd%$~CV3S)d_Fi2=23iWZ!$<0$Ad+F3zHvhnYjG!uVH*0
z=Fud0^+Os@S7&Pb-^Ug$R89R67Mj7!2uv8kq#fpZ$K1VhHo@9thFYgA#_fQDIGQE%
zu==Tn$<=&Gd^@64&ZhS>mh0k{HqGVXR@gy^ink^zf{YYHYDahMma3LO*bcjxjVMFf
zPzu0G5cB*A>*MKPe;E!w{_UrK4F~qu7x?AiFTwnBH2C=2spqZ3@K#M<^~}{n<`Qk0
z%Q6WJW0WG}R%AT@+1a~gE@c@Dn2RBz`oLU2zCS(v>78e*1G80K|MYCtL$;Ew*$Oc=
z<cJC7l&S!QA*HDp3H!SkDkQNqyaz0GYp;wZM}J&SgFIXuz4+1c*2^RNU<OCOzyI;w
zSIJtiKqU#hgk+o=PPlX0s_LkovwFx`sx4;;J7yL$He#F#tP+P9#IYC|q$FUn#+Zj>
zt<&4Z+vz+?yrw#crmE?Yo}QjFJyoxG=?<2n3$cT#+m&c$r+Ub!5s`o=teSVc4&AC&
zyR3ZKI;<^55#m?A8m@d{e15)45WQddG95USrM3bROXb*|Y+)FpdPM9@M^Ir+lTkY!
zJ%7>gdpJ+?@W=~?gSw6@dZpJ5{nHJkb!e$U0;U@bDeRJ=EDSDSq!1t;Ac{>QiJium
zwy)c6p);DV4(gP90pUYumi9^7+oys)%#q^Mt%0i2R!nK2gn)tCC*Qm9nbUBR!ej9P
zG>1_WH9geJi5|*{_K~+7QB_37x}ES?7+SzkF`^72{Tk1(c63FwuGlVGLPIrHMtA9@
zL_;Yt9xEBDFG)(U4s28Kp+UyEZ5A-Zj3_}AWWRm*jWG`@By4{j{2ne+J7#BIJ{-mw
zQQ0fKdU$r~;eD9jq}iXAp-%HO3ua*zNwp5aWrb@%Ac3`Z8XKZ0z;L1UNFvE##g+1=
zgVH?AgQrMp8clMS3Z;F^?V?a9;_Irxu|(072?+HdN^(USjv;ZBga;ES1sG7y)f0;)
z>qN8<#Ca6QJ3y@Gmieq2=&`mc2EBUj!dv+PDl<jw1A7@vr|VLnwlmx>3qF7K^6xYW
z2R}z~xcExL!}P{8a~>YXVY)UX8X2?77GHvRA%_z$=W%p-1`fRc+FljJk5bJ>BAvZq
ztYU#K=?r9XHHK_M;c;Wi>c)}NenWvogn_?9YNs)}5@B7yFfpQLxtCgKr@ox_b=yTL
zF+?O^*-<ULGpDIDXFXL>Uxf@gjGst$VEPiK5)=tW9UK1=2xC>4zb?j8hL~zPuQ+Iw
z{^@Tg?}Bk09{oL?hV!pAC?AXBWu$$0924d|D8HtEdY@4b<MN5>fUX!R5|=5*WMyHj
z)F(hxm_f<_(+8*ahb;Z%*TN69&9SmCdSZIc#Pl|sRL!7Thvai)gySq!9C68s9CAb%
zCv-%xojPFyIdDj0FYqKylCv<G7FF4=f^`x6_CA~Dcnq@1)AIueJ8$Ysom^$t;n_4=
z*oK`vGH-uH5I2NVsu*SVf78?@xSKPY-R(v&6dS5dLpf|~mE~tamZdlK21RM>!q4I`
znLS=3(H`W<R@)H+y12C@Yw(M$UUm1E!G&cA7{4qd<Y|$WZt(Ee%{0F?-zCfM>h<rk
z?NqiKH?${*{bu`A6^XUpz@UpoB|G1DDXlc3Mk`1KD-@S<1i3CLEXl!+U%?#HSXC8k
z<9{GCX0!XT);77^yp5`)(T&!coYA9atIy6>TMofw>Z*<Ii+0yS4-lV)&F>hQP{)*9
zEh{N*&&aayk-JS$W=WB=lJ1nyBf=2Tya*2`O^1R#2)Uw$6^u-an4wntJD!ia#K=(l
zpP-6RsR(bH;Mw!F=j$($uW_yXb}FGMY3~P+1f11|38$_AA~BZ$q*;;hh)^y#1cXUK
zm~&S^MICG7CECQOebF+S-fbZ?8dFA_?j-cI>}mN>w9MCO8Fx*~HOoenw%5^A7vd3X
zx2_FcELCzXMsP|1p#>=IL1u=JS&%HwZOi*`!o!3UR(46hc+|sHZOS@G=%h7dtaQ2!
z;vR(pJuxfKh8p1>aMM4p!YuNE&WB>A%HHUisgKOWyNI`;wks&<I@|_Oh=On%f}!&n
zB0MvBW_r3edS-fd%=Al`&O`gHiKV6wVRjCGc^74qxM~|I745V27Rwh53FbCgFDn&0
zOz$Kzy6|q{rrQdh!#2|PEw{_&2spK5ZF`+|xH+OLu&;C*X&Z<ydK;<VxaL5g%J$S>
z&@gvS{idXT#T9TrBwd9hSgZ#cm3&5Zx-Cw>%-rl%ozR&s-Q4N#b*UR&+QBIjl0kB2
z>X@5^1{7jdse+$FiB!KuY0GBwn$&AjuSvZoZKg?E?*)>;T$Y3>ame~5h@HPv3W5}3
zBPHTJNL)j`9Ca*5tNNc8qkUYyF&!){D_z7_OQ#z24hJI*6J(3WXaTGHFhll~bbux0
zs($EM>7cCCW<w;~2+7u+#QyCyA!oP)I>hBh7p>i%uV9vJ$O<wP%dkM!<5_tJZRh9Z
zeqQe9<$hk?NDMR50sBi_s#3>VcnO0gE$E*t^PcrU3NtT--Amz$Ug(u@zZZ)b?Sh@G
zOf(Rk?U<cd0Rz&M7OtXFsP<Z#wro1DOuaJo%G4{<X3CUxaB?)(%6;yoI~;@9Qku$T
zo})gvX}Q;??$3&@>W5yOKIg@wnp_sF_1+)oe{fQgaY;!S66+d90ElBY;@~=EdPp%6
zin-2eSyjc#Ocui4&~wXSaj3*UK6gU5hABFjDw-iBh`F^(ZYbwqh{_HMAQrH|8gR8T
zuG4~5RI%bBxT0xhwEo+r&-~)TI@_P9frpeLDO?+;#1eq8Bw|ECuwiSgkZgpyP5`xC
z!%Ew<mw40kra9>7m@C#g9-rCqq&NynId!pG7+M^2rI;8owLIoZx;^Hqecg8PfeK{g
zs$-IIf6SFXvwUfvx&!+ZaGrsp%CUVGFho#mpRzc=16&@G>mHm#b(&v|2QMbU<ifsv
zd31Mx`QXKecQ3!zL#dP`@Dh@7I6l~U9*XLY>Jw4)(M@JLQWcOr+vSE2E2ot)8qOOc
z!kCeT<yz3<+yuiNEB@*_R?G}2924WuP4IIIpYXNE319DnzE$nH3Hu+qzz>uymbVWR
z=cpuB?e^S-dmLJvh)S0yqGHRTv<K_4FW!|RbnxDOVQ?B|_EEg_sn8CTq_Mh>dJWp|
zI6~e!%9%pm{UI!-x;-J)!oVS3OaOIBL}^J}s>gAJ?VHZW5&AenA4llp2%8Dl)-mK1
zvH$@ObGO2^#3?)xBm28jh5HouL9_~gIQC%<$FA;*K9sQM`m}YdGlewYMaK|s1**lN
zWd{U>3dhbC>##!8K1<a0t+$&-#fqDimvX96y8+uzquwjxzH8J?=JOiWYgBg{m3P4Z
z0#gQ5Ofh#n0+dLgO^qD`6f&@a2HA-O?}1i*>z%0wI#;5uPkMLiXO*kv`#87_vo}ZO
V8~bmT1@kvY{|C);%+>?o000Cf#0CHW

literal 0
HcmV?d00001

diff --git a/doc/arm/dns-security-overview.png b/doc/arm/dns-security-overview.png
new file mode 100644
index 0000000000000000000000000000000000000000..28e92202dc9bc663c781b050bbb5e6b1b3ab65c3
GIT binary patch
literal 25862
zcmZsDWn5KX(Cz_=Lw9!w(%mJEbV+whhjdCKEnOla(j{FYEnO1QNOyPL#s7Wp?|!-G
z1F?g>*Q|+WW}YERRaq7dnHU)YfuOySlTwF3V09o67)2;7IFeraHVb@v;U@7$6AFdS
zud1woUy+>Ublt%B|2{CgmiXTw5K71!DRE7&?EM^H1C0%eJ~2sLr!U`9KJYo?NKT^S
zkuBk+sC~3bjmof8)rvbMHv9hdrHwd&gH6WOAN5HS#*NX5;n)3AxR!$ojNh?0d0v~g
zi;)YEkFeUCo0Ir0vl-Q$Wp4?OUJW_qp82ybSIQMmekjt7^ppPWS&KCiPx8Lte3c#w
zdl<(XRD}@_6GG+?!sQ0x-?AZr20Nq6LG50B_(d!`zcM8C2@@O6g@R9(<TWOoIA&aE
zXaXfPxM(T?92Uo{BgU2pri6agl9Z4Gr~lZ>L6K-8&mS$O?1GwGjln5j2?@D$Dfn#&
z879K3QbQD^V9I?ABq~#K7a+e%DYV~Sk7me~*(u%0?FkTu)`3qSSy1MpU?AThR2z8L
z8+5lXp}|$i*b<$35)jL#K|%znv)Yf6h`(W2Fwtta$Od9+X%Iib5Mja>dBtuA(JDM&
z&rSla7ybtWS>1?G^j#0aecjZau6Oc@qxI>lK|d_av9Q9lvW~Y<Ssb=12}f6U0C*|p
z51|R{Z{%*E->{);O_tt}p!L%ldqNHU6TM=hgBp*yGx=^v5NXnd(v<=xoGB8I6x5P4
zLr!WB<p4tRK@-O8buk~5fsLYJ{jmg5_Cf(uN~yb7BK^}R>VH@`k~MrhunbkikOTvx
zPQS)h#)h(GbhjhH48vR?JlokG8qHU@f;q~0s<ia<gBDZO|3q0>VzHU#2pBLCzAP}T
z)15U+XEA6wRA4G1pBADvCBCi8yM4Q#2JR*mLXVY^mJSOGV@Q#&(?bioiL|ZD^p3@j
zqNSsgS@vJQOUCYh2)hi<#EuGWThUAv;~p^L+V}LV!>Z>Db3=Z+5zYJe{h|luaEX<!
zkUb|SQNr0=;)_>eDeBb$Q+Gg|5R)T;&dURevfzZl4amQ>wFakUbd%fj9fKz2LY(NH
z{{DW**RNmSg9Q|76l?00ryi;P$b{7Dl`9t}4Q|L6aK0?)6y?lN{I1EEp&&16mSW=O
zbPvxq@e#*WoidhBA<e3l_=z2P?CnDQD;xSKPsS*1^0&I}K)<w1jj4tPec3aTl9S<H
z7i%)6$V1fBt^#LaU%Y^E9--L63J(p1>Y4MvME01Oi`a4#2dshH;7o~ykWJ;~KdKj_
zqM#(nAGP2OF|4<b(Q|NMLC&D%+sQ~Jzm&?<l2iX38sZYHwLg(MAd7=7`?W|OD<k{-
ziS99LG8iEh?@i}0pS|7!Ut<h~{BO^<w{1!buO=oYEI5g{AVGVval7w-kMtHO@cZI7
zHN9f)PGM?vg`cThyLDgq8T;=a^2OeaY`)C#xm1mn%`~b~=4<MxpCL|1tIZ*YL6p$W
zI?T6)n%&*qVB;gg!U_t;yOjlAzU22Kj6h!<qaqcHGw)N?)4R~}_oWF8oXRS0l7c14
zV{)(Cq6LN&WGE~V^6lF<aC3CezsAN!+r2+;7?`@2+OC(Ms+=e|xm=DuJ7l#pbuM4n
z&(nex#un&_bj~TeaPT^I*E`I%>GOBK(-@ilU>vwYe|KR5CHexlj+f@IC6Ahb8v6F`
zpUNo|Dfm_4t#Ieu;9|>c6^z}q$+Bp2itcipT<CYD@gl5+1xoCWVKiy!>mxC+;ug;v
zywREBl70-6Q-s$BE~77=<@zCX?DPI&bTY2}vg3!Rt<CT_vXkqz<1@+mdYegvc+rot
z<Q-iYU0q$<ZyTJ}asyRWgQ5vs9$Tpom9o+?l1nKeEMIup;_9Vob+^TV<C!I<$Cjuk
z_(_L4Wz-($^s{3tSJF;K4=xd^&hXg>d9fwmPW$~nlu2ud*EUopcC48P9Q}10#)~b%
zx}xh#Ni=Jq2A%p9dOG&S6pu|aZ7VDxP4+9+i^&fMK92<^HpwljFj8p^S`RM@fmfrm
zZ;emrkyxugskX6Z?#^`3_fTgw?yY@i^B0?gBc;fsP}%E9<W<Tm#?B8fuFo}MDB_iK
z%GAW~I!^DUlecgcE4+B&#!?FlBUf(XV2ApLOGht1>au0u<>pXA(|V(XC1y5z(U^6D
zzR_wZyq2auKa6!*!z7B5i7grDFI7$R^<|ciCme%i*oX)YZB~2zHLo?uz|n~AD}vh@
zacDVnDlGPEl<cZUQD`uwqK4896s>p0${DLxcbkXsW6N;85yZszV9J(<KsO6ThVeJV
z5{K^(bA?e)%hA7a*=ma@H9Y%8;=#1FONaYgrmy*iui;_r5md=9i8q>d8qz3s>Hnk<
z+IH^>NN1_Y0O1qn>EWFHDEjN#BrG71f#y13!C9_Vs$P7p5pwI&kpK0ojwUa@l8~sV
zQL$#pv&j|!yDy`oqYDoU+ZkB>*Zeo}6E-cK1amKa?w6w9ufv+%IqdL(t{##a1(Kl=
z&o0uEd@^`6R`WK39-qF%0y}_P@)oN5$DY-Lcfj0&YaAJ+rTt&0)Plp~TPiB5GFX%Y
zGIH_?O~#klQHpe>=$_73j<t@lL|o2m;U8+yNX#zn4O+r6#H6kcJ@|Szs{{mGdYF&*
zmm|DC-XgiabAuPhtcZ#YOMu6+j7n8i+k#~Cy9D2{g~a-CF8&LbVTx@Tt}qMurd((a
zGymz+r}u)3yHlk+#7c5<kz{qpN9`x~XN0_{X>26?^YtvLY_g_Q|JDr6p?@g%DcD=h
zOyPn~@wmapF@)0rW1=*G%_&!Vg=?^8R-N9TLb(V>LSqSaWkk}0{6Y}E`C2r&!+(X<
z8WSF@u-_R$vAa7p`Sv{d@ag7uH<fKBC3&{guI2*<`|mGNR!@t8`4^9~zGeSdc3Pj}
z((a;9Pc`oG;Ue~PwGDm-CmT9eeXlU9;k_q8Z2bG!rGgpCq^?9Yt<&fbCb8O?0b6Mx
z{+_$uiO;!2`~|a7On;JEUpR+hnd~}K=h_sx*>K$#OglL7WXXAY$d{rbo4ML|0s;aA
ztOkvKH?CdbX!^A_t6N($#Ttdz*Ip3SQVv(z3Ih)36BM?UNtKi1t|@!2XIG44>pON}
z*y1sqEpRqlZQi>Sfq+IVy!_MuU$y!0MOP>S-0Qs8?ExMQ6B55^%1Hmm;pl0{3gTTI
zE|PFs$m!_lczD!D6@GYnygSOum-QbQ__>zW++^ATODc94%J_^tbfj3wh#$^I#R}AS
z@IoYW!W&V95nGYV;KqK6OqYo}SBap}0_!M2n)eO0t!thO4*o$Fk$UOA)*DOz*{jnJ
zZ~YoMof3cTH<r41Fl8ih$U&HMXDAZbqH=V+P?0t2QX;0UT(gM#szn1G9@ZavnwrTv
z%vN{k!-dwPpPwGCa@{=}WJ(`A`q1|(K+L4f#w0<>(<`60ty^8i^DwJvv_TG|2Ihi-
zX8Sd}LtECPNR#pJOU9HE|GPU=R^a*S^vZAMx3-2dlCrYwPGV0YV`5tEotZ>{2v>t=
zb)aspuBsf7#Il;2nmRh^>czN`sU5CO2A?xCOO~P0@-!*(NuLf2-7Nj91DH0J+I*u4
z*m%{b7#ZdB$E#RUnN4Cv3knLH+AdNB7J)@!j>H3nrw~=57>O;d6=r8wrA|Die*)Uw
zZRX<Y`s2~Yw&1~)mX>y*&39&2w^)-H3yZ_F6VA~-H7s({x-X8*^0tKmtP@HAV2;fg
z!Me$K^)PdMbTp3QBZsk4fjWoux^KewyN&Dpno-4U%fC5|R%>f(J!aJ%%=j-~zGP;>
zeO}q_tk<1Xp>mE%x0u44H)@P2rlzLq#mQoy`q{Q-(&P&OW{K`5!@<EJBqYSc>lvuq
zxLMXUE?btbUR_uk$q`!i-Xhblv+`wy43Yu}Ykr*=Lm8<THJqRJ5j;v~$Or}2*{!-h
zHpQ*5QJSMHPQF0>74Ci2Tv_lJp~-Af|GBT8GWp|#S#)q?6^26kKkazoMe!GH9KwPf
zap3YMclNQ~>z8XqgobLW_#GrCCxh_Mb*I<hxOjcCHf%4z!lFc-SmmdJ@NVK;fBVy;
zT}9s1;8FXNk-GXn8zzIG&mz8pb8x|wq$(^Qd73TyKkZBwW@*%@<H4;Q92n~8*w9Qq
z%P>MMTB6MTU~Veg_T9U8Km-eM0p@?o^=I&9p7#p<J3f+W6_Lw0H*u^EbA={6Os&m$
z=l`DTW%!{|HT&-Ju)t-l_xmD0eia%X0VdIcC=4Yf<u6vPXP7<}tpPQyGo53=m3nPS
zh_ZxFKwwQl0(?=VZGi{U>Zg|q_7lo`)8#^*hxSR|pWmp@%$#an=<PzuV0t=XNE00`
zHWJgS$MAgC$`{I9pNo>Ek)aH((k1Bg9-;#61YUpkPo{jqgl*k@Hn#nYaC98PYr3R&
zb$TiCZ_Dra@LA^c)YW@@(NR&eg}r|`>{EfKkjAzNcP1oYb}-<hC%fV33ftA=zGP+|
zs<$HCoaN~5Lws@a)+XPyD;yDnyf)(vSV(Aobv5P>_P>Hg@43y{r7aZHO3ZC)YjG>v
z!dpCHS`nr6ro!cD=h}Q5($dl#lxUtG5(yMN%#mXo3t3J<0l-xdF{Y|qU?D%RVTp(q
z#`R1dBeC$^AAZxs+i+(B!<p~k2Lk9c{S$|2r(N;I-`Al1@r%XE>-+O0nNl<~G!f53
zg95bk!^OKa;{X@8Qp0F_AW7R7b!%xNy!FAzyf%<9Sn5P6Y60KNeYW=diE{l0LHFHl
z<C!A0{Gy_wy_w3R<@Q`nkVk!$QAZK(%$FUnW4dl=GJ!#Lh-i1;n~ozBLMIoV{b4!i
zxY!Kv<LF`=e%KeVn4+9NuvDbHs4bpi{O4DFCu>E<%Pt7dDxxf<L~(ex{KQy98T3*?
z4j#M_G%oWH3ju!hYMFxc@-X({j?5bEdAr^N(GrVg5^Im3>oz0R={b~%N|tN6na)a4
zs{zPtIlaHAFAfjmcbzxYAoHBm$?bD;m#DsaF9;M?2lxg`-;me4*B5xm(yp$Y1Su@Q
znrUgJfE}beAcu9D3E{JrIloH!-~scjdU(}qq^5V52QcgF>&`C$WZ>bM(s=-4sH$Qw
zQ17pG1Lq(BPB+%5sj1<=54>i-JS<n0h)R0aLXrJfq2Au!kn3GMLc&*xa*8p|oCg+F
zCf}x$vJF<9S6-j*zAZp_*5k}b!%%iX!OWN16BMH{(b487a%i2kNgZKZ_2CL>Ro-r4
z*z(y@n4wChc4VXu@TM>Jd1QYFI|87OvI#9vFP5U_AhZ;E`BJ)A6QGppWLzvPEXcJ+
zI6iZ#ZWH#)ml)_TUSJX1_QYbssd24T4z3kO&_HLMYyi9&*l>m5&?#bOf1J!JH7B<)
zGy7`5x}|~)piit!muSoQ`1t0fp;q|YQpRM(3|JrM8v1h^MSd;@1_p47`DF?4NsK9P
ziJckgSy;-$oy1B-wr$CGb_7>CatjL&H<e`P*QJj8O1nBc?I-94U%dks+PMi8&D|%;
zv4pp-YzjLx;9-5k_$1WH=(h2F4}~sV$1~JT9fxMHOjl#|_-1Rou{uQ2MR0pOy(kQ-
zwNy>JdJlg9Yr&bJUaVQHxi3ULd*1U?bYV87`Zg*m$`8wuOElE&U#7(Myc2Uz1<c2f
z$6XkB@<#r3#LTXEv)_|J!jX(&Y*(kp8&86R(<RNag5mySCO896D}#y8&=`|foZUeY
z^HS!x*7ILC(&R;kGsx1aT1)Pw{a($C%kM=*MARTEWhlzzdeisugjEIj3qSIsZq}(N
zbj6ZjpwHJyj((o9N;{K`@0DT+EpIi?m8sLq$<AiRkG{Bi=@xyR?(7<paj()SjykO(
zFF&#KzErz%+J+lg_P4N+7(3+EB$cnaT)!;{MToaXwfQd|uJF)v10NrwX=IP5_4$44
zeNf-){U;77X=w)BkAMDXCd%PrV^iZtYgZZ#D+7&=>M^S~iZ9JgO~nTvY-}_3^L$Z+
zy_(|$@Dz~Z>Z7XgGfZ(4ymQm4Xl=*;?qY5z5nS<2s&I1WaA`{9Ts16()3#1IZ_It~
z`-}HSKlg0%$uP2hZEZrIQ&o?T?Y2R8_Ej$-w`ceF1A<G8FU&7=J<Y0TXLW;%$l)jq
zgU5E>voeJ?IPSEzl0%IOm79$N#ve|jo!g2Ew;pDG{%j`UBXy|N_@eqMost7@eGprF
zBv9^OYL^Rg2^VW9!roa{-IU;4U_|<>1Mkx5RC-T0Fwmu`K~`iwX_&=pI+VU!J@_^<
zD(a20veqlyRCpHvTZ(iWe_%eIAU1pOlx`+ab)L5Z6NZENRTqZ&+L@h`i>Y{R^@Dkz
zN%W#CI3YFM#iJeTn$Go|&m5tc5?pDDN^k{rS`Lp_35yMZy?;nd3PC_C8K--8s431a
z@l|Rxt=C_Rk#qfJ{)27lzk0$j>3|i+!ENY2hXloc|0MHc$VHsD6RN<)+58`-%gIbJ
zpZykR<4;*Ajq>W<Q4;dAXGu|~5$@D)SlQDz?N>CRe7t_)z9%^H-=lbnu*gl<dht?+
zBBgZdW1d}YFna_sRcH~vATd!?zyql@NcZ7Z<^M$HsUhfdPS!Fgf9}qY7n~yo0i(Y^
zi9Yb*Li=p5rKP3)bbtxpz1nW3qW$r9@c!1U+H2+42Yh#NO$<;x`{f}e4bt@PKJZFX
zEc9YxPvz<9xhzra3sq|Q38r1lyOt*t1$P0r{r9&j@uWNRc`tm)R@Thbj6)4M25E%d
zHirgMm`Xb`OH?brS=^_xlp6U}$E2A|BAuL{XY<&l=9fDgJw9A5PsiT~%prFgXjN#%
zxD2$i?&iym>VArxA09sF|3Vqve9gsnbbGP4ITKi<TT}n|xL;=&#?HrgRX1Z)V|>RG
zPN$Ul?fdsmMXCi*ya|GNvG4Tu?K`*yk6N^pi7(#KLfUNL&u<k}RaNQMSg~Z*I!?B>
z<vUO*x;!Ya_A9hkf}{7>Cvo*Xkiye5GKXM>ea6s?jEs(s4kcpYKVw~!0d0+fVGWgD
zjWg{5g_!tgu^zEePB^z^i)AHvMON*ud!0nG`m3<#*cchYHXriKDHTud{u*051}u$h
zVagCua5{8r;E*|lopIi^{7y;>u&!jml)zv+3Xi{?>-#n*k>f)i$NS;A^!QrouPE3&
zP#hBf-=d@K*yVG)lYD=SH?nh1#?Nkfpcg?X$xo%ciiK}sZNI%)mzR~Mq&KK1=qAZm
z>91kmRMAK7fDNaXV}HLIkwn1uxz+2W;7wA%Vv8q8>hf8rv%?sXR(~>#a>C3DoW41$
z{87IDx3$HVceEN87xxwJN4_O5^RX}DD#9n-kytcKzDI2o0oNVl9$2AdQ8|2-?(_A5
zIU+6Ii_J6<7@o%$2P=Ev7r{%j@r5Qx9H}TNPk=DfDl$=7_N3aO#HHu@v1!F7Ktj{5
zJj-9ubT7~D@{r;S$a&mR`q;=zYUA9=h94abY&y+Tc~gAe=M-FOzO&&r&KWUU5Dsjn
z6w3GBS}CcuVhaAwik{g#do%x@8DNhL9=mCZ!26D6xy+=b8uLDM2st@9h-<lir~T&f
zy7vsU(5=Gq_9tV!hWV#j->d#;f~Kx&8X3s!br*(Vi@QFz=V4|F)97c>VHpjL=?XGz
z?9-XQHPM?RXug{nSJoqN?13j{<uWx^8v`5t{bh5BT@ktj=F~K$N4+szcP%a%g;zgj
zMD7t;N!tScjvhG;>S1wlbF?a?Fe}O>-Fe-;t;Qn3UV7>3w)tZ?V{nMC-zT2kZbuO!
zIx!Yh?F8XZ`<WtCaHPqx%mI!bOuzLtLb41iL$`~_TWtP_hulkr@`H>2NW&RvhTuu>
z&=qI#gz1R%hL(v>D_4xW*=;?Eq}dzK!g_l-N8GMXUt9NqZa$>5v$Nh|9-U0^{C6Tv
zZzlsT0fEz8ZU4-S=jHz2DSIQ92oZwON5|}ZG#8m4KYrk|=y7}O&$1dehlYkKrn8&w
zOcVe_qQ&igdHznkpTt$*D)T1L9}#_juAC%j*82={-|We@b-<#mj8FySlHn>)DnQ4{
zxu0RJ!=okJ<VG)K8RpGv4a8ynd5Hvw!@sxSn~RWN+x*{>jWq&{4PzmkeX&_Bv{PMv
zAOBlayUuvHJB*QbkIif8w$KBaswJ8su_}_+gO4hFc!;0p8t?z~ZfssF{!_!r`uHMa
zw$<x806|<?lXd^@q^FAy`3D#JNbHDqp<P1-c6=r@Xo}+0-REqiLs!B2`Q}XlhbNWx
zt%jir_+O0a+i@LY3w#@YHAvF<PWDW`ibkj$<rVU>j_PLoLVfjn#N;!F=bfM3m6A8F
zTjKp~Mw0SB)x*Cv*1!g&rKLADr+3~*1EgQ?kfm4dI9FTT=1_`zm^j@x?{s0eySt+q
zXb~==q^)uU7X%Vb@3T!1dIKMCB8)4vN?{bUc*_Cyo&2ukdw0+<Z0`(A1=!Ghv%@?`
zVq$hZ$FMnj#(HNSjEQ7%W)i(_UBzN^8~3{jprN`#L-0WU`pX|)1Of{_Yjy`ps7pA}
zAsL~yvE(q=6f6uO^KbDyKltqPezCp`5Aw-FMP*Jz<lRD?vGU<Msnn(6npETz3_Is`
zU4O{t*}Sm6GcrUB9e4RcG1rCRVq4IIg)zVlehSs2JEJ38y8`7W5ssGJS*1v%dS|BD
zWi|`{)ObUSz)?&Jxv98E@9<e6Or)%m{gS|JO^R4hNsDL>-7sXV)ve09)B{qHD}eNQ
zuRq)<<Li3q<c%niXSsXr{u6f)%3T0=p=;Kd+6o#9m-eiz&vLxQG(wDji0)vS83r2q
z7DzaVc<s|O7=I^bWzCnoWm2g8fw(Z!`_)<`D}mcl_BKXghl};%m?GWVht1o5sux4-
zehg$C($V-xnhB%Efe$>E1IaS6#AE`l-BKFnvN0x;UUpg)`$Enu<S8YL;Vz;t10z%V
zmj*Tla~urbpMJR!T?&~0p%qFejGuWt`y+Q5;|N=TbDIY;q{PiaNE2eDkn8f!V$2R)
z1KnIoZ**nfF>~NlLO#OoH=>W7PYgUjy*u32Ui0i$<gr3{+TTCw1sdM<^YiTme0|0*
zc`A$cM|)M=AfRXL`f`dU&Z#Gx0xXbGUbBkOox}DyoD?HF*vD<lO=|BAf@8sdC}LYg
zXXPSwE&_HL-VytG9n}WS@8A7Spz7_Fn4FjZISQ^=IZeENgX6{F;{507w<F-45y!d$
zDeo>HU0vxtKMqgT?6@5Ijtu;@5b{iI31vc6^0MzlW+-(+XS@6e<NV<Y&h{%oz)dKg
z`eE`4Hcp$04i%b`S4`#YzQiP-%|4oo05uH_4K?-QVvDu%21uFV;NgdJ#g=v89jCT|
z4^=wKG5JXuc%59F`Ayifd((Yy7Sm?0-T}rL#X5ce!ToaoblrlGh`_MTOgg@gqQOzB
zfw3$=Y4}ehQj~Q3r=bo`!bfe@-#>}(`vndq32OoxqipY|^?XRsTPg!n>$)^sBifG_
zdBu#XQzU-(k~ii0dK4WM2(SQ)-YlII(Z6Z;y6%mRa5|4vs^32C>l=hIn7yJ|=GxST
z65b)$W!%+#7=L<*7!~cx<e4@k!^PE9S2sHbUp`4ukK5MKv5pQ5e2k8+DH|-+cG>u7
znMO#zcCG^X_Ngj>>@$qX@dveXwI7Izy!O~N0bZLsZTs)4Bc6VJTbvXSF`1e*R&Ww~
z*fKcdm`2G;*;y4!xZspbEt`Jzw-VzC`!d;KsK-KsjRc*px(hfvj)ukw67K78eyqN@
zw|XFpw0Q6t4FBRTxVX^dw(PZrW;fg%Z=$ZsZV3%yN$`F*LA$B-BaCbRk3te%p5OPe
zl|~yEmy=i$K6wR&Va|=|a>gYTbKqKQRJ>%D4|^@bG5BsfO)65v5lbD;Add{w{7>_>
z0&YZ*?;Qqt0X%yq2UV4L%T`txHN&I}j~pQ+e2n*TTq=<oSeJdh2sa8=_V8!$8HGJ2
zbCa5+HttzvJe$A2`k_wyrSET)PP%E)1#J<L)J`LSzDI$=>QOvA3cGDG9vZWL{r<$u
zF1HboU$Les(0-C9(QWmr=3w9%>cXI*hQ*;<85Lt`9Kf`fAb;(Z_B-z9qJNBEbb3p#
z$tU1~crI&yD|7JRQKp2#sM;lO>U45P=@XlLO^cp+g!@%4zr8*0zq)+^JepetOH1e*
zO|S_Fxnmi-Zp+S_h&A-aZjK30;ru8&JKKvb6ZGF28~J(RZQzXqZZ<rZ{jC@4NJ#>(
z^NxOfu;+Fk9!OzR%Ip?MR9owNu`T3GIXQR}P4Gge#`UF!QoTjEX^6`>3IY53SLmcg
zW?T-L4a?b0G2T}8ia+w5JTG_T=R|UpLTgqv4ihj)G!|3q%z!U|<%{#DXu??P9N+uP
zMYM<VE1f(E1}ZG^U^`vyeC|Wx)SiCP1s`jX{n+0(KRSdY0XZDb;%lgN;)NS1hUQy7
z6`oD)+#q@&Dj5#Ns{fc`ohvVGB;q;lWglK}!Qys5DUKb?Xz9lv4C1rYVL)g(v!@9c
z%;|qC?t#$I*z0%Z_bu;c_q~U){j{nHOT&b0i~CfVzZi1rW%}T7*7ZLWzk7}fBlw_h
zDQ-u5X)Yurq+Vsvr~s8cH{vGGqorVY6ny3?T83`lBhzbV`-Mm(987`;UI*sJR74yI
z?<-`=*}!8EL~LW#pM?6`tORRW?BJI@*XgEia4t4~J)vJ6Q~Vatq4PPpa75g<Ec9!A
z(DS)#n`QbAME2n|?D5IvV7o`}O1J1;iniJ=_W$Jq^tXG^U2HcWvnFQi8|<L%wo}Df
zkCG2%A=VN5-<ph3;^1MB@>ki6e=T{>10adAVY6bUu=jD5DdhT&8t(nU^zh1G5EF?=
zMDdd2qhi)k$Qvxeo5J4~NFs7O#fkc}d$EgNL#7d6phwunV(5QCz%sE_3PhV*7e8Yn
zQ%<K+h|?9z_LqWzrhX#Y*J~$kr#ZyE>Ri$NFuYKb@h5-pv@$1(DAQ)nUi1*sdJjv!
z_ioqCdrSWDCbz*YB3Swp>Pb;llU-61TA1WdWifs}LAOL<x5Ncm;sJ}0Qd0KISO6<(
zZfeM@`%`W`z$MS9!oeOmrEuwJcKF38StZoW=4*gRehT_a^0AF-J(dMW-QGHIt|G4d
z9WefqHl*iq1OdA{U9{5v^lwrnF*~NS^X?^!p2?|2^gN8Kt1GAoTOVuc>FI%=K`kpo
z$^T{}Efr~XQUx>wNd<yan5wPNjQsJct8M;H1mi=JF+!08&NB$!?$EYB&ZML1xuVQo
zm(Il`f?x_f2ms&ma!CNFwd`+Q-3$}&ho!KGoK@z4tqN~P9rf!yPtUIPZPv@TpBJVy
zcCzX*nNjXLTukS~K*U%QyI*-RIc4m#^V03~TjmO=ECyOw8uD@?n`wg#V5nF6rouEO
zGP>)#()AAg{W*?=B!_3kl&cN>Iegt5f4~XmRl@GtL7$9q?3+rY1sHDMR=cr3@rs(w
zpWK7kLVK-RKmWZ%ylVE|GI`8{JUr|K^TH2|1Bk)F@@`2$$GJRU4WXe6g?L??y$~Mk
z3<CT_ZJpK0sF<95r**D)!oANlGq=5sv@a-(G<CT0^1MpwA95=B@?~YZTt9aBN?w|}
zyJz*UHO!Z9aD!>)Q;brw=F`lzHl|i2_E60#%iyN>?b!?O6rmZCy$f_OWeFrp+=1_O
zfz<X_J@u!N>BQ)KV2(Ia@0!Wmz2u&->705uxjI{<=ng)Q+*D@k+c(=;o6fKfWkoCp
z_^M7cuqis03wfWeXK=~5d4NVfDBiPyen78im*r;pk7_FWe32mFn$E7wHKY0{`qDXO
z8?hi0lZl_>##H@|VZN!)*B%Yb%7^4oPrq`>WzuGMqr1Pyq+rwRNM$iyf_xVxj_oz^
z2GvH;7pNeu)+tkc74vqp%4?I38a78zgrAvF!j*HbuIqf~s?V1xWOxb5WB<phc!*m7
zs^ej7mb{`!b6oiw)2>g75^=`D7S4;Y9D=tVTPouj+m@G}Yv<M+Lbo0Sipa>{QPDbm
zEcAYFx+{7f;O@_b8MR^JYl*|FH3?mh2pwt8dAxsLTSSVZ;(GUZC03(YN9L=^SkE}s
z+d{WF^nv84K~RK@ii%M1{6mtGCK|TH*2=`o);rew`-Fs`EIu^N$XMxz+vz$7djn0n
zq$n?&y1DJ`ZF%isQbCJV1W`V|?TErAH$;WhU&|CV)?$QrJg|W|w6b1la=hMFW_Vr`
zjb!&o-gPqlRs?hynWObD!s&!l6X>@5n7K@uRQYeXrw4)K9>rUCLFsF9Avwh6?Ha|W
zOkc_y)uaeAd0f_+L6<3(8vTqwiwU}RgzUf0r?e^)$G6r`*6M8sI@k+Ue|;87kms-`
z>^Gglf;moV8?*aatoxNo7ct;t>V@AE%G2sv>0ni6|5ATfWv;0A7UO7|SRgqPl1>vg
zokv-;l+7QgqocE%WRBpKF`+QGX5J0xsF?Q>Cd%Z$QB*8@|I^vA(uhK?fUcR#8A>Ti
z9{A+Y*h8m;i4)?vB%VYEK}JEz;<4l9w3%2JPgRt`o*Fr_4$Nt~xdHib42AJyO+sq8
z_gO;5yYoyH(T=1Im|N+uh#L!biABm!kCv8}y~LQPv6+Mf@MB|LYk(!uscvMv|0GD0
znqIFl8`;l#9c!=G9*`oDn3_5r*MjACJ7Eh}8`H+s6>fTHaK7Ik$H~PN5)!gZ+-lRU
z5nkwIA53|xh-W&9s0Al#>2|MW!2drrj^|2Aa{O3gwm?X{XeZzDmkALhLBqH8INmR0
z%w2Wj`Z_{*17O<%$j&x_2jg%c9*X-U%}-EVoG!MU49Cexa>)!AV@nBnoj(pz(+}RU
zZ{EBCEkV%FBI$j_!0Kq;kLz{8j*<@lt3Lc-F3hln-JTGHfDVM|W)!VZfmLFrfOW?Y
zbq1=E^?I@T#KYaAA2H`|$Ht068eLxa-%`FTaK$U*v~tu<kfYsXrl=c-g@{xbcJ2Q?
zzN&n>*_tkcQj>mw9*g+kiukPT6f$XxbNwzZ3s$6C>s2;4GXn%59cEs9tYUc-6~jcs
zma!Uoiyt!d%7ntB5}6=Lv3X}f<ZI6E%2&f{WkaoBnB()_aOifGrR_l{2KsmiRgkpb
z(@-L(LJ4))kO?M^N+TG_0d41WF$y}#X3ZSPiuHV*)pFQ8JUsbwz+I?e3#EM@P0-Va
z7rzI7ybZ}=tW<}2kpAW;)vNr+K6xN01d)O#;Bz_O=4H97udP6z!b(DQn<SmYQqA!G
zn>7!R!==>v3TlhDTL$dg2ORr6{9Yur=eg*y3;Z$Vu<+9FX><ZeM`s7?)Qxb*T8Vn-
zt1=m2dMp@}8AR1PC{4Y03n`>0=9PN5Ez-s~Jj6>)cpDDyqRF(T_ABmCPY&vF&>XN5
z6p${OW$|b+%l>4|B9(A@&RO*|%$JxGyOrCp&GjxOg8BXpXIuSX&By6R>VN>9>VI;!
zyOwKj)4#G)nd+s0umtRP=mfS3pjZOpgr2oc?KN0yx2g>*fT>Riyh!XbN^?cmumerg
zqF59aY5d#f4I8cAYbX`OYRabwOQgPoZlEuZB&rb43+bF;&(EQHdbZv&_Qv<k7@Mz3
z7&MxEQPw2_tugyI61I%%t`^q$rjp62U(5C%DW2SWx-Km(AN_B$MFW5C_9_P)3d9gw
zHVeIYd3CsYHmas-QoH#0z+pY|a9|mZpNPyENSw`Bbi4Q#{*WrOoNOfkexG<=T5PK1
z;ns}sbNtRM)^b3!fE#<D=+C>6?O=3IPvNtnhn~@e0Pi+}*an9dm#c~n1VAmLrltn8
zvnBxv;I^l1W6^eeXG%Rw0|Q_9!%(jw{8}-3Ea6tKK2{HS>}h}81@TL=o@Mr4CXT!(
zM=0D87qYSy@wet=LZL`s+u9;MQ^B=6mWk7S_41pWzI}sbd3u$^K$zsezWU3POPpt~
zaRv^qh<>!c95)$6^&cJm!uDHt&`iLv_0sz18y0S{?t0OBB4V`6X8xyNhgn-Hpt$ny
z^yVT`$tv%y&MW1|F&ltIOS{6}pV)6aU3=XC`02W;$FH<Oe|=%UaWv`ss<7BV$iNs?
zIS*!^^kyB@3u56TUGR6Oy7ns9HqsJ51;>j92S~+8M`L1rAmaL>y3(|DcvM!Yf#|-Q
zK6&p89O9f^ssr{|-{PW(M;Ah){$qx2%XASkI#IBIn+azfe3sY>uK;`ha|RZTVqPuc
zGpi~ACvLrum}bk<s<3_%9dW(GzmI&E!p%-GSxv+1Afb%DIofx%Op?&$d$n>D|58D*
zVfiY<I^cfXnVf{q3$$1^!zGm}i5-ZrU0vR$xOOczx~$n~O*hq8kLC(#8)$Oxg<$OJ
zw?s$LYycw0<8c>`-L&xI^%}lG{W}~Zua0Aez`*WaP9*L{nW3@n`r#L5(-@!%(*{yA
z{GhA?j(=j+)vq!4UAU|sjzLLG@3fu~)C%%*w>})m!m`1KcBIBqMJ^2M4hAlLlJC?(
z;C8&n-v}r#psK&9{!5w%N-Mz@k_O)mlC5{ReuD&<J%SS;P?LQUwt!m^AyC)S{hry&
zxlOzuZ8$iZX~!-Unxx(?`dzW(+Z&yqq|pT0vrYl0w6L&;DC;%&@e(ST-0xO9!>qld
zCd*7lvIP#cidNcu$3|mlu*K=RvIP*d8<8-FD5_Qo9*SYJ)}N$$-k}~(&kzkgF_?fX
zh^R0S8=5EH1=m(3l327oyQ5OQ-KA1zyU+L#MHG@Gh|n_Go|+Z!UG~QA1%mr-=x`Qj
zmUy34xtFS<x8GxPS*;|>qAsDVt;LJ+(uG3Q)zydMp|gd?VqA8+ZVX~#mpPsR8pYQg
zOFs=;rUwU^8a<CJ!a9fXB|A3NwGcw`(EchfoUAdWyp99urEX_ZDEH0o%pVll%G`%V
z{t+khT#rZDoG_mi?X#21$tUigvrOUsUXA=m2>QIHc+m?EUzI^-3N{IQVts)bVQWT@
z*i4@y3u$%utW#BG(_+AKwPZdt&Mbh+?IQEqoqd*afX2^g_A3ANY~xQIjou%d%?N;b
zwW}#5yH+z=Wzip!C-FTPjf7fw;iDE87ngpW?OOu_`y914p9`NS|5Deva$OBmo&>qj
zNGQOa#f3xmuaC2B>`Q`B*njiVR@2L}J{6kmC*O6tbxgoP8J%y$0N&!`$eR7`eFqX_
zT>fGNw6!bj%wwI$IxYiZNBq`w5(9WlP(JyYFW^0PA2TWDa-x0n(eaq^kqzsPVf}{?
z{2d1GV$NgbEGQ6mN&MdagQQ=-GRrZPYb=iLv@ByrjjbdtnJPznFjse1GeD#OY1BPg
zK!8O0UoDnr@xnN}xh2ULJU%{x2LI21huh18c{Zcg^v|i&H5!HP`VIALDk?TuZFd)E
z=cl%&9+BdZ*&p!1E0BY^#kALFhlvyc8kn;B##85#P9$Z$Y#fBUici=$RIN9OEwS(@
z2ix<8%e+hy_Iu_eR6}}#XPY;ZpUdxi^66X|kcRuwO_g)}H9l`3?(;4xgL*FWFFu7w
z%HNrL^4yLwS4&-0ri7xco!zTdrZ#_mf4n3QxLySXfCA9o)C%Qt1Z<Vc_D5Uk!dDF5
z$FzH!;p6#O1QGPi`uL25w@$i;!bt3dLM;>bxxH3oaCmSxVoDYjUe(%)5}Db#r^8aJ
zPKVQe=jz=V>1L}YV#xMTJN@a8pgP3iW+oG;ZrzDo9CbL9{Riu`8wV`;@87G91pnhy
zw!ZV7?>U{I$or;XqNIDVLcihAkOn6<h0}Z>nQS@G7|?3?mi@RmI1<H>PybryE;hMY
z{|bTueI^<NjK^0D@4C0gQ|l?NyKz3K2(KO-I2^)TTH^I;cAE`-j{PlXN5_y&SehTM
zhh?Up%jkUt+65cfXSZ^aN>YF8iJ3UJIsXnCX6>7;eT985_zHJ>Qnt~r_mquX*4g>^
zr~e(X9$`}p==0s&+)Sf>guTAC%NB_ibO$`lY*PC<i(+I6r^lcklC|mb0&>GXVfKji
zr#}(HEysI=+(Sd;x)X*S*h1kQnx!d5JsravRRo*HHYa|HTO-$pLiZ<#GO@vOq4Nz)
zIduDfYqnaw&xRb9F)92l7^8!bQke}J*Y1u)goRz*+{A9yaUSCR0np*%<P?24*ML-O
z6yiUccbVYH%(fEQ8-LM>d0U#06`f{WVamAeTtXWPa_KGXv$=O6U+{?DXY4Nu2WDCh
zyH~rY^==G$Z4$LU3OX)Vs2(1ok201c9nCi!Z49O<*|+_p!H&XbGrGS!YS%Bxxnf|I
zk$|OBmU3jBt_YJ>c;N-*3=H>-QY3Cz>#XBq{zbQCFF^ZLC=R#dj7Dsw9B&{zF&5ef
zSG;9PJ7rs-y+hJ(lpdIua>kJ(1Qz464wZ@PKHW&^)z9U!j+6FQy9O-h7-F8?o8NLS
zL6)WT6-GZ>UH@`=dR{%;T{YOvj7SYP035fGX3W~=d31q<Q^qx6kS_EpaV5)14)!3T
zroE7kb2~GLMaJ?)Nd+Hkv%k>Suc%Mzp%L05oEm`0$3q;eSN>Vl|JJGf!HT`YJYOdE
zGiWb>$3~F*{J#A>lHHLfX)`@^i$8#6@yN~p)+7liIO8wXM-}rn6a;Tn;@+dMQiGlK
z*lO~dbODZhF>K2!p^mz@Iq^Fa@cIoB`QlpmU|S6NczAdi8Et!zQCveBo0?dRTD<@_
z60*rs@71m);U^q4V;tD#dxgx&mMEtKB?)j$O<~doR34tY--)Pog0lfciJV-3^4c5A
z<>t?CN;bk8`kiZ=I7Hw7#SAe)n>Wr;Ye?l!PQ5%0`t=QQYK|v;HBHT0P@3wBz_7Nq
zzPr8kIGB6Om{RYwYy=pDnkAsz{cyb&udA!u)YLSj;rB0!UP40R_N{5t;)^mpc@s=T
zt49mMp(kCG>V7{|T5QeK_0YsmpH3ItMnxXZCtq4gQJ<fm-ybwA!@gkZKXnMs^*F$e
zk_!GaX<MgPIt4psTL*s7tMGPobadMq0shaE&+jajEUd~}g*BPiRIChF!o11b^pytd
zIqx5oT_`%dfRmEN7|$$$mx9$SzRb+)f=&gt)$?~6?)a?TonerbwGdef=?L`gF&HzB
z+jH?!t^1E4^~w#n-RYwU^jjJe^})c1$D)z(yFcms`ST}R>v1Pa?<GCf2ERd+9ZOzb
z9_V8$%gH^n3m<tu{rUz7rq$Kem93}pZv_WH9id&w6U+!?@j48!Ew_4eT?vYcKF?GL
z`K^W#EP(}RG&Q~5NpnWXUZkmw3*JZNWgV!u<`?ojGFuY%JI9h&7;d8#qqw=@cU>2M
z^KhHcKi0s8fHvoL^6wanMsYv+6)Wo!u;R_(tQOBB(7!4-fJ$Oc1-G>L+CP8x0f)fz
zV9tFXFkbuOK*#V6?I-$NKXtmKx{_;L8?rEXc*waY4<PQpP<@39ctG+6p8|KQ`^Zay
zQ(V4XWrJ$xBRs<XQ00X9bkk+kh;(%T6mF-zN=L;6Xy()9v&|RYCT<&bM{e6=d7w*K
zG_`wqP#&)=g*hb|0ot3hj;)KNjl*}~Pa7bK{gqy927b3xJBJSI@(aRuQy;5&3VW(j
zyCL-H;t=z`FIsDhp5whkF>hqv*+n69KHhBQ{`&R$kr5JHR0r)<1Db~Znl)|jy<nIG
z3}qq#8sGzOgJK(KC{Nkbn!4G3!E7d{#`3x7oG9RTLm(nb=Xmk>_<eV#(#aX=f`29Z
z?L%5>s_4ZZjfRqhyEICJ9Qqb_H#fJzl63Wtv0-#CU&5HgQR;JcjT|nukp#7SXC*?d
z!$Ze1Fr&uu5%Jl2a|5ZFP>$NHy<7~{u&}X#`*WB-UX6&145~cRGm*se`RTr=B^T+h
zfrcH*rO_Vn0Lr7dczFH~7c&NV%7tr)jiwO`ooe+zxo0hYdv(5~q<XIfMgpSosn{?A
z?>{v1uWE(P>LjO9Q^VF+na=YXG-5h%z6t;=UzvPUWAj)U8lKuYAt52(ML`k^SHODR
zI4IV5?pYpyx?YOb(ho}oEv?kFH0^VJr@zbGoj(&W1w{;-O*&xLH~#@hkrN$92J@u|
znwa=%+2CTBZ~0zZ)8cDvWF)9A(?tUEoLn*>@`7;{EqxRAP7(1x=(nhZW7Eq|b9Ht=
zwRsHBmII%ji<vOYH~*q-l_bSy5pU_=lL@+aB2rM&Bho9IJo;_Ff2D$mMM2?otDd3Q
zt7Kp0uZED*+1lF5WzG2Jg%T!DI@!+7Fhu}AJv}`;`*AN?S4%<r<LzDq;4Xm8l<exd
zL&vq+q%pw4mLOO^>3h!Ps5Eja%F2emX7iZ$#;mGbqv+Usn=l3!ar`MY7CV?RCgHJ7
z2EEAIcat3<h)&BtA5J$0A;`$cR>PT76^1R^#{PA+wcM`%x-DwBXt0%)(H3NNqHPuk
ze~pU`$=@a>C)1`4!hjkUQZEhsmU=qsSF4jQ&*gIUS3{LYi)FgKQ8-a2CnPgvH$WqS
zGq)CpucTAbDl?pa`6`kr3K%j@UtGp=PtjIxu82csO7%XH&})h9Qws}=bPX0Tb3jLj
z@EWwXo|(i_2&IPnF0g`RG1=w3thkR&Y*&bVbFb4k&!=$Wcsp=mL`C<dqrWTd>0%2N
zCq~HjO_#U7d2@3+$OhQ0wR#6rAO$jPp~H>}M<e02n`Vw$(mSL>BhmZQ6TciN_U_(G
zOw1HpeqP;~Yq|d^mUJ-iB?fOy6y&<!Xq#s_IX>{^-Y=DL&Z}Frg<W;jFh-ZFk%QZ%
z;Uj}OOGP>`YxE;OBOX+^l$0!+Ur}Q6lM{bDYOgf=Nngsq%xrHJ9f~J)Q3a%WveqXw
zhx`@xKlY6>h2|jAvF(cggEH07IdqTb<njQ=$~ws)D{Jei)rHpyz$efi<29_2kBUWI
z-P^P4ns$W9smK;811u4D&Fbyr^ZomGt-$tB_xC#!J>ztk5`f*@_U*@hA6(GwM$5?1
zDKtu6;PK*9{@`Y=pnJ(}h{xkm;1h|B>ki<+Ynqr)Zar1^OPEXMFMd$G92iDpVDP$l
zJFf?Z<W}v+O4QN{Cpa+i`E|6Fy}TNuC^<2##0Cb~-(fHL&je=^0u~P|6e(|TvdUD_
z$;oNb-OS8PYD10|+uWBP(#p*LxQ>HLfzAc%0Qf$QuV_PgKFk>T4$~cQ`)=orCDMcy
zyn9E;k2zC0{|yBYfUHA8tLWIBmRbSbR<kW<=IhrgccxECVe|BtN3xYh*IT(Ip3k%|
zdqA{-`_DJAg-UbVjF|vW4q>-M21#%T0-o~LrrEIxF1}VZL2!}7Zwt<jIqnDS&T4QI
zW-7C;dJ23g2!nT5N0ogWbD#vWzl_0FiJSuXXI<ePauAtdXFNs43<X;3itJK`bPes&
zsfEwC$;r4C#U)}f*m1$3RhtQkiE7IhoOC#TCp`q>tqE!nOx)0iyYa8mVV#l@pxc&q
z0p>&qa+Lcfs+^;Xz@VX4=?1<wNsBWGIQ#bU^78NBa}OFjG3TSKVuSZ0&E$3PIbH9^
zhutYb<>PBm5xrTzm@(#au5hy^<%fvF1uX}3g(9t3GQETnNHeA==ZcbT=*Iv=V6MA^
z_9-({&}xVfGT-1t5ZzM-ru3BL<vCX=Psx--voSIys9MPokxXO1DrNB!uo-cmurqym
zlSC&QN6NwTZL)$4o%9z?yymO>Oa1O%tq#RtXM7<3?zT8E3h*D<8UZi5!{U=A$D|E+
zuq`0@4&@~e0=iKDy~guskUF4<Kh7x8CBc|n<mcx*c<P5*f)#NuEGz_o&>w<`0j|Me
zkOadf)u8tU=sUnuX;1uHi>DC*LqB-PVz<yN-oKqj!OpZ`I%UBQwDQJn(wUKPqeDmt
z;3*U3xQWr8nECF0YbJ;_y?TCPu@3Xd;NTiEz>8X?JUY2W%3$7=PQ>>TkYRgzdQMJG
z@@3->=j!(I<3;B{VlXx~*0AKW2f%3yun|D@vUYSm7|F@g{A$#buvhu>qrArG{*uE6
z8fNH&TIm#^(3(~AGcqE-R#ZeK$wfs)U4LW>0`G!}h1IcBpjRFTIG0LFc+owI@)vjN
zrBi@S+FtZLM{tW8vhyR#HfVx<%3@)05e$|%WYr^}{?a!7kZZki=@3H-QV~M^JT70}
zg+-3{MGmNx(5y~g_Rz2}@ZK(AAlBPQaxybBGctaRB5lZ&$y5E}XMhVy8tv|u+8piQ
zI6Xc-USGEe(WlX&u~$xvjf4f1cyqVV{p4Tmv?XX*kfTeLT4Mgr@zh3M?H`v<{@Vl*
zaEldMRwGgp5@DaBa852}5Nt;>!+N5tJy-zItB)I)-QE|aoceC>P*u7lFoFsJjOf%g
zmVyF8LEPZ%Mg4k{^KImplZ7FcANqg4jwk2c14D0}=#kf44N`dT0Ntm}CuN=0$~PV^
z3^^<qt!5UkP7g56sM7|Om|+?|2gAa_X+k;9#w7XOk%zOE#j*wQ06=`YsI#+~`*X<)
z9K$TSr+H~8k`NXc5aCt<a$IcTJqm8e9JvI2Pp9^tu{?}=Y<zsP0bKi8NDlf@>kG%J
zYnu23WNaR!J5e+2xDc&aLHPT070!&9c9t|>_0^eGr<o0Ht9jRqzW&@=>uNOJwUo;u
z3Jqikn3_vwxV|>Ozowb1{a~WD&>MSwV-0BCk4p?&gfHo!F#BC>*9eIUs-@#t=n~BM
zZbxGJ_QPg8C#Ei0KzZTZuV=tyiq?maa)&iN6ciN6n*gH<gR%So8id&<4eiR$=wmQ~
zo}Pw_%~!@X?Q}|vq_EA}M#Y`;l9-pl^Yg#Z{}P0@$953jJ7KCNIa|h8l?{#K&k{N=
zV{hf|6n?UHzgDSSU0nrgPMrvRR|tvg-^~4IW+8E)R{CD`gbV~!>Z>gW9~MJF(e`i=
z+4=$p|C6j7KL?m~Iv@so_Wk}(9X-NpPDR#X_ec4Z+{Ap_oe`~y+8rrj?4smbBLZ{K
zmW1?lsFAA4B<;(WJMWu8V6@}T1P}2iGGCTSk?;BJ4;cMrHtV8Y5o_~KY7G^-4dN2u
z5tD@~VD8Ho*u@!?$Y8+%pC;BHt5Je?8g?yjT$2&cjSmkQ9;HYIOUe*74X=}g@3@~n
zU1(<9V-_ACI{QVo2;-`(WXcvW;m`RLz7-UJq33Go$KFppnsdKjfONAr)|rn6_XQHw
zYWFj-J7wU{pFfe2&<fT3adtzCRrA?qu8IT{MO$X>Oif11eCB)1@1ZCwMI3)iJ|%p4
z@g59mxVn-$$d_B3S>?2}IIAasQPuBvM`E)2Z!i%|l(Uoz!H$`0gaA>snFRMunXbJu
zpyIn5G5k$c)TPwVg!|F9U98j0fU8^2g=6+~V?rGiCJyGw98?e1nzmH+KK_<VP9?4w
zYpxp~vx8eD-B!UlHvine;mXV1$<{o*xb%Oy0DmfF^2Ti;)HzIasruEh_Xk_HJU$n$
z**taWXe7rI3gLCmzcD{HDq)5ytOUD-78J-SmZ_dD`J!_cOrQOW)~Q2w-zDUi#t8*s
z6UzE36eO?gm?wj5s*Ge7O6At~UVayN=aT}7V2FQ}y73DptC9T|cHa6;2d4K#bc(+|
z;z_X3Qqe*?rJZ@G6jfxkQa_xEJr>D#o&!oGV3F0ueEVZ-<PDE34gdeHyWghCFWel$
z>J{X8BQD+nQp=gI($UXp2bd5vZVzzZ{ZkAQRX`B@?0@+eV5zxZb9z0X_F9i>Z<!N;
zsMp|8D-HmG)v9`_3>Oy`seMT&fw9Tyx_nmuzyPsWfS;pd#f~iu3=Fszop+Ij%H+ni
z^@a}ih3O3HGm@z9DhNIPYhCSLT8zx1_qtR%Uxu!PS@(y<=1_)JT<}M!uh-Ytv$HzU
zL$x?h_h%|TKF#^%MWp?oMdCNtNxiNNWl7BN!HD<C#f5t<9-KHoE~3*mU+#iIPS*TG
z(MvMH?Qo3tCqY^%zJU7>MJNhErj7YRql;FnG=Rp%^)1{T00KKaRyxto3C=;z{#Khu
z<Ug4r1v|4>;ONqEU|Cw)Od-2%nRUXoK8bqlLxOw&phLrF{xwl>y~{*P_wQonWK8lF
zt@UDB9}EdKeBA=H7+)Ws3WKH}A3aTQX!GfBF40O`Kj**Ovw6X|v3pdqw(PfW!vy|i
zgD@*~C;{v1;_go`z0QX3KC}o6ALcT$A_Va|9PbpSb0OviAcsi=Mn8b)*$y}`rFT!e
zrIpV>*5}-&RKE&Ospo^}gsQB*8cw6<R(-w_@X-v;SX8ZkM1?Bak%s+0{=tA+q3ZQ<
zmrm6e2_(puva+&W;>&;0Y;nXq14@Bg{Ljd0pz-&pk7@#YaLq58^{#go0w5T^^x6HL
zH*V9IXof=vrU^YC?{7AV6`uhe6uk5;;W;$+muomth;-tX^$d3}n0gxGiUUM%XCebF
zsFGJGUjN`A2)v(^Zd-jWY{4X`QYJN+6v&24!;`2H=>*x)->P{q!9h~LsfqjlV|#zD
zdt-NLmjqU18J2JcWx@dySMhUI^J{(a^Hn@qRZasnioZPK{3h;8?U{Uek18^UX`o+u
z!OW-3#j3CbSGbJB>;c#chuKV}-`dL<d~Rp=JHh)gn>jhubOvL8dc-x*HjrF?@B$LL
z!88rGuT3o|_VDgsg4~VQzI@k$B?sx3EHN?rB^qRFf+F<Gq-RO`QF`6`?;d+4B9#lv
zF~4`KJO}~HNhi;Q^arI-$eAd7nzR2&<;MT%?7PFU4FA3_qExCoduJ6gv$xz<%2xKK
z+g_2CJwqsptb~m0Jrbf}la-Yfk-f=&zIVUpec$8#>p70+JRApy`*vQ}eO~AJ9iPwV
z`^6>HOWU{!bY0ma^PPQ}Ofdz?+Vo^?X}8dmamos<y2lR&C#<3Pi~~wVj?&fR#^{)d
z!Y|eBY;BdB+CE@8{p5gf9!ibha3%2v@lCSJE02LM491gtOvd8gGawKC`{oC5Qw<;(
zd|r%|4$kNIi<}?Xx@!dzoYtWQZn}o6|IzI%sScIe>f*b6Fb`YqDSuE0vjOSFYftw%
zXHN|gVJ992-Rs${XSGS*wm$FD6C-E6f8QVooO04-m=#B-cDwFofrfgxWDNG-SV`qg
zjpwP(TSwLiR<`VZdDrgumA8vUsyT{$2>%+*@<<-7|B|Ij;JjB^x^}h@sJR+czZu%n
z!e_ZO)!cBc>wRZ%8Z{ZFh=<%IOqUuK7Q<N{A;Axuioj_^1l`Sqr)E&l82*MyT>J=<
zZT?;j&;;oWAOA_UQ}qFbzh0rBj_2R?X)Ov{mf>Ql`6v6^bY3<yo1nlYiAmCVg}Kzt
zJ0YHfKQ$uX`O2eev(fWp8^owb2l3r%tI3-jESPwzHbN6R=KrHcos`2|xr7TOrFMai
zsc+-)!A>$HOQdIs@un+ko}x|;xy2>abGn0w8a6j_&Oa8l8wq^Dq%J8ioUNP;dUU80
z{h>3)o7kzuu2*GeJr?leX0z{ae5t+8doHop`Lf&eMEQ(US4Y}U6Yc$w?+%8qYVSCl
z{Emr9u;hw09^Nz8bf$+}VaI#sliBxGpz&IVbBDx3Ow4tmVlW^{jtr1z1w;}+O$-GO
zA`@n|Y2oqY45<WKg+NpDDs?2C1P_MrbTN_7vSH&JbuRCksAjapKQ&&Eh|YXp^{4@X
z#Mskx70WkdLDs68&Tj|p%YF>oU2AVK=~584F`Hu)nOEDiyuMQ?Am5ttpuwlJYp%33
ztXhr?{0mV{D@}TxShkY10nKPd)AmAZPw~`MGIE(L^kjp_fi?8FSm?*s#sU#hN|+@9
zY<c*{t!}Xgc3(nEYWY><DD3Q>M-e~LYh~7~drazwiWOsjJ<AvRPZx^S|CygDR4M|Y
z`(NL}#JN&M>Hk*#37O|XnSk3bVmwn6`BgO1BN@3m?!0v)o+F@9YQpcd>Akj*^xDL5
z<26J+TJ~`FKznVZT!EQLcf9rvGgRbh89Q9Ti)5yREjrRk*?*;Klh5UaH`I?{H_5D{
z8P~uYZFJX9L!Q|s*K5|S`F^l}plo6Lbo<HHr5|ftR*PoWtg#0P{v^mHbDt|Uan3m|
z5I7wC*v^87d)*F`jJD?kb0wZC<rp||`JPY)ozvEsUpK|WrxY(YX$sui-?Tmt<Z5(G
zO!cas{>GSN;|??)I4p>{p2;HeBQ~kYSjt|CXDQ1!&92PK%60i-kAA{LB0WLQ*T>>$
zB<Sn|#^9iH)SA)=lo^#e#I6-qPduvmS3Bj_oE41v6n3ro3&DJWZg#QJ2iFD2Z)|-F
zC;^YJv>o!@9kHCF##YwXkQLns9{<p!Q?$Q2e#=TN>ykJ)Pb?GzD4UWhCAd|9+-HCP
zmXnv)vt+}10iv2D6s}GQvKs2<)5$O7ua&P=2;`Xd{rmh71o-<S+}zwkLP7|n(Qn?o
z0f+vm_9NhlfSNz9^0xs`9^B>p!Y9}p7njGG5wG_)e1G&#u4^D)+p!I5mE$=~!=N>Q
zi%@PcyjM2r8@>b@ahcDM4#MUcp9}Bqp>JC0<JE!>p-&+jI@;OW`Ks^8aBHJ!`tQbN
zf!15#C1wkhrX1tQ@shAbXE(nJzzpS>bnE`Z;z`dI+3zb<gi`&ednvP4k?^{~m7#3{
z9Pw=wrt`KP$H)4sq`$3fX%KSTmyx-BA6<ARX-WP@N|?p%-+I4qeeG`!p0=}dKGde@
zl>G#;qk)wjY!C9HEPAn-sh?J4{`XPMXAvo>5=(Z!v<aCgfev0;T#C)dqVBd}-aWx8
zHgUqb591~55a1{!2DZ?BPIk;7W5KHdBLuF%rn;yvrp=m>Zza^hXn%1VF46gFHU}x-
zKP(Ebs2A!<!;n`kpH|S<#x~)7Jm@N;`N&a2CACo0G>a{p6KoohK&Ps>gY~;e&XofC
zbs(f5kcNSej}MiPFs8Gz8hsB}R<8Nx0$~Wy@wF$*r9h(OLf#LL%YL-NbM}S82e*~Q
zKVl{12BTr1fpFoXn*X$5ncbzGGk<NEmjCfBa_;1Q((e5Jo`xqjGmoTq4Sh!^;EmKu
zW9)PSx7_W^nvVRC*U-@D#wOoE)p^>l2M@yn-_>Cwxv!KV>wQ`Gpoj@1fRNU+sHC7|
zWp;LVec`$w@K~CjcD~KQRp(x;qS&?qzy+ig0JXypTkKG@cZGuIEiie&D*@Z(IOw7#
ze5Fh5+?E0xrJdR>IG4nU);pTZlDQ`0hg>;zn4A^+7V_r1#OoKz4$Dk_o{d|Dg&HPf
zA!^2A`#Pm&Kmb!xQYsxW6SZCB{)nQXSzcNi%T}f?)mdIKR7BVO`t|Ex0#~Y-yGmv+
zV42Iy%YfEOz+hlVH>&r7nkyK<0~E$nmx+Nr0TLJL(vI>aoJ}WVl&t?M{_Sj2(!Zqh
z!au<?3M8~q*T<n4vxHQIAs9#z03-mQH3jGdNWmP{v<ZlRO+SYY78_6YWs8f8L%q!y
zd;tUP90E)O7U8(>3lvSVkRw11BNf(~rzgkuo>!u=Wny!wL2z{pXKLHN-wob=J=gZm
z<+@O=qpc>}4&wE)cXinP!xzHObr;YKrz5jOsMI+*KI};qtA3EL1-s=V1oXeYMnVBZ
zfts{=1yE3232OkBfFuPVANHF!sf3-TAc(UYY>>g040Tx45M>M55%kJp^o})uGE(K2
zuU+68a4`IOja=Y`{}7&C8=;GfwZThzg2QPK25%_-*;|{Gf`$qJ0p+Cmez>{d!v1?Y
z?3z)DNfWeBz*esT9CI&AW2Crvk-^=b_nvrNdh$@$mfxlj#p_n3jzXq~IUq@xqN)%*
z<kDAY=OSUo5lr<TqBwfC_1~Y%$;>EKW&Zc?>tvBJG$I<Q$6x^4T3T4x*c7>nEy~(G
zb3?*CM~JA!x?DBPi~{K?F7Fa_w6{Z8m(^<pT}T=imxWkZ&V7P{9NpAZA~N;osZCfx
zFZfxoT}R(p{bAn$|FbjO);^>*9L%X-1=QzVW}^MWLv7WV;4D!6Fq1oH_fg)3;`O{K
zl6-kU!Y~+&iOCe0c?q*GPjSwi9X8J{sj2b!8bJz46If^s_y+vQ7=We8d+1@j3$!XI
z*~)1WI&6V`44uRQkYT<+-9XLl=EjC6umx~>eYXGf-mEeJb^;LN*RO>=)~6usZ#do^
z1G?P{I+v)XivHHBtWd_<(ymWz;5h;U0`#lwYCSf7K?Lg#=gJG~ceKysYUXr9?Wi7f
zpMbChI7rVYPo%cL%RrTp6UaE=J@eDk>JVvxSmpkGSGXxaJfJJaAt3i6&^5uxXaaun
zTpVDlqH68xvWK!Ah{0o?KBZT{R_IPSkug~OJviu20-<JsE<jpX`mUp+qq|$uYx|F?
z)Uk!NCgY1-i1>l+T>|0-ya4Dd+wifiUACRM7-j+A@>s}9sF48!x4W!+{B{gx0iR<!
z!9eah*3q%F0qi1}5E?5ftfRUq{2p}y6)x-hZ$t|QW9v(;zgxj$#8b~_fD9O7Yk{I$
z{CAyF3{Lk)#wSHaBa&`!G@c4$yLzPH5}^~CK7Y=9p}JJo_r#sc*r|e3AXr|qaA_c?
zo*z$rjDf+G63nF6(l3$z$H2-BK<44lPdp}d%}_!M`Zm;v@+<t`#(A(4^e&zM|F6vq
z89Yk1F!X=yy7%voLv->3Uj97V>;4@XT?NQovj9CqL4bu{Eze;`$p8C|I^@A$zI_vg
z&!UvTWk_R>3vMAaxI`WZf;uOL{Xn=T+3m=O@ag}zcSOSx{2%WQg!JIgwf(L6$cTs}
zAxERGW2_VE4h;%XV<rM>f{TgC9LRIg)FLm@dXEh=E2~_U9BMH)yPa+9!U%IlU!yWC
zvuK-Y3W8f*oSEVCJ2_(4E*dT_2A&gQj)TKPILJPL75g0SRvH__?7{cw^8}?j@!;7T
z`|J!t$N=)Knbp-3kYD4SJ9iErzY;9wViZu47)#6i`*|Q3(8|&Xmt{;;0%E5Cc9wR%
zGj{z3oi8w0{Bae{(nw56NqO_8yTGRJogy5yz`(#aUW*{ZY6J#Y2#ggVnE<%yT!a%>
z?|bY800<DjfR^~e34@0YQ<C3?U5hQk!2-!}uY+FZ*n1_Okwv#Uul}qB?L$=C@bu@f
zV&g`x+^K~Hu-yGnx6N<+V;K%n9oTpH_5@N35JdV4ytp$^Wv`!|DJ?Ax(DnA_X5P0$
zY{X-LSdyS|ux<jpB1CepM>l{#DgXc`E`r~FbYN_(4i*jzbF8mBRqSJLL30KdtwZ{+
zAB4qTtDiEgJL;K@p1{o)cVtOHQ(S6K4$Uf#c7cbmA7jCu3FblOV5%s2Xm;Q#3e?qI
z&}c6AzCfp&&_a_T8~~M>$p6*cOINNkDZva-4GWD5YS2JSdJBikHs1xF=Wm0dlG3xc
z+4~c8bzgKu8rcG5-UE-`pp0GkSKl8n6)3>euK?V}QNworyKq}ahhko!%m&amO19iK
z$KWP%?IPT|h{=S~>@Q}wu()zy?t>cb<X^mD+<=0!v4yh_Sn(t8G}sWRCb&!qc5V4)
zp;pHr;ra8XmRp;fgu5APtT$<01%~f?cz8f-6D$$S?Ck8^3ElMwGQMdl%VYv5yg-@!
zVa8-JS1W(erV^MKd4(O*9Dpl{outLcOiSKFKa5nBY5*sq<cW!h&@!2)j%yQUnYkyz
z{%P?cRsPa}Bmt;6UVY{A^XqQ|M%38Ow%VC%T(`bYr-dH*s$X?C0k?9PRXvWXERLeB
zXe0f~fq%GQ_6n*%_7kmU<}LL=MP2@lz%25yJ~FSd?$ha`Clr|M^756c^08xIy4F>L
z?jwxV{E*As@(F^JeQ8#XPv_=WJsBMx#glfb8+WKqo)M1Q{#G?0E}Vk@Is4B?t?Dt_
z$gg<Pw_{KU{XLG&o~zKj^mTdT0Um<*M?ELNLFn@t;CHvRWEk-f|AJ6i0tC^$6pn)F
z_4JsVv4x~`F=Mp&2x5_0aVMBvtH5KsR{^9;acymib>=vT|8gu@cu8(<>x!H9g9oo(
zzVwEKLQ_-IO#v=3!pKR)z%ctIoEWUbP_eO;)6}PUPW^_X&5ma$?bLd6Y$Iy{nL9aZ
z8We~LL)JY;@8!~#-L*+oV`FeLAPmEv_UnpChPGuK<q<(iW??Sr+^KMjiCl)*iD%p5
z78yTC9dF0A%#75!%)^08w$pT|){kY@G7kJfn<5tf+Prkw`(@5sQl2>toihj$`$|6C
z2|6JC{{1^CWYTBPP*-;Z+q_9sl%t9`T$X@=rls@(k$8`7yK!zmMWLAVp2i+istSwY
zonB`ZX_VFY6zF2!U%A=AYp)<x#n!>g?vn1HJJ~ou7*$5g^nxJr!kHWddH>khbOQX?
z_TP<}%VFk_%!HmM6_nKk>|@~EaB^}Uu#Wv3SRIV}gr{XkJg1h*Gc6&)vq4ZuXsF4C
zB6ynNaj<PYx{>i1b)G>ot@y(Sy;x>x)Nmev>*eG6`ugV?NJ&ZI-6V4AB!i@()`^o=
z{Ow!b%tRZ9$D!(M5gLYuoDmt5Ygh1a?d|Qi3tMJxEf5F_39&~oc9ab*y<%pA)}b7d
zgb1SbzGE;Akcm|%B5>D*1qE1z(91;1%fV-Hak}&l;@#Hpq}52|P<T7>q4s^%G%Z)r
z&C?|fS9i`<uvKx><_+?bUJg4CYqv1gyKF_rfFPaSJ~EjLr?(p3zkd%aR%=j1ZtT4g
zBXz>_Gj!fF$#6hc{hfKTcu&78I!r=WDh8!tV4zg}?(-|Un6Rj~eF17oxdaTZ1l6^*
zi47~u%NBK-q2<;X!)5XZfjG!qk54#{X2ZmFx)_jXNr2h}3Ux!N|9VTxsb}<B3Daa-
z$0+5n^QP`nQBx1jWCTA~WBsCG$Uzpz9Ddn@2raA5+%LiljW`=#F<VP!cOu9qbbARM
zLnVan@$vE0LJkEwrOg(6Z{~d@jrH}Z?>UkvKY<)zd!auV70=eT{ZUy?fCC<WvQOsf
z-Trzj)fc<?x*6AlOKL?B<oVocGKUL9W4Gy1F)bj$*g2)*QnCpOPTtws@qw`I#w15M
zgft&Me1IbM<P@UR`$U9iN1hQSWmqXZ&(OsDX<-<C6w{)quAZJ4*1RR&m5@YP2+ul}
zxw5J%6rHZdDytv&Fi|BwomLq^?)Y6^c@p+{+6hwg5uz?oWIMjbhbD4((z*Hh<tG&d
zrKK;F$7hAPXfEgT89aP=opyq`pH>!4kovhzvZK}6KvR=A@#ODYuV~ise0Z<#+voH9
zR{V=QUJGh@SVz-&Fa`~cO&ET&T5l<18sYFl62c#j?K+ZZ`R09oJ|rdjHdp31JeU<P
z;Nd0_o&y^qH^x-a3w*$U?)PaY@x7leklC?9)V*J7p_?sH)!yFzQs^>*P%;}5O+#3@
zKB#TnI|Qd-%d5V!vJx_yH!<cSsVWDA+%%VG;?Bd2T!x|Ydn;q^Ak_w^3<|lSfdM<{
z=&<?}$Q1T>axv?mNP%?h82s^s$4nHYFC(;Y35yqCxC{*qg&ZdgY9D2d2O!ApABqX-
z>hPiT->FmH08<zeCj0sYHlhYo`sNK?-5DID)#FYur8Rsssgu9v>gv6q^8!8I^5t^~
zeGtP{Oy0r40nl%I6Hkhv#}x?I8XG59pVGhjQ+?b!YI?pmgLR9R=u<}JcYGAXW2jml
zIi1OSkPqx~AvmXf;pYtvOiTo5eyRuB>-2edX)9L48e*OJsj?~~2kS}>K9@%aH$c&H
zl&(16@r4pIrh?%zFL(9?){)5P>lY~K^n3^&=N|NZ54~E(bmQab+)!eOB~&bBf#L)1
zx}d(^&?Qa}Oei+R5Ed5pJC`M-dCZy2nJ#2-Fv@f8dvd{nk&<Jo7E$`n9i0`<9mC<-
z-L9%3yMk_^8?he<&KLWenrWtSkKd-%Z%!$Ueooij?#U)Ur0dskBYz+PmtF!^Ku}9m
z$G$5`V6EYB6_|5x8g&<ai#^xRQ9C03JM|iL;Ta$B%L}q=$CH0H=mxoxkLHxV=7h<$
zijXMTNr?w7nIaj!<d?QwR4JZ)m9_F^gCf8BD+BIsZi4*$vvYHO^Ou%G4l2J^CYJFi
zH-G>5gGG=S8VHV7JEmbwjg2Saf%K$^5EGs?_WVt{wfU9pYUI}x6-yop*II))<H@`C
zC~ZT#H9D4d`qpAe@zM(myAGn2m6iW_2ff5#RP4Yi88;M)-kx!<HLz=g2&&cfyj8@E
zuonI^l!lQJR|MmDCu)3RX@~3fpw*Jp6~sCq>kBp_rM-wk-*IqQg?N+Zatoxun=rPv
z61a^U%)Ul|1XObU(;0xmyw;n}VZ%fa^8lt|1>gdJ2LjfGB_-=YS0pJYDHR9PRFY0`
zmL_vcCt?~D?hyO?o_}@U?_oAw`i-*!KDkK^7nkl5bp&O!83hMxe=6z7oxInN&+n&{
zD=DjSeCK)_UHU%uneSnuZvKr(+~yGwApK`?T3~$p1`Uqae%6Azm>0kUetv$~2|PUC
zCnqO|hK9iV^!I}T+q6&5-Q8VTxeLNune^{qkTmHyd$tb3Ni$gWQdaK}Slikr$D~Q9
zlRVTFG{|c3vHhTsuJ-iO^E`Hu<m4H-*E#H;WEroHHf8DFB#ZPEr$ayG=r|~vr|CML
z$1$0PeG*bsR0N2h4+O>I<Kt|OKj*jDB8Z@4+BDCSr>mPAm4ni`J&ay5QGxcnTb*Tl
z$c+>gmRdhl--RV|hG|k0^YFzf%Ls+I&xAs@4h}bh@o;h8%r6v+(4Opg)d!=ZXEemT
z5(j$D+!n1#AP~r!HoXN*U|YbMbKnU~O{c|a1Lr-{dWL@d$fh$KxEO*CMk&T(?y8q@
z^!(C&uLt&U>1ECM>K$g@rR><K_I9~D9{2<d721&IKBx+g&(X?>)8WYOHZ3eHwBx&^
z?Dp;$tr%<NUh?td&!cykmS6uaEToHpm;yvI_embw*hE~SDIKD$hFz=UU;eaZ26NhU
zxdrefHErz#JMtDr-S~PVM;;1`GvV79Lv{6A{an*d!)tqW<Eu`>N_$Cija?}{^Deap
zu6GM3*K+P@JRzvG;6^vI-?nVv7ZNHz3r@-0oJlziyyuH=COoZf>AGF({Os)P5D3VX
zzIzwEOTX}i@<aTMx%-J<d(QYDleAhuB)6k<S`Hgf0)T;?r6J8Hvd0#b(K7>Sm*$04
z_<}yKpV>L+G3dY2*LxE2YJX2lvbS|K=N5$#YuB?Y#}y<$29(shelfl_z}cy_x@>V0
z;1wsrmh{=VzresIu8sGA-5Ps>iHS@xeBK|*?MBM-^76nMkFWm0$egNgxR$J|U+=WH
z3DqS=IM5Q!gl;ECp323H+}vxB@wLSK%hs18Y@)^Kdf@KJr^+1^6?<|K`s>dL_=W*g
z784cyvvhQH1Ub#%j~~!<rfnh@L3ksXHf}tR*VEUxCgWgb754tS4(4Cb;ir|m8ia}G
zB$}VSV{Io^6?a}46=<BiMtBy&P)B!Jc<lnb=DP9gE1(RZTrAM9?p}rd{=C#)VD@cn
zZVHjhy~05>kbki-l@}@a^+5=j$@Cz&)p&Io$HWK%XO0R;$(AP@{Qv@)?@6l`BSUU8
z;^{b13)<!8<t_gC1D(>Kg(|etEfHgc@Vbo`5d?LbpP=J}xS*i?<R%7xP8&h+La_fM
zKz#E1_Y&v?@FWwrRprlB++h<qG7la+ST5w~z#<?J;6l|zT%OGA&z=R>#d~~Zl?Nde
zye~OA=wcN5qeboFDn;Z6&hbtf%EUj+>2DL{V;d(8mnFQC8W%US;la<6D;2Tx++?F<
z<6<LD*$5ysi3tfgr>~#|2TLKLs6vH+mSniER9*HTBC*^LogrQd%1jmQeM(_G#`)5b
zEG{%T6NV@}_8jwutR%%tY@a`M_7ITeKat54a`-9iGDmnE7j?WMsLD+?$GY24BH=IR
z7Hx6M3&5$KHxjlri)}1vc2-uyU}p=cbI3WVqRR9P2L}f;ST6*Ank&fT<`|1z@qk0u
zIN9TzVmcCahuN&`2M=<r_jNOqa_a}?m#e6G>1#}JV$xj?`4XM+!-z_7_Ise+D!WC3
z5J&Qk#KgqR&r(R`Gy;MK5_uRhGBVI-^=^?VD+!UDdMtC-BWV<~;-*)9=y`gwNRiZT
z6P`bhYPS_zy;qd-^79v*3(xg98*q>%v$c{WjZ;cv%zZw0Byf+>UPLH{0fqwG9!tBD
zerR(R5s(S7qdo}KqQhJqc_bkC)TZGFPhGjGd=f5aJS}F-mdZ58T!TmCeR^-OC0^uU
zy{yMV-}Q@)v4}|wOcWg*ePg3enV>X<V1ZaHgDU^sSjlf24x!h@0)+l|Z(c3SERmJF
zhAOM(lL#G1b8P;%*6f{B_;=g^`2|VdK9m7mVi{rvVDl<^o5@!)E#?M`Xt74UfjUVN
zn{IVMd3k@k9x)&zWYx^UU^a-+xB*DdRzwC04J+UwZd9CrYIZibaE`~)NB(*5sst0{
z(I7eIw(?@`m&ukDaLY5UX*C+AL%MJIbl*~j=#o~{^$#R80M;cvv7J+$oABOJR*c<N
zh5SUkXG?r-YyXdH^1B~YNek9l>A!xN?Zo$54Xn78Ux#E%i%PMbqnm&?85a?S6SUzW
zP8Xx9qN1XN9nav&Mg1Gm(f>jF>fBd<0uqlMAU&tTjt>B(O#K@mSogz@Q+WR1%CO^~
zJL`urKJEjS80069A3q)(8tU1OOiW9|N+3=^Cs{6uKN|fiMzzEq*5abSB-5<0$}wKF
zAUff7@t{zV>G2HlqQYyAo00A%7HL<L(ynr7-3dl^DX6IQ>f8!VFL<w14xIohEK*f$
zt>qG_?U<=@o};DYWoEbNqI~Dj;+gN)A~BN6&qL=kMq-mOWswK2gv9BRCD<K6+F*9+
z6CHr(C*i~_1NT5V?JYTpwN-Y*CffHAU4n4br?aqMp}$sref{<d1hdD!emoQgjlT8u
z0XP;63cr*Q`a#K~b(ti52sM0XTVI&)fK21c7%j=|cytWPBz?TWrw;meySi>?B^c$s
zf3I8ZkUD-9$3lP^?H_U@;uj!T0BPw#J7RYZ#9x-6WC}urt*xz<Xj}xuzK`poX(JSw
SK4SlUiK3i}Y!TWd@V@}uLJ$l9

literal 0
HcmV?d00001

diff --git a/doc/arm/dns-servers.dia b/doc/arm/dns-servers.dia
new file mode 100644
index 0000000000000000000000000000000000000000..caabefe1334af0f488a30d6ccb8c146de0d371fc
GIT binary patch
literal 3233
zcmV;S3|{jeiwFP!000023+-K7bK5o+e$TJaC@<}d3gdpMnskz8_A=A%?rhR$4=vF$
zH?-)X=p^2U{p|~Ya$-r8EeV7oBu6u8Duu#FLO9=dfOBy0%delV%fW}dUKG{*#gHI8
z9OUy!H7(||7sEf_{pBY;{PpFtU#3O&v;8xxv+IHV#(d%4y%=6K&CSneXCFU)MCIKg
zYpNQR#VuOoXaCE}GCQ*uoef_;8w?&cFwL6GeYX5GYnr;axNY*mJiE?c3@@_D`&nJx
z&Zoons^xW)s;uh4hpc=te17R)!?R^GXDjVI()LX@%P;CYd%wMDY+uG4()3MUuQz*r
zQ!NU6Npp9zamki;+<zZjv%G3yFPhI@K7YlZx3{$X;7eOwH@X$1xz6fYG2g_oeN(m_
zL6N4E+RhM08?3k@_kFTI+{JO>%HzV-$Av2v=QmZ|)LGGNLS9r=nP>ABwW)9O!*Ldq
zth7VyvBwH{ip!#DsweLMGAkFmJV5*LXKUNna%XihecW(YuGrGb$70%CoqvkdU2W@k
zky`&yEQ*UV@4EY9-t^Y|T|dpQ|2m$%zkEG#G_<X4m4~U$MK1Q2huLj0%@<D$v(;<1
zv~;z+?ChytU%zhGj%hzy6KfAqW_NkLZ2t8ZnI0^E;3eY>vPn~XxPSMcPpXUm<dbIk
zuz$^~>)fJF20sn{mDiW<Uw$j<NogDS;*Sgm#q`DSpLn(7)*sb2Y&mhG=WeRc!%HDE
z5=bkt-W{7{vJK$kV!i#^-g7pemH9n}77m1pG0}*Rh(zpAK-)Fh@QHChEhf!jt><Na
zeLkt``KCM4U!Qpp&s&@Q_L;LV;sQT-g<xIf#q6qy4`x*{f9k<7B1;g$4JJeq8UW@9
z=(gS*5361)#)m;%7G=2u#47Xc2eG)SKAv|t_D_2)d-v6%xhwN^fP8*?z5HP|c(YSM
z_v*j0xH-S7>f*oEyvfQ(A8yU1*&D_(V^d7xfh=w>oZpuZ5ALM)!<OoM;eHaz{RSB(
zMuZ^7V$#1sT6-9(tpE^2+&hYdPFMoMyKW~HKoqaMXiOF83G6#nfe;8#0Z@TMRe*-7
z01-&2kw#QS)Bp!U9S9v;?_blAvG3ER|Ij`I@(1z<@(1z{C4Ux7{?-r2ts{$L&H*eA
z7wsfK*hv6GO0<&zk?<s-ht2~b03iS&03iq!0^WxZaOcsQ$SPnQ2=@|T+$?~n&Ho{N
z2ILRq59ANzA4>irl>9X^N?0OeQNzF%g?bbh2gZonHwH<X@B|>Z-*!^~Vpd)(ssi)_
z1_}TQ016PI0B<dIPP2My1>jx&sp+778SL|8$6O=N%Q3zFdl<&X)@3Hx@jgD3G8@+!
zPw@WQHQRnipDDa@-C9yHvJG!ZD}E#wZ`;_kBfksGeLlF%u8Z={-cvST3<usmt-Rpj
z^1FY_%MZC5)IYth%IQP%-2Xl{B%qU;_3A_b^DxlWfw=o%JOpbsQE^A6J_IN$i`o1-
z@BUf0(CK42oLy;%`x(ave@ok$ogIakR4_4dgk7{y%c#7xM4@U-1meom5=nuUs(J>r
zbR=5p8j8S5C&x;AO_+5LITKhPA$88-urIlD(!nL4JJ&<!!OAJjn_=Dz^X5<?Fu_8g
zky0auMAYOt3ql<T9aHSw5sq}q$#a2y2ILRq59ANz|M=R(@Afx)!1(xn(@gM=Nx~4}
zBZIh!yJpHc(+-AW=CUOyHp=<T9P<Ntb5hOc=lOi<pJm@C>|C%DfqP)A@l0;kZ=`GI
z^InuapPpxRU47hctCR*deO~7C+2b@VLLr_Mf*ldu&u#~owSvV43E%(A;L6&KTidZ_
z(o{a5Xz=A<yU4BMyJY!Yvie=JxzT#<hI+DWl7?kdm-|W_3^Um0!gAG4hdGh@G)$ZM
zC{0LWE134TXxi*6nKn(sv>C$EFb6{nb3p}aq;_T`BqgU|+4i1@q@Hawmtfmq+xNDu
zSHG+Kw(Tv!Lc)5;UUPmZvwmpY?6r37T`}R(7^sU@JMq>D1Pt>}+4W7CL(uRzLBq}w
z2|>dIQyEAv8!M<A3sgqlVCP^clFF|Zcu1Z^Hp2zb(vfl*I)@_gQi{AJdPrd)!iyA*
zoWVfat-jK2{1r&4rQei7`X?~ck(jA-Fak5B$V{?_m^w2fhDhAhDv#oJaJrzn;TDkU
z1l*;%s+z$M=trQYBT-Y=Xar_TI{}o0r>GmGnX78cbySuzNcrNqoQW~RZT_b~Ch7do
z;I4xTx==wEGJqfhC|Cx9Hv&+Cv>FlTK*p2-2SXi<HeyVzGvb%}h)Gxl!g~(#Kp_tl
zQ~*>USOtQ20Z`=&0V<?*Oc7ANhN4AbW2$`xMPsL>2}?j|w}AqH0)PU50tDAk58f0&
zIpW-Vvn1*~fV;&=HxH0@9w3l3ejXrGo(BZ?9H;=O0H^?{K(GpsK2$(Cht|Z^08YKv
z>?J_?GKwT|1qkUi;D6wM;D6x%VEzx@W#ke`h$FJ7F=6W5e}}@X066d8@;_xM3qWYM
zK^a|808ju>fP)eiY48R#OTvtdv@3@YllDD|Wl8QLz)bsMsWOF>MRdD>Y{lbbD|QY=
z$W}}+kD3PWJfi{`;Yfl<J=S3f<Dz(Dst{H!G0`N5={*qBk%*~tFak5BokvYY52+KF
z9wC8FBBMSh(7Br5=_k+y_Z%#o!n7Ht%`j~~s3sGYJ@}{CAG$yy&zhBXg%mNv%mvH{
z=f04lwfoqG6uX|VbI!)YGNGX$)2S9@q9mk{qW(JN)~HIuv^kPixt(cqS4q)=a?(~L
z#WZ>)#T{+iUKN(z1h)N6+BU^s$+mSGwrxQ$ccm0DHO#FmQAT_zMWUjYQrywB6(WN8
zQi|9>DMhgEht@5=PBBGl`iN!uwGm}vd*#a&7#GdrjQScuCW)#*6)YMbFPgP67-7vg
z!DtriWrsyuNKC89TP&71RJ$pKAg(MGP9mI@LBX<PF;n+w1a3-^n@Ar)EWZ;=%eec0
zTNEmN3`=ldF%J_su@<Q5iNOfObjrlEWvzw<C!`xBd^Qe?>M~grY#1AH#Dp<&Of=Hm
zpPI}$ma&5@ozJ-C)Ilyse)p7QC$wC%XtKJAwP5q0@pwx%4?(`_qK(+PsQUDpjfuQu
zv(3m^KWE!$L}Q<Aqp))3Biz|G*2Il+nWom{4+Y-yY@5|5?6h!AmA1Dis1^n+{9Cke
zo}h(?pCKU;QEvQ4J!M#0ztL!~;u5PdF^IM*&NwE~52ovQ#Lm*8#B&fmIKLPS{Im_6
zCTQTIhcc2P{>D*jJ(73}mr_eJcBo1_5yyhz=*duB&)8|=QY&L`QZcE($iGb^PtnTz
zN_dQ09>i7Gb{US&QI~v~@JJn~G{?%ESb4%u6E}nz@2Cq&z{I~v6DJ9pczEKY_9rJt
zt_11~2vg%-buEbt1`vgPO$aVTbRqA0#%?Q@T6k}rA3A>kD?e>3C+38$d|SLv_i&~o
zb&1AqXw%52I@0zeQRz;d<<?R6u#%>bkMQpIH{WH@kJz6{GxstA6GkvO!pV-E0}{f1
zDdr=X9&)9Ka-)HY*tt>;has-UZilUDhv31W$0Vo81nB8l^t5F>0y`zhP8|1;EyeBp
zfg#MJI!{X+VtI**F|(5;S7wwWMF~kDXX@2$<F+g}chBDBWj@QCAN-y26({Y>Feb3Z
z><B4TT_Y6uD#0Ww9-Q6DEQ7RuO+>O{uJ#4>u^G!%6bYlKpXrInt2tdyx8*91^eM$-
zcB}Hi?@wej5_8G9hBc!e){J(s&EJZ}q_T$j_t$?6{wU_f;D=Xl?XU4;ms1g(>4=e5
zRBAhvQA{&+FobJqVYt!Cj2RMED#%D6Cdi@jl~X7u6yAZmloO&z+7}T-5y2={hbFJ@
zR8ELlzIvE?P53d&34KOOy`0dce?d7RC?|AODPZAJV3>3fZ)X3Bss)B|W0Xg-|6{el
zx)|731Rz@Rl(itZ2SE%#3_uJ(3<AX<Jarmj+MbpzDT%2D#8=~VFir=waqlGJiYBZB
zeRLiO0SEyI0SLii!KUEMdhU+M7*V9-ChFY7U?#>A8SDd1SYypjKhX5=s%oCS`Nvxb
zh94yu-aR5Awv=KlT!zz=*8aE*6`7tKjLX>lOi#wn@spsZcfY>@b~++Ebqz>hrxe*q
z^}tR(ZHr(PnVozVA){l}W;hGPq|m3&O@A)(8p!FG<kT@9ft<c7IkoT0>@KfgK5O6D
TKeIZ!e);VG<4I&!M)d#yGyN^+

literal 0
HcmV?d00001

diff --git a/doc/arm/dns-servers.png b/doc/arm/dns-servers.png
new file mode 100644
index 0000000000000000000000000000000000000000..14a7bea765ca4a73af33be30d476174a88c6b469
GIT binary patch
literal 40019
zcmXtA1z1&Uust9Rl2XzksDL2dNFyjn2}lbFN`th3(xEg;cSs8=-AFe`N_ThX8}55=
zfA_n3Ih(WNpINikn)z?w3q{%6Sa-1y2*mBDa#AV?1hOUqfrNvB3_tm{uYU}G+_IN=
zs)m7q@o!dX2L2P%Mo!Bf{`~JiS~DTZKp<!lPo>1woD((@U4;MsyKe3MT(gm?E#E2a
zHmUOPq2<FU`3MR6*a)__gK59~OP)0ww-dg~@u8QGC2@!(k@)Iktl!AdxgFYD)@%L9
z=(AS8i>T{_kZAJ0z_N(Z2fbwb9=C=*Gw%8*)80816%}I>lUTm_gv!eCgoNJy{`SU3
z`f6%y<WEm%@lgzyvXe!E-7ZdcBkn2uX>N9TCoA6YEkD1j?&>a<I{wW`7bu+zlxbeU
zr0h%HSfU?dzUK?01e?6UL%I1-CtG`VHXh64GA{HxEt>c2>Jxkn_~5;7F+Tmna<hJV
z(eDN-1Gm0=-Tau~4vx>x>3&rJmb{$Y&ijqVM&$qdfHl$g=7R?h9(;Jwkd{^y7`Xca
zl@5M~Uh|5<=Ywj)++3rN&v}!-B(V?NcEHC|PdX_zo7qNRI3FEv>o$!jO0e%kjGJdd
z+83jfQn%?#5f`Sy%cZ@!&9gh2^|HjQ4<7jacS@KjDlfx4^|Ts?s3`9LpV6qSth~0i
zCLkanOqG?MetBp<*A_1SzjrZ^UEk3r*U_o)R6c0;Kwna_;PYoj8a4buR3084`tY`9
zx&SHq0WPO1U%0-j;AE?_;Mdw(QBO1pTSrHkX(~?{W3Qc=25(|w{~gzuxVSYMF=vss
zYa%i-Gjnrn1T8)WKc%9!wh#k@q=G`QCkcED20A?b84WfT7JM}`-(z?8%Rhgl5Fc}M
z-+6e5W*_aMiIWS|N9z0=AJ5IrMMhXnl+&4M!|(a1&&|yVQVH13`8;7gB_f-Vz(5%A
z56X@pagcqkt@X&3R%9~8MDZ#u<=uOwtsS4tf{Bl@(2EpHhJ*-{bva|Wb&H0EX51RZ
z61$$4m)F$9ede%kZ%<ylrm1k>90x5jCWefROfJ12`PMBWA|hqW_1*k}0!tYgv^_xv
z25*`4!!c<z43q(-n@88DAR|jD5-RxSWp#A)LJSQDO%iSq1=&tpvWMi(ofOkm^fhC|
zrE!Y+E#yxrSy?i5zGJ`h6iZXZ=-Gre369Jd1$CI+!mtGn{^64lgv%){7Yw4Kd51?*
z&@(W645~swPEAQcAZF(0y(z^-RYgQZjEVY(hj|}8di3~l|Jc}AYpegM*400}PfxC%
zPzyVMtUcP@-90>%)@yBUrYmDg^0N9%$H>IAw!Y5H$e1Gg_wV1Z^M~@{;-89&w!P8u
zD&xuC*JPBz1Jfo;X2(9R^vlo9?Kq;&{Snl0|6ZnH!e}cNJv}{**j{fdp?}k?4gW!F
zef^UI2R%J%#1mazDv`9p!lam(07_F25(q@++u?FjJd#REc!-qT+#pIrYlpwXH^*0L
zu{*}Jf2#0n7#}|-a2V<z8IkRlj3Wq?G9JrMNqO@8d4c&dDk>_hb(aW<8+XLjr;kr)
zQ}9q$OiN6AslSRv^cdvj*5>8m%^!*p=J;6>jUlu~rA9bx`6+Q6K0a~vnH3}}=^389
zd)H^Z&+Ui~Z?Q{5wn9-;lPpcsAD2o3&*S2R0P%#8P<a*;2S+OI?c2Ahkzc&Lko`!~
z-0hI}0OocM4y5$@LYv!lTxf+l`>tJI__HhoON%w7C!=zTVShT%4=cFC<m#7@R(DKi
z_V#T~Zf+XhJieY}-J^G}Un3)8_-*N3QHBuI4Ie%cgiHFgM>3}utxB)#FZb50MLP7c
zGZQ{TUKy5F{$d>ZiPh)hqYucj<KENpzJY;(ZRseVo;;zp37hZgrBA6-KHEk?8JLEZ
z+}!f>?UFm;ApO)=6znzaMBy4M&hvz}FPQS0;pgvPzg{#*E_JUQ{93=IQ*@IHD<mQP
zPwBqM3=R&$a*^Sn`8TbuuBHZm7fF(~v9m))&{~pJs)^I;_)iJpI)tS=)ufZ=Dz=7q
z5h4)!`ucwR5*cM%uRn#kJRND{#TZ$=!`jAi9E3<uTV2jV?w{u|AEssh;O^efF1*au
z^NGnvP7UkwR#ZU&n_bw{`U5&Tq}zs1<>Xcl=-`cAQ6Nc9v!OJihm}*Yv9Xz&n!**B
znVAn(Z>zT|wlXUveYPN?MX#!S!q7?4RfaIgz^5^2rt<UHyyNRZ-7b`wp^uxXPnhnB
zkxr^m=>2F93GpIS?o34Oh|Ej^;}ecWLPA0xGuMJ&z_Stj+mc%!C#n1oYz5gw2d}VQ
z6FeNEuEtO+666>;C;Ftd?Mlk!>-YmjogwDbBGuH@1#Dj#Hn$a)_<tA@K*FL!K|Y<1
z6y4{bi;)T(>0=jVIA=fTJNHge;ys9TGyW+9P?EZgaVd4XJ*Zg^#Z^KAS&&)sOk6d@
zCW$tRm_ew(bY*qbwpRPW=Zo#0#P@WmNva=>ILPRCH)FXJQ6wh%Qdu+CAaCvMI2YSw
zFi;vX82_BKe4%*t>Q#UrU1$qVDA)0(gw?$jU7Ru1_jYy?R)TGoq?1XXb}-Hy`U`(1
zz^hNW4X<8Vq^+&($FE;fUuD$Q)sHvExLo!Y3KjC(q`C(OBb(|S5l;X?KRrp=mRDCF
zs;~dJpU=R0HzzyWzgE2P1KVR}MgDhY&w@h~1HNp!6e&D?`c&0^YpJ_(q=<R4ma4Y{
zA>=s9_KN#4-?4(n6{*%(Ll*@fpQ^iix)vuT@@dlwqasF|BkkT@w#tD?Tka}!_fAD!
zI_2KP7Kuk2*aCEP_&ev;NG{#cMT^&Od^A~0b8>#S4s&uEAMmhjA|YZ#UzlSdlOt$z
z_ynmAc6SX=$a;48_f1$B?OOwhm<b69S6U?~&#DUliqm=_-_BYX9#M&5sd+*hhJ<MH
zH-|9dC-pf%U19dZn2<*j=}R!-xJGRcoN|ziF)X!XR1BVC_*hF#WQQelTLKDcy&>6b
zH}7>kL2jPXc$u|YXu&;3#;Mv%QUon~(J$*{7M5FKa*T=_MtJYBrS$cuM{bU9vsoAj
zgcio@QOt-d;u<(%s@(S0n`u9&Tc7G}oIbK#C}CtP(X`K@{xl6mL#(Xz%=q%?FhlhB
zb1`O>=Y3;~cwVsXAH4KcS_yz=S1c3%rc66`KheIsi52HvsJcbJQ+2@A#8~>h$Ytd0
z@TO*v%i(;WlghT$)m=K;81ue!wif3~(9P(h_Fa}2!*Iax<`n0fQw+&c$w^4yvT@-7
zqLKKn0=WL(?L4&Z3DwoY&!2Y_FvzsEw?h)b@hpz}?fKDWY;3F-?``DO^b2u`fGpHB
zbmHp5trSd5OkHoaN){o^PZ*Te*4EO}&9?I`CU4$+jgB4~87cdHbGTn!2yk$`P*t^`
z`xB^Z-YiZV_KDqR1y|oGQs9p{_v6RK>mtYnoZ;c&4TiI_7(Py6?Z#A8R2mv1YisYA
zy6x=jn4ZV|eL#pkkeyPLEKO7HE9GUIXKJO@se1Bur=C>eudLtGMH%Cz)(o_=uU|>x
z-hHjb$3&sGdC0;-eCN)<;GmX;5-t94fp)8EB<)0I%6~`ItB6Zd?iboK+KRVyFv3SM
z5l;*ZXd`FPX=suav9qP<33fxonWO$IpC9+J!tgPiw0;<fOG-)>J*u!@?m620=VFZK
zqn&~pv!am!NrfIkazucZg-^dI$3gbY!=pAbQdLGqCe$#-jLywfSVW{>g;wsjt7iP2
zfo%Q{Cme21sevCPi+T1qxY1T4w8ABHNmhb?;u);0C-1xF1287aYb`A=pP!t(Pi%Vp
zz&KPc@$1)@9yf=myY&w;kqjjuWVU+?PfOX$N=uj09^Vuan<1XF*eA5#b8`BvSxO##
zWz|z)BwQus3P<HSczC8jw)K9X)tKRwwO>UZilrIX``S+9&>wjXx~A=k!@8?(>uYxf
z`h4(_Pwn{~*6uLlb)KG{a%f3iBeV5P<$SD)i@S^KpB{>DBr*})Y#u0;1|+HGJyi8y
zq8u!=kH->vO~~(Vtgm-2bkkSxuClFW_`blP3%ly5aXaSU_!Njvo`EN!Ur!~iuTN9Z
z5g#7@Y2yLCeJfPaB?n~9y5WHVLiaDfaBy%odK$t!)QONL=cSfP+OQ~HU#P1STeerH
zpuFRFhZg5rm6Gx?l>`{l!tyf1mwo~uTC2&7Dfkk!mk~=#O9KNcxI(klngTw_eO37k
zZ)yAU+Yldr{NOOAkW)~=c5q#Jl}qh=XdWIH)n@*8w-5Nmq1{I_Di_6Cy92cJH&C2W
z(a_Qoxe{#CwnMJk@w(G7|NHVNrDRdtEvb6pE&PFzlsYGdG&xU{!wt!V^S=4X0+|vI
z%Mn`wvYr<N35kiTWxFfq#%|)ZLR>2~B9(sLKj+r)u=gcsJs+t(RPSSY;wnB;CCr@T
zrCIm2_Fm2R_oQkCSy?T?&3;>5GnD)cK2NT6?%xSYdH(Uh3muP|mc364_c8%z3~gQB
zslg~;Utv1JLsV8wT2fr1FnmN&QBh88W$hmGdsDRKCv-kf&hB|$9+EC6wsmyaO=0?o
z@e2v1BYRuTJ52HzQw<kw7T#+TxOXZ3ci)%gsZ|x1x5wtU_IGSV|N9P=(`9Z`3&%7m
z`r*;^5F617qhiiT>T)M0B&=Zjr6+~)Q-<gf0`V?U9?>n!*U!t$^!4MIv*9=9m7&Ea
zbNw=)KrmqH#5OcE6i%9$Ca%d%R^cPZm_`u>{A?rohd)%`0|j7Ij}049aD~W)94#y@
z*)%pj*--r*^b!5o+uoj|`VlD(jlA#PkVN6@2(gN?5qjcveEi<Kl(?;Z=23b<VWQ!`
zbab@`6qwcunsf+OZ_7LaW-H?XmDxmSpY)CdMuwPp>Wi(ZnyUA!1G7#3*B7Uek%ge)
zA|oQAqN0ZLwf0YTjYJtsyngt@ZRO@ZESYZM=z1h3CdR?>L$%R(A%gn%r)F~?Nh_*J
z@HrY9T3k#F$Hq_9&jvu}?~00t0<j-Sb<4<WV69bUGEhvg`P&!Ma&*WV5r2M9>^eB#
z0*^(YyIW0v+Dwn))~5qm;L+aR-t2nSnrdn&h!`QKt*qzqk95jkXll0U`3IA*adL2A
zU}B0NSu-gnlmpOo$MY%3%i9fFwbeI|jgcqvAFZQ5xQUH3K>&}bVx!go0tOvj-OkQV
zHdfXEskwnn1zjDTxcGQ!DXGyFRYk?E)xqqotu21aM?5?Zla&rGE-r9c%EzyLe*WZo
z_6TnkMJ3GNV=}^Hxv1`&x$n)&D1TR5yF5R3aBu*MMTw73%f{xuF<KlEK`1LLONr}r
zabgSTf&2*{AHVNkQf5YmoxT07Tep0DeIY<_X+%E&)HgOZ-a^L>2nsqoI}4!^(^FDn
zhw_GYSK<X078Y5{WL|FW(XkhbyBx+-#=W+1<VU@5VN`fO>^kKjbl#Ym#Y9AKx*ctp
zj}#J<l5YPi>m3<!+M1|<uOF>;+0Rx=ep#evX=zyl;(u6(l$7*(Z!tI`BI3)J?wijF
zbz;NAAG@C&!0)>_JAXJoV&mq1e|E46d<7PAzU51m&8&pGyU6wwYleQ`+faO@u?Lih
zb#!-=&@ibrGEU>JTKDYYQPGTUe2nDw_V(T5<IsQrGb<|+Vq%`hk8N#i`u_e!K~%dQ
zc8rgo0Y_($`3$bc6Knz~#+0~xhK)Y(=s`hPOo>JuF*npCPzq}K**w5DBrBxG-Me=i
z8X5+(p5H=LJMT75PhUe>+1%U&T~+$y$B(kIWbU_wy;FiH^c-hCYfp%ME@ofk{5?52
zG3osJJdS&HZ?O}eS2mQI?ZJb<fB?81$fC(Ar=rqQM@7Yu-@gxALur(WKU|*uPESw&
z{J9H0gE&!DQCaGW9X#BYlb4rQQ0N>RI~~kc(&bXJ8vg~cqQu0+WIbJ*2y`)=K~|1&
zV4}i4JuNLLI5?DA<RKdy6+S+PNk`N@g|B~FS{grahavgRnEEghYUz3Wy}C3_!IHRo
z0#7C(DY@%>F;b+Dgoula3keBXA1NXwCYHWyY;0^XS$Wv`js4-nhbYK~r+bSlzuPDa
zfBoWq^r)w=4_`!)DRO^rFDNJo?hn2R$P5E3D-Po1bUzyk5J_-%Z?DFS7c1|cSy*iJ
zBnq)Sd<Ycb4ke|q+mXeBvzy!b=D)ICXW==P$M61rrvhx5tc*5f#>XIn=&JI&#JS6D
z_9uV<xfor%UP6vOd~rbymy#b_9e*!7JU%|Sb-t;wF-*PhaD7CGpFd^%76Ph)fb&jD
zaxzWC-Y&e21BJLdSSHOu#9+r*Sy|<e<cPVS{fdu|uc@i2s}pNNgTw)%u2G~%Oh{<w
z=y<fVL&j}}?|L-td3^{`6d3r{+&nTYjDv^gH!SjFBQ$Lq#DdZSq%LIU#(SHw5)(Wc
z(K`Vm7+z5{ggKHgNpfiydcEW`MV)sH;JQT2iV!eq85tQ>Rc^Mnw#LScHCS2M*-G)e
z-L0*%($e<?1ju*qW^OO<%r?PIR#sM0Q&Z=M)<P}-vO{U}INkF#yd@w|(bw0Pk-=zU
zVq$H*{dO=*#Qp4!h>%gsXZZQRzyL%8yj?#(zjtP4UGaSEOibYXq<>2WZK;7DgM9f?
zyqq5ERMpJF;^6R*iqC4IBbo*Bliz-+D<B{Mf-_w<6qkY*$8vaLVq<3JhgpAGk$xQ{
z@qUv(o^GPV_Ee4AQWrTfarF1^_vz^9hAr_)N#SL_mz712`yERML2`Yvo1U1cYiKx|
zCLO%7u>rx<_Y)xG{CNBN>~I~Hnw0I86eA&AoZt1p3=c1qM$F@f6%NXPEdFPVRQm?K
z%iEH)mr?Bcwfy}2w8d-p?%ku{v-+?**9;Na-QC?^^TY>ijU3hNx!se;MlBgxS@4%a
z7rnjxeNYS1($dzGmCY@W5_57^H^zQ$PuC^K#dT!FMn(N?4kjHO7=VHUUoH$H3f|-y
z8UP;<znq*La98*#3sX}YCMVthepi0;<_(;-QJ{_=fFSsYA0bD@$;pt4C4nZa_K=5;
zPFzXJy3q&IS=a-NIe$DF2%wOlpg1m5#q5^n&z}o9ZfI7%fBW=lU}WSVJUi(lozdUD
z`gI-!+GRJ_=<T(Jf@Y!V+h9;#Q}dXtYiqK~?ejPN9|jF@wk{Nij*f$agHnqz6`<BR
zw+Xke0pS6)LMa6}A3l5sYx46=Hx@Rwxw*MflLUrO?~XPG0r7i#A#`<o&W~?lh4=U4
zISjo%eG*quiSYB2(bUw0yYcr&Z|aZ*cvQ`LhKYdzJm2l?ASX0b$?4u#8~zD+ko^4o
zQ5HV$6eyJz775YO()ubXLX3=zz=;E;<`&u`A>D5BmxAKo@7VnOjY8e3y}iA;`FV|e
z&0PRQHto{y-@j7|JA-76vQ(wR7p>QzV+<EGHkPTcpfyHBe*3n(vchk-Ajiy{ot8$g
zsyg@?u&%2MN@s9jpo8UfU*8YQf2E6^-#o9c+>f^=wY0SMm%7&r?L9rOAtSnD9?#D;
z2UCu_Kq!J9k@UyCJUa}IK7vpKAQbs<V&mZOJ3PGK?=}V5aBcnTVyGWrxl~kC0IUJM
zhS)J`4dLPC&2p-|@lr2{8bfePejNndLhqrYdye1s#7ia}!fthaT`7j6VR~9$N9Uq1
zRT4t0zrP>!`=oAkObkDODrgf>P$F(eU7ei@5)x@uEmHLTLqqC%dRHJ|p2ZcnjTReG
zQBrnvc7m0sRV}5a_P42tfs0F3QW7c}MI_VnO2^GtPG6w9xVyX8d0vOK&JX?lYc*Y4
z17<M9I3b1)h$P%E{!hxWTc)Pev|^XlbMx}@UcC~$xS$8{Mk9l0Gc+`G7N*9O0~D~a
zu>qVi;lGv?Z#wkx^>x~waz9v62Gn8NWMN_9;pPSyht;ZxUahOG)dL?6>JH>>M@L7#
zz8q6zO?7n$l@K_1rFM%Q@N=$EzpQ>UNYa*ha2j{-U`Z<~_Kc5@_w-l+#h|RiloLz0
zZXrM>)c;;kkorQ<48ILQ&(02v5EFBoh=5@1hhY<htyaYjU`LzcY{t__y*iIcqw|mu
zT+oe(`u=oTfzmTETEj!_QVYX*@boD&_{%?k#sNn|B}YV0MN_jJ96_K#2n0#6?(cU)
zfJIsr_?!j?<+*hhW1J1Id{YmX-v!}gT&KdFQj6>zA1gh3mZ6dZC8@Nu6jIT^L`7X&
zdwpTy4mtS)R@Q0=6ZjIYWPbYc%1T!^xApb)={nEkD%&!+CDm-j?#@m(2)TpRK{q#n
zX!+*(U8oy%9+$65jN7AGG+I8B56-It*Z?(f7QTYSM0|ue*qo>UcqvhBLFny3Is^D!
zTwDMu0~G~C&&pyV4E#HFbA<2`5&w4(5dpW20O_fwMk!#I5f?WOu{m}UMSF12Po8Sv
zK!&_3%gw_xyL+-b-^$=A1o)13`!<j$lifWiJr{=~`iPGZCAIG7Uz_u+rm6!Q3|c~{
zv{hA`3TL~@owlhF2K{N$7RSI>1AH#<sD($tK$b}T;cV#YdIoSDzDWr621+oz_0sMY
zlt3vg42;oVZwKKY;M}7u`d#=01O)f)WkRt5R{<3T1>6y<u?uE|sSm!KC&=>|$i>vu
z)Z4dj1Cl~|I=p{xJU2BK2zCHEx<8of@cVo>N13AS!DM)3Bo~x@&e+dUI14jW97gRC
z_W*k#N;7*WCRxn5U)k9F$jdXAl=KGq46%Gx-p2st4habf1$lP4H<=7a1^^LWVtsu|
znf>(9(GipdFu!X&udn`<S?j9S1_lOqf@9X!@$mkGOCF1ui!eH@|Hw%M03jUj_xqPx
zT0nI!Wo6|ii{<6zzRS&H@x1tcb^0^4wl+2O)8BjiDpFEX($b5`o>y8mu7`jmniq>#
zu?OAcbT>jp8}8H2t^~+~N}jH`xZ%H2OGih?nvN*X{iWydHi7EXbIE0l)3Ctmbtj1k
zfe8w1w(~37Mm5qfD7=BbK7iiyo!MK=T-hZhCBS+n>O28wCMG8*hlZjZmiY+--_N()
z7N&-(X^yA|9NFC1fX2k)!a|I`GXNfdEGfGl6tjMsZ&6Wd<XlVEJik}(-nA!XC2LY|
zO-O5O{G6>ceSN+?QeAD`+zh4jz!aixxhJs-7V|a*uZ?ZrC#0LlneLmIprob-?6J4A
zLm;j%_CvkBn?UKroI5(s!Apl&t9Do?AuKMlo)#T8@smln9Q`r7)Ey5hg_ibX;&C4Z
z+#0womlqe5l$87%SZw<@tRyT9f7q917O2_P)fJ!h6l1uYH`;AZF0P-zqXZoux>In*
zet=#bEZp+KLQ1<W0G59!*>0$xUv27aW2S<@2hy6wr}FZRHE!Ee)eqQN(!<)@#92v%
zZ0DpH7#N(KoMP0-Z_L~Qypyv-mJ+O2`ugmU;BUI`LhzwtlN^*LudJBK%C<r)OzY<x
zUmu@mNx~Hx-`w2Xswykry?X~V?C0EzCc4GNMK}doP2ix2C^ot-z+>a$;sQ;91Q-Kk
zZtzBTJ0}5`sz|4T5Fh`=%a>?~zW)B=vNAqyZehobQK;-dLHa31R*H?X6_c&1-$uUq
zmha#-M;z`f#Kd$ySvA)vv4DZ*t*ol5UFT8b@83#O7;xja)M9^;ftF=)a`H522@rE(
zbdtbmfzBV5=7Ay+5~?aM=jVNiL69WsUip4i1&AQ5M2R87jS|ppr9ZvOY5NF@u)IIu
zJVc^y=S7JkXg>=JR_ahsAmpBk1{|Jwxjk`0$1}x7^zP1*h3Pey3*ij0?D`&T_YvH8
z5s2XCo;aS)rY0kxvtFf&9AHXZtb%~~_3IaK0!VHs5fIqC+}!Y!U%!7tqSH?KArLrd
z4A3%y0}2bQ2^1N2cCmMV?}Hf)sMVV+mR!~Q7r-+pAYkYC7*stM!eIQ@+qQ@I-Nv-x
z*T8xK60_VDOGHS>2`X&r=!Kr1C`1pe2T<nB4?1(_5JBa(^HBJJY#tm>d)j9zEtz<@
zp*(m_NkSr%ys9lHXSNu}L!w=#xV4y;he%b)F%=P3p#cH(Ks*HOQQ#0%Vjk5RG;Ih3
z7TrSc9MB6;cfCm>ps@0Ca)2;x6b~Z>V_;(|C@6%IJ$?=34ruXMt-D)M>DCKiTI{-&
zAX+}>dll-{j5jnOVd|QCL+S#fZEbB;kdt$EcHS8O9sDJs5{d{m=_5wMz-+}tL7N$b
z+t(l6LwOnn`T3u}e6gOYZf~{%)*a9^3xWv}*xSoX^VA1y1E?6(q95c^Umy?=2YS^X
zD%KmkkGCfRaq-w$*iaGA;vY9njJq~>MC;&unc;yt;IE^rN+a^_^bne^jEuitHwQsm
zJLE2pd|%cs=6#<qBt<yMz`y{y=HlYwP(!nSN=Qf$dZV?sb>J$$AUhk;mzVT^c$+FW
zC4*Z^TwLbmOBEHnA5nM4%ZpP}i;IghD=Mn<^Rseuv$C=-&X03DIzS|!jgLcJRh-ra
zXa{V*eftZD&zKmB7pk}Ze-<Ey<5)kt-wdD~GGDHxh)&XP6ppd6obTU%TuuR0fa?MJ
z4jgAm35mZ$Lu2c$K(3~zJrCE0;JRcuewJ>d-tw6}2?AUYQX(RWhcoyu&ECBmuk-YL
z@&xfk<{wnOv7e@yD;|>v3yX`f@$q#o`)H@cq4E5?2fo-utB#rv?sP;(MYZ+yed|pg
zG~-5<mL{^dSH;H8OqHxK<0v|fO57}UJBAOD5M(%SKxK~<>Z+=$68+K@M#rKvMtCid
z0C8;Z>B%ZG`q=z>abZ#R`ttbC)5teHv0R@0^jnXR)HT#I8JTL`&P#u!q^zuuys11}
zMIeAZvauC7tPjIo4bog6u4@<@XVleQgVTXP0Kss8%ErYt&*<*}ZAD<(Dk=jh;@*l$
z!mBGQZATrJYHCqXZR6rzy?K)bROla*t;DNW<4|d#Kd)c=q21x0qLNZsadA6HYh`6<
zaOxDlM!g(^423wWb3MdDd~A4a+MDRM*62Gsxx9WF_l?x$aBWh%?3KqQAqmOw&`8;j
z(xir$Uu49UU%pyfn%g^DRJa?Bg?NI+1QHT!{1G*>FFvOYXlZ!Iz2FDe0y(9Qii%Jn
z7jZ59`ZYW-@NVbs-wCgi4Xugp_#1S-zM|4nx`i+(9)(V5(W~EZHxFrPY5Dof3kwzH
z<X{;9FT)KNwTFSHK{yr`7Jm8iMNm)>{tg_;;`j($KXB`j5qj0mk4-x6DB{eA!ShT5
zx{d!fkLR_Vb6qYdD3A@Itgx9y_LV69^{d)u)+-@F=k427pwnEOoCt&_tK)8o3A3<>
z$>O5c>W`e92S+VmzUOHWkalB6GRJFck>_hQO}(pl^1UEOU}G)rYlPPZ)&GfQjkkU0
z1c1nwNnn(NJOR}GMM8z<9n0}HV%Q7ypW{|kcr<ao%YF7_F+5D1uG5p^wK|@C@F>9s
zf<s_B;=!XwQ>B*L^726$84Iyorcf9f0<o1OC7bfKenNe4VHB&G16~dKi=5X&)5_}6
z@?jF$9&j<JAK<XsuJonC%K*y}*e?WS``%*qBOL>V)%(%%-EvBy7`Pr+3z*UJ(b17y
z(4~sZT-=$;5XEPOH;JB*pb{DRmK!V=2ooS=RL)P|fj@lq7<?r>Z0vKWkb4Xy!HIP?
zvkw{4qs>RKhJS3CnOoL4Eh{>|cp<JweQC=|l2=gRKKBQcSK<}{(3~ev>LJfST9L5p
zQQo=pM?UNA5*28^BVf2tAECXG@V=QXte_*3S*fz3V%IDHC>cBoXli<~o*15Bd~#rz
z?S^I3LBU13HFw=EU5$*=!@~OLb#?8{*T-JHx|p^x2?aJrrCn-V>x_f|OCdBgRCcc%
zm+a=|X)-f2dwP0~x2I(}`CfCxJh;C2X|t*#WNIoNKg?#5nW=1OSeBMfv9=zro!UHH
z!1bnE(DUq|2_3J)vuF`&lAwS96{t~-L{bux@zK$Y%uKKpU0hv3#MpWGgM)Ho1%U+z
z!j8uFV}4E!)MtjscHjY$E;BxRyYsTJcpy{}9|OLd$+}hLCrmWVw`$m~R^<N9T-@6H
z7fwglW)ub-zvB1r)bRe42Jeaiv7*zRtD2t$mSe};h>vyGSLYyqzz4eXOL+qLN`~0(
z!Kx}m*v5v%0!144`xQ=i_p;hV()q(+(phowx9#nqv|h=yIM2)cWYdnirU;uF7?`WI
z)^D7wY7<Qh2xway%G-7R5L)K;FxnN&5ioBrfGI-l)+p4O{nL2|An3;P0_F>9M>^=v
z5kc5rUV!aSpFT}&lKVI5R@nK<qz48CZaO(l8@wSQBnvn`VhWeT{`N@3b*W3g$<Nk=
z_U@OXv*zG{nVD<%dl{J{V5e(o<$R{@j=pkv{&y(PG=$3B+Pc+%gP(E>+)c020Bm3l
z2YA#Xt}vwK+ahMxmE?Xk*PN<T$+zoOIy`(*UcQr(QazyqgFls(uv&gHGK9}A)vR0p
z_@JULE-oMt9AsUMzSv+gR4U9zBq!Gah?@2$wYRl_Q>d-2ZEunT71x@}v?o6=51QGA
zLLT9=zsky#68MWDU0GQ2%1&o1=fOG!)hSyYyliH!ANW~nzwwUyrK`>HmM0e%7~n_L
z0<WuW8AwUFSUNhwq`fM~UjeDKo|S-*bP*JEKh42SO|Nl}uQ=`ejDx6$Q76C_*Z8X6
zMM%ETNrH;N%fll*@GLkWs8HwU(oTD%yTHEm>G5{k?ZVm{urr$-$Xps8w*U28tInT<
zm_%@Vbiwn~>w+IF@sks07eP;HEZ@2Hb+?n9SrGUz4OL%XuNR$UfE+0G3QQmnHK4>D
zx2L+JMJqbti6OtgvFj&AMg4KH2A6&J=m=yvD4N<&pT>24lI1h?s$35nW4YMsJh~J4
zdYcCA8Tpnb?t|SSuA^gYwz7;zgFvLWe1811<dymB0bMDh=~=B;<At05Ao{_7g7EB3
z5MVG19)-%6u`R(!2>l6QJxGYxb8{4Y){Y|1Kg!5CPoFMzeuDtb38kjXOId&Ryt~wb
zykX1zXIk|{cQYzxUyA_;%gcNWJUp;`+q%1<fx!|k7Zn)^?!8xL<~`EsM(~KB`2bF{
zC#V?F^^V7$R~JCGnVFazgHG3pK~_U%0$)RXRF{!Sy1IIH*At9(un*XiL?XeM9l5$(
zdihc(x$H7NmYn?V*-FDL&RAiyotYshx7u2l-B!3LwX^T6X=o_05hu&Zo}8SVXM02s
zZ(3z%^uSjDn&b%hfxEzBi}>Rnj@?U#yf_&hZ3_#VxZwhxd3oBJ+C_S0A*T=T2dk;S
z+_JTCmS!9<;|9+YI_{uWfwz#~y{lLIA-0ObS&s83CJ_^K7IN8p<-pw#G3`ls8p#Bg
zDh_{)iwFw~`(ZU%2_*&mg5>)8W>&^{SiCZ$*FDri!+-yByDxP`PE8pJVDxQ-fFd=b
zr!SP1Qqxd3<cJX%ABTs<c5oPTi@%_|_u%bF2o=@lCg>C(NeRM<7+ApaYEh%*A)QTL
zzorM~*uXkCa$Ng9r?&?=+%hR%S^3bx0g567BnbrMQuq9sPHt-L)cD_nL4Uj(`aTcs
zrmd}>NjivuY?$m}WxZG%V&N^Z+b6fT-v>z#s(;3&d`hp%?RX2a>J~yKl*;Y$>QYZS
z?&Z~q?fdJiUkk?I#3ep@q+MoBI@j>+XL|a);fD{#W@f|x$`FXfa0WiBDT`{`bk^42
z-<_r0EeqOn)uAFFA%FxVB_(;4es{V-4mx-+RyH;Y3JN3y0C^)idM6$^y;(Zh{?bq$
zz)+Mw-UH(jkRRbWIkC~iPEMgO?i<_nEq0RjCc{JnG%PHwt<e$B5(RlgMU%7_!`_*j
z!(wRZ=zIV%ZDeFrc+jp2^^Di!!WlRN3{VV9PPQADfEg7o2MxZMSeFE$)~S`<;$r4d
z%ACA{M6mgC_Lp1tS%YTg&yT}XQv;8;!sQr2XL<9Ov*s7HD#iUtpXLA4(zS6K$&C2u
zvcCic>u_v&r10Q5-9|c#0sd6~#6*62`cKEr@s<{uQ##2;tEtaH!Ry`+p_^gV`X^tv
zv}>YmW!4)#z4fy#D4h0qzVpdRmkckLiVCK@m%9A+GAi<Gjf<UQ($Ys&PT1JkFj^H#
z&gI9lFYz$?ouQ$!n%XZ|8;?{k1Om)?-6}`*moH1U(v`Kf&qwq<VFC&Qmt8o?k{AV%
zuT#Y<%J#gsZ)e{huf^51HYurX5OX9}*m9hlCiz!am+tv-XGiCBNTAkFi`cR8-!~8J
zsgbZPgrZxuw7SjC$arvZx^LLz2Qwqs<7rp769}%fbimV_m`HfWbPGpjx^L$qQvr$r
zl2}J)xcZAfW9|)e&GBVci9(*D+rsi~#+(h)*Cj>Pva<eDx$6E(Nm9u;kn^Qh6DLPE
zW(U~zz`_M=Rh|S*L$j3w<Sva!GanBR$O*7*mlhTdViLE&c7u`)aN&LLUgW?aamAg`
zYyJnTE1zzui+See<|PYydaNC+>a2dHyTf_9n=VVx&;W858R2(z_$|lRH!yZAO!O;m
zRc?vh>BTAF=1m73W`hz1)%!>epG_waNYGuV(nhvJKcy{X27@@dFD543y$EIepGFbA
zghWJS#C_uuaLK@EeltA$P`H%qcrg1`mE+=vGj1v6{>#5PCTC~5|0e3}m&5W{0;OQq
zY46}*;<q^|#jSfxOociXcB4NGp*k;0SCS;b^b#2GV7dUgYRMoEm(%%SfaEKoO#OIn
zYrZuh`&oK+aq8?rf4VK7_3Pr%ZeCtRx1)f4CgO+kdRA7(a&4ERqr+cG0M=^M^STNO
zTyh&~GK-6C4+k=dO-w+(gVv4bG7U*#TSL0<ga1hxEM%~-{rq5vb-vn(y{BKfkK_`a
zv7UvVk#Tum7E!OMu5Qng$Fn}NFG%+iER=gR$t=#ovCs4>95++vTVu=RAQ3e!M|ZBK
zJ^$+(l9Q9y#0`MQ)SV#kv!X(PjqN#%|6&jClVbVq^@?48fOanEZXlC5|G;0f7%TCW
z&%8=cB_JkkWtg5{hUWEHS<%J0Q*?j2lB-+q++{%>JhS7oXTUWwr)!ZAS<m9%SXmaB
znvKeGzE;io`vug_^|3xH2?c1HoC8h$TUc~b90?+B!`<Cq<TE?kI%KA6I<b}Bm!2vs
z6Ht*jay`r~%|ZjKL;qJ><M=CWS${lR2b$?RCwtrW&Te%z6+z%W5sRH#6>E;qy25MR
z!awLj)InP_UuOtLlM4ziw<d)=Jw3rd>cJr;gT5a~FW=JABTz||S6+Z$(9JO8jw`IK
zy^dxP{=J}K|8pcqb%cQ)eh5(qir%|I@X#0|TK>7x^Dh{fbXnPhX20mLu-5r3IVY=Q
zwJ`xrJl2P!G8l2t?4kXkp7#=SJi+Rd1ja0%+Cv8r#2^h3h{Wb#c7NZ)L_`Bn8U`=#
zNFpKtvW%!GP-Ydsc|0SYl$Mpv*VK65LcVXj_s(eEo0@u{CdW(rl}d^2;o4g6LwIXM
zL_a+)&#2jpOG|NY-{#@sk_=`$P=&@5_@rPbkF^hiw}GzpsPspvsPhHC=VzDwwV{T|
zDutjRzXvRC2||3yKi4AiRSyo=f9Gk;1IAmuBP1jl)-7%Xqhe`e?1DTIvlWlJ+VSuq
znm6<hY&VSZMDK&d`jA;tVh2V#_->l4M=EA3;P#<f5+D#^av6WzjvKwb!?`t#uC6Gw
zP#2qsL?i(B&~<cbmlkhduCs^QFTWqnwUx|N;VaPcmP#V0pqQ?9iF|5g>}1&y^#H^Z
z*@RLq&HGl++mKPb&{qZ@3c5>l=-^Po6e$An^<OC!ziU+T5ja_=F0OvM6%wg0hV%73
zXI7MJiJLEmCMccum*AnWv0-<_JhLKqS*c#do7+WYY_axxJF@{{_=u0m$;mJtf?!+4
zg^aoiPfRSx$$3g2j&_@x(q*|v>e0RDOFkVmVy_#UtaYkhs_K4W6fGUCbfDIMDNX=@
zcTrPaNQj~KaLBC5?{aHPrG_1$ptO^zpqH)KZ}tlsBVdYhum)a%I0P#*AUN3c&70hu
z99vEu8l-j{|0UTPyG1M*@ai|?b#yGO$$#6-R`Rn1x3V0lW?IVk6_2xDg-O)YHw~OW
z2M3_PvqNbZs_=ld@oBv(N!$#z7gkEZsQp0h-GG9Ms->-s-SK(rBg7dI5S4g7>#P^|
zo1&s=va*9YE5-LCovf#%e0*qgsP1KE3>WHKTUm+({d`?&F*>s}rveecVX`<66EO1w
zoUfiL_vbbT|NHk3M*6@bi;9k3?R}}CVQyv?_4R8@b2D%!I}@o-s-Pwc3qzV;@9*z}
zwO9+iFvQ1-=%G|1W)w4ZfE*KjeXlw(fSh8x#o0(^|NHlM20sp1Pp36CT1m_D@p8lP
z%_^(bYb%rH!5A7Q=kf|^Utc5yWFZWjbbH>4LHOb~;`K4VFF?hXNJ~dGdkT3wSK~%N
zM+Zrdj`&P1M52Wny<q*W8`KH5X|D_lI%MNvJnyE+hnOlfwWx1J{X>@Di%5xxI(vFv
zUME(?N~Gp%7SrFm2aftCv_o|$m1k(9eMSnjNhv54GF3((hFV(D5ief8%I(U$5Zc(i
z$K2Z8yr}Bv7;54XzOkmmms0Ti(8Iz4F#B5q<<7rrm*2&Yr(a$v9|;OhRk?$gd0#}N
zM#<%YB%RMr0u=MplM@7@baZ@c+0pOW@Try-`ImgJmpAkfv<e9?FY<%yqopAhKGJXC
z^LH@FChhFS30YIK%dDDN>+@RcNo&Oh1jyOhajIzb!A(P33;I!DY`F`Ba#8#$Erpnh
zj*dn`EV1d3z2CfxNJ&p`vb#L{Ue4bzE<+b7iHYLL&JKPnv`PY2SN+z9ciTR9ePd^k
zlnAT-2pYtExQOpxiAmSA=e`-gpQiPM+%qMhV$gA*YMMqRV|qeoOiV43f7`j#YVs~2
zAu?k0w{>y~J?hV?S^z*7G8!eONOT4HLan-~iH@LN&ufeVHnyp3C0X4X`Skv0&^WN)
zp;byJ%u&k?{M698VZlmr4jch&lHcYdA(R4pppURFbkpZ=!6l&`Z29(WcvRGf{i>++
zqHNQTMcb_r5w$62B41B0cdjlKS@QlIyie*G3R_9h?(gRr8iJmZwruM}$2*`YBBBI(
z*tdCpmds6jR1YRy_B^F$VbOm1a#*&5_t2W|U{|0k{f;M0>AAYC4&2t#I!%g~Sa~9k
zf<P!byO3K?v@Q2T*hg+ngHv<0b0u=3yZ5*4k56x2%Kf5%Kay2W-#pH<IN$xnw6^Z9
zus`K0^ewhs3MSQLeW|09Adz}A69a<*7vyotpDFkrv9l}5X~sw}>DSmAg_IuoA8$X`
zC`fy8-`dU|^-y6OC0hPVrR(9v|H{7pVbQHc>EyH{WeKnOQp*e59q}U!dRU}7+-T)=
zUdyr9zYK3hrX>1unNkaTB-j@vha4Tb3}*BF9SMbN@$r3YnkttNBasjjJ5H7K-*dHl
zp85h<$}^@&Z?CQ6@Tl9Ds1y|OGcyKIn0k7xqr(Zr{0q-cxdeqTT#Xq^uyPC1jSMYC
zz!()rWxaZ5btLG*$wZIr-4J6rHfJ}3(2yrC!R=|Bd;9JoVg?%Ot*6AwtxC`-cUtbD
z0{wuEgd|jO!>I2NlbYsdAM=ROAi}P;>*U=Zxal~Vcr<x?DOOYk2LuQ^@A-)J=OI2G
zUtdv>6Gq&jneOkWdu$e#8Xg`S9esAPtE+vN^_AMuruLsiA=Rws^EQ1QL0GzM1z=85
z&wn_PoW9eTv<>6ATVTP%maCMMPCGkq#(U>ZDa6+evo--(GE)^zO2l0r$2~(+9>rNp
znb@R27x*m4_Ga26Q_M%+e`O_z!Xg|T)L_#hq@ph5bbbG4^B;OB&2kPFC#(EN(Iseb
ztw95%nnIUW2gZM3@(JNx;X2<k2jgI?>&qW5R?LjNztbX87Dw0{UX2D4JbXyk-_KlK
zE#>2@L?!UL)RB$wNaN^I=q4ZMxoK|EWOv8R2DWCKyb-Ldlz;kEH}o^NPKoi);@xx~
zln&221?V+{-7mz-2Bro-<@=Q%hN&Y(w-BH`iShC44XtlQQ(I|XUCBmAMM0OiQ<VXq
zI4YWo@ewYwSIs=Mm{E|Cyc-f~ZN$^#al$4t;i?`M`GKE4wRc2=Ac9gb8A9c@x6~aT
z$&4CP4Yh7{CrJd}NpAl4(bwi~eD{1ul4T^_-Jdx-XM4+eEd{D(nXRw9$WeoN7RG|!
zdRi71?7)7#$`7YieAX8=HJKTi#hM#GnU(se%4?Z?ZnUUTwe9@nuV2!YmEb6ARauZD
zg|dUMED--S;bNnm$YVS`<-1v#xyIW12<apJq{rsN>!j?IWtQ5UPLGg6iwbhY$7u-)
zht$>i6*~31yD3Ayr{=8wvZg`Q_w)db4y8Qer8O+&UfcFm6BnPgrgjsAjfKdwX`j1j
zF)@{Iwm9X5D&gqdH9-ZA#~2<#N?ljtretfStgG%ILQgL!TwR%q<=tS$rfFbk+1=42
zwhZ&{Oyq@wg99NOljrHxAM$h8Krmh#vRyO#S34hVd<<6L48KoL??vfyywv^1XkOeK
zeOmDuWolZ<+wM5vZq0xGz|{O%NH6uju=WK=JQ%)!UfFv%Mp*ZH5^KXO@`d_1>t4^z
zWt8$R%s_i_9#!KX@A7;rlyr1kTUhhguV0_#X@I%yONaqWCFhMAOsZe&8f{OS!N$bI
z&c*46L%uiPiih+Sv2Lo6?tJn1Dv#F30TfAC^-IT|p6Ztk8~OP)xVXV@y7!Kctibg*
zdrO}Dm4uS`H<+!W-)D}kr?)0+yLZ%7jpje;R#|j+=RIVx+}L<cBQh6?g^Un=V|sm`
zUG{cfPOe?cEX+YOQ->N82L=UG<mJlKhi54!g7?}+ljqzDGiT86Gg(|v(XV@>nS=Fd
ze-&FvtHRN8AyJ4y_KSo%KH`OrCK&-G>-|WkXGtFh{+)v$E=0$}RaW~9IGC6;)w$f;
zkG7hVqoY-KJ18h3JQ`w=oTGxO9AmzUjM~$pEsXAia)SaVC*ccJH#j*NX8WF}_v4Hd
z*iZcQmraLP`=_-fE??*EYXckDy<^zqPXp6vtMPnW*@~Cltrmt!%!;(<f{D%%5wCyP
z7;b!_$X#3OKi;aK77ln*w{T1D>qiz+c9r{guwpl=-Q5;LX@s0MU;Qv67-!m=l|+?p
z20t5`?8-T6wPP&~kbs9fvy#BKJ=VXbMMO+Tv*<YsOJ=u<mU9P5&_y<RdjqUPt1?wA
zq`}}(l9;}#`n~&22t<jU9Wc9gsk!DEgWJ!$-?_qMDwtGlVfeWI_#`B_RW3x{%`pGj
zf+;xhv#8+-#_ov`3}aoWh}&XfUQJe`p@D4(Q_1%t+Xvrt@h>m8p84V=3X!R(synPU
z`ZmYK6&@YYl$0#>BzvB&4P`9%vXxoRbBLK*yIjsS-&p9^>zsWr^y@|%468Ct!1{8O
zZ56_!QM_EH@py&mfo*7OI1AuYq?*mCU#s)Oc^B8z^o%!cZf-Xx2jaE4xf#sBnV-HB
zX|=V~4{XcMXT<+D+b)j(-hKO4uEXvOzee9(9YbH(?M?an)f@&{kcNVZY5itU$CrB(
z2m%ZbfZ$#7d^jnao4cmW><4rBfz$E9Up3rw8Zq0n&Z|pkr>PE}ow?$=QOLa~X$&S6
zfnK1x%f{i8^!`GfPY>IeV94s7g@qcW;KBH|F3L+Y%eT8CPKB*+Xr}6>*H_BrR0n%I
z^C~LF{x;H!^6+poy$LUTbnPw<y~B0}Sp?#{`7OkZtx7~gqwn$71UbwJcb_;fyPu!b
zrR(TxXdL}x+=gx!AqIoGn(*aim4{Tx-d?!V7IeWD78Zbv?2aiG{(zo6VIcR?c3qj(
zw4$fZ+m*ihogMJ}4q~yu!#J@r=#}#KrxAPqz5GYm(|DngA_iLz<OR5DY`F4JZ*pP?
zbT1!9uT{GXMO1ttD&3qAaNW=(4EzP-Pq<Zg<t|J+59Xxtz%;%3p7M)ZP23UYkx#BJ
zt72kCjp)M<sjMGHSGG2Mdg{g*djXq-=^0TTuyLzMH+OZsOU!wYyzH4+PDQl8xNizm
zgzN9jLumw~Y>o?m{Mb<>{k9nr@;x0Z`BcuS^+NAeQ1k0=YpaW%r<^Y1zY2NogCbw@
zZLJy|OB8gFhmivfjc;`=c2b&}qu|oRxJ6-WE0@KOp1<$6s$I~Xwmo()1Xl7C(!o)l
zDtF;Rq|_D`rse0SRa2f?yJ(GtLiCoDK&ig_rPOke={F`30^yqXlH78%{zn4FHU=if
zj-X3KJE3c5k-qtR2bf@gi?|QndiSMg463T#0`{&#eTV1Azq1s(yShM#Z_F=loVHxM
zebK9YuOlPlHxm8YRZV<_r^5#f_V~Cs=qJsrm=&DvYt`ZBbU{mC9+SODF&hSgtfgdR
z{Qa-<^ZyudfQ!#oYBi))A~h3O5_gy4+gtOIk)eJwZXA+z-_~S7yNs+#*T#kRY<3+o
zh)RSd_Q7#oz1h9n-pwJW=i4{4ma(Glk(u`{O#>LkNk~bH^77{QslHmm+TXcz2X-wd
zf+^m>{g&p7OfW9?zOc){L`TQlZ9OExdq+V75fS#xio(yI8piM{yj0wR-gfZG-VEW)
z@-Zvhb9wlVSFcq5`}ZpunO8DPi~Gwt?d{K~+0|r1kE-l4%RF&U_Lq03rU321w*GL%
zd-S}h{~D7{O#KCrpS~2UWv>?)Rq6Tp7F{uqVRiwa%+AKa<g)SK<HxXMXb8<&oAVG#
z@lel>9$Y+J#cHRbni{Hhd&6RfytVB)OyuRRVj~Sql(U;T5XUM<%YPNB<Re66|33>b
zbF76<5x?+9$}bz{NS}3e<(FD-$E|D0N~Z6%hSo-I<jTG*ctuP@QzZQQ&%8!a47Zy!
zW0IW{JKF=g-@ldb-$8u*lOhh@Xl$8{p+1Q;GPUPyS1h%vIdr1F;NiZBx%PDcUg(dG
zYFS!rE9CgOSwV38U-w9X+x2!`KDP|^#~(fP&%1+4IH8euGbytsfx8+naUTb<b1Vk&
z3_g9H^9CO=g`0N;mPAZSX68_T|6|yyrI#}U>|)}0TUHN-LT(}2jA5ImgtN^K&=&-P
zK~0TU>(yPL{EYi_*ALFlcsLnRyic!*v6UYe*ZAYb+cOY7UjFdmI%$e`;dj)pUm$GX
zP*4cCw8YwNGcmLG^_@V^4BS4jIO}EI#%7^s1rvJp1{@lNy6c6vkwWoy4mT^=N5=;u
z_E%MVvXxR%yf%9htL-h`;6Xl54n#;#M}p!r|Hc+vZEt$k6<f`VlUb4`p(N{n=&)2C
z&$n)Feyh^h*`P7Htt~p36lNU7goNDI{^nT33fSOhspP1r!2j|=FON3%8QRAVK4N2)
zI@pH}d-fGzE;J>DmV*PfT9vkT!oJhnI5^LqJws6+Gl%_!)3xp}50A0UlompF4?Jn@
zvb3>yz-ANu>6o1za6GQcu-;kLywK2?$xG1{u;0*RrWtW0T>X<O35}x)Dj}xPx8|15
zpG&)(UVGFVAigk(83z#Kn!Yn^5T5>(UtN8isesGNTU%QTE(FXx35s=@e1k?Hq@1q1
zyC0_aceUIvvE+|M5?z=VLP8WoMf+!G@whlMP%EdOg%0`ME((wu{-=8X4z|(!Xa*xs
z&ysJxQLUA(wUc(Tut)XuSnQ!oYHsD(z+$IrL<Haj7MU;erLsY>rUmTY)c0)PJxi{>
zFz_JJNV}BzZ*x2BrlmI2?Segk;R-N)4m$`Tl`yY$^XKuvjcY6aR-_kgT=DLiq<c+)
zue6cmEkWDe{i7o&G%)P_r)y&hI>y!$nkBELY1A4_m6C)vnG~2Gi@1Y3+loi^4nJZ4
z7<BEyp^eER1GAE-$6-fHPe^nwcBQLpCl1bypIB(6AHs@*jSbTogaiZvp1ZF{ej0PS
zKqiRf(#q>vZW2C!j&#+rQsK7#vPcd8(?oyqRQ*R6#K4!fw%v}7?1{<#kx~*8-FUXa
zVd|p%4-A|oRUSRbqLU8>!lmb|rZ$GOt87k7egw2ZYmT9cZwXJFqdokb3KJ7EAO*IH
zz23eK;x~rfAKZ5>V?Q-eeqHZ~Xg6-P{3jn2w1S6aSX_E^q%>W<%kQLUIl)h@*@4<-
zy!STio-a(zh#8wC3OME${EoJM*}wllhyua!^7-cH&|cW(@?5+0pkuP0nfA#m85lBZ
z0o*p_wF`pHPQcllrG5IXYNB&idpkPx97g~C%_vGAl=;@1N%Tx@VKSaCz?t@%EEhYN
zo0pgRjZ<Q2LBS?YE4kj+x8|NKkB<1=hBGLfx;uh`SUyvWYNG6-84wUC_d`KLAY_rE
z**Ap_`rS7~+kkTu5)mOGm=zOX5ADpqa%cy_o)B+zyrb3UODE~)$4>6N8!Id2#8fqM
z8sCzusPdm=s<`(io`X-Ot-61Yd3iaM26}9uxH=eQaA+P&xctF@rk6hp3m(nm*D)oW
zVuP(IQog>r_wd)&*W@fMVORtPv7j$uBGb~QobDPwNfF$P=I3v%Q*$$y3%d#2e;A~~
zb`f{?n$P*Hl1lyOPFpY@(I8U>hQ&E0mAhMAR!MLBs<tgm)m9~VTK6W4c0bh}f_|SB
zHMIr$Uq5tI*nJK9lD2O;Ir8=Dbe+4~<=(yZ$HYgE9zh2e9uPK}$gT*lUUB;%AvQN*
zKJH-aH01X9xLh^0S9S_^?r9xM&(5cbi3xxLM13<1b6#H{UtECm#wDz-t!h-^aoN7V
ztg$Qll#iv_<8<JBp&d9#;xJ~8+B<12Ep78W@4R&jq|Hux{;_c;W+q3@P>Iy2JH*j<
zh?^&?1+3<zKD_9Ir`O!J2k>HfS@<j{6ox7Dzki=8ZKo8^RDq#+Se2R@a^97pgmj_@
zPoF}&$0ABz|A+Hqjijk0MrM0E0hn3d+5dTNeU&m5vA07<ME7jIO9H&vY*S-vVayOW
zSHZFIB$&|$!@=ue3X=^ytY-eo7mDiVBL3w=U&vD129-~4iSd1f!HK8o{Y&hx{unDq
zJ!A4mL6Jg19~l}_ZZlr6jhM<VCW2LSqoTyZ#-h~KJ*_bR7p?oRjCrcAH$z<4vS9J-
zaGpuA`VL{5upQ$xj^y{;e4Xs<k@>qbFkt5J`<I|^)<M8XbMWfhw_+X_{5CW7uzO43
zXH<N7MaA#ZQW(Okj8axChdQbFM(qw(b5nOgS;&>CyZf<#z!!~|FJbQLV6<2$Az_s0
zMqU8Qj+TcdX^@j2NH{Za?zPprAJ`JeUB%szX+XqVS_ENZ52~tKvaw<i5a?1sr{-ej
zq+!L4{h0I{1=;=k4_|7iQ;B{!0SA*ZWJ-wu4FMz5xw(6etr!*Tk#Y{gRK8+6g8R7g
z1_m<#2)@!%7v5f#=0@g*yR2*lc}uCXfByW*w<&M#{K^A8IT$$N<GI|HHku!74JCb~
z+tI|=Cj#OF8jOkd4;`D}6&yOeCrlDu%qFRI+i#g@!w3vA^6jgCVkg@w{#9WBnwoC<
z)#XN=B<$=(uv%?SM79m4fb*fDc!>J$CT~OU?>{(j{pB)MF-X*nAznf`IqSF0s{4&v
zOPGB^2?_bN9Hj1F9u-unGA%7VzysSlD@5bvR^e?r`o`hLG$FQ&xa9w#=_|vsT%xsK
zQV^96X#@#L>1NYNDbn5D-60{Rq?D9^fI%bO4T6Lq-5{W}bbpKUox>mZrTcn$-g#zb
z&D`sbp}H{ls;Z`@&h5#k#6k_w%)S|skjqba^VZuSH4k==@nRB#*mj{8R1XabDgJ{l
zFA`#Fx+Ob@9dM1SdP3&rlw{6bRPBLh;GE-s8ke&Y^51Z}SW7|u`=etzygsMCgjHhp
z)$n^und*$&_V(jsd=(|Z7yviBNWLy>cBq!q)bwu;ZOkAyHC<7QIbd=P15SUU9G&#z
zd_rbTPP@J9ZQTdqRyzgC`1pk4?@+v(jP^~&O@9iFw6*CG<tOfbjjR*65@hJ`rbM*D
zml)gHnRdeB{ip`KN!6Vl06w7QAqt#R_M*Ql7$^uhTk7a|8L$`U=Z77HQy{qjvuhPC
z@Fl~{<Rr|AdlbAyss*N@Ko(EJBCZH1Wb5tMEhx^sT$VPJJ8(X1eP!^Ox*arN;~Req
zPTpCeq;XT1s+6Ldt-Y!ipJm%{EJXwX)R5=Nn2~SJtlO7&)zk=06tTt&OmPMP+}EFH
zXC)`!a>bf)G&X+!MngDFH`Fws+tVp~p2IF-F5NY3+=1wS(r){EgRls-4}<8guCV~@
zP_o$M;Lmc&6}E>xN4m`lq|=CgE71H?nfwLxpwyu0E@H29<sokwH}B52Up~-Joci$A
z?BN`kr~J1tpoe3aN-889=Z@!j;HMBF*WKgiQ&SUDO{G^wMUAd2=&l#>QW|yU=2%4R
zq7{x*2_knMpYP1gR#g1qvV0_MKb(AMA2F2G^np2g8bk@xujaj8!kT#`?Eq?<DYE!z
z5C=f}8~8`JkniX#LBe0lWP09rJO8=p>Wjx?84zqeX5*M^)P5=drKDsBcJz#y;oZ~G
zFr4rX<Bg4PTaj6yiu81G`QF=Wl=}MhW@=iR3gf%TL<TOm5K*7S{~YsbabTa>TOacD
zBvOfoF<wtj`kkCa!z?h6FKvEkr6va?jOa$?=StgjVu$2nZV`!LuMP^8p9);iJw`)(
zsIeh5!A1nlKeViTd%wO$YQY8cr-zxRo_z}Q%myu9D!<Yf2DQb+jB(?E1rgA_%7MC{
z#RvVz2^8nw9z*B~wJKg#{Oo*R!oiCwwWNU1ml5RYzQhh3e0LD!V4Ee00@g}~7(m(v
zmf%DKcqoV#V_8{AO{|EDieC1WYG`P@Ud=WqaaPw>!5vM16P$^0|K8RPLGFFn!s;ov
zlyz_n$yWLQ8HQf&B+3U~@4eEWK|*|}|MK@oe@e#TFl{z}Wt>c&{?=Q~kF~Y6Q^~9d
z1Zc_oYRQ2WcFU-xF*cShNV5|t^#u`~51~!FwAt_9gh}uCx1>UPoU=(QEnO#3D!N<I
zl}k#X*7owfk|aB)fJeTdNKQ`XCRLJDO<cNqRLf_4q<{8n*6-*$p|a0nDC|_O%YL!L
zOv}Ndw3v?u<WM?qaN_q$hHE~asQ6u+y9@Qq7<o4pW!0|_(*S4<0>g!R_vntCDGOi^
z0|5k!h~wnbdwy@ua1>|Jm8H<LXd-8qy0Qq6ml?k+GO{-9==%)~s?02NZCN!vzn#mo
z#hUbaDl~%jW@#wOHa5^H6#%HFOkDmYUby5igTU68M=AdPf5<A?Sc_VPZQ`W=HT(V9
zc{fvT3j2I}NN_hZb75hDPlm`$W_A<&Elg?|-Q1qadc!euif>*bx2$$uyScjoUvY1M
z84v0|1Y#oOPFjuLkh2bdTY;>TfKyQ7YCVwg8a<lE$48b{tvd$3M<sqZg?kJN0#z6H
z8TIAOPI<$HIgzJ!bX3&-X~^K9B@l7j<S(F?gwL=w#l45!F+KfWChrH3K8*+TWPN?T
z*&QqNKcAl^E;*a2;*6jp5O{N8lv0(F&IyYl-h(DY)()4k;jRorl0ITbJJZx3nj@^-
zNY|@r<c{Xchkv)e0<ItoFNkLjT0;H*`|m#xZTuY05z)}pGPU!Y{8d#Gqr*sYZ;jtl
zw~QPbo?eTS<@k020ni~JH&uI^wi#;BBD$L$2oz%<-<-zacFIA&>0dpun&g7tzEps8
z|3#VYk>A=)nA0?O)lhbW|9FArTzwTHNIH5g;QTONetT+P{CO;v?^qx*AX2>s1wD1H
z_sF=pxt&D6v)BK}rlIyx)_TeE4S|u4QMCJflXs=_k<Fp3a_(sTOI_8`8HF;fEgk&C
z&G>jw9tt$+Y5yh{ro={QwOFghvX*NVMW?4T^n0TSKJ~ozyOs*(Y@7Z5<oNt(eg_o`
z6Ekd~zAIZ!@1gdT>iW>Gv(v^eb?CK4KF@X$Jr`6R1^1@Fz#B0&3?aeZhYwlQCA0V(
zpCW?f^PBuH%JcKr?-PC$`6vqvLTKWQb-!J)ZW4KtB%l8hEkP}g`Fb;?4!4&Fh-Z2-
z%9nS^g;WuU*A>63JvUDG(?>=?DhWR;XX+;p5TFgp0GV~0QT0^iH@iyri{pkGha(Rv
z0t7V;O<UO~{F}%+Psh>eD!>u7>|z1Gd>y*SrG5ok5N!bgAzNFbL_~yw9G!?SJuP$p
z*)UuaUIhdQ2ncMMhiw<OinNP%LKm-f*W73RRhJ1`l8&c0-<iBmm>@fr+$~l6ESxL3
zcvkXJZtj7*8+6&W1cl0afRk>`{r*e6;AYoHht3{si#j&?;7_TOO+B&Z7c%q$aLP}|
zzAkOziVe33Tsd_`4~dkhW0fCI(AD{7^Bhy3RX#sg=^fD%>pZpZ#RSudj0DfpB`~#f
z6NsK@R=-Ff(ncR8aSaH}n7Lfj=^029Fdew~jh!j5e&N5tpMBuhGK6RSLt88AWh`Y%
zM+chW8>i*5&wcC$hYnx)QG%%}*9QHwlEO4!-VKu&8UAU)nI@~Fm4f%IQ-YC2uhuCC
zeBo4{eNJkvF7e`*Bv@`gzDKW2chFeNofvMF$qTJZHFeb$=eWoHDXyM5(G5ZfQ0`a%
ztikpKk^ZYncNHRFH1?GmI5#`cfYXDRK-#CG$YkiL8csI(o||@mJNyeOoQCzqwy`(&
z1{+A1qJtBD=6(BSi;J7r{nnOrg?6E8lLRHC&~brM$e(n9N4F?fLJo_<PAcJsUH$W?
zL*2TBJTW7?#Mct>m1SE0J*sM&%vXGIZI}0h4pa>wqhi&oEmIMs-u(9N9l^LPT+=~w
z1PD~ofP{wg!*MI1Ht^Gno9-GGi%IrzayDHYGF@G!r9?)^TXqjqaIW%TA3gD9WInj~
z%-z%8zP@K%!oE9GYUnFOP_Z%5((?YbjInszE0jB^s@JJ9dB4FjhAsg-LN)-BZIX@E
z%gE5NISqS79q}haAkfzv^LeJO$Kh-27MBD1#6G=ByD5+^qNAfAa8T1M%)YHJiWfZ~
zU%K~e0{bquC1;wUyn+}JVUpjuRPh&`Y8%3varb04!+_P+S5OB9GY2oyZNnFDIC;&#
zb3Ew40pd^U06Ko+2s!#At~4u2$p+dFd&|Io(-I&7jv6=%!q0fT%(tJ;#H!-sVZapv
zF)qw*uZL&1&A&!rOw7nC`>LocK~wZt3dEYW)}D(%Y;Ao5I|tA2`r3gt3ZcEKLZ(e#
z`+8EG;g@#y=}z-Ox!QJH+xi(9YzB>tBs9<yW{JwR`TKVkGpV6)eO@x$?|F7J5y9cg
zg{KBLQ!w@Sz{?ylpF?1!hxuiH2Em@l;2=|E<U2Nf?(53~dzsg7-Y81g6#-PR7EOd}
zKX*eDFXykO#?Nlrk7f2SE#T^cn3yO_$g?DoyY%Kp2rWd#(D3>CYIL6+0zqH-s^b6?
z5arz5TmXP>`)F)c&rUoL5iv2x_9dwbP_NdoDpp5<zdSQTChLjA>?UNl+RK|Q%L~jg
z&UltE6WNW-tHP}L+~kIY>KK=ytOK-{iKAk4p$(H`IkYm0zgf?WU*$j6)~PQlV&URS
zOmXH%)xBP>C&EO?#rJLUIV$^{{nH0w+q1rov9bP%(i?!oe)gvrtPf(=-4%VNoW<qu
zqp0?7zRb9WQh4K610RB1$n~{E&enWAPw0A<Dn-gedU}M@(O>o4`?xrnwy|-)_=A7R
z2cwOf<81zzivTU1$wKP;_q<;}Gy>yFAK~P{ocR!O{^`?zZf)FVWRXVk^0`i<)5V2j
zKBdUCFJZnyif-`tgJ0t#&USSuk_w+}ZC=mTbzE#|^}aEZ7i|U|5~7UMv39sLFwjJG
zO(0ac5V{S4M+uMN7OuO#=yWugdHwgVR@UY)E-hPFn7itW$rj%lF~_hBLAHL4Vq`>H
z<6BIWOa%;W-JqgOF(MF{g0vW9<gRu<MU3`#C9pv(1?|ip8&|$fAs1N?G6F`I!lwWF
z@20Cub9f3du>>-rNnMS6svZ|t&dtQ6!Q^G{&!3)@q6Diu1#<;T;f;;_r4s*Shq63Z
zR-C7*wOiboZ}*vhqH3FF78XCPz5z0Mx6dNAwYR@do8MNW_3QvX54od*A|tcBlTr}_
zX!O@(qgeN_HUEyR^u9u|Y;26EPC@vb{GnxFht5ck3yM_w;Nwsh!1Ui!Hu{}$B2F)B
zx=9e=K51n8Wh-T7YHI0M4zcU=8FjS%pH;To{%glCGy>w@NvVOlv!02u^W(>X44&x3
z#5)@sQVjHWMc0P?mfC?YdO1>QxmgG@4tqBjd7m@9QiIs~kUO5LFF=E?)JZE=PY9SQ
z0ulK4&%QfR4zlzJGZGS(q9Tx^EYi~#0#4&ZDk4=3v0Ezj;geApYDd0$?&1RtIkUp?
z0^}P=t-GF{&qrh!DWik$=wjHTD(oqy+oi#opXbL8yo8P}c13x4<e;PN&s+lk$pVho
z^uv-HD}QIsG+XqsYX&1diJzZ8yJ1TSpP!e)zoJhc-Tq8hMby?>U=3mhi9UJqjNQ<n
zIlw=)Ilz<_cQrOk#4<It@q54R#0>?5A}=>80vj9KFWg>APmdfyLP~bvPPDXiQRC>L
zp#dB?fYtVa$C)8K^@+qlBm@bO&?009GZ1~QaY|GD*X}@CNJ$AreJMZj00%Gnt0F~=
z|CvZaeyjqnT9*pY`-G!;UM$#7lqV~KHs>w5l!4dvrMHsOTToJ^n^ThI%vM@T_?&-o
zUeOV|f1vr2i%Z~n3K5;@y?gCDbG~WmLW+jjgxQa1Xv*z=eVI5rdp_UzP{<g$oCvuU
z%F1v=L{ThNcC$CW$8OfdR3*%`3Ne3pP5(Y-QyIii3)yaMBP~9yxq2n=5zI~l7~Vz-
z$5M)B*juF@Zj5{?H{I>*eqTX2Y1+1fYjUWne!tmSQc04wcVWSOhL>LR$AS<eRx%4x
zkn+!j&#ss>%rf2izkhy9U7v7!^)3wTF4WWr)>I#?)iJ*<EM!2uaZng~A13t(EiBw}
zZM{^x#Xwvoe$JdGvG4Eu_tC{gr%R=a{o$9F=4)%EhK(Cj4K+45*8q!S1cw?ny+2;X
z94X+D5r6i~@zg1Cs`7_-gyu4;Jq3k;_Zjpmp{=}c9R=nHK+*deosr?xOtXYhTrz0i
z^WY+h85-m@JJarG=SRukt2jvRK_!qW2`m-$4|bd%qvYohrZWo<kwl>kTM<GfxEuB}
zA7sGHtgMfxiJC_vL*tTgK^SqSp|b@B1$;XEaPjQQHPw2MUs~#DU;wvjqTOO2xP2j7
z6J~Vi5dS5|Pu1H_jMg|-iUtg@F?oX;C~tj;OUy4qS>6S9u7Fc!emsxgQFZ0}GjHzU
zb5%x6YB5<`1DQUylpX43i_7C(kwQT>TA8=VLHMk0E6Wrt&beYk=5C=Go@r?yna>dy
zw;?5+*qPU_4De^3S$%VUZgFGa!^nK+b@=9khj`8hYisVCwHsI?;wsw<RD!a2VH;RE
znVA&9)EL35Yiol1{GjLMPFETlthS$dPbutk$VkK)MIDiunHd@RY;<_^_@%n~5nSzH
zWm8^+Rg6k%*Lh}(dcExygA%9JV)KjA(h^3oLsS&@e)sM1`@VP&2Q$0{ssEFZXm1;2
z`*&=g%la6dB|SY*h#Q<Bf)`wv6FAZoTevKVhO+eIQfjQGD$-AOYaSAHT3H#{<M2wT
zJp1FKHOb+BmHO$^{jZug%XPl4;fMy2<tb8+s3#KJY<n2t=`%{tE32x^i4{P&GS5@0
zU8Y6muA~%jk8OaCfo{vq?ecniW-p#L7S`l*bwZ&*BaSkLkxnL6zmSj#Hp87pYy7t|
z_==QGFO1D>fD8egBQR<eoAt3H_G^E~R2$23?_KgcJ5MJ$-+xk{ePQnzvX&ut54P>2
z?Tp)<K3e|ubyK5A?oG6=t-U`z^?w?*{b+lGp-ieJ2F<hFMiPfO{;@Ao!BPq_;!nZ@
zt<jbTV2;hEdkpxNlCp9epF^1%4ua(9=w(Z`R9?^918mGcKl7ub6Gwk3q(nST;g_R(
z=}1UOAPuUk)29KzFGP@Fh_m4BNXbeKq&=nG?n?wJk5p%u^QYj}W6E(n{nb^!kYIYn
zw12Dnrs??#pMU-Gnq+PyQGAbz0C_6SG)^-uk;J36yL@hxp6gd)H!K`aG5?+H7Jl(L
z8fU%uk^cDl0(pMp8MmV0%}cG+;N0cwxdxE;Fgy8TTCAo%MYLkmd>pX?(Kv8B2&><a
zQs!uA3OP=H^Pa0W<bL1(3Z=QNZTm@k>oq(KXGMi2GV(pkLBIIqYL}5*=pN5264`)n
z75rFnlV(;{M^F%#<KW2vQO4Z-ahl?qEtvrglJrPFF`HKE`?cmk$7ZXM;?z_)jBtw-
z!*N#SDe)YQB-A=MrBb<jiuqsGe%K<s3&jJa6~@$=>LJ$1qegAv=0?A3zmj;B&bMSh
z$yyp2f!b~3*fz;4B5{v1ZEI!I797#i-@N%vL?qT6xIVu6Ajsro2hqAa{U8(usJ(Um
z@ZxY=;Tw(Lx~=xq-^U8Vv$JMQ1XP9#l0C6CW8+m*4DrXUuiE$=kN?hHtd^T*e(CP1
zjl{=AZ5!v<2ZbLRBI1c^kkI{muZKqRG!E7SuMe%mitV+`KJseLrElua(VEGEw)kM|
zvo{v8g{8SRyVhP3_KmCr^7t-tgRvCJ?XZ9y6=LH)mGU>5%iqRshjx-3V;?^{<I}?n
zuQJdm&aYzPx&L-?fk*T~ZLM1ZDHR>wGq}Fw<REz#;xJQxj#Pd7p9vEi%eM@nlcE~W
z6G{;_gQj}ZU4s(cji<2d#jGSi+xG#bkcG8<W_Egm-FzeTDxCQ~$AuJYM*4NBz%!sH
zGmE&NyXD?rBCg`$VN+Hnv$wOcwW;2na(zno(X!N_*zo7~X*EOjUyJE{zj$~`QBmEp
zNU7eVpd(t}lJV_PRM*y$AkdwD^I{V6Nl31fJ~VIk;pyn4d&K52+ZoyTrn`@lMu-m2
zdMHPd+0H&XIx6{nIvjfcaW*&wH?e|b0oNWQ5EqNa*zfxCA%Z^o6OKi5fQaMTz+N2A
z4<r<*d%D(^6BbRopqHReoPuX5oo@<poF(~?hfj&O+-R+8`Dy>DT_*+t3@bZ4Ct(dD
zw*s5YFPxB$P%O|vr_$nNycn^#^T+$=&~qq3Jx>K@Y0d74$5Hs6l(;%EvNCB4IvR)u
z{HPB@-J)OWId6PHLnL7W2b$uqUlU=s|2LSgckAyn-ecL9A<z{Trl48Uh)Yp?u%4Zv
z7s1nJ?VniCP~l?ab(-ztbK)@P0*v!jTR)@EJOH8ecus!*F2B+1&v3o)!t-<wI{ULp
z3QB>;EIZf!<D9;gyT<T|3(W!cu8emq*I9);11`>g*|Y_3dG6M7$XK;G;BCFeHSUy<
zyQj5uLm7A}{*8uT_1}KpQ81dQY>b<#nlKf~#^0SmZ>Ij&3v-J)VoKsF`!BU7VOONm
z+E$DIKQ4fbY^h;YluX{f%{Lq_n=LKGX^f}dqqj1WI8v!!-^^oTJ0A0AD&P1nh-ygA
z#m&^r{F+S2gmt;K(BwN}7%1{g`8EBn@#kmH#<7UDrYoe=D#c#T+$ZzcUbv}joSkle
zl;}ukf))#QHo?@nSDNT1G<0{1>^^^K_1)S}ib&^MA57hU#A^Tj@DFZzd18T*?Zod4
zuTT;=q7s)HP?#FU5m2>^PuG`JCo4pUQQ}3?K|8!~bl)Fu|Fh10gOBu&^)WH5e8_D-
z`SwlJJYQ%Q=X2oa7jmVX`ANXU^jY0@0;Wxq%l<MU7ICxu^PUIY^DU0XHuc|sa>6G1
zL&(EP^aB_iTs)vE(9kTc_~y62rCqtsA-L$%9QyHNFMCr&SRBcGqc=(mZG}|O-!ETS
zkB<k*_{O<Nd_{x@4eH0>{(Jl&_^RBw_L=0LpTD7h24yCz;A4?N#YY`CTR+ApOi2F$
z)7t<AScJKZ^1!yY{m)Na<uEl|wk@#X<^v<?*6xj?<lNZ-Xl@r@K6VFP;N;*kT$$mK
zk^eidv?S9g4M>bfLcr*lI?nVj1%cKDx?sfy_1rv6pZ{PID`zgx*&#{NC#nz-ZfE$w
z@<kcH>##SRBSjXB0!uqn#NTHuQ>b3@^=xC{!q4gYrpN)34Bt=^fGrA9kPFDjTKul{
zLSb%-ggCuPX{-P1lxf=PxU<l7!N!%SqknZZ!?%So{$gV8*U`f3dIsg*tC}3PiQbot
z{q}Z~v1NKxsN&V%dMM1E`d(kISPpV?kldEXQ^y~NFk+RWq7-Z+$PMaJLIyImp*Yei
z=qRMWh;W~k>1We)yoPoD9D)N(!ymBLlrb{1R+ZPZc$}1U2MTFbIet5axnRaQwSMV6
zD&RVAVW!2dMV-JSdJc&M|9N=u8lVJR9N$NTj?$WOkj%@*7%c?$4&4blO-<z``}?o`
zXA*NmZy%4pI~On43P<l(CN9e#f`8WUAYe$F19vGmy<YkWXDYW$jF5gYl3<)Blns-^
zP$2-)>fEfd8#+yA^1m@|?g-vcU(wZdc22Gar}IOqCLjH~SgzAe4L|r(#@mG3Js!It
z1%-ZG9Z6*PLCorNGb9H4eoEwQHnT?}!E#F8G0;2_aYXVo_pmXU&i9ZmuKhK}=fS8_
zv!tlxi%nAw8@t=~_>Z5{=VFgZairkjlv8J5m%(Lze(0LQt`Og+J5d^Ynu#8DH1VcY
zi22=u(XQg8J?$5aXdII#wf+|)qW)4Xt0V|GUn)R%<Hwj_&Tk#3GB{Q?3@E}8nbyQq
zHkPcXi+aR!SJZgsyj@u0c<&B<;zQq?fb@N|oAFbv=0<Avq3^Set1Gf>Z*X<WY>fHY
z6u|;b+&B3Hnha1GKCkp>4^Ck|AF^$0gJXIQE^aa3*zb74>S{C2vm0fas6n`wpQMaA
z<1?J2-Rb}SeaFe|UV}@Rav_6=4=Tc2KwygEOF6E`*9ecrPcMWco)Wrwh|WG!!->|w
z8Ps&SCzv_^)7SPamg<;U6IiWRFv~25JhsQ*HfTdvrNN;q3M%$P&<g%1GDArd(pKxe
zJzd14`Z6Jb-`k89qXM8cSn5Q?gskae*}v5z5CF~~!16e3B1mg21gE3{)u8e8YEv`W
zRYP4{K+o`IdamJe&~q!NNO<8VUOKTj4rf|pz=4IH%s3TSw-~pYvO&P^@%EjQt<O0x
z%U3{X(`oM47Bu%HcP={Bi$+T2oxF5rCid4)pQ`<<<$|itK(6t4I*tgl&hN}wLSl3U
z%+@OJ-(N8`c^ymcEktiI7>w39@KaxV3VahSKYxxM7}(M*>HOkCje)ndD`q-dtFK%A
zF5ud3ccXX73L}`mp?=zNUJsOE1GB=VVWd<PY&eZA?@19rby?)0J|_Dw)Q%??fF-QL
z=Qoz655x_cyq<b?znPgRg?{~>yGOeFW?7F&RBrP4IDbjo-}_`lURU+G2|ueoP;X%b
zQ=d32?EJ@r{M0aG;RdZ!Vvh=?Ab6(cX3iUqrO<;$AiSiTmmXBrpBKdrh2M0Sg6CC#
zW>e12k92=^=Tr7d?V1O!r^}`$8N7Cgp!A87x`z7Xfa`mRevOh<j?A<!dT>&hYiRMm
zvS~7E6H|JEmdEJRJ(KQPiH4~ygD#FkzR*)%tf$sX*$EoMj~be{-$5E_(e+v11KFNB
zE{o2d&OJwuq=2jI_k7q0IDyT)CEF)GhQ2p;Ufy$GZ!md5LeL*DMkOaD7u3XAF@_qw
zXAM=r;FtJ_1Dk9<XJ)2|nwr#;(nh7SGLf7k3^>c`?jJDtKGO8i7)QoWGzz={l<j8b
z1#w|Zl&JrO2{sTaD1(bA#Ni?d3QO0g1#g?Kc2MpFB!kKyz}2_0aOV;yX7{L_dw>@i
zx^lr!gvzMKerhNh=)fD2C2cM({ULh+n#X6BA=~FiaI)!o&!hLTl{dK0OjJS1-Pz?m
zhux$MS$g=$NGkCl+W`fm8G3_ys5f)CC&mnitjdR%DwgXl7su+f-_dhhT^Jbk>v8Pm
zxcoqB|1%5=@j@~`fR%YOr-*!G-E+1hM7c1XUFVzc&2_R4rpw#y*Y`c!JJLNgbebIW
z`OwgIy1(gE$!lnM#8w`B?}{F}gKknhk3_xGhGOIH4#*==s`kyk8O6uNwLZ;!=!=4%
zfXARnUs?8{b?#Tv5sG|&@2AgT`eyUR*4o<2`m?PSz!}Q{6XmX~{QOUOtGD`z<x|*}
zXlNWcIqAVP)p6vJfCB??zM0NW_bt5zu4<@asiCbGL){zF+Y6F@p7bAmW}I06{)rM2
zKgW%Ux|}S2G=O&I6;1+c>BCF1j10lNyY0JotJ|4EEgPG(3HuH53&YXT;CQi9@L|#W
z9Q5T(Vise=Ki?ah;NcT?2?kR~<R-k#Q(Ql;X#JVM!rJ6|U;!7O=Z1~^0sqWSDOv)6
z+#mBe^wwWaFtg8W8BbuU$=8#b`}kF#nL)D?P4B`D5Ye}E&Ef8ZzWIkj#QR@t^|bqv
zgtqnPhOe7>;n-6Pn4f<Af-{(ZMx2w=P!>`MdggtM#a#dL#>U38Txq~=NB;hOiHC1W
zCG2&$XWTWEU4;LFpt$6V{F~@>W0PPCW6m_B^+7bldNmE5@7F>qFVx6+O+qiqO-0@%
zd7o-~BPY6URpY8-XpvqO2U9}wPH?t9N$dEt>2wYTL{xNCdvJ(064nd_IS^}1@4KIU
z3?}ionM)E^aoa9XYHVQ~;N?3J^d<VbzrV56v7DO=%t$0^Cedcoq@1=x>{3E~U{ao5
zx#0^l#86(Tsvm*aDqGCohJfRxWIjyF%#Wpx0+tWH7TwE^h>d(o&bMRi=Ej`mJScXf
zNX0kU)fc&`ZDwYE|Lt3m#>SVNoWTyWTFn;s8;UASWMe4=KYsn<bGX<BbXb{|#HegB
z{N-i(dt}vi*OyWMTuNA%&<3<`Bv%Dd%V@1=%v8nQk)E>(8?mq8HRfj@pk&j^!j;?h
z{yOnni^~baW^r+QUZ^NyM~7trl87K`IXKP}YiloYR>Xh)^EsLr7j??Y)b;$-dCLgA
zIYN5n^ty@fo!&JD2i&ETQKdM5bH1Ws4SM<V>7zS#emy*VMl17C%>O%sLJWnV8DJ?P
zA*aT0p_Y^&N=w`4&kGIh1Z2yzzOD-nM-05<#xuNd!^B%zh6S%XnC7~4Xl=FWnQ(ph
z=hV1^)1Yy21dpxNf$;Wqp*{&^jMC8Lvzznz#PyZ>(!ezZr{eS|5X5u!uHjc0QMo6(
zb6i~9Zz7{?4wkxTSqgEaNABy^EZ1_0O%3nq8GRr~8<?LeL<xJ+x~q1l5l;+c3&GUL
z#~5%Eeiu)hE#}>Rb~a8#1TBMFT^C>^9;45hf%(|@G$}g@`UBE$gCqNER~NB{Exc*m
zn43OrnBXmx?79xGw5uQQLC)wOEuZ|LbwauX#0y=8i_5xq3tVt{f5N<}r>A_lyYOl=
zY6+RBWuDq>f3rtK_`P~VdvLIl?fAWiyaU!JJ5SNk{oebJO_l@l<a2ge_rCsI7z?ZM
z^%Xc&-^@1w*Y@Y%zmu^oath3>OiQwTYym;6Df?P&F%$q3A>HY>(`%}4`kJXo@A{*{
z9PZ$N1h1HPgI?vq_FR8g7^bsxbD{E-!(>p(V?<fke3t)89Db_e8t7Bu1PuD5MXP6<
z+!&stY<h91LHP>XXnUG%MjRFcWooJ`&5V`3dybd&9OfQkz=?HW3!w~=dh~023{}5z
zvc^!1&EyV$r^AX2v^go$2aJcoLD1CXk;A-SM%?gL)7xAt(6sO#9}6qfk(6bKk#`(}
z`w*CoLhsT@0tw&5bfxw?vKePux}BZLzAmkPxf9LAP<`e6JpbJ#*vVF9V{2>6a&nAU
z-t(O7+xGtwRC_`wt&;QOs2%GWf<)Mhf5gI#jf3VRRyYn+CL&^@9b@LFMPp4+9+T_g
zrb^UO@_7m#bH3~IW0HH_C9JxlM1<<<8sN-DIa|5jU1clWT{<y7ZsNWrhlkf{^k3qs
zJ0haiIqxwI3p4ALmfB%e(ZJ+@BFW!2&V3>YFp+<fbk4?A*>rVWYuXTkGBFVVT03o<
zCu|D1;KaoGi)=X*=l}-{%9HlfoeePFKt?SoWo2RP_1ZW2)GW%D{7w1R5oGx73}+Mt
z8m^~T7(RR|;!{_tm4+{H6AUORJss!1d?_*$V}qj3XVSSpT1fcr9jcMc+E>k;k`hOQ
z7K@Zm@Jo6yF|{tw;ePr2;)1zK%t80F?+IFRG8PM~t*s3u1AVuQEJJ5E?~{qN#LTPf
z>_C{vp;w?8{aYK})1+JT$xbAoW^#s^@yXx&Q~{kmvK%dm7RDST7{QB-eSw$zx6<)>
zOLNTsFb-T?yxxq=)wo&`P^O0w4`r@6hxP{q)M6OJH&L6{dDb8(B-`1w@9-?WF%TN&
zKF3>3L3J3Rr!{lR;Hiy=DEoPYI*?H3D*J%k>-W!mnI{+su#o0qvd+lLDo!Fi@_c0^
z>fAl!8=s~P-?2D!sZstpXhAldv9U`mbKL%znA!NOuJ$p&3GFVHZncd%Rkgo3O8`_E
zHsCcLeh|-j^-78AIlv6`T|Kd*qm_o`xyc`HDqsTa_)yeH0gQ$SB0h<5z4T7bmicvE
zi{Ag}ci6GRpDNVdmP9aP(qpmq&CMW3yy(iy%H;rH3b~cj1@%Ua^=9An@5Tt2ojG1{
z6G$g6uk<{i94Nd4aw0vj@s9-O-bg8Fm9dkt&&7JbbWCL>Ub<|Z?z7!_&?(~UvDt<K
zNT0i#JMHf5nT`gp``D)md+Gc<M$((TB@+EPY&0}sopv-udi(|XSjpG-kb?AHVbJWx
zXER0xusm6wOK=pfses;jBQ`Pu#$)YQ!fW(^LLC#MsOUM4M{l$+FmD6N5H_b<E<CwV
z%>I5-$$$KqJZtDvX|}D|yJ$mGH=@CG-l~%&67P#+aZOD<3t1eq;l;M}j0^`cKN6Sq
z!NYP>f!*J_hK6D@!!KHOAO!9OK^NZ_^VwQw#GW?wTQX<uGaSFc{}c!om$JsM_+F<8
zd1<ODpI-jKN098X>gmbhV9_9fN8T&oF`&`YZx?^*`c%rt_q6RdVQN?9*qCpPgR`@7
zT+2<zh7~z0Qc%9@dNp5ZW0rC@v@Gio4eo$JAtS;h+MEYKE`}6D9e9@#Hw$kG)nS`Y
zf@8!(EbtN$#MH8>AMpf`3`CnHw=b1Iu*mZn1(D3=uyyli9^<7tT}M^3=0R1ROIH^P
zqW;Uv66d9cGkcq3qx6#x9yS~M!nGTep+GG<LM~<RpwQoA9EeuH>Q-6l-WSDSbK9Oy
zT2LLf=4R=U`BwQyoF!BWSOq_fI8aA365EVUvxNJOe*bx%z5JViH>%H$9maSz-+(7S
zOSxrrv;XKfU@^$9g=Lx3240$V9m|O9y+H3`W=cF!k9O4gJ1V1#Rqw(-ex#dV64_eJ
zHO@P0(L3X3!aQ}_#iW6+gnsMm+)FI?O+w3wgFPxbcf*15?}JKwQu2WnjGhM+?Oh4~
z1qK>Kb>}eF_e?z`R+#=+1_60+FWIB;0Oxf?&_uK}v*OL1(JNa(8J+$#867tqJf1lG
zI~wi@Mx%e<JQR+hhAtN(7H6iP>QJalE)-zCr$!VApzF{E)j1e6bgy8rkN$KjU)|oE
z5RTbP``R^7F#Ef1+={fvoXZ;(D|M``;o~?sGb1fZ>(X>KR{Ct~P|A{U+L5p&YZV*(
zFeUo_AcJUKvsAZd1*1duEj;sh+oJ&}l4u;n<+q3qxBw$9-XCgj#S{>h4H#d<rEUf4
z{%&@VrU&h=wU#iwl&kWe^&tcYxW@a1>x26tf*|lTXtzvBWoN3A&oSm*Lm>lOGB9)%
z`FPjPU4CbYc-Li6z=h?Vx15SB&gyWvX|2{zLFurty$cOo`&*pO$H#~I(;JI<tiI)>
z-Y%iqPfQ5zy-T4s=KLb1GP)fgC#(qB-CSRRThV8=CkAtwI!k^pa3)G7KZxCok#Zo|
z6&eRKSA3+MZ<ac|(vT2<vDaQ_-lG)!W_WYWPdds10tmorVP-v{_{b~5e)~Pk8Z%6m
zUJxsvK6{}$T!2B}9)TaQCuZ=v&+IyP1WMl-ZgnBx#t1%1NoT4$TogCAB73{q+84<Z
z`}gm*kKjFf*4IkLSNq~aaf8Qxb9v8T92j-l)=xpd{ovIrex09qd=e6iC(}v2ut}M;
z;?)IUeB?!CJ0y%DRRC_(sm0iSFf<gOtG--3iQ(Ka;#-o;!isfnSLUm+-X_3f;yham
zxzor(!y6q_QUWT>ZJ%;2FhC*ION`){6&CJR%9t!sfaj!LUatMr+>fRuT@M^>EF-q|
z+c^Wn|ALVKC?dNFSqSP5S1dx%M$F$F%h4q~8gl>Y9NBdTF;8~0O!#a;P-~KMC!UkU
zcDx8F2ySwhB#lg#Z2A?;{L$|qHp0&4i{KC@_7Bd0f2*h8xRoENfJh=XOSsN`f-N8w
z34xT86D{Cy#>~J#e6fmobN+$n(dG{_gjSPJl~DmL(Jg47E$WY0#MShlp6-Gg=uIw8
zS@@rQ$g@N*a^tcrO19*C4+m{G%S-Owy`2|YxMPr%uxGjlN(W$^f}`18i%NWi2NnO~
z%I4RxJXz-TI668aUEM-U%ag6S^uXjpXv71;L&MH~pS9Qmg!=@9#Tv!(Lxa3reCyc{
z5sPa}&X)se<A&Ujua;b_mv%fPR(sLI3TC1@`ueQ2w0Ys9h8c0UO^)G-i9124*C#Kv
z>j9aiO&!d78&1=@a*h{Fec^Oht8CTA_jTr!Ux28|>iQaTP*@mRc6Uz{)15o0d)Ai)
zKmcIop{0HD)Oj`(^PheL=-!P5>1dgSjE1Snd@tTK3iDxOw|#rXZCK0k<muB&xKfUe
zcFzX@0-{>@+|$`}XkaMt{CFGg)~H4(h}6Nf#P@05d~6P5wa!~D_}X`+Wi>s2oF6?z
zLu1?73ATItaCH~E#q?Yd<!wV!6fOxQzCgSDi;c}wCZ@|Q+tdR3iMCg8%VP&#;)>d#
z_s*M#Q`*|I`a&jSpT5>Ou9!eho3)jb{%>V@`M>H0S#%5U2~9cD2E^3WpV8s%I=8So
zZ%sZ0N~62dkByIXqDnLcv?jvNCdT5gQc_a#@@SiBvjto&{1b^yU=SfkYEej~0mnBq
zv>f7Z5Q~izsO;n-?opezHvm<z6QTwwOq9Sm*x8vTn3~eS;C7`pnwg}5h`|y5v9p$+
zK-%}fHOvW&_%MPA{7;8fqGF<O5pJZ#8y$C0#mE2Y-OI_NhSvl}SKt+SbabTWE0@95
z(P;*hHa)$`LPx{KpJ`7C-o2Z>zHVsJ1n;vJX3cXDFk1B)9<06n{Y2oox{^IRc2lsx
zI>3yrHTNa%-3`kH*^?P(seWC1i*~0QO9?t!4&xW#pgSJ08_Ph6;k29NXw5?<Wyrw3
zXXl7l^73Ry1+E_rq6ft6*E2Ke2g;Qg!Csj{d~mz=`vIQh!@~fZRBz(_7Q3z`CT2*T
zBQ0trY}xcNS~2Y4(SNQOPJj7V9RZmWbkjI(&^dXOCgjP65LTAMY1IQ0L}QyTBSqTe
zS*3Yj$+DBX3pLy8h=@+`@K#rU&j_pL8@817_NI}i&#^%(^s>?tn6U8w3VAurCNl7|
z5!4_j_Feuv;|iu;^Naa@8w86($IhpTcx*AfIy~Pb_~gkX@z+hFi#Cp|&FW}t3eva9
z+3C^Lz0l^4sFrqutx*mXj$zxw7<S$G&CMXtnbWy{l@gyc=eoDJ9gclg&yib_6Q7(^
z1)SnvMCVTq!Ak(TzRu6HA3PL%7ifWK{S$;B_B<KqA~0uq=O2!};J5c52OK2hYaH_!
zr%MgR0(`T<DTadIiTb;lfv|6KDSlO7PLnUn)g`@Bdb0k@1pSv4wqV{aZcCQFm5}gk
zv|xLx`AXeKu-xNcq{Wda3xBHn3t4Hjiz)l!qDk!Of8@wNVs`ry8KeGgY+z6;X?Vd=
zCmx)%kHC2)Cx<5MW-62gb__A!6E<kFb$(Kbl9xBLwg#|@T8<AbEZ(%oVWD!}-C!Os
zi;Io_mDD3v?Pg*6$G=Ao*6+lSYlBxaI6f(@4+#8OPdVB*HSrM?OO{MGpZcC;t*u={
zB})Dw4|s~qo1Q@I<?n7af-d~m*;(oSWXx`oH-J&2v<{?kp>d=%HHjcXahsG<alr0z
zlbrlLCHGUVkcInbdAsvn=Jhh99XqzXo2mbjc#lL^2Q%TjFVV_UPB-u|iDtRe?<9wY
zhay_R;NOW#JJq`9__>bGA=vYhk&>QT-bathRkJyYq44Uq!e9j(I8X>--oN|4dmovC
z?cVT6+f%|<vcPvTEq7xY(FlquaX`Hp6%;^K$Y1zoorqY|0hf0OchI)BHc);LLs$})
z5e5+emsc*Pw&qoq7aqVPQMBghAz0unEFP8Hh4VE$vw2c`S#`Ow|4_i%VHy|woijHr
zpU{P^_QN#A9pU|4l8n2?@Qit~vEW>l<W-XJOOTtCmH+hR?tHG{F1aaC#cqX6fyZyG
zBs(#1cR9J>J_MS0*h*M}{y;ty*#G3^<_gcv4Pk!#z!hD#xF|AHqdPOX1$mj!7Xxyx
zrN7@KA%;-IXXNobl2OFGcT!gKTw6|US=q?G1;wax`$)(gq}JYExwyWIc7&`L=$PFk
zB!XjNltCEEbQuaw1<4Sf6OF%9mHy>^6e+h=r@wz<d<=s+QbJL-ZFk@yB9-M+k}+cM
z-#_G_p2$d4dV-zlnxW}#dUz}TN_avf8|#I6xnS(la<gYVuYhi1^rRO4OSJfDHD)z$
z^i`^A!SnEiug%4qA{S}pwe&d?fI`^M03~jP-!A-vJ&mG5w6dZiIfoI#5Z@OmNapLo
zNy~?#*|&;ozF#U{+`3C6_#ek9r%Rw+g#33;NQ?T`paqS0B?t)x_}y?>W@-~fC1%s@
z29wGl{flGccurOdz1|sR`%ztGUD<V5ITy&Z1>7)JUTL42oJvj_j<?gf?MXKk$?f@<
z{!9%IgOE7CxcKc#8AUK}D2}Q)sQyG7k5V1*1+P+CZqUqsmt-oTAsGRrgoyizWUFT!
zOXwFe-f7n8r2-|Cfgzlyn1BR=M-VtJXBE^8kK=&%f-n-WjQO1*u+@|9u6QQS%#Os;
z<mmR`wc`sM57P19D)$R1Dd0MYDBEpub;r|Dr9k>ZJvX%Lx2`6RfI_UPrUu+q%k$Af
z+Mbxl(;0(UM2}zj$8PK3nsi$`I^w7`G73StgTN)Q{BOi170e#ezLaXCq~`Kl?cE}}
zOAc=-_S4N3FHDKSl38dGc65zxYL=*JYBDo2vS?R?o{R{Rv-*TuTaQ3h0!}cpN}KEV
z@BcDY(VmtKoYU^?NRde(CLhH@SQ4%#+R$F^6di9{hZ$!!9Ro@$OcYeHi)2<^MC*Dl
zZrgL#*ODAp7XC|w(?0E^_y{m=b9z|ZG13T~D2UAboZG&zp~OqLT7Xm8ySTLUin@2^
z&6{J56Qlfb(zjGY^1|&8ZvXuLu3glI*ZIqc_*T12Wc}Mg>u2Tfc?y)&evMTq$V=?Z
z0(pV%1y&fH1_w7s8PGpKL4^__XX@na9G{$gt)p?wA*i!g8BG&)akAroajveT;{(2Y
zQZo|weqhiP1OrDnSf!0pM6ls5@_*p6c;^8*SX@4@VNgR-DDG;XM+8+F1vk;%!ZTCN
z6bLP{-N^uy<6n%{#HzF`9?D9RC>NqI?e&LrG>ekoSmU$sB2|`Iv-nze++2DisGmef
zOFgomt;I#m>g!=V{qG(P`E2DKgws~78u%frsdZlP1NRf2`L}-tuQki<(1XGQ9?E}4
z`%P_Anc54T`pU1=-EFXF7j=B)nM{-ivbJa3)zmmJjsIx$W(rO6-S&FzqX2iX^!9zb
z{DXt1-D7U*WZt#1k}PvH!KBLM&G1j|0R7hT;I}{rJyX+T0rH>!g-5O(grk;$bHG#z
zdvK8l-Ru8Mb{B3mH0YU`qgQN%!z8rpT=LV>v;}LhUsY6aGBCJ`HdY`IWZloC#MKyp
z(pE(z&#~Mec)L8{f?9s}E~TrhtGD+V1Px4HoXoh>X!v4Yn1tz7qTcI&){gVvvRY+#
z*(i4ah3X4M9?WO!?KoORM$AU+Yv6)n#;LtmX$tu?c7;w8$*fXS)G~2E0VYI18Gh}E
zcLnygyK@bEK8G8}-)ZPy!3g!lP*he_fRi?Hj7C-GO`wY+8l*3weh4OJk5Vst2%&_S
zh%89=b5T}!R{M7HU?!iDjm7Rz(eXWh7fms<26Oi}WoP3Yn9Hyv;fxr}VuP0PxE%8y
z_-3;JIY&8zpJwqh+0xF=JXoRwX6^62vCdK;>2%x~2{a`@zGf@w=|K(d{#T7aS|CNz
z0~2yo@?S85;rXe~FT9)o+3I0agQo%wS<l272jSMdeo^obnC>)8Oxjv6;*O448P+Qq
zmP`yMo$XK@e}1#Rz@|bE`cF(uu}MchV>xb|@atn!(zX(jE#Ks+$B*G0tEcstvvzwD
z4rt-`9_Gf_-Wcz++C*mvdnnG<8H9c=933JTdw`gqpT8st+}+i5@(^HQV{`DK&s4Td
z`ETn3(DjUF#S#C#AV3R>i&KR_3l*y>A#AqQ^%l(+aq;i$@|eEn=GG^wS`Iu09}@6_
zrV@6u@=_xhslKE-4vv$WdGsDy@KD8oK?o{Ruu8_Ye}D*rxC0fHc<2>*XNx`m#%glf
z-pyl6DI*Q7A>uOo4~zW}N(9d0odKxg*Mt-vaNQ@Za{cgv5uDnQ@g@2ey5nWvoT?)3
ze}ZV9X|=Y&fiNs$huPYFUam@N_UDoc(N?aV7!fUVv%rJ{!n8zgFv1B^xFBIqB;w8G
zix(eaRJZY-wo8f|7}&XS2UA1#%i;nH`0Cozg(`t7(R*GVypKW{%K@S7uY-ewBO@_C
zY<T42PfuD`4<?c{ekvS=^DZ(1fJ6G}<eNO;Y1-Mn$=x8O*@%0L?m5n)AC(Kc)*s0D
zJLAKuR-K&xidrWWK~o_S0sKg6*mt(>fcpk6D(=683ZQa7ikAbhbFjaUW}4_}Fm%eQ
zvXnJ7HNgh=F?>7@B_$gz?ZM|-Epi@OlME5(+|^MAZS5%t%?%i;s<}d%ME1BN9vW7*
z0`@9)78dA;7!MB^`PaLUIASc)hJuV7QJw#k;4Yf$OaB;h$hLnpP5$&0n%M5&VXGa?
z5>d!`aVnzkn<>%O5YlSk1`#%qgEtsYkuK+@gIZf#LDRYZdzG%M2R~JZK?Y&BaGMxn
z49-izpr{x4s!<H~XJcPAOIa+3Vie`5;lugMHcDGy)j{?kG&$K)AExgRR0l84i5s0@
zfU7}s0PD)aM2(|iOW@6T)z{phz;+EMH@C6dkl2-t4dCa0KL_0B-BCO^X<x{~{y(`t
zHl}7*M+gnx`<v5M%o=94>uW#wA27>Ip6b0!z#$H&mb0>A9I5^$2T3?-ii1NxApID5
zq#7f*;FsrAOPL~Fk%X!imiveIM7tv2JWJyUbn3l!X2UQ2z#N(cN#nutEE8QP1*%8v
zaCf(|eAI58zqR%AFJHc#iC{7C3ksf}o&xx1tfKh;WgnpY(8A}3G7k+qpb5@QPlKUB
z3>B!oPxo($);gVGVPT-1iKEiyXLz0kl=y$Ky9>}?E++2JiKv+Vi6^ZB$;jZAmTPZ)
z8@dGtQIPLaPPGJHc1BJM3QFmA8cyo+OzCJFf92GB=QA02%E22`oTUCC+wem+)h33@
zs+lE~kQWXD=I1*=%>{VEm1$^psLOmq)z$M`0+J3cnECh=_QcF8!JP<!V0P+;R|&d}
zL~d}~1hoqMdMGMew0G`6g>n2z{|x+m0_Rl08Xg4!1piNJPqGVeB&ng}bP<;gwvA{w
zWv#T3Idf~$k=XaGy3B|(O)7n~Z4dAqUjE7cSu9HQ5aT8zq{KdMPR@$5GMv4w4E`{w
zx{%?t5c4u#KF~1~bv@UJU@C|&ip4?Qx6UCt0K5G&%cTnQe)RjKV~_@@@j~J3^1o2c
zG_P06dD~7-2n585A+7HIQ-)NP+}!1%e=g8~fidF?Ki)B)lPFp<u@4BPEjl(p)o`z=
ztS&h{Q+@V~iIXz{2W9#m)#L9Jp@S@;u)jfog-%Q2IHZ?C^v)z%d}?ayhnvUpi@yxO
z2IU#uOE@P1Go4^>%&Tqw6ceG9>8ShV`y7i_&fZo69*`nolkFF9)xjH#X{XoKC4CDy
zIrXmV%DMJS7+|!tF+z(fo<Jo6Q;K|K?Hfwo{t8^j0P!l*wF3QmQF>ug>|U7rSK@!g
zuN5}+`27VRKgAV~gMip)@_3`jP40zp|9Rp_X<=09u=Tg=JU9X_*pDAwQiGkHr~wzj
zsg<ee>C89^x{~_({-Xs-h%)avLG%#uZvvgPbYB&P6W(XM>FUKfau}ol8>%jwIG_3k
z%Vr<xZvy1bR=e{MMy1ZfqalDXPGrPPwT~?!=wQ+4<vh@Vg7EY60}EhOM?|znh6M7Q
zIF2#RY_&ZZVsdJ#JXZvQ3d;$ViHV635Hx5%9f6nlA6T!0Fbt*-SU-IJ43qxt&jYj&
zz%!uc106o#w|v_WTPQ}y6MXiu(LccLL>T@0qVA`!16RSA7)aV=jM8D%+5_HK?hk9S
z0hA7%Jf~~in-_#~o+2L2NlDteT8Jn(pA&D^D^jxxgmu=3P`681+1jQjB;@Aj^MISX
zUG@+Z&CbqH!n4R?*NUGExp{ezyr{LG4N68h9Dpc!vJlo&HoyWzLbP5Gfe0@c_*ml@
zpA#idpWw$988+3wmf!yMH3gDmN2;A9rKCa&3f9<3?W=Qgypn<?wZ0PD1Q$<#hvwk(
z?CZ@5c3A1UH4d0Af0M1ondrtTP;rSQ5F8vFM#X*=yl0ak!c!?SDg^fL&~OO}yUrQG
zU{fCre00iIF0me(Tkb8kX_byaA5=|44a2DW0TK<oG#3V8VJ1;Z@wm=TDVRoCuu+0-
zeAQ)7EVLJ-W`3fl?r~qBPkooI?a*n`Vwfat2V%Zhe}9Af=JCJZ3gUw^ca<_F+F?%}
zqD2kzzZk@Rn5$yAP>bWG>gI-yO;vIi@$~5sY)B((XLAkALz%X6`B7BMdM+TnfCyON
zO~QoE75v9VAdA}ay^|KYdJUNw2qQS}PCoLxlMiVCfByUlygsu8VvCOLrt7O$Qo3W0
z;O?Uk@wRJP)ztTu7XLuIdB4sXh9Oy*nH1u7k6K4EX{@xEs>leuj!#JNxxTD>Ax+Qs
zor!LiB2-3#kyUB%$5mY1UeS+!Ui)*?Qzv!AD!eMql39m?OHBOk!h&W{q})GA_VA$;
z3z!9NZE#~_%gOf4$hBbgBNUadij7=Dlc_3(&@>x{AQT*XtWua9Vvqz1L1WMW214;p
zR@Uu<!s!S0h_08@NI@b(%}KHR#zV*3zSWMFz*kUu+f>KBsS2yYmW&Lai%a~=B6Lh)
z0YfD&FE4K&w?MeweacFJ?ukQ+nL}bMqpc0vj!iKBZgyL0-*8?jc=!<49``9u6$~6u
z{@8A=n-o&m{!s8vR^dWC4mfP<*E$({$;lB5)MYw2{O`coevZ^)rb7Bpp}v>ROR0~I
z$vVZm)^+&T(OQ))!s+VVed&)=--CXp+utkY8~frAlB0ARJXk+`3MmFgJL||A4g!Wi
z*yZYb5}cV~Rx2vrQ_<GDY;A8}2CxR<bk>em+Hyk=B^ZH#27K`46)viP=S~J#w2!QD
zW3Lh1jTFLA3X79^6yNvKJ|JH1#v@G@CuT4u0WVW5z(m0JxF{>j0C*7KN&SbLbYyL@
z8!ixJ>T%Y`qwT@SfGEWYc}5gZO|t#W675Rv6&4mo#n*o<Hx52lfBs-1fOI81{SiHf
z1nJ<U*<b6R7f!S@n4VNM5G!^2s}UF)E`r=+nlBTo-M<#roslDANSR2;u<rzIY^0F$
z8gOut$ret8g)ac0V4Kds{N#&}K;+G*_u(>m5GVF7B?X&=n^7X;1<mZcq-13(KJZ=-
zfPh>Hyp}<1h^;Ljm;>furZ-Bu7VzuY3_%$NS}$0+Z~?A{p0fmA*8vp`L6DLOO=lPw
zx^HZ34F5U&)7@RjW<Upn_Cr-yR|vY7;3Fg+f^Ke(sZi%F>I~r}($PdYj5a0~Yrk@A
z$|BJpR99m^qQynU#KtC`CRE9hHao$HzsW5wp8GUsls7sl_V4JZi_MtAcvmUH-wbq<
zAF@9RK=hfZi3y;NTUQr%^z|{nNhvCTVx{u4Dl_vFDB)7{{}m9jKqSZIB@Sw2v#;l$
zMsFyvby}RBJ3vdpizI-&cMWki9BrCT{=jSD<g*g6F<DvRf;FD}{UeWkd1pIBj0g(8
z=TVcF{|+Hkrxu)r5P~?hut0@?sQ~`)5xlaBrWQ(RFaQ0)50mKo{v8~KrP66J0JBVr
zivyYWEoJ)kEAjO=>v$YsL4Q734n5(NxHvgQMFOo+Z(PaFusCVZU1?~fH=Q#IK~4W*
z17Fa_&5avT_N3n^6ANu2GM5R~^a%hy2v1_-a-zG0$*yaDy+aJ~a^TIrJ5|XrvW5`@
zcL6YeQPj{lHdPt<h)XLdCGs<-AIKa98=HaWrz-FdX9w%}^orEexiRvVxDu!Owq);J
zugf$Dp>Epy`~ug(az{larF8WdCeEOBb8$fq0zKTa{6~r4%%opm58a^21jj~W2azEL
zIEh9_M+5sG1T3mDF^#~{9U+ROAHl^<l#PJ^S$TPR=(CWD`tgqtxf=<_<5WDFNI%w`
zhJdd;4}2D_D<r5g<>zx-tbSpy0FiT;sz8$-ac9=hYjTUUaupQPz#^jSz6}R#^gVF^
zcRi_e$$Mbqb8Gwtsf`csz0S*=yVh@rsFoXZnyGU=sCU1AuN$&H!GSI5-MfhDPo}p@
zFlhq=gV7Ku1?WKqnH#rGY}dNlB(_V;YU<Gt)@$MD7@NBR3L2EbYzDw|`VCbJMFal<
z3bzb*ev10{jJseg3n5An+6jRx2F-SY-Y)9ugd;MM$Vr5RV2~Mxjt-*~(gB+kAQvMt
z?p}g<IJ`5JDUZFBI>Z4jB!91V01zJjla@Vz4^xGFy>0@ALheNJ7LKYsFHBd?%1BA1
zWnzNu5RzLZb6N53LY5tL-NA|b5A4;LlHv4~NjgLwXwUZd@x!ri;<DKxnI0E+<dbm>
zNy#56iQefY+rG4pWkVRy^a4L`U*Adz8Kuywqc<rj#N(U&plY0>pvlxQ`!HgqD)aV9
zZ$D@vz@x!B+_t7)6O#K5APxjV24Ugy^e1myRa{WNmaG=ypVZMF`Qrw5>L7whPfNqK
zkKY)E5hbMUh<a~*ckPTvpW58m$Owm!FzoD|#Azd-4-L*M=y3UykR*njkXpwt2*%!i
zveLp6P+Q*(1MiX2($eSOq$R>ZENNj;5E24{|C&-mDiNz;uBB)pe2Xm60AYDqNL1qw
zriMskNUp+32xfUC36qtD7zZ(!Ew&)vBn$cNGFXLhTKaz-oq0IadmF}eQkIg&dMXrI
zhEmA(l0-B1?8_WUIE>|Rv{_2g%aFasWXqC9;xt1BS6PZ;oSJNTE7?v$MYfWV3g`CD
zUoMwx{MPSsKlgKgC}%gf-Nb_k<}g}(#X9Th2zLTu2=~AJ!hBFw<DpC|rG5nmWw6ux
z5)yQDbb!EARa0|xaFFj;7;eSly^URV=Z^cI-kkG1vDp-NB=M!XWM%D<Qb+a-GW;P)
zffD*FZuc&QeKfS{Q`B<?2R#5tMf?7O*<43#rcE#xxB<>p2YwT*gwf}HJ)uxow3^!S
zjK{laPek()3@HIv4wH^4UYA+?oD&+{?xnF&RL%oL>tb_J-0^U;wC&^)M`+JUyDY4H
zM$i!q_gkW_Rb-u%4BOc2aF8P^e%KIJAgfm=NCJnWJmOxgU`-~sKBeyl0f4|ii{Sb{
zyiIDz%=K}PD>ZbM$Nn+oqf}GV?BkDy3Bt!fMHiok$7VigEh_swo`1X`lwA%5q&%*C
z`Uz8k4@}*LGh^w6g>v|IErl6EI2HMtXzl>8oW>l7*;nbzSkH@(q#a7a*eUH8|F}Fi
zQ$VAUf`i$V4Ru~%?~%!5I-TyTRaaYi616>~{7Pl}uD^sx0|Y4Mb>%N{$}B)m!QKx9
zX&=dVdOq?Jr;r}kRbZ%sf%41J9Op;^BwU<?Y#!{=T?LxOcdDu|I3b;NL|e!ci{@nv
zVUS@7{O2<A*~TZmN~iTjU<nFil$WnuT4$HRAn<c4D*^b`(A8D$udw|uMUcD`5Loc&
ziF@|Ew*M>TLpvdY^)@~E%NINnut~rsgYpFImjws?<fMrbR)CR4N3Y~){%)^4XX5*g
zC@U*)YygrI^QgEC-ub-XkSF64f0N9ZL<0~CG3n9b<JX?l5O;q#Kni|gzk9_br|^;E
zelDwQ*;%MQF+KZPNq?7Db0XnCeSPSU1&|qQBE^hvp#plC!!S&K$5{bc3qI_@#8eqQ
z->2wjduC;wq?^`+X}O}R2EVhg@%2RrXPHCsAvCuldu(O-hj@tlnCZ_agTL*fTL2`D
z2+XTcT^Hsj2e%#QaX)q-*M>PQ7LHAKyMO1|h*RD#U)vQJAjzbH!ifziCNUuE8RN^4
zo{2kxfCtzZF?wt3>2`K>D)(#u<ncOnQBwW#ln$#3T!P$00wi~gu#*r2yKje?aZP*c
zG_<tvADV+46}hcxJ+IOp#@q-frb$OgXLDj!a`A*+yY>=RfYH&>)-c(nG-NtqG6O9c
z*^!vLd-C+C2?@Ky&W7t7{4Y?OSw1Rhkan-7`_!%UPPEgp?}wsFPVLOk&CXr~#M8F7
zjD&KUcWIoBvN?$aAq%(FiN(@mdm8!wy?L+wvCS!Eh7o2W+a+YS!YKlL<0=qWQBhIM
zv<cGM$~N+IQB@TX4f81L7Q4E^G<@97=|$uS34^lXpw&hO@8HDDp9fDd3vYjbs|C{=
z{&1ku8w~qa43ro|l5{JpcX#fddP$*BV0T*IAb@tx(;r62r%Q)!?BAn){Jsx)&8b&(
z>(;gW{JqgGD*1>`of&FcZB3ExeTc4IG$x{#bYS>{vZ|_OO_+MKm&Qu?8SAJoii^up
zS?`h91x_8oO;}P57r0M#|Nax$UP6aSW-1CLos*J^5|x|EKTY{M+~OMb<35l!hm{$S
z7DZ+B57#*OtcWsrgLP;8@gSR+teY%K$m&6p?tGpe>+7U>QOMM_3qK?K+a~8zq&Ec1
z4#8l9l<!XvMYmLonbI84Rpa6+S9z{_M^hT1WdwW(>#V&%bBXX-SXt(F<lTSWQancr
z9i#ex>aU+aYPPY6m_&j)0YGsn);<GDx6gq<%VJ^7y+5?NP=oer(~o_u?3M9uguCeE
z=sP@8E>Tt)!nO->yM8AcUoP9mleUt~&Hd56g@jabYL`pub0K*K=q*YgCnn0vh%<G2
z15jaa@902_tPmg4cp;GX#=J{J?VB{vY7W<L@4Y~$Q{M6mb}0R0eVU|Hxt@RlOiU~z
zD{HN<XJHf$hz0P^<@8T-pVCnSbDQZCe`48`nc0fn4p5D-WTzauP_`1<H4K3cj4&$L
zkf`YB+o~nR2xg=2Wc=<4v5JZ}$;r&0pCwO&v<lT~cDO}g>INFNA`1;lx;^wp(>F1A
zYvJ|tEH_OdP`hK6=iLq;zLb&iZJt$ZTHGBQ7l*K4oa!823bS(ct^9O)Cc^XbVwp??
zd?4|~!P(Jqrq5~Vit)RK@Jt3i+5QDK<rN5>edXeU2X+}tx#|ZGzRrz>`uV}T=<4c>
zDE_P+$<Vd?paLTM5u9+a62b~gB<LoIw5vQ)pmvf`6jzNXfrN^R6HSQgmP~o>Wbd3G
z955dJwai(dYbOz&#l<Xjq1jm?Lx>Mk22LLDkF;K-xF&+!APHwM7^_QTH!zqwJ3GI9
zHE)U0%*5m-dimih#maJRzM(7`7&I%;a)j&a&#S5?MfC|104hRhwE>8lqen%;Nl|Yf
z%`#LB8|uT^MlpEVLl<YvIh^-HO~0E%V8wHc<`Fx#w+}zwMH_2t5b23T;x{aw5H<oR
zDNxqHACgO7zzzJHKTIuj9*XCIaKoV};OF<g@#2r5z(A30TE0`g9R3wSpKmmK!JCu~
z@i(vomo+#$-jS!rCVnOqn|EpJ9Ix_;*DzlPR`+s4cuC3a=%wRq;G~1FEJDO5Voa5L
zbTxgrf<oL)C|B*<_oN}h?Ze`fPbBTJS8Z)AEg?aQqx6;)7?3J+fLah2ca?khKyEum
zAk$ygpBZYpdxy>4l3}5U4InT?`i6$$e-r|cO%sWY|NlM7NJ+`2Y%rACys-sz8SIFm
zxUe6s3*46b=HmBpwBi5L8wnp?Y|Uk!ui2YM*|4$B0lm=1nB`|$mS$#DjK`a#_VzwF
zSG{YRfH)X|SPOY9LhB7OSS)<4E^ds7u&|Z2HMrvb#z3MBxw(WrDl$1@p8Bf}HT7Ql
zmUKpATf0r_m6&Y0gEQqDr)(S-pM3=bGpw&557a|Kf&b~P{$Dt3l2|j%o*l~+*b{98
zT4-%;j?s6%BVa<>dU~R*`Eu3i2*3Aoa7aIUmTYwXX<J(aoiW**_0SDPHYEO_FGf{e
z9XosIj&r4U?~S8T`*d@0)w-T)bJPC&;-^qAuS!^TKtgX^E%U+2$tMy_mBq_hM?5?p
zVCf$>bRbz?*q}fTF(}f~*_oL@^|^X_zH#1OcLYB<IB;TCS0LEQLN?A&vNmuPWUXCn
z;a^6U(d@z6T~{k3%_<5&`(;S*+NW2P>gV?`a#jI$>6#h|Cv&8H6?c!HHHf;NT~ni-
z3wjGrSXda-BWAq@XmendL11mYINX{@h}+LE=<TP}(lLDtms$lczzB8A+Ci(WNScOB
zKj!f?6&*J;jX_=i(OGagGjo>xL&Yo=2gE(uvC6ljONQ%mLQ{YbA4{?=slwDN_Fven
B78(Em

literal 0
HcmV?d00001

diff --git a/doc/arm/dns-tree.dia b/doc/arm/dns-tree.dia
new file mode 100644
index 0000000000000000000000000000000000000000..052e7ee766171dba109f7d99e1e4c5aca5f1e65c
GIT binary patch
literal 3019
zcmV;+3pDf}iwFP!000023+-K7Z{xTXexF}qcwSl{!|;AtZ)UOEMYj(NOwpY_2ePd=
z>dICiE6Jn}{p}?wXC}7gI5tJa${Yi8i6irqXrAvJ@_an}@ux5Id~lbR%dA*j3<<)+
zLAsa}(`+%j82<b7-#_T#Paog?IL(qD?4Mbg%m?-pi>3SNVt8FuH$R-8-{0S({9&0?
zMTzq47A@2B|0Q{zoZE}ehacY!22UH9CRO6zTfLi9Rhf-%t8}nP=IO<7oJ{_lmBsC1
zI;^i+T{kK6q8!{M`Ni=4m46M-SIwNSwew8dH_0p=mud3n?xwMQ8FNh2H)*-q?EI!!
zX7-Zm;b!ZS9qqWkpIo!LYH2T8%s#&VnZK`ZY4ygpwwi8qCrC9<%2~G9#<6{q*BwET
zrj**w5JnrUxFU~zayZ<$Te!SixUyTgY<YQ8lvSBz)i&g~DDpH})TmW?n;ws|oFus&
zV$VHRz*AghRaNY{|EnZlzT^Swx4&B3p_V%<v+47OyLQEnR_?QDb$$6IQg_v@KSXN%
zE?Z{fJZ-xBY*Dq={6jm<Z+<(Ty}x}ta5U7d?Q{=Qor+W(?jB~h*)(158D{I(>}ctF
zb=mp8Uf;a#r5#hhwc)HiM4mjP<*NB#zPaha>I+^m&LEjo+1=w$Px_=7|0kVPtB3t9
zE#|33oeVw<{+X6n?l*tS%1Le;_!f^02if#u_zACf+~%X&hAk&<_1sPIb$D?^&ZH$_
zvDqElWU>ojJl<@-wD+7WW_kLEfrSN8N{k3c@{B0Njs>(`lMMHa`)M|*j%z*5)A{A3
zC>Pt|NPB(eK|F75_uE&_!iWp}<Q0N-oo2J^Dn6L?is`-w!-%Xv2sfAzNoW9=BcR)I
zdpxX1tr#B%ah2uy3n12+?=Xnvb#Z^$5ZLdJS`O~3W%ZD!n*izJcE0*zws^DAgC5j>
zd3JMoU6k2>i$#^>&pzBnNOLfZWyUI-!~<F0j$PcB4v+4n`puf^Tj72Z%KZ`%Ce8>&
zRL7)$iLkC=m>5~=cRw&BSdTqGc+b7a2_TBsUNoi?XbJ2)bpjy}-~_-49P0#Vs1qQ>
z2Igl5Q5w+&I1p+<h#Fby$MnpFoT|V4AKGca{=ojg{=ojB?9W2kUn7O<Kvu+@0%#;f
z4THtVAS3E20PgV=AiU?m34jv-Cjd?$)CuqwoB(&hERX8}jGF)$NB_ph|EAaEAJSvM
z{J{Lc{J{L7%r8QjUm&7{B{CK@|7%gGL!nBHB;xk}mi~q6aqu79Z!hxz#H_toR1eS&
z7<d5i0N?>aJis58I;TlFwGQBO`lV{1eHotk6`sDdiktVXQK%ki#IR?5d@NyBt}FJi
z{>C-CzC|w(Ub}8XON?y8JJiI_Nbq)zOgrwIz})+Tt7M+#5B8pt#d0|C)@dgfc)0rP
zKhpdzbwm2YFGW6mYMh7P$Cd+VBxb!n4Zu7MbbT1UcqkqNwJuM5Ax$3xl;qiLF;APn
z)g4^=oN}{Ce0Z2`-1%GDP3x=^R#L&4NQ|gU5^55Yl^#(j9T9@0AACmkft8AK2CUQ#
zD>V*9V5O5|rGsY6x&^5O)g1`t91i=cn6v)~)_=)d3!MkcrZ8!SNi$5ELmhz$b_5(5
zb;gm1s+qGO)Pis|BGQE;0;xVr<^uZ+$REfb$REi6`L&7P?RWNs@$utUnc#hr1~Kkc
z3q0zIspL#ahr<+RBZD}$q-kSjCXSU$Pm0CjGF?plvmE+_P3v_kaOaD)oypDSeKc)%
zK8Udw)61kRi~HTCdbC#ivFXb^UCf?mX%Pys*AKi9!F}s?Y*`~%ZgKGAZwA-aY~0e0
zwUVmvLZZR9-!^eu!)M9rvt<3VWP5k@#tpS(*rXSRt)1i**M_Z~1WGC`m^W-G^+_1E
zsZ%rodR8#(w`kbxl?<Eq!mtgZ(lBq=_FtD#;6`d^MuJds5{B*WiAd`1i8C(2w!yX^
zZCkH@R<~{2J2HiYwV+#bQ7E@jXk6V|z3?uz7-?%g%42fYgJfa)C7IvkDI^TLNf<T`
zNJtp=P{u&o*iJ$HP#|%))HxK(P1G$DctF+*8N(PjsT)pe9EZS3edHw3f^>n2+Cjw?
zF0guQuf)PlhK#C1Ce{npClFId>Z+!}2*lJ!Vv;SS(uFzWu0&YeT)IVJh?@~nh;R!?
z`@l(MQB;G!puYk$b;L|fqY;>?-?~o{u1pt5Ghf0sE=vgqaOP92BPtPdOA6}vOzTO=
zeuBFW%H=}2ToC?%@F&;}gzNt`!s^V<UbKno2DGn`XkoaWM7vGqZbnUbpS?hE&w>0C
z<e%ULzzYO>fnf1JWxn#CwsCDlCty)r$wY1A<`Ly}#YAl9rTz5*!Tkm<09*jL0B`}p
zCDVg915k`4_u;IJIT5fh!gv@WM$`q*ej-46JP`=*Iq(AD1;7h{7YOzOqzx~id_Wu7
z2}tTuoC`2@@kG*Z4-nLA-~hk@fCB&r5bOZLk4{oH7`IGjSk!cYLRdP!)M7+5VtyAP
z>2*#xwBMk5F1P@20pJ3T(kxQeLLOL<GlRH}oCX$-CAD!$V4;1bO4$n~_3aV_iya9T
zn}#9?7JDeArosEpC`Cj#lHgHKb6CN+Jl=>hM3pC|qmOgwmYDtoV(NyNng=5=Q@^Fu
zRJ5R;pftXQ&cYD&sG*~-h+^+Gbm2V*E2l7RhG{cQn~y5UM1!~bQQ}Sj^D?&B^Jb;B
zJJvyC=8|TNbMFg`j9x^s`57DMZ8A&{4HcPAwIUNGA$1h>>(pDLswd`6?PSLKZ)e`d
zV6TgkzV?o*HW0m*;!Ew@T^FWv0{ecG_D%6C*|+YCeY;5kXU@Kr@heQ65noY}(C8Hv
zUu@nCF+qGyMa-e5B3SrS3m30bRgs!D@>+hKMDf`1`D!)BWws=vzGRR#y*L>X7LdEk
zY;6rjSU>JzW{b75-=eN7rfF=gZH+_y!hs_0|E3qItpv)Kb(Pv`9*w|FedH$6MncQ)
z%hDunKC4Ed#OJdV_XE&KIJXw4Y0qE;Vmf7F+Ob~4Xn2kMTA9P5hD;U(8^+EAV%Qit
zA_8HK-Py^^U>Q5z()f%!&K~5_-J}wdozQa4vP#M-)`HEG#^Wv7JOz2xMH{hmVRiqS
zjfuQuv&+a?D~H?|L?fSZqp+O{33nPD^A>KDOTbu*r>2WDZq^^LvB)5%O1nE$S{ShJ
zw`kwIhxQ$;>2)W>DL4M3mTjjtYBbvWaEX<(a9;axYA}hNQf+#~MiaMJxxXY8VBl}j
zz-bQ+T(q!<RCTb2RM;7zw{S_c^hMB>($0rt%y8@|z3~~FO9g9X+)Zk!z{uaGk@wNc
z+mb#;E)_zgQzIxJs7t<5K2m3R#B?Q{SbxL@BbSH}W_+kFBmpCTlSWQ@XyoAnNbZkN
zj$9bj84#w%2kTlAmkeO4E)Zdah^}vLdd6lems<FEogX`c04qOjD<|fJt$bI$PluoG
z$er5QjcgkCd`DiNC@Ngt7wnE@cc|iM)Gl*=pMU@LyG;2JgoS4AWdtUSU=sh3$Hw6Z
zIln%N5ljn0DW=?Lpjbr~N;w>kICTnbV*C)~xDQIH$pqM`D|Xs39)X>D$W9!$AeG{F
z^1v-$(8!zr9gb6&Q!!$8407e>B3cnbPM@HDP4je?xX}0A&$pG^##}vor+mdp{W6RR
ztTF3AKh-osfv<X~pyJ`uPK}6<YhrShvLlZA%*@E*DdWy;w?D*Q$Ju_g9T!>JJfY>A
zmsR@Uj|VdviMixl!&*@bYeg-E5#eQbeKjA9Xw<_uJc{vpYqvM8-W4hstiC|JuxBVj
zw9v=dO?XvUf3gijGHUk6gHR;&$Oft8ap!Cw)?NMpR_ctEwnrk6QXfevye6zWcb6j(
zx7eZsVMuT>vNIQE@wDtiob<0xpFRU6b+fS2Fb;u|UX_ySpY!A)EkC}if3SaMWitQx
N?*BCwQa=9T000eW<{SV3

literal 0
HcmV?d00001

diff --git a/doc/arm/dns-tree.png b/doc/arm/dns-tree.png
new file mode 100644
index 0000000000000000000000000000000000000000..c76ae1bbf7ab1eb310c36dd60dc812b4f1f8d901
GIT binary patch
literal 40307
zcmYIv2RK*#8}~6nHYJ;~N4BylnMH&Uk(s?RvL(qT$zCDK%HEsoJ(4}Lv-jq`J^%N;
z-g7-&(eoSUyYBn5PJr@LSv+hCYy?5@<mIGP5Cruhf}l`hp~AnY#J3*6UugD{@@iOE
zSmU!wGw|zmTe%nZ2!h#n^#`RQXek*%ZX@zi57nF#))HNAf0;b2-|V_A!m*?NkMW6!
zONqbASU7R|O>F7M&&<Lfv%5T!XLLJI2`s$1E{#nhFR8`)qOh6FaPhG9{NOC<ZCCJU
zm%_gL1#hqYrbkb3tlNgr;e@@d8XJk;f7jXjnQI&f#($Teo-i&NTyq-N2KC9{LS+&V
zAU(WcXlVE_sOkE9SDYC9ruzDNJvmcTmQb31|NgbKv{+kPzrVGmg!#XBSgO8w5gQvz
zPDbY6G<$)rxVX6ZaoHxtweJ7E^SXwH#y=%VNy(w1p_zU7tXD%QN0jeYxN+eswR3RD
z`SHWn(b1QSkB`r{LwHug)z#JieQ#Ua%(y)d^+#`S?}j_fN=Z`Mh7}bR{CIEd?L$IB
ze*ga6PiZC=&*PW-u<xnF2yRWfY?|pxsHLT4Fb$Ox0WPl8&j$o--S4^#g_p%y`1!vC
zY}p#Ys1{S`uI`HvcWY^E*96yFLQ6d8LjwvE6I0u?yuAFfHVp3M<OBv385!Bu+|lva
z!^30PBg_&n_2<t}_51lR%*<FP!yi3*v=W*S8=IMz*Sj3wjuJfeJ|ZHbvQjurcVS^c
zkcyL!??%Pv*x1osS?{ZnPWj}>#}<3rhoq&^PgeEG@B3AK_q=|WgCo4Iv$He24nB{_
z(ZI;)!&+(s``r_oQHo#P-FVN4<qTo=iq+E^+S*u{nK5hH{U(Gx&jin!`umAOeI_I~
zagsz`J|An_+S?oM++t&AC(kVC>Qb10=wE>2dcpDoR<xRlnc44n6Q>8OO)0J)%iP@D
zgZ?%~_Sf%@dlMn=&hpGIUIk~opr=nu`qS_8wT{FRPf`Q-pBD)-SypdqRP1W_tx3=m
z#{pC7l~f(ho|pHcMpG7b%kn352aAKsuUL3^(r%J3)|%B{6$_MVIGZvVo;|%iO*fB|
z9Dj8MxucmK+*zJ_&q*<YtdGh@BqiY^+<bh73;{_=G|1P&!q1a6H*ob4v8Jyjs7IR;
ziN{jEhHo#o@JHc|jmx8*;NU(y-FW=?ag2W}w!#!D{V53w$HCF|9J$zg%-UbDKIP4_
zhnxvG2?+^(Ny-jfOqbHuCkA@9j~+k9E({#{^CvGSr>p(y@}|U9&YNFc9H?1XUY0ZT
z+utjz&*P7H#e^W7$!4XR+#kp*t$E6Wd}ik7KTH@Dt2Qs(rl6o$jy7x!O&4LB$ViRV
zImM^QoMFRLdG@SfJ3nEWyZBCkdajrN8LVG;ua=@BUV(!Bn>U2J!|m+>KOeSOzj81#
zQNoE^yp^Vig^SxZRpT~GD;r9Mf|OTQ{#&`a8n{HO+vacC6AogZ^KD#DAY9>m#`6Jl
zkIv_H+^yHJ+xt(A+R&dEa$J{~7}H<2M@;E&BA;Ml)g?(tNZPp6m6Y;QQ{T%gunBnZ
zaF=5q*Y@WS_D9@|&?fW3@8f{kYbA`ae7H|R*f4sVf0d?km}X1~>yQ53$BjJvDk)1=
zO#J~hjcBjv#wH#H`Rab!7%50IX<c46tqiGH3-WGwWa_E2JbfoZyX)a1&SEFm4|<;8
zEL~)jl=QWN#Y_*}T>Bn}a*R-*PsY4<Y>q<sGq9q+rl*p}Y8<eK8LswsP;v0+Oeexx
zr(T*)(Oli5GnNCJq`d^x8PCxfX{ItlGBehrb?M<oxx3dZ#S*AiIM;d5@q_O@Vxpy|
zr>Ai9XL3(qy4lv<9YQkall$<~*IHP0BNI$&+c1n8(je!em;|jyHdzG=(=vV(baQFF
zxIZ#83#`Kiyu&>nqeUR9^TNV6KR>Hx#dDYwtXK*9*zQS&fuXb9@++-OuV1^U%ZBID
zbKuu7eQ)|PiC)1zDyG;z&-?H+0x^%lYi8{%+=;mle_ST+_5JN9iQE__Ju#4z!*boK
zb;jYJwv|ccB~Q>6!ObmO5k5ycYoAuyB~0u!*Xxlo@cJ(rNK0R<4xNfK_GG80M>~$)
zpRjy~qhv%9CQ52{U5rB^HI)ZFC@wB8Je(+DfjpK7>KyD<J4Z+9>|6K#y96H=?c6TK
zc=+8GUE<I4;J?Ityu5uODb{*)*Ik=iZf$Xpk(2jV`+oXFXiZ0ai5Yn>hD+uv|MG#t
z5EDhEaB_UDDYppjqZsc&%*i~?{Ux<VlW=a&Cw+l|{fFy+d<9PRyOhZCf0(T#Mb2h$
zVSMDa-<g+Zn=_=@I&A;nD|x8vrVHqP_V}fQ@G&zp?*$kZ?|umQ_$ZsjVNbLbmXn+N
zLNhod<mv?U5yX5%qZVQn>_5T&xyCIkE4%0SUR)UeqDnwcAVtR7np5}@V;-DNJ-xG7
zH8nLsA)%Gk)h2EY2a3?7@Q6Chi4$To@tY1Ucn+U<KBJO%$KA77zQ0(=1-+^zS>D0H
zp?8@eCLt-=k@Xlm==8OM!K&Gss!R>pLeM{<+lL-^G!-zfUb-2Ab*Qy9-yX4CeO1r>
z?Jy1rQo@K{ORbNJF))1CxKDqz509F@D<xY`ls{8b+gt38r<L$DwXjf15VV_Z^lkDZ
zAT2f}BlE(z`%idL+94*!K<;gv&$YH$40W3B7q7bTo0dfy8yjUpsoIxK(o<83DJa-X
z$$7Xvy=>L)dXl2~P(#hy+uPI9)^@XE<={w+h)B!KY{$%m=~8e`;37hsJ8Wrfm3{Ig
zh~ydu0^dA1JbZ9)uwila3QbrvG@s`$b##;xg_|GBl9EP${dzm8(+9fYDD>&O;c;;t
zv8ZTBg1Cn;BcpHGj^3G2c}2w?l7tm?+zpFQmDqw*q4L&l-dBA#cq%hDSEtrpNPu2b
zOUv_k$5&%V4-37RvtibDLe2Wu49QhXT&Bjv^!xdf(^_Wv-@iAuwlk5UWT@U5F-FG5
zjCp}=I1>YZarFr)ubO_%1Ez?g!oqS|W)YEi1txn5{ErVFER{W~hnG<)`04BIy$=f`
zh?XJypul9PI+cf$vn<m@t0F~{X(OAi;>%$|lF`J??K-=&&{<8vCL|QA@koD*+~GbQ
zzgWa)zMcI3kYMO5&9k=44S-GD9Q(*ADGw=(!sFvDEG=`O4^P#n#Y-m2=*6tla6C|I
zcO#)Ze;MbOYGb$Q{mX$2Lx#)!{3KH2(eL5m9dj03Pf0$UG`<@=VS>hLk75lwIy>zI
zsm3lkySjeO+VXc#Oib+U?*sbizvzX^0-Jm>g$26!vgIL_59h<DyF@9NOX88@|J`#+
zMa2s&zs4En<rgDuZEXVs#4hdWBK`gS;V07$9?Md$V&9LT0e?dgPNW(8YG-f%=q>|P
zu@SO%Qq31H+NDB_U%#f)S;nqU9a#=t4#TRUn2{g7``?_Q21xz=t$coZxb$0@><nED
zXLGVjLrEzt{9@SxuoK~azF{l=ysL|g(2l@Zv!CUwluj{qb#>m)FBBC+G(>bAIv=EJ
zpuK+mdP3qqFjsS%ld~r~g<E7z16^z~J2SH(Yuoe{xnh?`@_Ww>XrXTR^$eE3cFPv`
z81jope`Ob;%gRnoMXhLy$fEymM_i+!P}<qqsiwg8vHAM^CU0|^hq0(AON%x?KYt%r
z%7O1!M|oQBQuUNOLE_2vH)QGRuO>eam-4>C)f^G<w>I|mzg>RqK)=b;H`UYE*Z27|
z@jT<$<2j705p(-IP9Mmv>mUcjH#s?3O@Ze_kpClrOnNFhDvHi4&BXTN!5p^~Wzd=Y
z7vF<h8Q;F$rjh=|*eP~(b6=HIRaGB6co!EpmZ|!kfq|i%R#{T=??i?DBR~AfGMnk8
z-sB2eLLY*!)B$(y+~L1Q*3Yp*QzO}wT-|G0^6&;<z;G+SbxSSUb%yq?E-9)Q(Fw;U
zxP1(c^z?K}0c$lCm9bh6x987)*L$Oxbj38B=MR2Yq7`;nhR+VA5=u=?H83+f-kN>1
z;n%z@BKhc1f9S6y9;{_WYANZIN6e^bXes+QC@4A@uxUMlgP#>&TmAZIs^2e@$dHJ7
zq75&{Kjeb{6TuCSaBb%oHz@#tXH-?4j+I#KE_VB9QwvgAH@v^b%F3FQl=S)Y=fc9m
ziL*W<Bcorxeo;|T!LK<vIq>t0BL_!rettd_FRYVE!#<SU)V}W-gm2!wS$_K60qs^_
zR{D~u!lH>xYkr^7cXGl>Ukqp~ak6|A$&r{mMDhLK`&AL^t7XF=sl<E!{Q0bnf{e`T
z!3@Q`S9P8zd#t#xTIRNEYirR_z5A={sYGdL$;hzwhx7HDe(F@ItE$@1)O+7~^sycT
z4Fh+iz)<%2^T@9f*Ml$LT`(`s&-YpRh_ifDM@*Z)W@JP~L^Mg=P|h4mNTAwNHZ`vI
z#`k#}5**xTn3b8i@8HKv{=a*&e*2)8u@es#`6$iX`jMHL*}Sah-(LY485yCWp*mGg
z0sj67A`?cF7$5&6UBzv3OHazymOJvX2Ta}G%HV9|^K5k>2#!upObiUS<Hyla^|${v
zkB*K4gX*Kj#lYZtxGFRi8oa_CED^r3v9bCmuQyqO){e3#S>p0!e--wk8r%N%T&rPA
zu=iu*KR<P-sj2fd?Cf}|mJ*wro1yge_2OY;zh|@GnrR^AeEIGV4mS4iPn{rK@z-53
zuuaN}i?=Q#8tRvE2&rZM{NKS8nVOpm+x<n~3HlrrHC1kB2uz}Sd}^xJ<J4)Hk4nIL
zB7#||k6K@_FgJI-+-^?unO@UJyr7_<Ro14ex0}$SFvnwJV}B0~)vr1_I*N;n)5`?E
zD}(x6W;wdE*i9+!ewU2Q19MEHy^XPx=W6~`S=iafi_Ic}gK^I|GPANU(9zv5FR0D7
zVB3<}-le1ayRstBKpd`p6Wh4`Gb4h)Kux2btE+Qr6=PlRen8K}^xD9Hn2HJ)QC3k&
zrObPnqTJZjq(2sVaegW*BSUx5^z-M>`FSJg{tl+{T3QsvM9>3COiLS18nMz0gmLG}
zzE@R=h>3Z?ZuWm1BVaRCV)3VsZMHRx7T)PB3KSqS^M$6S9A8_1nk))}hKcWfxIx{W
z3rh{3tE8j^y$^o)wJn#T%%qfriwHU_6Vi`nWoMIe>Ee1#?Jo6tU0#TtY;;C*B_<?%
z`}U16eRXp)Oudqf%-u(U>GCV4Yo;ukmS1LOW`D@7SsJK3XQliC0)Q0gj<MkN35kiX
zYFwoU*8rV!(*YV7>g>!eDvHQ>sIGp?`$7HOHY|<a6U6!K2@G)i)&S$3I}aZ|L_u!T
z)7ziynNhf{o*r&qTwKU?ef#p|OGLyV+{)-@bTpqQg+)ax!d;{sS`3;E+|(bpDPfu7
zyW<7ut((H>Wd}<103HZfjiGmQSy`>ac=o9N0rK#{z%#IZ%G1!;h>Fb2%+yzpLdjA8
z`SN=DJ#KCmF0SupeUp=kQBfaDneg!NfOl3^RtkQ?M)T2u@9^$la(MgJ#K;JM;hh`j
z2}1TNs;ccqZ+ctGtS5oDc#muN5zsP)%ZZH>21qRvyeu{)G8umcY}dfR039{u$B!R>
zTA=Pg6}^VY$;nYkcqaTDv6-qKEi}e?GvoTpp9ppy>_4iukKPT!|MiJST3T996NP=h
zz4O5@gA!jE0?ZE<<7-kpzZvn3I;t*?Z&_JmBO`4EmgA*XXh>J0NOWY&be&gOS(#s<
zVl1z3xFrV%2jH=fm>`h+{rlJA&rc2(mKjYsT-?PgjUr761};0!$i~J7TgN2zjrCOZ
zb)P?Q8a>?IV~+mP(bJ<KP$(Tdf^!B(Mg(nV9v}~3xq@`yg_$`yxK_V>FbNJOQhk(J
zzO1dSH3yN>UzY-aModghR?=EOLw41XwurHPfwh}iTH?MfvK5?I8!gJyt$F<C62r{g
z95B&4rcgjgZ<vBPdy~X`D*mOVrBy`VTGXQEdyTs~u92IY%gM<p_ru83Q#_&ts;P+6
z8X319lA!((m;B94J<6gt0~wj+{}h2fzz#QW@|zE_9NqZ*<qLq@wR=yw#Kd&u<pYk@
zZ$Lvqn_#nda#{@NVj#YLBGj88)TG{uNkDU3cDRrH(eln*Ygm3hH%!}6yMI8yix)2%
z?!F)+d-?uKZ?Mk%PgIGFi13l1F*aWCx;!sSN%3~c1Nr8j#c(|*XdE>eHOm_tAI(Z(
zF<q9w`1lIlym=GI$jHADC`y1emN}^InGeB+bX$LOd2znb8Qo+Qc2y%1fBaxsJRv~y
z5xQFb8A5E|H@l09H*VZm)<i?dC@6F*-uPB<T$5K+^bPlfMPYuLpvPF+*V&1Ka650!
zC?$(;OP*bt4ClN+-X)5>ebaZiGWh)llLCUwY#+h#C@U>J7+Zik>IS7i)S3IN5AIA<
zR8-vksJ>wkC<kowhWjwvCOrw{Vy^su@4u|`^nm)z?y<VMs*$IQCqh9+1_UF2fL%<C
zI;`~u)`#&j8+&FEYHS>wZRhIpazT@O>cS!-HPzL6PV6Kkk!x#~>aIiqzhYuySXDFX
z!z87oeoaiAZA?~CVZGaC_PLtW`#*AWCMq4-|K2}4-K+y$$jy<Gj)9q(osA6@`IesU
z^Zvc2=ol>fwI;eyYLOP-wXS!%-6ZVlwxW`DcH7_NBM?N8s;8mBdw)pP#l>ZKc=-He
z--mYP!}S|Ii6Vc7hg%95$h>a;cc!ReCq_mZo0|ug<H0av6B4=t#|d}V$IIXY>uZZl
zdS6feHM6mScVQrRbt;QDJKlO+oV@_q!>`HihI#+*-wUg&I899Y(u%{Up72F|DUYC^
z_|QIswJft5R|hy+z)j|bb@g?6G8PuAqeUj+kE-B6;N#=x%$Gi}-~KDju&oEZRXfXc
zeXIl&PP~xC#n<<ZO~L@Cq9GZI@h#~YQW`_Wg@p#}&oKj}DxJ6g29xvYy%nXYGwn|W
z9Hmzxz(e-mjz6h}MhC|~AN%@ItY~I!ZBp*TTF-NAz8k2n*Js=o0J`;Ux3QF95|~+7
z_~<jqp(unt)EH7zR-VzT2Q()lDEJ@(#3S>eAD|-E4*w;q`%lX|B9IHc{>#c#PtSH`
zfD!-m2=J;VDKfx7`uh576gQNTM7^t|0s;co#N+t%FbIu}jgx*=@n!vJ7vA6B2W-R5
zhgEC<W%$<_u3$?t#ud)Lkk!`KhJmYKzmSw{oSM2g-d&=?eXgpC_CysG0lF*X|MBu*
zol-&Uw`_CB^1$SznB89~<Xv7KmlDP|WfmeLA_sQ!Li|{Tr}FZ#d?xsneH3ZI?POjQ
zSF`<9{rPjN>Dn4-TwCK3?nkyZHa4O5KY=edrJNjYdR?5k;LF^OXt!VLxrQhtizix7
zoz%`9tdIBEp23&qwHWC>i*VGfaV@c%lUYthmrzwMq`4Wmtqo^CSb`Le<LSXV<CCb{
znPz}o!@qp_Ww)LU5GOt+ranbMQ87C^TZpo?sR<3?HfkgE{&tK1-o0yx<wSXSSraIs
zyqPdHii(O?sw<m6@YtW)WucvWtz>nalG#llBuD-<A|sm^oSLE`B_+Li6QD9GLP$zl
zR#-Sz?ZOvqu!OKhQjn08c$^*pX!Az9BIR_Lv7?Ol?m4auq|?#SK|_<F+dGm6={O^U
zDe^G~C#MW5uZyIP&SVsaHs{N71OZ_Ii-15@ji{=A5Fh$2w>c61^54Ix62jIW?s9Q?
zLB)Z>We>uqp`o@mWw;znyYk9oIk~;nKS~M;mH^EFOi*#_)dMcQ$It(1QWaO+es!3`
zXq==wRXXVBtGXU97ea38gVl#j5jZ$FogE#3DkMBkhJdIH44{5Thyy<4R5kzlCH3Dm
zzpwyX2QKKJ;s(F`>n<<G`}*?pmfjz3PA3c5GXb0eAb=o@jEp8GOZ%&T9^LTf6Zbq@
zUS4*FyG7~;(w{)zIQ{d=%kI9Kv~)8l6woNqP*F>*Cp!w{UKYCSE<)9VWrAw5?Y;%9
zFN9KHcxdRV4~sh6!r}3!?m~fHZPJ?*5*P?tE-J#p%4#)|uMY=Yj+4ETFyL2laWS;W
zI@nxr3ou21>DJfRsgy(nsh+-k`BGioss0@bDEUxuW4QGjfrRr+4*$W*#cy&CkW|#r
z_>=x58q`$a#8AqB47u!UH_vTD8Hb%vSy@?HS_<bX=i7{-ugKdC0Hk*Y(`#!lprHym
zQA)DhgcZQLOWg8;P$;gn^nQ%nr+9aA(UhM*@i7eYV*~?r`bh4<#+tBjy3|bxXkGb}
zmmCt(4Wkan05C&&-!ewb?Ep$utd|B9YADCW!3visXg4oUo|qlkE&yx-wgBs7W_p&J
z%4>PFb*JfL`{5=ROgblLsG)FNdHK=SY?Gpb!r9pwOn%$K_^;*bi%)*(T@eU>e}C;V
z>*s1}?q^2@+1WwXe5l^Hhx3v@eE0xJ@Jnzo05||~@T+E>=TWkQlarI9W4Qb`Ff~FC
z4gixzMcp!xl_d@MWvU5h{Mt2NySbK?fB#&ao#h@sF64A^b8~ZdcUM;K0}P0A1!UOO
zb4Ch{J0&j9ni`hgEkfN~9nST6NC^KQwi^F#iC12ZZjJDrJNj!Q1yHIU(vhP3CMQor
z1A$YSEauh{lKATbv?p2FR@i4j0Rb+qt{YP|luSDFWNeYHhZ~bHd9SLRa;vH+5pL7I
z+f?{}pkU3l62!Ftq}w?^Wyht-$;ryf`uQ^_mG^ZcdSp1gklS8#TwEiw5*s^P?eI`F
zD+hGbbyJ&7Q=9K*Oq`rQQ&V}(1{l1&ysQ<xaM4prnz*T%oX5t;Yieo+2L?bw5fK(P
z-3WXlhf5}Cd*n})_3xiyO9<un^n0#rnj5(VfrW)-k&(ViN!7VIXIiSe>6MjBX{Y<E
z-&0cy^%~w&i#XjL4RGC=ZSsRo_R-Hz;QoD7<Rcy>#^lGB<`f7L`53mr8noZ>v9X&Z
zBmjPVsEih4Kn2r0JO;ENN5qRVFghyav^D}G0|xB4I=tVnIyN>2IH4y=>`96;OdmZR
zo!)?S=pEt!U0vO1PM!DtVawXQyu2M*Sz2RbCwwMPlZ8~jh<LPP8}SOwo*nNL7XBsW
z60dcWWgzZ<3nw4+Ju_qD607n1-dry{ukiIYEo^ZG1qEme0Knkx`pOv6zg?)S4-fS7
zaPueJd&?<7eJ<_mYsSjji-TiP=b4+GD?R=B(<i7Yg{7ssb)I5{fpu>;b(NKs&CS_f
z2CuHHSdA7oPfWa2Q~Tnk4}7r7da@Fr4+^55t3^UaCJ2kl*$Toi4?jOcM0+&XtNQ{1
zOS*DNSN-nElTP5@U!tQAR~SxV<HI~eMn?zv`&&-eo`ZA&ThKB@`PHjBs4ejVHjP$K
zv1r1gBO}sOGP@NO5rl{++@+;u*vUy)B4S}TmXmm8ERvo4&(9jz5_#E=rYZPM`#v*1
zsjja6NI=U;IQritpdbiL*zMc5#l>sO%gH=EKD~e662oIpdYAiE#pg-0^f2gN`X;@%
zNN(N~^SY=hAgTy$npJ!Lyfv6y_4)Jtf4|w02X&t3U&obYW&N1LGL%`M!h_Ty;dw^J
zYa|Dq_syqRN<ar$X=$MI6xlC5ef8?q2If488k=KFFu9PB5KNF5w9aJl?6kBw7$^z~
ziV?5N(2r-cv$Jvo(oC@YP#5oju~kw+Qt{*Kj~|)oB@WGj6*#1g?7cg?bFdQ!2HTBz
z5xuT*yX^I~TO2xUU<mn22H@jVd7V0K2a&F`NG!cWL5t#g<$1KF-!<3<fa7%VIu4Eq
z99=EPS=;geVPOpWML|K~!0Ucf2I%2()r6GsPW%7j2UPZS<NW>G0M%UWLevLI%DTE6
zGc#Mu{q)E?IBWqonDxYNa(cJMZcf+Pn3~2!Mm8J26zp}`nQt#P8w5pbs@f&(+qa=V
zVV%9bZ*6Uzk9Qbp!lr@Fmz4?VoQ5edRaI5JDz{C!W&9;OD|@v!VWrSR1h-(Ny=-g@
zr=URI&aMyR^X9bIm6e&h&iyc6{CQ*~P*;MDiHCXZ0FO&8fz);0x?30yK>qa6F|>kz
zzq3Jh^mFe)M{Tg3s%Gqr>gMAm&at!%PmU&~B(f7>&yH8X0G#gZtc8W#rlU*!{{8LV
z@-ubyJq2JB;&At%X9x=m!&$yXO#B`WEzR4vZ=sMdGNv~+N^S`JJ9!WK3?ma0@Ig?p
zwr1@Zh}*}<$6H(dr07`L+5LQd8@@1pf(-{)cWGha&ZY4+>E`yz$|)3-yA;oLbaVs;
z2Mp-xgObG1B<c=e;T-n&^%K4!nHPI2Uy`RMb8?_aJ4>snIe?Jg(9oc8;BjdSZN9Yt
z&IXiSfLG+Tp!~*-jqNHbP~EpA%+a%a$Ur>!Q#T|i_%1ugH3aw+2mieiJKLDA>Ce?P
zmzU;tMI~s3LlFcU8yhGdl&0DG4!GH(vNEr;BOZLeqN1YR!$Vo#QTtwKpXxc9ci7lm
zFE2dcc6ISOwSl>CyY8712kh;wsOq{HyDb2l0+@Y#d<=|WYHF&tm+Q`*hAh&v!T*;9
z7#{~(PjSC~cH5QjH5CCi1-I>OlQ0%mw!omkj%ugeqM{qf*Q^wME0eNcjgl&l15Ipv
zR0FYb&_b!%op;c!mr;?HFj~0sGBa5<8$J*!_?@!?HUOKTxwSPyj=@>lu8nXo{YjaN
z^O;spVBWoZ+e^K#o+^9@CG~Ca$+fi7(9|Y4+q^)56A=~|7~p@jH;YzH$HrFaurdIK
z)2&FtScQYbLkZg%BwUV4+}&AIbL9Os9OomMt0L$4ZwLqupGnUZuJohdr6M2*11GgR
zLFk4|;TC4OtQ$y&p`rLx8<)%<h&nn}1*~88m{HuMprEASWMp7y`Q@IQiGqO0ez&Cf
zrIpEHSs=Dj%hKn3K9f{QNqEuB6M#?v@hp$hqvAdAGMYTSYTb|jE-wQnx&Fri(2mz)
zmzPrFUuP6{7VKovfB^q;$6Y1|O7rvGu#lSb_tHTzvXq`DTMez9s|}M?{x9x(oa|+5
z<na<Px$pmrOiZLMMjOt11q*B^Q*}3?e{4(`2K6WJ)o!<JD;^MU08!IWt=}wk0J1yY
zRmS!$ge?ZB{Z95z6d#Oh$r5?ZX5!pT4iW8TMTG|RbUV8{2;wa2dD0aNX3wBWH}OZ3
zsfdY*w9~`rI#0Y;&{y4DT`Q}qaMaoEpbYBQ@d18=JF0bDy>-Uj%*b#T(8T&evtI;{
z=(nOGJ~2kd`*eTzvo#Rp*|TT#s;U;4nB4(4UeJQ^k}T{gI(z0aU;pmsPiqH<;*TF?
zdZU2t0D9d30i=Sq>BbMWtn~D&omf&_3{LZ?a3Kc^5YeTzH85FpRa6=m<c-uv;5>uE
zK2zv(n~vAKE9R}uv{P{z0kr+;aC#YuqM6+UXq)A2Z5A3o2}Ohvg#HUuo3$t{t&S~+
zYfa?PWvnUhi+Uar)`B*+yT9-F<_&R<8Y;v`>X@bI`n$StUvHrya-D60mF4gsmO7i$
z@yWsy0|y5ccTopQd==&V!V(>QLq7kY{JD7?(zBYH6nhN6CP<w8YHg*bTm%saa2g=%
zrdivbo*o#ZhaG3f^z`)Pq>ip`?bojlK$TvaJG=({0d!<gbU=pv5Ff8SEylvaVhV4x
z&3t&9FvrsBkV^PN>l|=^u`+v;4IfP8oe<6~=i?(>b+t8ma;>=d2(FiMf?gMct)PR*
zvt~9gF2XvRi>ZsAea|eg`<}fDO6@Fe=Fgv=3muW5AmeCpdV8<rPvh~%Rs&LOYm-|R
z`Vt=LI9V|`*7LOQO@Zv};CH+5a7fVfS^W^QOYN?7#BsByEbQ5R|2|Q>v_6+tl*UG1
zpNNEHVQFb;eO-|*9NK78Q<F(|Tyum;zb%mY3i~Cew{O2^WHhod*I`3+1w<Z@<3Y)r
zX|F(~*xB7xR8-V27sdCBFVbrWn9(clefKzBx5ByqaHauj<qM&TNnPD192}>dF`pz;
zCh9yyIN8_^8_?Jy1Dj?u{;j+iAE)ez|0CO8ruqG6>F{Lp!pdB$Z4yX>?!dB@zBeW#
zaQfH*c2&U%KR9qg-ueIdF_)pJ?X*T%tZdmgIvN`uM?p#c;$(*rc>tBUAyv8*A3x3`
z{~9V%ev|fcbGB*A`ED=;h^<gwp&qJu+(=N@(aDAOudUtbr`mKSAmd!wAQKZ$69gNY
z^yL{o`}$t%3J-%@?2fUc6VwcSxZDk`&xeMl%w`H5S?*16IhywJJJ@b0flb?zERp<X
zMMc|!9nt&oc_8ba#a;EEYtxv431SUdSud%nXT{0!{j>`Vq#YdiX+>)!ufdpZm|Iwo
z-qloAQ$t5?6JoJjS&9<S-uk$1dMoq%1RRr;Xq&I^8?h}c*tNBN#l?BSb|@JhDBN06
zJ$eHy3pD4KNz8`m0aCpD{9WDMi4tC(GBO|Q|Ljn0?JPX8va&+;24TI?ZiR~ipIX=f
zKt}ogep%pSW#{si<^Gz34mm}!LYr5Hk9@uq?>P~KMV6L&oLgP?4@bdJ&W?AXp(BW$
zo!uPc6U(*rR;;nG!>sZV{oh#`o6{%=Ix1k=U8utENdl7fgx8||6qv?GMqXAs6L}g`
zo}756qy!J=OSToAoq?IT7K|$xq}Vr5XlJWwYTn_uFyEP)DyChgUhU$;O!$$N_0F>+
z)eHp}pj^GzfYUqymNV^jsiUbWxTS%EEp6-IfQy5p4c#G<U89^TtFqD+klN-{4H`m-
z^&#!z;&o?q(Ns-A%4}P$2YF^Df+S|DhMgR<+Q&I2IsQ;HhXZH#?Af8s^v9)~%UIFT
zu^#K%fB-%F9Q30jDRj&x>JRM^%%E)BCb#THBTzo>10fRN;qi841ZRwn_{M45dW*dr
z1F-{TEgL5W0%Y&5W^r4~lqcP*r~ObOk`4~TaIdd0MF59%!9-UW>d$0hw=XR^J=>;7
z9=v=h%Eo36=eF9_z}>yNq@<+0{0P*~3WaV?%_}IHk^(K@s;Pr19ojlt>9`7Yk>w^f
zoGS~Xo3@L%CbNZa3k&hrrp|Lq)nC4JFRD7#l9jz6D^C{pR1owMKW_AmT6~Sv>q$39
z-oGC;JUoF;Whbv{IOj?kAI+tUAX3uOh6V=CN7rs?0bs!~w6db6r6oY>Z(yw^BtoCY
z(xQtxQrE_r{D`-|kG%87#*WI?&>kH-(1{_(lkQDgA1z(ClD_8sAm9GY*xJTa-YbcD
zYc)Clx-f!@Y!F|;&;m)$miF`lpq|-a#`)29n$l{_R!Ev`7;r5OS=lAvR#eVgS9ryK
zu?vI_1erfQBnSu{{%buuFgEaJZKi>pluIRZ=(?8H6!X&`yV=fo1!;39zq6r?+340`
zaNiqBm4>RQ^-|;eT#Q?pwUwO%gQF8FlJPXr6}azoRXz@!EO{`NgM)+hwjF`fr*Z01
zHCD}+db9>LHpcj4F?bv~b8t|)xurD+9hc%LG7u|KOVCi?8lIfY%}AN`_=`UI=rxEM
z!%x5|{_@|vsj8@4$#R~i_V&A=tAHj8J}G!rLeaXWAi$7`x$c1~0<#Md!I6KIw{Df{
zH(@OM4)SsPD=5rIs#Orstc_O`oeVNRd)AMqT`Fij)s@YnuHM$$859&Og+J4@c_68(
zy0_zR1HK6+J9~L2J1eUTP#KU0cVFRNyj#hC6*gJ*wh8;nyp8v3JyDED=Xl2TN$wlv
zpS)HnsV_H4P!Ld(7UN?^M#e36|D+$>mGJ5<wc5<i!lI*t6&A1>Z+ZDv*FQk0(1up6
zjLKy2t4ijRXig~Kzx(@L_Ljpx4du<!EK@vJQE}Z}#0zp_i&ePK%L_a47V_ZnV>Usi
z*VuWgQl*zivzv1fWYmf&$}%D3_CwQN)ls)>Xd4m$<OT5XL=zM1nGU@3MvKnVGB&n2
zjlLZfqw)E(XqlDIjTMj?&(F?|xX@_p9Y*q`R8=EtYdyiLMD+4g4J_Xjell`2lmdet
zK8JMfFU7xq2$*(wg)eJd({pqGzVg~u#Wj#^4KQp4j6OTGNKMEcS~8KT!!SVcq|@a1
z7<rfS$PZ3a++?sS)Op~10O9VkuqdmmFFtUd{qQ&)oTPga5|_Ybf#R)~c)%UR#c6>Z
z0te?{&Az|igH%TIXg=V3mB`DS5h3A$qrhV%KngH1$9-O6&M}xvAfoxDWyxKK#XXKC
zCF-wV+XlVuis1pxy;?Dr3HPcLrc_tE0~i2t40%T~JdEj^scE1Tm?Rby5?mb{h0*C6
zlE~dK+|c0MPJBVD+uqx`J5hT+cX|loWoW#BNL6Lws=>~|PGE>XtP$ue;NI~=tg*n*
z$*C0LT#=8vA;D@@tEWE$8VBf~0|Nt)DS7k}SAT#P#2$z?8S#>bwb~qR*)E@=w@T4%
z7uR{InVJg3=A>r1{_0h_T@nuz2lig|_O1rEc^8?5n;W2Y0D(uWAHkD`$%lZkiV9eB
z$K4&}Fs48CfByVwYJyZnpnqTz7XGa<;#a^wVqy1v^s75txt{>Vb8cp<cfS3M6l47b
z1)pcN(u4YCyE#G1tlM0@`oGyUzxg!ZsD(7aP=7yUTO}Np`vCq4y8ZlA1YB``ejf0x
zudgqUc@b#4@7^KEyYg~p6<1+)lR9T<`Dgt}R^uI=9b3+4StS-_>r)(`D%tiO9f66G
z8W`679!5os7UrStzASNC-y)(vVrmL0=6_2{`bLA4CQJef&gPe68Yt`tNLsz^?I;Kf
zE{(eo{iE=eI1S|?un+FsKQOSod-wBcUE;fY78k^yid{enn4FaGI%5H1(%)@W6ND4p
z`W6hyuEp-`<1=!E8$dnS=e*?kMMd_|kbrUp-QswxsCe#+A73O5<`{VG0J%YG8!jp)
z@s$LX#eHiA1$m(Oh@Mp}@p3c-h?u0$`<_H$Xz%wxa%{T1$Zl<RL99XL7$qk!2oLYO
z7t%Us(i3ZFW%AubuReJ!{*}3TR97O75~}4`@d~68+?`qAK*cD7YA$Xz@C{f58q#86
z&XoQgXVy~l?99bd3jHrPIV?#?O-(>->;t+&1d$jUyAX31WED?(oF4jTU<V&-W_E14
zyM0AQivoG@@L>wXXZtrGdaP<{`XejL+|$z&@Sw}S!yWXv7m$VkNn7$2GjRY&WDxs6
z-ZkI4b(tj0cpC);`C6URWj|gTEiDZM)L@}Q=kySVo8Wx)^XKv(KlZ-dqzlJF$TBlZ
zUDvgW7CO^U#8GR5q_irWx3jN=O`vtv_Di9JJ<Mz1In06ptgEP)TTwv{hV@#tk8h&A
z=Kv%y=s7s<)1@9AL)!hJl+je9?|poH)KTXLZ53W#o1xUNva&&AyI)l`E+RzaoG5l@
ze`jIR+FFh6xt5l&goKv^!8LLc5@Q=1E>_mq`1tJR>2kq~-SgA8j*j~uKYrZXbC^eO
z1k)H;ZLQZOC`=QF8zdizXD5x`sF^OCd3n)=3u->wt}iewx<+9=wRe8H@axxyWmD79
zC!K9~UzBzM22bByC0m;)T+n(0LJ*kSHq*5vmaaq_4GuA%Q~(lKjTHl+h1?7A4Zfy6
z<v!wb3E0u3hK5|fT82GNF_2{mz4{$cG;&|ie?kmC3=gYM`(Of3fU*DzgE$IGmPb^}
z>Fi`xkHw$Q?M9%ty?>8doa%aURsn?-JRjg@xw%%f*KeyO2s?Jbtbq_LEiDa&1|UdB
zM~4(0k<x8vDnUI%8!l6n%jCo7&yzMbKw3o*g|0490%`-@>!lzCDHVBw^FQ6)6B-ok
z{y82;b#9fMOmlp+JAv=J62~{-&1W9&NMzQJACLkZBYlo_1XkCF@V|czpa}BD-UY!z
zoK-$Q3NH>eMZxSW)Q!ttD?#golA80>^e5LA?n^n_F7;d_iqv@?({Xav8n=etTm5tB
z*q9Rc&)g6VjV|23b&gB7y4-S<7kOZ4I0ud=WGaA8x*x2KijzEWhGZcHkOmi*WAMZ-
zj+c_*ug`J}&v*)c;E=lGQ_1yo-7J20=`ESUAR~KvdQ^OQ#G^M;U*ktW$@QY~hn<1L
z9-X~CIeBbtR90a%)$o+%<u;gD?!Ww>Tl~?=dCAJo{6|(vp~l_ia5z^DTl(qK4akSo
zS#uI7_+6)lwDpsyyDJ+TQJ+4wId456Ber#LbTm%?4$b+dm>Y&?(%S-%eE1!+zDlEU
zbazkb>as?2q97NsqQ^h#BxtL7KAlunN`L&QI9)eqTMlY!58Qu$sx(k8Fh&53UZy?P
z`<9Ur7aQB&*(o3(pqi<6UB3NGPR{byR!~7fp19}DVh0Dkg49JQltxCzV)#@uVQRS?
z92yay|E8vj*Lo2kgwdZgEv;(-{0_zN<T!A-?-+du#9mFOp_!_wg1)h_VQpr%0__C)
ziv8UR1U9N|cye-Hb~b3<P+oaArb+cKl;s}jOiHV1=0o16&q`2AFf``Ot5)NBfK}C7
z?eXzlm#{cFhMpwhl7d<qpwg6--@kt+pb;(4&sWY2W7oQV2b6SJO5}={zpS%gIv+1P
zP*;aoRP%UQV{GDw$iO%!c8x^{hq$grv4vrG=cD>cx;Sj=zBHN#HA7$JCn$D+0-+P@
z)mEG?Pu09LZ2g<}GF(sSV%O!NcZlybhhvZ+&(060MV-;kAh9SZ_4sihP&!}9@QCQT
z^Z5Y1+|$pgsWJZkfS*9GLh6?b3{%FH<rdR`-Gpt7zdir=9I5}7sak`EDucy>BSRWs
zWTdxsJjje7G-16xz(?ImA21NzhQ1GZ2ir!)TDv(LW8*;~`&u;(G~`WCQ0%7A^;?T1
z_egtUwrjJ@PjX(&Zf~DOuLF(We)bGjMK5-^?jwE)2oSaABx$`x%cDgk85#Ds?qXpR
zn0WALoShwKr9Wxc(aE9GAeH=}?svXJl)UyiDG74NPg9gJ@F^SwBwi_F2P-g{e9QO=
z)GM}NyJUXe8rwK2{F&vOH;<hTc-h(SJkuMEjSa%Z%X?MB#>!Z-*%ltt8GS9i9zjwK
z42S{(Y&)Qy(E1KI4u1zb1f&mTmYYP+o*@s8MvKHT@gG2j_?@r!hp2|YKodH8w4Nkt
zZd<*c^V6W$y-x+bXxI$dB2P*(Fpw=+36V=Np?ca2^=G5@%YEmKl3cX3&+$S48Zw7c
z^CgJ7l*Lna8Azjva@(FRcF)O%=3m@Yv|9gG%>UkBPFp)3c%6rbSnpJQa(A+^pP2I&
zpt4cO%z@K1?Q-(vQWm07Ku_eiw*&h7{l{%%BYy+gKB?>z(dNI;Pc>B~usa65=x6N(
zk%R=JIFrbatQ@M$3>o`yIR-6`7dw^Tq$DL#U!zvJ?z62P|L}AKM??g2+C4o_Aw}`a
z;!h47V(@1qriQf3G$(q9?uOvu$sTShDaoTqu$y;uw6C0tmW%z}tQ*{zyfH(=3|OqQ
z9VE=k_(VJ$o&T@?eVQ<XQa<Q4tS`8{TJ=8ByvJ85d5ly0ie-HLx^;2x=B@BB0Rq?W
zzkmCN&c+QoNzTN}3okca64Fg4dzdPrt!XcSHK7!Ii~h;eHD~T`m6TFc^q_Kb@$z?7
zJ1IWaI)U!<jFf9f)f)w=c3MB_AC|G-{_5Ad`k5Gr&*uC>!#9Row{Ai4So*Gqnv#*x
zGBM%4x7?qYm<TlD>-+a<C5{5I3PmTDq}C$1`t|kR7Z3*t38cvRaRq`$t6i2*(ZZ`}
zCENvRDcBxtLu#pbWl%|03Q9rFc=<DEjHxEQ6FM((nU%yBmN5S$F8hr89jtj1vENPQ
zGk&b5LX7VRfq=oGp$}0k7y@UkP9xwjfye|7A2?gq;_g4{^MpTrmEEC4_0|)#Nm{RT
zRLxMFi^u)6n876E;=+UnBmjS7G$Jw_1?l7C7JPFicp1rFkoL%AZyCysh@c2PDOXFg
z%la52D`VuBsEmvhklRfZ<A(OmtNi`tfN+6De|(og;!ZfYsE<MO?24CWU;qK9oi^MV
zwKA3Ir1IOh`4HK#BlXNkAt^c@5I#A1cR=`@F%hG;5D}>&Vb@bvLf#bzcQsr584+f5
zIq!%B{S4BkKyw!s7Y_oKt1*h2(B<9SsxmTOgX;ueZ0>Y_`lhDgqoxYg?~4kFmA^-i
zUwGCgR9E{H*{eV8S@FlZVCP2a!)x61V>v6o>C~7TfK3w)o|65qUM{*j4{s0a!}DMQ
zvF_shH)H7oUsVfM+R!31ZQFC^6kuY)b}g=Y3(j=A(aslERnN`bYY=dNr^Kl61>Vj|
zG7+Hzhduie=mxFekXp#V-1_N_Gzed9wDyRrCPRz0E_k!>J16HTTO;Ha7Y1Sk6@-`X
z(PikEmUg1073Ih=aa>%y8;v+FgcFYnYPhMNUXmQsJH(WhI>8YINbR-#*S1!wB&ybZ
zrNA+JcD|k2!vieI=d}0!_0?TYaj}dPyxrtRNyK-FN=}aYypx`hv6NeBGkt$_ysE04
z-{aC+&(!&RW71e%{Y?JT*p2ca-NW_q$RJV_1P<NL&`^k`4S#tUho_=k9v3Nno6z&@
zC?!3;SxVq?U<A;Q*98?~J2O%+NJPXF&BfQzc#(ZXOvIb_N+3>XR|~X5jXqe!WYU{h
zQfxBI3bAkK1dk3Pn0u_PdEdOT&BmSGg*e38diZlvc0e+*d73DQe_)_6W8dBAI^nuH
z{G$AP$OU2|=;)YA26cio+O@;hyh6Jt`@f$=$8o)MzQ-D%z|^Z#zU8hmP%>V|p^>*}
ze~+I3CU*09XVBwxI(<v5%xEq+tkoX78950Fy#Y5;?Cjn@_9kFu<^1Rcs#AopNSV#p
zUV5dLNynGO)5F2yGi_-`{`<H5njndL70%iGd>{mgh=PKG|Cl7y-GQOZ%rfg2pv%0}
zKa&(*>t6j++8JdvnV+&$MkJZ861FzZ{J~AyhlHeAN_t#N%XP~2ndWkVBfIvX@7o9U
zQou>;hjX=Q#aw^!v0id}+EXtsExldnAc44C#9*Uz(8#*yX-h~}$76LZPa8|z>)3H=
z*;S5B9{~&-FU+qASiZA<q~qc7aFibl5X{3<jMw76L!RgVj4Y};f0tBbwu7|?J2P5K
z3;Suy<@Uet_#lC$Wk(Fo`4Ny{5Qvi#O9~igU3A6jPE8^2Ag%$AtL;4R6K9f;pjA&E
z7#fx#HHiH3d1q%kKu+$fd_3!X!9F2zfP-x>&F(dvByrEK>V@pT2B!Wv1PsJx(b*O=
z+jGG;pUas4%baT+rQqA>h<u2R4WVP`9Cc++syB}k4TWjMT#fYf9;B-{?(g?9GZu{3
z>@9TuUR;bNpy4ii(xF=e7L=Tlymu1%JqU_m`hobKlRUd=;aOb55hG4LOga8{qt<R!
z-QgcPRHfb~KhpSk94!bHE}Po?As35#|7HkuNdFJ$IvKBr4;16|a-810DXg%qCgOy^
z870`xkokhB35~edQw=Z3Ai9Egy1zs^J_?w8>FGsa`}LdH>9s#MEI^NO-2Ven$=>9;
zp&|Fo%wrXu$&tQyNf23H_+v96XudXL#`hXabmjE0MJC#DRqvMJ;@LeT{~s|iJ8j`?
zSy_W7J^ah-44&)JT)TUFatxn=yfIp^zxKXe3=dr8;#-)TtEj0lgv<Hdyh$VK29Ml+
zvneU*3<-h5%i+HJ(YhhUn)i6PJD!J#Xv;$JHsR~;L<=h$E?jj|JWtuMkCzI;76ot8
zJ4>xjoi^MZHfa#OjYeP0Q0g1bSsWighRI&0KBma}#;>btUmZ1Ee*H#^nR&+{3(0Fi
z<BsTm=1`I$qIHpayxdp+K?SJD)gnwc)Wj#&*tCWM3cj~G>_R2lCUE`qJ><BTj*mU3
zri}A+8;b8?p`$+3-_na-ACG?VV*6D-Nbka<V~z8H2ttL=%*eq(&wh1r&<~FEDeoTh
zrFC;d+*lO{2YM&d%1xSyiaApYoF8hGl#qjpfv4;yAbjb`2ZaTKodN!Vua_1J<9nk=
z`U}P;&Ys)xct2n{-tv}V_OP+6PKY7%x)4?1yv@#Tp>N#0^m!>~ce}|?y6E*CzDBuw
zB`}9pxw+?<xFc`pu_Dy|qTXSmYpiOmCB@64pt#fD&o4U+xc9X}!bpEV4`?5dR6QSH
z#1s<~gWL-W0(v=)f<lY{C)?d>NRpMz8yU#@m4^1nIquutU?S^D=3>ay)%;$N(qO&N
zA&{Ql6+gS}T&7b+rStNLo@BluQRMtr^HqWjGW!ejQ1oXLl#li@Ya*XBhmWkn#LfPw
zs~g=}2&SMKt%7gCMr=Va6|!I4Qg+sb3}x+Kcv@j|lK>GUCvM!hPv$FW=jhPY(}j+-
zb+n5~pa1B1{A7-f9*k_?Nd4#c_`wp0*3`rb8_#Fv#K$kQp7>f(Zrh*gAsdEI#V>c8
zjt7O6QZ5>R`qOv;rQ~}-8<X#=MdOV-|K|%z-x+_bp9m5#7)j7akC~XhlO-QmS(^)c
z&da%)n`72|auuby?ES(@qpLgTxmZW|hO@bqc5CbF^#jBAJwusGTrUY1gcDnL-=k(T
zK0%Ox%*?R}rh?yxzW~R7S1P*a)x*b&4LI82ZFq{lu}cMLNsf*sgz6MGv_Spl(jb4P
zqC!ka2w6ZLzPa0>bMU@Vi6=brooxtG**>2Wj7y1wQ{=MC$;<>SvdLvPmGh-smAy%N
zNC-E3erp)bzM399r$hhycRBz#I%4}z@9_BnRV^k6U1w!2Xm1a`Nrvcs{<#sAD1w5(
z<KM6mJ(!KA;VB0or?hO5Y|LD}Qr^-DBHu+k&lY}3Rbu0Ys(y+#(Kj*@cDo;Njs0Q1
zvzyEMctwOG0B{zdY7mb@rpNS^dOv-=?S%JktxJKuB`K_Y-iU{Xhc4WdMIqAJH+fpo
zFTCA|td+;M@Af612~_iYtgN`dpQxzto~?~mxVmZ&=k<yjhnWArEI@B(L}a8+k>@!;
zp!dDW$@dLE=C8Z;_bD<B?so!QN))p*Nb!C+_B&hB*!R-Z!tL;Y;{=-~OhBvp$Xs1r
zPN7R8g85MR{caQocmLmxNcI3piMNMF5cq&+>77NzdG1A8qY;Ofca0n!%{JY=m}8r&
z?vEENDE{{0yTQ)qC)?XR!HPGS_yz98a%k4uyJ*fn1we4To3QVpt6b0G^vtvV-OTP1
z3IbN_<;5x2_knY}Gi%|l#>T5eBz(cfzvoV;i%SdZmo`R!#sjhI(q!w@G$6I&=HfQZ
z&ax$FtM`jb<&>FKy!LN5rOey9;i2-X@*G}1H+e3;vIoxR|4802$boSf8~J?E2b1}|
zk8DxI<9}~nXZZgxg|H=8Sxk3N&&Q<)2|7A%8KM{nr2NT+g&p`Z`BHLA9Am?Yf@GzR
z6rLL|pb!vPS8kfzxd|+^VOhUP=JIZH^i5Jf&w!Txme+gv`ruH<1`m()<r|;7_Mm@6
z$HcfL;q~+|>Y`UrMoFpH9K&yk+w>^cLDR|U0G?%mhsVduvV*DG)u+QYr)_l0er9Lm
zc!WPrHxH(v4*&GY>G0?8xO<-^SG>}mJh8Xevypv{g)aF>N9SGHVJiVG)CK#m^v@(!
z28J8%oNmw2dwP0h|Hv2d2fW*0*oq*)UBkn}tD_5TzACdsMMWX+>Yl5CWHx9umv8>u
zUiF5F50?NBkz~_Q`*0Kose#hxzjG@YNwe>cPfj4{L!Oe85E;?*ZB$=Li8G=R&av2d
zDNm&v6Wvv0M1g5=(!Fsx;GL4r79m*F?#FMCchI3ICnrY!jSoz$8Ci_)oxAmFFBluc
zhxI3lCqB5nCDSLK2Dt(Gr%&adJsSo1ChjRU75eSV&?kKem{Z<YlQ$cI2aNpiD51fq
z$;(4GXlU7d#_|OXAV+lMZ_o3wvvZMfxtr0S$ao!=fo=Rc-Jf&T42opuVq~ahxjRvA
z2Van`XOU3o9}=Rds(OPaEKEV++xTrrJ3u|B3cF0pwTg@#jiiZBGyR1475+0v9;m#W
zxX`Kk6dij1KHRG}2j1&mNN*YoV7>pC)zP6;ttm>qvxOBJy7=ak&d;B;({%zdVj}$a
zqvZLpeNj7|-^d$FOG7^n+`~_Tv`b=0@XIQL=BsDJ5`>D(2AMW!58ZZ8m-FHA33z&F
zZu_VWhjiqh98-i2HMN<OL7$YLU!B(>=giuRO3daD-kkvfOHUI|6!Pve(1g*7=)ceR
z{qb8(gLY@j*?E(un-^Nlv*#~fJbw|J7|sJT7E~n?VQa+nftg`Bly-V_)a><ZCkQLk
z$WLlOCY6DS2^FDANF+}m+}k}^++j`UdUb1l!S0ha-kF-7pSuU-H=%;r*#Y&m&ujuI
zZ6-sc5e$?zBi?Agud}0EOH(Q}zhtHRsb0<zvh9yF_%Qb*rn#xUJ#o<SIIm8i5)deZ
zk)06-aii?S9}z!!@+AC)9*dZgKpaE@muo$o*wydGi0haP{g6+S5!>K+F$$89Mr<t4
z<4vXqy0=Kova>fG-+s@oN7$sSK-km{OMQuY2OLkA!Hmf&kN67O%*EX$P<J~O6$G&)
zBH$4?`x$uP1MDV18jG507x~WH25gbSau4-Slf)b-U-}2=FA%EaoptJnA88BNFf})e
zak1nVmrgb9yZrkunk6L36p{DF;|uDB<O_}$jiP_Hx`S~!X+J<qWsRs>GBA*mk|vra
z#<<~mgZj0(Ikq7Yc{l2(?=CK#!6El#LxV$t-OrZ${oZZ@fJ`~O4&LiMnXvoXwG(Ya
z4j=^GaCA_+$A6VOR(YINonu)Ma6PSC(|hLa-j8(n5wV~ExlTgo3A<8Xru5s2N>}UY
zo)gZtPEsz1d-pm!J4QVEzyt{=lXg1YiGYCW+s!Ey1eF|f(C=KKsF9H?C{R$lwM!=-
zLAGXk63?rgU=X~nBix+39jYuhOAD*{{FpeeU;q1+h?kWUA0ecnny^PV(a;!oTzz0;
zzQ(?(UH}@U!bV_FP?ei2Dgw_r#U>~BX8T=4o#6}LWnh3uuCNipF8&$EptQ7HU$AG0
zBFg6htwCHTcxVW`0MNQff9gD`b363ZpDo(i8Bj_d*ql@)6OCEgv2Q62p=|0+GG-S{
zl4JO(Q$V*nR#F=gC`6-OmZ4kQWu13GD{=Q~ElmV(koY#u{##uYE64I&Rc$jWjE|>8
z^u~h8g;g`S%|G@Gb>XRDGp=`#;0tSMX-7ZTV9v;(+1aN~$-zaiWJq2uzAK#CvCEex
znF|3&>EN5Zvc&pyi3Oy}b1Ljt?vLAV>E)RRZ$t^1>}56n`T0u1XjvJuDX|7!4Re}I
z{QNf&LJEq&mv*Zh4yco4A)v(;6xiiWzVKFH0y&==;dUA0SG2OKwEAamfyb=W^H|Bm
zPJuXJ9`qRC_Wh)Gf(Z%LXP>61BG2wHiHiC(5T)vl7P#1l+)hZ11*^?iVwd*=Oak{k
z<Fe?Ews7uPV9Uv$j-Hu8=E2g&hM5qHncNcYy>@75Ym1Cl%O&4B4}bw<bF-OJoROJT
zuIL*E<UwqA`6~+D?L8^KA+KFrQ>8dHNVur$gshFM3po?&ws*8Yyx15eu4p#R4ikvi
zM-T);5qZtVPi3VL1RQzW|HIQ;M^*KG;oh4D=`ImLN@=8#7EwVI>F!Wkx&-ME5K*K<
zq@=r%4(U!wDQTti&hPJi?;XRxbPUfv`|Q2en)7*{&rBIvw)8>uD`^GL3*^<ohM=V!
z&^rZg(I|RJ*j0$oG!&r+YHZmhjo9j{eyaLHDO7q$Y?hhXSv?s6VimjMGp)P*2lZ)&
zjg1mXtE-!vcka{i9W%(=q)?LG_8FL%I6nIORm5UMj&XakKHelA1p#r|59}e^&RcCb
z;4y<u!sGC@ZOR-azo1|XdJ)(!q2{3$@a$L7Ac>h|W;qIr&fO?T6k5DKhVw3FnT2Bw
z{Uaf!C=)Qtxe3#dx>1cmo4_OD#;xpJoT#IJrZv}fe%V))0;7vh6Li2~Kl`A2Y>b@x
z9upI~`wK(Ew2~5D3zN$7@}~Pz?D+*N)TUHACa=0@4|@Y9!6=XthqGQYH`IaIf7oyj
z5gxju_o2g{ychlWSz<K@p{9lot;?BHk=@VN-5+6lhUbnYE9<S-bz^qa3RF+_zqFOr
zF_();RaC&#;c2cf48r?yW~|601qnH+e`f)NL<p*q1F#?+1$}qu<^NLr@-$V_dudU2
z=<fAYsfLV+$zl&|KdUI~`8?5eagS(DVnO^Tzopr$Oi4xJ*SQP{kA{FZ;+%Nc9R!a5
zqa8_wQ9w%nP32&5MFn$AH#oFC3FyAg+-49xqo(Z9y!ZJJNZF1;WPB6!e-AnH3Sk#3
zU}HCt1J^YqROH#%C954fUw4ztH%Y}AVc$c0Gzv_I%CCOQt^q_dGp7dCi$-;}$?zJ%
zX}h_JGeM7tiQ>OnalOM{Bx+Uk{FRD_%%81*nue*Cq4vycUli4QV^4|9#Hf@F41AV5
z@R248SJ%}|hePEIx06|yaYo-W8i*G@*d@^Y9(AiPFFmd`6N?-_{Lc$%Wrvh#Vq^he
z0y3JD+EhfQik;xm85-B*N-U{_bQKSKa7-S1#s~w7goN%5=n~U49as`1jl<p?ByX{h
zg2H~IscV$%;zEt8Hw9m(MMse_Ba-exSIn<yC^Emc$gtqgX{e<e3|}5HqK@#Zt7ypo
zsCV5|7mNCiC(k=4WbC(=F8jX@1=&c?T@E53DjC@thylWZv%=ZQ?L@a$D<8e(g&;d4
zuTf|qMp2M)e-NjRo4_bowkULN;bViT3)C;jX)cV7_^_hi{9@^MFX~g<YS52@0?yA*
zKgUKpnD4dM#;44UPyhVv1@GibY7I0L$!xoXyD6L)zD-Z--xSGDX|e|8-tD-c<F(U0
zHBi_GdG>sGXidk46RQDi<=;;x3=q(($M>F+*q(qG+~9ePAUg5WvqYyTXl|CJii5*|
ze$ZWN`*p?Ef^BBDY9`~}CH(B!iQEzih+_gAta_hfV+93-u#hBiPm25P9*l-`n2v4I
zU>Mcf)zr|y(&J66v^5)DE&m}YRLXE+X;s%LJb{+f7|+hRdc&8~jmqG7@yEF=zw+zB
z=TxM(uIkek+@(=wDNR3hAu04SG$UKV`+M6UtU6Q{xwH)sB6~~i;Uo-?m%y@)L==PX
zEWeyy+#K(D3OnPy+7Fj|{SwBff5sl%9j!^P`b|?G$ok#2|Kij-(|u-l8~PC;50|dy
z?zLUL!yY;<zTr~o4*e`(e=svK$5$J>#r+h-SBnbU(Y;>ir=to-xpOf263K^EC;B?^
za~y4>_vO#uh427F#rU6_G?t@8yVNwGlrKi~9k{08xC7A$h1jh#cU`jd*bV>5%!!vj
zoZ^ivLG2|*iVHjS=~5xX8;~m-$MM6`@a>yaXFT)1B|cVCyQz-D8gUFcImc1aIKq7G
zI`wC={)xm;k6)Ypb4vd9jcJzL|1&Y~Aa*o?Nisy8Kx0OlJhE_jpVTX$BO|#(81b9O
zyVC+5lf?^7QinqsQ*hz`-jz_@lp^h(y8rZ<=kT}uq?=4H@V)6mHD!G}4UH7sFnAx;
z)kHpiD7)Z9F<0WsjVyr6$_uwWs|VuXcge!OeKQ^CqI?AX?$Aiq-*FA{QEw!%2}|^<
zB0rbfzb7Ilf3}pInBdH%`=j4sMMsn3>3eUqgR~-Ug5b^db>W_jZ=65yWy;x9uI+9k
zq?I-^AYl9g>lceo{_gkhZf<;JHcy(UZ+cVqAM)$1>u*ib(Phm#n$oyYQD7ho`5&<E
z)Hl?>SA15%`b@?v)X^uF?dHXVLDII#P~b9Q^XTlw`qd>!p5W2P{q7+eC{yEg%7-+C
z^(Biy@j70h-`A%xJvv)Iq5AcLRrKzY=PG5NGrTuP78hmRD5+XR|C1{B_s3UPZ(fKI
z&`TCJE0blycFUyq>!LF%>Xvvdgcu1Po#+u4(*;E?4;oI%M1_Z=A>jHpT~e`qZT<VD
zAV2D9?!kW{JV?lBWJu4`6unT<m|yuL3g@M^o$?E6cZ@R9eRRJNY@tLptDAHv2t@XY
zRCzhU{!SA5kcim9B;D-}&1L+3ttiy>(BTl`PJch)ojKQ#u+U#WdrVyQ7#Z(*Fbc;h
zkF!an-8cK0oc(<24CBeur?6dU+ebHy^vuvAFH}_iL8vei>-3VSm_R{(#i!J?ugH6~
zHy&*45O|H*I9hc}iKRJZ;ExacW@hRpKxS7Us$gYR8!7)kozngA)75OvXp*k3;WPoD
z4fI3XD6*B3QIXy_5fxR%_rDtJ8tU;x5-ON8zZK#*{Cz9peo9M7U#MRf+kOO{KwHVT
z*5z&v1~<mUWP=F2_qL|+WMv`lWwi`36nAceH#LcAS?MTW{Kckpk;^&km%$+HYFu$d
z@BI1mJv+PeDK~^@5MOA`d{opM24Ru0{=U{pEOwfPITg*{*EtolpH(fA!J1glM_;4W
zfr@~U$BUE{ks>>{$gE)%5;}&nI^ye{w4;C_FF!LmQ^xm-(egd@zx8(9RY?jX!}+0%
zctZOAB=N*2qusEM?UJ(IYH(|wQB|8IqM+2!RjYVA0+P{b$~EQPySbUMvCj>DG}>>|
zV0jvfzmtvwYYw>TXQPfhZ&T4x(9l3)Ed{*%1~k;v$$+{090^5Xs)RQxvSpD@^6|m)
zO{XnBB}=8Tt)sujRyRxn{&Sxd++(>FmD(QO@&_HYInaUFm13&FN0K1;9OOI~7r|r3
z5)8%EB7S4^44E(a3t(m)%jbw?aky#QcXl{o`-|i)2BtE#2p^MR<?q(uF{|+d*}fBq
zM1zzqL@)mHXZNBb86!J9Ha7ERYu#YYm-OL!doH*D3MdwV>Ff^!IMQkA?>H_6<mYn~
zrI^{inu0g+MxY<Y)E)cGR>R@Bl!NKX?rt2LcV@-9TDEYyL=aey)JuEp)lsWi-B67h
z%I-f8T1r7d!+O29R6eM^Q)*D!6TRG7qtQ^d+Pm0<A@A?^mGOPVTx*7}Ge!CfHW88Q
ziMjYr*+U<ni(X?H?C5WDU%!22e0BQiBjdf#<(d*tq6McVrYUnJo`w&9&3SzH+lzAL
zdmqb{KW553`TDWo)%*B)`rV?_zRvNun)}BD|GW;cT+Qc>+nfi)*Sz~TzabQo?t0=4
zzu&)KW?&G#JQFxo+5VPO-8S-X1>%gn37<Lm)_=UUnJ-@SvRt<lZ7{gLLejqFUqJD!
zv%g<Ikkm??P=4_H)yOKhHq!&~PdL!Vu-};#VJP5sSs)FD?z@h*HhAPpr>t+?;c0`+
zD`FU#afjPZzr;fT1NWW3QERZtN35nW;9sF${TLPCzhZL;;7leX*T9Z#(@=f+SJIt?
z)P#ad3l)KuEqSKf0`N&T|NO~$`I4Z&KaRsv)JR76<?!b7RFa+f>*ED!EQ>Y#nJR<#
z5q(!D`$Kse?Bj*Zs_azU^>0t#WM!JUJ;siBr1QgOrX^DW#jtICh$Z9EXULWaJFX^9
z6zx|M`@ASK)Y6)|&)B!z9vvhBdE}@JuKC|sK<t|GS&Fjj@97DTin1#pdJEBA8yn7e
zMHibA&i81~v^{>u@fL{6#kdhG^43<xj=LBbG)gLE3^BUj$_!%IVOOV$kJ~%ex)Dfn
zi#B}hnR`M3=hLpO*UC7gI)D^HY05d3{^B*FqtIhMp8rfjLJ60WhKi>0DdKm#STldY
zq;o630Qc`-r?bQGYM1R@xo}NqXJk-XTND-x-sMgoc6P_o3h&U31zv}5i9whN#?|is
z%<F9!(3hNQ=!NYO<N%Z4w|Ke}6Wik^83{2@&xUts7+TU)ll{p(uFn3~p`=uiA1uk!
zqoZ5h^JW)=6j`v)v5q^+!`}Qh@Ih(PdS?-`_Zak%|M)1?3YgLYO9~Dp|F)()y}jZT
zvtq&(RAo?qGJ+)?6(XM7gXyi&D%ri9oIbH%#0FA0yO_c%oB4HgkZQ*@g1I0f)RKK8
zMV9;Q?6`=ocA0=&Oe{e}*wT5os)Ejp=fJHi33h9jotd@8m9g*7Sf(QB?iA|N1<Sc(
z_<ZR8{h{kImW9Q_lr_29*vzX}aWnO%WA_j?4i1jy!qZv|2#z+JmzjyV{B8}bvMDrZ
z5FP8?QhxpY^%pMI))qlGPuKN9l!kx+US;Q!PoGAcmpcoxp94$MDPD-X;O?RCk^g3?
z852n^R1_j2)OI?1^44COQc_5GJ0zuF+Zcq*HNC4Nyt$A8>62%ikA7!b6|{J_hgrGq
z{-sjgIN1CW8=os_8d6+vb|=xxODQn;x<oAEX=cBRz1!YJ4bLbuCN))8PY;?eAt6Sg
zpW|W+20|ra9Dv==%%!TKRsgDzlVje=>4^34H;B;<Wo6CUNe!pHJj5}*@ws+wkYT3A
z(PwOw!{yDAnXrwHoVt3Y#_k+atg|rn(guOsYN`J(t=a$dWQ$*Crbo!`XBA7X<!kfU
zq-X{=@}%OS;qkY77pIG9X{%31K@P}`pNhaDT>AJiL?xc@Z_$s!`5&pVpUq5-hvl9{
z+-Z<be@QOtJiIY6&^fTX5=`i4eSR6OY|@F^M9w8(!62PI0+a)!K#`%`CPmWS*u?fN
zGvCWc>f@dRDR;7!?g}Kd_R|G3beaB*Z1AL`;7A+UP@v?fR+~>6A&7tAd=GihWJ?lr
z!gx#KeY>%lg#{WiFQ8ZJ;X!E7$X``{VIr0FEx+DmAZ0l{-MC!H*7g;3VqA6eOk&51
z(-WrQQnft&w<q=w_{qd8i1FpjR*DtA?1+1x)u-Lg&S5J{TNn!_+?bkjc=DvOCADU&
z)D#B+i_K?~@3d2KU~v^p{3WfOu=_E#@*!P}yW70PIrV)B3JL;#o@%e<pyUScnB9w1
z!gD(Y!qA7)<tCji%nGlqti&m~8^hYY>>W%S6KOv@2IFWO^=265l0#x-NJvgzUd9VH
zKSjx}FLQ(a{YvM47%Xk%W)=2(*RjTQLp3tGF|qrzK!>ob)Lh`7yqsp^=UA?*^WEe`
zq5D+taVRK|!3rHAMEK2ul%+k--1vT2NNbxkCMI8LskI>Oh9piDxZcp3e5L&ZJSa-i
z_FA#vnj^R739T#Pp#>|h&f~k+MOhhl1HTB+3UL`U)JAq+ShR=b?AbGDE2@%_kwJ(9
z6*=cg_{i265=;nmD^!Hj#-`ci&b`mI#@o}d6ZE?7z6lHK*K16=+&4MujC%gYaT)MC
zhX=*Q8sBCcygmN};B<$EKK=O<rMbDV=L?#z_C%qM%Qj>5<GM;~5n>|WstELU!!9DE
zdUPqtwi%rC<cMNt&a%E&%}run@1?f2=P6E`bK*>VZ^q6JIfWE%(~l=Tof=ll8@HWq
zGcOY=((@!BT;ZAJr52|_NO1B4?$Wfi24`kxqct&ES@miNf=Hi{WQ6u1=iT|m>HN>1
zk0R)39nX)@adFKrM>cg?v%&MK!uIL1&h?zMqL#!UYkC^B$;!y3U&7-cq}lMpW2Ssn
zleXy8l@)MvZE6(e7k)2Ikq}=U=hQb%i$AP5>}zOl|K(j4MTl%omfy{}d^T2keQt-G
zT%6tyZ*Q5QctGqw<EpGoOvBxl@jzbeozAFX>(RFKT7UWzB1=jXHOHymgcV96ki4T#
z&#&ve#e&errZH74dT&QR2JdH!RfP!f!jK%74VjCx+YHgMANg!r0swFWW#2A7_8u<w
zhqY&t#od?1n7xUT^PK}xGU+GVv+mW&W@C7G_?edcf{Ap{8LQ%SW5kpITd4_h8+IxU
z3$CFB3W4>!JX&h{-Ew<|Z1up?c|G)=T$Rh`Nohlt7D`EbbH(Y&lBEI=6mwD2!14vd
zFZKo*^e{1ekF@%fb#&@1IwLV0SH13X3Eq^rfQMBj>-pN{a_{PKYjwPcMSqHHFq`V1
z=*#otux~1U!Uw~n=)MqttH*C9<=ry^`!g029hy&?#GNYX7*6xBqf>|qH#|kZ27|nh
z<(a6*SvhbY+$`5S#`4-_#MDgj1OzdWMSOBtzR?i{l-JR1pZsQZA&sok85PrQ`kcFH
zu&ZnQ`{Bf2qF@GyD_@|Yf#&BIMfY#6y5#aV?T6U8<s(jAxD6b@QARov;umeOubA4}
zpC$98KT$>_c(xM|B`6?HO);*lwDaa+TY_27hg1Oeu<=QudGoA6S3{8{<{{%^P6VUJ
zr1jD1eG7AK?Z&r<-(gu@EGY@s$X}4ntR*mOcTapE)ZDVvwE>)j;kALJsdDpYV(u?w
z6Z1j%-4^*F<3tbCMmQ$oACeetQ!u?QezU){`Ve23zbc%kx9zv8TeY8`jEr@Da2~sV
zGf`!qadX`M@)M?)dV0w`x6C2>hav^slr5&;r>i=zauZ`>jyocpM1Q&L%(4sF5iGeL
z-Qqqsnte|#wBu%(W8E3~g-dtu?_Q1-7U63TG_03wWP*tiAJw)=zn=3rQGSU2tOhEP
zosRvo)+0>$QNzx;hG$_k_BmGHY@3=5*9Y$t6T>?kDrC#y;F5KH#{4j&9i1=!{o6PQ
zJhXZ3gS?04tMub-T#=&Ui^R@`Z%m`Bi_2@QcbZQ6B*&QrJ4{D&KpBMSLy>;t*5Yc=
z8xk8@)oy0g8tN9f6E5dRHpn_x)2vPjW+;ttZ&Ek0K%9V`eh>Yt(+xGd!L-2~HrT(h
zTz9$N*yj{}Z<(`nK+FAxYoY*0E<z-z0xiCcW#$38Zdv7Nb_oTQv8mJ9lAIiK<_uWy
zoL#a;Hc%6!?FYxgYon%FA08V41P2RYWE%@hX(6OveU=*e5Pvq7+fHlLS9Uu!Mc?`C
z5H~z>XS!f!xx5_1aZO!a)$mn0m0uX<kTsdL^gVS_*5@5wW->#%iNU`7gBL5w?=Ugb
zm6em#)OLT>ludT$X4Pujn_&0wK-J_1Sh~5O1<WCDDw>G>iE0NoTE^EOa+<?|b&}Kk
z(|OZP@jH+EB+kU>uqY+nuMCR;%IB$95OiKXceQ>`@%%+|JG6C+^^PD%YApzyRUx*U
zHVSacOUsZ?wE9Q%p(Ei({fLIfv9;<aSX*D+y^FiOt?d6Q(X>7g15qtsW>uCsFNT;E
zaMsYI91n4AKEhIVtFZ8z`?dYKAoo|yn{KmmgX=@f)=o~l65gd{rAgK{Jx>)d__ULT
zXoWvKWGtE5l8?G&RLwDMzE+Z|aZ}pn)>|=G!HLzOdt7?egNFW<-R$w*rWAiE94%j2
z1?x5D4`p;hI5yd0fUEP2I`H<v_%LHkcbq|kF?zZ;RW0tIB|o4W>TQULACE3{R9L~K
z4E_`ut(R<oRfe$6DYvN5b}mtf;J&%n=|%kWjCT6puRik7J^36B-oih>YK^M1*t#wE
zQ@Ruq<?}v7M^jr^dx`RVDDxj%czUI!|JL;Ss@tTq^2Ok&?=5l9l<>&$(P59%rS|zU
zb8o8*!q=9n;*}ajRMM98N1#w5maOEVc$oe=qqkR&w$(#v>`#{8QVGGYDVy;XlZL9^
z=bS<<a?hbd@W0LL#jbNPBN(6%kK+yh#RSIX{sNr|W8(y`-0!6yM^=H?_cc&3N}acR
zT3cVbd1A(MI7gXyt)Dl(_gb%;>?x3LJOKv>7wk6Q2;q#1d*$2H1v;8e<u3D$5S()X
z8`J4uIeV2*%vz7s2kw4V3@1`>osbhn0;E)X|F0L|1!W7B!B^!EiDEO;2|A-`I>$Q~
zoMY2^=<w8!P;wLS@|^*(K-i>1jNy|YQL2QfD6$7|NW6)Qzbm-N0lhF$tAHHn&%dsI
z)y)ezGe79*ij#0)%<j8$TR84GC&!G9EDTNw$P0)F#`=Kw-NhO%9kE~i{p3Dr3@o=3
zAl&DC7v<6%oc^q)sy3is`%TDlaOT1*cw;0yVZ*|QxzfLS&`Ii`ca(skoDf1>bffbI
z)Awe-VkT&7dxg{3OFb_tAKwb->FL2rm6Y`Q-NoJBPH^91b@lh2w+nBk-SyQA1E~OV
z%fw%X>o4#o$nYH?{bo1E@0PG=`;V$kCsE!i-rOquH#<t&-sL$V2y0CR0q7mO^Xm&F
z&!4}drj}4wf2mFo8p1;*dSGIdehD$u`9_<I6tu=h<AmVB;qjm|i!2xHbni*f9ucYM
zc&VoD0kAud*SmkQn_bWu^+lV;$u2Kt)T%V;Y$~(pd{28^P!0;ax>xFxQ<Jnt2?UJa
zq<I+eiYzxmu<&oaA4~Z9uG#SB-+ySnAGr;L)i&^_AGEkz{j=nRh!!pdx9yHv#4T}j
zY9;ofH2ZrGyy8N;zYL_(nfG=L^sT(DC@uY~{Pd^5{ubFS-@`F>eWK}La2Fy{lDtU@
z-MDb)<o*0zw|=pQ<e&tP-#f7X5F0D;=Ij6+H~cTX<m$|nc&n3R$O4`qAFA*4w06GJ
zntr_-3NTu<D8lD+*>DJPPA@h{k>V+9vM@P=`mR_1ux*|tV$t^|2o=@*{{43>&wW(M
zIx_Oj8>oFAB__mvjui#wT=M63_l>tNUqVh<*QxyW<}!xI&ucyUf=Z!~%~mQr%v!oC
z@pg~1A_G`$*FtF8SXdHpI9@ls>kK7-#>mXPLQiFBW&-0OHu&u3GDcPN^BIMKpOKSy
z_xMNDnwNj&8?na<CZ!2oU;uyccAaQ#Mng*r)+bu^f~9hIs>-ZBe?l-xCF|<a(C>~^
z?S7)Zk8WU~{b+T4V`Q0C>0<x#+)Jzu7R|5ARfPsvzF=Om?PTFPSRcbhV2eI>nOc9M
zOCOZA39*}34t2!kiZ1HoiV8h@gD)a;-a(<~RpcVVxCH2jS@}3;=fTIn(tsTntB@)3
zB4<=QnBc$QOjhl5-_U-_V2~^cK1~EBqDA$qWl)`q<y{3Ej>Oxfx<&7(s;b*Iw=Rr!
zw`QxqbeL>wOACh9qz_pJE2WetiB<q6xOuiFYGfFSg53$qtj;hCwjf56{6hVGziJ6Q
zapLe_2Q!eV5;`U!5r`8vyAkvi^Uk9vmsH7lht=Nf!_rOsrQ)Qmt<O6<>RDOS-sgX-
zSpsGD_x~jd`A8%y8T{Gus`Gwq+~cx^J=tz#X&q;2d#1TxP|p9m4QJ;L5WE^HDs;r^
zUP_UPIwvguZu2%xd-tv;lQ}3G0tIhTPz1}&)il&N-`EQ~U%06?*jsujz8CJdk$!Ht
z-ksYZtxJD&w5@}DSj@x2;og~VpnZE}9m8$J{<<mMs>)Wyyw@!$R&b!Bqp$n!+8BHP
z+sU%`ctWh%8>Fl(Z5{mv<&Tx0gdUqg6=qIPPw9FL4=16J5bv)|Tk@`8?~a_IbLbHv
zga1j>V-H)S{jr7!_=R@={`<nM{pn*8$5VyXy4p9cibV&1Tb}+1LkpCds_?nKDK8Jt
z+?D5%eWVZP-6uXLL^F<|h-#shs%k(LgRqn?J%q3Ej6X*hm1y=kkJ*RQpeKv5R_CAy
zg~xJ%;D&riiWBx8{#O2p3=ww!-8K7a<RdBRly&9HwSFIN?a}G~u6O!bVr-$dTBqq%
znQ?n2E@gt3&Ku*UqDMj!4(RQQUB}o2FVD&Er02ppf^i_(>Tl*&KF1eeEX_=rHMlX*
zn5e3%S@g#HHwxb3H6EQTX%SWcr+5*BFY<Eu*?tpu{v>cpeR$k^gz4Z-buXVXqqHz!
za&iJdL+tG5TKfGWnrd1bD~rvXuYFJHO<{Ky{<#jdU4?z)%4;_#oyz<>KaBNyz!6#I
zU;=A-mVi}%s>sL*e#y`foYnTKgwsFlj^ZH2)8z7uWyYTr9+bP<^^8;wzkIospZ`Et
zFVVWNB`I)c$1=)drPg_}P*+Qf+I#;ibZW9%gHAm>p;2VD7nHcaZ>+H#{8w#7*EQt`
z&7rgB>pa%aJ)%_j9hDv}=}9*m%E}^cvC;bje^=;nalzOqWIZ40{+tb~YNf|cx30sy
zjP}Q<nx6O0ybo^a3Dm|wwsW<eDm59&0>E@lb)BRB_kx0kFL9b$%0`?mmm~}f+^krK
zjq>&{UMi)luqvvP3W^lzw+m%(WTvI1O=UladvUhDey}r=?V2j##okqZ0~XdtQFP~E
zBw={;NV7nz)718AEp<}iOB`pUTjBTode8GCCU*Axes<Isi#oKiYj!A0XT^WOGqlde
zBEj)@wg!I0!HL})H=yToQ^bu2@W`SpjvwAN&-o%o2LW%^0dZrHmGx|#h)b{H>0W(i
zs~^TNAD_<EsYOxLfSss!_s`GkZeWRo6aJqD&-owTq^?>DS|TFIN#KyR71_uh>pcb<
zeKYf{*}5;st9>)|^#gKp92DV-EUue#bf@>Aw&t|ip3~NbqlcV1NqGAWd;$qlsuTE1
z+L&l`qho^~z7Bm7b9HfXbbR9={mStw?L}_g(XQ(ohbO=lIXc{g+|cWtWY{O4ofUgN
zd9p!B-`Ll44rhns6mjRXBRWxQh%+V^$Y`rm{Mn7)#$P()aS}>5s<LBx@cMgR)J@^0
z)1%XoY|8!=@BM?jU@X-EmQI2|%O=jsLZz{s3H^AU>n^p6OI*I4n5!+;s}1Lrl;DdC
zAP|mQ&tfB0cC!e=65}q;Wjl9q8kdC4Jvc(5ZsK#j)*3QFA(K5qcy{*4pk8z6@%X!T
zV{-2cm}X-k>2n2@jhyx5cV>mc&US$*6a5~;Ph^zWbv84%>~^21t7ApdQ~rKfi-x&Q
zKvnEC_I)5#f*Gh-Vhjw+Lm8MAA;%v--g|rXJ7A~=df>M6S8U9I=QdMXTF@InLueud
zn}>(3{+U;Jq;m}U{~@71jQpV|J$uP>a84A?HS{5dwWjQk^4dW7qfuX4S(D|C%WU@X
z{8t6*s<?{r5|`jvhrL@`KI+VRuGhF^XSP06A0SaQwjVGb_Gq!pNehX66@S+*Cr^8{
z?YY_(+ChK^9Yx2|GBAWai+KN2Zj47qU0W2$VJC5Ml40NA<Q`C6?a<K?_r7j(yrFK{
z4}&2(IyXKZ)PKIJ^53c-c&XmgP86abG2Kb8jCjX-IS%I<R$uQ><2`~!d863q++~|&
z_TH705cU7ReQfy%EKvyv-iQJ>8y3A-hxfO_LZuAPV`!@3z|j!Jw&#nZPhMWOg^2UL
z%50vh@&|AJs0I_zwJ0TPH`*_LITOu+?K3P_{~p%wt&-scMj8%^p3B`I6I=%UCjUmh
zEG_W{1wA<&U~7Tuup=&AHoBHPij0yxf?D+8iHE4VpwmkTtvaqkpD<WUt5a6SdaZvu
z|0{{-#&BJgojl>Ki?FH=Bf&)Pzg@)PKd#O~<&7``0Uy>YM%0E1kD$ZiNxEzj<`V+B
zR0;Um-0f!BewKLp#3#IYezte;m&Ej6nn=fcdY=dUs*luT>uyH(nO6<Ya#EzRPE~qP
z7V`@Ia6EU(lV~yIi4_)`r_6c*NT|SnNg`ekgo-sezSKAlnId@6pqxXNA3BrG|JI;i
zuAP`r>2mh(yvnW<pSGik?M|QAx&>S0uPMJf`$nky@D}WS_`qTS%aXXy>ig5K=qt}-
z_0VtnArBcHWJ+L($s%Pjd>aNXqu}G+PW{@^6K034?~9n1mqJ=I-B?|er6CT_rz+oy
z&;N6pT^qRODDR&VQOO!S<@}mHvQbu0P*M^6-}xI3*NX$p!1(O#5WU`)|D(yVps-Pg
z58Kz#4?J$(9n?ODu7RQz?@<UEm|zhm#K(~tG8vEZK@IxI-=BB)yZh((8qXO)l{<IV
zL>#%~AM)>5y-iHz9w*iL@Q6}9ntfWY_4`j{q8(;tJ#74y^JPof$5eO67nVEcZwOZI
z>q$%R4P|Ifwe~T3p3|dRV?i_HPt%WUW6J^h++|m7Ia=T9>$PjO>5vEa){^Um>}V$V
zpd}{Ye0Z(K3Kfv{>spsh7C$EPWTodyid#T&SJBfuxoUv+Hvz>Pb!)*HyS4ssBO{;p
zEX!O56!Q#dIUkAGjkJCPRcGPPuWIuMU-pZWD{+2dx3`;_`r0h(UBq}4A}+mV-6YKu
zi>tq8stD;H5ZOmVx%;I+o0+dhV>F8GQ5X@G3>@le6R^j422A;mw<e=g6VKsC8~#Xw
z>5pPvnN;sZ2?o4em2*q0<DC(C6$OR1Gfl8!)m7Oj)VjxrG0v8o<0F9OKsh_xthDCk
z<6ZRhW)iLNXbt-BEZLE;`iW-A#2C7aqfPh_Q9U_5sdv9T+XP@|PtVHll{%;GX$=im
zXiDB=+!8;#lT(G62Yd42(p*u@>6X@Aiq_ocSeV9}t+z6>Zjh|opX^_HPWxlAWXR(-
zk_G?Lsk+hl7=C^@?1*2V%I{^mp&SPAkDuES5(#|?c}pK5_t=4fRcvNxTpcKpgK24_
zp2u@Pymj>SA|A1*tEo5k4G=!?5@z5kjQRMHjZTx(pSQKeI6ry_f>eo$uS%!303`#R
z6p{W(%_cnnPd#Ysvh3@Km;lV6%kj=1eA<IxyjLIG&$VBE>=$^mWvn>~p6`hB<0xU*
zo%WIJ_EgCU2(@tDbw6E_J7^Ejz#_c$%FzCI6N(=h`h=<)ip%rT^*;qoI_I4eGqf?z
zPs75?3>w=^@3tuyzI}><(_{;%5We`_;~k^Y(RTCSKLSz0PTC*O;K@SK09IBctyZ}^
zb$zPBdGjEY6mpA`Erm!~<&nBf3p!~G4B3z~QB!g`dW?p4Oa6$QlHABrhn_B3PT|WV
zK#U08F{vxsg}u1^Ea}PYN)NJERzJH`^rO<ly+Zf?Wkdc}aq2v*Q<CEfNekFv@x>k=
zw?}hH5kr0932h#y2gF83n!xu9oV@G^=dt<YW`E43PN*i?=tDWB{`i@*0Fpy;w}gT3
zzbpOx8D&>EAF_f8HSU%#h@w_r!`f&ulGU!H)M9(T)@Lm;qQ>3K$~L;IQcv^u6JaN1
zmBj4@dpJ#u_V%K6M(IpVJ^+q{{>x#Q4mS7M=!eg_`Tm4~2IC!G{`Z70bO>wzpkoz`
zd^h;OvrzY^h<7)ErmIOvQb((74t4Uzug11=t_?uTP!*1&=6F1Y0So-ucgWffjr8hV
zFc7abkIA^iAKm@7+u1uTEL`PPltJPle|P7<2nZA<Qv$6bLB*B)zZ_K0U6ms`5fUnr
z(v#gEfYN%Qp;6U8@(+3!akL#`ImU7@v@B+<)^(Qv>FYKM34()(X2p%Pv108T$Xg@I
zv@W9rsUDwyn5|>b`);?dppbG#1C|a^-v%~@gLfR@!wk=EPic?4dr&m`49r`o?EVs?
zqYB9txgOxKvXXwPccoP#^O#Pu0xzhwH{Po=4GO$COYD8DpUmKIhL83*{Da{(;bbVr
zgrW1y;)ctwW64JE*4K9tHY@%xIU=^h<<UU=kB`SkMo9m^&(s9w9*QJ+4;*t)&8v>K
zCK(LR6=DJ~F>tCq+f4a14E0ze>{G-vK6Lpv8}<^rJF;PYssP2Y!&CrX(i3z{1Pv3v
z#a_Vr-&Zffax1*b<#>LcWDZ%<CpO+{YUDSnOKLsZap8mr8ZsK_c`cc8y`HU@C>n-k
zQ-0jTaVmbHE_dKCXI%J4UHj$V-$Qp$C{I;2PeSral|Q9rXG&B3I)<?(2%=VKTzZ=x
zw#c>@){1B&57aEk$x*p55byKjPJ01=23a260+BcRjp%^OzK3TcvLriuT~=Ps|A*fr
z@Rc$*cYWW$^}&9|!sY`dh1PKtiyvO67~u}fPzE?gY{T+sQhHuG(J8+tr>y|jo!E|w
z=yBAxph&^cv0pD9-ao7s;eoj`=SS^uGpSglTEFhaqWT)e{c&>K{Bk1-(pk49GAMY1
zp$h%u!_N8sJ1I%yfB&fxEKZA;=e$}s-aR1-YSR7qVE@cnaU6D=DNR|e$$EfGA^=O~
z@%kvYJv<;+kvGqj!Ampnm@&F~%@w!*PXsNmav>yn^LYDQ)(NTo)S?WZKYKQW{-~zN
zK-QBpAItBYM>VZi-Ym`6)MQOy<mF3v)_A;gIx9^J%fF$s%aIEvUhZ9aE5<G*_fm5I
z$2mc16#!;4vXGhcJulJpveL#kFmG^ZtX*AI4*ro;s}yL9&M#HTyy$H6v!8dGCS#U;
z2*9f4JlL92f!BuS*-0_%v(UqjxeAYr><2y+M7nC`fd+`vPfJrjO0^?&?O^s0SY;@;
z4VYfn%o@7+T!#e?6JjYk`4iz`qO}$zWK&cBw{&nD)Hm4+=y&z?WBPLG)f!f_)Moz<
zz4){8=$W3Lj=cPyv$}^nPUB-VuZs(GympB89nUquF1wh@se>Lx3>}Ywr2AN;o>z~D
z03yiqg2`P0b$Bospw5vr0{0jg(wp}ITnzwfn1Eqqi=sU>KmViT&cn>F1qo5XICxtR
zX-YVgbK0DOaD&SF+&<wh5*v*=Rw_!rl^CTYHO8pT_G<CuUk6nkos936wWV<X>`iu0
z;q^ZooRo@DZX4g#JY=dJdb+zgHS0B-<Xp~9jg0ZQZ?AL@#f3czBfj1@%FWG%StjdN
zHa6RzK7m%yXI=(uEihK{KFA9W#;QwcYLZfV0ztKFxQ!xqv?5?__UbIZUXJ34SHu&O
ztuq|GAKs+?MO*m^PF`m5XLOa#Y4X-FxAbq-RR0m4gBBA2#O=G`kLq*q=huHSexqdJ
zVD89N4jbO~qIqa`c6te~PbyR_lc3xdR|L00DSm*S^CB5qerhs*qXsveR9{+g1+3wf
zEJ#Z92Inz>*&V%x2%!>rV+!zXphyr<xQAjwW_5LC#of&<&5o3WM0h9;*b>Oa)uqm-
zFco0fhv```R*rD<9)zeu_zFw*ptYP)>mY5F6`a+06Az=j@i1i%nD61oiC9ElUYr8d
z`{~m^)5&5obhqCe4QGOxqUuP+CxVue<#&7@@L*17UTx;)Zs^eCg!sbY7Y&Jcq|)YL
z@Iv<_iV!-TR*MB)F*x0kFoooeyb0W7BrQMxeFD15$CyB;IhJPo0F=r;c5#oxme+T!
znG3OKX^g8Ac6?E&3XkO9IKI*3pa6*Ast}7M2?hoR|GO1}app9yV)wQFh`G6fdoi2e
z3sZm(b}uV5paaYgq!t5zZE52b=Zd}0yNh{@zFa&RvLs9qzi(}pd+8)rmlzl8a7p~F
zbYAUuF7DD^>ZY$)?_Xl~#K_N|$=5bRLa+}ohKuT8k7MK92ugNhsnip2Oin7+{^{0+
zoga&e(CO*n1$#vj*_cc21KIvXTlpQTcdDc@F&~TdVkIH(NJ1~Zw9nfG>Q5atb&HGP
zP58T=Z`nGUI#su=r89;&@(XsqWs7m@veD#yvn&Uy7la7wb!YTON4YvWb~>Dh@VHGS
zJTbSc)6i&6cy`3M0|L;Mh8BRD{LnBA(5!2lvuCflzyeR?9uvXtB3F_UN8uFz{#HRi
zXt8K$x$TS~-uNOayIBU;>(`S{WiFy2Y$ekm!CHw&CrY-*R%T6bX#2}HGwV@DC!rv}
zb?Kn2l2X4zv)>v9hQ%LxM!BGb+Oy`SCXl&fi?mFPYzl-dKYUL}`1<kVT$(h+_;}Am
zem6`i0)u)&ZEXm?qe01%n$hBPUt;2H7IXAt=yZd!4>p6>zOMxR<Oj(TaY$K0u13)p
zB^{Fhw6cCZuV@QnV!qQlIXc4VztuS=(tAnyS@H2xV|f~Ky0d0RHougWl=egeQxXyy
zJdQism<Y<~=%R3wY<4pW3L>McIfFsG?@txi*>k>faVGbQR)0rB6sSBd01ReOT8Ajd
zD|>IF`2z_Wk;)#~ool@0xRa4rTYL3^LH7OoklX6zPAgCApIKsqIZ3O2(rn)t>FVx(
zn-aZWnI>hoAcZE|Iw#|Hu$UYcc7tEU8tQK0gm>Kd+*5FfTMfAL@83W92%69Lv_-%r
z<cZ|u7Ix^)7nzwGIXuJ8$TOe%u7)b;{PFR(1{4%n{+dk>ESqNxL6Wu@I^&@TKLm;s
z5_c!S_SPqDLmn#nxrSCRhh`|%DvJS;Zj)G+m<Y=N@lC4zp|O#~<=^E{{3dFZ?KvAF
zL_RAw{=)(r3fzBu^Of5e3}fTt=7s?P?X9gDPb^pxy!rb3lfHkycaJTq!RZP5+DftQ
z=J<}ES$R;@%~yBP$z1@O&%mYhAu?5fRuHZg6Y=X$rQDNnTbSe}o__*w<P--5fc2VH
zT?iT2*~2@c4LUqqvI7LW`vTBU?C500zHOYhcSYZU-!bmXm*9lf>SV2+if})o=Ffg>
zbMdkUtf5{~#%&c=UQtRfK!_k9>>R&E&`?ocd4BfycnS<0Tne#<R)kn!s&hu|4NX~I
z7jAArmGyLE5EP{e5P4t^!z&PbZeHcbn+lc#^*?(9&Tf5k=}Ap>S2krqRjHPfs@@c1
zd6s~F_=8jVD<H;SxCz%B5=W6m03j{*Y39{w!G$sOX{7A!t!Q1h)&>ZH2KVs^c6K1{
z+P}|u<w<;IGf?T-4$ybI9bh9@XPev%1$I_exX3BvDelL?LU7<%2AhQrraW!;yFTFo
zuj<gJ+k)nRCO<vAA$#lAt=Z3aAd8H=*#Bp7dc4b6`E#<3>2%-ZaQxFW;pl|V#hJir
z=FNzBLnDXlZqi#e8P4lOE*rzE$zp*v<VgNZ?byV8sw<@uV>IlRbWKVhQ(a+&OE6nr
zUuXNK(hI0ofPB2YrfAq=_4!Yr5`O)uFenKA<Yg?Ey?>91#TrR-h^OMNh;!i}C`^Tb
zf!ot)LhxSXMQ1S3K5A=fHel$6hsT=<Tl-DP0=+s49bCZ1re|cdDq8|B?19_f?PFRv
zdIly$wzjquiwkh)e9!&$<aw&O)p;i;8+cSd>+37y;8?B)VZTsSZ;VNKySmi=?(D3u
zqBtivuV|)n+x=~0G|`b~f=NPw&2*jySOhQkli|GwFyE|tKG8e1h#Hrb8;R{;@*!na
zA{)L77diA+EXdI@pcB4B%}5q`qtEX4W}=Gf@14cyFEOnmRJTY;Z;`5;TwOv>n#mT=
z720AbO+?Y}r<nMj{U(7|?(*^y-n#ba*fkfP!amcm50-W&S10Dcn%cq6e{z=y>ICF*
zNW{vrPY6!q)m70A+^VhFsRnsMP{sNkNa8tWN;0xy)!h^oA1M)V9UI3CWn_?$+*<p6
zli<c1==u2t21bX5`j`Fd_defw@HQzan%8HDap+4D3{XxE4e4_GXI`6}4BE*{-M@MO
zYLioQ_6uzHUmGZz|4|e*PtS0#VjV_$ycqBc*t#{_z&=`L*uv}MgHQq3F4-Rq!Q<sC
zb+nhlN~YktX>7{h)`k5<mabJ>X#?B`VgG34J)Z>yea)^h{AA+(P?PFx3I2L*Gc@DT
z_H-?|_qzh|{|KW978aKE7jm(ym_5iosX#dZQ(*pq&|OpB3bq+%CnrIhX{Pt9JmuAp
z9(9}}Mqup8$Cw!0y*br5A)l*yk6$&EFiMVxhv-k1M&5^*nEO@b{GF-^TJ}IVtp1Ff
zVrEK(NB1;|W(Pb-NRtyoPg$XE&0m-XW}xsCCXf}=DF=yIl6+qEQRtvmEEpLbu4P4E
ziH6pYh@9NI71?QDvLI)64z@QwGS}GXLO?LU$M^Tmn;<G`BU`B+`(Es*P!Q+z-4yYv
zn4xnjbsZQ|T+FGjKWo=9n*wKt`|*m9vodT(?WLsTzH$_jUJ2RX-_K!;metqShZBwo
z*6N=>Kd(rAyzXn)V_;z-M@L7dd^M5X^<$Q7c=}XSG$ftxLUGYIzRH>Y@CrSX)wofU
z>(cds!IIG(dOkAZ(F?bC$0lDn_=GRs9$y95#3*EJ5yqC51U&pe8z~bvoJYSl1AFY|
ztD7&)jY3QUlO^yGAR~B9C{<C1yperH%@>~!IcJ1HTH0-fF+IXpFb5!{S?@!=G{VzF
zI3@~piH}0Haajq2_)ONhynx@w$br{DLrf7w5QK>#-qQt|!8<>m{!1EJ;doI!{D_w0
zU6k9B+(q4kFAmDLCWw>b@|zQRsb!}T)#vQ*JG@F{A9ztA!eU}*QdyRPq|D_;gAH!q
ziOvRT{qLoRNqB!9*<ci=n}^5iMpWoVZf;F`kAjBma@>y}k%e4qx1XjRj*eP?kZncR
zkne=g>U>Y1s-pTyMKxfF$C3q{fdw}n(biM{>ks?%+Z4nlz}oz~A?EPV+G{e5oE?zD
z{>_gWo0xEyn%pBhW{7z2oUinRrAne0!lX<_;a}jaf(TKUc^To~nItZzK`vD#W#Ud&
zd|tlV_>X=BDZ-u<bZZiB_n9$BvBqzs|7L-^(QY)TXvuamrDLU^=Qo5C!{YEmgluzb
zsQZpQA|)@6)p}QXDSYyT2in+%fB_Q*fpo6Y(Er1ne-024ZmvFgD6RVaGt*v6i9Z&K
z6ukGcsyp-oIl2vATKw6hVzc58K#-VIcse{bSna)x$x2|w$4}Pa4qtTp=FNI<Zxq9w
z@>lw|ZcXk4muTj{hn$Nhi~<bm3FBT;{akF^egh@}LB3a!Mdjsl25F+fhoZ{k%;!L2
ze)I_BVG3yBFD>%51=JA{|B-E2ox8i#{Bf|Wo}$<CLJ28$v|kua*@AbrcxG6Po}?we
zAoFEzlKb)Y&63bo#1NQys`o0OSIsdkCx_=Mc_aPoInMBG>oXZ^j$|e9Kz@C~#CQhL
z-~zBYPL?=ibSd3K;dZh4^)p&ny5`|0L$aIY(;>unm<IN-9sU|2hUVs&$Xb6AP;c>f
zvXhnpOq5i9%eB+k(fdo%G8=tYjhG|F+P5v*V@bg^lZ3Jec_8tFeGzU$^m|kvN&4Pb
zFON~|G8Ui{hNQs|uchq(7-)nh^|Qf~gF@lc+UMII<<3s^4<0xP@C%2^D{7;LLFip9
z5C%aIdsS4vi#z2xNMygu^>*S+G&7`_C(<;ss%RJ7Q2qL&p=B1HuU|uVWcSbd`pP28
z;U!xV-EPuX#>k&a{$|SfV-4TF!DeuJcAin#!5P64T(M=MT^u3Lk*$b=^v{P{9yMHJ
zODA|%pI&Y2z_3!JScU0N^lZMtj})17n6Z!&%S19Q3ad<<Ml;g%W2OqtH!LiS=Me^&
zPQ8Ir-il#mW%Zw-WYO;#qq&5lfkEnS0G{hILv74|EgPIruggmm=u^F1JU<o}5O|&>
zKC`eq3pdWc%P~#y7$h2Hg*zU((#2z?QLm;1^%s)9lu;|8W5e&&mqI5tY3%|TmTEOA
zIkeAD<!V*39bS&d-W~_FL#)bH+FL401UNr1X9W1$5F$k7QiE|WcJmSt^dROp2#Y5~
z`!5&=vl^d1wbHQ}yyWL+3#p?@j+tIMm_uuladqv_PS~pZT|a%Y|6QbW<o{iQ$|uGD
zUBWXjMLcYkoJO+?_!epT<)5(6{YcuveZ9})6hSBlK3drar4oRE0mY=*AM4+CxA2@5
z(05~4p8esxz`3=w)(R7YK$X;Tc0SjR$CWu&fm4#mMl<|CJ53=OsGZ&Df)lRYSe)l^
zu{Ku4N-=r@I1Ua?<a3LkOPA%2Q7Bu9nmeQJQ{ln%2hU?$UA*;~D(-}h+6v`LEx&+R
z95Lq`{|(AxdEkB5+xwFGzB$|(IK7U0@Y(JH#~FMQ70OI23UD2e)lc|9eVQ%Z4G-~b
zMDV)W&M?mJsw4`ohmqeM)G%D<nd!^n*{F=5gohEH#7Z~!bbQms?KTQO{$qQous|5;
z)l?$l1PoZ@Lt@OoSOs+*xP%%KYAt1DX~yWt8(PkeJ+YjYbJ)8n`R|TpuwY2%L!y9p
zZim4R!Voal)TFwcC|byn*K<oT3Y&d2SYnd%?Q3=x3#&!Q4K`3>ei)q}L2zR8wdJhB
z)9DK5yt?2{5K@%qSN?lUeqs3t-l6yJ-<+|umBXzRNORD@U(=cGVNMg!6ZpCYelL(l
z(R>XV2+M4#+1c}8gfJvm%^+C5#>6>5;$|`rX&4^kHf;V#CAYK}TQF5)UFUZ<v|0E)
z4%S)bVd9<+JU5Y>G9et;Xb4GFc|8>`R69@_1}Y^FmzC{TW-<%kp`~$^eoDl<{5~Q)
zJPZ#X|Nh=w_<w^5VHWCRrs3^iLgveUlB+IwJ3qxiW51$s?>=>Wd^}X<6m0_4)z#>s
zPgC_S-h_rMEEtl6s_y?=bARjE&Q#704Sfnqa+D@$B<)vXm=B~BeEr&DUUp6FcUBir
z*$E;%0*=XaMtj2-^kMs#4$7EDw;LrC_4K?iPWF+7AFkYUm5+(gpjV0t!vWB+`ReG%
zKR<Z(ocrvA*iMIuD4}|Ny@;6^AtE7RERA{N(taXkDrSW3(8r7_<={{f6oi@BcQjqv
zKGlbB=g36#MF$6`hms537smU-@?YO~N)LK0$m(OX{A_1u&h<9YQo4`uXb!+oNJ<(5
zgFnLl)<dQ-Nso6f`r}6+h)1w_$5nS2A!#ro#K;H*0Y#T-Nt{I6@cir$;c;4ju_Vlc
z2!m@4F|{xQU&Fg9P7>^&utPzFngB6kw0pY9O-AZKglW9pirnVlcrTNF@jZ8{%mfR*
z=xsI&r4$&a1Jy9hNN$>mz5b6s59&SAbfcRHALm)KDIeO=E*1jIlT&U8iG)l0!+O#n
zB0Ksl=!~FKf=CIh+NPPCI063MrvG_Q5GZ-R-3f@^LnXO&ivVetlUtLk9%GQ!ovija
zv=dE!nwcWzN<fLGO&b;}fsIx&M<~lfg$Gk&;GRU#hzXutxYzeZOL2@B>AH(B`pKjN
z92I0R6g$U+rrur-h@{B|6M&JOd4xZKiIF3}B*X=6@ZnRy;(x1LF1KF{+Mc1Uw^+(i
z#y=B-CH?j5S2dn)hMC>r3?O4bjY5{#_uo*))Kq$X^SwrPma}A@0JlyfL@HzG>hjnC
zdHh7FpSekw5T`ADeYukz@SVj#Trn2qK_II`^ZDr|xTO;^72qlUr3}hgf^c(Z`5mLO
zwyF3&b3kS-uQ#O$q*HN8Q<bC8V<IqF4rrvT2uG3-;eSsL_VMYzDUR5WABW$eVeM6B
zYQds5QJ{l`2o>txfqplt@!CR@IBKY4l8$b<+B-7&xY1XOGEV3le+{jxkcWZ6YYpyb
zNP2quiFV6!Ar+UHQAp)NE3yE%ASRLxt0zx#auQnQFpr7)S*{sE<@h^DBUY^Iv8&D`
zEXY`;v+m)BLVkekOL${iUIlo~LE=pAGv_X^>YSlSZx!FH*tgt`HE2(Q<-_y*>}ye|
z<K}-=X65MmP)0$1{+?iP_6xkC+j!IO34z6i?V-7Mc*J#=t7GOSuWy$YSu<#-bF_j;
zQ;u@RLrK>6gvQ3kkC|S=G_=OKIXHtpgwsKodBdAXSeQiBx#_3>=E?Z!n0>k(WAY1-
zM8MbNr-3Px1a>-z8+N-rUQ1fv2|U|S4J0K&YAab`<|kWa6~_&hY7tRBDm<D97~-W?
zZ?hN*Oq;2h88oS`?ic_mxFy~pgYqCv6DvYpY9hU=h@0lYD121leU(s8{@eOYZ5<L`
zdk6wqEpl@5eZe)K@|$6cQ~}aDe~tKQwt<<1d`L~C<%mDLVhxFxYYqT!fIKt<?binx
zmS!=oATAaHeCY7@1m0I9bCuYE0cSZaP%HmiFk4&jy@9Rswj#O7lrNfXdZ8JruGFY1
zk?ZHU=~RvIP%y(o0RuYXVdgTjHD95?D0?iA9VbV86Eit-2NfP|XHs?yKE8M_7)DuM
zQ0H*?y1tK?k<)_Up}}f@xBlzpU(&)e(=dQ^9()h3JG0FbA3OLd!xm`+q-p;dAw;ya
zd1+~&9|g0dJhr5kF;nJgw*5)=Nv_`KT4JuUJYlglm|Lq99pTcekNcSPzDlI!>k1z}
z@dUL4>+pVZlPlxx1vPaF1RV>Dl*eb#lr6}U2-9XDc*wGRrpm4=I9LlO0z7pOSjA`&
z85tR<miGmN=}}Qpp<egx)2}s@rj1D{N#eusUIb&5gDPlwUE$>y-#<)NIJ2`x_fIi&
z1kNTU`8PHqhCoPuJj$2XkxsP(H%1(843LQ&U0tz!6)3r8Yn*ZI9I^2oO4<BCv5ilK
z0Ec3-sB?dkh+AT-B=lzaX(E)e2a-j}?R1JwL!ycQk_PV14<tiqeZX%2uLtZy^aeJZ
z>C)2AD%1GgJ});7;<@5o#dtNRjcnUkYjUWs^(Tkw29Dk)yCVbNaX1*I2?kew5T3iC
zF;S_#!Ytg@{S})aS;;j;9Qx~dIXSwGUetDu=rSP2ZLk5@r=mo+1y-9@6Jud&>;Dzc
zo|m@=V-3hL;e-ao3;iup$E7W;#pIQ!$$=y|S3OC8aqEGb6btEDN-td)F#|T5uVCIl
zY(fHLXu(x8sjUs9dD4rYMB?z#hAmrnRbYl@uIg)TZEe~Uy@5F1*0Hg}wop<C3!GTZ
z3gcQ?)pNGIhl*B6<>iSdc>_asPEL)6j*A>;(R)fUAYXd`*%LZ%j0wDbe!em#Fr|W+
z3ERJtCKv@ypFd&pD0t|;EEymFxP~`)h(TYAO!2=}I`PbgXDBL%h~(WnSfvQiebp3V
z|Ep1}L`VW!3IYPkvXxMpV54r!d`}T*jE>WihJVh3@Z7%-vrlOeCRS#;={ia~#}Eu@
z`0*T>`Th<E;vx%6OMFE(6;+ZR2LO|eR?`r&n=S{hJG`tYCZN=LRM((L!J$a`NRwl5
zVj@-CQ&8HE#}chf<0=F|R&cQ>3zPBpmwWs61?5p=O}}M|z;q?!5==0#Y)##-?`uwh
zadaqXm~h&5QC3k<REYUHv{(5URq)g2SS21_SeoGRIXl>hNlLmoM^WLIkU+CEdRgfW
z&mBx3a6dodgw#9{rBGKB0voqs>)O|^p?Bo@;uY1@#vrgdG`)T)&dWPAJDb#JempV~
z9z8l$iL>rhn;Wfs8buEa7b|P<?I$9<nVf4RA`d)|6qS`r3Jd$^I<ijwS-_U&ivre!
z?1XsUctwDtLo%aW4Y~pV8G)gQ$R3MWUBs(*mCqr7`8oF${D({=cX@f0mzvPO>7DSv
z3{zM~AngeLWkqVq#*1^;dd`oxiSR^!dCXP=WAsMgU+~HUWv-r+1p1a7F!+WY`NqUr
zq+N;*-v&EiC5~5)UJ_cpkUE1rKaHJZTZ+qng%sEmfv5+aiSMOvN^@Vq!#zjwWPy|=
z=9S3*Oyw{`Qc!R_&6_D0=25S1ZQ&vNyu35xMV+wcd-3)B`~x^r1bU&;B|B}b1l#TK
zY^A3g0USDB@#<<j@ic@OPn6CsoT;3KB3xjsH-8<--@=|p`I^0$tzjzJN>fu)C{2Nb
zgEpJvi#Cw~>i5kq+(vIy!srT^p}k<EM4L``%7erSJ1hm_QX&gFT2pO98O*kd^@b&y
zF^{6aOhbsk9kj{+m_o^=Umr4i6j)~AYC8u@8;SP2<O*kqDj*9hD-|$AvA*w>Sb2DD
z8)iUYAVeHWrmR=`lXtWJPe)e*4Q1Pg2c?uOqmXEnX{3-Q5{j0wZ~0{@WgDb4p}x>(
zNfAvWvWztmDlL53DWois<P$3SDUuYXXog9}f6ec3j&m&Y&hxzQ{oKp7-0m*8IaO))
zG{=LQVc+rMst9^`E(4Xc^g|cfY=^M0odjpw9F82=aC*df44X@-I^j<H2?R8H1VVba
znbh9pqeenw3jSg1bW;PqxvCCZ>tAiK)`;@(@tm$GSoE$=WZ&EWn<)|+TDQ_|n6{xO
z45IhkcFD?E7dQ#LKvCL+x2LrM4>5f8YH+g@Wm&x?^k*)Tq)ow`xGG~}=IGJ0HMlnp
z9#dn|P&`85=R{~@bMvR3JNATJU5N8l_#HT&)oZxQZS1eP5c)^J>0!7Gi`M%G%S8QI
z@02I~jN;Ir_W|h&(tFVQ32cn1d;X%Sf4!LXexTr9zO6=WW<`mOjy6-2k40v^GQsC@
znBL%9=h7NW?dj8}O}~z-ED4(99%G8g5GQpd_U(jWBJv0r8N(hFB%7F)mJk>6&_bJ;
z<>~7NRjE%PhzIvu!2ohlRyrQ%8-}Q$kb?)jrKRPolq<hB8)vN_{p3q8Dz3|uPS;RZ
z|6W<x@oF$!Ucm8$aW9;>@kYGwIc+&oL&U8_Adm-YYhE;8Z1!wxZN->dd^L5EKWnMQ
z;lrR*Z4=a#7Iji<Hrv@ZW=H<{l`!$X)29r*pY+7UJ-?ZoJg+px3K0Mr5?{NM4>KTw
zR#WT7ofN?m8LV;o$K*H{`qniyHE1G+xX^rIx(Czadw1^=8lLo>O-_)+e%m{%zuvhf
zOVD|Yymf0dS=AO$l&S4^uK=C4kWf+rHc*0)fc4QOCU!ZAB`JwGaivBtbGN`lG&A#E
zOoi0e0@NjM-|{<fd*;Hb=dZmN3Xaj5!ZbI5<FhyFqpEf0N)qY4XiEu^)Rw?sFt@dR
zUmd8zq|N>Q(k;KQvFF$9RAu2nB5%0aEIfRqL002XN@C)=K=++_xw&YU(*6A<2|sIU
zC{d!j%x$0b7X~#=j=$+Jji>dN85$ab+?TdPt4o>LsDPg7HW?Wi0J8|19FCtZ<7t21
z%+ninp&&e#^_{>V1{;ocE<%eX&U{(T!zhArasVjo=>Imd%9x=@Nv`SX)6-KEBf#Vf
zlsYbtht*J8H|1fyA2uN{;zqti7#qxg);H#hncny9cQqQlsB(R9R!1U+y>NwQZXZD=
z8h?y4Cju=I!o%5#voo(Yv@KRABb%$%({uR!TTGB6SXx*R|2dY*Aefi;FM@3fBq<74
zeF3HE<CQC&vC$tG2eLM3>i=CBFLBC!`}Xb7_9iZ&DB~CLosEqR5@majA>f$ku@Xa!
z18YWdR&5@&$%;_~f8L<GyL*F#71wO|L8_URRe4Fto=>iSxLg~zYURWq4N{`n9IvCX
zm#g6~91_CEgN1iu9S8wfl$+=X6UO=<pYx?f7yL&|=2iEr)JN67)we7G&FOE51ERBp
zOEWMg##TgQgb13O-R>ERLFkKrZvb#4xO=3|a<17e%(tFjy?QnLV9gcfN7J*i7Up<<
zUwiHluA<;uDiT%X>Z&fg-2YLNylD2xql`)I)1#f!r-;mQIDW#sl_}CFZLZiN1H(DE
zHqZ0M<p=_Xt`?cL{!)W3&VYw{dY?Xz3P*x4-<5BQs_#;j9pf5e7mU&z0pN&)?h6JB
zl!FI{7%6;dJnbAt|JQW9Hw-<I&_mn<Z@Lb5dMz-+lM@rr#v(-0)?dledh%_|4tY-P
zBvBO)2-um!bo%)YV0lEMdU_7Db?*04Kk|^vpZd5_qMJk=q4^e)D_T|5+S<_KES$ZE
z=m59!6meVSr9{$eeW<Cqdw3)!CyNLyl)%q%Rm&)BUvpbTM3U3@Bg<w90Sdh^@-(N7
z&}@-XV2)s7A_~wTIoU3MMrqfkzE6zv2_!@HQvthou?X%bPXavYVBWtz@G4&`;yaHw
zfOa?lcS5;%VV8wJ!7<rNgC^2xfcG+Z)0+gYC1AV5S6PB&7*}OCnJF+6$uW8iGiAXK
z_)M8#PQPkK-kV6I61KWkz&eff1CL~CYz!BZAwPDss9BhN4nQsH&JUESRHC;J;Nj>E
zctbB@Fi4t(L>MaVawDIFV2xE;US1nAl~*vIu6(%WRC8CCG<#sZZRL1_5U>QblTUN1
ze*Of%`9;`__`q5nZEX}UMP!3Z(X`>lMR^D%u*#08+r-XGdiAi#g+b<>5tNku6=(d+
z1Gmlv!F(R+ZgPsh^wn&vF<eUETN`fR^P3Ofma6`A^~onukm4VyI~!FGJ__PdPJX^h
zy`#CW5L2=-5}abxSGRB8yg~ADI>WoO?P#&{qe`Xt*WM-00AF9%k5KfM5Nc>>_yFOo
zq&Brh&)&QVM%)K_oc10ic+ud4C;xp#bh}3rWi{)AH-3lyte(xjp@M^NSNL4HS9>ZS
zYvlu0yZWK>G1%OVnOdw*q&Oeq7zX5K7rcCKVHxb-AGFzUt+};uWMX0$><hKEwZH3F
z34aq<Tt16e$}u`;@*av2UC&#5crhy&JJ8lpn;NX%s<$=q^Z-sf4k{Q7NBIhr^QL4&
zak_;i65=BYN=ipiF2!?uddf3&{Ft{@>tn<c(hCcdP2*RNe7fPs+<U_+Q(JB0MgT&U
z{JY8D1t0{BnE*lQsv;B3?Je5@Nzk*gVVJP$QlIP?{gxvoH(Q)bP=f3W(mMckk`md&
z7n@?m7R$0K(Bs<dR1BrCJQc5H-f(5-Y<5z}O8?-u#&P8H=-f{}0EvX&qr#EcR2B;Y
zB?;wTr`UXZWRpG}nP`xbc*i`b7xQ%8BlB4-{%g%%syuo)agW0EW_f-u_vq+Upeyd*
zS9-G}WGqPVs%eP5p`pJZM)9)qAOsztMqxcT==shyGbbywwQ~!${_<R%3^n6~uW$94
zaYyqZ$1JjrPH%hrW(|!MUo?dY8CIP9d^&^vvDAy{d}1zQVMYV=i-Ig&qX>S3-bNLb
zZE#?MtEgJ#fYq_k-NTJEAyzXiO_xhZyzJ=sq*&19YeJ#OP^>XlROVlaZ1ZZN86Sy{
z3u9;eymu?+bnVg3>j=!C8KwC$%FiNpAQr_d8KlCaC(wtGTUemo)9RbYX7jjTq94ZL
zEY@_Z4N)<i=e4KxIyhYWh*JY5kZyH<^I+i+plvJcXcm@khLj(tKD-EqgYZv^Z)|n{
zR~bbUOU-`iDHWuTpKWp?W&n^fO{h;z32;*dWHNm#y=9I!4qjhC`F>&7!_@&pD7X;Q
zym<~`OE-9XYba$)=bPGI*LSdVapA^z7u;+%F@21{awH;RRoZ)DK}<qe-QrUD0%q~t
z7;~w$L{f~T73BxK@}SL#O5$esmxTpkCepUsgW+@XD@Z4g`}mOGb(Dc5DOi-G>#p3X
zkDqOGs@?Lsd;wucR~~mNd&HHj45tvz<YYGR+gO@A<NE+3vblWutAfIxxml7n{F1`M
z!>xX8#tMSLoMUu$x;Xa(aMvK=6b?O?QpV}b<#O*A6+wJ#L#GR46&~&!3}uU4ss`b(
z1}Y0?vnyQL$!Sh@4!sitE~ZYwk@fXoqQ%k=SZQUvh(np*)AL)`-|*br0shcF2XF7F
zS?CqxfJ0g{|D)3=$x}m218(rAfsR0%7P`UPFP-0E*5ym3QlSOJPGRE<yeqaru;W<I
zo#ebcRBh#P;%tkX`!|xQHMbsS&X3FGL)5K34HuUA^((-xM)l#?^Ep>X#~<TzWnFH|
z@~|H8F9$^*0EeX5qM691SZNlR*rJOU<B+dAw*brgbo<=S6-*jN```hUDj7V-cpR2b
z_zarBJ&TWh>yuIWFlnAz^2lI|i;9Z)Kg&QAo*#eHIXw;X5$LM;!O7`afFO|Jp`jlG
z(he#K@2UIxiMtn}oQFnI4Z<Uwf74P@axJC%?cw?ZL1?IxpcoY=8G<^Sh-agDW+m}b
z0xnZQKYOjLEKuG9$idE`wSE8ogb~y92{av$)gw+}hD*WIqH5Fg=FPL?fnr3326rvU
zTP=f*dTA+ovs~10aM=ZVMil5-E#$kbX3w&|v3MFKS#9MqCM~HLXAmsTHIeh+8ejwc
z;ekgZ*&}rkPQJhbs9phD38gR?ts5H~V>W;9{(ZPfgNcvr2Xu8{Ig)B9$^b-k?b@{q
z7cO9r1lH8>YT}N0`1-zm6zpHSKq8XOt}1U_Sn_2hr(O4Y!6OJS63mTlXvKToFZ>Vi
CWzWC>

literal 0
HcmV?d00001

diff --git a/doc/arm/intro-dns-bind.inc.rst b/doc/arm/intro-dns-bind.inc.rst
new file mode 100644
index 0000000000..f8a61c4c43
--- /dev/null
+++ b/doc/arm/intro-dns-bind.inc.rst
@@ -0,0 +1,197 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _dns_overview:
+
+The Domain Name System (DNS)
+----------------------------
+
+This is a brief description of the functionality and organization of the Domain Name System (DNS). 
+It is provided to familiarize users with the concepts involved, the (often confusing) terminology 
+used, and how all the parts fit together to form an operational system. 
+
+All network systems operate with network addresses, such as IPv4 and IPv6. The vast majority of 
+humans find it easier to work with names rather than seemingly endless strings of network address digits. The earliest ARPANET systems 
+(from which the Internet evolved) mapped names to addresses using a **hosts** file that was distributed to all entities 
+whenever changes occurred. Operationally, such a system became rapidly unsustainable once there were more 
+than 100 networked entities, which led to the specification and implementation of the Domain Name System that we use today.
+
+.. _dns_fundamentals:
+
+DNS Fundamentals
+~~~~~~~~~~~~~~~~
+
+The DNS naming system is organized as a tree structure comprised of multiple levels and 
+thus it naturally creates a distributed system. Each node 
+in the tree is given a label which defines its **Domain** (its area or zone) of **Authority**. 
+The topmost node in the tree is the **Root Domain**; it delegates to **Domains** at the next level which are generically
+known as the **Top-Level Domains (TLDs)**. They in turn delegate to **Second-Level Domains (SLDs)**, and so on. 
+The Top-Level Domains (TLDs) include a special group of TLDs called the **Country Code Top-Level Domains (ccTLDs)**,
+in which every country is assigned a unique two-character country code from ISO 3166 as its domain.
+
+.. Note:: The Domain Name System is controlled by ICANN (https://www.icann.org) (a 501c non-profit entity); their current policy 
+	is that any new TLD, consisting of three or more characters, may be proposed by any group of commercial sponsors and 
+	if it meets ICANN's criteria will be added to the TLDs.
+
+The concept of delegation and authority flows down the DNS tree (the DNS hierarchy) as shown:
+
+.. figure:: dns-tree.png
+   :align: center
+
+   Delegation and Authority in the DNS Name Space
+
+A domain is the label of a node in the tree. A **domain name** uniquely identifies any node in the DNS tree and is written, left to right, 
+by combining all the domain labels (each of which are unique within their parent's zone or domain of authority), with a dot
+separating each component, up to the root domain. In the above diagram the following are all domain names:
+
+.. code-block::
+
+	example.com
+	b.com
+	ac.uk
+	us
+	org
+
+The root has a unique label of "." (dot), which is normally omitted when it is written as 
+a domain name, but when it is written as a **Fully Qualified Domain Name (FQDN)** the dot must be present. Thus:
+
+.. code-block::
+
+	example.com     # domain name
+	example.com.    # FQDN
+
+Authority and Delegation
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+Each domain (node) has been **delegated** the authority from its parent domain. The delegated authority includes 
+specific responsibilities to ensure that every domain it delegates has a unique name or label within its zone or domain of authority, and 
+that it maintains an **authoritative** list of its delegated domains. The responsibilities further include an operational requirement to 
+operate two (or more) name servers (which may be contracted to a third party) which will contain the authoritative data 
+for all the domain labels within its zone of authority in a :ref:`zone file<zone_file>`. Again, the 
+tree structure ensures that the DNS name space is naturally distributed.
+
+The following diagram illustrates that **Authoritative Name Servers** exist for every level and every domain in the DNS name space:
+
+.. figure:: dns-servers.png
+   :align: center
+
+   Authoritative Name Servers in the DNS Name Space
+
+.. Note:: The difference between a domain and a zone can appear confusing. Practically, the terms are generally used synonymously in the DNS. 
+	If, however, you are into directed graphs and tree structure theory or similar exotica, a zone can be considered as 
+	an arc through any node (or domain) with the domain at its apex. The zone therefore encompasses all the name space below the domain.
+	This can, however, lead to the concept of subzones and these were indeed defined in the original DNS specifications.
+	Thankfully the term subzone has been lost in the mists of time.
+
+.. _root_servers:
+
+Root Servers
+~~~~~~~~~~~~
+
+The **root servers** are a critical part of the DNS authoritative infrastructure. There are 13 root servers (*a.root-servers.net* 
+to *m.root-servers.net*). The number 13 is historically based on the maximum amount of name and IPv4 data 
+that could be packed into a 512-byte UDP message, and not a perverse affinity for a number that certain
+cultures treat as unlucky. The 512-byte UDP data limit 
+is no longer a limiting factor and all root servers now support both IPv4 and IPv6. In addition, almost all the
+root servers use **anycast**, with well over 
+300 instances of the root servers now providing service worldwide (see further information at https://www.root-servers.org). 
+The root servers are the starting point for all **name resolution** within the DNS.
+
+Name Resolution
+~~~~~~~~~~~~~~~
+
+So far all the emphasis has been on how the DNS stores its authoritative domain (zone) data. End-user systems 
+use names (an email address or a web address) and need to access this authoritative data to obtain an IP address, which 
+they use to contact the required network resources such as web, FTP, or mail servers. The process of converting a 
+domain name to a result (typically an IP address, though other types of data may be obtained) is generically called **name resolution**, and is handled by 
+**resolvers** (also known as **caching name servers** and many other terms). The following diagram shows the typical name resolution process: 
+
+.. figure:: name-resolution.png
+   :align: center
+
+   Authoritative Name Servers and Name Resolution
+
+An end-user application, such as a browser (1), when needing to resolve a name such as **www.example.com**, makes an 
+internal system call to a minimal function resolution entity called a **stub resolver** (2). The stub resolver (using stored 
+IP addresses) contacts a resolver (a caching name server or full-service resolver) (3), which in turn contacts all the necessary 
+authoritative name servers (4, 5, and 6) to provide the answer that it then returns to the user (2, 1). To improve performance,
+all resolvers (including most stub resolvers) cache (store) their results such that a subsequent request for the same data 
+is taken from the resolver's cache, removing the need to repeat the name resolution process and use time-consuming resources. All communication between 
+the stub resolver, the resolver, and the authoritative name servers uses the DNS protocol's query and response message pair.
+
+.. _referral:
+
+.. _recursive_query:
+
+.. _iterative_query:
+
+DNS Protocol and Queries
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+DNS **queries** use the UDP protocol over the reserved port 53 (but both TCP and TLS can optionally be used in some parts of the network). 
+
+The following diagram shows the name resolution process expressed in terms of DNS queries and responses.
+
+.. figure:: recursive-query.png
+   :align: center
+
+   Resolvers and Queries
+
+The stub resolver sends a **recursive query** message (with the required domain name in the QUESTION section of the query) (2) to the resolver. 
+A **recursive** query simply requests the resolver to find the complete answer. A stub resolver only ever sends recursive queries
+and always needs the service of a resolver. The response to a recursive query can be:
+
+1. The answer to the user's QUESTION in the ANSWER section of the query response.
+
+2. An error (such as NXDOMAIN - the name does not exist).
+
+The resolver, on receipt of the user's recursive query, either responds immediately, if the ANSWER is in its cache, or accesses 
+the DNS hierarchy to obtain the answer. The resolver always starts with root servers and sends an **iterative query** (4, 5, and 6). The 
+response to an iterative query can be:
+
+1. The answer to the resolver's QUESTION in the ANSWER section of the query response.
+
+2. A **referral** (indicated by an empty ANSWER section but data in the AUTHORITY section,
+and typically IP addresses in the ADDITIONAL section of the response).
+
+3. An error (such as NXDOMAIN - the name does not exist).
+
+If the response is either an answer or an error, these are returned immediately to the user (and cached for future use). If the response 
+is a referral, the resolver needs to take additional action to respond to the user's recursive query.
+
+A referral, in essence, indicates that the queried server does not know the answer (the ANSWER section of the response is empty), but it 
+refers the resolver to the authoritative name servers (in the AUTHORITY section of the response) which it knows about in the 
+domain name supplied in the QUESTION section of the query. Thus, if the QUESTION is for the domain name **www.example.com**, the root 
+server to which the iterative query was sent adds a list of the **.com authoritative name servers** in the AUTHORITY section. 
+The resolver selects one of the servers from the AUTHORITY section and sends an 
+iterative query to it. Similarly, the .com authoritative name servers send a referral containing a list of the **example.com** authoritative name servers.  
+This process continues down the DNS hierarchy until either an ANSWER or an error is received, at which point the user's original recursive query 
+is sent a response.
+
+.. Note:: The DNS hierarchy is always accessed starting at the root servers and working down; there is no concept of "up" in the DNS hierarchy. Clearly, 
+	if the resolver has already cached the list of .com authoritative name servers and the user's recursive query QUESTION contains a domain name
+	ending in .com, it can omit access to the root servers. However, that is simply an artifact (in this case a performance benefit) of
+	caching and does not change the concept of top-down access within the DNS hierarchy.
+
+The insatiably curious may find reading :rfc:`1034` and :rfc:`1035` a useful starting point for further information.
+
+DNS and BIND 9
+~~~~~~~~~~~~~~
+
+BIND 9 is a complete implementation of the DNS protocol. BIND 9 can be configured (using its ``named.conf`` file) as
+an authoritative name server, a resolver, and, on supported hosts, a stub resolver. While large operators
+usually dedicate DNS servers to a single function per system, smaller operators will find that 
+BIND 9's flexible configuration features support multiple functions, such as a single DNS server acting
+as both an authoritative name server and a resolver.
+
+Example configurations of basic :ref:`authoritative name servers<config_auth_samples>` and
+:ref:`resolvers and forwarding resolvers<config_resolver_samples>`, as 
+well as :ref:`advanced configurations<Advanced>` and :ref:`secure configurations<Security>`, are provided.
diff --git a/doc/arm/intro-security.inc.rst b/doc/arm/intro-security.inc.rst
new file mode 100644
index 0000000000..40abef87c2
--- /dev/null
+++ b/doc/arm/intro-security.inc.rst
@@ -0,0 +1,76 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _intro_dns_security:
+
+DNS Security Overview
+---------------------
+
+DNS is a communications protocol. All communications protocols are potentially 
+vulnerable to both subversion and eavesdropping. It is important for
+users to audit their exposure to the various threats within their operational environment and implement the 
+appropriate solutions. BIND 9, a specific implementation of the DNS protocol, 
+provides an extensive set of security features. The purpose of this section 
+is to help users to select from the range of available security features those 
+required for their specific user environment.
+
+A generic DNS network is shown below, followed by text descriptions. In general, 
+the further one goes from the left-hand side of the diagram, the more complex 
+the implementation.
+
+.. Note:: Historically, DNS data was regarded as public and security was 
+	concerned, primarily, with ensuring the integrity of DNS data. DNS data privacy 
+	is increasingly regarded as an important dimension of overall security, specifically :ref:`DNS over TLS<dns_over_tls>`.
+
+.. figure:: dns-security-overview.png
+   :align: center
+
+   BIND 9 Security Overview
+
+The following notes refer to the numbered elements in the above diagram.
+
+1. A variety of system administration techniques and methods may be used to secure 
+BIND 9's local environment, including :ref:`file permissions <file_permissions>`, running 
+BIND 9 in a :ref:`jail <chroot_and_setuid>`, and the use of :ref:`Access_Control_Lists`.
+
+2. The remote name daemon control (:ref:`rndc<ops_rndc>`) program allows the system
+administrator to control the operation of a name server. The majority of BIND 9 packages 
+or ports come preconfigured with local (loopback address) security preconfigured. 
+If ``rndc`` is being invoked from a remote host, further configuration is required.
+The ``nsupdate`` tool uses **Dynamic DNS (DDNS)** features and allows users to dynamically 
+change the contents of the zone file(s). ``nsupdate`` access and security may be controlled 
+using ``named.conf`` :ref:`statements or using TSIG or SIG(0) cryptographic methods <dynamic_update_security>`.
+Clearly, if the remote hosts used for either ``rndc`` or DDNS lie within a network entirely 
+under the user's control, the security threat may be regarded as non-existent. Any implementation requirements,
+therefore, depend on the site's security policy.
+
+3. Zone transfer from a **primary** to one or more **secondary** authoritative name servers across a 
+public network carries risk. The zone transfer may be secured using 
+``named.conf`` :ref:`statements, TSIG cryptographic methods or TLS<sec_file_transfer>`.
+Clearly, if the secondary authoritative name server(s) all lie within a network entirely 
+under the user's control, the security threat may be regarded as non-existent. Any implementation requirements 
+again depend on the site's security policy.
+
+4. If the operator of an authoritative name server (primary or secondary) wishes to ensure that 
+DNS responses to user-initiated queries about the zone(s) for which they are responsible can only 
+have come from their server, that the data received by the user is the same as that sent, and that 
+non-existent names are genuine, then :ref:`DNSSEC` is the only solution. DNSSEC requires configuration 
+and operational changes both to the authoritative name servers and to any resolver which accesses 
+those servers.
+
+5. The typical Internet-connected end-user device (PCs, laptops, and even mobile phones) either has  
+a stub resolver or operates via a DNS proxy. A stub resolver requires the services of an area 
+or full-service resolver to completely answer user queries. Stub resolvers on the majority of PCs and laptops 
+typically have a caching capability to increase performance. At this time there are no standard stub resolvers or proxy 
+DNS tools that implement DNSSEC. BIND 9 may be configured to provide such capability on supported Linux or Unix platforms.
+:ref:`DNS over TLS <dns_over_tls>` may be configured to verify the integrity of the data between the stub resolver and 
+area (or full-service) resolver. However, unless the resolver and the Authoritative Name Server implements DNSSEC, end-to-end integrity (from 
+authoritative name server to stub resolver) cannot be guaranteed.
diff --git a/doc/arm/introduction.inc.rst b/doc/arm/introduction.inc.rst
index fc80fb8119..009a702347 100644
--- a/doc/arm/introduction.inc.rst
+++ b/doc/arm/introduction.inc.rst
@@ -9,25 +9,27 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. _Introduction:
+.. _introduction:
 
-Introduction
-============
+Introduction to DNS and BIND 9
+==============================
 
-The Internet Domain Name System (DNS) consists of the syntax to specify
-the names of entities in the Internet in a hierarchical manner, the
-rules used for delegating authority over names, and the system
-implementation that actually maps names to Internet addresses. DNS data
-is maintained in a group of distributed hierarchical databases.
+The Internet Domain Name System (DNS) consists of:
+
+- the syntax to specify the names of entities in the Internet in a hierarchical manner,
+- the rules used for delegating authority over names, and
+- the system implementation that actually maps names to Internet addresses.
+
+DNS data is maintained in a group of distributed hierarchical databases.
 
 .. _doc_scope:
 
 Scope of Document
 -----------------
 
-The Berkeley Internet Name Domain (BIND) implements a domain name server
+The Berkeley Internet Name Domain (BIND) software implements a domain name server
 for a number of operating systems. This document provides basic
-information about the installation and care of the Internet Systems
+information about the installation and maintenance of Internet Systems
 Consortium (ISC) BIND version 9 software package for system
 administrators.
 
@@ -38,25 +40,50 @@ This manual covers BIND version |release|.
 Organization of This Document
 -----------------------------
 
-In this document, *Chapter 1* introduces the basic DNS and BIND
-concepts. *Chapter 2* describes resource requirements for running BIND
-in various environments. Information in *Chapter 3* is *task-oriented*
-in its presentation and is organized functionally, to aid in the process
-of installing the BIND 9 software. The task-oriented section is followed
-by *Chapter 4*, which is organized as a reference manual to aid in the ongoing
-maintenance of the software. *Chapter 5* contains more advanced concepts that
-the system administrator may need for implementing certain options. *Chapter 6*
-addresses security considerations, and *Chapter 7* contains troubleshooting help.
-The main body of the document is followed by several *appendices* which contain
-useful reference information, such as a *bibliography* and historic
-information related to BIND and the Domain Name System.
+:ref:`introduction` introduces the basic DNS and BIND concepts. Some tutorial material on
+:ref:`dns_overview` is presented for those unfamiliar with DNS. A
+:ref:`intro_dns_security` is provided to allow BIND operators to implement 
+appropriate security for their operational environment.
+
+:ref:`requirements` describes the hardware and environment requirements for BIND 9
+and lists both the supported and unsupported platforms.
+
+:ref:`configuration` is intended as a quickstart guide for newer users. Sample files
+are included for :ref:`config_auth_samples` (both :ref:`primary<sample_primary>` and
+:ref:`secondary<sample_secondary>`), as well as a simple :ref:`config_resolver_samples` and
+a :ref:`sample_forwarding`. Some reference material on the :ref:`Zone File<zone_file>` is included. 
+
+:ref:`ns_operations` covers basic BIND 9 software and DNS operations, including some
+useful tools, Unix signals, and plugins.
+
+:ref:`advanced` builds on the configurations of :ref:`configuration`, adding
+functions and features the system administrator may need. 
+
+:ref:`security` covers most aspects of BIND 9 security, including file permissions,
+running BIND 9 in a "jail," and securing file transfers and dynamic updates.
+
+:ref:`dnssec` describes the theory and practice of cryptographic authentication of DNS
+information. The :ref:`dnssec_guide` is a practical guide to implementing DNSSEC.
+
+:ref:`Reference` gives exhaustive descriptions of all supported clauses, statements, 
+and grammars used in BIND 9's ``named.conf`` configuration file.
+
+:ref:`troubleshooting` provides information on identifying and solving BIND 9 and DNS
+problems. Information about bug-reporting procedures is also provided.
+
+:ref:`build_bind` is a definitive guide for those occasions where the user requires 
+special options not provided in the standard Linux or Unix distributions.  
+
+The **Appendices** contain useful reference information, such as a bibliography and historic
+information related to BIND and the Domain Name System, as well as the current *man*
+pages for all the published tools.
 
 .. _conventions:
 
 Conventions Used in This Document
 ---------------------------------
 
-In this document, we generally use ``Fixed Width`` text to indicate the
+In this document, we generally use ``fixed-width`` text to indicate the
 following types of information:
 
 - pathnames
@@ -70,242 +97,4 @@ following types of information:
 - keywords
 - variables
 
-Text in "quotes," **bold**, or *italics* is also used for emphasis or clarity.
-
-.. _dns_overview:
-
-The Domain Name System (DNS)
-----------------------------
-
-This document explains the installation and upkeep
-of the BIND (Berkeley Internet Name Domain) software package. We
-begin by reviewing the fundamentals of the Domain Name System (DNS) as
-they relate to BIND.
-
-.. _dns_fundamentals:
-
-DNS Fundamentals
-~~~~~~~~~~~~~~~~
-
-The Domain Name System (DNS) is a hierarchical, distributed database. It
-stores information for mapping Internet host names to IP addresses and
-vice versa, mail routing information, and other data used by Internet
-applications.
-
-Clients look up information in the DNS by calling a *resolver* library,
-which sends queries to one or more *name servers* and interprets the
-responses. The BIND 9 software distribution contains a name server,
-:iscman:`named`, and a set of associated tools.
-
-.. _domain_names:
-
-Domains and Domain Names
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-The data stored in the DNS is identified by *domain names* that are
-organized as a tree according to organizational or administrative
-boundaries. Each node of the tree, called a *domain*, is given a label.
-The domain name of the node is the concatenation of all the labels on
-the path from the node to the *root* node. This is represented in
-written form as a string of labels listed from right to left and
-separated by dots. A label need only be unique within its parent domain.
-
-For example, a domain name for a host at the company *Example, Inc.*
-could be ``ourhost.example.com``, where ``com`` is the top-level domain
-to which ``ourhost.example.com`` belongs, ``example`` is a subdomain of
-``com``, and ``ourhost`` is the name of the host.
-
-For administrative purposes, the name space is partitioned into areas
-called *zones*, each starting at a node and extending down to the "leaf"
-nodes or to nodes where other zones start. The data for each zone is
-stored in a *name server*, which answers queries about the zone using
-the *DNS protocol*.
-
-The data associated with each domain name is stored in the form of
-*resource records* (RRs). Some of the supported resource record types
-are described in :ref:`types_of_resource_records_and_when_to_use_them`.
-
-For more detailed information about the design of the DNS and the DNS
-protocol, please refer to the standards documents listed in :ref:`rfcs`.
-
-Zones
-~~~~~
-
-To properly operate a name server, it is important to understand the
-difference between a *zone* and a *domain*.
-
-As stated previously, a zone is a point of delegation in the DNS tree. A
-zone consists of those contiguous parts of the domain tree for which a
-name server has complete information and over which it has authority. It
-contains all domain names from a certain point downward in the domain
-tree except those which are delegated to other zones. A delegation point
-is marked by one or more *NS records* in the parent zone, which should
-be matched by equivalent NS records at the root of the delegated zone.
-
-For instance, consider the ``example.com`` domain, which includes names
-such as ``host.aaa.example.com`` and ``host.bbb.example.com``, even
-though the ``example.com`` zone includes only delegations for the
-``aaa.example.com`` and ``bbb.example.com`` zones. A zone can map
-exactly to a single domain, but could also include only part of a
-domain, the rest of which could be delegated to other name servers.
-Every name in the DNS tree is a *domain*, even if it is *terminal*, that
-is, has no *subdomains*. Every subdomain is a domain and every domain
-except the root is also a subdomain. The terminology is not intuitive
-and we suggest reading :rfc:`1033`, :rfc:`1034`, and :rfc:`1035` to gain a complete
-understanding of this difficult and subtle topic.
-
-Though BIND 9 is called a "domain name server," it deals primarily in
-terms of zones. The ``primary`` and ``secondary`` declarations in the :iscman:`named.conf`
-file specify zones, not domains. When BIND asks some other site if it is
-willing to be a secondary server for a *domain*, it is actually asking
-for secondary service for some collection of *zones*.
-
-.. _auth_servers:
-
-Authoritative Name Servers
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Each zone is served by at least one *authoritative name server*, which
-contains the complete data for the zone. To make the DNS tolerant of
-server and network failures, most zones have two or more authoritative
-servers, on different networks.
-
-Responses from authoritative servers have the "authoritative answer"
-(AA) bit set in the response packets. This makes them easy to identify
-when debugging DNS configurations using tools like :iscman:`dig` (:ref:`diagnostic_tools`).
-
-.. _primary_master:
-
-The Primary Server
-^^^^^^^^^^^^^^^^^^
-
-The authoritative server, where the main copy of the zone data is
-maintained, is called the *primary* (formerly *master*) server, or simply the
-*primary*. Typically it loads the zone contents from some local file
-edited by humans or perhaps generated mechanically from some other local
-file which is edited by humans. This file is called the *zone file* or
-*master file*.
-
-In some cases, however, the master file may not be edited by humans at
-all, but may instead be the result of *dynamic update* operations.
-
-.. _secondary_server:
-
-Secondary Servers
-^^^^^^^^^^^^^^^^^
-
-The other authoritative servers, the *secondary* servers (formerly known as
-*slave* servers) load the zone contents from another server using a
-replication process known as a *zone transfer*. Typically the data is
-transferred directly from the primary, but it is also possible to
-transfer it from another secondary. In other words, a secondary server may
-itself act as a primary to a subordinate secondary server.
-
-Periodically, the secondary server must send a refresh query to determine
-whether the zone contents have been updated. This is done by sending a
-query for the zone's Start of Authority (SOA) record and checking whether the SERIAL field
-has been updated; if so, a new transfer request is initiated. The timing
-of these refresh queries is controlled by the SOA REFRESH and RETRY
-fields, but can be overridden with the ``max-refresh-time``,
-``min-refresh-time``, ``max-retry-time``, and ``min-retry-time``
-options.
-
-If the zone data cannot be updated within the time specified by the SOA
-EXPIRE option (up to a hard-coded maximum of 24 weeks), the secondary
-zone expires and no longer responds to queries.
-
-.. _stealth_server:
-
-Stealth Servers
-^^^^^^^^^^^^^^^
-
-Usually, all of the zone's authoritative servers are listed in NS
-records in the parent zone. These NS records constitute a *delegation*
-of the zone from the parent. The authoritative servers are also listed
-in the zone file itself, at the *top level* or *apex* of the zone.
-Servers that are not in the parent's NS delegation can be listed in the
-zone's top-level NS records, but servers that are not present at the
-zone's top level cannot be listed in the parent's delegation.
-
-A *stealth server* is a server that is authoritative for a zone but is
-not listed in that zone's NS records. Stealth servers can be used for
-keeping a local copy of a zone, to speed up access to the zone's records
-or to make sure that the zone is available even if all the "official"
-servers for the zone are inaccessible.
-
-A configuration where the primary server itself is a stealth
-server is often referred to as a "hidden primary" configuration. One use
-for this configuration is when the primary is behind a firewall
-and is therefore unable to communicate directly with the outside world.
-
-.. _cache_servers:
-
-Caching Name Servers
-~~~~~~~~~~~~~~~~~~~~
-
-The resolver libraries provided by most operating systems are *stub
-resolvers*, meaning that they are not capable of performing the full DNS
-resolution process by themselves by talking directly to the
-authoritative servers. Instead, they rely on a local name server to
-perform the resolution on their behalf. Such a server is called a
-*recursive* name server; it performs *recursive lookups* for local
-clients.
-
-To improve performance, recursive servers cache the results of the
-lookups they perform. Since the processes of recursion and caching are
-intimately connected, the terms *recursive server* and *caching server*
-are often used synonymously.
-
-The length of time for which a record may be retained in the cache of a
-caching name server is controlled by the Time-To-Live (TTL) field
-associated with each resource record.
-
-.. _forwarder:
-
-Forwarding
-^^^^^^^^^^
-
-Even a caching name server does not necessarily perform the complete
-recursive lookup itself. Instead, it can *forward* some or all of the
-queries that it cannot satisfy from its cache to another caching name
-server, commonly referred to as a *forwarder*.
-
-Forwarders are typically used when an administrator does not wish for
-all the servers at a given site to interact directly with the rest of
-the Internet. For example, a common scenario is when multiple internal
-DNS servers are behind an Internet firewall. Servers behind the firewall
-forward their requests to the server with external access, which queries
-Internet DNS servers on the internal servers' behalf.
-
-Another scenario (largely now superseded by Response Policy Zones) is to
-send queries first to a custom server for RBL processing before
-forwarding them to the wider Internet.
-
-There may be one or more forwarders in a given setup. The order in which
-the forwarders are listed in :iscman:`named.conf` does not determine the
-sequence in which they are queried; rather, :iscman:`named` uses the response
-times from previous queries to select the server that is likely to
-respond the most quickly. A server that has not yet been queried is
-given an initial small random response time to ensure that it is tried
-at least once. Dynamic adjustment of the recorded response times ensures
-that all forwarders are queried, even those with slower response times.
-This permits changes in behavior based on server responsiveness.
-
-.. _multi_role:
-
-Name Servers in Multiple Roles
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The BIND name server can simultaneously act as a primary for some zones,
-a secondary for other zones, and as a caching (recursive) server for a set
-of local clients.
-
-However, since the functions of authoritative name service and
-caching/recursive name service are logically separate, it is often
-advantageous to run them on separate server machines. A server that only
-provides authoritative name service (an *authoritative-only* server) can
-run with recursion disabled, improving reliability and security. A
-server that is not authoritative for any zones and only provides
-recursive service to local clients (a *caching-only* server) does not
-need to be reachable from the Internet at large and can be placed inside
-a firewall.
+Text in "quotes," **bold text**, or *italics* is also used for emphasis or clarity.
diff --git a/doc/arm/name-resolution.dia b/doc/arm/name-resolution.dia
new file mode 100644
index 0000000000000000000000000000000000000000..272169f5ad458f91727fb842f7b258300c2b6c60
GIT binary patch
literal 3084
zcmV+n4D<6JiwFP!000023+-K7Z`(K)e$THk+?N@^WyCu<nRd{2uoqy^EjFF!K(-Y}
zTUiPuC296yfBTY@bFnSOwkT?>lm<E&I~0#epY!oM7m~mJ_I;U*Zlk=2v-I5<f?zy~
z(pff-)5W{-pI`s>R*ZjpfAZ@*4u4Vq7J0ZFsVCAxzk4^nD$DC%PEYUd?m%*1gk_e4
zB)$Pfbo#$ANy1ar=yd%4WHfr-!8|NO{n_f%uq^X<dQ(QDG+ajS#?x^2ZINd;>3m$Z
zTD6;HNtTap!{pug&82ybPgmWXuJ!Xm-`C+Hn&wgXt-0$!y`*f@^>vhQcDuaJidZ!%
z@2|I-H1wnY`>f5XRiPTCi}!CnkT=y=T7B@;SKSwF6jCn3d=aPHa@5=;)kGj55JGA)
zs1!2bgu{n9Ib7VdUvWvl;_`mQ#l^*SmX~=Lm)jzzS(Zd$T1hSQo2b2<ViqP!#a<eg
z#V9W0vdngT|I08b_8CC+@uRgJYPpL%p1*9kYb_djxr^uJ)x~#5(^d6;@2L0NxQM4o
zRQK)UwCt?=`)<15{B;a^KRs@#4OMTA%fnnmG@^$u4~v_49u+&(Y`slGPgkpEr@Ll-
zv)#TEQ+>3tSQ`;Zcpv4f?ms>))1%c7yh5B&I4k4Zhj-8BB%A&xnw6`;o|j=d5A*rx
z?dW6nef-2h6a$Ip@5cWM)+cLoc&amngIlw8ojs})LV!#J2<YY%Yy(J>fa!Fz|6GkA
zOczP?C<D`pI71RpI)MzxcEX}0T3*buJl!S;-HpfyF-WpKss|L|K(U`^FK#oSt0-Pv
zmCeEg5W(7uw-Ywa@_Cf+8d?D0N(>}2fRI7dPF!)7-Cfks)ZJ_FAyU-h8(kFTeG+X7
zh|-&7)jQeIb@gFocdZQ(+8Sa2IGqqc9NM80p(J2>rYvy60irI=&~7~YSRs2<)zynS
zv_b^<n#oHs2rG<J^($ShFV{5-HVtR9%i}Qg1Fi9E^u2s$j&Nm;$krSoAZS9>dWBrB
zj7ACpoY6B32tibd<gG=PdM<YGz>PLdzo~JY*V=9P*uQ^1Z*a0-V5UuOPL`H+vh?Sp
z%WxSd_v$N!X)zuds8?&Eg5B!be?-Y`RK~OL?Z+&cKj(Xge~&E;sB<6`u@G3lBn=>j
z0ko63u7!JRVjEGLD9{+$2?9Go$|YW;%c%ZGeOj0Il~PN|53`J0^Oc$@0`3KrustYY
zG+}@+r;voTx(NkI3X7P6BnB8fen85ztbAKUxt{eO5}ATcKOrFQp=nDWJun?JFxC4m
z#NKxiNV(jMQMcX;*FvE2U-$$<K%rw7#%@^NiSbU1g;~-LLJD#M5un1YSrQ`zYqM1U
zO98=-0}EE8@>c1s(!wfP2N8G4CQ$qPj)U$JYB9=D)sc4yb>tmM>NxgpIkqFT&OwIX
z_q5LGl(UGx9_!@R)`>xY73rhUv26+^gfL^7LUUQ-)-WxHb&O^y)>3e<$trc-)^lHX
z=vFDL17BEYlLWxrX*6C*(LxYCgAzz>mCUJCS`X{!%n}2HNC%nm<Fv~l7^+=1M5Lv)
zVG@A&L;@VR&6621diheOsaY(dN+=C{rp#x`b}6HeNDnYo27@k;2~A+2w9q*;A*FPP
zDQMD5xt56rk;DIYRAdShat}|v!BdS!dVCrpKEV#~i5hK?%q==qQm}?6uGUB8a45e9
z4j`ld)2DED75(g!`8_4`>lD(1(-6U_o9aiYbkKeEqXYqbtbWvsqj%~&YucrX9+rj(
zOI_4IN{tcRF)US5AcREMKvD*)brB+T{K)k6kKaeXXUi~7J#p%-3UXU3Jwgo;p-2Y^
z1t*G0bK(}Dj1Y*J1}I4cL;Af$d;kFTXA$Kdq54LsEv@tbHAH}-9RL*31zG}f#~jLt
z39xeQu--+Y)Guf))4O)B)3vM9MGs6v1SadUSZFpALBJfxoQ#+NP$((GX9xi(bUitc
zm<n<H==52&8=1u2O{so?9~7wwtX>jh8i)WpN2*%o^hh;Cq_Qs&rpndVWhQP53lIj3
z=;}bq=o#XGOA{YwFc<(#otHP$6JKA@E1jy>%hv!>@P`8_>xyYa05N-H1E(7qDk*_l
zkPSvbyecnX11K+;`SOAuV^FmU=^4}z!AW+o$%;uG5yEbxP%AlDZ%$U|#Gna7(Lscv
zKIYk7;ki>^+^Jq8Jw6Q(pHR>NdD8AaRodW|JYkc!<C;7%AcZDRwDs{$o;<x~^0cjx
z9-NLDoW5kq{U31})oh1F*2Uut2z^wf%X3{A;6!R680$JHT{|w3-a<||Yg@8@t>)yy
z4CAoD)dXZ88qr;?Y_`{$(}j2LK}9PRKvDz<Bh<3=qbS3?ya;o}`<j)sZ3Wu1&M%TE
zUA#OZYA<BxthL>RoX%a%(PP){X6Q*oSMxK=(o`9)!k1!e>3{gk=t`lIUNaQ{m6<uL
zdi3<ywF9!7pGB)@#rm^w`{?|QFVqpKLmiMh&L<oY$6<RThUrt|G^q<9qDm+m#D>5x
zpS-)-kGol`i=NO8(c84HYDW+tqL0dVT$05BWORZ73n+$XNHaUBk%|jU$?=2J2W7CM
zhm_*UPyamsG8vtJ8D;s&mpr}=RZpLz@-EB2{p>-k9}uh6Tc2+{W)N%gNbL*XrFO`q
z31YbfF{#~BC5K3;Fbo5zE1LtgkiwP_rupiH;^jNt()tlL9kr&~(UudTe*4+=<`=2E
z1I)X!-j)5)U0Kn>m4&Nk`TDcCYge`jY^{s<wO?5s8tKxJrGPShgsfWTC1cu|r6{P<
zsYJL&+qxmvw}MvZ&3dr)VC%tlPq5tpOm+y^GRJYlCa`7pxfWTS+T`?h3kC!fLZ4no
z5n=pHZ;PSOa9fJFaE!LKV{AIF)Q04Hxb<-B;dW2BB^KOPIOeu5rMGzp>21R^rQ-y*
zsICzrk_w&R#!&A^B!JMiTP*fYaBmH-HhEpO+MVLo2UUCM^w8;{^8q?(cNuQhSB6`3
zQC7{()kw^BRkguQ&N)3p1R$t|ayEbrH~b58L))pL*IG%vt%T09LYL;{Q`?7Uh5jC8
z%Sb&n(`+uvFZEwO#rZ6W>cGi<&j;7Xiwf7+#Pu$t>Y@N7LBOkn+**oM^Aqkurg=Oo
zo!;DIJ8%2k5dr~SD`<wo;T<7e3EPjmc639C5vGCXX2%U7>q+WEL|n#6;#fq-myo<P
zS7y;`MzCOukv&t8mh+dy*B4h=9{*P@!C~^^;4Z_Yh%Ce?fYb}PGa<#zv{2ng<JObZ
z(Us-)duarKdRIDinyWHG1mF}Y+}Bt3PGsvd`1<6d$n#Oxe6&XYJR2Qgp(VE7HAD67
zEEojRB?C1=kgod<*cn!C5D$nFN|3+<IJf1)O{rJVGA!fUXk-qXI*)SwTa482^H_da
z_;aUvId`f~V||tQ5W&m-N(N!#D*C#0rv;WqjILhf<`zt3QqYo6&!s$<s@Fl!rg{Y=
zo3seV>$wflNp9nyNFuhs1%m5p6$Me!@pc(gj-#MY<6w1m5hVkTBwEj#k0km?qK_o{
zNMbt%Ogdn|#9YcAFb3UHU}7$GL0mA6{Z%14YAv--5{&)k$G)g=oichZJnTF-w%(f~
zG;PG~J?6b2N(n(qh>(h#2Ks_Ls*4zhOHFMj%`;QaOg%I8%(NXdwca8m0Y-v~2?0_t
zmwE0dK~M^LrhIv*-%<cu%k7h#5>HNhA*W6H=-KJO*(vXYopQ%HB*RWQV2|un0yKDb
zYB6b^oqBfa*{Nrz?bxa4fSu}7aJge*DilOYU4N-qsV>2n10bZ-6Vkp2>81*LE;?{7
z+Qp8b>iz>N9d8Lj+=wBjHe7Kz$N(h6-V<awbDolVO6n=8r=+bYDG54&eqru2p~Nxt
zi|U3QUCpYnpFk~?6Teg4Q_~k!(X-QGvr_^)iIhSFko!=nk^&!NrTUDu!3Rri=FL-6
zPfa~F_0+T-HANjnOSuMN<TNNzNkIx(xCxjtbBM7V054^pm-ZDh-PS`-OaD?@TD?!g
a`zU{ZQoT|C7J0aQfAW8h0JbS5)Bpekn&7hl

literal 0
HcmV?d00001

diff --git a/doc/arm/name-resolution.png b/doc/arm/name-resolution.png
new file mode 100644
index 0000000000000000000000000000000000000000..178428480eb3ee802f259e090cd1deaeff4e9ee7
GIT binary patch
literal 29727
zcmbq*WmJ`6*XALm8wu$aDd|SKyO9v2K}xzMBoqY!5$SG04hWJ8D5aD%f*>u8l;mvQ
z`My~*Yt5fo!yoj-6ZgI2iv19$qos_GLydz#An;XH6!Z`XR1*XOMGy-WUJ09?7J*-A
zkL6Siu&}UZ7PRN#zt|osrjOzGe|}K@*xf8dAQ%v;3bF?NnVVSw!K7nHpS1goUPs&`
zzRg|qXhaUfR+;n@PW8PANu0JAF3yNHg@a?qkRB$Zd$&1^>ST#BR+D3JE4Xl2`tq>^
zu{zMEoI07JBl_$sOmMtI!+sulNeHBCytaRJ5G-?XAn@_=>YRW;Z>HFBcF>FXMbUdi
z=(34#)!vMtGGIk8#J<X9Qh-;S1xvAr;SFkhPC4{4VoE$rL)Ooe(h&yqrC3SMpKack
zQgYpVhHP!IkVW62F~!4-oOLrcyGP$y-ZUg3QOFh<PqcSqYHCXD*}So<aE4Y%e@~B&
z864RBKkpF4F#B`Mh%K$Gc+qrwnp;}ZaSLXAcNAk(nZJIYlr34+iTM19QN{P~-;3y9
z(un2f@?Ca0*L$UMaN|Za-r$t$3hSZbtTW--G*3}08gUeqb9p6V^+juf3J-HSMX4Y!
zA(q;~w>fK^ajb=YaC0aRZC2WM^G&yuy{+x8bG(*RZOQsJUeQ`z&a7KWw1Ti#z$4*X
zQaU9+_RJp^X4x%a-EJv4APUqbE;O4bDx`i;#nfu4-SBsR-#=(Qm#I24#;nSI#$m>`
z!D;#6z}uR+&~I3&(4|RI`G{+Bco<$93^b@18*r`-Q57tm*vRtXHdDbM>f`maa&*bx
zYGy6$5BjtJf+5x+S25N=!pX_$;C*&#DyxNQ^#qdh$sd6@Q>BdWN(9z-GQQjA^G$Y(
z&oqC2kjqA3XngRm;>Y?==|Q#0g&|^QCI6v<FE*Z{G%aswx|dg0YH?mYN_18ZB!)$=
zZt;1p#JsBD;`I(wPKxx^oc^>^kG24_n%*PMn`Ohhm8?d$mY0{skVOi4LRqGSbr>H^
z$HQ~`BDu*Pz2;t}ddxGJL{{tYr_wG>YJby7_pd=dvyo}M<=tU9>}NXpwcclL*z5b*
zO)bn=zo{IFnJ({DjE!{voP7U~)ftC9*<4s_b!oEq<LAg5>c?^oKSo9-Ee=pxoqn*T
zS?Fu9ktV&S_6=;EbFL2@XAWYrWqs<=lu|DdfM2`%u5zZlTP}W1AH9rChnOjpNkAak
zRg~t%;l{+X@nJ_nw&b`MIHxztJF!C7X6;^@RT+7|__5&eMuW{fJC>mhgPid<`(%v7
zMwp5<``1Zp!K*kE@&-Yste1r=S>Nq{I117oze!H+^fV6)Y_hCg6&rZ--M-<iPug4L
z5}GU)1pZZ0axycLjaI3mI7!O)lcvq9ky-nCv#pUL^>yW#PT4Av!N705z3<JcFfcGO
zKOMuGJ6Izlo8U_1=DWHStn)m2V-)P1f|*z%3`F37?M&jo*`p){w|tuqqVl_I9>0cr
z$of=pXHxR7uI+uyuYr#%lxxR_Y~I(noZ;Z$Wct`5r`Fz6QBhTPm(|tv_V#)Qjg=b~
zGK<|T(Wn?^mt#_?UsNBwg<hu6!J8s7)V)p4lf78QT_7~;<wtf%z05Mvfc?dHgJ#M%
zQ_NEBpeH+)C>_7gRJkY4w6)US=8PmY{^<9NPZZD2?T8biIxONafq;Emhh{kUWQlcP
zp!kOW`r}F?7s$+=yH!RNz3~_Y!)u=Xl|0tWFZwohE5=rqmy1eD{?6g42>C`$IoI#s
zq!@AL=cSdXE;Fil{P^)y{Yx&Ez|1bSFb98LScW^C1ZZeXP-28A;dK99T4ad|l_29~
ziO|c2|1Xv2|LJW!GCWK)O;bxv)f4lhjRq~WLO*m}q68(<a;wYSGm8QyvY6H+&eT5S
zs5i-@Q~j}ka6(1=UE~K7E)tQqvm41f;Sq@`F`K>4g47905BVrlZsL35?>y_X;iE*|
zO(QqYWg`3R)-dBL{2?mM{1&!hEfSe}GtZ2V5)U?WrGr(Jh9IWX8acIlmwI&4RX9s4
zEh#CljzJcWQ;t}r-0fzt$tV#GfpX3LP&uxfxFPQ!KAs7DZBC?1GmJjqI<4Mip+g*B
z1L<L%rz7zc)2Jd<n##p&Cm+JPNOAYBx1@ZP5mGe-E=^VzB}1MPn@6SG_H?f&i5Uln
zbTpS~>0!f60J92uo-bL}MeWR1T_S-|;$DbvqhZMpRc$t;fcSvDXB1MpV+u7pag(tF
zXJ4`2gsa8LAVG;){4?8Ziicj76tiy~J2P|S*0Zf1w+5uLlOQ#3Oq@9#&+0)myUIJ6
zAf%&<K`4CT)N<#$*iACBMEqf1UoEW{Miqy-66@7QLbJ+gzZ^y|s%ifr9r<@EqbLVL
zt2P;>X}<n<4W@Lj{#KoEeur%}omnk6j9#>mGq5$=lE(Me8)9th?=3BodOZY2L)IKe
zRhqH=p(yvNjMRI2<*O(9#b~WD((~0ut(U!zE2EX)SG^aS+LMagxaS^^?&{ZZt8cr=
z&uV48zojZ4lS<o*cQA?eYINg}hcIa>>%h3;?RG)`4zlY3@6PcZh083T;|b1bhCAhT
z4>FUhnO2vcERM6LhJCS>ek>|;`7Y!z<ep+rj9-yI#oMaeR>W$f6tn7gYN9tEk#alG
zm({sASq#L5*jdD@@!;Mc@a10hk!|ubday1xY?b7gF)%M>wKn+lr;9`U5b{Tfad^pj
z596jt_f*C6<5d+%o_sakP(Pk_vrWr&IV+#O>@p8wgBMIG0S>KK_4{-~BN3hh<c#;X
zHRM&y_5K-aTnZ@HG4s^46P99CFa$qZkW!fJ8!N$5Ody<oi)3drKAd26ea-%|CPG73
z(Ua}fjd&gZ+y1^8{aQuZ>Cwl**42+JEwhm&FC9vF1Mg2YJPbUWl-n6hB9-Jd8Fdy4
zvRd+69XIYbKGtp0w>;x-ZyJg1Te+xC<-Va!p4U}yZ-q5A;LFdz6_3z!i?csx;g6#X
zAGEICAf&@XC>12N{<!qKUATC;iH?ZQBGFb?f9OY?j@|L(47$^an%siHlWH@}@NeHV
znlx#oCYSGc^9J$yPdu69*KKFVt~2Ala7v(+7&jFf)UrDGP}`tU$K15_UCgX%96~|Y
zXU#)&Ej{pO)|zoe(@sH+{!zy(MGTU^!TJ6k4pL|J&h=(5Eqpbhn`oB&NFr&qbgws?
zLK1C}p{E(FkpDeN?<DE@b;BUaZ{cGvRC%wl$qpS0hn1U<;f);MV`>Jme!IxeN{u?#
z4<XUsC`azT{)l@aD^5c&d{{6RayqcPPg8HkeK@>)TQR1SF*qt9O!Xp+zTT{AEwiF?
zfiGQy$HE|`2{{&jz<RhJ|51@4j9!O$PH_MgdsrD$y(ft8KG)4tA2QnSyV%L>+Bdh7
zxYHsXUb>$yE_^XWgk`ne_xFX|8AC>sy7{bLo&E1^Dc#&2Y5MyUq6ImSo7`7vx$x1v
zDJr|N+xQzA>d{$v{4P)B$L|?LHq{JcX>oCJ9ZFGj-^hkf={`-LNhU{2VGN6KrT37f
z5}2#B(D?g~!%n#&anB~bj>J_o<^zT#nkThT#Y%QqrNz3RKgUZaIX!>H=|lh6%L~dr
zR2X(KnLl{+bEXdMMh^XTO9f-jX*?EcGO#qxzx_Q_i>lvLXN#enL7JGLoCTs9y5kvy
zSm%jIi;1P*B-wIon6Yb<4|phA``1J`BZ0uz!Pa(2e|Le?30t>UyTh$PU8AJeRV{Xx
z%%64B2i9>jSH?njX)p6#ChpqydQiCbz+D*`E5KvUX0U=5MQHkCo~joC^u2uo&%SiL
z+bCLe-``uv@;P!j?Dc#4h=!6>`SLnUgHOI;5A8$>gxvp;Xu>A@fR{Q%JE`rvBrjWb
z4rMj3d$3Mc{d%RT!&VQOp=d9!=iyS0kT&1K6P{&?-{T{9<E#-L+b29Br*5-Gy4AWn
zgTqCtEMZejGg%rFHoxYS*R>SeUCGk6>-Tpmo7;`@_}a{rdtA&{^dujAHD0#5n?6W0
z@Uq>-Dg?s7Xns5)&o7I%m>pN2B@{2y#9R3#c^-0{h0b}OJg=@a^UXx9qfo<u*@_Sa
z(?N{)2NkW@uD{U@USFr)a<2b4j$=C5rvb=0^5aK<wq>dLz|JO7+H9}Y!^O_CwOaka
zT33nvG`*e{B;C1LH20Yr@je&lk;byQUc<XLnGOW2-M{Lq+Xy*%7#t#@-x77n%+oMN
zFktBw$STGH)*p2QY<1m_sSTpwmr4RA`Ty_RQDnZ&7KU-nru`wYN(H*u&>BNYKRw{%
z2*OBYK!w9ck+CQXs%kHKh_(#A-<Ee3zU9ouf{;}-(dXdi4msOu$npOjCmnLi!peHM
z{$sV5Jtr7m?C<M?UcASeA^Zq6ysl30Rb;}NV$lQS_oTXjC&d}W=sLttB}LqRzL5;@
z^7i(=I6Y+7&OV=V$l02%zat|PHu26PC-iiEsW*9Jtb&4+RN&Ec-N=YuQM6*q7q<op
z8Un=HP+sT!=g2%gUcDY7J0+#3vu^AKX#l@$)4tePcMAk`zG=zRg4X-q<manLU9rUZ
z%On^3zSt6}uT42*v~NIks~q=iziRYW8Cv9$;3Gjb;d;Hh>yiE|>hy4f*R)o_DT%l`
zx3^D>twbziC^H2MS@c)$2`N-xsl>F!`;+{HdRC6a``Kb}Sdwa73392|AGD7~^ckx5
z_VY*?i*6Nii#B_!V1>u?34Zk1F#6RNqDW6Va<DP6GhTIH?b%CztPqoDp@pnEhB4TN
z_E7E*klAZ!*_PJChM8`M{XcANt1YY9Q`g@c$eGC%{-)KsZ-4*coyHcd{F3k}%u+1*
z#9yIjRd)Ta-8Md{nbkWVcGHJ(gpkC}VELepDb*2FaB>W|@_w*)b9<-L@ZKywMnLgR
zS{ggj%C{Oy^~Pa-cWqW}pLVITD)!)I!9?G(B2lZiiX-%jJS9(0PaB)xgECi}p12ge
zmOzYPvv%_gV(CrVL#3uvw6xf6*}f%0`0KksA=~UeKM!7i&3*G(uPqburJL*+Cao@w
zgm2}yP$*7ox&X55k?Y>#f4tRRESKH)vK&~_P*+C_-`sTFAGSxL2s~cjXR5JaV8rC?
z&?&HL51n(A?fCMH;_Pr^l{A2;T{e3Y@qj-))*)ufm5tRvIbM!#JAWl>%-N2xL^vJ!
zPs}0FH@AGEv_G`U=uWq1KtO=4PKuPd!D^hda{RDkA$Ot(8Z-d-JWga3AFNzFtlHME
z_FwFpTT{r@zk@Qzs`|0?iAM{C;(BB@*Ue-cf5fff79QrXJ=~RdWd6|m?#fCou?rxh
zL=>6;ug9F@q;4RTU(ld@{bSc^8D~JEP97(0QSVIt9v5O+!|!7daiWgg;YM{kC%1gh
zNU1LKKdp>8eIujsLRC`wcM+v<pRmjj@F8OidLh8q^D(_1KaN|M@9F7b@C8I42q;ah
zD1RnD<}X84Ql9RDWxbh&jt&FoOQizfkAT76>O=NI7k%{3t4}lk*Te1?y3byJS$<!L
zI@O<?nEK>VUlE^D!SGa(Jdr}Y;<KCoY?+MN{;qsaW==J#D2i!3SLHRS`IJ)<?vK}M
z*W&f(R0Z>*=R+wk#~`gzmC>_6f7EcxYKo@(T_T>G`8OzrMu@o3=w_2JDr<}n5)LFI
zr}=KYBpoW|;w+Q8DECaVnvP48i|Aux@1F-Or^$rfHmh?ShSl9^&`N&wYDwdSf{bh^
zr)kRdwI$ilwvaQp-hWEcKrF%wg%P7KUB%XtY1Pz8^k}X`S3gBiU2eW_Y@D28AXkTl
zFsl;I_)aqLn~Pm5v(a-=DH0RE<tDHYmV2@e=|tABjOJt5gp6iYuh(S$<>iUKn5nUj
zZ0KObia@{K@u&jjmra#O?{z%{(P3a>xac~(6UBM`&W{ppbz_Fed^o;^m4_JfJ1DK6
zaXCAPJ}>iA@^k!=wKvFQP#|KdlU1Z-QczS>-DGw7s9<dOacLk+g03%$0gD7LmkEz}
ziRIEh?cRG<!M+p@RaMnCVq&;DhU+g$?tVg(o#4;s0(m2f#qP)0s}$tOlqWuB<Sr2%
z9bSjJ-%^DokpdQ+laZUd%Bae0;D{OzbB;7B1;hmFX}8zY^)Ah~EUB<>s(jOKwdB3a
zl9-hAxnDw-M7HsO^~03wfeYJ>L2<7J3UuNxQi_e%CaZR{w|=zacZ$1Hj!(V!jYB%0
zt!k6McF#GXyuW7B9QDYzvu0q1UE25G5Z&NF$ydE*-z^@CrjwQ_I;p^@=!F?QN4ek5
zBM-*&69eposi`#4KSz%D_V*X$JzJ_aNu5ecYh{S#u#{R<!_iJ7%bt@E34sIVlWXx<
zam{vI{?k7m(B!?{vT<sq=ik)Rw%ml)8Tj%0Gu}3icK-Lc7SgiC8tK2YbX3CSjE8H8
zn*xUNP>oCh8di*PdZs{Zn$ikCnr2a^Bou%33)j6Xl~%K;9kqE@>rbv$Rl5Hx69%=6
zx3v%O5$4i$4#yg#x-oDsN;m<VIWqM#EG3_F<BALMUkSeqK6!mZj}i7hbiF8z$FgOu
z0`sAbP2qP87JtUum_^;K>xpH(w&K2<CSG1%F$A=Q78Q~Or{W}RDGUW=u9U@4*MwOy
z^w9SDn4WKry7V+f+BWyJMT;m=6O$4m*wc7@g$Gpo3-syiW;9G|l%#?)MIy#b+D?As
zT4|=28gSyhyV;Q_ip}%4N?+4SI75>yS*zr+lkn7*?^}$}-TBY_%bpF)Vy#1X(W6#x
zSB4&J$$^HXukj$h=xrQfao8&*O@>>m4eqx6%r+$Xb!CY8ZynDzN1wTFW@WU6T^e*x
zvx*9>u}TFVoSgl-+D<Oc_WzB2K!I=V|8X|Uy520>s9?(VW|Iqvx_Xfw6yWK`;8rFi
zb3<TWoW3K-11f>mi>&L1fpJNeg>3U^ijyqwvXB<GpO8ImU(%m4za>Gyezy3zov!Sa
z$x+<u;x>9`{%<~#FmOsGM><6M^5kJoPb9ho5MR-f!jcmGE3!1IKXJzDK7K5-xV>s$
zS16*?nBRmDdN|!=X4I~iKqm<rPS<?{8#fl6lH5=6S5lq0VX`%-L8PfhJ4af=_kr0v
zqL>mo^ZYSq=p5Iw3hVCg<&Q;i>$8eYaNWdzBt7zJlc--1k}bG9XsK+nX7hJYDX8^D
z2o)TY6P`G#kCbBDnk9`MTh`<*&bYT<Tpa%j85!N4ZO#e14DegUHRK%YiX+v<9Y<H;
zU`k8R6r#rWEH7lG;~)_uNS9uZRrc~yZ1bEJ$`VQ;jl(VzJGn<ZB1BR-h^s!hZjTVX
zj5EmX@6l>)(tImoJ1Z-`Xi_lQ<l_R(ef4|B1QdCz`j3vo`B2%ubanMq(%-rjw7;Y}
z_&bS7_Qu`~U$KsL57BS-0-hF(iSkQ9pL+_$#q$LsSUjSj(2Mm*3Y#P)cHL1_8ShBm
z;&@apV61((>q&ff&o&jqed4Kg*70CY-vGnw^QCaLmp|TqGPVjS`mwI3ukW}0^WU^f
z^}i2$zFX5-5`NpwJ8ic_Js$Y`H#%kks%f>%NlWuP+B6N;d?%)JOtfBS{_*2S=paJ<
zqs~5n5bn>VdeJ-%9!Vmq7<-$M(J#F5d5M)|zZ8*cUGXOGmU)Q}MmSUx+*B%rLRZ%h
zAF?{?X7Qo-zP)oF$(b)*|J80MC`zbN3(49XTF*Z|U(7_qwdXRcTl=?~Ls50FSj2uX
zyVXJai+cFy2Z<j~Cm#-EiXmMl-a%$&i#=wOmcG0^+u4Ci?CR=T?;DTKWt)&?SzT@P
z7c`9xZ}EDwggEY`@Gr?2hh#Pl^<n(8%e6AFGLRZ%1LudCZqn@`4^<a#ms>I0{9YEM
zZ1JFJu<m?1g>=}NX?S_F+@RbPX>aH^0sR(!#%6IzxNPn1r$KQA8F8lKVY;L>XmyBt
z1)msH5Wlk(V|x@vnU+M|0GA>i2Bkgb5!IK8jPh;g`|4MH*GL@U??lYRf18)r3hL(O
z6q1luoaN^R{o`v{j2MI5`cTi(vMuoN4_pDg)SuCn7xD3Z0|NxOxXdped3R2IIG2+#
zz-kS>_;+}Zh=m9US;F~lCm}8ck7Ve1qjx?0qtfJkhYS-VkFNP%wOM_+W`?ku6()L_
zY%Wu!Qt0_!Hz|8zK0X7AN<hHJT2yGJ_f1iV3X7kJ8CN7Z<b)gnH13Qc>_!n$koNgA
zs%wUhUS^uBXwvHaXVmHYTcH~SG;f4l#-HNfQZU}13)*RI_S<=9Tx}T;Acmi>(x8ZI
zVYIu+v1wcus;;hH#@M4Dbxpq+ECznd)N1e{D0YVh)U>r7Ci;{2|5#3}k;axv{+lfi
zM<*-Ax{w9d2^H|!#o6&-rkH-C^JSV<=)e7b-n&A+n)WBV3mfBA%rjnGa@M}4SNFaO
z2OkEDWPG>$uy{WpxCanF6v<=u*pnMF_zB|UJf`EVcN4me1lGr^X1*reI^LWTa2#To
zd$+l{34}ngP!9FU{RX$;N4knCNS>wT<>7Ga5ngSU3f<iFNJ+WFi$O=hS2JYg?36Y=
zdQl1q!!oaU6S-}XY}oxy!S$~?eiWKdep!|e62{xmIC7&LPcJTiaG#W$Wj_(08kusz
zfy8h?J;}_L3VLNiS61ftSDT!iJmh2{W^9z1<fPFciVU=_g1Vt$jNfi*wIV|XgqV@C
zMS8<0?+Y_EcMu5RBb=%6EbXl19MlO<@#UT0o2(g#Bv@<SG2yy-<Y7H+$*7<WDo3^o
z7s+?=<d{q$Lm7Z{9GpR>g{%~<HF9FTcD5POeI5&Av?9cN*xRO2QY9J6J9oB)o#^1E
zr$>j+;**s$IcnXledwyqrGjZx?-3J|$^=^Nt%ZE)c<nbRm`avSw>$hAK1d(PeSChD
zkVd#=egD}=@pe|mzz=N$x>uvSCEPA?c!kwa*p?a?IKzV`Mri2**Ydt+i0u6Qhy<is
zXgk*uAmTn(*+!RiPpOS5g+WFp=lje+q+}Yhwsul({|#F@hd=14$-OMJuQDF+QG#DE
zQ~llkG1VuFg5ktbBFUr{*Vmc2n!JjrEhwLWWA$RH-q(Kj)R97NLU<iFBPmJN>%(sG
zLsb$E&~5V8lMtWr6)A~HwdKRJf3*>F{^j{nOc2wD7ctOhM>17L@h_+Lfu?PVrK`)5
z%x&Vn9}82rb<&CAN8|oTC9=Qt#?43VN&6`fc)Z>EXy(J#OvCZk%<=iZzw{vox<1FT
z=xheWP!^`^i|n_ze1m*_g{M}EIBKU{p)A^>8;S}E*>qu*zV++<58JFa)8yABBO~*`
zQ&88vuok3VPq78Xz3ibNwbN6XX&=zs5peHm1rc4hpW-F%`hIjBPnV<>_kN(A?5t3p
zAG@usrB!S()CnrPDs8p}ho?0@CfaZW6krh?O%{}JX5|+uRyPzpB{P}1Zc8dQlyx))
zJHAAES>s;g8f7+=+>7LOL=E7&EmC@B`Rcl~*2h26eB8~&8UxiP$=07KAp9yV<P3OK
zEg9P}bWzSbI|*gZXZ?OXnr-q~9muk?v%B1+#wIFd^0p@+QCBR|dtZ#blUF&h;pD~o
zAJ8o9yhN=3+*yB)fl-%)r-U-@2?hd0ay1n-bNdSn#H**4j%0y9D~&2xBi|`})Jss|
zrJmxWPN>5Tq;k5Hn=_SYuCYg^*YW;YHw*FnMx3*l$Mif_HFw5fP|^3#a^+9E$Uh5<
zJ#TCkDo>a8zbHt&8t++S{r50gYL9`9Vc6HUaJ1^C0>&;oR1K>SuIV`vim2#m@rf~x
zdaYp3tQYjuFbZ+>%4eFy-+UG=qQXHcHm!x49|d}ZJKlJPeedpixnV^t4=~jO{O|)g
zLDuyMO+&2Ii9|nITT2rb|2-Yz+Ro>;_Al1x9G2zuZdT^?VIyLj)gXdw@1<@<7k_{S
zWU{WnCiJejUO;VFIPy(eT^zWGzyuP>`%cQ=sQFzK4N>o!uMs)Ij!OvsA<1U}J%IgQ
zaiZ<LSLF^n8AU&$Y&G;C-p60iN_^EKivJ_2yS0WF7^lFl@9E4JyQ@P?a+St(_8Q=M
zj(OXgmFZNDmm|d_)w;uqWbey50kDokD;0UEoe&$xJ|I*m^v5MI^h_zvwKXX#P`60k
z;qp2`5fLXh{J7;_G7fGVRu~a~S>)1W$dVzA7Mdtk$C6+MDG#^>jq<HhbEkO^QIo7C
zBc$ZtBrQ^st?bvYmCR=9oJi9dSd{o~quWQLNx7u)h(*C7^FPM6X-d?>AL*52dGI+n
zYAm83?+~j)F0u+(k42-0Y@@pPT>M&-*KiL%i<RVsO1E+EP-%_b+(HYV2#{{zUfwK{
z!XhHZ-p-o-O0GL~=32=7{oOuQ#tmGx!D&;9x(Fo3nd>~Ik-w4fZ%yj(q!1!TN*6NO
zly3K%jEAf!_O^rwFhCE}S(+7Ml%S7r(g@d?RY6X=el)A{EyhsHv*g?szQajqAhaIq
zOeW=GO_85m%@bXc_M#p)?y&dorXnh79aaSf7*-9Au!Xw1#8_N>EGl{S`B$CujCA2Q
z86!Ae{^FABl1aR6QY(s%9n7~T9Kk_o7_}x$L!E0%Zw~%0Lto_e=di#@*QEokEuR4#
zL4^PituR~g=tw?_I*Q}I{SdL#SasSK@ZYllyY1hwuJt;OfvWorrS6QJ9YgYO6ipjL
zhZj5&=VvMN42XxosgK@MC17LmNF2z|gpya!kZ~W)LW3L~q&5ybkUtdPC{DRGkoFTI
z_V@Q4JrGq!8Q^ScWJjNXCXSU4T-Jp^5OEvd?*%&Q^+j33MR9g;^$B9<e`}nJ4J*Y*
zG=%a>XG$15smjG$g`HbE5hv!NkXy&fwmkHY7Tu)k8O02*ef5jr>P)kU73KwS;6k5%
zN6J2yv0h6L&p&#_s-E(i(KcZB^NrM-DA=fQ0!k7wq@$bMD>|wYY_zCpZJCR@5&r+^
zkJjI1E5?dTN=UnPv$T|vYExTB5RoV^ayik(`x#<80IujREiDaY#zHYscs;!C?QM$j
zI}CKp*ej0P*FOv7O$Je5YLDHy`P-_}=uY!E9Re_EVBl#iF*8|8Ia?&-I8j%af`S4_
zXVriie-vvzd;Xjynk2p^H+R0OVUC|V0T|G3MQ*HekKdDF=lV5XQqk*O3|;<0VU;Np
z7Ahy#;ZogdWNwb9MYix#=2FyowDf3e#;V1ixSj!wPFTpUYRS{J0$K@QE*_q2Ar~X~
zio{OKU(nQsS^+@;^$j{0R&MrQueJGt^J1~Kww5gArmQonp-n!R={H{UT1f{UIG*0+
z=ilF7?zfcyNPDpU!+QeEzBFE|ZTEjfg-@Tv*VyZtnKgm>wAlUfSJ>4>Sy`FS#<-zb
z{@Wfv?XO<F(#jHNwWtCRul$luQ$yq6r2&@SLr^$|N*Wve0W|l&=5F@i`wbtS1g&W-
zK0cmW!2a8v>XvJPsfeZ0X|&wXr7z_+jAJxSgHED@%M?q0?-^gpN6<`wr5x}4;w|xd
zNhjsIIY~@MXF03Ki0}YK=;Y)iKcC5gyrZ-8@87?`k<V|FM~rF=nX=iM);a1T?Z4YP
z%OU{y(7zRa1O(xJl^$ah09?(tf~xr)QP`x{CklfT2~x>~wsh;-YO?*fK_5JSKY)m_
z{pvDk=EI|E^N&nF$%%<Q|BRO1<Tg98;zTcdlB-A=;a`A(!XP4Y{Bbq=Z=Pf<M*_9b
z>8i}t?WPUbJ_T;r$Aa-nQ)J3(ls#6skbP;loy&_eK#?;g+VnZGQKAL<C0aY}SD~h+
zRQD%a0{*7nF&?il*1la9@d9x3HC*Gq|G{;tb{T+fgZ=lnF?4|{MS890`~BdEjjntD
z`}Yr);0_OumX_A#pNeX(o9ec<wiQNIbFf8Y6~+KMk#4h1aF*Hju&|xER_!eD!<7to
zO921CTYlBrsk^zkL0lH(=Yxc2TxB)}B>*7K_2**fL)U(k45kY>%=s@S^r!LqZBFiG
zxVM?M_<JsXO(-ZRkOAyZe#gjr`{zd>EkJ@AX11Vv@50>A%D42tAfWmE8C?fP7j$)T
zd`sAsl9Uu_+xu#{KMfA`UbjH0y6yB2^cy`rJs$JM#MD$n1A|fcvPH8mw|OI<q@<*<
z@X;cK{U&noRdVtz5jRPf@k&5NFrBdj0}|Ekmx0#S)=+MJcjhjD4UCoPm%!UVBc@7n
zLf@vOj25aU1C<H8IGlj~e04ZsWfinl57fwaWBd`Uhdok^i;GKII`m6CIepkUOj)>1
z*RB8j`1o4lfBP2VWDM><TRNmE=y?0=Xsf@scR`egk<l97P*3AYc=ik~XbN@?7*;>*
zEd>R|;G4Szxw#A{a`!w`usmUDYWRMc{DY9^<mA*ljgrervkZ*$TSi_x`kXxs6COa|
zXu1zKr$`Z?V|g!r#YZ?!yrb>*v<f*SM^Gjxy;v;P&LKd+O;L4wif0iZaBy+mf3@Kw
z_V)H@y5V;55x_6HJ%4^n7eIN?`-+vOTWY_D8R79~^!AIzj*bo+8yip+KR#whJf{+P
zy4Wc8cm)yu#b!a&?Nc}k!sB-rHhiqJ6C$nG^XKueFhT^g((`%IZKzPF;nBDhUNpyR
z1us!QEp*0+y?7QI>o{HsS8@fy4T6E2J7KZW?^g%~VlL#^;>98mGfc$U@y@E~yMVtd
zkPyE`w|5sh5q$o;4_+)n_MjsmVi!fX_qyqCghT9SFE*ZSH&<J>2GVqANd}N0Kok&r
zfi&SlKs<c${7I@UiGq;u-JBPF2Ppx&P1BuZSOw*mru*W!{R$(TO2FQO2DVESG5O&U
zECV(+Ho^mP?C<IzTDVa~)zSTJmmwy++uq`{yzS?|lZ#<3ntblONHP)uoNH3&NNh1a
z(&V$DE&UJuu}-5R6e{|Fr6fqTQq^QOVBIgJPuI{0C3PCyX3uuo!@$3Bu5W_il?po2
z(9}$bk8e7j3)0uqt229)%%(a0;gN*@?mQ^06J`4BVq#+4+?oZ$g07P_P#B?VLVmdo
z=YIi|Tlr&s8!E@-q)FuGp(6D(xQ17KU`pUq3$D$zo`s{J<rfq%Gc!Zj%>c_S*39_&
z_3NL*({~olP$a5D&W>P~3-sFS&qGQ1^aKs69}|2Y%6Ex&4wQ>}ryur1xw4Q>_=JS+
z6Ypk+^5kdgT`1`2=IUK0WFs-*1I4gStq|Ps71$U!0ww{C3f_;x!os?`IymzLoC+cx
zRO|SJ1TeFlAZy@?Zc$N9!3CqBVS2+0a45KNxEz=sg0`>))a&yDhEyMM3pF*hXRzxH
zZdq^NPD9>d;!`^czJ)`>Qno{BA_R#UC_hx$ph2l)$NFhyx_~9fWLVbIeyht7_zHwn
z`PiR4`50eVdT29Q;y!`U(H4LIPPx=;j2n4Nxkm+yn%XvDRAK0!;=S|>n#}2yf;07I
zL<gbt$vr2}i09C`@G1H39W*DL<iIfrDESx!1oWL`f1+jC$;Cj;Ic?G8pN=%RqhG91
zX3;E+U}0f-PA_A5{asiZ_qmpIygtVGzi`>t|9-xKN!%FB<Xvi9O*gm|5i{mIwsA-h
zBVRDw<0>F2c@75DL9}-)nYQE}`ko7=fc^84T68Mocjh01|Luny&rX1qQe-DPzw$l9
zVKDpAWR11Acil*BBg#_~Tw*AScbvG_sEUe;f{r%V$12hW?;oLET^_ejbrC$#fY^p|
z9r|yXVn-_ULVhq?3M`@#7zY)ED}&usQ-5Nh0|`}F$Wm0~L0{BuPyB25bfdbtWuha1
ztYYlXe(AiAjq6x>DsL!LEY=eN>;q^CPh(=Ppm*t-5k*0Et_>F~EG%?Q3B^KZRM_R3
zsfXb;QLQ39)lo6e-%%xU7>Ih5+SJ#KU6VI<(?|IEMj=cfT^cv}@09|Mf<&Meb}g-A
z*nSevry%OLotfzjwHC&GTvwNtKygjRH-ix`6gA559|H1{zmq@dMS<i%^2_qNC68BI
z?a&7}Q?~{l+EhQ%(}Pl<MwZeo0DumQn3$Mn13agrhe}FcA#%o?>%HIQKmiQ8Lla?e
zOHolVIyxG%7ILy0DLzqc)ehE4miT;uBPpX|fY{GAi}#x5?7dh?Y8WH^reXwree-|D
zDqI(?RaS_vpzV+BjrKUYa3+>Ud7oUPii$Ej^u26W_17T0nQ^@iJ71(95o$jppbPAg
zk;6dw@`cZtEclQ-CGD>tu}_bu$6q!UmQR(YyIrJA++;W9GK9}NAb?~}<|8p9t)bP9
zG5GipV<JH0BCIgPy((XHpa1ma@?#P({j_(vW6roZIKU*hA(I%@cw}ULWxOU<kezOD
zm$B)JJvs3&!oX&`{HN_WO;%|{%-yp%dfR_rb?qk=k7df37c9Hdb4p@w>v$J5Pa1As
zLif4ao0z`)w95_dR{{S>R;%sahFxq}Sv-~3uNVV%((*hKqBbzz4kUf)MBWF(2+=n$
zyH2z49(e0<(=sUQyu0yW)}0$MrGa!t;NN4rcaKX1OXw*fy>#%2M^O<Lb^J3%Mid?^
z-<?wWu&7dwlbtZ@O%n<s00$84>+k*5JpCLGk}zD}via!gq!1M>Wj^fOeHXg%4uWKO
zc$j2QXw$bDMs~k_gYl`tt_2U*={i+2+z*dtg!%bLx@$4{6@t<cwI~V~9^Vbg^Ahn8
z$Xv}E_oz8LoUM;R9QWO#2DP|EOHI0s>t@dYrt<R4OEY|Gd|Ug7v}fGC-WGx4C$=H$
z)$MXNOy=#|3k!>1QNnR8{QvDQ!<Ke+cgq}2KBV(4Ko|9+5r0l6W!4li>n1{pSFQ$=
zdFp=6CE0;}eyEsyfe3<dw4Mq<99je>duma2`bX!;Ld{m*XhoB@e=8Zc^@{;&Da%sv
z^MA5!s=z?`w1CLKe?e2Gr&)xWierAUQvR&MIPcN@!FmRS2hH<aH*&&w3|Cik!m|18
z`jqKImI6f7z;O5WUrsd+PK}Jy0T2gZ=CtNB!@YjW2w{Z!SgV5aTa-;Lf|6w?!<jmq
zuV%#bcRl7mL4$r3rKV;rjD}b{{Nza<77&n2SksWBOdowqq~%f6;)8FL96Y{ed9dOj
z&t~#jM>I(NqcDidlLr*H+?AFz2vvhx&~d&KGxF&{AO765fM(I7wB@CH;so}nJ%}1n
z<Mh~<*DVQ`w<R$%voZy7)OSDgYs-aW{eyZ`A5El5xKb5g#vKiLy&fbnKBi9DJxaVc
zDM7CK@2m)${hC8kIPC2BY-4}4f`A*e5KW=-^b3q=SgY*y-Kp;S`t`K1EGjArs>i>=
zvU&O6d1{$9t^-0e^=RJ^YzW$L9Ew9@<~zpkX!vb=Cal7$QV`xZhioIB<JFjKmn&IW
z3rBu8S}tgA8Y)W0ML5=*3F8zfOwQ0sJec6wvj7R{7JLs#)Jk@+T4X%m=*iKHdn=&`
zIUU{QR>QATg>0gz$!7!4<tiqh=T7~5&itE}Am$;gOy5_T{DNG2fj1htKlZkS3y4dv
z`~w5O?3N8@4e$T_8DF4cWsj^tqij2obLLBam6mn`A)W;la^1V>dJMUXDO*^xrKPaY
z7LEn|)knS!fgraoC8nV811T9WcF<3`&Zqb<X(euwk}k@ZMLd7_Dya8atp{e3P1Qk?
zYIUX&%VCo9Cm11?4mL5RSFA9!RT^@|jC?s4dT`ooCLn;c>HNL9!On2sve5!L<;q97
z=_`Sl+&Y5kgjUNPuI`?>*558fW6p;F+<>!%eC)uup1y!F)yJ3T{{T+}dbmQ*AIy=V
zr=VDUTo!?S+LX0Yh-w;t`yzN4bqPVnC-6c=XeeLt83C=hpv$<1>D|h49QyPF@7(uq
zT%`lgtRFH2*3iip2Ymg@DC4z+h45Y*lC9gXx?dAmuMz;|TiknXz5<)N9lC&^6Ch=P
z{s~G2!7?K?H8l|Ym%uoWe?Hc(@4Go<f+)?2nEO~!LVVBS<GsWfOooC#cua9Kkx%}V
z$AD-KC7#!!$-qe#fv7X<>3tG`s&c$OLwM`7cNV(`mtuaLTU(s=t_`|DxxB6dt61o{
zKP>#!QA2ycNRd}#36==nMoVST!_x-PBEb-n80YacdUSPO*0H}uT7hRHI?iLAG0Ru^
z_bBeAg>>OkdF~JcPy=9hCwq%%n0TcY_c=>l{ryjJWh3|h{-xkHTN2qr#l01da}VP|
z`RJoR<)3Y$G<@~85q!p{J&7_lH>13R=`gTyaVzvoUbs^be0-*aMnz>vhNf$gZyjh_
zrNlW@ntAhCBe4^5mKN)Kd1mHou`eg>SH0zIEK*Xl_Q<KMJ98a!Nph)bh9z3G>o>Fz
zzsDL%3U|F#7uG>Uh5O+$TL4LNgd5CbpPiovU<$ZqC?0W7(2gJlW6eoON!u?^Hvk${
znIcyJZ|{H^4>L=!EKr`CeKw9x7GHuJdJ15rZpw9x;)BE+9kfyuudJw4>$~EnY&p2O
z)y`K*n32qXgLm&bjTAx>O8#3)#_5~)2%j=vV3xm(m0nb2XK^01uPA-kU~J$a%BiNo
zR$}o+!_e%tyC<FW=H)+w6%ip7Ew9Vd3KeT8*8qX8g$V6HLjvss-xOgXyU)}J(2NJS
z)7kO~8nlC-lkHE+ggG~;{>>Cp6l8srSQoI=*&vySlY}YHAI~h1^WITNH+eYLW%Z&D
zZ~=JZlMu=Pr0%fFyYW<75n^B%%2jG+e-oL0%@h6pVFh|_Z|{@y^JXK4y+&f{==F8O
z@{i=6TQ6mna+G1F9>ckQ+U|KokIKn9d#JUO(`_nR{C5;C)p(O&Dm<-}XoR3afKB09
zX^~GS{bC#RP2Ss*AzuG}PmV5twuwzxvY0b`+t1ia$@dRyxem;~MV$kZN=koPcFIR>
zhi~9qufyP9;MFFFg7|cnd$G;-GS5uMMkj?q{LmjH1;F!|cGPUVs?>(WnyX-QxCSU_
z$fXFABQj0>4J5$q_+O5B><Kx(K(g}H`N#P|M6S)x$3(}ffUwooU1mO1jYObxSj@(q
z!&s^vNFI)3YK1jG)B%+fV%-0&Ot0Z29Ots?Y7CZhf0GDLt@}q%>PvMgi!`}w-Jg^r
z<5UaSRGt?zsT|s%4fW9RD=z6;T3&*V1PYe_uTfyP$;rv<YE$hOTkf)}1#8;V^=PST
zukD=b%?<-wdu?A`t07`kQG3BaIAKz3we1a#{?<FAE=zBFvSKb1`AVhN|7D$b*}M<_
z`(0#gL@)!M31ATAQz{*71VR&b`8Q{D)WAJLvZl^$RvdWw>A^Y#@g2nGY_kYEyK+Z=
z`%}`Jm|pf9FwLtv^coD`yOdea|CJl;eiL9?2FwAt>EG{Xye%ZtJK%s{`mRKES=!7b
zQ7H`L+{PV$K4&aBU%(A_s?cRnn9gQzqgl|>a{fbGM#_6F5mt~1oYPx^j)__&$bZhM
zwH(Y{INXLebn#yW2}Q&TjKm-loh4~Abq_h##|={RG`CX6Qg9y!LYD#hSO|A8D1EkB
zs#_4etQYnx<X8%_#l2-u$=v*>I&W(osACjX!JZA(a%wS5i`~udV2s|-#v~KHMpY&J
zYl31Q6u1MpcyS5N2YXML3Jc!;@AkcS%l~QL&x^W&3IW33wNTjof;ROgI}yx#gM-g{
zn;ZyZTj)jLK#(#jV+E&(<2eBuvN7?&L;FL1^dMRUn-WDl-8)pz*aj)y_}hD8D#?s^
ztn~NTKTQ6zN=Zw*Hg4fK+ERxpoePdXiWA&P?`x&=vobOL1~ujloDT#i;C(KETr8?=
z+L$@K$lz_Uy?tQvJK)_I4te$pv@}WDa!XFV7%8shDc}MRCHBVcX3NBDE9l~HNv$+L
ztBe>T{Owal!fsE{hSsL*H$XQ9HRuRXL8-w2U9wOXj0vQ6k^X8AyQ;D7r1PJD0s`6G
z$H(0>zK@<iQJfq1y5nccnbx_=Z|aNkN!Q6~xb$wmlmGg{dTNkUf4=WRtXcqvFXBcx
z^(PK_%A@Cwv{&z}{--+*N=pEk(J$#`v~Wr^()AkLEa;C&sHlM5DAa~PSG*?8bdr;{
z{8?g;zs9si;nllz%3Q7YW9~E)X4(}y0o77cQZjpsoR30@XOFLe;TnY}c`gg!;}=ax
z)`jT>U$C26y$=ZHOyH8oR4fQ2Jh)er`w)%{lyu(e>U1LV1|jM_FE4(c!{l6$HXw4i
zF8l!+Brz*r%Xd)PT0_o0@CM~CkUN>*&@U=3bg78NVUcB^O^wV~XdM=8Iq)b?SmO`Y
zb)b2)Z0W2+vf)u9Y0W|Md7+#%<NG+!Tu|lScb@6$>JG*ZumyC37&d7V4wl-@XRLSc
z?yZ;P3=9sYiPqS^N=5@+v-ox@&Um$7Q$tOS2VBSFm2Z2R4woHwp7AlUNi(svt$P1W
z^tn;wQXcb?RQwC#-r)KQ$0JS`=n(RAE(aj<ZOk<6fDADe%nFRhSXj?sULfSuJA3d;
zZ!-J!R4g#kXJ7P;j8;?&MopiZc?kw&^s_q?JWfITgqi#BE2m<?bG_NyI04DU3oUWj
zqH@`MEj;Hvzy-X;vpzqVY;dP{pMX3fqodpYO9vCWr`2H>&y4*+j(|qM#?B7v@U*}&
zRl<s!H|6PS1q+Fn$Llu}LF4ZZH6?gk5UmPE2m>8+^A;#A>7gZ0B7=TR@Q`OKKs(We
z0VpKOn9lOG!gDxg3|dd$oe4)lus0193K^I<Isd>wNRCXHboDvND{RTP@7!_OU+RTT
ztBfItAMcxz_$^e9p@Lq6Qp#$qpNKKM6qAGTfRtw7N5IJ4#)MR4xNkUfs!(rK5smfv
z0F->oki#*ce9yM8H5IsnhDS5LP)5KzfgzY7e0S+r2{Kpbpe3}_)ul|VgQNjUeVf;E
zA804vzI_9!&_CdX@GVC{CYOcCXLGIA->G4g>dO!IUfVSt{~f6^91y}lh;tt)j9U%i
zkWGwM!gnU15#@XM^?AZAk@)Q_;YVgwX7xXv6BipLY=&Z@n}eigmRHe0TCCD5Q;@O)
znGr@7fxG_%XfCztDs1)kpwFp;3*ll{9>|Za93!%YFhw{azV`KgBu;JOtQvVLftqW_
zKl`I|T{5TZPCMNv%$o8M&8JGozPF!ixSg%|wfpVNfnKLl^0eJ|>#gORvO(VKY6H0j
zju+%ZTfpDq``v#I{m|NMZNsPV2yRSnWf$JV;dn|IgMaHm4-uiy!cd-GWPa4{?(RFc
zss%zk9pckS7{&pI;W3O-4$#noJktE&b3|q)O~Zl0N0DmZy#DLx(9X_GO<nFiq|z<J
zifiIWt-Mi#@+O@n8vPGG!%vJ<XVu>xai7f6Q)6m0d&!hi^buF6C-k4l!!r=e2y4V4
z%3HKTL<|1><>qi->K&LIFrUz;ez7R*KDVj)Go6@OVdV3DuEeYm5oeAH(deLPPvs&)
zhhfK03*jv-oZ@fR>;qH0UAm5Wq-d3%m&SUZc9GV&P-IHo`3n#4j#lALP3f%XuzZOl
zWe4B?BCY+Lweh#x;&X#TFF<Q|AAbF>=@*jiOUPcC%acWb^uQc^VMHsY(-Xw@#}GR*
zVVA$ZJZlFf8p`B5t9DC0z3Z=M!1O~~$gTQZbdYqQsy`aaeKMo$oGvC~vt^3n^`%xd
zan<a_<ecP6!LA2C>uqkdszGFNVKg!St=!w;)br}$e-UA*iSC+WpXd>*2x-hlid@=H
zp{hyfYu@5T8dCp8%k;Z#`Ne1m++9-)Q|~yJa`IDtvMnc($atPb!q0yaL`%SzzP+ML
zBK0%9LR3}zbI>w_u4LT9;yS*R^WdR%&T=7l0*8T5`^!XB>j#ylO@1*h6Se^KLG!Jw
z{MJ3-GDc_?HP#O*9SD*!YU*!cXdG0YF)vhiif&H`QV(C%jnOiJ(DM^WjkUG4vHaV0
zrnW07iCP>B{IgLC7!JO9UEV3)eg<FYP$^M8wDkD;RKvFs7ATbnZaZ3HTH03dC7^x7
z>W2JVP8+b?e=Fp2)Pc)8`pzQ5?@sU2G<sgk7SZ67T?v~F2j_`*7fZ?7pwm@kSMicL
z7ys<@;T5!d;N}*c<j`Qe_U8HXcvlicuF<b7{koYQXZ}FZ?+n)O4Q#FWDHS&5Y+lyh
zW!d!g5WQE0SukABw@EcD9+kvwy`(bv9*tjMA?zyhmPmP&b%p*7vky_L*^#};pQ}=N
zp<3|r@c1r<e*zwPI07{UblbLzqZ#_(-Ouy`r1??N(L&CnJ?U&7>e@X&m#@&WwjhTe
zyR0uk;eSC(s%mTssscRc;Pv%6RpSS0BQ(kFzHPF7nQ+JO9h9bCsR#vOQDAV8O43*7
zj~8Zo!9oI=^=m@K&6q|Q&N3>+=<MiFdO-sY!nZC3tJ4ABQgdDT_CPjLnGgouCvkBP
zkcNen1{JaePriL?rhY-ERi849wJ{O-oo)Mh!B~W)RnnU@=+XLdMQeJL@s_;V^abu#
zlkW>`&W;{UHWE+QNBU|NC^xSFoCjnMTHpKk@3R|z`#Hn>N2NurpPP8bjrXUGJ8frk
zp=Vp5Ubh0|0D<`wsC<-9Uw=OZmkA#X#V+tfErV9@y@+=;6_zD|@~#ayaUhn*tB{+t
z7=H}?h31BKfLenRTj}GaR-%;!^PvIfCwmZL?@ZoDh;Rvm@(Ou(;wvkKI6wHIofEu|
zeLr8Xj4o*NJ&fedLW8yx)+(98dy13nvN?&Pxa^g{lwmWpfQUhJ{m_h=@3<0JE}^KZ
zj+TL6i@YO9<rL6`W!h0=(OBsFXg8F$rE_5oo?h-Lw$8_$n`(#QnC4(d!l{+9lI5kB
z3W>yzOhdotvhnkKL16=hI0Ou=3?Ub`%4;F_7m4O>G#{ALHBal+ia=+b1i=Bk+81U-
zh<W|+xNK+H4%+Z1i0xH*nD4x}-f*}zhwOl2P|xem!6s6F9otQH^t53v@R^11bV7qo
z(|^wbfQ)-}u@eTrjx2F&b<|(@C&(2k=~g^hJPE6-9mAoy5fG4=W}M`b<|nFs{g?vI
za9AM*|8S|1v4%+>@z+5h3wU&rjbL{4dGFlzB42=ME|_plF3p2!(4_*J$MK`j|40ql
zX<`2pYE_1|tMM<SU+VbhU$8G>TFn=5759Ck^aQbx(}QbW%poA+8F=U52PTFJQsP}(
zjzDAYio0NZK}cgSbfDnv?dsH<U4X$0&xmTg;d|26i53ozJS;fNxN~rF=F7YWlLExK
zRcP(kGhu|yxrN4<Uzi@g>g`47+{IRYKlAxP>5v{3RbrCv`*FF7R+ooKhZnt2$krCT
zv$buArG|?ujAVU<5ucX&$c1>K_hg`FPk~2$?d`75>7OqNO+OlGiGAZAM?*#;MC+1P
zBV1aO`1Tb~#a>^pvbFwL)l+6BCKw#|0y>kKnF-|R$3EmxWAl8O(jK@SNdYH7uV%K6
z00;VPumy=%u<@aPDi{)HI{#xh9X~la3AWr7)LGET!R`?ayKHg)L2T>bkoNj@abe*m
z7?xl(0*WBb5<bFa<|KVZ<YOmjRLY9{=e9<b^)6oK*%Y3*#TOoNA7wm=g@w9^DEzc^
zQ%|hBtn02hfJnYUreE9o^VAd=VLUku3-SS`n-=4R$pNr;><MpmY=3q9&_k1+<_GqK
z(9!c3cN&d?!90}kLe!^f{nZ`gqs2F;8dRP)6P!5W?(8}jfhDxQz7CmX*5ZHHbk)Gb
zgd-CnkHyN$YLEN~FaRC_+Jbe6<iYT*N8Wf4vtj18OBe2EWDflsnA0pENbPifyM>Nu
z@b-4&%&*%TAma~iv)8$Pv^{%PQQZ~@Vj>_WbNY4SE{o`Uc)S(lUXLrD+m?^{h44T2
zQaGv|!6uy8uwWS&bKV(W<u*&Y`Sr@Y#eXlF!qOi+>D24pE5TwVnNlBR`IE@vAFoME
zV5m>7)YXNI+fl_J`FPM2dG%C<nsJIdYN$Aq)>0FUjva9A`UeNEz!Vjv{(j57WuanK
zG4?$~DZoKjXvE-7j!h<f4S2!w^1Z>+rPnXLr{#3*8{gRoQiHnhI4~9wfm$(E?sJo;
zh-O|$#Ez%{>?vRdXCTr51zd_;K{$_<*Taj~r28dMQt089ym7l}+wc?(|7WF@bJ2J4
z73^iImpC}(9CQnob3!YI51N@nu%%R-Lh=?kxbd|2|2+M<z2~LJfJt)smpXOe*G8p1
zOd2<7`eX|{PB4tGTLHyI_=0ri!MqM^6DS2zhokxc9DV}ePGrp18jj+*G--Q;;(;|@
zb01Ng?w_|Fs_LqcUupUiJ9DLv1_bh!JxuVP;DPMG)*s7va!^_r?;}+IOjOg;?_~UR
zh9OJ`8R>%|c^m@5#2((ZzUQjrWVJ3t%ei{0UyAnxl9H0ZZPPWwY1qqAG^yKg@yKqO
zF#R6;2Hi~SFh^%WEYeYy-&RdB1T`HRegd5ob$zZ)VkTj_2DWOH1dQj($lR0UGXLV!
z(vNA{`39a+DETqGw7AkYWUZCZAs1dzYo`+ncBB;GrC-5+6Rw&+n0#88e`$D1-!#NW
z1X*-`JzN0h7bkaY(1|MXHavt;xLc>NZ|NWuC(eRaDD%h^7m>f7xy0ZQNK!UTgnY?~
zp>Fr#hBK-&iWg^$_&UABQ>QW-bHlr07*2~F@{`4rr(HxTJNpa|ec=x*fK4@gE~=;c
z_`LW`Y8lEsv|n)_wI@k*zdO^@*UK%1<Z1LRo^~D)wnH0-F+kt#pJm{gEeI&~1X|R}
zr;)Gw`h{c(I!7FMVGO?o4jrf^l5Ftl`tc1v>~s0*WeC*kX}scdMIz5wI-3cvB=-IX
zvYO1vFSDOp+Z%ki$Ir2h;-Nujp=P;^BXcXfwYIITmR8@;LWLzMef+zruYBI75_1-_
zhPJk!C=KY>f5JPx?i<C!^u#IDOL}qd(yL}R>C8&8NAG`rcT~|3eD=l3S>D=iy0S)k
zhG6jIA;t6^t>EDE>-sbxvBLoi*(jpSp+QdxldgMpWWOsjV-#=)#FxqU%^n~buO+g#
zG)YpK6K&rzpJAcur2EC8pD@G=G>jB4X|j&gMK~jFd`jv&b<&X7z(|fzro=UjkR$wJ
zTrrlOo{ky!4T+KyRSkQ(NzKwOJMjU@YRiqTdQ;Y1BjIcFyE`me_;IM5X6bS`hMYB1
zpWI@Yl>vyp!D7+<fKu+?RXX<M6-RmK#c7+D`9Axb5LDTpT?5a<UMW7n_!jmr@sv$g
zf{PZNb<X;|Ne_A+NI+Arh}?;d1hs$DXFw=2;rS+*EOAi7)w?U2o^d}fA?n3jTfF41
zq@+>}v~D8qpd}SWJFmvBdmN_7YA$$~4oucD7+`?E%m6+pkt`y2gzRBAWn2}TIhEwi
zPr6it$v&OlE>F;_a{BS=YU2|{tZ!>R&#*w7-12qCV*BCGJ`jcX0OY;@QPx*RMb*Av
z4~>9?gh+#cq;v>KcSv`ONT)PNi*!kMs<a@WfOJTQl!%lfB`vMM|C;CbetTy<A7;7c
z8Rne(zOUHV-upm@M24NjB5V3^=cMIleoyk<>F<ZQOsQ(jfp^73&Mq1T&>;RJ8z5K)
zQ{+?|Sa~|q5ltKDu|$&QnM8ROw|k5&&4;6Y@asO>Zi*e2-m=jTtml47cxSccuE-7T
zO*B+-zlD0cN%(7*?XGbVh|<VD#k)<elanDogH2l*h&0r&%W|@ft!wFGTpP7mfsX?W
z`&q2W-|>z>ic@4_48QxAm^sQ-NEbi+)`#R$ggt^UxV+rzO)alOHNGUq^7p}Vt$e>%
z)i$q5=Qd>?9C@1d+VUT!jTy72=T#LA*t}5m`+|;&gz(13ZmVr+EhHAIY&A<`a;m+K
zKKphjRES;=z}R7FHXHpmK0^-OEn*ZB^Ij<yc6JEH?XD}KU;cCJK`-mUE+FGD;zlLm
zE>3@d_*TxeoycrF*H2RCiIdS<iN@AK_YJea+eYA$FxYjr;mGefaAJ=sn0RnNRx$aD
zm<PcSrG**;Fby3mtCDiMJ|*LsfUb+Ym0UgFE!&h>AudxKdrvtIjhR~Q`Z_*E>n*kB
zz~`wC<h(F7-9Y&RWVlf0nLDro+$28f-TnHmqpxN~yHho7YYkMHUxnQndL~Q-G`B%(
zkJxNp7AX@G6MK7mnEzk52vSH@tyKt7?8I)MRy8XB<MYzdHkh-m)C$?Q_KuP_d_R}7
zws0%~v>IhKHL!?@flF4nsWu!#SJ>x($TrofHQ;c55`vAEv018mWpM;!e1!zPa_<iT
zX5}}`F?{~qfO<MxsO5qIlLlOL6czUiDl?^p&fZk6==DB;VPZQJf5i7zBY5S@Qz4&S
z0>=kN2sNo>Jr9wK{PrD6L3Kiw{Yv`RA8j4>4HR*G1u>hX<s_t}cjEdmaLJJ8e|elG
zG#n=m<qB=TWOnB*LhwwI>N*kbN^0tKtG{<C225~vTTd6EMr&xkAUo2*1r{S?xDV<w
zn`HBC&MBzM(bW?<av!ZTn6Uj&04XMNPRPRfVjf&u62~7iNU{fie&`-lb<+ZCW5vI)
zJb?>T8$dP-TFbOCdFmLrBVaqx#l<^~cXcLHvfuRr7pCt1%OO~1ew$3~Dyt8?Nmta3
zXZ~$5u5kW9Db)`Ikx9wxL+@b5V1)&|z6H__obkHm@N#D8a}EI`Ly}-h8Sn(L;tN(`
zY=;E0pjrykC8GJe*Mc(`LKn%kiSCMTA=n{`m^IaXgl>R2K0@n$o&&SvazIlk1`@6L
zY(@jF&et!QlZ8y0JvPhU<Xu1mY1D`pub<4Umi3Mn+AJV8PE;CpU_E}T?1Uf(5%MI-
zbfkB^)4U!KVJU_y5H+Yds6Ir?2tXyY5cqU>1>%y=f=PlupoIE%a5KZJPi`D3qXKTv
zsKlYq07M=jZDysXpYFCu*=6$Eju(JdO<83{knMhfo)tsnUL=s0d^U@)GVc(wULiiB
zLW~8}P|t`25e)o^Jt(vS0j5`oqbRNCSab)T0!-Y~)6<3Qr#2wmK(VT8#P9)*tGb%n
z^VKAUE7&e<oH3LI@9}QcfrwB8B}d-~KhqV#R%)H7ME+JMguy{cY2f_N`ZeM4cWgoE
zM~uwO@DaeX{0qnhkd~_JWu2e>kGy5x7GQ{sWSl@{&I3RLi3~#u1=5@HP$)|`bcmn@
zQj}N(@|n$O&J6;Bhz;>h0{Jv4!e74Yx!%r;pODfWc2328Hz=TB0a8*@V0-EV;G~`{
z7{}S<vH1nkTzQHZ4QQLa07HR!<bQt=$!H!10vGTLa1qc6Athb_uJ;31OcPRFG%0%u
zSr2;}r?J;^2a4GWXfp;B?FcnBGzg*YxfUBR3x!xuvX<+;NKZ-ix%KFaim>qt8Js+*
z3jvE&#{KaCAejJw8DIPY@Z#$`dY{k*6oe#9gMmgS;<;6V%oopqG|dR+Wvr}G&kwHu
z{TZY6-{!%Plm0gh^j<!@FN_nWBDv1sHxQWi1~U}N`c``M2;b%G_pfyG`|Rx6%6SDp
zf$s${^2pejz7Zio6C^%ZwcMSNp`m$@E=v45NCsju6r3J#$KhAeAZgh=)n=`1CeFGV
z8bG6_WubqhQ3oh8vK|0{R~x>@7j^`a5vxfrDmw4d<ue8ZggiJC1u>Yx$m{+YMj%dT
zia3R^Vcx#W%T0lb7>AVw*w16<o35RdSmC>O<JMbkaA+AKw-<mMHk`p@1)&Q03xpMb
z!ma^QbErXMZgT-jDdu}<?9%$nCW%l2iSGbu<74GhehSc|T+*q>VIX%$1Wc7hCqohY
zuw`=}`p+c%KxYT8D3wIuKiD*|R!;b|;sEy3P9^|%3}|dj^FScAxwJq6X%>c=-q2(m
z{QL~WBxLvk;x}t0Ad;*7NdQX50IlsyiIS?SD(nUj&HJtm-zk-=h;pS;&{vDpGBTow
zC2IUP24&<&K#;(91xm?z)oj5X*guHz_MmGd#T95u@CWa;FfcGcet?}e`Oyt#ikzIF
zO(;yR8(f31qLRijS7(h3=r>-5^F!@G#cd(E^G!?2y1Tm@>n6pjt8fZgBWA7dpQq{V
zYN^T%-g{=HOgB9MA9xQOP+)c-e>~E{0**fo;6Tti*wHs&TUl8t4FFMA#O+595cUKe
zX11YL)0fxtJ_Cg*5_R5RmMX<?BhU$_9|Dv)R^G}W!=zY(gJT<-Bn_jjtS*>%uYOMf
z**hC2s}?7R*{6?h-$v^D?6saI|6Qy$6>a<nohcyYChsglXfY}cK~t^<W8NQz&ckp@
zL1?IEcOa7kA9y!M8G(04+KL^?BnFCfY-D7C|7?}<oBB^EBfv7ab?cU1r2$k+;=zlj
za078qaY$_t$@%&DiHR`Z8~ZQ2P+4MY!BL~8etx{AOAz1c{!7`z;|Q4jtIx^^2Vs*A
zxltitNADm-v=9L{iT9z;1V;QLAdiAvYCuR7+IN_Wv$8r{AWJ4-N0Z*Z&CVG~04u^o
z=~0(h3RIaZ($B<$gM&y~`w9kG#`0m5#!o;_0EBA?kXk4%{N>B__4O9je{nt?FhEB(
zO+eE2hUI{i%WQ>IZ1yPdGc&Kjkt<mP)+az}f4mocZGicFeHwKAreHWk6|^VtGBC*a
zXBaHG3=9Wo?k!ZDm)cBW;$OD_2MCsyl|KE0E0y>9C^awvD)cx@t=-V3fz%wvGpF#*
zf}g^;-gae-1{jpTiT#0^+_~cFvxMJe1r!hD6r;c2LVLt>V|)c_0mOKvA)jSV5^RU8
z5uKOsAR?07zP<Ep?BPvHK^-G9A<#tuFFsTJxrmyKxt5l6fGmmyFvH+5J^4*55hw-*
zC%}=rBAZeJ>gMqfS3BGV2xTUAhTkm#eNc`e9He^S-jjcK0XaM>+=mrtlz34?pOTh_
zgA0h7QnfD#d#~ki>_LWr=y+U<T+x3(LtslS2Qbg2^>_w?@PHdti`IVaXPUdyfanQ1
zeM?DB29-cDgfdpPIu1z7s0dIiLUJhXst~WU8apdgzu3PMy;^g&-2C&cgg+=D$kf(;
z@W9IEa$BOhAg~USfy#XYw@g6W$Ot*DU8c~}O5515&3y#v<CGPC1rlKgI<z@Z#Zy?d
z$?lt+K>$OdO&%_gKEM_R;=N$dRX~x^)6pC_sVcu#Q&oT!>mg$5?p}wi!(M=HOt)gP
zkBwb9((P*gW}sd;+=Zl9eUtVLTgQHNPVeX7s)6oiI|3t~;cTJ3hFP;er74l*+wT^E
zd@l8}pD;ZZK>h8n1p!`ad1B{a!GReJ$o|92qe;LnJ#H(x_^)(f9M%Fdz}0$`%&XO`
z1l1$=S{%;nO>5aK_~)j|Za1pwP-NS}$H&LC^`5>UaVt!qMXuZR?x?We(MFy15bWvF
zdOGJxkOT<o2~$!5zW7iF7qtVnH>H66s{V@DFG&1A2R9ra`B(@B5x}wVx%%h3DFT=*
z0(4n0j#DnxD${`?R^;6!Y(<z%ZL3HT@%WGxh9;v^Lsp>$afi@SKyf`?9yhrCrF#M!
z1sLpx64*b9NAo2lo(^X$D^p_t9Vr4>*;>t^z}>BwMj)|U5i$^)^78VQ5PYw<d!^1O
z%P1+g!DCc)0*MW}ocCWseY%#ePCmeiQ=ZKf^}cVaM|37DFOQ_)192U!KTjpWy8^<$
zNi*uXy$Dr27=mrFGu>1CG?YfPXGyvO^DmMV#tk1RS=L5#=Zh5xN-++?p>Api_3tfG
z8o<+GzVcU%X3q|^7jS^XoM*^Dh(z}+UKWh;o`nOl_2iQds)^bL);PlvdBya__h(}m
z#bKB$nKpSzkr8Jz#xAuJXQ=r_MMdj*{`U>stu>J3RY1RZ9kNuJd8KRxvypallyUM=
z7llNh*gB-(8lj-+9~rs1=oSN<XJou6YPq_YZ9mzZ{5%Hr90Ya{X*daH|JUer5f(xL
z=3WkSmzZAZ#?9@5qaxZ&&by1j(c@Nt(c8VB`|1{7@bmg=@A@mZOgKO&tp|OS(fvPf
zLMbAcy#rzhC<{&#m9<}@6M;&)xvSRdvzS8@<i0%W$bPJJbstq}<SX=xmX93J;`9Bs
zST7=!$%ULv#yM56g5~2V22^>-G(ZZ&@X>>ePJ+*iF2!%K(x^fCM@Io=&JB6EIT_GL
z6~JT#>L@)U!kP?zyIYj}p8y>ML5$WTsxk0`ftVTuOn6At4_A%CDI+}Zvx=!n0JMQ7
z`S;%Bbob{dJrxRp!ub;4Plqf{_P}4MM+*24)Q9WmA~Vh+Gs5x59z|_W4NXp#HQ`b4
zzlGoggPdEQs?6HXO!ebHJdWW&L%{T_)o*3zt(OLo-!K%EFx!O6&=ZzEx~HcH_~q5c
zAL0Xs`};wD*HFjc+XwiSdX6v=Eo}`FlPQ!l07sCL{iDUEP0ENUuB8V}0ks~u;7+n2
zDwL~R&Gh0;%(ij0s2EkJ3=Hu&O~JVq24q_pTdu;;_JMtXFj!6X>i?j>wS0IZArtC6
z*oP4F*PHDvWNyzY$jbx8Le9`q>^0mj06h&_ynxg5@uhz>w{o_~|8&uSz)Ht<0nrQ8
zwaiAoKwrD1Mx>@h$>=0+r@fGjWeKsnc}N75*u@isHJWkq-Pvh`htNKqDT>JA)MGzH
zPF7$S(kHf@6~3hTvgv_H%*>oaveA1F5&=quHVwwkNMd}qj7{eM$AIdJPl9y;-xTqt
z05``i*9o`Lp_eC#aT_TLbAodr+C8Qhr+fK1Ioq|`v58nTJ{_g0QD^8n;WR)UdX<@J
zS8H%}kPsB9_Z3tKw;4A-gN!Kv>LDo8;ACst89o7e<ZWu|k+d8!-#VF>_?Thz9~rcK
ze+gvq+oSSqkGd=w=n?^UhmmCN1J(IHr{;ou!%tX{_S^>(jMWPdx1Qus9MM!vQ_#|K
z-NSmJ0x&A6M@&d4&|PUJ0bm1<7{!wI-RpkyLFc8TH;QIoAPAPqB@RIme|=mNRLg{v
z7D3ni_;HaIgKva>^gE>-?avn}7!GM5T7I(R4z@FzH*f#PnL58d*%f6gXAeT0c}IwR
zk<}3C*C0hDm(DJ5$G(eN8_X2lL(wfoOt0yYz&v5=iV;NKU*|{?Ht_A%?6SP$-AK+5
z40@bU4APRY;N|h(e=psHT+A`apJw!R|9wD3(AKoKz%}txXvui-g~S*$4o9u;O;2xc
zf(1=R5nS9Ds5wm7u<q?Fw9NMRD;};}6m`ts>vM!$1=08RqP(u5Q~UzzdC#A$xAuV-
zAFme2e>)0_a&f6&9VjYB{KeL671q++_%kvl)W{*#lz4P@B=L<cuPqO)BsVt~DdX_;
zgjOqA44E8KQ&WLo^lFtJj!@CC@Z&F`>|H$mXZw~)N>LRR6{V%W6rK2|>b=n~)$%me
ze6H`GIe(SyU;hIl1bbUs#TrA>s1u?#wjjn;ZJqhTJ3W?^X90isjP6=};6>$ZmD*vt
z5fv{YDhgf{Jx||XAEvis2hC?jf)I$wP!_~0NS>}T4JNaQuCDH3I7$w7Z*p21QWghs
zT@EW01)-y>3p%-2uf3im7NX?htSJF5on294l;xEJS$cvA??cxGik9W?4_i`+lF?-p
zOifLJ8=<GC2SuQhtu3;Uefvg7g+V|-0018~HMPo?sp)BeWQ}t$NJBYr4o+^=0`=E<
zzHww=Kxrbx0)e==xPXGIcsA+|_gbN5{cW1(F2gH0jurO|Use`7XTDJ;@Zvc+d2^rL
zslo>*$Z<M<zqzFayrq#nbaS(a$BTg{I1(IYCP-W#sx%l+!SKaf^IJ<(6Eqzv$#;}h
zZ&6TC*y;;cWA`2cu&U_oIgmy2$VuhFadd5UX<4=P@RwIw+tx+A+}s5VWuNGr87fCc
zC5@RCjh;HLX#4RkCJfKhJ~$HjX3pcW)LQ$Y-GF}Lk-ECNvhrXE8WsRfZ)ag-C~nn<
zw|OD}Ee?z%#Pey1iJt+h1+Fe61jQZ=0>$0C#X!}ClwfCXul&JVmE(zABypjEkJuu#
zeK0f~SaE$aCFi8#>!fm?MKVf2sStog909iv=~C9&8Di#QNcnU8ZQ32<q1c@^KDW*$
z%Qcm<N|~9PEozI;ZHjnas#IN%qutvtpUBJ0TU~wP;P4xoDFZrO-ppa-9+$tgcX0UJ
z*Qckie|mcA?db_L2XT-E0<81!;ls<zOV|`hNrM}ij<EX*%cJneNIXJWnT?e-Y1e9D
zuI<kJ?{WQizvU5comjcbn(i)`G3UXRGcz%Pr!cz+;X$MkQGC{ZI6r0MlX`qZp)bK(
zJ(KhE*;!f5LDyI1<>i)?u1(*suCBVeq!Dy1Z`(;v|0an8iz)DDoDg;>c%Bg+r12ab
zW_@SqrD11d8#l)kQ(#F$_N1Wx5)~b)j%hl<9VIP6bo_b!8K2o1(Gkao8f-Be_iX2O
zk7;zJ6Dxt&!pF_rR)lNqeoyA7C+@D(xjQQHWxFCRY&9G)j)q##?rp6~BO(ta$XBT%
zcGZ^UD1RFjebHXl>}yUNS`aEs>k_?1Q>dDmoedPFKp+&=?J73!^QhKM&(3;7Bb$+t
zF*vA9KjI@slkoYKvCdZ?L2mBx>FM6bwItNo4`IF->xY>c?ks-c@|@4~THRsJ-YBn7
zRbIL*-j4}>0;Nq#Z7V)PSP;e6+E9RV44o$Xa+O!vg;cE+vD|rr7QE_UUa+lF?!>CT
zEQcnU`0VRD>YLP`s3{67fqu$qAlc5DEle~>mOkWUZ?EM+LOudK<YifwBIrOsX|~Yf
zt>RtEplmV4zUyeNgReE8*h_^l;SdW+CT<XsEpwQi)8$c7FA`H`=H|Vtcda@7E6p0D
ziEW(ctcKL6l1d}F+7E6_#rH32x*5)E<pu2E+Rxo1ETj_iKjC0xd~&iq2j#Q-ZyonD
zG3hxZ^7iDiz2a+6n1X`bDF9DUrLC<!HT2fGTrVv_ERUX)u954Ep&&A&Lvy;n&$X?#
z!m`1wMg*@>48$tpyA-*M^Qn1Mjgva(Ou(+MeqVv0d%8J5x6WNxjBds+G#W{1Bb)a8
zi95BR^n;Dv-TR>Z<huROMPPI#TB8vlk9tV)(4BzQ60}C~Q^P|;L(|i#2UrO5V}GLT
zi63M}=&WPL``?%*paI+|P7qJ_Ls83hzx$h0=WCLaMm0l{0M&6(R5ht2S>~3iC#Qq)
z;DD57J<r`5j^B@0ZXDuVJe?HvcYsBF5|vi9mTFyys!2D0gC6b)pe@A>4XFX5=%%m&
z&!ESJ(##C>sh}FPdhEu$`UZg@&O<&U;4w_x);z^Ph9*V>Ub`w+E0*L{Ne=N(K6mzv
z<nCnarwP=vl-%m~jg<6ad~+jT=piOT+f>Elw&7~w4QX^HQyuZVL8X57A!&B~3C=0a
z$pf@YH^pDA*N5RR<$uX4DY0^JRDS$;2G%(;r?_ChaJ}PlW*SM(+z2`+Q_}_7z%wZ?
z)0C<2QmL7n`4taQY@G=Z$u-YI+UW27>8Bj9>)O7TjuLD|9K1WoIV4LQ4hJfcK&kCS
zPHBW1i&zN$i&sN5Uwzu-X~r1A)(ZRX=|yU2$TkQax`(IdlK<Yr-U#~Y*;a;tEH4h1
zpc0;!?D;~^*;!d%L_`1$<OeiFND;2*A8mmBfQ(R5RmHjLh1ZQvPEP*u<HwE7O{LRX
zncG7ML}pwB=_*y)<*K`x;Y?E~NeD*%YA{<Cv+U0t1h?tZXlD;+$ZfTmq^V<JnS8XM
zVY>LKq<!pPl5my1y)Q;y&*65-*I;KyyQ{aBsy#1MmHHR2?P8bU!F`#LL|s^OWN~}N
z=KJLBR|6)skL5HqCy;Q*#zy4*Hjop7BwN$bf?Qq{$peC;WPRzbVr8nLnP%R{@$k;C
zphOY1NWnGjd5t0El#~7wTkD&35NuErcxM_^4Lk!&;$>qsW-2QycNbe#S`MlX42UAu
z{-6}l1-_(uWUaN_7RdYxsagaQ-Rsg)sMTxUz6B6K1}T@0kB^uB(a9~s29By{`-L$v
zF+j`Gp<x;9$(D33#&O3d&Wnp^d+$*~^Fl)T?2R--N?BuLBLM$sXlRg&UZ8UeCXW&c
zlKy&))siSc<@@8yWWCiBC!y_LxO!Z!Gm{T}_L;S1Z-g~n?)}ybu_@w~cVc#>zVzBC
zE-^dC?|s4x+HXG~A_HnL_x-yVkLFh;YVwF1XS3~B4d6BaJDW{}5D!sMSLc54qZc3w
zZ4bI1N&G}>+xRXOY}x5qL|J2}7l*FLaky%7O{+b|w&F_}-6Qj~tgeiOe@A=91FqiI
zkjil_SGT#Lu)OjuJP&{(qG9e1s-eA^ecz`kJcMlp+k4|XA%lb8wqsuxnIPWb8{W<u
zQ!wwNa(42HNaT+Vq}tl4>$Bj7P6}@E@0At$m%H4KU9Qib&DUAuKIjc*P0Pz$1bBh$
ze#-CPj*Rzmb&EGxn4aGw$ae{x@jjF+!==`W43yI+<m79NEKU+hJ6S!QvN3X%Ssqh3
zgZne^Gp8SOBW|%uofcb+>>+yY1wYC8+a%|7YRs^eJ&8_&r4H`RET}Y~s0H-C2(1%=
zz`J>qn3x!#MN;ZWAI99fvTry_v07|14ebmKiWzFEw(cNScdnOER5zkOnx$U53{fB7
zcrr>^W>U;7SI5L=_VPJhge8A!W~MJF=>T__aL`h&#kAaC|J0p2qP}IWE4W`Voicsg
z5R2zIJaSYiV<Mz{xC(^@uslaIc#t4*qF%i_ogIU0j9ON-J3H@}@$*o)y_|d%jpe+j
zxly;OWy&s7v4TikH!?RwGOv$v#bhhLYLL|%-&tuEAd9P0zC|8k`BT=}c^7)O?VTMr
z29jPE_51mQN&(+ogA&gs^StXjX%X=zOMfHEK7X4NMK`NtgFwFqeFX+4<`;INcya#n
zz10xR8xti)+M4$TBuIPqY}p2<;hq;KVP8awbzRwgtL1SFXNg>z(9?Z7yi(+-O#Qg3
zUlA?XGT{LUhG!00H@A^--ID<TK`#IOlXtoBs|eC<SZR6SKU&2F+`#@&9kj5^Q?{TO
zktWyq1Qikg`QDx0;o)s4`2Yn<;V|$eE@Lop-Cd01ROv_iHF2YvMZ(ZkCOV<7a8rbn
z?<Ds0E(+p#$_I&CJK`kXEh5b-L$Pr<!XBDkHh#~2g>Afr&+l503-WxON4^pkcaOb9
z*0ZfX5D?P!wQS(9zYinc@j_=hAH^fPyzk_+!=&=0?W@@qH1Xf}4-RSrgr*$EK1Aa`
zm2M(xsz3Qq(c9aLkB=W6kI~IsIW;u}EHfmj1rATQpoX^Qtj47H`zFQFkT}|bS#b${
zR}aTi-r$3Qf7iIKIHVu1_Coir0(ahnDF;NT6u;KWN=Miqi;Ig;a9iQ&6YaOi^WYWN
zHa9nihKBa_$v-%4VSd4PMD1whRlAQa;;dBJ^3hFx!-tukaUc{Si8we;bxMzU6!o<Y
z`V25l0V288t|q-JLl1XspE#&1KoSpdws~Hz8HbqWyw;=VceA7m_;|uU*@~{u=_=LH
zNh6XvVyYdg2uo{QTc2B5{e(2fw5>Dxzpv2I(E;~lVDm1K`7(3eK}fe2t<G&~Y>>`x
z(8UzOe(rdY5dQrN$YtWbhv?KfFf(GJ=fsNY)KpOq@3eSlzyal_CPf0RFwtXjc`E>Y
zv$C?FSE6h!JDR$3`yuB03(_&a!C)MpG!q5I4rBY<s3*2ohqW^E+WB`i{uO%1CEr`X
z753pNfB(j*gqEJ3eg*6jW@cs>uKIPk@=cp0{BlqCS7e|o`Bs(Q8AaI5O))t;oB!b1
z>+0(2?|!m#k$#8Wy<Nl`ET!SP>wJx~h1y<WIo-VQhKoNUDxQF<k>`dfdhn;Z%H%B3
zw>%<UU68svV#xYmu;6+4)C6ZI1QK0^nLs8%j{7b=&b%FOdTyVvaP^`i1Oytu{sLT6
zV$O!$Q140Ob=z_PBOOGIn_o(CVo`2Bl0T=F75MSm`viwy(kf%4-j6;m&XcnYi|?U}
zpK9I`t~8ePz|MY2CD!@{rr(PmDsZ7AC(p>`?7MTyHBU)#Hr+LEU~HV8k^-`7{`pct
zngq)(Zam@%7()URff}HI;b9U|nPb||TUx18-=kVc3{}pt1t=S9_wU`?FCzAtkiL+{
zTGB54MN8CrdxH9!GtjtWR+^&z!v`>p@dtSofXZncsEI@-|E&;=e5@=imI3}*ow=Kp
zS^QLZ%dmwp1tZK<=&55(%%KF!rvpWepDfp5t1J~AD=%bh*pmjIW;$AYG=Df~Ck8)1
zBqRjHHED8tbz#Kx5CczuKO`?JI}DD2dAUV}D(=nrH;tJ0izZB{vv5m_;%(x;W#9<N
z$LMG#Or5X<TY9@49eGEc^F@_ZRmk~-fpQoqljxY3gGJtRoifGb5fcWI$X9TVsOfGS
zYsl?fD7DM+Cu(dClZzkSM@Q&fI}xbHwvhN%)BQ4$!Z}{Fq)b2;c(g26Jn|RH=Pi`e
zsXMaeyI1$=U5Ha<_03=IV}eozTKc*Tqt{p2*zA0x)7Ca@f+;s%f4EF7lIeIC#l_D4
z8&vSH`*wGC-GB4<KiF0^<MmvUPJBkLY{UqKREVW2eH=!$h6~lVj1>K}U!y0~7k0$$
zdiD7-j;ayK`<ORx-URHtp|$lAa8zrOFb)<zay%woPrAr9uePGFObzl54J}<8-h*Yn
zhye|d4>>wk0<IuNO#knJJ}b^QTb`7IC%6w3q@gv15#3EZyb?o(96p;zK?$nzuXymf
zpEyAff~MWs+3JCqOVMNA)YObYh^^A!z^Xx3{%X%)CO8-oN{65W|Aqb}BK@34TGJ$p
z4P|AUaOC6S;(GB6JNK!OOSZPW98BPIC%UwJVv+N5E_2}3(F>vRi3!8n$1kS-rV5C;
zzO*EddkzFaD*SaohNAJG1l&0eIDh+=rO!1yB@D6bBs%Cmet77P|MERJq}SfnW68lr
z1~xeTz!Qpyz?8${Z3}l3r*2KkAjj+T&+A(JaT5W^3bcfvQc3pP<9+e+zfcJMBhZ-u
z?KhkViRC(xe-A*4s9#AF`WMIOhGt$BA4*ZtmaHraz++fX*s(tT7x^G&wY7=wT>VN7
z^IQ}y`P-qs{yE{BJTy7x=H|x6#?7Wf6pzATD}9AtAEJ2M-(6AoMY|mCrY<5cIIG_H
z8jewVE)pSV#C!@~zizahV6Z!8|9?RYIC%gNgE(K)gYKv1zi57D8Jz3>3bu-%T4C!W
zF9fv2f`WoRf6*f>GycKeg%^uRw3~hO>(0DHtCq<bqFbNb)O3|NeQ&B~vVJN21D}Q-
zqWA-)jjLQF+}PCgbepG7XQrlDL=xQwhwK;A=|A_G+%9J;W2$MjFSKEQ{1*yKVDf`(
zI<87o?tf8F)N_j@eW=xAGr0)uPWz|IHKt0DnnLCiR5D`Ip*``BoPK2J!RurB&zimi
zToE;&{&+<e`PZ60egyNC&c#JDxWNv5v8LD5=ROD7l;lOJ5rfKXnty(@EoC^py}Ri4
z8PXCc(K2A7mC>a`E~bF|-(lndFIEv8zpvY;(-99ug9iWl%O7N71|E-N;$e21j6Dtc
zlZEkKk1x||03Xs3FrQO}wS2q(3)L;)#{sZCbbPB@Tjd)DwvwivUnurA1QsV+FBcMi
z@1+We2WXj>6ux#Uba8k%(&?A=^Xnn)CV0rhVnVHKY1vInEg=5COSy!R6x6UV*db2F
z7WF&(8+fjfr#Ydb@1me>Y$|oGHsMm{#7TSN2Wbw*wWw%lZm?bOUcCaW27<W1pC69h
z<owdJ-)_y{rTua<Gcx}D$-n03;enO@VOhZUmK(2|x#Zu!f1RDRdqv&h+(JS^{QNo|
zBwE4$g*q>wkwfn!ub|Klw0o!#!r*?_7{2eDoa7S})SIY{L~+UQfXvLs&hE0%tgEm8
zW<!!25e%ydP#bc{3UJGEG%|<z!|>L@p#m_U*RNj}S#=iF)YLRKru9CCnT8tji;&5N
zd%Gdxf2SlPgB&v~DVgER9Ck)!YDx+`?crPN55#{NNmW7NGhj2&p#BHVL90zhMs@^5
zW-<O~OY(@;wg2t972V>WIBNQFY~Y-)Fu`L%9ucPr)*=x0cDA<x#~B+F;^x-S*Iz&I
z0aajQLxYoxOFImgRa9ci%IxIidSQl}q52w1b);h#%n-qzq0XQ(HZ~SO?5}fko*o`1
zP41;lO>@J;m34K80JJ0Es)B$w0EHg(iZEGa1<^h@!_Uk#wzT{O?K?yzs7I%#kq;>#
zr=rRc@wA5_wVBx>j3D{>`C(kRyVUMtWd(SYKV)2Zpn-vb!PLx*S$p7f3kwU#ZeWWx
zHZlS%iMrRX*O0od=xAu=FflP<W@lh-E&(ih*wp|DpB^8>t*wG~TjKgW0d`he+6)Xh
zVxprtI5}^Geso=tc5<pJEwz@Bk%1_yuAUGQ0<r=EuovftGN7RWm`tVy2EridV}6yH
zmuIG}ZDnUS_w}m}jL>&?on>UYVdq=h*f`kQ+B!H~gUbS3IUjf`YHB`!xv8!$Y4(V-
zz5O7v_TA>^<@Nh_<_6>VnBFfF69c28ZT_d#V2@N@ZV%57fV;iCT+q_u4{rdqC%M#@
zp@MKj?t~oZLsJLR)(aS9BEWntoemqCNwOF@!XB_xLFrgp%BPEjcW9ETs(4a_g@uKP
zeVC)(LbtTHFE1&PCG3IH0?{!$n@$%AQe(u|_cjDlgur#fK#B%J>ELNv2s}JI9X&nN
z;13^!qzHkbg9rv<#4Yq%aH2yjANZh4!E&QW>g(%2fBq2R<Ksh!egFz$6iE*cet1Np
zkPBuoJe4n$j*6NZC3tKd4iOp{!o0^01uY#F0xT(s(1}P%F%STap-X)N_YlN5#ORqB
zOavShcx>TER}=)8$iq(s>KV#1D6ko^!Ji8av9+}YFfvNV%uE_xB-{qn4j3QZ2$lSd
zMI#ZILl+562%03^vW^Y}qQJx-hFb`O_fKz15rT~|6Qbnx>s#n6zklN*fCa{cEp2Ex
z*V9wd+>A6i1E}BqygQxZe?^j)mse+JCou3`TwLJSue&z^vBlZWE>plEt-bxaqeBw5
z$A=Fez)cU{L_|a+BqV@&n}Wj2%*;FKfMiWOIXQWHdF4q2UBQRFz2UPTU^QJ_xMF$_
zq3fuv-Q3vV=HXd!Z-UjXs;WYYq$MR0QiPBqp<95k(AwGxmn$wV4qFw<KnSdXfq~FJ
z!c4*4)fFCb2~NE`J3GkdpsgI8oIp}ST5c^awiOq5kB^U!jky2}8Xz77(<N{M)7R1h
z7#W@g1B?VO7nd4vwT7{-&2YxV+?*ZMgX`-y78V`rf8ZODA+4zBaBG?!|0N%A79i0A
zR1Cr(5n*9Kjnr~QrpLy{`uiit*5~Ku&j0?cC@X7dY;+d}+0@$6@i9;4FuV~K5%Kc$
zggNo~#YI*|#{PK#B_(B0P!L(n@!>BOE-o%w+I;wCL<XNt{Hs^m`uekQ<O7~RhdO`$
z+qcT9DnPdHsbw9(ht<``;0YKQSXlnPzN{B}FMO_OZ{F*@?_xYZk9@ADlH4QNYH5qm
F{{v6+{=fhL

literal 0
HcmV?d00001

diff --git a/doc/arm/recursive-query.dia b/doc/arm/recursive-query.dia
new file mode 100644
index 0000000000000000000000000000000000000000..6b16e01fba167a4262417669a67ff6c66b2cec20
GIT binary patch
literal 3377
zcmV-14bJi(iwFP!000021MOXHbK5o&{_bDFQNK7d3QT|iK~zmTNqaAy>E+U<_t`^9
zu*@q(`bf%-@5BA}+Xdysk|;|S2}Mkx87F!Hu>`pL;92Yf_~FNo^VGZ5MVaK;s{tkc
zz|+|zpC;Mt)!<)${Pkrt`0@4G57Q+69{y%UJon&=ti(^R2G><}^Zmue-Q68Y@5{K#
z3z8-aQtFHU#c3K}K%tAl>od=LT){N1V*GCTZCq7FGG0{L%i_6yH5kW}KW9b0$fkq3
z)Uw<pPxHdNjnh|y@2<>iaIviBVx^uZ>b{9*dR*xE&+S$F@KWlKs&90$UhVuQFB2$I
z-QR2!*-{Vw`>4#aR0)N$+3WA#@bBtdT7L1luBIE^Dx{jn#VpA-<v`!0bw@A~F~*=X
zgo>0exug$$@_cdQ<BCg<E3P=MxTL(i$&0FplWJ4sIL}iZXSLL-Sm?v$l#@6G6?>{#
zEn0DvR8_v?{;%S++@}Hc*PpEIxt2RClIhciyHa9HEqBSZy1x8qsk`dh?=97So0Q2o
z)lGMwWL0O?-*;2}`qMG!{rU2i+ECZFb$FOYT4?e7;bFE&rn=mrW~*hk)O5WpcCoA1
z*URnOG4)q#gS8Qn#`n5dR{!?%FzqcL@Dg#ncv2;|51$_ONk0C!o>a@meyHMX8W&UV
zrS~@fIQYy#fPo~_SA&20tDUvpJg5wCaHF?w@=q$o7~#W+_+q^aHUVUtfbn>}{sLMM
zXR}m)k`ahuG-8SfF{B|;hY8cEo?lM#BHJVg-L=RFF-Wr6ss|L21lZ4`mu%CZYn{xl
ztL?%f68S4Hd6=+qUQBhdt7$%=OEHuypVE-B!^D->`Q2p$P2D{PKSv4-zWTDP?o+)k
zKxd12T|3`Vb^T>+cLy6HZEJ`=kz&XRw`hkT0we@t1Qs}ygbABw*seYMSYh}{RhKVe
z(Fz%nD<-d^URYt0!Be_i9j+S&Y!Oc;SEpg<&$Pxr^vCLvInt#$vbN?(31>qA;}x?x
zG8!qIgj|YIKo|vyGCEXZg<Y|O2CkLa_DGH2yi#t>#s2x-hb=z#6U20zmy>5zlPvt+
zyNc&YdJnf0XXU^%NDo6Ipl*Hb-*tMct7H<te4D4!$8_)c_pt#1P5uM$iYUOB5<U&6
zPus~{Rl>a$@eon#Ah2~}$M@R_0*`o>&2{rb{X8u1E2WW<KhH95%`I(b2*FV>DQJ&L
z0UL&dhgK0OKy{M<NSsIpV|YlypbwB#<azb7)CKnYH;GODx})H8`{1;pkq(-A2u-{-
zG=+q*VL*J}E?+WY7`WenPYhfbE<h;j1wLW?M}LgxH>oBd!#n@&-J5^><%OeB$DvV;
z3hKb>l)<WbrbV=$X^Ge{B4H@(&b3GsLd|T898yXIwLIa{u32u%#Z9@iFw3xm2~ahp
zjEKmtS#l#JK(mCmg7CodG-#_<IjeM5*}^Ji2k}7_4rxF*w;Uo=6vY4`#5f_P7$;;(
zSdJ97Y}*N1XD@?=ds^psEJH279_x%+TPHX)0gygHE!$=ULU?E_GeR!Q?HXpwW}Tv0
zMk@&eUz1g0mg!?(x9?V|T2F=r82gS$Ag#`YffN+N#E2@Q&?-Z#R@u5)Cuf!cVT^Z>
z$8(x?>HB@P%Pq6iv~{){<%G$hB7x;;Y9j_L1*fTj$NC}26oCuuyBX<Sy69%4dl){W
zv<qNjL+XPTT1O@ZN=Gr{h)N<P3T3^>Ir?3fIe<dp@absy)S!|Mp!x_<tOI}&MjKRU
z7oKV<tR_xUF@cT^?FDx_|0$ka>lZHh=t#*&O)BZ&sgLj!bds*EKnLxoYeytf59!)C
zIy$$`(WYIR=uoMTsKh%+*j9)U(lRR5QhYw*gogMQ5$g0o$)rL4@$1iyFdZ#hds7`9
zH1!dhL<i6W^o0}2?IM#A;tMenCZ~fFMf<>)9wll!bUGS3ZD^zer#^yH*a0|k%*%?X
zv`m~#GAKe4_;WNcSjDCD=bS&cLl+$|^%0m_XTu5%*<zlJRfo<<@i8lP#6aQA95_)z
z_98|%SwOGfY7ZWU_e-UV7`Hj{ep~1w(d9RaS)A4{6$HYM{J=J5HL9tDtUf|k`xIdT
z{ywIe*u^Y{%n7ptIj@)I!T^nP4I%fV(}%4O)na_+@(YeiteO?`Yd|Ub&7oB5lxctu
zZWhV<)GkPIlkkK|(<~&R$t~zb^3(am<rW-qGOAG@9fRs2HZi}0MOLB0siDB`bktH#
z0PaE!PZ&c+xuO?SQg4g=u5|3_SnR1;DIG-h5u#`Z^eJGtnL%KgKA{v&!Wy5z-^2YA
z9Dj2BX)lFz;B?C1^gd7Te@!youp*YVP9Fy{BZh+5+}b51k}DJv1e9`I+`<&YRpeZT
zhbFDxK%ZQiW<0NPjr)()g~YB>ZC2Qt?a+5FLuE@8U<w#!z}SH)AY~O7)n!}&@7u1V
zjJ2-(GS%7a=@yChLU#7rp$n0-sjWWxRJFYx`YfWW{+Z-i28IjxQf>_W55IWVfJ!)K
z0svLH*<IiJ{Oih&{@br*%WKu@wRH2WkF^`>h|~ogkUA-c5@?p~nR^fu8ZUFi1X1um
zNDX^I>)!w5{LSO|n~loo7+oLT&DMGCj1tE2a1YD*SrMT=Zt%+^PJ<E7$@&2YsEU}c
z*y)4Q8!%Y!A*y(G{>z8=Ll6J*;_Q8q+{RGVJ6+x7#h-2$;3J_}qvE=l<0+%qHlMV8
z3cNy>Oc52?MKOhrDahf9(h<WvQ?qc83wogAg^cwQnE6h}w7G@b_FIE;;=qo8XFs`F
zzmcY63!O9ToY`;PnN<fkvvhfFw0dpOwKKa7Y+I-Fvyk}p&XG1<SwTdI`^dsDufh;x
z6auIs##9AxNXuy3)WqgewAH4w4s0FRI<VanY}WuYd=A)3%QJ`Dz*e@8wy1jNCaXtW
zfFDky2)D2kjE8cBi(~{f+*U9dSw`E&Hg4Orv<=C3aO>dK!R?-KD_U?{WtrPP72u9K
z2yh#osVs-Mqxvi%u0(_(?ttRzL{7LkbeYB8A?}UlHHNS2QoDoPxLdV@P6wS1Iv=1j
z>@LO~9xKM(dfi84&PKDmtK@?av#BIT0Q$74<nQ`Q7e$=9%*EqmE;ebT3v>7Jxb60*
z1^9&G@y2$yyj==0;KWFPtNo?JCWlRXDx|}vK4KH?0GoWX{zusjUO$Lo3egEq+QzJY
z+KUxwZ?f|48(on0Wx%OHBON@Q96bF^=W`8LO>j<37gzYpPf0OJbrVvt4wlctpoQmO
zhn82*`VYr!W2#^%aVCl$dgeCtP`nGLrpctTd<<gCp4;cdHK=|CC}?Ey#I>%3?KcV7
z(Rph|7-G+2$9Ze3i1Zv0S4o;$7SZvMZcp`<8UD6|n7=W#^+-Vu?7uX*xxCJc<i9W&
z$LW)eyNc6Nw-5sui6gl+A?0FRLiKuZa3^&{QiCpbPLSsGbKB4#8tBKA9}eUcNh+RG
z-UE(GzaTx`WT#*2P6?YzXpNU%nU~|Gws~p$MJzs^ekX~ti%pmegHn){GURg#8ETJ7
zY1?jdoYZkr$4MP0J&coz4%RMGJj6>`O+;S`@dLAkv%sK^B2=C}A7ze@+FygXp@5E!
z_A!VPb`ZqjTnsrlu9ky1C?+5>9ARbyl_)dngL~}Y=m=q(1|4*ObW}iUlQ$TwEmMg)
zN&b7DGv0c|ih|(~5h}6@gbG0qrBIUySZ^1``|ORk?l<R+J8#^1<IWpDi~&a-Fkpcj
zvP6+x{tH3^OiUS>E!`R7KBcEme*;H<?bF{41$5-M=dmHx4IPz86s^-y32yl(I;uzz
z_MVQm=r>149UXOa)X~v{=qT@E#SfRm$TIHNQZOgLOviE)9P)V&renF|qeqyI-OxZs
zNc&AlIqim!0!cguBLy*!C@BrT22R?h>l`U{q|}j8M@kPPrK}558esx+L@kq2vn`ME
zg`uT_8SMA@>C;l-Xz3AX>4pwETH3>`B_4FZMcI&s2M190WTMKP9|z9yh(<&z31}pV
z--}ae{t{2FJ$SBTUFfNYgSl7en?jeMj^$bG{b!+z`-|8tPxo%(r1-}0>kF(-Z&F&f
zHocGd)q3HNG)H@bD%jlCrxpVECB-Nr%D`7hf?jOv^DeLS_io#a;{a2WHacMHBQUjI
zn&O*<su&lr2uu$`m>-0=B9X~J4e^W`CVJrM{Zi?<cg|jTN$KI)T9XAlg<D-Ss*#sx
z=51*bWoPh1X}-d{Ni~S6Dc2d+QhMjXi=lVU;U9Rk-nn?;#fA3Zw<4|{>P(=9yXyq#
z+&sPq5?3vX%+pDA4a6;m&-MOi!?QSB){Uoo!CMc$&)wETN5ar1!*LkeM+^<ylRJu<
z5DBZ?&d8vl7@4;b@mU{uo%1s7lerD;b2#)xaj5>B#`n5-eO7;fzgZE_U!VOS<JSFU
H*yR8K!e^iC

literal 0
HcmV?d00001

diff --git a/doc/arm/recursive-query.png b/doc/arm/recursive-query.png
new file mode 100644
index 0000000000000000000000000000000000000000..0c9b20ea47269d56c88800e23ecc88ce263b208e
GIT binary patch
literal 42576
zcmb@tbyS<t(=Lh@cPsA2-KDq&iaQi2QlPjy1ShxzD-Na5;=ziBQrxAuySw{Izu)=p
zJ@@`|&L3yxT`O5{cHTXEX3sOT=b3;s)D*GM$<X28;INdH<h0=65TxPY;6qT~!0voP
zvJQv6y|GYHl!JTy_bO;FO@)J_fm4=~*73<X%C*TPoSp=(VjXp*NDnAWONAE6xvQB=
z=@1hBiW~#R6qpbc`DhMD$IuiZ&}9-4(P!ckp`kM)r0_APAX$C-)ImKxa&zT%>!H4o
zyX=>5lea8V+hX&*wM9*rQiD)l^Z(@1O04f9E<maqDdt2vf^UR_B5)yUr_k!eSmsR~
zOFefHGW3A1#UGB%Nax6U?&RT_=Cz+6y_v@mg;9ht%fd~<(&6$EHba8ZKeWs#U5_bf
z#!walt7#+XKLbAHv2h`5gH$Vad9+?t3#e;&2hTAGxaPI*AHCUX5KryL^QD@)@VOPV
z?&~zc7Rnlo%t$$g%qico{R(4oKzgA;iLOsw-6}Ua&oA%gYYxXh!k()7?ZBp(xhGvo
za*(0`k$Y(J=6NgnJJ<!k5~<_@izUt4y9i|+ebl1>LxYkT`7crn;w8HyHXI3YWKB#F
zA@!4~D!I`@6`)=tCX`j$^c&>J%MA$am;BD;dP^{ZVA@pw5yY$<Q^c&fersXWH|dqD
z*!s0oqdVD;;EbFbGguAyAw;v2uJ|;uGhV7i<<YTs=mX2;&!(AcxjgP!nuOI^dI^$u
zQE-WHlJqaA_90v$uZX+>qsG{Cw%}J}9oId55?8n7$j6@d>6hf7)R5Xvge_qq1otHC
z7$eTWiatMvGyIylB*%9y)EYcpZBdBDA(B9>&e=|120gR|g<sph_x<rlnz1k1L-)p-
zGmd`TJhz5CS!OA0No7s;dk-I3-r~e;x0vH!2|ov&fHD^u_B;WagmkO6lOe>N`st1N
zE%lCJa<0OatIjBDw@I4_<{2uhI4*kO7QU0W7Xq11cHT%eE5*m9gl(O_MjrD@s+z)7
zy^Rmdyvh={pA;<0hJNkXBaY7%<~NK`Wpu;>e{x>tp&xndxx?LF?qw9@LmNKU?=GC)
zqHnm5=31#YoUSqq36ne?xfhp=85n<LpGA&7`HyVmMXhQqF*3g~eq1*o_SZFtz~yXn
ztBGvw_a0iD30;6KONlR#4yKz*qmIt?Le=W)ANge#ab0r9e7S1>KJU>?Rj2zs_Hh1F
zqzZkUeTS*%-eIX3YV-Qyj~MY<g@bGdM&@+)<6D2CQ}+`^G}fQ1l83+4h*_D)j30*U
zrhD8zM&JCel7zly8=z`NJGqkX3aYf$_RF)98*cdZXbJTfo=T}a)2$g4gjTNVQ$hNE
zB0Y!SiHp=O+SXCKuCPa$lqniK1aG>pO!iOZ7zT%zoY<<|i=rEKScpKA?^Y&*F)h5t
z<kD;X3=fD!uNw0DtfdsY`-%n6B1=YtiV=RzYDpprql-XG5mi7>_X>0ir;6<VbjX_S
zPPIR$b^K`a(tCrnmui_h3t*p(uuYsg-OY<`rfoR{7ct-I1K+`qyzjmLdPe>0+PeKr
zl!cFv<9gR<5Jx&_DK?q>XZBGot8`y0HL*SWaU?A|SwHf-*(65`pl>Bf-S6}ZCiZQ0
zk*nD4C%<I)fHxJ~y+42^9$fHm;G7M6U#1G7*Wy$*<>mH27Wc+)QHq_YHOBO2LH+s8
z3`NgD-ELLS0o4}ocasx1(mH~Zf)QVZr1B@zMP?TdESfpx{Bwe;nLwHUF?Hx=A}^w=
zUf_Th6jKwhG^ctO(RtjkRCubO5@=_fo2^}+eH3&!(t_xtn1NZi#!~@Dg=i$tbDGuY
zI+<i?V$b4yJkFJVc^LK3KUF#l`8Mmjq$nLV<Dt^7t?=2sN(9?emwxy#$`(ppn_~}M
zWs82vQ50>|d3>pCysF-+Q%6+EUv==T&1wDrDp0P&9J8tZe$Fx{@a_@*b$h~FpTb%_
zR>OJ5F_Bx*&Ya?;?-E->5NNU=F2<dQne)jP+Ap7AFzU>Z(7jB`H;E;ZPM)yud;^mG
z_&u?f9<S2jzosuY81?;TsRDBV#q<|7-{730o~rsQ-#$H(Ay3+c&8x>|CJU$N6VVc8
z^klBalH~XP!(JJ!^?V}@C`s23GzK5q=iwi+0&{NgSQBq+k=uV$A+`Z8rxq^Z`x+IH
z<KG2<EDBWe|A|o{R4CqUcSFQrRK`}Dt62TusIZI~)v_Sbn;=&Y>4BMOkYY$Akzf61
z;Hy*P@N0?e^DFQaSdP0bjCDVn8F&;FQ)@y}^j-~`?@zbWh`;qurk9{L5`%@x-g}fU
zBg}y@l~rUZryDlrp|Y#<=^adlgKRXCJ7ytGln+^j(<sbk;*>BU??p~Ltm=9V`%^v&
zLUer4@nswmYT4K39N8UjaH)(=b~H$b?&G^9dw)HKd~R%sWxo`CzuoIr_cBnnsPa3S
z#Qx2?6`S-w?eX@xjna>#ep!WHgd6uz)lVDO$#Kci?Nsdcb%YcDmjdIW@ClEXCQM5S
z<$u2>-nuVwY0;?Le|}cqifZ{zKf(2R*&jQw@^D^~PN*Bx_<k4rxdLq}l18tb-wG?h
zFWmCde+dIs(#gI3RYv9hfVsDE(5WMbo$g(2&Z?5ZC10*3I1QeYUOaqxz*T^laSvYQ
z*~6;u%wvt8K~b$JjmBNXNoc*p=D&q)x4LDM)qHpf33oQOzDEM#SD44`gH>3=<#c>0
zjmHmV>ibA>{^1eD$Ui`SdiBXB2wHDYywqWOvU6hNPCF~9M<k4+>3VA~v`*60-guiK
zdPV-pK6Q7TOOJ7nDoW%?8D3G5r%@N4+bmFgq0cRdo~P$sA5~W>k&&6TL!hN*=oj1$
zLNXaT!>53tpy<D=eiGg(ui=zK%{OfB?7K@UUQk}blGFSFcWhotsSf&^!!TcMZ$KC6
z|D(+zk%XOprvL54PtS3@>QN?%aa%D)yY!3&_Y(H_VT~h0q5%~L%hSK72x*(<oo!R?
ztCZ@rbf1$IITKDZsvq9a{dE!6s1T_(ORbT0Rqb`WJQ~70!&F|<RNEYr5!%DJV5z_$
z^Md=a{tnDJ80NKM$hMt;>Ms1;NKLy$_8+_cuZ{teBr552n2c^IxbGVtz7dqn_hBK1
z-8y&I@@WdlmBa*n-=DZ(f6A@>ohhlb<h_!@v@<Tsi4U_hjV2Ke+-34M$b=#0Gpa>Z
zqSsMAyJK$pV@@;-=v?{FBrX_QaGF7F==DgVNx`31-tgC6#p<FV*hXy?F2v=miiAJ*
zFaXegf*b}QSRx&#4%ZVohcvv3{-g8*c`>V!Yz;}Pi<k`fU%2omZs=V|AlYpK--5sX
zc{^cBq8dtN(*`cE-4R6d%hmdqhA|=!z(3H($lS`L|0geF+_x$q4`YR88vl1M31v11
zc-V|!{2_)lrnTfQ;%`X<Z%pAXfGeF6Dj(muu(*(E;2B`GVGX;H+T+(?|3XG>{;Mdu
zJB{T#0~aX1Gmma^%%jF<9z7J0D*lj_`J908f)aowzFD0APgX)-nY&g}V(&;q6kwgh
zwgAv9>C!5Y5-xJXp`UxvWS2K1-~9z>ontB9iw1Aw7k3%j7jR?g=4bdAk8*>!E0^@~
zUs|e#pc~rVMSze8Nwb0D!;9F(E1<IA`GOH(f7LwuNnAT*E{0iC?b>v=jj(2gcl2$B
z*XL&x&TFEOT&hdt=c6H7y&5d3dAMiTqX2}JNwJ3!*q&pEvtr=jP!q5i${rt*0bIaa
zmnzy$B%0;IQ8i+SI4`_Ua;W-pT5?G;E$24Q;$SwZbu}VENEDEsVkZ{~6Rry06w&m}
zC^7)?IYbC(lk9%{*BjNPX~K!nC35IoWEqv7vW}V;SPs+&W&qVVk0Bx1$?iO4!iyyz
z*?0fMdUQ|Lk@eS3UrUXSNs%<~BD^9*%^k>edUxh`8e<32vrsR`3pT-Pf862jL!+I^
zdceL8bZy+bOZ$U%nIp^+4BH0iZUoDis!eG^ikt=IX!=qINx`+)lQ7rPM9F2txh=J4
zD*@VtbK!&o#T<{R_y=2!27Adb>l?t7I9sA|O$5RVg5MV}y4@BZO$tC`9o`}o#m@?R
zx0&tzNZ*Cyc$Q{3QO-qbn_5@pM{UQVNNh--ojl7P3FjhOr;E!cZr`97GQsPUy_&6Q
zo%Uj`amoD_TeJ;Mlx@YWnY(+;tmMSHLp0duG2;hlkk#}janYNb{o7}MxVPx++iBk`
zzl;nX_<wqk9F8j*JJ%fbY)iD<v#ifW)sZDEzmJ}BuvBT)iq<vfgFLy0OpKjGKOomE
zzGWg{M!e!(kZ`oO9}E)Hp!zke<wXwR|73)DBqUY0tSH4{*|AEwCAeth93GT7k1>UC
z&N&WOhR|jS&b7C*2_m)(k;U6xjOf46R>`o8*$MDDPnjtFF1!404JENdAikrR!b)Il
z-zM7K-8aKe%rV}t9Qj;dE^Evq%ZBVssE9u+N2TLps|3lB`yj_uErz6%rucN9^BQIj
z#=PPrjP1?dM^$tBd!Z^c1z*t`^gE70iHXtesQe_R72b5nrb}a7J;DuL%&4DL7U!Z?
zegZQ=KI!Qp;x4U<9xXa&b~tWCC&LhPwharLBe;Ek+?zyWTI=%);jxO?4Y^g4rI)2(
zP5c>ou;UtaR|eKDqA{vjq-bBJeN9--L>>-TkSzN<wIf+VWg%YI*P~(g1-RO)_q$ro
zHsTlWe_FG&j_$et7!v>9vrne7Y}L)GH)1IvbZFFHj3Xsh{34y<2Ll^qG}@KuC3a3Z
z&YWkUGj6OBasmCl`sKt8s3f064DT@Edfx}a)2o7gj6&+^+aKShMtl+OtUJEsBus0`
z=|3NZZLJn~OdQ7=&KB<U97a_~u!wsYPT7hx;}qqUHqazDza4iI;8RO<H(25%c2-h3
z?1xFz-(=-G;DWNzG({U4H;vb0O}@VS%2%BDY?8HUMW0@fAAj*D{{G#<!aV4+2xj*e
z5}7B6MX%Ee3@lkV+c4vhMitWoZ{Rj@?T1^V)#aJCx+EncC2FrO=`hYwn)?f@ie%@x
zdRLF5t7CGbfUk5y6}Px5{p@R&8TXeIgV;X(_SR9yfmP>1Db$MNmR@uyBClRY5F63@
zMf)dDH>1SufM3bmyqwX{4;bAz@2tQdkep<|r8^4qlc?^Pvgrp3h<$$btrJO17`vCj
z_#0w^V|sb90ke<rOf<id_dBCe-Q<TPdsip(D*r){Fi~>p^M3!xh>iq+UTD9hKjlyO
z+sE$7vDmceB8w7s{9KQS$~OEI8s`$8S90u4N2GMz6I*|VlbIZY!6Oy%zPH;q%!2-}
zX?K#Jh4eHu(AeYUy00PN$~Wor3zYW#{QRLg(t~XVp~4TMJmYW2ekL8sq;HeaCOgv>
zG~kdXNP{ckIj=t(JW-GslD&PdoDn`0{t$nAN}t~5%Xv&Uupi~8u*y`lSI!)xRrFT<
zC1ni6xn0^@sLuYplp|%v|6pRx!si@!!``u(l&ynuk<r81*l<ta>LyT0L6o$eBgZUF
zTM&CLfmj<Eftsl2en7pIxjee46vg95YCWU$vsS^-doxfpMUN&N8vPR%eNSofjRm4w
zWN}~1B=Hm<Fd6utyya@WjEXK(*3lT2mVc~x9GqC6TCE4lO$Y_HA8lqf$I3+OvZRPl
zuu5lWjH4*SqJ-<3&Q@r1r(Tf6C~>UqKXo2|)}S`LL8VQ$=ZkyIph1rd4B%t^L3qK?
zk?gX&g{RQkqx6!&;q!>p^Al;C_Wnyc*{Px^MR7ZH)zT}Qynxfq0R>m_&@MW0Fu>|Z
z-xjJ|)?A{&*$a2?Q+nvoCy-XCYUxJy#{+f63P}{){Om+LjC9|G)9>b}?b(<jTTxew
zhc+}5w(~b?#KYebKL12~6#h=vKnY5ZWl%>w-QyNwytVFLFzk`l`{#D&r3L_Ln=P&W
z_(_%x=CA)YZ;NZA)J0Dw_McO@D8qvh>zY+GXb5E(JJgUe09FFX6X^B1OlG=)sXIG~
zxpKMx;_pY{$9duFM2}(9z~x>atX=M_^v>Prh%I$1GuF~JahS-1q?a!t0qQxnF#!p|
zbbWjTzbHWF7@98oQ!0^llm{a<KK^n!1ebV{O_))xkYsnqu|62u$@|SePRn&@s|~gP
z%RjXC<XVR{wRkScmht6R@szxdQ@Y5b>2KB}IHLbWec?iY1~&w^eBP_zQ)kCMILEq>
zE$K9UN|5fqe$4<Y-3Uj~c4)Yt-3+n(;Fo`D>gZn0^Z)nd|ILe#XA<2Q?qASR^IStV
z#~Lq9vOW)++9`VkLV@bQfdQgEl2l+mP!Zi27dEO$^~08o2x%r3JMW9yo5;7<G5G3K
zQeLJw@O^|3_8?SwA1oH}36qK3V<LG?6JaDDEZ>xPj}RQv<6cBvbXkKE15I=T^%rk@
z)%BQ745kP=0$X%d<O|@#05L1VPb8LvJ-1A)lmR3K_;z3%^TVm4laUZDNsv4mz}p;Q
zoa7grFnk$?gO{xsS|;)nA_a;AatHhh??D~#FpkHIbX%LU*Y1r88bty#%20@FCw@L}
z6c7hEitQOix_OOY>REQnwz=LpEhTG?Q}fmb(O`RAa8Yn)v6F;~*M@#KfQoxga1_a$
z^Gt)#P4OWBhC?x!$H}o-)I;juX4MKj-Foz6(D-nNEbP`CwjMnaRg52Rog|BdLkz&*
zMe3WU1bfe=s$^SpJ0~QpZy-N)xDQ@8HFouTRe<f-$BiQWnPGPibBim~(mO1jP6cfx
z6|oa1JIvcR|8pvRdXh39W~m)EoW11XFb%D|#(wYJPb%}(onN{Ec70D(AH$Y1E3bGC
z-XTl_cRB;QKQ-5uER*z)K%03KNxQ$mlD`|4rVM<KYR%QI!qMtDHe7oxjth?ZYuwnR
zX*b0C7adq=4=Dylbix;uL=Df9S+}!WJJUlqzi18~U*G@BMbWD0ItCM;r#XD1ioOYN
z;>9X*sLXrz-|lHe-Oz5mIqg=Dmj4k~awOcvK@5ZEN50L#z%}tTr{dgI>ulT_cum&f
zSu67p&07;p-cWX?5tqHwdaL);bD;*|s-rx;^{lF1jAgtQc-a<hT#3w4+RV{r&FvD@
zCD9vK^@YqmX_iS$y>h%%&7{NXXX1b_+LU`SOFoJQgDT{~k8r2LSH>s2rtaNZ7cC{j
zZ5`P&F^E#+-F}dXq~Cya>fcyj;7CNkW*BYwVR1B{Za(5smk9KW7{%Ycolh%PP`cW2
zQkhrXbe6@rZ$ijN%uR|O<HKXzjeooK=5|a`ldwc%09JA&utVlGTTCu>l6U=M(tGYV
z|7_NlUYHYLJ3PCX?v+SxogLzhB_gWub}^yBk*r8{Ii4No{pQ42bzE9VDXwJBeCKKZ
zg(sCu<eyA0raee+rd~wv{#^_C_A_n|+ia$oQFB<1EX<X@@rG`}jBRh=hOMG3JzR4q
z!g-CAME;`E=vJM51VA^U9-{j}T~z~ilw)VN=CD@$H>2?)mBR8e&)}XMx#f{-<Hd9*
zukn1X!eSww6=xKZBD*Z%uS5&5aT*P5>oO1}#hUP@6$JLS#aQ&!OI=;qUP?f^wWqaq
zJW~TF%AkW<g5%6}p9^0ITss6g(ujaK^l^@T<;SVf)88$@yx-x~;ldmOarhS6ZP}>p
z!QMhErSvmdxa-M=PP|a%7v~#5AN@tJlP;PTVTlrN4l`jEHl=8|LOdDK!_}0!Y_UQ-
zdV}4RLZvi7JQLnQ=3?@fE7=8Q%h131D--XU!*TO7Nqb*aQ1yF1#O_%zjExXqK&#I+
zLV0m_Hyou>nXLoj1BQkf*0j6v#7JsU4Mh;<LYPgbLL}pOpo{^^3m<l3<6D-at^3iS
zZsqvkqAQso)CX2lF6gJ49#8|44zR`hl<MJrH(!=g)B`n*Mf=^~Hs8x}FpIX#$5t;a
z-q8aFs^S!~%unYx8qQ2R^aJoCWo1f2^Tg3zH3aAPz9_W?1_RRRpqaPFJBUILZx;dI
z8g-MoZ{?+Wn6233?>L`Bn3=MZqZ=DJFB{}?a$e=xKaSycEbTJ73l`P1A8U~4IO&FJ
zfe)2WctbkSZv|pf<QW-Q-;Mizl?e1JvmQ$SWZm#(8lA%s!q6{_;u74V1H&BjtT5V(
zsQlGjOXuKvZfi~a{)+*Ed*8Bbs739LThScVPB(!%yGD9mp4tzs5VwL7+QJSe+CQ+c
z0HAf#Km&{ozAKk0=>p3u(`1zl$vNqW+mRf?k&=?u+fIa*=J~~BJGHRb-rkhqe}jc7
zh6yVWz_nDN0<prlDdDGX`DCd&wZ!w)RKc>nywkr>L-^+F_y?8~aKch|HkrVe@p?P$
zs+I%RhpT;pdVi3>Zx+}PPaQO^7_rt3o_>h+(B5*ZkoS_S;&|0-w`I`3qxuVME<*1O
z;_n?E`&vJB>zuhMlXcI(n!!>M5El&gdvZ^U_OC9-B&T2k)Id_zC9<;kY+9~dtd00D
z*<dRJDW=hs{JIoO`5=hP)pmwp*&A1=TdudYwdHcsynC^gs_yo9+=N2<4#$UUZ|R>Z
z+{X8~OMbb-&C?YaCaH0C+|dnXaFsf*c2M~36|x)D0P99YW3LZqQAj_3O6rZ-kP$pX
zDAKuAXavIzs67#!MOOyCgAhpB7oexK`_e&dG6`<j`)Dl_pg`xO<sF=EH#p7yH1;f5
z+#Cjs*Ne48w5t#GGqhS*f2o&@_p>oQS}0X*Fsg6AR90fk>~mV6TrOKE!WyaO+zTgL
z$nS%hbROcu>F@1O;!yd(FMP|(D)5Es5C(x6JpJF}LNY}?S+z^m;yq2}L20G9+v^k;
zL^QxyiiLF9bfEG4;3<-mVk5X_lRrV(d5yq|Z_)sqP~gTW`%WJ85zXlFxG!N_WtCdx
z4@T)^(ApV7Ou~FAAhp<bt~ukB=hExcV$gH9<~s5I(>8_~WpC{>RiScIC+G;A@;kM&
zU22<Q)KKfzPJ3g>u5+Y6$V@w+o*I)P-l0ttd;aj}dv3COiJ*wO?QO(@y6r%g0znAc
znS3Wv^z=KUqGYxSUKT(=K<GivB<Q5hdpz(4yJci)Fd}tl;@9Cd`=g7vBo6u7!fA%h
ziRIX8cEA|lYs7Ddj~8r}4^N4lX6z-0-sB>dTZ-UH!$c9;)6a{O$mhZoB|dKIDZ7u(
zDZAP+)cae`UZUeR`BnW+2Z{7z)2A|oaf?ZgCY-k-qY~zfF6HMh?D^05Ec$KMyaNh^
zBcNz4uSVHy<xaQ)oHJ2w1d(@)J)l-g4<o-f+Xoa1*<$(MR<cOyY&R~C3>v;kwaOY(
zDjI!e`7G&LdRnXh!8iX)WkRvxSO>UDD}I<)M90}5z4B2KyAZd$LxWnUCrz{Sf?=eA
zaG6yWl*^a2UCflU{P+0`WgHmV+7yg<<jI`a4eed606rgeYghRUASH##xnQHTz|Yc(
zO|ClId*hwqLL9u2UBcwC86%W!Jq$LhW@VYTezm22tVOSM4hBzaui7m02OHz*l+8xx
z9_rUQ?<Uk-98{{)wd)W+dO0P=E&*ywI9vgFd%x8zspLUKQ=%7YKnWZg6@_x(ZOCgf
z^qWp(09y<-Z^&cZYbnZJhEnqe3qf>GBPB#mAIlJ8jD(3`Bw7z8*6iQ~CT?&;wfY(O
zMJr^U72u8xYUgS@e*1njJRdk5_Pg@>*&qVa64@5-v-kbe9^h-q^e%Tb?!Zy)yH@dz
zj-4OBz(Q{C_Ufy$QH#P8Tb={F8p7w4%+sJeo|i_XxJt0ND4Yrq3;sb>Hr?Hc?;$&;
z*Q<bwd#1$9zl$C+NRO8$kc3)qz>z)CpJtl{#|hs^H#*aryjR!JY18kPF|BT=nX{u4
zgNrsz24U5M?=GB=_qrATvl86M>wH%by{Rj9gQP|-0s7LH*STY6bH1pO$Ws~Yy>dDi
zPDBl*;;K#C7~xWiJ{c8Ge8jmR6cHNTWM#})=v-ia2t+eM{VOLk!394<KM}*!eDx!Q
z{ocgt$`PeP76Dxi*{wK<UavWYR-1lJs4IhfB(4n0(J{3lr-~st+$i+oCGAvK!S41w
z!_dr6#Ub)H+_&=~{KBVh*mnEvDH_GgKmOW!v%<kV-g4^5ZkSvolN4t~u30on^Eh*J
z^Bq*nAq(d(N)X)F?oVy2A)7$TWHMF&90d2!0yj^VB9WSR#aSNT>m^~U@*vWk*wddu
zuMMP7B{ziRhO=bJ20Mf|kfYrc5{lt}L3^+n;e{KV6&bGkICawgW9b(oA9YI_qVLIS
z-F)KhZc_%e<efyh4C6sw5G|7=4?IveAH`5q--01)eFt{Z87FjgdlDPu5k$;@AJIfs
z0!bc*_`yG##NAcS-A~;a8$cI}SZ5W`jRJ;IilwqN)BZ9P0>-~`Nx~KExZ3zNs;G<=
zJa?`;nAK)RRAak4Hr-?ous^O%BW#zHQ=ms%D=9PE^?!J^DbS-G!sl8+!iM*wOQ(I*
zF3f%3c`JpprV%Pq$qK;Tp&b&C_Bwt>0(G^dJ{|g#jj!IlmI@CDg3RrhVt$&K!ABu3
z$KUR!znJwYzbipa#Syl_|L<M^ZbsWbINF9!4@zI^#nOIqEXX;SH4jYiw_kh?@*j9#
z>s(1N`g!(Y`sw9>TLvXguCNdnqfZiJ&7O*pRdw5j^NhF#li5i*s~3@pCYhBI7^H+R
zbUBT4uFQ;>gW9GiY{AMHeVfeuZ3y9tG|oVuO181&j>2`X9mUX(jFM@dQ-&f#`(srU
zUU0{`QvE#LnpSu6qKJL9Rz-BI`uNW3XX+&h%hwJQFK3g!n{5n{Z`Q_YZ#RN>f$2h+
z<|7%@HSW)>eGkO5%L5C}lAllNZtJ!xNq&qM@QBS;@8nOb{P6M7Cj0o5??aJ*KkBPg
z)VLXUOKYyQ4oW2qq6<?09)r(8O)~*#g6G;8W3t97Lc)|uLCZ^EzfF*#h}lf0>oRFU
zhw!*+rrD!ioLw@w@D|~|x9|UE>;{J0C_*~E_n-Q0B2_Y&zB{hhH?gtss&!hy8PYYw
zr;<^4+&*@8%`w{HA~JpGGCEg%f89gtaJO$SIQmt=tA~~UzzwU?$rlI%N*Hd-vrF#M
z4<;^a2jb&@Dq#j#%!9;T#N!!u$(_o%ew`Q9;NPhOeV2M&>0$#=cI4q7q`8|z`;lq~
zuGt`5#^T$WTH%>#1t)c3k70h-Kjzmx#vULI2NR#hF+z5A0+J);EHRN1T+481l}8EX
zm9go8<w@4r>d7U0T~=Hdxb<)65sJ$+bhfo(gwe2)^|c~B7;O3iJ2k0}S7a~Om;t==
zDnZ;`#+~QgOp<EsS8`O*F=X<(oF%Bm0F8ln<iGF+k``!W7R9Y{O*Fw<kkF#El%g`$
z|91!j;y@xF?&|=8H%%-1<0pGU-e;AqGY>J8r20qcdF8Wio5yI*p)2fAkuRa*`;W`q
zQvg@-Q{U*ipRf#NNt3Z`>(h6TGg*xp(Pjzr4=Mh^(gE^*Q!Q9R<*tLq>Pr#hKnlwU
zve0?1Mq;uFVYlr(7OzwK5|zH**`Rh{!V0SJ%k%(E0O}Vs)+`69oI(`DCc60~`u8Hv
zD4d=7)c}6A9Fgc^FI?W}6A+X_gVj7=O95J-!*KUULC{SiG^OG)FM&c|BgJ>clGcdP
zHsv_5|Lq~y8u{ACC#JRRaE7A*27qA<LTb{-Rp;OHcFn>R#gx!K55g3uE&Hty9TtWd
zF#grpLCKLpbNB*NzW!VhnD9k`_g6=pT+qj`M=dG&0<4r@A2ee`iEtU`afIk`klw-S
zQ6#>9uN7{_THu0Xl4cFgw+I>hFA>q+E{aE*0W-u8iW!q3im|JfUlWC&aO6|Og7UaQ
zgz7PW-RAl}E?&;Ikw$PRC|hB<5a6@i;GYPEywdsGumCh|Q1Cf+chhVR$%owLP?RP$
zFVm1IK7+mGig;u3SK$<yd=i*|WN2@1$?>`T>6+1M!STq0#8u3U8JGnEF4AfAiG?@H
zFC5(N`ToGbR<D|%2NEm&3RSO?pZ|hj<~H>Q^Vt?%9q~515J$eHgI$SRxZszI_l1a$
z_ckMLGLN^~9VhEmm(`Cae0u7>8ICH%8sCjL0BIc5dQiuGg!B%f$Xt8<L2=T1oCvRZ
zl{AjACruo8^HtNqSx29m<&d_(;o$X8H>dX*=-1@PRI}nt$yOiU7!!|LFMH?155vD}
z<zIXgfTSwLF3Ewa4<16y24;a$bu?2(?Rtl{$cq-G18`Gn@32(n;kUf6-$Ra`aEfq4
z*mL>iAa%FMqf$<h7;%vNqz~_<)7e+$sC2#?_6iM=|D$azU#L@1uitKcvWYDjVPF8%
z<GbJ&ReWgrYeT!}d4)VGKgq&=>rRLHhICW+O#;%2S6Nd&7xZ$$8v1siqJ8o0)ZnEQ
z<<^3YHLAsPp4^LDZkAYOK94sia-D~Npwo@zAkWSz_LG#)*ZB6%&jlzD?*(sWWu}Ae
zn$^DT>KJgPW)wOWS)K2TdVud#1X$#o=&RF8_u$yd#$TJ&_j9A=D-_O`)pc`EhwN})
zsDi(5F4a+=j!`?e`<y*Lkx*^4p{;5+>a~Yisy;*AMUt3sJnTDOlC<-JhO}=e*<Q`J
zOP$@;zxjT%?zc0%z87Qn*;XDUz4iRNsgTkT4Wal&)~vLI<3S&6x6WzB*Vi>_RL*?f
zby5mO?b{2Eht6#8#G;x>hyWep;gK_R-I7sK{ehphcGV8TnML$Uj(s-U1MOP5AclM5
zixdJBJ8a0R@`RYFud+d}(y*vNuE}gFn~oqEGrn@#<~1*gyZ|2sM{TqqpqNfKOQYxH
z&H}-9VS@O#8K#HjG<l`J%+d}y&K!rfNeHnKB{7Z{hhX5Dsfty@BPO|Dy`3oa)F@*3
zzFl(^qx;Kh(Cr|18X0J277(6u&>-@fJMZDM<~#Gs9r2;=l3K0pVC1>$>-B-+?Yx++
z=V4gYWmTqlvS_Kt#>J_S>rEz?NK#W`d>!<?!RupYY1u-XK!&Q}sNGmcUnDhjtGZdz
zZ*ZkTU((Cb;LpL2`;Pe7cjD>|mg?WWT+V1Fk}J>9jpA>yl+YI4ZNWDrm-54S1_mRv
zLAl0nAucMh0}at#DIrZMXKx@B%RO2%Sk10RmF!`05aRyYZ5r~7bjAQgZFg-AceJq<
z_v;VQbQhu;%Wn_$t#Imksdz<s;Lm+YLkv>e&%~-f-XuiJxFW2hnO6(G%*e9~zMG}n
z^{+2Ef<`0oW0yrTbHyfI&QD6~RgYD&o)Hy==f<~M^MnUfMbSv80a8H9Xg~dX<*oE3
zw$>gwVt2KRk6FHD3>M9t+o;SJ`F0#04+oxv)XYXwe@D=$)#MW#c}S-|g@$~nE1fvM
zrnd9>lo<9b_$nA%fu3e?x8UyZ^^&q=P=D)mHTVYH4pWAXb09tx%9`+y{W)-GMsjDW
zLVq>0H=e;hrUqRzfQ)`H>ER7a56FjA`Z#$T|MHsABH|a8;fi0+Oi;4sj?L(85+k@g
z?sgkbWqh_XU%^n+f-)<TeeCZWHRLa3*A0PGeQEt#BMrTC7)kb0@74!X%$(%Xdm<TJ
zOfQ#A?Vm;%UQMJs5Hb_k!#JeU%Tzg~1G@d_@d7XL4h_l1rv)=+cfFV)-;AhTmtH0c
z<I~jRpg)m_5P0OHtkbFqZzP;=Ie8%}h)KzenoW;hCubj>`&!zpv@Y-XM6CC+*}n>h
zLU&#|Pc8E-erGbl&SqO-#Mv->gq*aFsZzg%b8B)$Bk$uBix${Bl=wI&d}&V%l}G_#
zWosUW*Wt`4@;NaWYR3`vBkvn@2d~|B5h-eJgnmR@Apc`9Q&NJvaajA-hZs~*&qa@N
zUOOLSpd(5P7|H7Y6TOV`0}B#fhgbXE;5-`@B9fwb<f)S73x!2H1OvPND`5*#w^$&^
zdgZ>;!HRy`AMa4ZbIoguulcQEktkkS6tl1%8R>JSos{ZpUu0vWY5wAQ?<!7m|1YHq
z?w6VK2|W;>D^@a>aWS^oY$eiKe!~Ujzz@?!@AhTTf(cz+o!`MD#bgnd;w@D_6vie#
zUw*Awk77X~iiHRqjGq<dQOsWo-t4{%b)AoC6+iFeZCCp~W$8FArOYQ@+w>ijPzdcs
zAoP)VEGa?0GfOJMiYY9z;vCY{xWiib9#ulPt6$lGb+{47?~SvgaP5y*6_x|ciO*bt
zzL2DCzS5*qTQ|9oJ6=!4^n!#B<854s^dXlarqMD2*tMUbu?8NZw1ay-#;dC6?~(+F
zEFOP?W_KI04ZpSy`Mf8V{yYUO_Xzg_AVinr|6OaVdb*k1WcT&ww}(E0hbOJe0w<e0
z4$B*DhaUD*IM>fGs*7Zv=_z&%@8=gCj9Y+zL`{Du=&Hb#{oN|7@!e@Z!xhuxvR+JC
zz4QM~f$iv-Q*9{>u`vt!b!z1HbNc&>NCvTRM*$2^bv3~<Or!}D=Nq!!TCNxtBX@D3
z<hwUW=?Im$DuhZNdbl(6c5f<3$|0T1OT{YmwbZWsc@e^lOcpD%$xC9-c&~Xv$<e>m
zajiF<tg;R`y6Cs1*loOG6Zg&PSNfLT)y4aMq3KYC!kPKhR}=S80CJ-3^9nw{f1Ipw
z=h}&<7(R(V6t<pQgawhv(+2{opork6r-350KZdXEkKW(^JdbIY3{0@U?g=z<8TV@n
zEi2}xitUU|l~ZGJ9Skf~OIpnKHc%`&qfRg8938$r$oJ&2wx2HEPZLVbBMowl`wTNC
zD~#OvmV#eTp!o({k;>wDeVb<X`u&#TH{H%<vRcyJZz*Opqn&#BUl;N6bH898KVM)#
z*nRR<0+W1mtyU8Z0@S1=W;GS=sk#BPxFXKQEdBcZzQ;~&>WW3@G%a8>A-cZD7M?0{
z$9O14ai%ONnSagCT&I{*f9k|^WaXoY;ls+?&)Cga-L;0rt!tW#kK)}{FWAWW746Jn
zIb(o+ZC~EHK#3S(^C05F+>H@AhQYxtKruTrZ74^SZ^P}+*0+W`4<wqHUJD0`G@5$B
zG-~sGDbSLbz+uJYxOp?$gpSYH#Sfh(TmJ7c&IP_C8e|&L&wRB_<U+ZNe_}|Pd7!y$
z83<x6s((tjdz+P$DCf%Ydmg%n%8;R9*qzn<RZ|dafZjTC66JpBfF`~0L#L~-v)C0c
zeuQyY=nM<vZ^9pO6EP`rCy@3xH0T?NNQ+H}o?8Pq@LeD72G%&YLaVzKSPes^(!Cn#
zB_zC%QLR|^?6&-u;0<D#<<&410-{98xKeeM${uW#HhL7IBeor$Sfosk6e<|hkg{e!
z+&CvAMR6@G1Sg2E2|KRC7g6K_w^+W!Gh2+2Sw1dbj*J?uX<3O(Qjwx=tgT>ae$j<z
zMT+^m@+l_8ib{6oL^=n*T4s2w9d{Ryn%<wfY{UTR@kkFKR1UongUHn`C{ow0vTrH-
z@Zvii>b$`h^hdY|zel?Voq+G~xEPr^+z3{W+Yj85$?M5mlNrA)I&O0b*DoXUyO8b*
z(WJ*yv?r`%B>F*NI;4^TGl@L{S@C+Gh=iGBvJ3JTJ(h|u@)XjqPU5*sQ)pmSRl-j=
z_d@_(j%`X@_g}unN1<}NKm!Y@JcDdnlGQP~tJ)hx%^c!p@UpCrX&MS%YRmg)C_ed*
z&#-zdiauNhz2SY>H-N@QG-nhGW0p29#&B^z!Mu<{vq1Ujd!?$RFa1;dB1(C9{lN$R
z!*{Pv)Pbrmf(NS?%!eW0Ho2m#S~=vmN_7~8VMW@3?<^3LTOxev?}V@#gBF07GA<)+
zaX>$ESdcG7EbewO$riix7$@|~mt+7Ct7ypAUD!Z-pUg9`8rXDK3`k0GAg0yy2hhSk
zYNhZ5hC=ZAhH8~gh}gE1%Tg{mtaZ<O)u~HS`Tge`qMcK&-%<WOl>^1GO2=r)Xfi5k
zc28W<chf%5GqiLsDSHdxcRe8CW3N(Y;(uzheGoq9PRaF$D>7)O?s*Ha`d5ucNOd@s
z?e{+C>K1+G9M$|{rv&V6j`p;}!(XfA(F`SKf(-%(yhF51Lb9JqwsIgy(pc(MLJbgW
z%jk-RBoaI(;V!(=WQ(zaX!HD|SOE3Hjzkud<RI*Jpo@H&IKFA{_sYQF?tLToXn85h
zVj{+zp#Bfzm`p*KwFf3~>}ku=TSv7MSFRiQ49<h{N(lsvJY|eZEUW=Q1FvCy;(KLA
zF*-bJJyU6X5p1LbIuMl@?R~K+y`=K@jZmXda7s+J^N81$g#`qrO@DWwYtjCujv&F=
zLWcZv*hUzuG(gjux(5Fjk?&j4*e8dbK044_6x!^auK}TQ=|P|)`ch+QpMrE45d;v0
z8Bd<lom$v_vL`mVJM$04LU4qG<VHPLj)gRbbW9Q0<7hqrM&rcbXKgtP+h21yBpm%{
zTrM#~Vc3&Bm-@#h0YqUYk3m01OT=eO+`=e_f0Da<u_Q`z^j*?G?ngmME7(qDg82PZ
zSR>ZQKAK()EBaLcv$IZ_bP(78b)MRh2a<d^70xEun&fZ+z@*R##XcIbu3lj#l4tS#
z#|{ulNC}$W{Lw;Jh&A-ZocG$zerwG-V}-B@Y{D?cWwa~%Ue3G@8~BY*JJ~TvO&Y(=
z=!fIq5ZLyBaTF-N{gYw$T4u^6+^Cw|_VpxLo%rUYDVfvX@GamM5*_~j{KuLnd?ToW
z6LC~2U>=|;!$-0}UWhf|Dy44@X(Y4UKe>X9K*s{caC#bsvq>kX#~!QL#NcxkX@<fr
z&>6ox#aqSXfgG|5|2;_uZU!!qP6b(S5WfoP*n@NvVGW}|FVyNEeFLjQpyJR2MzQ5c
zf0~2!=}gcTzU-$aIEbCaYToKV!gc>^42VP^sS-ui+J?i09$(&4H}pjgoFAKPja(j4
z<~LcQ_n$$C^r-qiGW|PXFO_kGC@<L*uB!hc{{aEQn4qFsHsNGb<B-7!n(F`DUGhm=
z1B|yv(ETW4Mq{e1LDm4%DSRlv8OJ}TXNkHCb3ocb9D^rE{~*e!_Z1#W7bF=phr};;
zWB0G25^T{&+iBlvc2|e_gdB(RlQ6OdFx&<TW*d)>U?~1K0Rvcd%^KY)d+jz2B~GEq
zP)T56?ey|v2!r;&b%QPB{jEUsWZQi&3uyIfRd;~60JW{L2K_>1{kC72^JR}>3>Quz
z=dZ$RlQLix7~Lx8CID$R7bm1C*DX`z#gPGluziB_plhqnN-Rp=TNDqV-bIWjOb<3f
zWmq=>09PN+4EFFz4Bvw@j+6Y&`v_)zR(IZ-n7v?0HXs4w=sd=pMO$8D+P;6_>27-w
z7&U>`?=_!>xUe|IQwpG(6MJbR+|C^V__V?l1TAht9L`>DcHcdh+LL^}AFI+}u77FX
z&0G9_dL8)f)+Wcb*92BF0-$FpO}4rzXWFBrn4C)C?`Rb<!RqBA3wlBC&a5wblnvd0
zhDr}1J`gxpi&cUj>**ZEeu!f>Ha4lLsj^N^oUPuc3af|y)wgzbc9t7Yxw>Gw*r{|h
zPym+7=qDB)H<9)HMQ|4p)3y>*<94-DHIdxS$U$0eZhJY5tD==ZADXMRlob&X@&9|S
z&Vr@`_rkR>%3)M*e!9{w-MXy$qP7i~*rqfGod=`7)rf|`+#|#fjRFdfKd>wB<>cfv
zda~R~z#OTy#9bjhAHfk-#1OVFchB%OFOTZsr1ey$P(!Iwx+lZ5fA?DN6Gn;!CY^8k
z^rQGzziGX#<|>RPC4x9gD>L34%@Y{4dL0X2!;l}rK4f9SqwV=-@rTY2d_)v%1`dw1
zF>5SPAV3XC5rK)Q5m)&gVsjymV&ed_GP|7H4N?hzP3{(B>aaX}dBVGS4Q7w`+^otF
z=ANjD2o7Ko!&g9bnA=+E*dJ^$c7FexBMmPvFJ{7+L3|J3mas)%>Y?(=RC@>dD^caf
znbCOj!E80P-@|^XY$}sFcKll&y1y{qumF<ao-7|23hvC5kp6mN#&Tk!1|~;NBol~P
zbZU)XT3WK*RYPn+sFo9xD%8Y3mSzOm9!uVPU`_tAoBFQ$l^-M#_`vP5CS_D_`x~b9
zX4v}f56Y{bu-%bI4cn%fl+fb#3BJKlZOM-0L#cgLb7YB1#>MmPYM*GZzm_JNDB4F8
z=Fv7Kc7O&+fld;3qQnF9?UFl=S-?3m9N*{RwU)!GO&A+p8u)k<6g7ar2`2$bOEiY*
zS#7z+Gmxp{5JsG;q_cyTG+2n^-tvUfCkWG3ROnZmdK~=S*VPRLZ>Yt0QhxbcU<M7!
zap^)k&xGoUztIHKb$^f+<9AxhbcQ|)Rydq*^zhpg3pb395bA`wW%JwN_ha(A@2Kt!
zXAyWfG0M-^S}KM>j*c9@%vR-=|630WW&Ix*`#J`MN2CZA*3@`M6~+v}+sG`S%mL>%
zIxa$7*1HO1MI3dO%02cc)mJ^HK8Qbi)O^HMh=a=xkz!G}I>B;!19jc(oq+B4JUvFG
zKe8&sAv0InnIEOaU_XiA{MbUsj1wUPCtckAf+h+rB6MZ#6_rv@c!Tr)3KzD8Fc%t9
zWDWmHNFOgq+cPx)ScrAb`v2~15qKDOF=~Og>O^f(m>8J|(d7x~a8f=r`Ap5<ND!1E
z<U~B`mhh$2n+uOR9p>UW|MaIgxJVK%6zM09j-vHXZ^C5#h0n-SO(PEDv{m!Ov&JM7
z!6>zGq}bLWfuV#w(@cBaipxc~X&aqat+}CWF#@Z!K}Zoj^)fkPA^~e!5@f&L_<%xT
z1nTbFwH7$b6S<tm-GxDFlt_dod3-$<)yb(TQbC8eZ2DDJd*g)@nCstoQEt#!W45+`
z|8nKF!FHHOh@yP6+$uYS#B!S}Ci{5fk~kHnfYv$9R0g9RNg~AolgzGw@x@N0oO~LB
z4^(HSw8Pl}oCxnoUr$l==<Xp=^cZi|o39?ZTqItWXHgI?fqhBUZX#<;R@&g8&iyiZ
z=JW7qx??#tHEb9!zCI$fy48ML^kNuJF<1nXg!O0%jVTw&-Er`FGx5)Op-Xm{+v{=D
z*|h%ITG+(MeaIqAn%`GwlkI=N8>8^%t`%W&&4k2rhjj)?@cc-5vgv>FdhZE@@zCl|
z2+WU~;)1*prb8gn8<&`F{sDYneh|HGAs=hBc-XD@?ovkLP*cSsAk~Z&vTt7^VNsx7
z?)<h){M{R0L>PF_$Zrex{P4RPN_^yg@MBUDggwQi1Y`CYxW9*w7<>Fe)>O;M6D_Ah
zpIjuw^z$m_v9MlnVv{5qptI!C$N#-kK=}rXth*aTaDUP|$IFipECP=I=RZ)L1_b!F
zYvLRqx+PyGooa0Bp|1VXKYU|S%t+1);K$KO>J@d#f!9P>+GZ1Ys@vhtB>uo`;+ZC=
z^&y{Xb(3}Q>R>vy!G88j9!-hd8G{R#h6u>rN!sb0F}t_dOelLUt<$GKsHh*D$h{KQ
zX(tu9>8!G5u%^0ZCPjUi@>{1sF$r7WEKp$jr>^DG-8u3Bf{`KAg;~Wnzo0k%(>(87
z2PLbK#i`nRA_(N$QcN?r!PWA&HAj;*XXynO6r3^8pIqc~jb@SiK~puKrrnB}F~X|#
z^;u}(lIX)vvS4q&dSCdtn6e+q!lcbud6>g+ZxBfkJ%RegB-&_l=7~E8)8(n@={t8Z
zf0o(-8Jy1^(4gng1YIkiGiie+?1R~;Sgy#&(<tT0#AWDfm-|>mlMuwyWkUV}Ixk4Z
z*-j|v09*|UqfZQfdH%FNx!0#c)EiH(I1jOgp&koQ96~yiT~*1q4Lwp&=kO$WbK*O^
z#X4ySvtY6?;vMcB5Z2Ttf8l2Kq2loq%S$FkH)E=;R3ki81YFvtK0d(ohs3OZm6Xr?
z%v>|_;BSaNLD`ai85|cBQ{ao#<<8k(?HXrl)tt;<BC+TP1mD1N3;6OE-M}OM9Zk4l
zhe|B^`a_I*nWDBF6SEIa$W)NF>bN5->xYF7s)#rM|B`<Aj;e1y4UlgXh$Bf@KAg^R
zcG9X*PHYk=(0u~fRxQ_CM?)TQTq5QG3<t=g{m&g&i#)(fAl%Z!<lB3<h|eE%a9(wO
zn}d4Hn-m~}k(?vx)P~b`q+vR8*D8?Y0k{%JdCKj+e?iFe{xRe@`EB4Nhl0!9a$;x3
zc%3%Z&8(T%V;|u&&GI1+>n&|*H-c2N+xlr;UHc*l(?+BB-2bmXWJF;1U(1Llj2&25
zxn~frKvQomCf7BtFT9`jCM?4^9<#jP0y!88XS9noYBlNwlI8f5rjZFGUTeTQG`RX-
zWLN18KX3F%N};UX3MXVO1Vn~c<%d`WCv@{DRpm#CFL=nMa7$ocDN+>5Mjwhv>}qcG
zct#t2#jLt6Q@IzHK850x0DcDw8tV(lHm{ONHIEIZFmkYw3yC&;Y!!TZwxCaw4}0^n
ztD>88gB=^wuo`q^&~f!#%ire0dW?e2Rj`*C_>*5GCNdY}-Kje{AFP7--NYN)_%)MS
zuj6d`6UE{w-d7Kdw&q$b-mJuKl4m%6&>tTtVxOjP5Waj^e*dZjJ&6G#yVTz<A%wU~
z8jJTv>speyXiZRzS`2=9nVna-ue3vU07z!IoYcDo`g`TJROWAO>Kc6s+<x^8ibt!|
zlT$rpm){DPn!Ghma72)9PPq(BOR+0zo`P;pGhA~sCCw^Sms^y34}OQ0JcVLdh~??f
zR7psCs_o0cs^NPQ{wT|zowmD_FKw5u{n7)4^YWvxT#j#t_-<==Pd{|*X1#WqH*(&m
z=>@(hW^koXUbn{Q@LbRj&Q$c}6nfV=?uWv-S1sPT&?T8_8o#=i&kU62?f?i3`S3K=
zB&2kP9y;Z^SG<&fu5L-TJVFO_==xk%=jUt;LgQG`+8*--p=>;EV%&@&o55;ZN<-jV
zG%{h03JLFJ#zpHKcWiz~R^Py{0%5Q28Yk85#2v7|uy$9hpDwrl>572xIFzcn+^usv
zWIitGe?%_Lp}YL>73sZy*Lh#xGj1#e+9etQ#=)E9{;_r6P5mo&X+iuUAdj*f{lq%h
zwtQ1*h`r~C>E!DD%}<t7?aFCa{=@l<N!_2xhVP;d9MuawU;AhYEv88rEu#<^tJ*+I
z-~H*DPT%7#oJu<#zX!^Oc;mBvWW|NFHzHCaF1w5^63_)_V~N=)mN~=4A<xjN{Uyii
z`2jE=NV{_pOgUy*iGv@#p5WXL3_X}h>yB#o1Ih1{SN~Il5KI$>DBD46Qe{R&68CbZ
z@50`If+rdsxjk9IoLFP6KH9oJ8Ad1gK1(@qKAi@i0nkA9@!9H0B=N1LV+TJ@>uwek
z?Pltnf58!zk3ZZf-hW#2tjP94ZaBBJl>6^q0Cfqj4IiQdfsOnIwz(#El#;>i)_Q$d
z&3?ZGGS{R%)x)aEm-mF>>u=>-o>vkiQ1mnmfSAOjpkK*(dHRFrytBp-PvG*d=OtiE
zka}|IO}Jj|a4<AzhM4;*yuo}+!^PI_9|h$?8yz$49%1T_h0%BLHI@;VGas-<4+mq^
zO>Jh1o3txOl);1NH`<Q>ySAA(tt_tVOq(TgMRl@<EZqt-c=HquWfP>D?kamH^JrTv
z-Hw3><Dj+dib&kmd@3YkQ#Ba=G2X+{UNqfMSa~u~)Vaz3OZvaQn7)iA%at?f`sPdJ
zSueQhg!ds+k?I!b<n;3}GHoV^j})l2%{u;&&?o#9%C^bWR>Yiqz5w!LD6+*=PGJvX
zS#Pyr%B1W>j=r6NgB@t&TV)7khy|JGSHS{!z3PgB@{PPs6GieOo`*9ZKJq1{c=%l(
z$d{_+;<tJmtU!yhY`~nG3*Q|o{p#C3!MW#CDurEg?k1(L`0o7c%OE>eLpDE6aCG?k
zKHireg>UnBHnaXN_fJY~1o0Na5*mSIa*d)?Y2q!qu4nIyq@4LCn!+O?nuJM!D+47O
zXJ&l&URDLX6aPzfs8!4twV;!;Wu>RJQlz1BPjU@B5P<KQS}W+3oAI8(`m`o^h8?jW
zAoq{>qQLP=_F%j*?`5H}NYZW|r`OHq^ZoJmlK~XQ@Ra#KMC3emBf;qfR!RI+ewRg_
z!n$%K)yU@q?s_rdP5#w7(HXR693|+V?8sY%RHfLs<zXp;Pqs=4OB69-E#;gfXxXO;
z;e%q14f}t0wXAS>OWpiO>7Z`jZ>SX7j9O^PyF0dJ^ZwEziXaXp6+iwdJ|<?!xD8a|
zpFi$>ttJq!{U2n#b9i3S^2Zyajcq$=Y}<C4G`4Nqwj0}aW1~qM+g4-UopXNYdG38~
z|9jInd#}CrtXVVP`K-wiR(>4QB~d=gkpBM$&!!i--v0lmYdS`5s^3hRC-|w_5~Po5
z!oUo%l@o<g_Yya{>mZd78op}zcYJl&@lEcJO=IRzXlBqo6LIzF#fB{;gwGCfDmijP
z4mly-OXY%U!{x+r7+_nDv99n0uypdl`>S3UW>eDpV2OC=GzvmoC+$CDM2>#`YX^2B
zH)JtjYw$be!;s<oW@spthbg-}8`j{Vq?<L+{zH9`z%C9!zU>ue^JqX5rAH_g<65fR
zES431PRqfSS)#EqX~)2~y;AZQ)~wO$&C=J;1?wmHa0(lm;kG+0$rVc+3aSLr_{?P=
zET^4*J{kc75$Ntdl8HI2V<8pZ#H{^p?VA}F%GmKd{8F%W#4^e?QT;0FGbztttw`#!
za5%a-;`SJ9E{G|~Q_#C8T2V=O_0}Scqb}&H%=^0$QKTwVA|wq?yPU3gmBb73AL3>%
zTv)6}q~&AyJy|buW?2Z4u}z|49D6BO*ZUeEvTC%+;)kJq|1302^-h@rC}+B>1V_)s
zd`Mhp%OOznDqAZer-Z}a^~whDo%~7SKR-^jb=)Wc+G%{v?DBBnt2RK)<UAcE{-wjZ
zMMFollP-+<Kn*KY!Yd1~_Gct)|5ilW+9t{60x%}H^%m)>LJR&W;vUU`KX&{xzO8uY
z#JT&y3DU8Avp%OJ%E-`VC$o%QLc5_#$2D)9E5Rs8_9vrX5_?2RwP?l;5G}!ngcC_F
zk(^Nc;ZL{4w)-X!PJYDNKck7%E|gqn6>r|Ya6o3PbnBF#Q+;8uM@N}tBT2R*<mluy
zfk42U4n)}Yn?4Wq9=8W%QAI^K4pXR2z>Wyr+Cin(!W-7Y9gDH}p5|%h0*ls?tJMK#
zbLkUWYv&Nz8IpbC!fAH4`1-tq#Qyq^4cAPLw9^nB$E7_~y_HwcG-E+7RZX-!(%7my
z<VvSY+hKE3ky=Nb_&%v4wc*Psi8A4qm@#gki$m7jB!<nQi70GcBM4QDrmF1ZH=A>e
zl-O_-CkRJTu5gqE)aAqhV`@W(23@ep)w>3m8x8T)X?`enB47Rw5{v@#eJD=e{w}dR
z*YFCD7MVBUo7Pb|_8Bmr`hC*P9v>b=fmg<XQ25<YT-$uVkN1TtEf!)hXV*5l6dK4d
z0-9C*Y(0p15$6j!ZTq#tW8$4O%CeWUtxiby|2KjZuc7Nhj-V=-jroH8vFeeU*dr%8
zM~-=&kG-#$7PQ7`E8Jy8FyfO&|B*gtKx|BH3AZ!KJ5&6oJD9jz#JPN%)8kJUHYMES
zfScf6fQj5Wh%Mg9D=Ji<X!6?pLdN9)*-&;1)c`AsVMrXQZYyc>byg|-#tC$z-Iw6k
z=CT~b2T@dh9GBX~N^{gtkuYY%L71BM1DuPlTltg4IJ@v2Xo7MK@mMr5BS~Z##BFjX
zDN<^Wz~tmYI(u5fHwUMRH|UQHos|A<6VV8lRXlcFSiK&CM+hzEEY#a73qhB`16ADm
zzYDAz+T|f-fB*W#yAl8VcVBuqzJ$S#l(yE=SGh+k#71R)&E(Yd_lEc-Bs`K6&w*AT
zEihMAXir`)RxJ6;r6h&{Ujas@t_u37UR_fnY_c16A>C6&1wMyBi}lU9PsV6s*N->8
z(Of<+EG9#ULW#H%i8ul{EJptU#JIeOi-IWQ-fu}=yqX<ow(Vl<-@3P<!W%D&2P2C1
zV3n0ae~%Ww66~=b3`vshu~8jM`Xcg}*!P5^kKBmPU?)58-LE6NXStWKodswHLJ_%!
z#HMyMCX7}r`d3Cb{0yIo`Ljy~u@<pL1FbbaRn}-NvwYmgNoHBeW0=R-T_}G`Y{#`H
zoBl3xUtCAzSV|xfpBLOGmEcf-VaOo^dw;$<LR;I_|9HK7JXZ+a-rf$ILCK=RPJ++(
zot^&eUVAxyVS1zc>bK0*+e5>f*kX-+Nzh5VH&-+^_(bX$fxcX3AG!u7t$KU=wvnzY
zcJ_HoyhT&*jWp-8`EuB#?nVXrnwy?|JC9pvi_K4OkH>3?G97GrKD8AL^27$WbmhG<
zup03|kJCqUKM)UbesH&93h+bnCgss;aca*Z@HFrr5qL8Dc_T<-Wjs5)HY>$YL^K+R
zgC*&<3mjnYM#p)fk4Ie*OXbY*Lp|-I91or{tDut3z&E&_70B2xjLFRE32OwC^O;9c
z^6+~dOEF4Ga<$2KbnEOk`E|X{*=W=%l4m_Ca3Y^U!-o2OUPK)pFFIcv<_fp#N4DfA
ze0MH;z5)Tb7i}Cb$@rf+iNmz>4fxU=C>FDWwC;Z>ypKd{e!Y#+%gYT?r=)R$n>__h
zAl|R_lRlZ}+rMhp2)&Vd&Qfy`4#hTbSdW3wrej%sY@gfsSKq&mD-rG+olP80D2KPE
z-V@Ri>lYdH{DK)MvMU~bW1^P8@o;5>=cxq=;i(z1#BX$v^g@ZaD}N5tkY<{O#NX)1
zBxaraMK0q6TUz;0mC{>?ZMX8adXl<xV#B|0!XDaLA+@W7nG70HvqFxJkM96pLVqlg
ze4$#K!!ZmC%eE-Yd^f(?WKU9wtivTpE^DiGGv7pJ`RX5HRFKcdyCRT<Xj4vD|3s?#
z4(WB@$J5f)r@%}6MX^@*>M)PdE?2V%3O-PekHD&?4eb35bEB~+%>B(}Iry$&qJQ-{
zWp!^qZOF07Pe4Zza6-U?tCzMSi5?zR6(OLm;&pw$Bu)9jk>Y;CVc3ctyTm2#z&Bm<
zNBSD@ouIrQy|?}^uyO6ThNz5FH@?t`@MF`yYe7`5q%C}uEgi{O7so_2r?+h{=%Dc#
z8B#O3eAt}!MDRGQAo+4x?2{QRVats_U94(1E{ckUVsKDwOcK+eY1R8Kd!zJboo3L_
z7JItsoT_!<O`;((1>Rvs2nlV~sPzakIl{16`d=<L8Kfgq3S$GCt@cxl++}^<xw5@#
z=q%s~vKbox#95rGbA=`;gi@<)<@x1%x^Qkoco4>{Sy&YKf73bo(4mNAx6z-*OXu@q
zueKp{2E_9$4m<U{d=yy~W9%yEF{Tj0KCVzxM3i`)#ED(D7AfwAsy~y3@RC)3z{5G@
z4716SRku}kT__xXaFPqZoP>kzG*L@8xT7ILQjwAd0jo7J037;vnNndeOr1la)8L;8
zh5<JDV`6{EuY<j%S>%6&a}z9oSt=bbA#ZqojpYP8`HQ|^qRV&9bfT}KmPVg~>l;fh
zCdxCQV3Q#c89tt}o$X`{Ydrv!&aFl#qQUt%_>_V>NLW!;$S*YRIEcALOy*mPiJV&o
z2Sv=oA7;PtFmgV|5O);=n>^@1u<>OUfh=Wf9%8doih4tqO_!2HSMkuZ2|wEX2Rf8m
zJm18Z_}tv-{WQI4a713gBnn&5#Oq&86~V#{aBQa0oY*r?GKc|m$mc8jRlGK>yc9iG
zfxwQE3CZIc-hX#odbJZ}xX-m4{o3N;Q2-odVy-!m_mxrytd9Q~X2V^iN<d3%b|{yC
z#D9(GDKV1UVFI<Nh<5@RbN-j4`KycjrQ-r>1c~G3u{yOiR9o_;sE%hINe7HT@g5_-
zQpqaOW@!{vI?E9m+0@?Q7&<&sTrJqohcsPJ>L4ii0w8*jLZ|p9mzr?VgKN2nVI?<}
zd9xv3{ax`V*ko(b_oZf;{^M#`3|fuQQtM-4)0x!KN)0`DjX=u<U{BHN;`HNZpzl(o
zlN<<}P+n|59ABFo&!Is(<rM<x%)aIt&(owbfVP2N)!OumNy<%;J01^HJWP(=Q++s<
z$X2crqNhUycO!zm%U%;fl%SJ5VNz!00_U7oZ^6~-a0h#&Jw~A}pS0dGG)`;sO6U?)
zk4yd_uGt=2<1PeqtY(H~vtF|Q6%32|y{VP^2n~hLGo0MK59IpK@e)(l`&lD-#Yywx
z77gj2{@I_52Ey+s>PH{TJeOBA73BUOV8=fnP$HWYAuUKE(S*bXZ_vKN)B}Q91c_!Y
z5sk7aGS3o7XE;@UV7MeQsD-i!L#S?Xh+yK&dwOR(dF$a{W8Y1;USl_fjK=-5GcG4n
zSwo|wWU}EYsNssnHqI=P;|16f*#L$f|6D$ke`d+cV!>}T3|^7wsN@H@jb1PkDh9dZ
z_)=)*0zz3O(QZJ2)-&39I+;jfzsl#<W2O5UGNra{SSS|k7x5s^1Qr?8y^;T$=kE_<
zS27$Py4Sk<GY0~#Hx8Wkn#dj6(*%Fw0c1bJ?)VV&YGg#2UvLG_Fc@Z$y&y9-n?2oJ
z2LBA$O{1xV0rBBxe`j-KtNl=ag;gna!&@aao<R@6<)p9sK{~UHs($Y2*^24x+jrI1
zhpHd6^J;I;%YT9DNJD?6o1Oc^kBrRK7CE@wPLC~;otjQjSZT?4YJLfK5;rn~B?w64
zh}UC3*9ME5(;}a11Z)XJZdoV5s@N5B`Y!T%hLdwloUG5a2e|6~X~>^15C2q)YPXl3
z#E`#S|25|_F*eS5*zlf9tFZqLf>VMpzHWQJ1XH_WxYzA9B-P>DlOFs<O_S+{$+6+f
ztMx3CakC`6G3S~m1TnUeO$3U(GvmiJskAklaX>qbU}W!7<RgX*lsM77N#WHRvXC!z
z?BH+~qE4*r2wP-a9HD^uY(7!MR&IgV&~S;fg%VAbjj82AeDT4e9z*45i(S~NZIGUC
z!ZAe<qCl`vkn#7^G`&IgG7A;W2C~cFFC8vJ0S1TD1*|!|u;9@B3IY)gJF&R7{)yyb
z1~dnQ84;z95?@qGWQnP%$3EDFBo?dn-~BI)&Bk|9V)D9%;q_jHgrCOMEmB$h`sB!x
zD<y~LM9y+=;qf<`2DevPO}eJ2WSxac(6yV*HVg7VVT)Go8pQ@vS|V~V6$>KKemYC5
ze1{{LxCFN|`bcaia|`c_P`u;{Sptz0v<`zJ-7w4(e?9E@E19By!`iU-WMb^8q69W%
zV4N_xD(Sy(6~HA__V8tpt@v(KMaR_Cbf?|v*LkF@Ed|I#YRdjitofQ|bT)7>m*FP|
zAfw3UQpgSJub@vG$3~$Jjp65xo?mnYe+`w3-)w$xxr{54eJfdGx1-G2cndhYJ>;zO
z4v@>dOA=4etf%4d?M!4J*fjX~?Sc2beUw7Z*$^cS(JKriXe2SkA$FiLb=LIJOXvPk
zavERS>_LaePD!ZXwV3(P+i|2Met}SUnxrzKf;cxsfv6BJz_@As(j=c@diM(#DJU%7
zGg$76&^2bELwEnM9vP@e0&>TdqQ7i-$nuEm3nr<?4g4!|4;zC5sgR-%@p`sjeP?iF
zM&YQ_olN}6OGuZBoyzauzoB9XFIV7%m8zuV<jDE>)`8bG!cki?q*9Bb(Seup-EA*+
z$fI;1)=o>}PM$-Bj3SlBhP-X;x~aE(>373QgJ)@0xsQsSEZ1@s4o5J~;$6P_gKm05
zqvq|flYHqinA{wvU$AwgxnukmC`<g$BSGecv3JS@{kUA;XP*diq<&xhjHssfVRMoE
z-o%+5URy77Ku<0DZn(itOmUY~{hK#P)Wi*WchqVaWZ$2je@{-l-_bk3Jw#pLFc+o5
z{01b0nwlD!jl_moD)?zUCFce8hEhS`Tjf~C<CSbt>BM-w?Rx$Xo{tIO@V+T(vd=ac
zlhkw|)K{&;=>r;6F{7c$w;gQlMdoW08W1EkQ4Eqnj5J0yC9x?_?eO8XX@aG%g39|R
z#N`6fqhP*p!hA;Y#qCO?;qrQ9U(_mobWn`aKJZ(=;m3#@2HSxRlQ8wK?=#)3hsu8Z
zajQohtY2#!rCp~fP#~rNuctZ%Z(_TAK~nN35E9oxFpSVKxwLX8W`^bYGE%Ybx@Q?J
z5$Lm|0;OcED^#U<rWMB-@(6J)WIg5H=xxVin~CCD6q+R$&qE=H;wOA}+Np4g2q$8r
zCn=8+bf(+AHHrN(jxPQAkgCPplr2@H?LHii^t$@Hl(kC5Hkjk=Et-zxYSIUjJ?kLZ
z@|&=NhC>xCkYdZ7MKFjhJ}<;#1x95{I~9si%2-@+CZfevf8N={zxoY`E&73weve^7
znV)@S$(XQD8Q~@j-$_0&-eg%4*CPyA`i2(iE-U{8$5h;UulWzTpr<EfXm`?UG-WB4
zyzhicw3rnO;Wa|EYT)&QP1D;nPFUQo>g}g@)T02DlIvgM>mk8m(Awdh;}afhN=+Q1
z)0_?Q8h3YBvB;44C5R_!@lXi1^LYtjc`WNqdZu4HJI2lG`{ON781!hnhh<bu#<rFZ
z?fdk88O#mAz7Mu-Z?0t;Gxv|rcRP<vTv}+knw2yC*SqAwBdc~i_daM5k3$Oaqyju?
zYxbC@lrbc`M?%vVn*#wRy-Gb9)!5=wHEwm=1NGKf_n^m7eiYpN0Tt(g2J8uG1C?n@
zkKhe<aSptcrzDguHHWi$U(0XvUcOY+=GzzX-Ao}Og^4L?8KxXy>qG9$6hShgUb}Zf
zc!XrcBNvzQO&Zz5d5{x0)Yo#{besoNsb|E=qGH&Rn^VlfMD2j0WZv0Yr$lCsLKNSn
z|0@m8>ambazPCbh^A1H}h0B1;35Z5n4_pG#ii5Wm6b`x&Eg3Q;Nh%|fR<Uw=R~zNr
zM%g>TU5lj>udF^%>rbHuSdIvw)E5O)m_NfGL@HrC*8VHcZ`@feRI8qlO<G(JP9m&O
z{8ytoA=E&a3;`)#YUeA_mqdew*WWTb|LSU<o^)DdQ|ED!PkUeFyCiX0&53$~H+*qJ
z5#U#uzSJ_lLhM^{ThAw7<9#==5?ab%EL=GAgzofv&qQ5i|82b$rD|z&T3v3CH&X5+
zL*v)`fO3d%QTT>CFG;0AEl}_{Id|u`UnB0cK(PCmTDx(0_Rh!J@j?9^;eJ*}?;6@B
z{_^@~xPz0;7VMT=Co5(Aq7F0}nkX&exJ#NDw@1#`l}oGeN7-_CRmMvvK0+NV%^)h8
zzv=d8QENSzD-hnXR7_!0FIC_*Ricx<6Ql_>)A4SO|HKEY%_wj0nJSGYkmjEk<2%dH
zP;xeK2JQ_)z&%pzNm<Cr_jL+fwyGFS4`i{`%B}7K7_G5b?dacq4yJ;f4z0n{eV?hF
z&uQkBZV#gx47*V#fB43iUGlh&zTX~-Ap|KE4sLI64-`;M<<QDpSGT{pMws_{Hh)Y5
z1#p=&MhWD@sKMbm)1}TP?E9K|Z!yDN^SghiO`gv#apNwn=he}<sk?G~(tV8L_B%+o
z%VYlCLh25C&1UC~`E)hcWO0R(fA3!i1Swpq3ir|cFN?e#A(-S_N}xP6f_?~=j9iQ~
z99)tP>a{o1(p#bS$qt&;(MIov2AbHkc;Q6&a;#eBH77!(mb2Z}p}`gnkBr0-GU|gQ
z)CpTp;jG4E5^XbXc%zP|Vd@Fow{T>!OAS8Y^N1>eMm%0v_{Jw>e{aq=m0RXFb(vw%
zrjU+DE-6%{zLs%L`EyiefYxmoVgf;v$YdA>Iq@r{U@uM9IFJM#8@XfXWJz~$!UZip
zTsD2Og`p2Y?}pQmjM?HhcE)!VL5#CiKM`lKs`{#K8SjYbYpszwKLl*CXY`DQhEfXV
z-w*|&F@hyiyv5vxBzD4oF?+(RY2YyQj-+&xD}y7$8(_H|A;y<|h>T4;Tsa@-Bv7)d
zEL3FB+)kT?E^dPM+qQY<xa&@i=NY|PuoUC4Ntp>6Ul<un{vx2qBL?|D0e~e43$E5Y
z3-W~Kz+w2)DfB4BNK_jF*r^qPgboA^DZ*OM6|vv1B8<9a+f6}Z-b-mR*-O6BroTS^
zch>H34LerMv-3jB-N>D}@8Ka!Uzg<5+6yroDC!uPk-6cb5}E^$qZ>jo_i28T6ud%^
zlS`?(TUq{1Mka|jKPMHJl>8EOn45H5qvscbjld7Lw(ll!ce0Z_XPj8xgsC@)i+1<w
z5%mfg@Sl+qF~Tsp`4BQ0;0JYyUy3FtQU*ZEJALiha~QPg;~Yes)3KH)`@)dpznGwT
zXEOO>NmO%@E37*Ed(`nM!PTRbR364xP<FDnmFFFzZc0boVNaSH;o~s<=jhFAEpo^y
zTOa@E9+)vrbzdk9ogzT{<$rJ1Z(N5KzT7~ey6Xeg>b{#`u-{Kf-DP5Ow7xM;=g;A7
zo4AbC?KU2J|66Uy2-v{6Dwbx!!XgzBA(U_Z=j`rIwjAgUIyL`-+;e#j$J~ER9GUAu
z9}ToJLz92WR~2P@1<@V>vk4Gb+p~$`WUv><+X-3OKy41_{>t=nuDOMOJA=#>zP9dQ
zr&SURj%<RuP@W{JC*Z4-S`E&79Sp(y_Uc5Xt5Z_MtxbJDUplb$>uLbee%+-Zc^${?
zX`RWL3XhixRNKgKkbRW@`85!dImOg&2CW>6T?l|qBX|68h>eVPfsTNQKhZ~M`33Rl
zd~qy=&=4c2vho*Hu{aR;9|e;Ukv91W{pbWFnrz{tbiA?JChRV?mwb8HF*ZCTd}Bw)
zkUcux($dW#L7M>{n!HX{FwjFZ(W%)dyz9;W(pU%<lVqHtOo=ptPQbUz#`($qAPCX8
zVsfQbsmN#vq8w;*A+28)i$&LqX(`l|PqPED{igV}z+Fi62^K7!5p+5?2JUj=<vt?&
z?OCW2?4JS9oX_BsDn$_`p?B51J87VM>xOv*N|b8eXx(~!{BY4r2A@v{)XHQ<mm#RP
z1N02TK0iu_N0coYNW1F~BB%hwGSJ+@m}Fcb9)+MR4?t*vde&BBUcP)zzWE%8RB<q#
z*UZ{q&O6kmJ&PCn$^YE2<<S~-?}WS@%{qGp;{5H8(xC7sPzo#4)dKr`-nuzDJ&jN#
zYcMkVQ$(vyA9N!1TcKn^e=|izaL`dhtaac8Os?eTg?2E3UvT`V{4W?F+nBuWtz9qH
z#;$iqK&ezp;DC-J1zryqYrZe%{3*EREq0sJdt*uM?$;zTY4pXw|NO+D-UD7>2un>u
z0oC*ov@97yINqjHWUDb)0lO^NbC_!CYZ4A7=EDWRi=lvTvpq*K^lbgn&@%x<bz>8g
zc3E6hRFU1`7>|?k(zch2&Nup~+J6`8Su^}EaQ^Z++)RG&ufS;#&q;QnjGw6@O37CR
zgeZ=xej&RY38STi`T*XSH<m}I(>ANx?dg&?V>6Y>CKrXta9=6gQ|EbSsggh<W^Jt9
z?r2gr^o0wRQl1r*0v|Aqq0D|xC{+wiL|$-N*m}BO!^{+D?SsX|#qee7)hq6PA=7Pl
zf3=@B_*FaOJ|AB;i+zg0<f*@TQFj7p3}b!2?s1soefLL$IFX8XbaHa<Xs%F21Yjnq
zq|2TNZ$i9buBJ3aVW}yS#ux?!&1Q1h0GVL+lGHW^hmG09*!WRIv=&gWT0}e|(Wnhq
zI$W$~_hCgSAkQh(l3{)_Gk!^juY&kJ>1PIBn;u6C8Ky~uKk?Pj-F!&Nn~05`{^D#m
zP9V3o)c}AWdrErO-YoxCS&UCl-_Lih@?kRQva*@a_LcJjz?|Z&F{}iILaw#6tSm2K
zwzjHLf0kpPSsya*>1-^}J>Eo^xN1kk)5yzaCO^`)Xd5#tKNg<{Y7MH=>2TWDGo<sd
zFpl4mTE^SE>$oofTquchjnO&~%-4-Z8VeQP8^U;7yEGNjTc2JcLiTU`Lx(Stas--P
zgp7=g*X!AGBY!Va7=U@%LykUn|NAZD>z%?wK}tHHS||?R+5muyBwG!^w1+c!9L1%j
znC!TMVq^P`TXgToOVc3V0%?18plgP%?<S!#!xZU<WMrS}V8=&C8Ha|4q2ypAqoP<$
zOiiD!U2@X^pz05))_59&9k<(sj-Uyw(*lJgb@EzR*U{^8y9u!ht@Iuv=HcRPE7Ewe
zyF`z5AW(eXpJ&-@G*d_#Grpm=%j5TXeIlu>@!I+y3(&efnm}5TNG{_^Hvz~yU=%W(
zfR8|@-&~FadjKH>fA4vS0#gaNx{fbtD*&Ax8oG`ZJR}+`*h9=S3Ip}No#N0vJO(h$
zZ{HvJA8|+bk3WgKO}~#j&bKVP9<3wcaDQ@F&9Z&PWPL~Mp4AU`77}NRI-H`%N$9rT
zRI97rhN?%xJe$B0g}jS-Cw_+=Q59L)Xkf55WH5|V*<ACRLAWLBoo-n>ySv?~`@l7?
zJL$G#S0JcEV$8Q#1JwMZH+zpJShCAOjJKAXW#JQ|BQevxn_y4Y+MRlGU6RJ!$d3Td
z^!AWv-IzH;w%hCBUMf|+`uo$5R2U(fz+~ZpP6!E5W?wsqQmshDuIR(XYa&HnRzn(s
zoklrDfcO$Afk>g%n69<E1$ejv*toe0HQM=np&;vf;PdoClf^vm&FlNirEd!5no<@~
zF{2XL(WzYMKp3JCbH>eU*B0`^i#=ze|6|H^a%7(oXrkCPBL6CchY`=NoqR6u@#0M=
z0=_iBDk>={t-0^UeD>l&r&YIKHc4A9s?=(vsMM%6Jy|GU06e<eM`dl#iH1i%KH&Mk
zpxW&YVSWeJnk<j&+3Z|?U<3oG;fGksY%*}rK8xt)Df+N9x~z<<H^%Z6Xh8M(mNS8S
zS+2A@l}<6ymikllEwtKgt{Gv{>oCe?bIz%jE0d$@e{VF6*);y*2A4$yIFT>lt?o%}
zKx?Kdo%Y{^ckd&FAymGkU)<Niyvb+nakgbmrKQKY{2&$JF(@v@Q-3(Vzk0M-FZTnk
zqJ1w>#yS@8154JFWMq5qgn$<WIJ~7M3seQZJG3MUbOO|jwl>ZR_3F%W0K1)~hE%<#
z2qH|$H_lHN_@eyU4?p_b-71y1vabpo^wprXmLVR6s6F{L0f&%Kz;`xZNY^YnGV+T*
z=daqAzuI=ihC`7EaqY^1Z~*c*1rW;shnoKRBqg#L!ph3Zga9!dIGr;J<3G}5y_^_{
zPTK%DPiAIj&1OsVMLoZ61{VoXx5q>!SQrJ(w_f}s&?d<H)naW(9mpoo65?1kBmX&}
zc%^Fsz+MXqMKG@^fPYkX*#dUBq^$h>8x||lK*98TcHOT!SY_a7%Td!kyU5ecJ}593
z(C9R(TYz+Jdb2myLnEB_k|=e}lLqu$`=eVvS~lGpo-?S`*(7z)JAq8zLc`4M%yuHk
zgqM++n#yht0F=6BbQ(1}AcNO%g?ZP|_l0~lv0ON?G|@#RC5gGY{C^aKv_YDMspC;p
z)j@egzKO<PJ<peDHJY-o0-QAwH+Lp7sW_wAG@f15ttE{-EY=&6$X%NMuIorPwGdR8
zKc+vdd32jS8IY0;QM%3L@VFh!D+t`R@)9_lH!nU{SN#fto-dL@CGfub#apPIOCw}9
zoehAI#l9)D*-X}f(dQ9+e&o^bB!`DnDBF@|{JxxK#nLJN*#i<E7WG+`9c1J%N6s`5
zPZA$T`^^M|to~NPY6*1tzIpamJAYanH4V+UYV~)vd4Oh>TV7snA9=n%w^F$TKHA&>
z%>E)PK%%SE8xF||e7rXP$36vw*lCP1pr)wQ|NL#xq2|Qf><VRhaSi((t#9;^a+zwg
z+A>$JLir9L=4(FJ*VlMFu9Ioc3jdk<&L4PA94JM>9Kcd!v-%s2LN09&EHaSr{cPo8
z>A5xsqu!K7pblQs^K6MhuOs>K{+7XP^2G?~BQ;K2>&%VP<a8+iS@z?9+Cv3Q$Q%%V
zYgOKnBMeZD3nBir-|?Tk9`-1X6+xt<*S@BmZ~CBEG6hcQ+Ob%#cccK%a|;|cIJh|7
z=;i^UmfPZYz8+)cz(^XQgsJ4Frlvv5KNTK!Xb@emHxqDpoU@zE?bY*}aM;YjAzv}U
z>VU3cpDo91+xIcfQU(B8+<x(g+cgjn9YD#)L`E7;rZf4bQD*}>Td{Vlt%`^lPA%0h
z1E!tsWh3!eys?K(zZrmH*KD!I{?XyQ4VYyK@L)X)y`yQe(uzvtR1Me56fj%$BLqf+
z;mAF)|2*XYGxpd+uI(U;J6dU`jltzG1!9}_m!6OJ7haj`Fa-Qe%1hw>Ky?PQh7Ioo
zpk(Q=WU~280UP1H>I09)<%k75;%)E8TO3f_Zm^iAusfXw>$zo5LUC4wjkNZ@M>W3M
z4kLV4!dvwIHzxr~%|SyG33O+pnek1+EsbVkV(PjXrv*)*&Q=l-k~ScQUfQwwwD38g
z{Td1iiupzt*X`lVL-EDb=S0Q=6B#qZE(F!O=J@qVsesqyYU`Kt<p!Vr{-(>~4>C$h
zuar{Y)W8B@AA%?$44(s*4IW3Tn8nr?qpE-qW9NT?Z8*4F)GGyoKwlJU24I4J^aUjk
z4-bEKSM$v7F&<0oy6XQLfJzn3^!gc9qd^UWQU>ZAIuQAFH=xjcKGiD*&smzD?@zbO
z4PT_OR3P-5!6Y=|cldaFP-!rhiu;X#!%9_zKq?aPpAF3{P)BcL%!6F#^A(J>%Ehw*
zEzeBW+8lgg%aQT%r+^Lm@o_iqjR?TVsFVVGd|o=_H0lk-YJtvzIF_hIXzUayybQ~$
z0b6&T(!TW?fh4qe?TL0-L|(bxH&Q^vGaSRQaio$z4{Qpy9mf>FPcZ)NKY)C^UHV1D
z#JFUbF4Y;J(W<-e@>I&jD`Q!NAWoxp??ty0kUP#M<c|(BunXOP-Wizpdb1gV=Z8xL
zN5=-45GvqZ?d=&8cpec02V({Ro<uMLh5VH!sT7!Lry0HnPQHyg0}<f+grX7sh%Z1s
zp^U|e&;+gy643V0IJut(C%7!VRYxccw0Uh9P0J&4Q>|2w0qm5}e|IE~1qgT8f#V#f
z!Hi5y2|z=|xn?U3z}KQvF?E@a#uI-YW5~|V<{bfyTMD4>M2OTL^#M8Wl|=L3-a7lL
zl2~B`tyZRVnp=_Qq4tjhnKH!?b&=r!@M_PwBsY~72N|4oGad~fwlq9EW8m!Z_=YK;
zLsTveZ>hT(r0jz8v;t9V-v9+0_yoN*Q@=GYh}&mnCM-QV2h0ft8$ZAAD-if!J($Py
znT#iI0}I<Vj}cB%N@{z>s&>jK9yrWmW!v*~fFy;^FPp&}5=Q9T7B?fU_}ov3f3eAL
z#N2H6oHCK;xB4^DXpc6@k-FJV>aJ|9%E>I_Vap|Zsbkvo<DlGb)_ayp`GR0e1~s{V
zf;%6o4o&h}#3Rd})_)6%NclD7)8sd80>69-f<~M!gowdr8K&eZ4Gh(@4oqBiD?A)m
z`KRL%*{PAeRdV@JvVs4$#B{5o-g})r(Pc&P8h1N_;GsIx@u0Ue*mB2;`$+QfWWwV{
z$3Mz;IYm<L=%U{J&Pv&8H>tpq+&|`!&u@>pRoVMmD2SMkTmd4+jOibxzB=b`RjEv#
z4HGV>D72MnRr3=ld$zA~tl5KqHk`~6Gzi{&gAhZfmagBEG3PSI`@^#-y@GjZZ#lyr
zW--Ch8CZ6NrQX9mSlI9|nI#lrsxezPvpbkpF8JRHP3h29y*_jOA!dwh{^R7LAXh#j
zGqdxC-1F_I>UX<*-YXlyVwJ#<6-Y69-&<5wBqqZUF$sy==hNCS&CDy}eBZ#6^*KaY
zic%F*2l9#8ort-!Hy5ZEjJLCvE)<}9lj(;peQy2RQq58UzL=q5yZeD&?`SoeB|l^h
z1Pan>u26WR$SwzrxedQB`jwXXpek6fd<1Z>J5<%#w)2+NG5{8T*zjVY2B7~p1}rS!
zK(GexDpB|d5l73k+ju#)&W&F+c|Ciza|((-O?V7Za#qXOk3Z;c2~UO}IM|B}Cn~Ac
zN|8-YIEs}|W7nQW3<@HTr2U3!={P=;`++mA2~i{LLY3;(1wcF|ghc%c#5fX);6tI{
zpC{n<$5RmEAQu!At;d-Cu~<6`?to6s_RkQ0y>EdN&ghwXQX{RsrNXzgTpjNW?B1NA
zVnJTayP;^VZ;!>jgX(C-R|V3Fdj;%5k&6((Rn$Yx_r!KlbxLF^lyfNF@{G>2W>gwa
zbCRug)<$%S|KgV|bbx~Z3uSM1T<rC2Lxv8Q$=`4+O>w)S#WzXML59v=fDwK(CK5Oa
ztXMmj5VZ(Qzj{Zq+sh<;GOu*_va3BlqC)qyNv8h_M9#YzG{{gAgF{w}?@So=k6Kt-
zUEk>Jswjl{Dm<Qac*2;e_1JGpk(N2OJ0}_f(E2kv&2sQ4uziX|`1N@}Pc~|*Bgy{_
zp4D|p;MNZ${{}s0y(ET4IT=`6S$=Ld2Db|wcqLLFKI}Zc>6vDJ-WfOk(QwqD<T!1Z
zOEA$;<Cz~c(n3Nh`J-ZQ5Y)Or9`xkHeb)C|Z~125OVx5cpdp5jMUXb<ck**Lfx$pn
zEjO?3{<zgLu!6HndW3?!pdyKz#s&`*HX*Ls2!^Z*0(AR6{JGU%N=d&Y6riC2I|85_
z6&I7MSE_%b5*HdUTQh6KS7A-f+&`J8FUDmX|NAu*CX!I{zuWdxBP@4^fr;&7^jTC!
zHcwlepPOxoPLjIL(>SGW%AcYSr&pE_=;^b~q(jYJ=&<;nD~Z27T+ue0vIU}3p4rR2
zY4cvKDh=vBCu^Q|zL`Jw$Z?J$s03WjV>A5Ig6I<pATaJw(b^$cUDNqwTBpVu?TA@2
zI`-5qI-e~rY*Am!t|K2FhbWF->qUwfUK9R>2sr+`+$U438BQS;D4CGB4X0K6TiH;s
zi)wy%1`#%bLQCPaz6ZI`QBTRWyo~p1g^W3qT`=u;Q92Rk6d|vOD=wgf=77@%n=Y&i
z38N2%;wr541%(?07{WS5na%oX2FD)AZ781ph03w_?I^cr6G0zk)JWZn`S;m9MQ_SY
z-$2irf8V72E4@=zogF=S%cWgbx~_T@Txe{mBTZH&5_XLA!F0bwibkU7e9pD7C8{b}
z1yym<`26AcFYm^kAMBTUa#N0XHoxKW90;jXG82%p1`pmUsW9{sOa83<?s=C3(V6V&
zoAL9T4)yUvCQOoid0w|rYUBgqL9jDEA>3{28T+B5G~zlmuYH^QQ$0l7*~&9+>OBrK
zW@onCIrrioLrF=D)7}x$Y0+=!J;^IPCbsZ<#)`AK{a17uvemtb@t#qIQ+~7Ep5E{{
zseGTeEOXu66J8tF#au}ueRd&fQ6;pArZmc=Wj|8gB<+{-cM?G<ft3AlQ6hRl6A92_
zFje+Z>8?kRR6TBg6QJENbfog=(*x!Gp-5O7X;}UW1Q+Rf9}Y;O%;LC{^>GUq`@A_Y
zB6A-pN)ToSQ^v>2RmWTK*RBgE<yy~3uN8iwn1;Kh_?~RP8T>}2Kv%-`{z<kZYQ3&6
z96BpWWmFkUT#nBmdJKMH(=oP`G!-yWt?#3>EYR^OMxD>k6DD@o&+D5?mBOST4UY88
zd#40d3ayV3Z^xH29(8XYZMQcPytWEOTbNly<c8E>Yv8<bX5(=}Ec%9mWXj1`{q0}9
z$k$*h<d6hc-v6{i{iaBY00v@o`>v*=b_tcKYPHL{ne;=i)TwYaf*vKQ^D+zlGSO8Z
zev!Q=$QM7<;p~i9H+MO&TxQt8WW7d5xd(KSwJQg^l7B02m#0j<gdGHU50HHc^DkQ6
zW)2slbJ;F>@kZkZp(WiQ>23ND`;i(4F}ebZ+~vGt1(A-A3;Y*v`QM^iCa2W`O{+8d
zpa1PUTieqj>fMr1&fxE+Xn{W(Uz^udt)}cTd!+D4oJXL60ih$TS14(HgEMtd0jIb`
zAW2yMDg?fO7pEKR-pskva+4o9g>1SkS2`otq)N3levO@@8$pP{^<P42!0rNmh^sKy
z(>0HC>}|_481xVJH)Vk6_#OZ7r{V-z=F*znWaVp()?@bu_a93h$iCB4Zq)e_QxSQ)
zt%5y5ouV1r036o<tQ-VgTGiwpm8ZRReRhr6cl94WIqLY8@#5m=cQW^t-CsNEjSr2l
zM_Rg=_;Z>mm0`@!7|G9`z|3Lya?aGyAf3sm5@9;z6jwVIS$5R5Ky!e3>Ko&e)wv?^
zv(6eI)b=~5@Z{JVQ)xGb4>LIzsE_hY$wa|4$`Gp2dt&BtRaTc-q}hxIe#mUM%X-oK
zjIDl_JrmI=;a)ZmlWO~)E9|U=%v($9{n}P}aevIjbegdIaf*XcGDUV5)S^nI8`72z
zL6cl2ohHs_u2?K)+p#XuiiC?lLfZ(ncQG+N2ByCmkwef*sjQfl-#>-1C6$lLOtV+c
z+=QXIEy3mJ@Asye%XjEM36f$126kM`0?tX;ccTDNcXk{88n8pg`Ls4IkTL4ByX4c2
z5*xfgQ6{OXRFPUURG1@ib9mogwZygg69w(Z!gaWmt2}%C+%>{{rYu+cONZ`C5^OJ=
z$#Se-M(ehfVc~9D%Qe0#UBYDeC855-ifroTV@i5Ky|e8CDaYpSVr;SZ^|&=xU1}qy
zywmHMf%@5N4B?{h@DWeXUIWfK2va1#-*vVKCWsl!Exo4W-&{#Ri9++=ob0{tV-%%!
z6vNN|YR}r|2x#c;(z7;!cuI6V5Ja@yT|b?bJ?`_?Y#J}~c2PVltm`A&U%1)ZLLU5Z
zr<>3(8}|FYuW+<Q>|7U{0~3p46m|Wlp_R*-Cg=Xnq*tsa@!#cRpxl!-;`<b-O0C&O
zs71T9;<6#SR5a~$(TnedoZI^j*GBpaTH4~pj#?JUXMLec3q}XL3EbBqp$6+pRgny6
zjc^@Z7mja=MT4uNmFuV#Q~BxddTpK&;^*>eQ>9pgP5;zR%B7)c1Xe0{)H`hI8Sm@t
z4VU<U0M2kXvSYFSW6!q1siAHAw{E+KY<l{?mnhjcqinexauj1GV_9eGiyn-$CbPwa
zsmV?Adba2L+K9=`fB2L$=v|k(z=-hbA=(hkgR1Z*cuKy;fz*PA1yQ8|B0o!@Evj)h
zHysaUl*q^Xz(t{UnPvmd51h?yH7&l{M+TXe_rW7VLZgGsv20$qXdg<~-$mbX>1%Cp
z{Ti*3awj)Ab8t*f=Qx*l%8NwavNC!dxYcA93oPzh+FuI8cOElDUUS)#Y@ipFiX@fj
zO-&khufz+YhG(lS>}a_N%#>E>#6KRXSk(O_(ZnQq>N07H8MZqp+@2jX`!j{jP@C?n
zw^gm@V#jUPp<UE8p`5|L6OYfvXudW8JdOXapU84bXhWfZ>%guY=-Z*ImnkGz+kDqT
zG3stCul?SEVfQa{Y!H%EGp{E)c*$^WWk(2DV;MS|0#Iq{y@52vmcOers+|T?)131)
zy`=z?Wl?xi(D~ptiBj8%vvK0|^b~Mlf?cRwNcO75k?xk3bDCEJEcj7ZfYIVtRF#6B
zytOml`H4%R-iQI&FvdfLT!P@wM%Wcrv0Oy8z^)yJEs8DXLDM5sQEVKLXmEs3c~+nn
zLo~`R1nk*YUb!;k9Qyz8_1eEtMpBjhdtsS*KO$k8#5&^CkpM32!^5kvi7?aot=F{u
zx$F1t*VbciF6iyg<V4<fb2Jojq|WKUY)_{ND`;P5bnntl&v<i(OMR7L-xe27w>vn7
zFwO{oOB@VOJ+q9gHgTo{ihCV_v;m>|`(%hp1JdEY4Sc*Gt=U!4P9DE6^|<4@d#CkR
zn-FjC9>je$vfs@pvnYDyfm|crfwdOF{{O?urPQ*AAY1usBM%%&3DRBZNRk6aj@;i*
zAsIn;V}t7K{HFK1^5E&%U`&22@YVFUZx^RE4GONrK}6vzR~O-Wul7LfWoezq39j?Y
za6^YDFwW}-9#Y5FMFsB=D}f9JK%)Y|Zf6p=11Ug7DPOAKd%=j9FByy+bAGc%b|{|U
zlI``nXax#&H3~O8Q;oKex6sa%JS?QG@EqRP(6IZoS#b<z@BUc;&5#gX7`DWBh|Aq&
z!Nh#qB4;ovpD)0Og9V`qMe>m(sFW;8QB*&WJUUnhd*eZ7J`eCXElOW)vs#m4?R-Z9
z1P+~yt4-1`euK^!jZd2njRsi1y5mv1@rhoaG&{vzJ|ELoG@bY3M<F^+c{PrXb&LiG
z_%)Z4ax+CtgmsHV{W1dB!I5n>8FQ9bK6)>2vO|R8Mquph$3}^fP6KH&$B%#EVyoVg
zL@F^}=z2;2b_*mj-(@+jcI7yGK0r6j<n8v|K(>!8D&U9#NYL8jx%3L0U)Y<>p@aE;
zfp;^t>@p-A1VYGn;E$_(;rl;mjPUoYfpl;}W~Q{K=d)^FN`4{kJ4uTuHM`$EMwt3H
ziV}CJSex%TUc5cB9yokgXdiUxVhL^TI0Bpt6dy73?*-=*gboxwl!pp<pj$ibEbJB)
zZXFpb9Cttx>;qcn@B`7(<x=debEvTR%~{p)#WuNOHGNz|M`Y|fJRk;C&)o3rJRba6
zXg~Mekxnc8OwH;aiJEPjunO=u8)BuaSN_YY)u#AZ_#IZt8OX=JkQvC48>^lM0EJbm
z$Qk33qM~dW*#$|;$U~r#$gdFggV!t6C+cu%>B%^k*EXrd@T)_=YK1zuVPr}jSIcf#
z`74{H;)OFB2!%Ff-T(1oJ2?O^=D!Q58Tch}v}zO&A4h{lYZkP6`>m8O{g8%<+1g`f
zIXp6RoY${ftm=Vjdb~!b7W1p@)S&wg`c(FykFYr_D#?;$|C20c=ZJ;?bTXqKP;Ayl
z4ioZ=q{npFugE=Xc!zTQ@OFNO<rZ3Yp4$Ab%DCcnC?0n-|6_R1P~SZB^pb-~{iByU
zXCr6q&u+G6p@bOM#$|BQDhFshz#6J_wklVhkUu2~DCE-o;i@;m2jRkGsPp|z6>Fnu
zp>mMn(+SF%Ltn3sLaRQdk(KPP1XpkOj0gLRaaJgEPEcb@cTmdM2HHYU2Zk4s7YYlr
zE0)Xe$E|Ck#|wL<_gjEObxT(IL^~oAe{0%4`yiW;j|RL-vT!IMqUk2t2?%}W*_)TW
zljYs3T<tdCBkVN=-i@@5aUZv<h@Z|x{&L!Qes59hZP-b*XD4$FIgVtGDO<oZKBrOO
zFz<=wc9UdlD{@oo#+k+p@vK;K&KwX>Znb<Rd_(Blx9R@^#ydP0l)c^?20r0i=-tT9
z4rFQebgLykg3mj75wQyPm73JVg$#;#TF-tMN|NGWf1Mgckn<!%51#R6;g)Pt4r~Sk
zihf0f%LIt@`5{A|V&@07cir_lJFVNL-v)7(=|EtCdc1=>w<ZngGi<r@RTZG|3*+#}
zM##bm2=T{3u*u?!o@c$p_vmAoA(qU0&(f+|Q#)`v(Hl1$#C#-p-@$+8s|O0vJAhxb
zeme+Sdp*~Ei!K`fv;6Q9_xaGTtuR!JMd$!pw%dQ~*KT=MDoV+jN9sy0Fe**&HE;se
zO;BvQ$g}izyO_Pyl3)t1R|FV-D)S4k{JFOB(@S?6r<*<D`DVJfaJ#gxMb?f+0Wzcs
zcf*bio+3)yrqGI?zo(#?6ONZ#osU1Ezv$K%(THP+Y^Vc})~tE#6=$P-upK{Y0>)G_
z{ve3bYX4~dAJ94`8jDP~4vQ05=*9LwKZOWju?%Bgi012^no%kq3Os};)8{=En7{(m
za>23@=^7<{QI-3Cul2_TYP?dM6fp*6@*2E1s5hcD)1{0UN!}u4!_<pxUsia(D%vQR
zIOxpxlx8#~>jSV#V6b6NnhM4p=geCw`MiqAN04g~vVMP<OZkGSgm9-;AF@uFdu-)K
z*-rD~Txq3+$UZC5>!9FJWF3vL-+_wJH|>@p+hQ4y);K3j8foLk^DS<ITu=P}Nip;3
zHi4}E70Ogh!oF*PvMlgo>XAPJtEUjc4IwawM&C2qVU?0;hzhx^KuODH=(czbX&12S
zPr0D}35t7`Xr-v&)qi8&qee__t~?D6J6B2W7ZqKC$Y8u4%0o?We4of)c-Zbws9Ncs
zE$xz!C)^qcA=S$3S({M~L43MLEuun}rp)I`MI!p!i{6){o4N?DiO?hgml_2cO1xxY
z96XAp`v#dFMy2PlByV*-WayV1zC<&1uZ$r^9W5H1m;V{B?hP3MNtC?e$&2UH>KSj>
zSZUXOl!ocZHhgsE9V0g8^s`pORo@k=s=i^^osP%24~bZUQvSD5su;dnP(5%BQt|QJ
zS=5Zb&uEfNmyNE9Z175L2q0NV#YgnU<JKu^9Ww!GNH2vl33El{1mpQsAsP9@2)7}V
zRkyNQ%&GJ-UbAJEm1}P=3TK9Msmp_+BXjldQ_0loa}=8$e(%P+J?Mf!sM-<w9UW&G
z&n>OjU6}ea@d=ZE6Y2C^m!emhIC!if&3ZCg#T&=0on(WzBkeGky{HGx(cSwMw{kmh
z64zciW#r3^x-HTJNIudKzmc$uJz(nV>&>`#;Jp}gX@wAp*j*k#OXJBe{!ZYVfoAw`
ze_vx1t;_uajuj+3whpT!Dqe(<PZi12zo9Vu8Z-a&u*T%6d%d~llXYKfJgUJrI?0XL
zmo~9sywlyQ+@e{$b`Gco<8lHnW1JgZX6!DsKTec<{fD$o8x0TbK)hR=d6O<)Vk(No
zkXO3=&=tHLXtlU@D(%Mp=D8oYl(&0Srd3buyL4QA4!&`!P*kaIt#fZxA-+JAC<`fz
zz)XC5IsE61+`&23mPO_6{VIrdK<p^1Ci<31=Wc1dntu1>D)i(&uTk0sSi?dOy)v}c
z|5yM#l%#W)&fVA(bu@A?>%jLl{xqC@Wk+-*f9fc`V)-Eo@0TN};k75W3``cy=GB|?
zyVGGiiyxJ!jZo)Xe|Sn0Qk)V}Ix*d|3H28fSWE7;htqj_4}{ez{A@qSAC`bQASrfa
z>G5#}ul@HJn9}KMCi46x>s6z4ZFG(Wdf9iDz0X642#|Sz?rCV`a4=p1LaT_?hd{<;
zeQ(3pmMXy=S7dCcmATlKsTJh9g!ge2AePPb!SJGRaWL3k2$J2{FyoL$m@k(@uS%~L
zBu!okYELuJ&|(Pa2@AE}*z@n6g#Ja3DArtUsl#K{PV=l%J$U|2;8u<j`Cq<-<`JoV
z-WiCX&TInZP4Nni4Y9L)FdG@-v9u>Ga`P5_er5IY=J5Q0)NlAwxkoP`Xjm2O5gC~%
zm4}x^zGgHW!a}#o6lcP7uz$gmVt~s%p8lQ3;Uav(lLUEyLb7z=zZd_{<_qux!r#JF
zc8pNCvMg|kx(vrGtp&P3{j1KRyq`y`ity_ouHONv;Y8KCe~G7eJ49PxOr@mr^`cC%
zfCh-AXS#@?)87W^m1}W?vsQjs|JGq##T^<!<CRGM?^%fQxY++AvX)jM)PULO9%)%Q
zJ6$_+EqP~(-8DmSxZ3p7Z1y6KN&H4TQV=By<f+65wvU<Q+P;(jxzo|Y6*~n3fync9
z&KY+@1Tan3CH){k_6aUHgfh0l%0Z%-^<Rn$>7HFEO|3W5?jv*b_?D8IK<|tHsy5$X
z4{B$6?=jD38mj;DG1nDJ?mS<o&2RWS5c##;hW;DFaUbF8!BX-ueJ{^N$1Bk5h;Q=J
zLICLpS?D{yUcS~Ht<CS(?gzwzg2=skGa49RGhjDh0qUy!G|d-C!u8354R4)ecslhU
ztk$6gRFE)9V+)8LaqVQP1}uP*CEOdwb0hd-)()spLF#tCj2VvZTZNV7>Miu7c(NlQ
zEV;o`jJE+(lC$@h{7i;2{~^}MknVj0EmLKF0(xY6k0S~P`>BYsPK09AUMk_od-lIw
z9_*F#bHykWBw!;BMQMucnqEx~oS0Vp3iyB>%Ki<YZn|xyd+;l6^%ii?uMaCsKQTtg
zC1&vU3PTv?tC#tTRBbUV9l!#+<z~s8JpsK>EQ0s**NoZzPL8yOeTR#q(x^gVdG91&
zFoZz613WqKcMc!`?-GyV`#)~(bCAhb16QBj*FM3#G0|YTcobb=f&dOLml3CJV(k62
zo2ryxcAWvmBW`SHhR`Go^=JHuS`G!}2W`tMnk6Vn@+Y<()bC=Fj*|O-9D!O2(GY4V
zn2J9X!oAy7K{k9}imeJ{EES~yx%<(RtNfzkSEQf+7tGSR|HM!3``o2l2T5pQ*1HFB
zKome9K>mh46b4}B^La?bXM)UtKV+Q#qR-<flzaO5ZHJx&ToT$-8=n?_5@Z?_7u0L9
ziUTw(pu2C1{)7>f10)Pd19EW%zfr;J?PI@>qYqIKGoO5CWydPN{Kp1;-({a{;~5nB
z)Hx^oD_n9z<*vaN1LE&gw#(Hh9V>-;yQD^^?Fw576Hl5}*dwSjumjM2Z@NQneHO>s
zDsXO3s?J9Ctg3gMkIo8_`uxxEqD(G+=i9vhL3pc$8J6^*NO(W%{K=By?I!zDEKxJl
zp$GCKR=TZ5Nh>h??Qi;Micnaf(aqfKP?`|Q(7K?ytrM#VWkF2?>uuf|`Rt4+?jv8H
zbV2w<bfa1PxBFD}39rh3tZWFHHBORN-}l1MfmVPtCb)i|hcn+7T1n`03%^MrB>%JA
zZckatmpcw`FHj)p8+P7)U6MW4w;SHig6BT<bs4{zYy714y0?-W?JH2^b&oMXEfSfJ
zq)bO5-@>}WV_tFUv;3GpaCQpF937qZ^JfT<?*r>}jQ&Sdh+`6<9e@$OvjFQ6@z@C;
zYkv<X3Z5aTbbIe;Og5~wtQPNt0-ZhNiZ;n_gS`b250YJ9F<?v?ch>^Tb!l<HJq?})
z(mA!C-BK}c>{1n}b#HlK)JuH0xMfB+&q%TNe11)Ij<Q8_`|<x&_SI2Qe&4$^(jeU>
zk^%zKHOLG~2#9o-0}?|I9RiZVAX1V73QBjE)BrMoNDd`6bT`7>;q&?aZm)IMo%R0v
zu6Oo6d!O^1eV+ZC)6hrKN@-`imA8u+YxElmjucXmcoI0084c)8G2phA43d&(o!1U;
zlnHto;D2L2@!2REL!V>TDKn`%-22+2LM!={NEnlm|DhS)8QSY>$JCX<emVrB@5C=$
zA!JnW05Y#e9y}0R_Pjro*4W_=rg+7i9vV;Sj9Z$UNGfH|E`hEy$jWm6@m&*=1Lz(%
z`FgqUTH>*@tto|8h~53DZR-5~huriUa@%^A!~nhD1<lGPfqKlYe4De9Nwh+eLk63u
z9LRoR*W1Y9Z<PmYSNspJV>TD<F#HpstgRZW$77+vAAZM+A6y5861>iy4tE^E;W~U5
zbbf#Y73Vjl?kJ<*>?JwXRnw~aUT*S3an%AwDK(34(D$8FI`LWpA5x5)2$~OAz}NWq
zR%`q9ny>{-Zy<|={w4^zp5S5`H)b*KwUQl#n|_qdU1_iaLoDkxG{Au@Pp8_8=nVZ0
zVLe_9DNR604~XOW89%`3rj(1-aU-f^kOo?qCe?Koz)8voZTeRsXP<^#-!ep?qQJu;
z*BsoY1g2D(7;SgJk~Y14qk0Rm40|0cCH%IJS*C4Rj#L-H4*W_S#1AIRPw&Ad3*!!k
z1(ArcqMozH;$tdrtso3Yy8PqElBgb-P#WmRzz|hhSZ&~t$|>jx!sR#cv%pbQHV|)%
z-c74fGK^|EruJg5{<Q_}X&?B6X{Th1N;*?o=FKQ&jF{FO##S5z8=EGjLBv<HnB=2M
zWo6^}u*+xv2<(y=kyh}o>lt7eB9H}p%vo}P^T>OtHBu014jM><c%=jnmdd|iI8!g*
z(h<T;iM>vkxfruKI*hF8#5$6NGRJ8?X^q$Hnu}&2VLnk!Wmm#<1uwj9JrTr);?Pqe
z^Y9J);`Qx4kN9hN<FH<*hY+xv-h|wLe0EmoZ0OyjejR>^+DLDaW%&{`4!Gf^<o43G
z^GrFTaf_R%zuA(2R?B=J@ki><mk*vl*e6`K3?9s&knr*Nnd#}=)<$3oCAj-vnCg13
z6NaC8_>Rxn&?_uHb$Wk96%;nek$sNSA|F6$nqnk01Q+4399*Ns9}M1XDrm-tx{}_#
z!Gu8zYX3r!KBvq)OvQ1`-r4?~C<Q0ZnwsW~%s=o*>5j*%5PY^{oGfQhZni1#F7K9j
zx&j!7Y4VK3Fkvz=I*didHL7<|D*thY=FPqMu=bagm&%xMx&t|&f5J-XPA*s-pnP}U
zSy0tY!_&%7Qc8%S^5YVdJe2nY=kXD+^^@z-;Bxz<my_##JXjU(0qa`73{|G(=neR-
z4O@P4N1bu51*$06adZI#TArDbrxWg|=7(gKCS>gVGJ&M2(xi<?vwwN%v&ja^0t)v?
z4oW|ZxB?m=&#l~*H`INom%m)Yj2E2B63hvmB~hk?UaBm5d%gM2wUTLLv#sVd(@{Mv
z$F&LxqMQp|P)^h@#psffGhdUae9XZyzanNLSGQhy^g#3t;{%#5BYH<mz}s*2cx(sx
z3G_)z8Tv3cPVSuqDNME1TBXmLxz)4SSP|CfWS?|Eo&#T?Eq>o4SCg<Q$>__X`}!Sj
z1?Siv6x%R;+zZfZ4V8p6sHwQJ9OWw@8rfx{7Ok1%hBKZ1l#>JR64D7{|I73k5Ldn2
z3PlN;dHM3$D8#2fxL(7s`^~ksP*vW`N;3ErPJXTQ4+|gaR2>o`pZ<F6bDJ1G$N>W#
zMtYFDYLqU$VNp#bKNPxK)gO^17p|05h-p*O-qxWx_<;fScO(Lppko2`%3?B2We|@~
zl3_;G>-Gt>yKgyOcK@WY;X89#r+~EbPNnGOBkcQf!&aHb7TR`D9&O?S;YudP`KFoH
z4&q8?zIUn*Mc%~|q$u08F{&p^-F+@X?Xi*7X-CnnF1KSZx8_5=4xNryDbaQ>i}%fe
zM08FtDwqM>E4fHrN2{gQ*vMj!b~oW>D_>LX^d?fXt*l?{i4T6|Z{cjg8FPNXqyzvb
zfJq1d%6k2&Aq2EsZ=87Ri)6cAnJkbdDZ4$dRoL6op$Yxn*w|Q;sC4UFY+0<1_t@{q
zPS3_>+3$|eN|J^Zm$ZT6o-Z^fJ5d9HEGp&d={LgoXbW}|T=3acKu|W-udQZ>_YX+L
z1U}d<Ofg>wu~(bc5Hyl84!?<xzhcmQx&tGPgb3%S2im6eA<w48NvqWSX^dR!7N^em
zV!1sqL}LsW6vN~bjW6^zZOC@H<2g+?(oVlE&1+_#Dj@Bp<gr#79TDCghR1#l>eTn?
zSGP6Rs-tso_5P_F#FMniVQa_VX9hMFvBPMtdy!RQW45=<agQaG#qxchJcdlEftm(U
z1qx>#CqTrw#A=p5k`2S6mH%w%?7Rb3x;fF?ovm}Cz}CdjBd>njiRq8I%=^^epmIYd
z1CIuHC)Raz<vDajRz7zwVWqIXc@?Jn7RUl~I1O=}pLC&UpamX=Dz}b`06~tign2t|
z|7ek8F0{wGxQ=Y6pMGi)6@!n_JiD7A{=c4HC7LH_Rx(vw<S_CywEo#no)tB|JmGJk
z4Li03!QK<}Jb~S(b6(t$PYvh(I`u(v;k^!dH4_!M_n!yQ-~YvtMKmF!_k$T6q$)ip
z@`odw%QxVW%H^Ie@#BZi;Q$K`h#TB$j6KHj_hjolm99rU7H?7%_kh3+iz;??g4QbO
zwGRPFa<V1UpZ#{ZS13&)NY*LUAGeN(aMIYN-MV{gEo%G`4BP+_tPrdYE~%x7=rap?
z(?{(@`Gvm;B(Y}<>=~ItbUm9xl5`WApSks|bONQ09$+b9jfXY-yjBE!%zgc=a2p&t
z|Ev%as=ppo6vo5$5iM75$s>gW#nHmF2p7$N#2#hah{PL}Cu8wQzQwm99VKV5z73&p
z%WXoW7&w||+lI<M(-|>X7eg4a)}XgMYR&I&yfaHISidPpgt;Tma74JO3`<8WN$-;>
zPz_CGwn$1B(26ZLFf;z~oT9rH(S)8Cjh%^iDtjX9XX@5~CH20?v`DO`oVuUhC?i&8
z7vXDxJQ9zNtjeMNAsLd@OB~dBWQpRBG4a$z&z0!)bukK@r&;i&k$}mxU@n^Th?3i`
zY|VFO3nwceIpL?EMyVOr5bU9rUh|f~pmXVNeWl%jOQ_fIHpe-VZPn}n=lRR$Ry8t~
zArFiWi7D)$le~g}J`>Xh_A=4420*QsEn0}s-UyAr5-+Piw_*M~OBIw9Rb4*OKHQ0S
zjPCtuuK-SiJiI?6H>h=aX2}CV4g}&9Z+?vj?;M$7nfMxuz+dGMUF1$ELQxmQOIZ_#
z-O9A|r_!^M!O-;cCON`MdrdWq#xaBb>-6#3vr00AL!#<qDeNM7=eW~)sdE%-XIdv!
zUPO4kM8n|9fT5%5YV(dL`epzyFJo|;+jGWp?Sa4vYB!t5)Sd3BovxnGNiVCf0-aPW
zM$7FE`W3b{l&E3@ewd?|UOap%47qZ@K8a)fh}sN7ZMXDO?Oi!SQHwKAM9A&13Vv=j
zXCzjLLzw$5Pj!6Mf~xQ1%z4{!a7$>w2$%d<e^}V3p(Natj#6Ay+PU`db0i>`>#+KT
ztlGkF-g%67n;|BA`rp48Hnm@+IZ!xSn<nsE+K1}(JuEzaredR%0jqF>p58i^2S|vr
zUH*8?X{k-Hhd7ikS;-zg`r7P}Td-R&?PIft2=itv8%9D+SuMi@y#r<mz(28raR)in
zD;h++wfD5Q>!nm=0R{1Vs|%UiVWnq3fnS|$!&-iNd)Jl(P~^{9+AgpyNA4utJGnes
zZ}05A{hPzA_7jf|$3D#6b#^Q9zv86jzsE`6p+?v?99eXEl;wZD=N{1#JUf30^&SRW
zF#^~UfuFyJ#>;2GlBBhfPK%i6D2%3eL~_g?B*V3W?+-;vrjrMfw%RV--cOIWe^6AN
zDJ$G9Hf;ZXAnW|e>Q@sx=-kDX!+WT+G8^pMGw>))(jqNc5_6lR$9On6sS}BXfyw>D
zm${ww;y%y>Qyl6fs(8z!q$+;4-!8*mp24^fL>F;Qt9C|%9Ow8)+ct-AaT6SN&Zj?Y
z=L@|fitdu<eJ8XtB#fz(Ec(xlpyKZ!#(bC=R<Pv0lWW>~K;g>Y`Bw8mjhS5{j6>FD
z+*E@{-iy!hV)s`Dy32L5pO=cDxL*B}Hq;rN*TH`Y?H<?(ADJ~>F`RxeZ(ltu%=PiU
zH8($Ygx4C0tIo(r1gd(2K%PF>A%2`KLAj-PNe<`FJ@^xTCM`JBRg{`D*&-&=kL4Y2
zGwpA;U7NqlC!kcFxGAP3SNrP09hVTG)Ed&0Iv-a1^qqDtu$|bT5q^wyz$TXKyi{(^
z;iIh0eMU6Jm96gGBC&^XXE};oCPL7dUHd^GBV7!IxV!Oul+2Z^2Is4a?yB;s^{k%B
zle$RxZ&U5NBDf71XahCSHl065i9#=o)2*`fOwci{Puf+UdD7)zEeroD@bbu6nyUlV
zXPf~ZMx(dGNH5#KK{E888+qqWDRSU=3+F47=ZlPXCq0bqwL@w0IVa=gh>j8`MG~2i
zL{9b>;gmJ+*x(M+cqJZzn`s|8mP>1@q*8G+NZ8)aJ&WlSwW>E~(o<ZMi7R_gp!}q#
z(v@hGRs#jrYSj;hY+wti?FephXZM`C9>uGIN@Q^x{EgY+>J7$l(bJXAM+W_K*(>w#
zDHb^F%x%e|r5ck?!RbiGg`9Ai&P8~ZpVU!sOn^tOv<+{n2wa1e1v({Zxn&+_78d~H
zpVTc+ma`YJaUed5ymye8cG;GqFp3(Q5BgJ__|K?w`&c`A>QVeco#&i>$-URBP{llT
z6J8|dhfI`ujMh>?jJ%+CoUa?2f+i|l?iOLjd>pQJ8MMA@3Ht^&r39X21`d|vQGvMu
zLofu6o%bZ&l4lQbJKHbpy1tt?LXer5Qj5yhIQgqAss{d{q?U*(bv@)?XkyywsVdu&
zb{NfZd!6f%nd-aneISS`&|cERm6r>3$hS9gSOk9)HyE9?P#68yp^|Nb?BlVDq$Q%u
zsHSuiuG93SeSw#qTm6|gOGoW|-SCvZB~EkZP{V!}DEZvNvj^3A+}XWejga9RG7pB>
zQ=D9SKrN-WxLK0!RtW7R`au2FA?CS`#$(TstE2dc<s7#uCA?*m(0Ev2xTYYObKDl;
zHYFU=7I1{rZfRK`56uk2jlLN(>p{FBthSlqVA$8{rI=<em{2yLGgE$drQ9yG0I--O
zqzs@lwD+}fb{R2R<rJ{3+qX2U0AXi9hWl<PzXdJ$cjDOHgDTYv)@6+`RXvxDWPtnq
z5(Yb}b6MIferlM{UXfm1gZ2f^Erizch)IRe`OX8{5?0-y<Sc73p!UAqwc|oEL^SAK
zg*Gm`Z1I#ivb9Z#>?N#XB**7^W!O)?iYgX&0l4ESximffd&2wQ0B>p$VL7ErnEhvY
zH0m)}Aw3ck<5W*75j(<||4aK{^Ba=~sGC?^&@qin({IakYYR^HX4i)Pvmzk(%KeD!
z)OS3Oee69M&k6?G&otCIdyT5Zf5*uKDT~4v301jxUg4E^rpL!C)78xy(p*-HTQeS!
zLy7gkS3;>k$}}#QeRf%Q;wO=t?Rp>cL~%2&JnSk__qw}lc?Dq~;heB+Cz_*P$q6&<
z@8J@bTqPAYEG#5y#N$H_kCt0q<;7;bsp87w?wb*h2Nm%FKFf;rpmPWvOSn=`_X%Hd
z@zCHkd(MZ>$yF@RY_+=;iMGX?aBINCVY*A`2!kvYE$im}|0~wxBC-X>2Ssf9KdWpj
zOAw1p=X((P#{2;RC0q<eNM*QbTKV24E57vMfGUgOWyy>1F1W|@mAT6T#gJt_|3>Z|
zq!G*E(C?Wo@JDJ_7m0flK|954+9LrE?!Rzhem~cOU^(#<ENM9+X8JQX6>ua^-?N>9
zB_AsdmQTE>C#L&z;!H>zuu@MFQBjpy#Z+46*FtN<(S&`-UrTlP({Y$()!zK4wl|Yk
zUzN30@b)op4wLX~LltZJjd-LUGntAvyWIC84(9lGdPq%pRCLM80(`5y^({#H{4_^?
z1pm-KDDlh4F8ykA_vQ>aao@91l4$UlWfHa9lYFwtUIRhrx2-}>+!kUrWrJc8@ceZz
zG?$69dC%^JyR({u^76O2n8x<Ss8V82AkOl8FWG}szeTmq*F9~QLOqVNuFkks<tob^
zS$zSJ?1U|e3u5EXue0PreiQymwRl$hXWYo<GBgXta9kz4ZhKY*7JiE98&Km?L=J%y
z3nUlfBly3?<K?o1?YnqQuoY<WP-$27SM?-%dUwby<Nx(!m;2Cb%$zlm9O|375EozE
zYkloa8}9o-tLMmm+a&;?h_eUWy9DpfI->Pa8-gR|*$IfKF-gea;fZlYxb!8`wp@fr
zMw=%I#p0=8$l;!4fz=L@ABL)x$9W40s#Q+{EQHH`o@Q0au9wTJUHm$iY0kAt3gE%k
z_~-!(SOYrm(}F#Gk6C0|p!4%m30sGSmL3r$*L_#BGRdd-bCx2OIZ(C6?S7U&Lr<F6
zo2HZiKiV#4A%4iTFc)@{;>yX}te~3)fQ0-1f*855Uy?1<YlPsqpYFxB!ySO;B|%PA
zzSoZ+!rOj?eqgTd*ahJzpI5xmf<9oj(qlc0q)Sd3$u!7bGGpy=0tVo<);*Oqqy9w|
zkUt~$W<?Et4=H-=t_Gk|a4cv!vx5F5KURdEXLA1yVrQ;yd=p;dUy9C6;NzdPesh&R
z&hP>q=m-hu>24-EjNdLZG}GSl@=|Pl)Sn4%llE9-%z?IK9GBL}x%QyNIJ<P-SBqD+
zCGOg{;SkYV7b=mys?ym1F0bZ`Ja1~wZCB-rHSO1t*rQdWTFf5!GvK*8(6;T298>u7
z9pftAk^C0a%={^)B?=nBdy~%n*IO&lF{&XbBdJK|Jsx9Y%O(IsoXSCQd<q|E85ACI
zRE=YGSh%IXR1f;qsxT^W!*4e&g5A^!{^@7_m?S2~PFr_X(D(7tGGv+K{aBK($4YZa
z4PSl?I{rAbZ|X{tlfwJ{=zv*YjX}Q_e9FoE!RtgK)AI`@+z!sqYM>U_2$PzNS<G&C
zb$n~py8NBD7+hpycjJD{->lyYneRWV_Vv&*(~7E-ge<yv2a+A7Y=1LLNDp5#(RSmA
zYH|55S0TYc1gS}|LnDhyT9}9tH65z>-3MKgp_7wjVY_TFj}y2?=$p@`c?#+t<XX}2
zJo(R)MVJh+pCqa|sSDPPM8W6(CpR@z%Op=s{O?}sxT?l^U&Dt{z6uZQQi$n^l6h_+
zGCZC%{bWDAp+oh@eN9n_VZC|_cGEq*%a8yRlarxt@1bSbtj#z4=Ne45TBWtm1ZZ5;
zCj^KLc#KFQXfzA3UGgKWdL#&RA}CTZw<Yj&^%L5_zH)kmm!;yx#vEOAc2j=R5$(~*
zQ&b->G%&S@Jh}Lzl#FRA$`Y?(FFKzKm=bB4fp$#(ls%rVnJQJ#c<hYuK0jNL2Wfly
zC2($!sQb%(Q20|nM2-6X)sI%p6J0zK<UKCO?0rI_TSVc1O*WIjc0aNCMlakmSEXYG
zu!M?q?2~=*lnf=phlT1bE?og`s(T5I5x#<w<6ZNdmXUusmHw&mjl9j5AZ3DL?l!XX
zC5>Q(db>?3XWV?(GXwrFj(r_!`ZD^+t9zfSO=8)cuXVG{A{QJi0dYM3Y^n)WAwJhP
zHur>|0^%q*lF|H~kOHUg@Z(pT*H;ro^r4Hmi%;Eag$Yu1=(-W872n!|SJ@j=B3~Q?
zAvc31F9Nj33Mm{4G`F_Kd@Ln5H)w&1z0ML99kSANQ1W2cu@QYX59IlrWR|2cu36$&
zh^tD$m`ENWNMv2i2XQ9*>QWmNp2s`Nd@fS3eY;x^K1s6tv|d(h<43)M@8HD-Vy?(s
z@UJ!TVJPR!arGZ^x!GqSe+~ZJptEs%D`UedS9}~yG+dz+Aw(ZnaQ%;C`mQKG{%(-{
z2!DV4^7~UISGA56fs;_=`vv&-Rl(N}tE-h4AUvl(^gg{tG;s44y)j)3vv}PeM}W1c
zhAlLeUwjA!O<gZ8r6bP*nlh=(7UKkt<n^!G&4Om5zapjbX-{(T*aYFYwTlV<n>pX9
zZ?3-3xYQj6ujv=H6*>GOtkr$!eafI}Dfw+f|9K)$!Y*)q*bxrcr<1^;*nIUY;L(8u
zlX6z%0$g}-?wA16N(IpMn`%V2Eh=xteaQ%m7byH?777|u9Ni}F18J9MF1Wx2YKR+4
zm)r6hR_*uDBqaOKH!ob4K3Rp3$G&BGnQv<zq`qaE(0nTWu;{5kc6wA&@`^cpWG!JM
zFgtMfvmCA8i{-y^UbY8cxZX7!GN-}6%}!DjY_hYro>57>_vUBnnX}|h%rQ(_qh5^;
z6m$#5^~(_mvMg8JRl)75;07;Ai}}%d*e8E)Y4RVZ)8DpyF6Z<KB=YHONb6W4-d~g0
z-}r5g3hNX2(;FTu!7FuJsx7y)-7PD8EG+zi=c<5Ldiz7XBeJV4HIe0!)`sgj3LAo<
zutkhWo#B|*a6o)L+?TF-*U7boD8of>YW)|f8iMsCHN;k9vn@^&WmwSA^?fdUfrDPp
zVn9zeArI8hmz^0E_(a8qRqyvi(fg}O0|mq;Or5v)b=s}cnAh`X*?~6%3LNyXU?T;J
zKwK@yuSfF+nTUaJ<CAKm^s(14_U;!;PMt#=Lp{yT0L#vwY6&ftDwf?W+Um1C+M`o1
zM)dZrQ3EMj-}lzHv`k->g?!m9ea_V8Fe@T8Jnp-xdo}mzpa-GD4zSc>0e*EDH60fj
ztsPLb3)|%7Zs@ponZ*Ja7m%V~^%Q4X4HT7@B)MezOOLO&bGoz``m?r(n*<b9?RWO-
z6K5OCz}D9W7GIVO-v*vl)L9X?Qd0K@r}6Se>aW9_;sTinA%<M7Ir=Rl!`zSLunGu2
zfo`IP*RwClA3X0@|Ni3jtziE-yf%oTQ7&m+%#Jk(_rh^G@cAd6wUlJNqOuSytr!>Y
z>tplgD*eJY*Xd!iy;Nya(|!#-j8b3UuwksVvAZ-<lkuL_{l`>R@D`0e(&o8biHVd3
zYnaBM5HMTJaXUvg$hgsRt;wE+_iq}t)T(g2G&UKmzCfhKC;!LI>yAvO!kGtchk4%;
z`rJg<+IP}>=E8+)d0&@{#{)#Ea!mD7T{^eDP^B6NC7c0}t7}-Do&Sj3r!O-S|Gso#
z8=e<4EMd3VOrNr*e<LClA0~G9+6R32Uv$ZjZKVkL)sUd9U(VcZhgJd`(lb?n(H^kW
z8&jxgZ^!Io(r(fJ$5RmMMixt=V^x>3A^7>Gt4V7^yeXxVe!l60ub`HFIYGH9Ha&XH
zE|Bz*+ZhuviwsFwp$y?gX3M@@XVGTg!>b6nddf1zZChl7Uq-kAw*q|H$XZ4*Ve;ig
zaWcE`z6J1%V=ymw?_2BXAjDLb>76x0pN>2ARqG_0^$T<IJ?M^++byMuM=(rmKXwnD
zD5u1XzjZ9wAKaUL?%w^^k3G{dQUf_OlLU84N6^L`-&~L$JTyU|wLpZurCb4&_ONk<
zl!o6`^<EMfL*qZM08gwkBj39E=oEsr35_ifs$;ow@#e1WE*a>jB~-cbZ0l;FkS0%L
zXh#b=1OyEgr7(Ue>qUQfjT>7fMvw0zA6v@L$!gb@o;k+f`+}x>J&3PfH)_m1OWmF#
zpVXtd=qOcoGBp8X$GgW87g*oHxJ94&ll}IlcQ$5s9WbrjySbl|=3lM5N-#9i1KSkn
zjk%P&XhrZ-^Bo$m!^G#%hItp7A>LEv%HuZ7bGMul%CX@i3Ro=gjgQOn(0$z{PUucD
zpTSGonQ*@F`}2B!afx+b3NT-@CM64|tYs^sVG&MbtuVMsMf&G{pcbpn95ll<qX;C|
zqP?LsR?Y#8%R&k^4mET{+cLxII@7}BaAj(eAY)rgMgmLVm=LX4JsgDvAEfk&YRnGc
zBOnGdG`;<^zsBwY<sAW<vW?8x)L=}GI6(i?pc#q$`>e<j6^iA!xu$N1*gis^0K5z8
zYVu*MJ&M&G;5cYp$L_>5l+bClh&~{xMilPIyu|)wl{BAp_E*~@Rx(WZ**YAg=0U?Q
zJ108V9u2q(c(PtqJCamRvm$A;*s+DN&p1OqWy3Ak?3ZSin#(q}tAL#{ogRHJBEL-I
z$rH<GHMt5N*e;nYmB8H_5z4ld_Bw{=AG0L?Gu~aMZ-v!fG^FKqsWMBXG_m=T8waH3
zMIEq*AIpV8H?F>1NPxIx8Va5@rhVr4%*?Pm^ugw#8}7m7+dx->JpxG_c95R-HSt~?
zqblR?F$LhiA^PrdPgXPmCu{S#%iTa*Gw8j&hT+@$@2UKs`DB}ZspQi26Luc}F~`FE
No&#T~maAC3{cqoB5kmj~

literal 0
HcmV?d00001


From 4f95b818881eab4521a1d3e171dbf93966e61cac Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Mon, 21 Mar 2022 21:41:50 +0000
Subject: [PATCH 07/15] Add new ARM section Installing BIND 9

(cherry picked from commit 63e12b511f7cb5e8250bb9cf507e899341cfc4aa)
---
 doc/arm/platforms.inc.rst | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/doc/arm/platforms.inc.rst b/doc/arm/platforms.inc.rst
index ef2eea4938..ea888572c6 100644
--- a/doc/arm/platforms.inc.rst
+++ b/doc/arm/platforms.inc.rst
@@ -14,7 +14,7 @@
 Supported Platforms
 -------------------
 
-Current support status of various platforms and BIND 9 versions can be
+The current support status of BIND 9 versions across various platforms can be
 found in the ISC Knowledgebase:
 
 https://kb.isc.org/docs/supported-platforms
@@ -27,22 +27,22 @@ the :ref:`required libraries <build_dependencies>`.
 The following C11 features are used in BIND 9:
 
 -  Atomic operations support, either in the form of C11 atomics or
-   ``__atomic`` builtin operations.
+   **__atomic** builtin operations.
 
 -  Thread Local Storage support, either in the form of C11
-   ``_Thread_local``/``thread_local``, or the ``__thread`` GCC
+   **_Thread_local**/**thread_local**, or the **__thread** GCC
    extension.
 
 The C11 variants are preferred.
 
 ISC regularly tests BIND on many operating systems and architectures,
 but lacks the resources to test all of them. Consequently, ISC is only
-able to offer support on a “best effort” basis for some.
+able to offer support on a “best-effort” basis for some.
 
-Regularly tested platforms
+Regularly Tested Platforms
 ~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-As of Jan 2022, BIND 9.18 is fully supported and regularly tested on the
+As of April 2022, current versions of BIND 9 are fully supported and regularly tested on the
 following systems:
 
 -  Debian 9, 10, 11
@@ -53,10 +53,10 @@ following systems:
 -  OpenBSD 7.0
 -  Alpine Linux 3.15
 
-The amd64, i386, armhf and arm64 CPU architectures are all fully
+The amd64, i386, armhf, and arm64 CPU architectures are all fully
 supported.
 
-Best effort
+Best-Effort
 ~~~~~~~~~~~
 
 The following are platforms on which BIND is known to build and run. ISC
@@ -77,11 +77,11 @@ regularly by ISC.
 -  OpenWRT/LEDE 17.01+
 -  Other CPU architectures (mips, mipsel, sparc, …)
 
-Community maintained
+Community-Maintained
 ~~~~~~~~~~~~~~~~~~~~
 
 These systems may not all have the required dependencies for building
-BIND easily available, although it will be possible in many cases to
+BIND easily available, although it is possible in many cases to
 compile those directly from source. The community and interested parties
 may wish to help with maintenance, and we welcome patch contributions,
 although we cannot guarantee that we will accept them. All contributions
@@ -98,13 +98,22 @@ supported platforms.
 Unsupported Platforms
 ---------------------
 
-These are platforms on which BIND 9.18 is known *not* to build or run:
+These are platforms on which current versions of BIND 9 are known *not* to build or run:
 
 -  Platforms without at least OpenSSL 1.0.2
 -  Windows
 -  Solaris 10 and older
--  Platforms that don’t support IPv6 Advanced Socket API (RFC 3542)
--  Platforms that don’t support atomic operations (via compiler or
+-  Platforms that do not support IPv6 Advanced Socket API (RFC 3542)
+-  Platforms that do not support atomic operations (via compiler or
    library)
 -  Linux without NPTL (Native POSIX Thread Library)
--  Platforms on which ``libuv`` cannot be compiled
+-  Platforms on which **libuv** cannot be compiled
+
+Installing BIND 9
+-----------------
+
+:ref:`build_bind` contains complete instructions for how to build BIND 9.
+
+The ISC `Knowledgebase <https://kb.isc.org/>`_ contains many useful articles about installing
+BIND 9 on specific platforms.
+

From 8e49e918db1180b523e7020f8583af8a9de26353 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Mon, 21 Mar 2022 22:13:29 +0000
Subject: [PATCH 08/15] Split Configuration chapter in the ARM into chapters 3
 and 4

(cherry picked from commit cd1c230ff6a8dffff08ef39b2a211c2bca516bed)
---
 doc/arm/Makefile.am                           |   5 +-
 doc/arm/chapter3.rst                          |  12 ++
 doc/arm/chapter4.rst                          |  13 ++
 doc/arm/configuration.inc.rst                 | 128 ++++++++++++++++++
 .../{configuration.rst => dns-ops.inc.rst}    | 120 +---------------
 doc/arm/index.rst                             |   3 +-
 doc/arm/plugins.inc.rst                       |   2 +-
 7 files changed, 162 insertions(+), 121 deletions(-)
 create mode 100644 doc/arm/chapter3.rst
 create mode 100644 doc/arm/chapter4.rst
 create mode 100644 doc/arm/configuration.inc.rst
 rename doc/arm/{configuration.rst => dns-ops.inc.rst} (68%)

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index 52bc19b9fb..2b97c8ed7e 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -8,9 +8,12 @@ EXTRA_DIST =					\
 	chapter10.rst				\
 	chapter1.rst				\
 	chapter2.rst				\
-	configuration.rst			\
+	chapter3.rst				\
+	chapter4.rst				\
+	configuration.inc.rst			\
 	conf.py					\
 	dlz.inc.rst				\
+	dns-ops.inc.rst				\
 	dnssec-guide.rst			\
 	dnssec.inc.rst				\
 	dns-security-overview.dia		\
diff --git a/doc/arm/chapter3.rst b/doc/arm/chapter3.rst
new file mode 100644
index 0000000000..9a51e7e77a
--- /dev/null
+++ b/doc/arm/chapter3.rst
@@ -0,0 +1,12 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: configuration.inc.rst
\ No newline at end of file
diff --git a/doc/arm/chapter4.rst b/doc/arm/chapter4.rst
new file mode 100644
index 0000000000..305a27517d
--- /dev/null
+++ b/doc/arm/chapter4.rst
@@ -0,0 +1,13 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: dns-ops.inc.rst
+.. include:: plugins.inc.rst
\ No newline at end of file
diff --git a/doc/arm/configuration.inc.rst b/doc/arm/configuration.inc.rst
new file mode 100644
index 0000000000..2c6684737a
--- /dev/null
+++ b/doc/arm/configuration.inc.rst
@@ -0,0 +1,128 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _configuration:
+
+Configurations and Zone Files
+=============================
+
+In this chapter we provide some suggested configurations, along with
+guidelines for their use. We suggest reasonable values for certain
+option settings.
+
+.. _sample_configuration:
+
+Sample Configurations
+---------------------
+
+.. _cache_only_sample:
+
+A Caching-only Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following sample configuration is appropriate for a caching-only
+name server for use by clients internal to a corporation. All queries
+from outside clients are refused using the ``allow-query`` option.
+The same effect can be achieved using suitable firewall
+rules.
+
+::
+
+   // Two corporate subnets we wish to allow queries from.
+   acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
+   options {
+        allow-query { corpnets; };
+   };
+   // Provide a reverse mapping for the loopback
+   // address 127.0.0.1
+   zone "0.0.127.in-addr.arpa" {
+        type primary;
+        file "localhost.rev";
+        notify no;
+   };
+
+.. _auth_only_sample:
+
+An Authoritative-only Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This sample configuration is for an authoritative-only server that is
+the primary server for ``example.com`` and a secondary server for the subdomain
+``eng.example.com``.
+
+::
+
+   options {
+        // Do not allow access to cache
+        allow-query-cache { none; };
+        // This is the default
+        allow-query { any; };
+        // Do not provide recursive service
+        recursion no;
+   };
+
+   // Provide a reverse mapping for the loopback
+   // address 127.0.0.1
+   zone "0.0.127.in-addr.arpa" {
+        type primary;
+        file "localhost.rev";
+        notify no;
+   };
+   // We are the primary server for example.com
+   zone "example.com" {
+        type primary;
+        file "example.com.db";
+        // IP addresses of secondary servers allowed to
+        // transfer example.com
+        allow-transfer {
+         192.168.4.14;
+         192.168.5.53;
+        };
+   };
+   // We are a secondary server for eng.example.com
+   zone "eng.example.com" {
+        type secondary;
+        file "eng.example.com.bk";
+        // IP address of eng.example.com primary server
+        primaries { 192.168.4.12; };
+   };
+
+.. _load_balancing:
+
+Load Balancing
+--------------
+
+A primitive form of load balancing can be achieved in the DNS by using
+multiple records (such as multiple A records) for one name.
+
+For example, assuming three HTTP servers with network addresses of
+10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
+means that clients will connect to each machine one-third of the time:
+
++-----------+------+----------+----------+----------------------------+
+| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
++-----------+------+----------+----------+----------------------------+
+| www       | 600  |   IN     |   A      |   10.0.0.1                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.2                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.3                 |
++-----------+------+----------+----------+----------------------------+
+
+When a resolver queries for these records, BIND rotates them and
+responds to the query with the records in a different order. In the
+example above, clients randomly receive records in the order 1, 2,
+3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
+and discard the rest.
+
+For more detail on ordering responses, check the ``rrset-order``
+sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.
+
diff --git a/doc/arm/configuration.rst b/doc/arm/dns-ops.inc.rst
similarity index 68%
rename from doc/arm/configuration.rst
rename to doc/arm/dns-ops.inc.rst
index 807891c5a3..8bffba9bfe 100644
--- a/doc/arm/configuration.rst
+++ b/doc/arm/dns-ops.inc.rst
@@ -9,123 +9,6 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. Configuration:
-
-Name Server Configuration
-=========================
-
-In this chapter we provide some suggested configurations, along with
-guidelines for their use. We suggest reasonable values for certain
-option settings.
-
-.. _sample_configuration:
-
-Sample Configurations
----------------------
-
-.. _cache_only_sample:
-
-A Caching-only Name Server
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the ``allow-query`` option.
-The same effect can be achieved using suitable firewall
-rules.
-
-::
-
-   // Two corporate subnets we wish to allow queries from.
-   acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-   options {
-        allow-query { corpnets; };
-   };
-   // Provide a reverse mapping for the loopback
-   // address 127.0.0.1
-   zone "0.0.127.in-addr.arpa" {
-        type primary;
-        file "localhost.rev";
-        notify no;
-   };
-
-.. _auth_only_sample:
-
-An Authoritative-only Name Server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This sample configuration is for an authoritative-only server that is
-the primary server for ``example.com`` and a secondary server for the subdomain
-``eng.example.com``.
-
-::
-
-   options {
-        // Do not allow access to cache
-        allow-query-cache { none; };
-        // This is the default
-        allow-query { any; };
-        // Do not provide recursive service
-        recursion no;
-   };
-
-   // Provide a reverse mapping for the loopback
-   // address 127.0.0.1
-   zone "0.0.127.in-addr.arpa" {
-        type primary;
-        file "localhost.rev";
-        notify no;
-   };
-   // We are the primary server for example.com
-   zone "example.com" {
-        type primary;
-        file "example.com.db";
-        // IP addresses of secondary servers allowed to
-        // transfer example.com
-        allow-transfer {
-         192.168.4.14;
-         192.168.5.53;
-        };
-   };
-   // We are a secondary server for eng.example.com
-   zone "eng.example.com" {
-        type secondary;
-        file "eng.example.com.bk";
-        // IP address of eng.example.com primary server
-        primaries { 192.168.4.12; };
-   };
-
-.. _load_balancing:
-
-Load Balancing
---------------
-
-A primitive form of load balancing can be achieved in the DNS by using
-multiple records (such as multiple A records) for one name.
-
-For example, assuming three HTTP servers with network addresses of
-10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
-means that clients will connect to each machine one-third of the time:
-
-+-----------+------+----------+----------+----------------------------+
-| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
-+-----------+------+----------+----------+----------------------------+
-| www       | 600  |   IN     |   A      |   10.0.0.1                 |
-+-----------+------+----------+----------+----------------------------+
-|           | 600  |   IN     |   A      |   10.0.0.2                 |
-+-----------+------+----------+----------+----------------------------+
-|           | 600  |   IN     |   A      |   10.0.0.3                 |
-+-----------+------+----------+----------+----------------------------+
-
-When a resolver queries for these records, BIND rotates them and
-responds to the query with the records in a different order. In the
-example above, clients randomly receive records in the order 1, 2,
-3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
-and discard the rest.
-
-For more detail on ordering responses, check the ``rrset-order``
-sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.
-
 .. _ns_operations:
 
 Name Server Operations
@@ -206,6 +89,8 @@ server.
    For more information and a list of available commands and options,
    see :ref:`man_named-compilezone`.
 
+.. _ops_rndc:
+
 :iscman:`rndc`
    The remote name daemon control (:iscman:`rndc`) program allows the system
    administrator to control the operation of a name server.
@@ -312,4 +197,3 @@ described in the following table. These signals can be sent using the
 | ``SIGINT``   | Causes the server to clean up and exit.                     |
 +--------------+-------------------------------------------------------------+
 
-.. include:: plugins.inc.rst
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
index 771e8405c7..684a20e9fe 100644
--- a/doc/arm/index.rst
+++ b/doc/arm/index.rst
@@ -19,7 +19,8 @@ BIND 9 Administrator Reference Manual
 
    chapter1
    chapter2
-   configuration
+   chapter3
+   chapter4
    reference
    advanced
    security
diff --git a/doc/arm/plugins.inc.rst b/doc/arm/plugins.inc.rst
index 09b79439e6..86a6bdbba1 100644
--- a/doc/arm/plugins.inc.rst
+++ b/doc/arm/plugins.inc.rst
@@ -12,7 +12,7 @@
 .. _module-info:
 
 Plugins
--------
+~~~~~~~
 
 Plugins are a mechanism to extend the functionality of :iscman:`named` using
 dynamically loadable libraries. By using plugins, core server

From 820cdffbc66bf9b8fc8461090e32e7bd539eb1b0 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Tue, 22 Mar 2022 00:38:26 +0000
Subject: [PATCH 09/15] Split chapter Advanced DNS Features in the ARM into
 chapters 5, 6, 7

(cherry picked from commit 25eb91d23c5a2056f36902c90dfe8ca69f6a9400)
---
 doc/arm/Makefile.am                        |  10 +-
 doc/arm/advanced.inc.rst                   | 401 ++++++++++
 doc/arm/advanced.rst                       | 842 ---------------------
 doc/arm/chapter5.rst                       |  15 +
 doc/arm/chapter6.rst                       |  15 +
 doc/arm/chapter7.rst                       |  14 +
 doc/arm/dnssec.inc.rst                     | 242 +++++-
 doc/arm/index.rst                          |   5 +-
 doc/arm/managed-keys.inc.rst               |   6 +-
 doc/arm/pkcs11.inc.rst                     |  14 +-
 doc/arm/{security.rst => security.inc.rst} |  14 +-
 doc/arm/sig0.inc.rst                       |  28 +
 doc/arm/tkey.inc.rst                       |  40 +
 doc/arm/tsig.inc.rst                       | 165 ++++
 14 files changed, 936 insertions(+), 875 deletions(-)
 create mode 100644 doc/arm/advanced.inc.rst
 delete mode 100644 doc/arm/advanced.rst
 create mode 100644 doc/arm/chapter5.rst
 create mode 100644 doc/arm/chapter6.rst
 create mode 100644 doc/arm/chapter7.rst
 rename doc/arm/{security.rst => security.inc.rst} (98%)
 create mode 100644 doc/arm/sig0.inc.rst
 create mode 100644 doc/arm/tkey.inc.rst
 create mode 100644 doc/arm/tsig.inc.rst

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index 2b97c8ed7e..fa09192a31 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -2,7 +2,7 @@ include $(top_srcdir)/Makefile.top
 include $(top_srcdir)/Makefile.docs
 
 EXTRA_DIST =					\
-	advanced.rst				\
+	advanced.inc.rst			\
 	build.inc.rst				\
 	catz.inc.rst				\
 	chapter10.rst				\
@@ -10,6 +10,9 @@ EXTRA_DIST =					\
 	chapter2.rst				\
 	chapter3.rst				\
 	chapter4.rst				\
+	chapter5.rst				\
+	chapter6.rst				\
+	chapter7.rst				\
 	configuration.inc.rst			\
 	conf.py					\
 	dlz.inc.rst				\
@@ -44,8 +47,11 @@ EXTRA_DIST =					\
 	reference.rst				\
 	requirements.inc.rst			\
 	requirements.txt			\
-	security.rst				\
+	security.inc.rst			\
+	sig0.inc.rst				\
+	tkey.inc.rst				\
 	troubleshooting.rst			\
+	tsig.inc.rst				\
 	../dnssec-guide				\
 	../misc/acl.grammar.rst			\
 	../misc/controls.grammar.rst		\
diff --git a/doc/arm/advanced.inc.rst b/doc/arm/advanced.inc.rst
new file mode 100644
index 0000000000..0be6df020d
--- /dev/null
+++ b/doc/arm/advanced.inc.rst
@@ -0,0 +1,401 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _advanced:
+
+Advanced Configurations
+=======================
+
+.. _dynamic_update:
+
+Dynamic Update
+--------------
+
+Dynamic update is a method for adding, replacing, or deleting records in
+a primary server by sending it a special form of DNS messages. The format
+and meaning of these messages is specified in :rfc:`2136`.
+
+Dynamic update is enabled by including an ``allow-update`` or an
+``update-policy`` clause in the ``zone`` statement.
+
+If the zone's ``update-policy`` is set to ``local``, updates to the zone
+are permitted for the key ``local-ddns``, which is generated by
+:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
+
+Dynamic updates using Kerberos-signed requests can be made using the
+TKEY/GSS protocol, either by setting the ``tkey-gssapi-keytab`` option
+or by setting both the ``tkey-gssapi-credential`` and
+``tkey-domain`` options. Once enabled, Kerberos-signed requests are
+matched against the update policies for the zone, using the Kerberos
+principal as the signer for the request.
+
+Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
+NSEC, and NSEC3 records affected by updates are automatically regenerated
+by the server using an online zone key. Update authorization is based on
+transaction signatures and an explicit server policy.
+
+.. _journal:
+
+The Journal File
+~~~~~~~~~~~~~~~~
+
+All changes made to a zone using dynamic update are stored in the zone's
+journal file. This file is automatically created by the server when the
+first dynamic update takes place. The name of the journal file is formed
+by appending the extension ``.jnl`` to the name of the corresponding
+zone file unless specifically overridden. The journal file is in a
+binary format and should not be edited manually.
+
+The server also occasionally writes ("dumps") the complete contents
+of the updated zone to its zone file. This is not done immediately after
+each dynamic update because that would be too slow when a large zone is
+updated frequently. Instead, the dump is delayed by up to 15 minutes,
+allowing additional updates to take place. During the dump process,
+transient files are created with the extensions ``.jnw`` and
+``.jbk``; under ordinary circumstances, these are removed when the
+dump is complete, and can be safely ignored.
+
+When a server is restarted after a shutdown or crash, it replays the
+journal file to incorporate into the zone any updates that took place
+after the last zone dump.
+
+Changes that result from incoming incremental zone transfers are also
+journaled in a similar way.
+
+The zone files of dynamic zones cannot normally be edited by hand
+because they are not guaranteed to contain the most recent dynamic
+changes; those are only in the journal file. The only way to ensure
+that the zone file of a dynamic zone is up-to-date is to run
+:option:`rndc stop`.
+
+To make changes to a dynamic zone manually, follow these steps:
+first, disable dynamic updates to the zone using
+:option:`rndc freeze zone <rndc freeze>`. This updates the zone file with the
+changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run
+:option:`rndc thaw zone <rndc thaw>` to reload the changed zone and re-enable dynamic
+updates.
+
+:option:`rndc sync zone <rndc sync>` updates the zone file with changes from the
+journal file without stopping dynamic updates; this may be useful for
+viewing the current zone state. To remove the ``.jnl`` file after
+updating the zone file, use :option:`rndc sync -clean <rndc sync>`.
+
+.. _incremental_zone_transfers:
+
+Incremental Zone Transfers (IXFR)
+---------------------------------
+
+The incremental zone transfer (IXFR) protocol is a way for secondary servers
+to transfer only changed data, instead of having to transfer an entire
+zone. The IXFR protocol is specified in :rfc:`1995`.
+
+When acting as a primary server, BIND 9 supports IXFR for those zones where the
+necessary change history information is available. These include primary
+zones maintained by dynamic update and secondary zones whose data was
+obtained by IXFR. For manually maintained primary zones, and for secondary
+zones obtained by performing a full zone transfer (AXFR), IXFR is
+supported only if the option ``ixfr-from-differences`` is set to
+``yes``.
+
+When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
+explicitly disabled. For more information about disabling IXFR, see the
+description of the ``request-ixfr`` clause of the ``server`` statement.
+
+When a secondary server receives a zone via AXFR, it creates a new copy of the
+zone database and then swaps it into place; during the loading process, queries
+continue to be served from the old database with no interference. When receiving
+a zone via IXFR, however, changes are applied to the running zone, which may
+degrade query performance during the transfer. If a server receiving an IXFR
+request determines that the response size would be similar in size to an AXFR
+response, it may wish to send AXFR instead. The threshold at which this
+determination is made can be configured using the
+``max-ixfr-ratio`` option.
+
+.. _split_dns:
+
+Split DNS
+---------
+
+Setting up different views of the DNS space to internal
+and external resolvers is usually referred to as a *split DNS* setup.
+There are several reasons an organization might want to set up its DNS
+this way.
+
+One common reason to use split DNS is to hide
+"internal" DNS information from "external" clients on the Internet.
+There is some debate as to whether this is actually useful.
+Internal DNS information leaks out in many ways (via email headers, for
+example) and most savvy "attackers" can find the information they need
+using other means. However, since listing addresses of internal servers
+that external clients cannot possibly reach can result in connection
+delays and other annoyances, an organization may choose to use split
+DNS to present a consistent view of itself to the outside world.
+
+Another common reason for setting up a split DNS system is to allow
+internal networks that are behind filters or in :rfc:`1918` space (reserved
+IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet.
+Split DNS can also be used to allow mail from outside back into the
+internal network.
+
+.. _split_dns_sample:
+
+Example Split DNS Setup
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Let's say a company named *Example, Inc.* (``example.com``) has several
+corporate sites that have an internal network with reserved Internet
+Protocol (IP) space and an external demilitarized zone (DMZ), or
+"outside" section of a network, that is available to the public.
+
+Example, Inc. wants its internal clients to be able to resolve
+external hostnames and to exchange mail with people on the outside. The
+company also wants its internal resolvers to have access to certain
+internal-only zones that are not available at all outside of the
+internal network.
+
+To accomplish this, the company sets up two sets of name
+servers. One set is on the inside network (in the reserved IP
+space) and the other set is on bastion hosts, which are "proxy"
+hosts in the DMZ that can talk to both sides of its network.
+
+The internal servers are configured to forward all queries, except
+queries for ``site1.internal``, ``site2.internal``,
+``site1.example.com``, and ``site2.example.com``, to the servers in the
+DMZ. These internal servers have complete sets of information for
+``site1.example.com``, ``site2.example.com``, ``site1.internal``, and
+``site2.internal``.
+
+To protect the ``site1.internal`` and ``site2.internal`` domains, the
+internal name servers must be configured to disallow all queries to
+these domains from any external hosts, including the bastion hosts.
+
+The external servers, which are on the bastion hosts, are configured
+to serve the "public" version of the ``site1.example.com`` and ``site2.example.com``
+zones. This could include things such as the host records for public
+servers (``www.example.com`` and ``ftp.example.com``) and mail exchange
+(MX) records (``a.mx.example.com`` and ``b.mx.example.com``).
+
+In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should
+have special MX records that contain wildcard (``*``) records pointing to
+the bastion hosts. This is needed because external mail servers
+have no other way of determining how to deliver mail to those internal
+hosts. With the wildcard records, the mail is delivered to the
+bastion host, which can then forward it on to internal hosts.
+
+Here's an example of a wildcard MX record:
+
+::
+
+   *   IN MX 10 external1.example.com.
+
+Now that they accept mail on behalf of anything in the internal network,
+the bastion hosts need to know how to deliver mail to internal
+hosts. The resolvers on the bastion
+hosts need to be configured to point to the internal name servers
+for DNS resolution.
+
+Queries for internal hostnames are answered by the internal servers,
+and queries for external hostnames are forwarded back out to the DNS
+servers on the bastion hosts.
+
+For all of this to work properly, internal clients need to be
+configured to query *only* the internal name servers for DNS queries.
+This could also be enforced via selective filtering on the network.
+
+If everything has been set properly, Example, Inc.'s internal clients
+are now able to:
+
+-  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+-  Look up any hostnames in the ``site1.internal`` and
+   ``site2.internal`` domains.
+
+-  Look up any hostnames on the Internet.
+
+-  Exchange mail with both internal and external users.
+
+Hosts on the Internet are able to:
+
+-  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+-  Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com``
+   zones.
+
+Here is an example configuration for the setup just described above.
+Note that this is only configuration information; for information on how
+to configure the zone files, see :ref:`sample_configuration`.
+
+Internal DNS server config:
+
+::
+
+
+   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+   acl externals { bastion-ips-go-here; };
+
+   options {
+       ...
+       ...
+       forward only;
+       // forward to external servers
+       forwarders {
+       bastion-ips-go-here;
+       };
+       // sample allow-transfer (no one)
+       allow-transfer { none; };
+       // restrict query access
+       allow-query { internals; externals; };
+       // restrict recursion
+       allow-recursion { internals; };
+       ...
+       ...
+   };
+
+   // sample primary zone
+   zone "site1.example.com" {
+     type primary;
+     file "m/site1.example.com";
+     // do normal iterative resolution (do not forward)
+     forwarders { };
+     allow-query { internals; externals; };
+     allow-transfer { internals; };
+   };
+
+   // sample secondary zone
+   zone "site2.example.com" {
+     type secondary;
+     file "s/site2.example.com";
+     primaries { 172.16.72.3; };
+     forwarders { };
+     allow-query { internals; externals; };
+     allow-transfer { internals; };
+   };
+
+   zone "site1.internal" {
+     type primary;
+     file "m/site1.internal";
+     forwarders { };
+     allow-query { internals; };
+     allow-transfer { internals; }
+   };
+
+   zone "site2.internal" {
+     type secondary;
+     file "s/site2.internal";
+     primaries { 172.16.72.3; };
+     forwarders { };
+     allow-query { internals };
+     allow-transfer { internals; }
+   };
+
+External (bastion host) DNS server configuration:
+
+::
+
+   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
+
+   acl externals { bastion-ips-go-here; };
+
+   options {
+     ...
+     ...
+     // sample allow-transfer (no one)
+     allow-transfer { none; };
+     // default query access
+     allow-query { any; };
+     // restrict cache access
+     allow-query-cache { internals; externals; };
+     // restrict recursion
+     allow-recursion { internals; externals; };
+     ...
+     ...
+   };
+
+   // sample secondary zone
+   zone "site1.example.com" {
+     type primary;
+     file "m/site1.foo.com";
+     allow-transfer { internals; externals; };
+   };
+
+   zone "site2.example.com" {
+     type secondary;
+     file "s/site2.foo.com";
+     primaries { another_bastion_host_maybe; };
+     allow-transfer { internals; externals; }
+   };
+
+In the ``resolv.conf`` (or equivalent) on the bastion host(s):
+
+::
+
+   search ...
+   nameserver 172.16.72.2
+   nameserver 172.16.72.3
+   nameserver 172.16.72.4
+
+.. _ipv6:
+
+IPv6 Support in BIND 9
+----------------------
+
+BIND 9 fully supports all currently defined forms of IPv6 name-to-address
+and address-to-name lookups. It also uses IPv6 addresses to
+make queries when running on an IPv6-capable system.
+
+For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363`
+deprecated the use of A6 records, and client-side support for A6 records
+was accordingly removed from BIND 9. However, authoritative BIND 9 name
+servers still load zone files containing A6 records correctly, answer
+queries for A6 records, and accept zone transfer for a zone containing
+A6 records.
+
+For IPv6 reverse lookups, BIND 9 supports the traditional "nibble"
+format used in the ``ip6.arpa`` domain, as well as the older, deprecated
+``ip6.int`` domain. Older versions of BIND 9 supported the "binary label"
+(also known as "bitstring") format, but support of binary labels has
+been completely removed per :rfc:`3363`. Many applications in BIND 9 do not
+understand the binary label format at all anymore, and return an
+error if one is given. In particular, an authoritative BIND 9 name server will
+not load a zone file containing binary labels.
+
+Address Lookups Using AAAA Records
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
+deprecated A6 record, specifies the entire IPv6 address in a single
+record. For example:
+
+::
+
+   $ORIGIN example.com.
+   host            3600    IN      AAAA    2001:db8::1
+
+Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
+an IPv4 address, use an A record, not a AAAA, with
+``::ffff:192.168.42.1`` as the address.
+
+Address-to-Name Lookups Using Nibble Format
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+When looking up an address in nibble format, the address components are
+simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the
+resulting name. For example, the following commands produce a reverse name
+lookup for a host with address ``2001:db8::1``:
+
+::
+
+   $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
+                       host.example.com. )
diff --git a/doc/arm/advanced.rst b/doc/arm/advanced.rst
deleted file mode 100644
index 10457c87fd..0000000000
--- a/doc/arm/advanced.rst
+++ /dev/null
@@ -1,842 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. Advanced:
-
-Advanced DNS Features
-=====================
-
-.. _notify:
-
-Notify
-------
-
-DNS NOTIFY is a mechanism that allows primary servers to notify their
-secondary servers of changes to a zone's data. In response to a ``NOTIFY``
-from a primary server, the secondary checks to see that its version of
-the zone is the current version and, if not, initiates a zone transfer.
-
-For more information about DNS ``NOTIFY``, see the description of the
-``notify`` option in :ref:`boolean_options` and the
-description of the zone option ``also-notify`` in :ref:`zone_transfers`.
-The ``NOTIFY`` protocol is specified in :rfc:`1996`.
-
-.. note::
-
-   As a secondary zone can also be a primary to other secondaries, :iscman:`named`, by
-   default, sends ``NOTIFY`` messages for every zone it loads.
-   Specifying ``notify primary-only;`` causes :iscman:`named` to only send
-   ``NOTIFY`` for primary zones that it loads.
-
-.. _dynamic_update:
-
-Dynamic Update
---------------
-
-Dynamic update is a method for adding, replacing, or deleting records in
-a primary server by sending it a special form of DNS messages. The format
-and meaning of these messages is specified in :rfc:`2136`.
-
-Dynamic update is enabled by including an ``allow-update`` or an
-``update-policy`` clause in the ``zone`` statement.
-
-If the zone's ``update-policy`` is set to ``local``, updates to the zone
-are permitted for the key ``local-ddns``, which is generated by
-:iscman:`named` at startup. See :ref:`dynamic_update_policies` for more details.
-
-Dynamic updates using Kerberos-signed requests can be made using the
-TKEY/GSS protocol, either by setting the ``tkey-gssapi-keytab`` option
-or by setting both the ``tkey-gssapi-credential`` and
-``tkey-domain`` options. Once enabled, Kerberos-signed requests are
-matched against the update policies for the zone, using the Kerberos
-principal as the signer for the request.
-
-Updating of secure zones (zones using DNSSEC) follows :rfc:`3007`: RRSIG,
-NSEC, and NSEC3 records affected by updates are automatically regenerated
-by the server using an online zone key. Update authorization is based on
-transaction signatures and an explicit server policy.
-
-.. _journal:
-
-The Journal File
-~~~~~~~~~~~~~~~~
-
-All changes made to a zone using dynamic update are stored in the zone's
-journal file. This file is automatically created by the server when the
-first dynamic update takes place. The name of the journal file is formed
-by appending the extension ``.jnl`` to the name of the corresponding
-zone file unless specifically overridden. The journal file is in a
-binary format and should not be edited manually.
-
-The server also occasionally writes ("dumps") the complete contents
-of the updated zone to its zone file. This is not done immediately after
-each dynamic update because that would be too slow when a large zone is
-updated frequently. Instead, the dump is delayed by up to 15 minutes,
-allowing additional updates to take place. During the dump process,
-transient files are created with the extensions ``.jnw`` and
-``.jbk``; under ordinary circumstances, these are removed when the
-dump is complete, and can be safely ignored.
-
-When a server is restarted after a shutdown or crash, it replays the
-journal file to incorporate into the zone any updates that took place
-after the last zone dump.
-
-Changes that result from incoming incremental zone transfers are also
-journaled in a similar way.
-
-The zone files of dynamic zones cannot normally be edited by hand
-because they are not guaranteed to contain the most recent dynamic
-changes; those are only in the journal file. The only way to ensure
-that the zone file of a dynamic zone is up-to-date is to run
-:option:`rndc stop`.
-
-To make changes to a dynamic zone manually, follow these steps:
-first, disable dynamic updates to the zone using
-:option:`rndc freeze zone <rndc freeze>`. This updates the zone file with the
-changes stored in its ``.jnl`` file. Then, edit the zone file. Finally, run
-:option:`rndc thaw zone <rndc thaw>` to reload the changed zone and re-enable dynamic
-updates.
-
-:option:`rndc sync zone <rndc sync>` updates the zone file with changes from the
-journal file without stopping dynamic updates; this may be useful for
-viewing the current zone state. To remove the ``.jnl`` file after
-updating the zone file, use :option:`rndc sync -clean <rndc sync>`.
-
-.. _incremental_zone_transfers:
-
-Incremental Zone Transfers (IXFR)
----------------------------------
-
-The incremental zone transfer (IXFR) protocol is a way for secondary servers
-to transfer only changed data, instead of having to transfer an entire
-zone. The IXFR protocol is specified in :rfc:`1995`.
-
-When acting as a primary server, BIND 9 supports IXFR for those zones where the
-necessary change history information is available. These include primary
-zones maintained by dynamic update and secondary zones whose data was
-obtained by IXFR. For manually maintained primary zones, and for secondary
-zones obtained by performing a full zone transfer (AXFR), IXFR is
-supported only if the option ``ixfr-from-differences`` is set to
-``yes``.
-
-When acting as a secondary server, BIND 9 attempts to use IXFR unless it is
-explicitly disabled. For more information about disabling IXFR, see the
-description of the ``request-ixfr`` clause of the ``server`` statement.
-
-When a secondary server receives a zone via AXFR, it creates a new copy of the
-zone database and then swaps it into place; during the loading process, queries
-continue to be served from the old database with no interference. When receiving
-a zone via IXFR, however, changes are applied to the running zone, which may
-degrade query performance during the transfer. If a server receiving an IXFR
-request determines that the response size would be similar in size to an AXFR
-response, it may wish to send AXFR instead. The threshold at which this
-determination is made can be configured using the
-``max-ixfr-ratio`` option.
-
-.. _split_dns:
-
-Split DNS
----------
-
-Setting up different views of the DNS space to internal
-and external resolvers is usually referred to as a *split DNS* setup.
-There are several reasons an organization might want to set up its DNS
-this way.
-
-One common reason to use split DNS is to hide
-"internal" DNS information from "external" clients on the Internet.
-There is some debate as to whether this is actually useful.
-Internal DNS information leaks out in many ways (via email headers, for
-example) and most savvy "attackers" can find the information they need
-using other means. However, since listing addresses of internal servers
-that external clients cannot possibly reach can result in connection
-delays and other annoyances, an organization may choose to use split
-DNS to present a consistent view of itself to the outside world.
-
-Another common reason for setting up a split DNS system is to allow
-internal networks that are behind filters or in :rfc:`1918` space (reserved
-IP space, as documented in :rfc:`1918`) to resolve DNS on the Internet.
-Split DNS can also be used to allow mail from outside back into the
-internal network.
-
-.. _split_dns_sample:
-
-Example Split DNS Setup
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Let's say a company named *Example, Inc.* (``example.com``) has several
-corporate sites that have an internal network with reserved Internet
-Protocol (IP) space and an external demilitarized zone (DMZ), or
-"outside" section of a network, that is available to the public.
-
-Example, Inc. wants its internal clients to be able to resolve
-external hostnames and to exchange mail with people on the outside. The
-company also wants its internal resolvers to have access to certain
-internal-only zones that are not available at all outside of the
-internal network.
-
-To accomplish this, the company sets up two sets of name
-servers. One set is on the inside network (in the reserved IP
-space) and the other set is on bastion hosts, which are "proxy"
-hosts in the DMZ that can talk to both sides of its network.
-
-The internal servers are configured to forward all queries, except
-queries for ``site1.internal``, ``site2.internal``,
-``site1.example.com``, and ``site2.example.com``, to the servers in the
-DMZ. These internal servers have complete sets of information for
-``site1.example.com``, ``site2.example.com``, ``site1.internal``, and
-``site2.internal``.
-
-To protect the ``site1.internal`` and ``site2.internal`` domains, the
-internal name servers must be configured to disallow all queries to
-these domains from any external hosts, including the bastion hosts.
-
-The external servers, which are on the bastion hosts, are configured
-to serve the "public" version of the ``site1.example.com`` and ``site2.example.com``
-zones. This could include things such as the host records for public
-servers (``www.example.com`` and ``ftp.example.com``) and mail exchange
-(MX) records (``a.mx.example.com`` and ``b.mx.example.com``).
-
-In addition, the public ``site1.example.com`` and ``site2.example.com`` zones should
-have special MX records that contain wildcard (``*``) records pointing to
-the bastion hosts. This is needed because external mail servers
-have no other way of determining how to deliver mail to those internal
-hosts. With the wildcard records, the mail is delivered to the
-bastion host, which can then forward it on to internal hosts.
-
-Here's an example of a wildcard MX record:
-
-::
-
-   *   IN MX 10 external1.example.com.
-
-Now that they accept mail on behalf of anything in the internal network,
-the bastion hosts need to know how to deliver mail to internal
-hosts. The resolvers on the bastion
-hosts need to be configured to point to the internal name servers
-for DNS resolution.
-
-Queries for internal hostnames are answered by the internal servers,
-and queries for external hostnames are forwarded back out to the DNS
-servers on the bastion hosts.
-
-For all of this to work properly, internal clients need to be
-configured to query *only* the internal name servers for DNS queries.
-This could also be enforced via selective filtering on the network.
-
-If everything has been set properly, Example, Inc.'s internal clients
-are now able to:
-
--  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
-   zones.
-
--  Look up any hostnames in the ``site1.internal`` and
-   ``site2.internal`` domains.
-
--  Look up any hostnames on the Internet.
-
--  Exchange mail with both internal and external users.
-
-Hosts on the Internet are able to:
-
--  Look up any hostnames in the ``site1.example.com`` and ``site2.example.com``
-   zones.
-
--  Exchange mail with anyone in the ``site1.example.com`` and ``site2.example.com``
-   zones.
-
-Here is an example configuration for the setup just described above.
-Note that this is only configuration information; for information on how
-to configure the zone files, see :ref:`sample_configuration`.
-
-Internal DNS server config:
-
-::
-
-
-   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-   acl externals { bastion-ips-go-here; };
-
-   options {
-       ...
-       ...
-       forward only;
-       // forward to external servers
-       forwarders {
-       bastion-ips-go-here;
-       };
-       // sample allow-transfer (no one)
-       allow-transfer { none; };
-       // restrict query access
-       allow-query { internals; externals; };
-       // restrict recursion
-       allow-recursion { internals; };
-       ...
-       ...
-   };
-
-   // sample primary zone
-   zone "site1.example.com" {
-     type primary;
-     file "m/site1.example.com";
-     // do normal iterative resolution (do not forward)
-     forwarders { };
-     allow-query { internals; externals; };
-     allow-transfer { internals; };
-   };
-
-   // sample secondary zone
-   zone "site2.example.com" {
-     type secondary;
-     file "s/site2.example.com";
-     primaries { 172.16.72.3; };
-     forwarders { };
-     allow-query { internals; externals; };
-     allow-transfer { internals; };
-   };
-
-   zone "site1.internal" {
-     type primary;
-     file "m/site1.internal";
-     forwarders { };
-     allow-query { internals; };
-     allow-transfer { internals; }
-   };
-
-   zone "site2.internal" {
-     type secondary;
-     file "s/site2.internal";
-     primaries { 172.16.72.3; };
-     forwarders { };
-     allow-query { internals };
-     allow-transfer { internals; }
-   };
-
-External (bastion host) DNS server configuration:
-
-::
-
-   acl internals { 172.16.72.0/24; 192.168.1.0/24; };
-
-   acl externals { bastion-ips-go-here; };
-
-   options {
-     ...
-     ...
-     // sample allow-transfer (no one)
-     allow-transfer { none; };
-     // default query access
-     allow-query { any; };
-     // restrict cache access
-     allow-query-cache { internals; externals; };
-     // restrict recursion
-     allow-recursion { internals; externals; };
-     ...
-     ...
-   };
-
-   // sample secondary zone
-   zone "site1.example.com" {
-     type primary;
-     file "m/site1.foo.com";
-     allow-transfer { internals; externals; };
-   };
-
-   zone "site2.example.com" {
-     type secondary;
-     file "s/site2.foo.com";
-     primaries { another_bastion_host_maybe; };
-     allow-transfer { internals; externals; }
-   };
-
-In the ``resolv.conf`` (or equivalent) on the bastion host(s):
-
-::
-
-   search ...
-   nameserver 172.16.72.2
-   nameserver 172.16.72.3
-   nameserver 172.16.72.4
-
-.. _tsig:
-
-TSIG
-----
-
-TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
-messages, originally specified in :rfc:`2845`. It allows DNS messages to be
-cryptographically signed using a shared secret. TSIG can be used in any
-DNS transaction, as a way to restrict access to certain server functions
-(e.g., recursive queries) to authorized clients when IP-based access
-control is insufficient or needs to be overridden, or as a way to ensure
-message authenticity when it is critical to the integrity of the server,
-such as with dynamic UPDATE messages or zone transfers from a primary to
-a secondary server.
-
-This section is a guide to setting up TSIG in BIND. It describes the
-configuration syntax and the process of creating TSIG keys.
-
-:iscman:`named` supports TSIG for server-to-server communication, and some of
-the tools included with BIND support it for sending messages to
-:iscman:`named`:
-
-   * :ref:`man_nsupdate` supports TSIG via the :option:`-k <nsupdate -k>`, :option:`-l <nsupdate -l>`, and :option:`-y <nsupdate -y>` command-line options, or via the ``key`` command when running interactively.
-   * :ref:`man_dig` supports TSIG via the :option:`-k <dig -k>` and :option:`-y <dig -y>` command-line options.
-
-Generating a Shared Key
-~~~~~~~~~~~~~~~~~~~~~~~
-
-TSIG keys can be generated using the :iscman:`tsig-keygen` command; the output
-of the command is a ``key`` directive suitable for inclusion in
-:iscman:`named.conf`. The key name, algorithm, and size can be specified by
-command-line parameters; the defaults are "tsig-key", HMAC-SHA256, and
-256 bits, respectively.
-
-Any string which is a valid DNS name can be used as a key name. For
-example, a key to be shared between servers called ``host1`` and ``host2``
-could be called "host1-host2.", and this key can be generated using:
-
-::
-
-     $ tsig-keygen host1-host2. > host1-host2.key
-
-This key may then be copied to both hosts. The key name and secret must
-be identical on both hosts. (Note: copying a shared secret from one
-server to another is beyond the scope of the DNS. A secure transport
-mechanism should be used: secure FTP, SSL, ssh, telephone, encrypted
-email, etc.)
-
-:iscman:`tsig-keygen` can also be run as :iscman:`ddns-confgen`, in which case its
-output includes additional configuration text for setting up dynamic DNS
-in :iscman:`named`. See :ref:`man_ddns-confgen` for details.
-
-Loading a New Key
-~~~~~~~~~~~~~~~~~
-
-For a key shared between servers called ``host1`` and ``host2``, the
-following could be added to each server's :iscman:`named.conf` file:
-
-::
-
-   key "host1-host2." {
-       algorithm hmac-sha256;
-       secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
-   };
-
-(This is the same key generated above using :iscman:`tsig-keygen`.)
-
-Since this text contains a secret, it is recommended that either
-:iscman:`named.conf` not be world-readable, or that the ``key`` directive be
-stored in a file which is not world-readable and which is included in
-:iscman:`named.conf` via the ``include`` directive.
-
-Once a key has been added to :iscman:`named.conf` and the server has been
-restarted or reconfigured, the server can recognize the key. If the
-server receives a message signed by the key, it is able to verify
-the signature. If the signature is valid, the response is signed
-using the same key.
-
-TSIG keys that are known to a server can be listed using the command
-:option:`rndc tsig-list`.
-
-Instructing the Server to Use a Key
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-A server sending a request to another server must be told whether to use
-a key, and if so, which key to use.
-
-For example, a key may be specified for each server in the ``primaries``
-statement in the definition of a secondary zone; in this case, all SOA QUERY
-messages, NOTIFY messages, and zone transfer requests (AXFR or IXFR)
-are signed using the specified key. Keys may also be specified in
-the ``also-notify`` statement of a primary or secondary zone, causing NOTIFY
-messages to be signed using the specified key.
-
-Keys can also be specified in a ``server`` directive. Adding the
-following on ``host1``, if the IP address of ``host2`` is 10.1.2.3, would
-cause *all* requests from ``host1`` to ``host2``, including normal DNS
-queries, to be signed using the ``host1-host2.`` key:
-
-::
-
-   server 10.1.2.3 {
-       keys { host1-host2. ;};
-   };
-
-Multiple keys may be present in the ``keys`` statement, but only the
-first one is used. As this directive does not contain secrets, it can be
-used in a world-readable file.
-
-Requests sent by ``host2`` to ``host1`` would *not* be signed, unless a
-similar ``server`` directive were in ``host2``'s configuration file.
-
-When any server sends a TSIG-signed DNS request, it expects the
-response to be signed with the same key. If a response is not signed, or
-if the signature is not valid, the response is rejected.
-
-TSIG-Based Access Control
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-TSIG keys may be specified in ACL definitions and ACL directives such as
-``allow-query``, ``allow-transfer``, and ``allow-update``. The above key
-would be denoted in an ACL element as ``key host1-host2.``
-
-Here is an example of an ``allow-update`` directive using a TSIG key:
-
-::
-
-   allow-update { !{ !localnets; any; }; key host1-host2. ;};
-
-This allows dynamic updates to succeed only if the UPDATE request comes
-from an address in ``localnets``, *and* if it is signed using the
-``host1-host2.`` key.
-
-See :ref:`dynamic_update_policies` for a
-discussion of the more flexible ``update-policy`` statement.
-
-Errors
-~~~~~~
-
-Processing of TSIG-signed messages can result in several errors:
-
--  If a TSIG-aware server receives a message signed by an unknown key,
-   the response will be unsigned, with the TSIG extended error code set
-   to BADKEY.
--  If a TSIG-aware server receives a message from a known key but with
-   an invalid signature, the response will be unsigned, with the TSIG
-   extended error code set to BADSIG.
--  If a TSIG-aware server receives a message with a time outside of the
-   allowed range, the response will be signed but the TSIG extended
-   error code set to BADTIME, and the time values will be adjusted so
-   that the response can be successfully verified.
-
-In all of the above cases, the server returns a response code of
-NOTAUTH (not authenticated).
-
-TKEY
-----
-
-TKEY (Transaction KEY) is a mechanism for automatically negotiating a
-shared secret between two hosts, originally specified in :rfc:`2930`.
-
-There are several TKEY "modes" that specify how a key is to be generated
-or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
-key exchange. Both hosts are required to have a KEY record with
-algorithm DH (though this record is not required to be present in a
-zone).
-
-The TKEY process is initiated by a client or server by sending a query
-of type TKEY to a TKEY-aware server. The query must include an
-appropriate KEY record in the additional section, and must be signed
-using either TSIG or SIG(0) with a previously established key. The
-server's response, if successful, contains a TKEY record in its
-answer section. After this transaction, both participants have
-enough information to calculate a shared secret using Diffie-Hellman key
-exchange. The shared secret can then be used to sign subsequent
-transactions between the two servers.
-
-TSIG keys known by the server, including TKEY-negotiated keys, can be
-listed using :option:`rndc tsig-list`.
-
-TKEY-negotiated keys can be deleted from a server using
-:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
-itself, by sending an authenticated TKEY query specifying the "key
-deletion" mode.
-
-SIG(0)
-------
-
-BIND partially supports DNSSEC SIG(0) transaction signatures as
-specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
-authenticate messages. Access control is performed in the same manner as with
-TSIG keys; privileges can be granted or denied in ACL directives based
-on the key name.
-
-When a SIG(0) signed message is received, it is only verified if
-the key is known and trusted by the server. The server does not attempt
-to recursively fetch or validate the key.
-
-SIG(0) signing of multiple-message TCP streams is not supported.
-
-The only tool shipped with BIND 9 that generates SIG(0) signed messages
-is :iscman:`nsupdate`.
-
-.. _DNSSEC:
-
-DNSSEC
-------
-
-Cryptographic authentication of DNS information is possible through the
-DNS Security ("DNSSEC-bis") extensions, defined in :rfc:`4033`, :rfc:`4034`,
-and :rfc:`4035`. This section describes the creation and use of DNSSEC
-signed zones.
-
-In order to set up a DNSSEC secure zone, there are a series of steps
-which must be followed. BIND 9 ships with several tools that are used in
-this process, which are explained in more detail below. In all cases,
-the ``-h`` option prints a full list of parameters. Note that the DNSSEC
-tools require the keyset files to be in the working directory or the
-directory specified by the ``-d`` option.
-
-There must also be communication with the administrators of the parent
-and/or child zone to transmit keys. A zone's security status must be
-indicated by the parent zone for a DNSSEC-capable resolver to trust its
-data. This is done through the presence or absence of a ``DS`` record at
-the delegation point.
-
-For other servers to trust data in this zone, they must be
-statically configured with either this zone's zone key or the zone key of
-another zone above this one in the DNS tree.
-
-.. _generating_dnssec_keys:
-
-Generating Keys
-~~~~~~~~~~~~~~~
-
-The :iscman:`dnssec-keygen` program is used to generate keys.
-
-A secure zone must contain one or more zone keys. The zone keys
-sign all other records in the zone, as well as the zone keys of any
-secure delegated zones. Zone keys must have the same name as the zone, have a
-name type of ``ZONE``, and be usable for authentication. It is
-recommended that zone keys use a cryptographic algorithm designated as
-"mandatory to implement" by the IETF. Currently there are two algorithms,
-RSASHA256 and ECDSAP256SHA256; ECDSAP256SHA256 is recommended for
-current and future deployments.
-
-The following command generates an ECDSAP256SHA256 key for the
-``child.example`` zone:
-
-``dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.``
-
-Two output files are produced: ``Kchild.example.+013+12345.key`` and
-``Kchild.example.+013+12345.private`` (where 12345 is an example of a
-key tag). The key filenames contain the key name (``child.example.``),
-the algorithm (5 is RSASHA1, 8 is RSASHA256, 13 is ECDSAP256SHA256, 15 is
-ED25519, etc.), and the key tag (12345 in this case). The private key (in
-the ``.private`` file) is used to generate signatures, and the public
-key (in the ``.key`` file) is used for signature verification.
-
-To generate another key with the same properties but with a different
-key tag, repeat the above command.
-
-The :iscman:`dnssec-keyfromlabel` program is used to get a key pair from a
-crypto hardware device and build the key files. Its usage is similar to
-:iscman:`dnssec-keygen`.
-
-The public keys should be inserted into the zone file by including the
-``.key`` files using ``$INCLUDE`` statements.
-
-.. _dnssec_zone_signing:
-
-Signing the Zone
-~~~~~~~~~~~~~~~~
-
-The :iscman:`dnssec-signzone` program is used to sign a zone.
-
-Any ``keyset`` files corresponding to secure sub-zones should be
-present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
-records for the zone, as well as ``DS`` for the child zones if :option:`-g <dnssec-signzone -g>`
-is specified. If :option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
-secure child zones need to be added manually.
-
-By default, all zone keys which have an available private key are used
-to generate signatures. The following command signs the zone, assuming
-it is in a file called ``zone.child.example``:
-
-``dnssec-signzone -o child.example zone.child.example``
-
-One output file is produced: ``zone.child.example.signed``. This file
-should be referenced by :iscman:`named.conf` as the input file for the zone.
-
-:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
-to provide the parent zone administrators with the ``DNSKEYs`` (or their
-corresponding ``DS`` records) that are the secure entry point to the zone.
-
-.. _dnssec_config:
-
-Configuring Servers for DNSSEC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-To enable :iscman:`named` to validate answers received from other servers, the
-``dnssec-validation`` option must be set to either ``yes`` or ``auto``.
-
-When ``dnssec-validation`` is set to ``auto``, a trust anchor for the
-DNS root zone is automatically used. This trust anchor is provided
-as part of BIND and is kept up to date using :rfc:`5011` key management.
-
-When ``dnssec-validation`` is set to ``yes``, DNSSEC validation
-only occurs if at least one trust anchor has been explicitly configured
-in :iscman:`named.conf`, using a ``trust-anchors`` statement (or the
-``managed-keys`` and ``trusted-keys`` statements, both deprecated).
-
-When ``dnssec-validation`` is set to ``no``, DNSSEC validation does not
-occur.
-
-The default is ``auto`` unless BIND is built with
-``configure --disable-auto-validation``, in which case the default is
-``yes``.
-
-The keys specified in ``trust-anchors`` are copies of DNSKEY RRs for zones that are
-used to form the first link in the cryptographic chain of trust. Keys configured
-with the keyword ``static-key`` or ``static-ds`` are loaded directly into the
-table of trust anchors, and can only be changed by altering the
-configuration. Keys configured with ``initial-key`` or ``initial-ds`` are used
-to initialize :rfc:`5011` trust anchor maintenance, and are kept up-to-date
-automatically after the first time :iscman:`named` runs.
-
-``trust-anchors`` is described in more detail later in this document.
-
-BIND 9 does not verify signatures on load, so zone keys
-for authoritative zones do not need to be specified in the configuration
-file.
-
-After DNSSEC is established, a typical DNSSEC configuration looks
-something like the following. It has one or more public keys for the
-root, which allows answers from outside the organization to be validated.
-It also has several keys for parts of the namespace that the
-organization controls. These are here to ensure that :iscman:`named` is immune
-to compromised security in the DNSSEC components of parent zones.
-
-::
-
-   trust-anchors {
-       /* Root Key */
-       "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
-                    JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
-                    aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
-                    4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
-                    hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
-                    5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
-                    g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
-                    66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
-                    97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
-                    dgxbcDTClU0CRBdiieyLMNzXG3";
-       /* Key for our organization's forward zone */
-       example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
-
-       /* Key for our reverse zone. */
-       2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
-                          xOdNax071L18QqZnQQQAVVr+i
-                          LhGTnNGp3HoWQLUIzKrJVZ3zg
-                          gy3WwNT6kZo6c0tszYqbtvchm
-                          gQC8CzKojM/W16i6MG/eafGU3
-                          siaOdS0yOI6BgPsw+YZdzlYMa
-                          IJGf4M4dyoKIhzdZyQ2bYQrjy
-                          Q4LB0lC7aOnsMyYKHHYeRvPxj
-                          IQXmdqgOJGq+vsevG06zW+1xg
-                          YJh9rCIfnm1GX/KMgxLPG2vXT
-                          D/RnLX+D3T3UL7HJYHJhAZD5L
-                          59VvjSPsZJHeDCUyWYrvPZesZ
-                          DIRvhDD52SKvbheeTJUm6Ehkz
-                          ytNN2SN96QRk8j/iI8ib";
-   };
-
-   options {
-       ...
-       dnssec-validation yes;
-   };
-
-..
-
-.. note::
-
-   None of the keys listed in this example are valid. In particular, the
-   root key is not valid.
-
-When DNSSEC validation is enabled and properly configured, the resolver
-rejects any answers from signed, secure zones which fail to
-validate, and returns SERVFAIL to the client.
-
-Responses may fail to validate for any of several reasons, including
-missing, expired, or invalid signatures, a key which does not match the
-DS RRset in the parent zone, or an insecure response from a zone which,
-according to its parent, should have been secure.
-
-.. note::
-
-   When the validator receives a response from an unsigned zone that has
-   a signed parent, it must confirm with the parent that the zone was
-   intentionally left unsigned. It does this by verifying, via signed
-   and validated NSEC/NSEC3 records, that the parent zone contains no DS
-   records for the child.
-
-   If the validator *can* prove that the zone is insecure, then the
-   response is accepted. However, if it cannot, the validator must assume an
-   insecure response to be a forgery; it rejects the response and logs
-   an error.
-
-   The logged error reads "insecurity proof failed" and "got insecure
-   response; parent indicates it should be secure."
-
-
-.. include:: dnssec.inc.rst
-.. include:: managed-keys.inc.rst
-.. include:: pkcs11.inc.rst
-.. include:: dlz.inc.rst
-.. include:: dyndb.inc.rst
-.. include:: catz.inc.rst
-
-.. _ipv6:
-
-IPv6 Support in BIND 9
-----------------------
-
-BIND 9 fully supports all currently defined forms of IPv6 name-to-address
-and address-to-name lookups. It also uses IPv6 addresses to
-make queries when running on an IPv6-capable system.
-
-For forward lookups, BIND 9 supports only AAAA records. :rfc:`3363`
-deprecated the use of A6 records, and client-side support for A6 records
-was accordingly removed from BIND 9. However, authoritative BIND 9 name
-servers still load zone files containing A6 records correctly, answer
-queries for A6 records, and accept zone transfer for a zone containing
-A6 records.
-
-For IPv6 reverse lookups, BIND 9 supports the traditional "nibble"
-format used in the ``ip6.arpa`` domain, as well as the older, deprecated
-``ip6.int`` domain. Older versions of BIND 9 supported the "binary label"
-(also known as "bitstring") format, but support of binary labels has
-been completely removed per :rfc:`3363`. Many applications in BIND 9 do not
-understand the binary label format at all anymore, and return an
-error if one is given. In particular, an authoritative BIND 9 name server will
-not load a zone file containing binary labels.
-
-Address Lookups Using AAAA Records
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The IPv6 AAAA record is a parallel to the IPv4 A record, and, unlike the
-deprecated A6 record, specifies the entire IPv6 address in a single
-record. For example:
-
-::
-
-   $ORIGIN example.com.
-   host            3600    IN      AAAA    2001:db8::1
-
-Use of IPv4-in-IPv6 mapped addresses is not recommended. If a host has
-an IPv4 address, use an A record, not a AAAA, with
-``::ffff:192.168.42.1`` as the address.
-
-Address-to-Name Lookups Using Nibble Format
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-When looking up an address in nibble format, the address components are
-simply reversed, just as in IPv4, and ``ip6.arpa.`` is appended to the
-resulting name. For example, the following commands produce a reverse name
-lookup for a host with address ``2001:db8::1``:
-
-::
-
-   $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
-   1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  14400   IN    PTR    (
-                       host.example.com. )
diff --git a/doc/arm/chapter5.rst b/doc/arm/chapter5.rst
new file mode 100644
index 0000000000..d1c9015cd5
--- /dev/null
+++ b/doc/arm/chapter5.rst
@@ -0,0 +1,15 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: advanced.inc.rst
+.. include:: dlz.inc.rst
+.. include:: dyndb.inc.rst
+.. include:: catz.inc.rst
diff --git a/doc/arm/chapter6.rst b/doc/arm/chapter6.rst
new file mode 100644
index 0000000000..429acea283
--- /dev/null
+++ b/doc/arm/chapter6.rst
@@ -0,0 +1,15 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: security.inc.rst
+.. include:: tsig.inc.rst
+.. include:: tkey.inc.rst
+.. include:: sig0.inc.rst
diff --git a/doc/arm/chapter7.rst b/doc/arm/chapter7.rst
new file mode 100644
index 0000000000..365deb45f1
--- /dev/null
+++ b/doc/arm/chapter7.rst
@@ -0,0 +1,14 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: dnssec.inc.rst
+.. include:: managed-keys.inc.rst
+.. include:: pkcs11.inc.rst
diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst
index a90e8cacfa..dee2736106 100644
--- a/doc/arm/dnssec.inc.rst
+++ b/doc/arm/dnssec.inc.rst
@@ -9,13 +9,225 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. _dnssec.dynamic.zones:
+.. _dnssec:
+
+DNSSEC
+------
+
+Cryptographic authentication of DNS information is possible through the
+DNS Security ("DNSSEC-bis") extensions, defined in :rfc:`4033`, :rfc:`4034`,
+and :rfc:`4035`. This section describes the creation and use of DNSSEC
+signed zones.
+
+In order to set up a DNSSEC secure zone, there are a series of steps
+which must be followed. BIND 9 ships with several tools that are used in
+this process, which are explained in more detail below. In all cases,
+the ``-h`` option prints a full list of parameters. Note that the DNSSEC
+tools require the keyset files to be in the working directory or the
+directory specified by the ``-d`` option.
+
+There must also be communication with the administrators of the parent
+and/or child zone to transmit keys. A zone's security status must be
+indicated by the parent zone for a DNSSEC-capable resolver to trust its
+data. This is done through the presence or absence of a ``DS`` record at
+the delegation point.
+
+For other servers to trust data in this zone, they must be
+statically configured with either this zone's zone key or the zone key of
+another zone above this one in the DNS tree.
+
+.. _generating_dnssec_keys:
+
+DNSSEC Keys
+~~~~~~~~~~~
+
+Generating Keys
+^^^^^^^^^^^^^^^
+
+The :iscman:`dnssec-keygen` program is used to generate keys.
+
+A secure zone must contain one or more zone keys. The zone keys
+sign all other records in the zone, as well as the zone keys of any
+secure delegated zones. Zone keys must have the same name as the zone, have a
+name type of ``ZONE``, and be usable for authentication. It is
+recommended that zone keys use a cryptographic algorithm designated as
+"mandatory to implement" by the IETF. Currently there are two algorithms,
+RSASHA256 and ECDSAP256SHA256; ECDSAP256SHA256 is recommended for
+current and future deployments.
+
+The following command generates an ECDSAP256SHA256 key for the
+``child.example`` zone:
+
+``dnssec-keygen -a ECDSAP256SHA256 -n ZONE child.example.``
+
+Two output files are produced: ``Kchild.example.+013+12345.key`` and
+``Kchild.example.+013+12345.private`` (where 12345 is an example of a
+key tag). The key filenames contain the key name (``child.example.``),
+the algorithm (5 is RSASHA1, 8 is RSASHA256, 13 is ECDSAP256SHA256, 15 is
+ED25519, etc.), and the key tag (12345 in this case). The private key (in
+the ``.private`` file) is used to generate signatures, and the public
+key (in the ``.key`` file) is used for signature verification.
+
+To generate another key with the same properties but with a different
+key tag, repeat the above command.
+
+The :iscman:`dnssec-keyfromlabel` program is used to get a key pair from a
+crypto hardware device and build the key files. Its usage is similar to
+:iscman:`dnssec-keygen`.
+
+The public keys should be inserted into the zone file by including the
+``.key`` files using ``$INCLUDE`` statements.
+
+.. _dnssec_zone_signing:
+
+Signing the Zone
+^^^^^^^^^^^^^^^^
+
+The :iscman:`dnssec-signzone` program is used to sign a zone.
+
+Any ``keyset`` files corresponding to secure sub-zones should be
+present. The zone signer generates ``NSEC``, ``NSEC3``, and ``RRSIG``
+records for the zone, as well as ``DS`` for the child zones if :option:`-g <dnssec-signzone -g>`
+is specified. If :option:`-g <dnssec-signzone -g>` is not specified, then DS RRsets for the
+secure child zones need to be added manually.
+
+By default, all zone keys which have an available private key are used
+to generate signatures. The following command signs the zone, assuming
+it is in a file called ``zone.child.example``:
+
+``dnssec-signzone -o child.example zone.child.example``
+
+One output file is produced: ``zone.child.example.signed``. This file
+should be referenced by :iscman:`named.conf` as the input file for the zone.
+
+:iscman:`dnssec-signzone` also produces keyset and dsset files. These are used
+to provide the parent zone administrators with the ``DNSKEYs`` (or their
+corresponding ``DS`` records) that are the secure entry point to the zone.
+
+.. _dnssec_config:
+
+Configuring Servers for DNSSEC
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+To enable :iscman:`named` to validate answers received from other servers, the
+``dnssec-validation`` option must be set to either ``yes`` or ``auto``.
+
+When ``dnssec-validation`` is set to ``auto``, a trust anchor for the
+DNS root zone is automatically used. This trust anchor is provided
+as part of BIND and is kept up to date using :rfc:`5011` key management.
+
+When ``dnssec-validation`` is set to ``yes``, DNSSEC validation
+only occurs if at least one trust anchor has been explicitly configured
+in :iscman:`named.conf`, using a ``trust-anchors`` statement (or the
+``managed-keys`` and ``trusted-keys`` statements, both deprecated).
+
+When ``dnssec-validation`` is set to ``no``, DNSSEC validation does not
+occur.
+
+The default is ``auto`` unless BIND is built with
+``configure --disable-auto-validation``, in which case the default is
+``yes``.
+
+The keys specified in ``trust-anchors`` are copies of DNSKEY RRs for zones that are
+used to form the first link in the cryptographic chain of trust. Keys configured
+with the keyword ``static-key`` or ``static-ds`` are loaded directly into the
+table of trust anchors, and can only be changed by altering the
+configuration. Keys configured with ``initial-key`` or ``initial-ds`` are used
+to initialize :rfc:`5011` trust anchor maintenance, and are kept up-to-date
+automatically after the first time :iscman:`named` runs.
+
+``trust-anchors`` is described in more detail later in this document.
+
+BIND 9 does not verify signatures on load, so zone keys
+for authoritative zones do not need to be specified in the configuration
+file.
+
+After DNSSEC is established, a typical DNSSEC configuration looks
+something like the following. It has one or more public keys for the
+root, which allows answers from outside the organization to be validated.
+It also has several keys for parts of the namespace that the
+organization controls. These are here to ensure that :iscman:`named` is immune
+to compromised security in the DNSSEC components of parent zones.
+
+::
+
+   trust-anchors {
+       /* Root Key */
+       "." initial-key 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwS
+                    JxrGkxJWoZu6I7PzJu/E9gx4UC1zGAHlXKdE4zYIpRh
+                    aBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3zy2Xy
+                    4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYg
+                    hf+6fElrmLkdaz MQ2OCnACR817DF4BBa7UR/beDHyp
+                    5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M/lUUVRbke
+                    g1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq
+                    66gKodQj+MiA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ
+                    97S+LKUTpQcq27R7AT3/V5hRQxScINqwcz4jYqZD2fQ
+                    dgxbcDTClU0CRBdiieyLMNzXG3";
+       /* Key for our organization's forward zone */
+       example.com. static-ds 54135 5 2 "8EF922C97F1D07B23134440F19682E7519ADDAE180E20B1B1EC52E7F58B2831D"
+
+       /* Key for our reverse zone. */
+       2.0.192.IN-ADDRPA.NET. static-key 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwc
+                          xOdNax071L18QqZnQQQAVVr+i
+                          LhGTnNGp3HoWQLUIzKrJVZ3zg
+                          gy3WwNT6kZo6c0tszYqbtvchm
+                          gQC8CzKojM/W16i6MG/eafGU3
+                          siaOdS0yOI6BgPsw+YZdzlYMa
+                          IJGf4M4dyoKIhzdZyQ2bYQrjy
+                          Q4LB0lC7aOnsMyYKHHYeRvPxj
+                          IQXmdqgOJGq+vsevG06zW+1xg
+                          YJh9rCIfnm1GX/KMgxLPG2vXT
+                          D/RnLX+D3T3UL7HJYHJhAZD5L
+                          59VvjSPsZJHeDCUyWYrvPZesZ
+                          DIRvhDD52SKvbheeTJUm6Ehkz
+                          ytNN2SN96QRk8j/iI8ib";
+   };
+
+   options {
+       ...
+       dnssec-validation yes;
+   };
+
+..
+
+.. note::
+
+   None of the keys listed in this example are valid. In particular, the
+   root key is not valid.
+
+When DNSSEC validation is enabled and properly configured, the resolver
+rejects any answers from signed, secure zones which fail to
+validate, and returns SERVFAIL to the client.
+
+Responses may fail to validate for any of several reasons, including
+missing, expired, or invalid signatures, a key which does not match the
+DS RRset in the parent zone, or an insecure response from a zone which,
+according to its parent, should have been secure.
+
+.. note::
+
+   When the validator receives a response from an unsigned zone that has
+   a signed parent, it must confirm with the parent that the zone was
+   intentionally left unsigned. It does this by verifying, via signed
+   and validated NSEC/NSEC3 records, that the parent zone contains no DS
+   records for the child.
+
+   If the validator *can* prove that the zone is insecure, then the
+   response is accepted. However, if it cannot, the validator must assume an
+   insecure response to be a forgery; it rejects the response and logs
+   an error.
+
+   The logged error reads "insecurity proof failed" and "got insecure
+   response; parent indicates it should be secure."
+
+
+.. _dnssec_dynamic_zones:
 
 DNSSEC, Dynamic Zones, and Automatic Signing
---------------------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Converting From Insecure to Secure
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 A zone can be changed from insecure to secure in three ways: using a
 dynamic DNS update, via the ``auto-dnssec`` zone option, or by setting a
@@ -55,7 +267,7 @@ For example:
 	};
 
 Dynamic DNS Update Method
-~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To insert the keys via dynamic update:
 
@@ -96,7 +308,7 @@ While the initial signing and NSEC/NSEC3 chain generation is happening,
 other updates are possible as well.
 
 Fully Automatic Zone Signing
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To enable automatic signing, set a ``dnssec-policy`` or add the
 ``auto-dnssec`` option to the zone statement in :iscman:`named.conf`.
@@ -149,7 +361,7 @@ allow dynamic updates, by adding an ``allow-update`` or
 been done, the configuration fails.
 
 Private Type Records
-~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^
 
 The state of the signing process is signaled by private type records
 (with a default type value of 65534). When signing is complete, those
@@ -186,14 +398,14 @@ perform based on the flag bits:
    0x20 NONSEC
 
 DNSKEY Rollovers
-~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^
 
 As with insecure-to-secure conversions, DNSSEC keyrolls can be done
 in two ways: using a dynamic DNS update, or via the ``auto-dnssec`` zone
 option.
 
 Dynamic DNS Update Method
-~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To perform key rollovers via a dynamic update, the ``K*``
 files for the new keys must be added so that :iscman:`named` can find them.
@@ -215,7 +427,7 @@ correct key. :iscman:`named` cleans out any signatures generated by the
 old key after the update completes.
 
 Automatic Key Rollovers
-~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^
 
 When a new key reaches its activation date (as set by :iscman:`dnssec-keygen`
 or :iscman:`dnssec-settime`), and if the ``auto-dnssec`` zone option is set to
@@ -229,7 +441,7 @@ validity periods expire. By default, this rollover completes in 30 days,
 after which it is safe to remove the old key from the DNSKEY RRset.
 
 NSEC3PARAM Rollovers via UPDATE
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The new NSEC3PARAM record can be added via dynamic update. When the new NSEC3
 chain has been generated, the NSEC3PARAM flag field is set to zero. At
@@ -237,7 +449,7 @@ that point, the old NSEC3PARAM record can be removed. The old chain is
 removed after the update request completes.
 
 Converting From NSEC to NSEC3
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 Add a ``nsec3param`` option to your ``dnssec-policy`` and
 run :option:`rndc reconfig`.
@@ -248,7 +460,7 @@ In both cases, the NSEC3 chain is generated and the NSEC3PARAM record is
 added before the NSEC chain is destroyed.
 
 Converting From NSEC3 to NSEC
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To do this, remove the ``nsec3param`` option from the ``dnssec-policy`` and
 run :option:`rndc reconfig`.
@@ -258,7 +470,7 @@ zero flag field. The NSEC chain is generated before the NSEC3 chain
 is removed.
 
 Converting From Secure to Insecure
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To convert a signed zone to unsigned using dynamic DNS, delete all the
 DNSKEY records from the zone apex using :iscman:`nsupdate`. All signatures,
@@ -272,7 +484,7 @@ In addition, if the ``auto-dnssec maintain`` zone statement is used, it
 should be removed or changed to ``allow`` instead; otherwise it will re-sign.
 
 Periodic Re-signing
-~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^
 
 In any secure zone which supports dynamic updates, :iscman:`named`
 periodically re-signs RRsets which have not been re-signed as a result of
@@ -280,7 +492,7 @@ some update action. The signature lifetimes are adjusted to
 spread the re-sign load over time rather than all at once.
 
 NSEC3 and OPTOUT
-~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^
 
 :iscman:`named` only supports creating new NSEC3 chains where all the NSEC3
 records in the zone have the same OPTOUT state. :iscman:`named` supports
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
index 684a20e9fe..aeeefe1902 100644
--- a/doc/arm/index.rst
+++ b/doc/arm/index.rst
@@ -21,9 +21,10 @@ BIND 9 Administrator Reference Manual
    chapter2
    chapter3
    chapter4
+   chapter5
+   chapter6
+   chapter7
    reference
-   advanced
-   security
    troubleshooting
    chapter10
 
diff --git a/doc/arm/managed-keys.inc.rst b/doc/arm/managed-keys.inc.rst
index 41ea724c04..9690d67b68 100644
--- a/doc/arm/managed-keys.inc.rst
+++ b/doc/arm/managed-keys.inc.rst
@@ -12,7 +12,7 @@
 .. _rfc5011.support:
 
 Dynamic Trust Anchor Management
--------------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 BIND is able to maintain DNSSEC trust anchors using :rfc:`5011` key
 management. This feature allows :iscman:`named` to keep track of changes to
@@ -20,7 +20,7 @@ critical DNSSEC keys without any need for the operator to make changes
 to configuration files.
 
 Validating Resolver
-~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^
 
 To configure a validating resolver to use :rfc:`5011` to maintain a trust
 anchor, configure the trust anchor using a ``trust-anchors`` statement and
@@ -28,7 +28,7 @@ the ``initial-key`` keyword. Information about this can be found in
 :ref:`trust-anchors`.
 
 Authoritative Server
-~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^
 
 To set up an authoritative zone for :rfc:`5011` trust anchor maintenance,
 generate two (or more) key signing keys (KSKs) for the zone. Sign the
diff --git a/doc/arm/pkcs11.inc.rst b/doc/arm/pkcs11.inc.rst
index 0dcc664ccf..e9dc6c5ef8 100644
--- a/doc/arm/pkcs11.inc.rst
+++ b/doc/arm/pkcs11.inc.rst
@@ -12,7 +12,7 @@
 .. _pkcs11:
 
 PKCS#11 (Cryptoki) Support
---------------------------
+~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 Public Key Cryptography Standard #11 (PKCS#11) defines a
 platform-independent API for the control of hardware security modules
@@ -32,7 +32,7 @@ OpenSSL instead.
 .. _OpenSC: https://github.com/OpenSC/libp11
 
 Prerequisites
-~~~~~~~~~~~~~
+^^^^^^^^^^^^^
 
 See the documentation provided by the HSM vendor for information about
 installing, initializing, testing, and troubleshooting the HSM.
@@ -65,7 +65,7 @@ with BIND.
    $  /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
 
 OpenSSL-based PKCS#11
-~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^
 
 OpenSSL-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
 
@@ -83,7 +83,7 @@ For more detailed howto including the examples, we recommend reading:
 https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
 
 Using the HSM
-~~~~~~~~~~~~~
+^^^^^^^^^^^^^
 
 The canonical documentation for configuring engine_pkcs11 is in the
 `libp11/README.md`_, but here's copy of working configuration for
@@ -132,7 +132,7 @@ Add following lines at the bottom of the file:
    init = 0
 
 Key Generation
-~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^
 
 HSM keys can now be created and used.  We are going to assume that you already
 have a BIND 9 installed, either from a package, or from the sources, and the
@@ -213,7 +213,7 @@ this is when creating ECDSA keys, you should specify a unique ID:
 
 
 Specifying the Engine on the Command Line
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 When using OpenSSL-based PKCS#11, the "engine" to be used by OpenSSL can be
 specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E
@@ -228,7 +228,7 @@ provide the name of the OpenSSL engine using the -E command line option.
    dnssec-signzone -E pkcs11 -S -o example.net example.net
 
 Running :iscman:`named` With Automatic Zone Re-signing
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 The zone can also be signed automatically by named. Again, we need to provide
 the name of the OpenSSL engine using the :option:`-E <named -E>` command line option.
diff --git a/doc/arm/security.rst b/doc/arm/security.inc.rst
similarity index 98%
rename from doc/arm/security.rst
rename to doc/arm/security.inc.rst
index b00d79af63..3eab21aa7c 100644
--- a/doc/arm/security.rst
+++ b/doc/arm/security.inc.rst
@@ -9,12 +9,14 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. Security:
+.. _security:
 
-BIND 9 Security Considerations
-==============================
+Security Configurations
+=======================
 
-.. _Access_Control_Lists:
+.. _file_permissions:
+
+.. _access_Control_Lists:
 
 Access Control Lists
 --------------------
@@ -226,3 +228,7 @@ Some sites choose to keep all dynamically updated DNS data in a
 subdomain and delegate that subdomain to a separate zone. This way, the
 top-level zone containing critical data, such as the IP addresses of
 public web and mail servers, need not allow dynamic updates at all.
+
+.. _sec_file_transfer:
+
+.. _dns_over_tls:
diff --git a/doc/arm/sig0.inc.rst b/doc/arm/sig0.inc.rst
new file mode 100644
index 0000000000..048dbeae7c
--- /dev/null
+++ b/doc/arm/sig0.inc.rst
@@ -0,0 +1,28 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+SIG(0)
+------
+
+BIND partially supports DNSSEC SIG(0) transaction signatures as
+specified in :rfc:`2535` and :rfc:`2931`. SIG(0) uses public/private keys to
+authenticate messages. Access control is performed in the same manner as with
+TSIG keys; privileges can be granted or denied in ACL directives based
+on the key name.
+
+When a SIG(0) signed message is received, it is only verified if
+the key is known and trusted by the server. The server does not attempt
+to recursively fetch or validate the key.
+
+SIG(0) signing of multiple-message TCP streams is not supported.
+
+The only tool shipped with BIND 9 that generates SIG(0) signed messages
+is :iscman:`nsupdate`.
diff --git a/doc/arm/tkey.inc.rst b/doc/arm/tkey.inc.rst
new file mode 100644
index 0000000000..bc854e3e28
--- /dev/null
+++ b/doc/arm/tkey.inc.rst
@@ -0,0 +1,40 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+TKEY
+----
+
+TKEY (Transaction KEY) is a mechanism for automatically negotiating a
+shared secret between two hosts, originally specified in :rfc:`2930`.
+
+There are several TKEY "modes" that specify how a key is to be generated
+or assigned. BIND 9 implements only one of these modes: Diffie-Hellman
+key exchange. Both hosts are required to have a KEY record with
+algorithm DH (though this record is not required to be present in a
+zone).
+
+The TKEY process is initiated by a client or server by sending a query
+of type TKEY to a TKEY-aware server. The query must include an
+appropriate KEY record in the additional section, and must be signed
+using either TSIG or SIG(0) with a previously established key. The
+server's response, if successful, contains a TKEY record in its
+answer section. After this transaction, both participants have
+enough information to calculate a shared secret using Diffie-Hellman key
+exchange. The shared secret can then be used to sign subsequent
+transactions between the two servers.
+
+TSIG keys known by the server, including TKEY-negotiated keys, can be
+listed using :option:`rndc tsig-list`.
+
+TKEY-negotiated keys can be deleted from a server using
+:option:`rndc tsig-delete`. This can also be done via the TKEY protocol
+itself, by sending an authenticated TKEY query specifying the "key
+deletion" mode.
diff --git a/doc/arm/tsig.inc.rst b/doc/arm/tsig.inc.rst
new file mode 100644
index 0000000000..e1fc2efe81
--- /dev/null
+++ b/doc/arm/tsig.inc.rst
@@ -0,0 +1,165 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _tsig:
+
+TSIG
+----
+
+TSIG (Transaction SIGnatures) is a mechanism for authenticating DNS
+messages, originally specified in :rfc:`2845`. It allows DNS messages to be
+cryptographically signed using a shared secret. TSIG can be used in any
+DNS transaction, as a way to restrict access to certain server functions
+(e.g., recursive queries) to authorized clients when IP-based access
+control is insufficient or needs to be overridden, or as a way to ensure
+message authenticity when it is critical to the integrity of the server,
+such as with dynamic UPDATE messages or zone transfers from a primary to
+a secondary server.
+
+This section is a guide to setting up TSIG in BIND. It describes the
+configuration syntax and the process of creating TSIG keys.
+
+:iscman:`named` supports TSIG for server-to-server communication, and some of
+the tools included with BIND support it for sending messages to
+:iscman:`named`:
+
+   * :ref:`man_nsupdate` supports TSIG via the :option:`-k <nsupdate -k>`, :option:`-l <nsupdate -l>`, and :option:`-y <nsupdate -y>` command-line options, or via the ``key`` command when running interactively.
+   * :ref:`man_dig` supports TSIG via the :option:`-k <dig -k>` and :option:`-y <dig -y>` command-line options.
+
+Generating a Shared Key
+~~~~~~~~~~~~~~~~~~~~~~~
+
+TSIG keys can be generated using the :iscman:`tsig-keygen` command; the output
+of the command is a ``key`` directive suitable for inclusion in
+:iscman:`named.conf`. The key name, algorithm, and size can be specified by
+command-line parameters; the defaults are "tsig-key", HMAC-SHA256, and
+256 bits, respectively.
+
+Any string which is a valid DNS name can be used as a key name. For
+example, a key to be shared between servers called ``host1`` and ``host2``
+could be called "host1-host2.", and this key can be generated using:
+
+::
+
+     $ tsig-keygen host1-host2. > host1-host2.key
+
+This key may then be copied to both hosts. The key name and secret must
+be identical on both hosts. (Note: copying a shared secret from one
+server to another is beyond the scope of the DNS. A secure transport
+mechanism should be used: secure FTP, SSL, ssh, telephone, encrypted
+email, etc.)
+
+:iscman:`tsig-keygen` can also be run as :iscman:`ddns-confgen`, in which case its
+output includes additional configuration text for setting up dynamic DNS
+in :iscman:`named`. See :ref:`man_ddns-confgen` for details.
+
+Loading a New Key
+~~~~~~~~~~~~~~~~~
+
+For a key shared between servers called ``host1`` and ``host2``, the
+following could be added to each server's :iscman:`named.conf` file:
+
+::
+
+   key "host1-host2." {
+       algorithm hmac-sha256;
+       secret "DAopyf1mhCbFVZw7pgmNPBoLUq8wEUT7UuPoLENP2HY=";
+   };
+
+(This is the same key generated above using :iscman:`tsig-keygen`.)
+
+Since this text contains a secret, it is recommended that either
+:iscman:`named.conf` not be world-readable, or that the ``key`` directive be
+stored in a file which is not world-readable and which is included in
+:iscman:`named.conf` via the ``include`` directive.
+
+Once a key has been added to :iscman:`named.conf` and the server has been
+restarted or reconfigured, the server can recognize the key. If the
+server receives a message signed by the key, it is able to verify
+the signature. If the signature is valid, the response is signed
+using the same key.
+
+TSIG keys that are known to a server can be listed using the command
+:option:`rndc tsig-list`.
+
+Instructing the Server to Use a Key
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+A server sending a request to another server must be told whether to use
+a key, and if so, which key to use.
+
+For example, a key may be specified for each server in the ``primaries``
+statement in the definition of a secondary zone; in this case, all SOA QUERY
+messages, NOTIFY messages, and zone transfer requests (AXFR or IXFR)
+are signed using the specified key. Keys may also be specified in
+the ``also-notify`` statement of a primary or secondary zone, causing NOTIFY
+messages to be signed using the specified key.
+
+Keys can also be specified in a ``server`` directive. Adding the
+following on ``host1``, if the IP address of ``host2`` is 10.1.2.3, would
+cause *all* requests from ``host1`` to ``host2``, including normal DNS
+queries, to be signed using the ``host1-host2.`` key:
+
+::
+
+   server 10.1.2.3 {
+       keys { host1-host2. ;};
+   };
+
+Multiple keys may be present in the ``keys`` statement, but only the
+first one is used. As this directive does not contain secrets, it can be
+used in a world-readable file.
+
+Requests sent by ``host2`` to ``host1`` would *not* be signed, unless a
+similar ``server`` directive were in ``host2``'s configuration file.
+
+When any server sends a TSIG-signed DNS request, it expects the
+response to be signed with the same key. If a response is not signed, or
+if the signature is not valid, the response is rejected.
+
+TSIG-Based Access Control
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+TSIG keys may be specified in ACL definitions and ACL directives such as
+``allow-query``, ``allow-transfer``, and ``allow-update``. The above key
+would be denoted in an ACL element as ``key host1-host2.``
+
+Here is an example of an ``allow-update`` directive using a TSIG key:
+
+::
+
+   allow-update { !{ !localnets; any; }; key host1-host2. ;};
+
+This allows dynamic updates to succeed only if the UPDATE request comes
+from an address in ``localnets``, *and* if it is signed using the
+``host1-host2.`` key.
+
+See :ref:`dynamic_update_policies` for a
+discussion of the more flexible ``update-policy`` statement.
+
+Errors
+~~~~~~
+
+Processing of TSIG-signed messages can result in several errors:
+
+-  If a TSIG-aware server receives a message signed by an unknown key,
+   the response will be unsigned, with the TSIG extended error code set
+   to BADKEY.
+-  If a TSIG-aware server receives a message from a known key but with
+   an invalid signature, the response will be unsigned, with the TSIG
+   extended error code set to BADSIG.
+-  If a TSIG-aware server receives a message with a time outside of the
+   allowed range, the response will be signed but the TSIG extended
+   error code set to BADTIME, and the time values will be adjusted so
+   that the response can be successfully verified.
+
+In all of the above cases, the server returns a response code of
+NOTAUTH (not authenticated).

From 0040b99c6f9c0990a25a500706eba0c531595920 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Tue, 22 Mar 2022 01:11:02 +0000
Subject: [PATCH 10/15] Restructure includes for chapter 9 Troubleshooting

(cherry picked from commit 7842a0ca8f37af879b36abceafa7b206c739cc16)
---
 doc/arm/Makefile.am                                 |  3 ++-
 doc/arm/chapter9.rst                                | 13 +++++++++++++
 doc/arm/index.rst                                   |  2 +-
 ...{troubleshooting.rst => troubleshooting.inc.rst} |  2 +-
 4 files changed, 17 insertions(+), 3 deletions(-)
 create mode 100644 doc/arm/chapter9.rst
 rename doc/arm/{troubleshooting.rst => troubleshooting.inc.rst} (99%)

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index fa09192a31..ba734687a5 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -13,6 +13,7 @@ EXTRA_DIST =					\
 	chapter5.rst				\
 	chapter6.rst				\
 	chapter7.rst				\
+	chapter9.rst				\
 	configuration.inc.rst			\
 	conf.py					\
 	dlz.inc.rst				\
@@ -50,7 +51,7 @@ EXTRA_DIST =					\
 	security.inc.rst			\
 	sig0.inc.rst				\
 	tkey.inc.rst				\
-	troubleshooting.rst			\
+	troubleshooting.inc.rst			\
 	tsig.inc.rst				\
 	../dnssec-guide				\
 	../misc/acl.grammar.rst			\
diff --git a/doc/arm/chapter9.rst b/doc/arm/chapter9.rst
new file mode 100644
index 0000000000..afe54e3dfe
--- /dev/null
+++ b/doc/arm/chapter9.rst
@@ -0,0 +1,13 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. include:: troubleshooting.inc.rst
+
diff --git a/doc/arm/index.rst b/doc/arm/index.rst
index aeeefe1902..765a0dc40c 100644
--- a/doc/arm/index.rst
+++ b/doc/arm/index.rst
@@ -25,7 +25,7 @@ BIND 9 Administrator Reference Manual
    chapter6
    chapter7
    reference
-   troubleshooting
+   chapter9
    chapter10
 
 .. toctree::
diff --git a/doc/arm/troubleshooting.rst b/doc/arm/troubleshooting.inc.rst
similarity index 99%
rename from doc/arm/troubleshooting.rst
rename to doc/arm/troubleshooting.inc.rst
index 9b86fca1c4..ba1855eede 100644
--- a/doc/arm/troubleshooting.rst
+++ b/doc/arm/troubleshooting.inc.rst
@@ -9,7 +9,7 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. Troubleshooting:
+.. _troubleshooting:
 
 Troubleshooting
 ===============

From f43ff3f9c8c92e91f3faaf950f6771b3cf53a007 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Tue, 22 Mar 2022 01:21:33 +0000
Subject: [PATCH 11/15] Minor DNSSEC guide tweaks

(cherry picked from commit 4ac383e9aeee3e9e1560f5f7d4e4e1424cd42b93)
---
 doc/arm/dnssec-guide.rst          | 2 ++
 doc/dnssec-guide/introduction.rst | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/doc/arm/dnssec-guide.rst b/doc/arm/dnssec-guide.rst
index 0c28849de8..c3a9a0a3a4 100644
--- a/doc/arm/dnssec-guide.rst
+++ b/doc/arm/dnssec-guide.rst
@@ -9,6 +9,8 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
+.. _dnssec_guide:
+
 DNSSEC Guide
 ============
 
diff --git a/doc/dnssec-guide/introduction.rst b/doc/dnssec-guide/introduction.rst
index 1d051270f1..818c7e2681 100644
--- a/doc/dnssec-guide/introduction.rst
+++ b/doc/dnssec-guide/introduction.rst
@@ -219,7 +219,7 @@ trust one key: the root key.
 .. _dnssec_12_steps:
 
 The 12-Step DNSSEC Validation Process (Simplified)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The following example shows the 12 steps of the DNSSEC validating process 
 at a very high level, looking up the name ``www.isc.org`` :
@@ -306,7 +306,7 @@ at a very high level, looking up the name ``www.isc.org`` :
 .. _chain_of_trust:
 
 Chain of Trust
-^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~
 
 But what about the root server itself? Who do we go to verify root's
 keys? There's no parent zone for root. In security, you have to trust

From 98143a2b939bfcbcc149d2d9ee4efc1aa115ecc0 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Fri, 1 Apr 2022 16:47:03 +0000
Subject: [PATCH 12/15] Move zone file material from Reference to new
 subsection of chapter 3

(cherry picked from commit d505090965b70e84f9a70c37528624b33e3e60d4)
---
 doc/arm/Makefile.am   |   1 +
 doc/arm/chapter3.rst  |   3 +-
 doc/arm/reference.rst | 432 ----------------------------------------
 doc/arm/zones.inc.rst | 443 ++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 446 insertions(+), 433 deletions(-)
 create mode 100644 doc/arm/zones.inc.rst

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index ba734687a5..f22b365717 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST =					\
 	tkey.inc.rst				\
 	troubleshooting.inc.rst			\
 	tsig.inc.rst				\
+	zones.inc.rst				\
 	../dnssec-guide				\
 	../misc/acl.grammar.rst			\
 	../misc/controls.grammar.rst		\
diff --git a/doc/arm/chapter3.rst b/doc/arm/chapter3.rst
index 9a51e7e77a..a9d263f609 100644
--- a/doc/arm/chapter3.rst
+++ b/doc/arm/chapter3.rst
@@ -9,4 +9,5 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. include:: configuration.inc.rst
\ No newline at end of file
+.. include:: configuration.inc.rst
+.. include:: zones.inc.rst
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index ed72dfca50..0fcda08291 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6419,438 +6419,6 @@ An ``in-view`` zone cannot be used as a response policy zone.
 
 An ``in-view`` zone is not intended to reference a ``forward`` zone.
 
-.. _zone_file:
-
-Zone File
----------
-
-.. _types_of_resource_records_and_when_to_use_them:
-
-Types of Resource Records and When to Use Them
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This section, largely borrowed from :rfc:`1034`, describes the concept of a
-Resource Record (RR) and explains when each type is used. Since the
-publication of :rfc:`1034`, several new RRs have been identified and
-implemented in the DNS. These are also included.
-
-Resource Records
-^^^^^^^^^^^^^^^^
-
-A domain name identifies a node. Each node has a set of resource
-information, which may be empty. The set of resource information
-associated with a particular name is composed of separate RRs. The order
-of RRs in a set is not significant and need not be preserved by name
-servers, resolvers, or other parts of the DNS. However, sorting of
-multiple RRs is permitted for optimization purposes: for example, to
-specify that a particular nearby server be tried first. See
-:ref:`the_sortlist_statement` and :ref:`rrset_ordering`.
-
-The components of a Resource Record are:
-
-owner name
-    The domain name where the RR is found.
-
-type
-    An encoded 16-bit value that specifies the type of the resource record.
-
-TTL
-    The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
-
-class
-    An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
-
-RDATA
-    The resource data. The format of the data is type- and sometimes class-specific.
-
-For a complete list of *types* of valid RRs, including those that have been obsoleted, please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
-
-The following *classes* of resource records are currently valid in the
-DNS:
-
-IN
-    The Internet.
-
-CH
-    Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., ``version.bind``.
-
-HS
-    Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
-
-The owner name is often implicit, rather than forming an integral part
-of the RR. For example, many name servers internally form tree or hash
-structures for the name space, and chain RRs off nodes. The remaining RR
-parts are the fixed header (type, class, TTL), which is consistent for
-all RRs, and a variable part (RDATA) that fits the needs of the resource
-being described.
-
-The TTL field is a time limit on how long an RR can be
-kept in a cache. This limit does not apply to authoritative data in
-zones; that also times out, but follows the refreshing policies for the
-zone. The TTL is assigned by the administrator for the zone where the
-data originates. While short TTLs can be used to minimize caching, and a
-zero TTL prohibits caching, the realities of Internet performance
-suggest that these times should be on the order of days for the typical
-host. If a change is anticipated, the TTL can be reduced prior to
-the change to minimize inconsistency, and then
-increased back to its former value following the change.
-
-The data in the RDATA section of RRs is carried as a combination of
-binary strings and domain names. The domain names are frequently used as
-"pointers" to other data in the DNS.
-
-.. _rr_text:
-
-Textual Expression of RRs
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-RRs are represented in binary form in the packets of the DNS protocol,
-and are usually represented in highly encoded form when stored in a name
-server or resolver. In the examples provided in :rfc:`1034`, a style
-similar to that used in primary files was employed in order to show the
-contents of RRs. In this format, most RRs are shown on a single line,
-although continuation lines are possible using parentheses.
-
-The start of the line gives the owner of the RR. If a line begins with a
-blank, then the owner is assumed to be the same as that of the previous
-RR. Blank lines are often included for readability.
-
-Following the owner are listed the TTL, type, and class of the RR. Class
-and type use the mnemonics defined above, and TTL is an integer before
-the type field. To avoid ambiguity in parsing, type and class
-mnemonics are disjoint, TTLs are integers, and the type mnemonic is
-always last. The IN class and TTL values are often omitted from examples
-in the interest of clarity.
-
-The resource data or RDATA section of the RR is given using knowledge
-of the typical representation for the data.
-
-For example, the RRs carried in a message might be shown as:
-
- +---------------------+---------------+--------------------------------+
- | ``ISI.EDU.``        | ``MX``        | ``10 VENERA.ISI.EDU.``         |
- +---------------------+---------------+--------------------------------+
- |                     | ``MX``        | ``10 VAXA.ISI.EDU``            |
- +---------------------+---------------+--------------------------------+
- | ``VENERA.ISI.EDU``  | ``A``         | ``128.9.0.32``                 |
- +---------------------+---------------+--------------------------------+
- |                     | ``A``         | ``10.1.0.52``                  |
- +---------------------+---------------+--------------------------------+
- | ``VAXA.ISI.EDU``    | ``A``         | ``10.2.0.27``                  |
- +---------------------+---------------+--------------------------------+
- |                     | ``A``         | ``128.9.0.33``                 |
- +---------------------+---------------+--------------------------------+
-
-The MX RRs have an RDATA section which consists of a 16-bit number
-followed by a domain name. The address RRs use a standard IP address
-format to contain a 32-bit Internet address.
-
-The above example shows six RRs, with two RRs at each of three domain
-names.
-
-Here is another possible example:
-
- +----------------------+---------------+-------------------------------+
- | ``XX.LCS.MIT.EDU.``  | ``IN A``      | ``10.0.0.44``                 |
- +----------------------+---------------+-------------------------------+
- |                      | ``CH A``      | ``MIT.EDU. 2420``             |
- +----------------------+---------------+-------------------------------+
-
-This shows two addresses for ``XX.LCS.MIT.EDU``, each of a
-different class.
-
-.. _mx_records:
-
-Discussion of MX Records
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-As described above, domain servers store information as a series of
-resource records, each of which contains a particular piece of
-information about a given domain name (which is usually, but not always,
-a host). The simplest way to think of an RR is as a typed pair of data, a
-domain name matched with a relevant datum and stored with some
-additional type information, to help systems determine when the RR is
-relevant.
-
-MX records are used to control delivery of email. The data specified in
-the record is a priority and a domain name. The priority controls the
-order in which email delivery is attempted, with the lowest number
-first. If two priorities are the same, a server is chosen randomly. If
-no servers at a given priority are responding, the mail transport agent
-falls back to the next largest priority. Priority numbers do not
-have any absolute meaning; they are relevant only respective to other
-MX records for that domain name. The domain name given is the machine to
-which the mail is delivered. It *must* have an associated address
-record (A or AAAA); CNAME is not sufficient.
-
-For a given domain, if there is both a CNAME record and an MX record,
-the MX record is in error and is ignored. Instead, the mail is
-delivered to the server specified in the MX record pointed to by the
-CNAME. For example:
-
- +------------------------+--------+--------+--------------+------------------------+
- | ``example.com.``       | ``IN`` | ``MX`` | ``10``       | ``mail.example.com.``  |
- +------------------------+--------+--------+--------------+------------------------+
- |                        | ``IN`` | ``MX`` | ``10``       | ``mail2.example.com.`` |
- +------------------------+--------+--------+--------------+------------------------+
- |                        | ``IN`` | ``MX`` | ``20``       | ``mail.backup.org.``   |
- +------------------------+--------+--------+--------------+------------------------+
- | ``mail.example.com.``  | ``IN`` | ``A``  | ``10.0.0.1`` |                        |
- +------------------------+--------+--------+--------------+------------------------+
- | ``mail2.example.com.`` | ``IN`` | ``A``  | ``10.0.0.2`` |                        |
- +------------------------+--------+--------+--------------+------------------------+
-
-Mail delivery is attempted to ``mail.example.com`` and
-``mail2.example.com`` (in any order); if neither of those succeeds,
-delivery to ``mail.backup.org`` is attempted.
-
-.. _Setting_TTLs:
-
-Setting TTLs
-~~~~~~~~~~~~
-
-The time-to-live (TTL) of the RR field is a 32-bit integer represented in
-units of seconds, and is primarily used by resolvers when they cache
-RRs. The TTL describes how long an RR can be cached before it should be
-discarded. The following three types of TTLs are currently used in a zone
-file.
-
-SOA
-    The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server.
-
-    The maximum time for negative caching is 3 hours (3h).
-
-$TTL
-    The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
-
-RR TTLs
-    Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
-
-All of these TTLs default to units of seconds, though units can be
-explicitly specified: for example, ``1h30m``.
-
-.. _ipv4_reverse:
-
-Inverse Mapping in IPv4
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Reverse name resolution (that is, translation from IP address to name)
-is achieved by means of the ``in-addr.arpa`` domain and PTR records.
-Entries in the in-addr.arpa domain are made in least-to-most significant
-order, read left to right. This is the opposite order to the way IP
-addresses are usually written. Thus, a machine with an IP address of
-10.1.2.3 would have a corresponding in-addr.arpa name of
-3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
-data field is the name of the machine or, optionally, multiple PTR
-records if the machine has more than one name. For example, in the
-``example.com`` domain:
-
- +--------------+-------------------------------------------------------+
- | ``$ORIGIN``  | ``2.1.10.in-addr.arpa``                               |
- +--------------+-------------------------------------------------------+
- | ``3``        | ``IN PTR foo.example.com.``                           |
- +--------------+-------------------------------------------------------+
-
-.. note::
-
-   The ``$ORIGIN`` line in this example is only to provide context;
-   it does not necessarily appear in the actual
-   usage. It is only used here to indicate that the example is
-   relative to the listed origin.
-
-.. _zone_directives:
-
-Other Zone File Directives
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The DNS "master file" format was initially defined in :rfc:`1035` and has
-subsequently been extended. While the format itself is class-independent,
-all records in a zone file must be of the same class.
-
-Master file directives include ``$ORIGIN``, ``$INCLUDE``, and ``$TTL.``
-
-.. _atsign:
-
-The ``@`` (at-sign)
-^^^^^^^^^^^^^^^^^^^
-
-When used in the label (or name) field, the asperand or at-sign (@)
-symbol represents the current origin. At the start of the zone file, it
-is the <``zone_name``>, followed by a trailing dot (.).
-
-.. _origin_directive:
-
-The ``$ORIGIN`` Directive
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Syntax: ``$ORIGIN`` domain-name [comment]
-
-``$ORIGIN`` sets the domain name that is appended to any
-unqualified records. When a zone is first read, there is an implicit
-``$ORIGIN`` <``zone_name``>``.``; note the trailing dot. The
-current ``$ORIGIN`` is appended to the domain specified in the
-``$ORIGIN`` argument if it is not absolute.
-
-::
-
-   $ORIGIN example.com.
-   WWW     CNAME   MAIN-SERVER
-
-is equivalent to
-
-::
-
-   WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
-
-.. _include_directive:
-
-The ``$INCLUDE`` Directive
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Syntax: ``$INCLUDE`` filename [origin] [comment]
-
-This reads and processes the file ``filename`` as if it were included in the
-file at this point. The ``filename`` can be an absolute path, or a relative
-path. In the latter case it is read from :iscman:`named`'s working directory. If
-``origin`` is specified, the file is processed with ``$ORIGIN`` set to that
-value; otherwise, the current ``$ORIGIN`` is used.
-
-The origin and the current domain name revert to the values they had
-prior to the ``$INCLUDE`` once the file has been read.
-
-.. note::
-
-   :rfc:`1035` specifies that the current origin should be restored after
-   an ``$INCLUDE``, but it is silent on whether the current domain name
-   should also be restored. BIND 9 restores both of them. This could be
-   construed as a deviation from :rfc:`1035`, a feature, or both.
-
-.. _ttl_directive:
-
-The ``$TTL`` Directive
-^^^^^^^^^^^^^^^^^^^^^^
-
-Syntax: ``$TTL`` default-ttl [comment]
-
-This sets the default Time-To-Live (TTL) for subsequent records with undefined
-TTLs. Valid TTLs are of the range 0-2147483647 seconds.
-
-``$TTL`` is defined in :rfc:`2308`.
-
-.. _generate_directive:
-
-BIND Primary File Extension: the ``$GENERATE`` Directive
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Syntax: ``$GENERATE`` range lhs [ttl] [class] type rhs [comment]
-
-``$GENERATE`` is used to create a series of resource records that only
-differ from each other by an iterator. ``$GENERATE`` can be used to
-easily generate the sets of records required to support sub-/24 reverse
-delegations described in :rfc:`2317`.
-
-::
-
-   $ORIGIN 0.0.192.IN-ADDR.ARPA.
-   $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
-   $GENERATE 1-127 $ CNAME $.0
-
-is equivalent to
-
-::
-
-   0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
-   0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
-   1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
-   2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
-   ...
-   127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
-
-Both generate a set of A and MX records. Note the MX's right-hand side is a
-quoted string. The quotes are stripped when the right-hand side is
-processed.
-
-::
-
-   $ORIGIN EXAMPLE.
-   $GENERATE 1-127 HOST-$ A 1.2.3.$
-   $GENERATE 1-127 HOST-$ MX "0 ."
-
-is equivalent to
-
-::
-
-   HOST-1.EXAMPLE.   A  1.2.3.1
-   HOST-1.EXAMPLE.   MX 0 .
-   HOST-2.EXAMPLE.   A  1.2.3.2
-   HOST-2.EXAMPLE.   MX 0 .
-   HOST-3.EXAMPLE.   A  1.2.3.3
-   HOST-3.EXAMPLE.   MX 0 .
-   ...
-   HOST-127.EXAMPLE. A  1.2.3.127
-   HOST-127.EXAMPLE. MX 0 .
-
-``range``
-    This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop".
-
-``owner``
-    This describes the owner name of the resource records to be created. Any single ``$`` (dollar sign) symbols within the ``owner`` string are replaced by the iterator value. To get a ``$`` in the output, escape the ``$`` using a backslash ``\``, e.g., ``\$``. The ``$`` may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
-
-    Modifiers are introduced by a ``{`` (left brace) immediately following the ``$``, as in  ``${offset[,width[,base]]}``. For example, ``${-20,3,d}`` subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (``d``), octal (``o``), hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` or ``N`` for uppercase).
-
-    The default modifier is ``${0,0,d}``. If the ``owner`` is not absolute, the current ``$ORIGIN`` is appended to the name.
-
-    In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
-
-    For compatibility with earlier versions, ``$$`` is still recognized as indicating a literal $ in the output.
-
-``ttl``
-    This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules.
-
-    ``class`` and ``ttl`` can be entered in either order.
-
-``class``
-    This specifies the class of the generated records. This must match the zone class if it is specified.
-
-    ``class`` and ``ttl`` can be entered in either order.
-
-``type``
-    This can be any valid type.
-
-``rdata``
-    This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
-
-The ``$GENERATE`` directive is a BIND extension and not part of the
-standard zone file format.
-
-.. _zonefile_format:
-
-Additional File Formats
-~~~~~~~~~~~~~~~~~~~~~~~
-
-In addition to the standard text format, BIND 9 supports the ability
-to read or dump to zone files in other formats.
-
-The ``raw`` format is a binary representation of zone data in a manner
-similar to that used in zone transfers. Since it does not require
-parsing text, load time is significantly reduced.
-
-For a primary server, a zone file in ``raw`` format is expected
-to be generated from a text zone file by the :iscman:`named-compilezone` command.
-For a secondary server or a dynamic zone, the zone file is automatically
-generated when :iscman:`named` dumps the zone contents after zone transfer or
-when applying prior updates, if one of these formats is specified by the
-``masterfile-format`` option.
-
-If a zone file in ``raw`` format needs manual modification, it first must
-be converted to ``text`` format by the :iscman:`named-compilezone` command,
-then converted back after editing.  For example:
-
-::
-
-    named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
-    [edit zonefile.text]
-    named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text
 
 .. _statistics:
 
diff --git a/doc/arm/zones.inc.rst b/doc/arm/zones.inc.rst
new file mode 100644
index 0000000000..71a7acbe98
--- /dev/null
+++ b/doc/arm/zones.inc.rst
@@ -0,0 +1,443 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _zone_file:
+
+Zone File
+---------
+
+.. _types_of_resource_records_and_when_to_use_them:
+
+Types of Resource Records and When to Use Them
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This section, largely borrowed from :rfc:`1034`, describes the concept of a
+Resource Record (RR) and explains when each type is used. Since the
+publication of :rfc:`1034`, several new RRs have been identified and
+implemented in the DNS. These are also included.
+
+Resource Records
+^^^^^^^^^^^^^^^^
+
+A domain name identifies a node. Each node has a set of resource
+information, which may be empty. The set of resource information
+associated with a particular name is composed of separate RRs. The order
+of RRs in a set is not significant and need not be preserved by name
+servers, resolvers, or other parts of the DNS. However, sorting of
+multiple RRs is permitted for optimization purposes: for example, to
+specify that a particular nearby server be tried first. See
+:ref:`the_sortlist_statement` and :ref:`rrset_ordering`.
+
+The components of a Resource Record are:
+
+owner name
+    The domain name where the RR is found.
+
+type
+    An encoded 16-bit value that specifies the type of the resource record.
+
+TTL
+    The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
+
+class
+    An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
+
+RDATA
+    The resource data. The format of the data is type- and sometimes class-specific.
+
+For a complete list of *types* of valid RRs, including those that have been obsoleted, please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
+
+The following *classes* of resource records are currently valid in the
+DNS:
+
+IN
+    The Internet.
+
+CH
+    Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., ``version.bind``.
+
+HS
+    Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
+
+The owner name is often implicit, rather than forming an integral part
+of the RR. For example, many name servers internally form tree or hash
+structures for the name space, and chain RRs off nodes. The remaining RR
+parts are the fixed header (type, class, TTL), which is consistent for
+all RRs, and a variable part (RDATA) that fits the needs of the resource
+being described.
+
+The TTL field is a time limit on how long an RR can be
+kept in a cache. This limit does not apply to authoritative data in
+zones; that also times out, but follows the refreshing policies for the
+zone. The TTL is assigned by the administrator for the zone where the
+data originates. While short TTLs can be used to minimize caching, and a
+zero TTL prohibits caching, the realities of Internet performance
+suggest that these times should be on the order of days for the typical
+host. If a change is anticipated, the TTL can be reduced prior to
+the change to minimize inconsistency, and then
+increased back to its former value following the change.
+
+The data in the RDATA section of RRs is carried as a combination of
+binary strings and domain names. The domain names are frequently used as
+"pointers" to other data in the DNS.
+
+.. _rr_text:
+
+Textual Expression of RRs
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+RRs are represented in binary form in the packets of the DNS protocol,
+and are usually represented in highly encoded form when stored in a name
+server or resolver. In the examples provided in :rfc:`1034`, a style
+similar to that used in primary files was employed in order to show the
+contents of RRs. In this format, most RRs are shown on a single line,
+although continuation lines are possible using parentheses.
+
+The start of the line gives the owner of the RR. If a line begins with a
+blank, then the owner is assumed to be the same as that of the previous
+RR. Blank lines are often included for readability.
+
+Following the owner are listed the TTL, type, and class of the RR. Class
+and type use the mnemonics defined above, and TTL is an integer before
+the type field. To avoid ambiguity in parsing, type and class
+mnemonics are disjoint, TTLs are integers, and the type mnemonic is
+always last. The IN class and TTL values are often omitted from examples
+in the interest of clarity.
+
+The resource data or RDATA section of the RR is given using knowledge
+of the typical representation for the data.
+
+For example, the RRs carried in a message might be shown as:
+
+ +---------------------+---------------+--------------------------------+
+ | ``ISI.EDU.``        | ``MX``        | ``10 VENERA.ISI.EDU.``         |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``MX``        | ``10 VAXA.ISI.EDU``            |
+ +---------------------+---------------+--------------------------------+
+ | ``VENERA.ISI.EDU``  | ``A``         | ``128.9.0.32``                 |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``A``         | ``10.1.0.52``                  |
+ +---------------------+---------------+--------------------------------+
+ | ``VAXA.ISI.EDU``    | ``A``         | ``10.2.0.27``                  |
+ +---------------------+---------------+--------------------------------+
+ |                     | ``A``         | ``128.9.0.33``                 |
+ +---------------------+---------------+--------------------------------+
+
+The MX RRs have an RDATA section which consists of a 16-bit number
+followed by a domain name. The address RRs use a standard IP address
+format to contain a 32-bit Internet address.
+
+The above example shows six RRs, with two RRs at each of three domain
+names.
+
+Here is another possible example:
+
+ +----------------------+---------------+-------------------------------+
+ | ``XX.LCS.MIT.EDU.``  | ``IN A``      | ``10.0.0.44``                 |
+ +----------------------+---------------+-------------------------------+
+ |                      | ``CH A``      | ``MIT.EDU. 2420``             |
+ +----------------------+---------------+-------------------------------+
+
+This shows two addresses for ``XX.LCS.MIT.EDU``, each of a
+different class.
+
+.. _mx_records:
+
+Discussion of MX Records
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+As described above, domain servers store information as a series of
+resource records, each of which contains a particular piece of
+information about a given domain name (which is usually, but not always,
+a host). The simplest way to think of an RR is as a typed pair of data, a
+domain name matched with a relevant datum and stored with some
+additional type information, to help systems determine when the RR is
+relevant.
+
+MX records are used to control delivery of email. The data specified in
+the record is a priority and a domain name. The priority controls the
+order in which email delivery is attempted, with the lowest number
+first. If two priorities are the same, a server is chosen randomly. If
+no servers at a given priority are responding, the mail transport agent
+falls back to the next largest priority. Priority numbers do not
+have any absolute meaning; they are relevant only respective to other
+MX records for that domain name. The domain name given is the machine to
+which the mail is delivered. It *must* have an associated address
+record (A or AAAA); CNAME is not sufficient.
+
+For a given domain, if there is both a CNAME record and an MX record,
+the MX record is in error and is ignored. Instead, the mail is
+delivered to the server specified in the MX record pointed to by the
+CNAME. For example:
+
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``example.com.``       | ``IN`` | ``MX`` | ``10``       | ``mail.example.com.``  |
+ +------------------------+--------+--------+--------------+------------------------+
+ |                        | ``IN`` | ``MX`` | ``10``       | ``mail2.example.com.`` |
+ +------------------------+--------+--------+--------------+------------------------+
+ |                        | ``IN`` | ``MX`` | ``20``       | ``mail.backup.org.``   |
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``mail.example.com.``  | ``IN`` | ``A``  | ``10.0.0.1`` |                        |
+ +------------------------+--------+--------+--------------+------------------------+
+ | ``mail2.example.com.`` | ``IN`` | ``A``  | ``10.0.0.2`` |                        |
+ +------------------------+--------+--------+--------------+------------------------+
+
+Mail delivery is attempted to ``mail.example.com`` and
+``mail2.example.com`` (in any order); if neither of those succeeds,
+delivery to ``mail.backup.org`` is attempted.
+
+.. _Setting_TTLs:
+
+Setting TTLs
+~~~~~~~~~~~~
+
+The time-to-live (TTL) of the RR field is a 32-bit integer represented in
+units of seconds, and is primarily used by resolvers when they cache
+RRs. The TTL describes how long an RR can be cached before it should be
+discarded. The following three types of TTLs are currently used in a zone
+file.
+
+SOA
+    The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server.
+
+    The maximum time for negative caching is 3 hours (3h).
+
+$TTL
+    The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
+
+RR TTLs
+    Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
+
+All of these TTLs default to units of seconds, though units can be
+explicitly specified: for example, ``1h30m``.
+
+.. _ipv4_reverse:
+
+Inverse Mapping in IPv4
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Reverse name resolution (that is, translation from IP address to name)
+is achieved by means of the ``in-addr.arpa`` domain and PTR records.
+Entries in the in-addr.arpa domain are made in least-to-most significant
+order, read left to right. This is the opposite order to the way IP
+addresses are usually written. Thus, a machine with an IP address of
+10.1.2.3 would have a corresponding in-addr.arpa name of
+3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
+data field is the name of the machine or, optionally, multiple PTR
+records if the machine has more than one name. For example, in the
+``example.com`` domain:
+
+ +--------------+-------------------------------------------------------+
+ | ``$ORIGIN``  | ``2.1.10.in-addr.arpa``                               |
+ +--------------+-------------------------------------------------------+
+ | ``3``        | ``IN PTR foo.example.com.``                           |
+ +--------------+-------------------------------------------------------+
+
+.. note::
+
+   The ``$ORIGIN`` line in this example is only to provide context;
+   it does not necessarily appear in the actual
+   usage. It is only used here to indicate that the example is
+   relative to the listed origin.
+
+.. _zone_directives:
+
+Other Zone File Directives
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The DNS "master file" format was initially defined in :rfc:`1035` and has
+subsequently been extended. While the format itself is class-independent,
+all records in a zone file must be of the same class.
+
+Master file directives include ``$ORIGIN``, ``$INCLUDE``, and ``$TTL.``
+
+.. _atsign:
+
+The ``@`` (at-sign)
+^^^^^^^^^^^^^^^^^^^
+
+When used in the label (or name) field, the asperand or at-sign (@)
+symbol represents the current origin. At the start of the zone file, it
+is the <``zone_name``>, followed by a trailing dot (.).
+
+.. _origin_directive:
+
+The ``$ORIGIN`` Directive
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$ORIGIN`` domain-name [comment]
+
+``$ORIGIN`` sets the domain name that is appended to any
+unqualified records. When a zone is first read, there is an implicit
+``$ORIGIN`` <``zone_name``>``.``; note the trailing dot. The
+current ``$ORIGIN`` is appended to the domain specified in the
+``$ORIGIN`` argument if it is not absolute.
+
+::
+
+   $ORIGIN example.com.
+   WWW     CNAME   MAIN-SERVER
+
+is equivalent to
+
+::
+
+   WWW.EXAMPLE.COM. CNAME MAIN-SERVER.EXAMPLE.COM.
+
+.. _include_directive:
+
+The ``$INCLUDE`` Directive
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$INCLUDE`` filename [origin] [comment]
+
+This reads and processes the file ``filename`` as if it were included in the
+file at this point. The ``filename`` can be an absolute path, or a relative
+path. In the latter case it is read from :iscman:`named`'s working directory. If
+``origin`` is specified, the file is processed with ``$ORIGIN`` set to that
+value; otherwise, the current ``$ORIGIN`` is used.
+
+The origin and the current domain name revert to the values they had
+prior to the ``$INCLUDE`` once the file has been read.
+
+.. note::
+
+   :rfc:`1035` specifies that the current origin should be restored after
+   an ``$INCLUDE``, but it is silent on whether the current domain name
+   should also be restored. BIND 9 restores both of them. This could be
+   construed as a deviation from :rfc:`1035`, a feature, or both.
+
+.. _ttl_directive:
+
+The ``$TTL`` Directive
+^^^^^^^^^^^^^^^^^^^^^^
+
+Syntax: ``$TTL`` default-ttl [comment]
+
+This sets the default Time-To-Live (TTL) for subsequent records with undefined
+TTLs. Valid TTLs are of the range 0-2147483647 seconds.
+
+``$TTL`` is defined in :rfc:`2308`.
+
+.. _generate_directive:
+
+BIND Primary File Extension: the ``$GENERATE`` Directive
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Syntax: ``$GENERATE`` range lhs [ttl] [class] type rhs [comment]
+
+``$GENERATE`` is used to create a series of resource records that only
+differ from each other by an iterator. ``$GENERATE`` can be used to
+easily generate the sets of records required to support sub-/24 reverse
+delegations described in :rfc:`2317`.
+
+::
+
+   $ORIGIN 0.0.192.IN-ADDR.ARPA.
+   $GENERATE 1-2 @ NS SERVER$.EXAMPLE.
+   $GENERATE 1-127 $ CNAME $.0
+
+is equivalent to
+
+::
+
+   0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
+   0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
+   1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
+   2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
+   ...
+   127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
+
+Both generate a set of A and MX records. Note the MX's right-hand side is a
+quoted string. The quotes are stripped when the right-hand side is
+processed.
+
+::
+
+   $ORIGIN EXAMPLE.
+   $GENERATE 1-127 HOST-$ A 1.2.3.$
+   $GENERATE 1-127 HOST-$ MX "0 ."
+
+is equivalent to
+
+::
+
+   HOST-1.EXAMPLE.   A  1.2.3.1
+   HOST-1.EXAMPLE.   MX 0 .
+   HOST-2.EXAMPLE.   A  1.2.3.2
+   HOST-2.EXAMPLE.   MX 0 .
+   HOST-3.EXAMPLE.   A  1.2.3.3
+   HOST-3.EXAMPLE.   MX 0 .
+   ...
+   HOST-127.EXAMPLE. A  1.2.3.127
+   HOST-127.EXAMPLE. MX 0 .
+
+``range``
+    This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop".
+
+``owner``
+    This describes the owner name of the resource records to be created. Any single ``$`` (dollar sign) symbols within the ``owner`` string are replaced by the iterator value. To get a ``$`` in the output, escape the ``$`` using a backslash ``\``, e.g., ``\$``. The ``$`` may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
+
+    Modifiers are introduced by a ``{`` (left brace) immediately following the ``$``, as in  ``${offset[,width[,base]]}``. For example, ``${-20,3,d}`` subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (``d``), octal (``o``), hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` or ``N`` for uppercase).
+
+    The default modifier is ``${0,0,d}``. If the ``owner`` is not absolute, the current ``$ORIGIN`` is appended to the name.
+
+    In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
+
+    For compatibility with earlier versions, ``$$`` is still recognized as indicating a literal $ in the output.
+
+``ttl``
+    This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules.
+
+    ``class`` and ``ttl`` can be entered in either order.
+
+``class``
+    This specifies the class of the generated records. This must match the zone class if it is specified.
+
+    ``class`` and ``ttl`` can be entered in either order.
+
+``type``
+    This can be any valid type.
+
+``rdata``
+    This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
+
+The ``$GENERATE`` directive is a BIND extension and not part of the
+standard zone file format.
+
+.. _zonefile_format:
+
+Additional File Formats
+~~~~~~~~~~~~~~~~~~~~~~~
+
+In addition to the standard text format, BIND 9 supports the ability
+to read or dump to zone files in other formats.
+
+The ``raw`` format is a binary representation of zone data in a manner
+similar to that used in zone transfers. Since it does not require
+parsing text, load time is significantly reduced.
+
+For a primary server, a zone file in ``raw`` format is expected
+to be generated from a text zone file by the :iscman:`named-compilezone` command.
+For a secondary server or a dynamic zone, the zone file is automatically
+generated when :iscman:`named` dumps the zone contents after zone transfer or
+when applying prior updates, if one of these formats is specified by the
+``masterfile-format`` option.
+
+If a zone file in ``raw`` format needs manual modification, it first must
+be converted to ``text`` format by the :iscman:`named-compilezone` command,
+then converted back after editing.  For example:
+
+::
+
+    named-compilezone -f raw -F text -o zonefile.text <origin> zonefile.raw
+    [edit zonefile.text]
+    named-compilezone -f text -F raw -o zonefile.raw <origin> zonefile.text

From 55d325e42079fd02524730fee8e33ef12bb230cc Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Tue, 5 Apr 2022 06:30:26 +0000
Subject: [PATCH 13/15] Tweak zones.inc.rst now separated from Reference
 section

(cherry picked from commit 178fc50b42d08488d53c59ec5cb9e5f196a198e8)
---
 doc/arm/zones.inc.rst | 206 ++++++++++++++++++++++--------------------
 1 file changed, 106 insertions(+), 100 deletions(-)

diff --git a/doc/arm/zones.inc.rst b/doc/arm/zones.inc.rst
index 71a7acbe98..56830e31ae 100644
--- a/doc/arm/zones.inc.rst
+++ b/doc/arm/zones.inc.rst
@@ -11,23 +11,18 @@
 
 .. _zone_file:
 
+.. _soa_rr:
+
 Zone File
 ---------
 
-.. _types_of_resource_records_and_when_to_use_them:
-
-Types of Resource Records and When to Use Them
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
 This section, largely borrowed from :rfc:`1034`, describes the concept of a
-Resource Record (RR) and explains when each type is used. Since the
-publication of :rfc:`1034`, several new RRs have been identified and
-implemented in the DNS. These are also included.
+Resource Record (RR) and explains how to use them.
 
 Resource Records
-^^^^^^^^^^^^^^^^
+~~~~~~~~~~~~~~~~
 
-A domain name identifies a node. Each node has a set of resource
+A domain name identifies a node in the DNS tree namespace. Each node has a set of resource
 information, which may be empty. The set of resource information
 associated with a particular name is composed of separate RRs. The order
 of RRs in a set is not significant and need not be preserved by name
@@ -38,36 +33,43 @@ specify that a particular nearby server be tried first. See
 
 The components of a Resource Record are:
 
-owner name
-    The domain name where the RR is found.
+.. glossary::
 
-type
-    An encoded 16-bit value that specifies the type of the resource record.
+   owner name
+      The domain name where the RR is found.
 
-TTL
-    The time-to-live of the RR. This field is a 32-bit integer in units of seconds, and is primarily used by resolvers when they cache RRs. The TTL describes how long a RR can be cached before it should be discarded.
+   type
+      An encoded 16-bit value that specifies the type of the resource record.
+      For a list of *types* of valid RRs, including those that have been obsoleted, please refer to
+      `https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4`.
 
-class
-    An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
+   TTL
+      The time-to-live of the RR. This field is a 32-bit integer in units of seconds,
+      and is primarily used by resolvers when they cache RRs. The TTL describes how long
+      a RR can be cached before it should be discarded.
 
-RDATA
-    The resource data. The format of the data is type- and sometimes class-specific.
+   class
+      An encoded 16-bit value that identifies a protocol family or an instance of a protocol.
+
+   RDATA
+      The resource data. The format of the data is type- and sometimes class-specific.
 
-For a complete list of *types* of valid RRs, including those that have been obsoleted, please refer to https://en.wikipedia.org/wiki/List_of_DNS_record_types.
 
 The following *classes* of resource records are currently valid in the
 DNS:
 
-IN
-    The Internet.
+.. glossary::
 
-CH
-    Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., ``version.bind``.
+   IN
+      The Internet. The only widely :term:`class` used today.
 
-HS
-    Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
+   CH
+      Chaosnet, a LAN protocol created at MIT in the mid-1970s. It was rarely used for its historical purpose, but was reused for BIND's built-in server information zones, e.g., **version.bind**.
 
-The owner name is often implicit, rather than forming an integral part
+   HS
+      Hesiod, an information service developed by MIT's Project Athena. It was used to share information about various systems databases, such as users, groups, printers, etc.
+
+The :term:`owner name` is often implicit, rather than forming an integral part
 of the RR. For example, many name servers internally form tree or hash
 structures for the name space, and chain RRs off nodes. The remaining RR
 parts are the fixed header (type, class, TTL), which is consistent for
@@ -118,17 +120,17 @@ of the typical representation for the data.
 For example, the RRs carried in a message might be shown as:
 
  +---------------------+---------------+--------------------------------+
- | ``ISI.EDU.``        | ``MX``        | ``10 VENERA.ISI.EDU.``         |
+ | **ISI.EDU.**        | **MX**        | **10 VENERA.ISI.EDU.**         |
  +---------------------+---------------+--------------------------------+
- |                     | ``MX``        | ``10 VAXA.ISI.EDU``            |
+ |                     | **MX**        | **10 VAXA.ISI.EDU**            |
  +---------------------+---------------+--------------------------------+
- | ``VENERA.ISI.EDU``  | ``A``         | ``128.9.0.32``                 |
+ | **VENERA.ISI.EDU**  | **A**         | **128.9.0.32**                 |
  +---------------------+---------------+--------------------------------+
- |                     | ``A``         | ``10.1.0.52``                  |
+ |                     | **A**         | **10.1.0.52**                  |
  +---------------------+---------------+--------------------------------+
- | ``VAXA.ISI.EDU``    | ``A``         | ``10.2.0.27``                  |
+ | **VAXA.ISI.EDU**    | **A**         | **10.2.0.27**                  |
  +---------------------+---------------+--------------------------------+
- |                     | ``A``         | ``128.9.0.33``                 |
+ |                     | **A**         | **128.9.0.33**                 |
  +---------------------+---------------+--------------------------------+
 
 The MX RRs have an RDATA section which consists of a 16-bit number
@@ -141,12 +143,12 @@ names.
 Here is another possible example:
 
  +----------------------+---------------+-------------------------------+
- | ``XX.LCS.MIT.EDU.``  | ``IN A``      | ``10.0.0.44``                 |
+ | **XX.LCS.MIT.EDU.**  | **IN A**      | **10.0.0.44**                 |
  +----------------------+---------------+-------------------------------+
- |                      | ``CH A``      | ``MIT.EDU. 2420``             |
+ |                      | **CH A**      | **MIT.EDU. 2420**             |
  +----------------------+---------------+-------------------------------+
 
-This shows two addresses for ``XX.LCS.MIT.EDU``, each of a
+This shows two addresses for **XX.LCS.MIT.EDU**, each of a
 different class.
 
 .. _mx_records:
@@ -179,20 +181,20 @@ delivered to the server specified in the MX record pointed to by the
 CNAME. For example:
 
  +------------------------+--------+--------+--------------+------------------------+
- | ``example.com.``       | ``IN`` | ``MX`` | ``10``       | ``mail.example.com.``  |
+ | **example.com.**       | **IN** | **MX** | **10**       | **mail.example.com.**  |
  +------------------------+--------+--------+--------------+------------------------+
- |                        | ``IN`` | ``MX`` | ``10``       | ``mail2.example.com.`` |
+ |                        | **IN** | **MX** | **10**       | **mail2.example.com.** |
  +------------------------+--------+--------+--------------+------------------------+
- |                        | ``IN`` | ``MX`` | ``20``       | ``mail.backup.org.``   |
+ |                        | **IN** | **MX** | **20**       | **mail.backup.org.**   |
  +------------------------+--------+--------+--------------+------------------------+
- | ``mail.example.com.``  | ``IN`` | ``A``  | ``10.0.0.1`` |                        |
+ | **mail.example.com.**  | **IN** | **A**  | **10.0.0.1** |                        |
  +------------------------+--------+--------+--------------+------------------------+
- | ``mail2.example.com.`` | ``IN`` | ``A``  | ``10.0.0.2`` |                        |
+ | **mail2.example.com.** | **IN** | **A**  | **10.0.0.2** |                        |
  +------------------------+--------+--------+--------------+------------------------+
 
-Mail delivery is attempted to ``mail.example.com`` and
-``mail2.example.com`` (in any order); if neither of those succeeds,
-delivery to ``mail.backup.org`` is attempted.
+Mail delivery is attempted to **mail.example.com** and
+**mail2.example.com** (in any order); if neither of those succeeds,
+delivery to **mail.backup.org** is attempted.
 
 .. _Setting_TTLs:
 
@@ -205,19 +207,23 @@ RRs. The TTL describes how long an RR can be cached before it should be
 discarded. The following three types of TTLs are currently used in a zone
 file.
 
-SOA
-    The last field in the SOA is the negative caching TTL. This controls how long other servers cache no-such-domain (NXDOMAIN) responses from this server.
+.. glossary::
 
-    The maximum time for negative caching is 3 hours (3h).
+   SOA minimum
+       The last field in the SOA is the negative caching TTL.
+       This controls how long other servers cache no-such-domain (NXDOMAIN)
+       responses from this server. Further details can be found in :rfc:`2308`.
 
-$TTL
-    The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
+       The maximum time for negative caching is 3 hours (3h).
 
-RR TTLs
-    Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
+   $TTL
+       The $TTL directive at the top of the zone file (before the SOA) gives a default TTL for every RR without a specific TTL set.
+
+   RR TTLs
+       Each RR can have a TTL as the second field in the RR, which controls how long other servers can cache it.
 
 All of these TTLs default to units of seconds, though units can be
-explicitly specified: for example, ``1h30m``.
+explicitly specified: for example, **1h30m**.
 
 .. _ipv4_reverse:
 
@@ -225,7 +231,7 @@ Inverse Mapping in IPv4
 ~~~~~~~~~~~~~~~~~~~~~~~
 
 Reverse name resolution (that is, translation from IP address to name)
-is achieved by means of the ``in-addr.arpa`` domain and PTR records.
+is achieved by means of the **in-addr.arpa** domain and PTR records.
 Entries in the in-addr.arpa domain are made in least-to-most significant
 order, read left to right. This is the opposite order to the way IP
 addresses are usually written. Thus, a machine with an IP address of
@@ -233,17 +239,17 @@ addresses are usually written. Thus, a machine with an IP address of
 3.2.1.10.in-addr.arpa. This name should have a PTR resource record whose
 data field is the name of the machine or, optionally, multiple PTR
 records if the machine has more than one name. For example, in the
-``example.com`` domain:
+**example.com** domain:
 
  +--------------+-------------------------------------------------------+
- | ``$ORIGIN``  | ``2.1.10.in-addr.arpa``                               |
+ | **$ORIGIN**  | **2.1.10.in-addr.arpa**                               |
  +--------------+-------------------------------------------------------+
- | ``3``        | ``IN PTR foo.example.com.``                           |
+ | **3**        | **IN PTR foo.example.com.**                           |
  +--------------+-------------------------------------------------------+
 
 .. note::
 
-   The ``$ORIGIN`` line in this example is only to provide context;
+   The **$ORIGIN** line in this example is only to provide context;
    it does not necessarily appear in the actual
    usage. It is only used here to indicate that the example is
    relative to the listed origin.
@@ -257,29 +263,29 @@ The DNS "master file" format was initially defined in :rfc:`1035` and has
 subsequently been extended. While the format itself is class-independent,
 all records in a zone file must be of the same class.
 
-Master file directives include ``$ORIGIN``, ``$INCLUDE``, and ``$TTL.``
+Master file directives include **$ORIGIN**, **$INCLUDE**, and **$TTL.**
 
 .. _atsign:
 
-The ``@`` (at-sign)
+The **@** (at-sign)
 ^^^^^^^^^^^^^^^^^^^
 
 When used in the label (or name) field, the asperand or at-sign (@)
 symbol represents the current origin. At the start of the zone file, it
-is the <``zone_name``>, followed by a trailing dot (.).
+is the <**zone_name**>, followed by a trailing dot (.).
 
 .. _origin_directive:
 
-The ``$ORIGIN`` Directive
+The **$ORIGIN** Directive
 ^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Syntax: ``$ORIGIN`` domain-name [comment]
+Syntax: **$ORIGIN** domain-name [comment]
 
-``$ORIGIN`` sets the domain name that is appended to any
+**$ORIGIN** sets the domain name that is appended to any
 unqualified records. When a zone is first read, there is an implicit
-``$ORIGIN`` <``zone_name``>``.``; note the trailing dot. The
-current ``$ORIGIN`` is appended to the domain specified in the
-``$ORIGIN`` argument if it is not absolute.
+``$ORIGIN <zone_name>.``; note the trailing dot. The
+current **$ORIGIN** is appended to the domain specified in the
+**$ORIGIN** argument if it is not absolute.
 
 ::
 
@@ -294,48 +300,48 @@ is equivalent to
 
 .. _include_directive:
 
-The ``$INCLUDE`` Directive
+The **$INCLUDE** Directive
 ^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-Syntax: ``$INCLUDE`` filename [origin] [comment]
+Syntax: **$INCLUDE** filename [origin] [comment]
 
-This reads and processes the file ``filename`` as if it were included in the
-file at this point. The ``filename`` can be an absolute path, or a relative
+This reads and processes the file **filename** as if it were included in the
+file at this point. The **filename** can be an absolute path, or a relative
 path. In the latter case it is read from :iscman:`named`'s working directory. If
-``origin`` is specified, the file is processed with ``$ORIGIN`` set to that
-value; otherwise, the current ``$ORIGIN`` is used.
+**origin** is specified, the file is processed with **$ORIGIN** set to that
+value; otherwise, the current **$ORIGIN** is used.
 
 The origin and the current domain name revert to the values they had
-prior to the ``$INCLUDE`` once the file has been read.
+prior to the **$INCLUDE** once the file has been read.
 
 .. note::
 
    :rfc:`1035` specifies that the current origin should be restored after
-   an ``$INCLUDE``, but it is silent on whether the current domain name
+   an **$INCLUDE**, but it is silent on whether the current domain name
    should also be restored. BIND 9 restores both of them. This could be
    construed as a deviation from :rfc:`1035`, a feature, or both.
 
 .. _ttl_directive:
 
-The ``$TTL`` Directive
+The **$TTL** Directive
 ^^^^^^^^^^^^^^^^^^^^^^
 
-Syntax: ``$TTL`` default-ttl [comment]
+Syntax: **$TTL** default-ttl [comment]
 
 This sets the default Time-To-Live (TTL) for subsequent records with undefined
 TTLs. Valid TTLs are of the range 0-2147483647 seconds.
 
-``$TTL`` is defined in :rfc:`2308`.
+**$TTL** is defined in :rfc:`2308`.
 
 .. _generate_directive:
 
-BIND Primary File Extension: the ``$GENERATE`` Directive
+BIND Primary File Extension: the **$GENERATE** Directive
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Syntax: ``$GENERATE`` range lhs [ttl] [class] type rhs [comment]
+Syntax: **$GENERATE** range lhs [ttl] [class] type rhs [comment]
 
-``$GENERATE`` is used to create a series of resource records that only
-differ from each other by an iterator. ``$GENERATE`` can be used to
+**$GENERATE** is used to create a series of resource records that only
+differ from each other by an iterator. **$GENERATE** can be used to
 easily generate the sets of records required to support sub-/24 reverse
 delegations described in :rfc:`2317`.
 
@@ -380,37 +386,37 @@ is equivalent to
    HOST-127.EXAMPLE. A  1.2.3.127
    HOST-127.EXAMPLE. MX 0 .
 
-``range``
+**range**
     This can be one of two forms: start-stop or start-stop/step. If the first form is used, then step is set to 1. "start", "stop", and "step" must be positive integers between 0 and (2^31)-1. "start" must not be larger than "stop".
 
-``owner``
-    This describes the owner name of the resource records to be created. Any single ``$`` (dollar sign) symbols within the ``owner`` string are replaced by the iterator value. To get a ``$`` in the output, escape the ``$`` using a backslash ``\``, e.g., ``\$``. The ``$`` may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
+**owner**
+    This describes the owner name of the resource records to be created. Any single **$** (dollar sign) symbols within the **owner** string are replaced by the iterator value. To get a **$** in the output, escape the **$** using a backslash **\\**, e.g., ``\$``. The **$** may optionally be followed by modifiers which change the offset from the iterator, field width, and base.
 
-    Modifiers are introduced by a ``{`` (left brace) immediately following the ``$``, as in  ``${offset[,width[,base]]}``. For example, ``${-20,3,d}`` subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (``d``), octal (``o``), hexadecimal (``x`` or ``X`` for uppercase), and nibble (``n`` or ``N`` for uppercase).
+    Modifiers are introduced by a **{** (left brace) immediately following the **$**, as in  **${offset[,width[,base]]}**. For example, **${-20,3,d}** subtracts 20 from the current value and prints the result as a decimal in a zero-padded field of width 3. Available output forms are decimal (**d**), octal (**o**), hexadecimal (**x** or **X** for uppercase), and nibble (**n** or **N** for uppercase).
 
-    The default modifier is ``${0,0,d}``. If the ``owner`` is not absolute, the current ``$ORIGIN`` is appended to the name.
+    The default modifier is **${0,0,d}**. If the **owner** is not absolute, the current **$ORIGIN** is appended to the name.
 
     In nibble mode, the value is treated as if it were a reversed hexadecimal string, with each hexadecimal digit as a separate label. The width field includes the label separator.
 
-    For compatibility with earlier versions, ``$$`` is still recognized as indicating a literal $ in the output.
+    For compatibility with earlier versions, **$$** is still recognized as indicating a literal **$** in the output.
 
-``ttl``
+**ttl**
     This specifies the time-to-live of the generated records. If not specified, this is inherited using the normal TTL inheritance rules.
 
-    ``class`` and ``ttl`` can be entered in either order.
+    **class** and **ttl** can be entered in either order.
 
-``class``
+**class**
     This specifies the class of the generated records. This must match the zone class if it is specified.
 
-    ``class`` and ``ttl`` can be entered in either order.
+    **class** and **ttl** can be entered in either order.
 
-``type``
+**type**
     This can be any valid type.
 
-``rdata``
+**rdata**
     This is a string containing the RDATA of the resource record to be created. It may be quoted if there are spaces in the string; the quotation marks do not appear in the generated record.
 
-The ``$GENERATE`` directive is a BIND extension and not part of the
+The **$GENERATE** directive is a BIND extension and not part of the
 standard zone file format.
 
 .. _zonefile_format:
@@ -421,19 +427,19 @@ Additional File Formats
 In addition to the standard text format, BIND 9 supports the ability
 to read or dump to zone files in other formats.
 
-The ``raw`` format is a binary representation of zone data in a manner
+The **raw** format is a binary representation of zone data in a manner
 similar to that used in zone transfers. Since it does not require
 parsing text, load time is significantly reduced.
 
-For a primary server, a zone file in ``raw`` format is expected
+For a primary server, a zone file in **raw** format is expected
 to be generated from a text zone file by the :iscman:`named-compilezone` command.
 For a secondary server or a dynamic zone, the zone file is automatically
 generated when :iscman:`named` dumps the zone contents after zone transfer or
 when applying prior updates, if one of these formats is specified by the
-``masterfile-format`` option.
+**masterfile-format** option.
 
-If a zone file in ``raw`` format needs manual modification, it first must
-be converted to ``text`` format by the :iscman:`named-compilezone` command,
+If a zone file in **raw** format needs manual modification, it first must
+be converted to **text** format by the :iscman:`named-compilezone` command,
 then converted back after editing.  For example:
 
 ::

From 3f816768ccdb3f11687bdcb5389186f8bc75d650 Mon Sep 17 00:00:00 2001
From: Ron Aitchison <ron@zytrax.com>
Date: Mon, 4 Apr 2022 20:37:36 +0000
Subject: [PATCH 14/15] Rewrite Configurations and Zone Files section in the
 ARM

(cherry picked from commit 5d432d40a1d63c4c251c7e04b54034092cd9427b)
---
 doc/arm/Makefile.am            |   8 +-
 doc/arm/chapter3.rst           |   6 +-
 doc/arm/config-auth.inc.rst    | 272 ++++++++++++++++
 doc/arm/config-intro.inc.rst   | 208 ++++++++++++
 doc/arm/config-resolve.inc.rst | 570 +++++++++++++++++++++++++++++++++
 doc/arm/configuration.inc.rst  | 128 --------
 doc/arm/primary-secondary.dia  | Bin 0 -> 2550 bytes
 doc/arm/primary-secondary.png  | Bin 0 -> 18617 bytes
 doc/arm/resolver-forward.dia   | Bin 0 -> 2573 bytes
 doc/arm/resolver-forward.png   | Bin 0 -> 15644 bytes
 10 files changed, 1062 insertions(+), 130 deletions(-)
 create mode 100644 doc/arm/config-auth.inc.rst
 create mode 100644 doc/arm/config-intro.inc.rst
 create mode 100644 doc/arm/config-resolve.inc.rst
 delete mode 100644 doc/arm/configuration.inc.rst
 create mode 100644 doc/arm/primary-secondary.dia
 create mode 100644 doc/arm/primary-secondary.png
 create mode 100644 doc/arm/resolver-forward.dia
 create mode 100644 doc/arm/resolver-forward.png

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index f22b365717..972af604e9 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -14,7 +14,9 @@ EXTRA_DIST =					\
 	chapter6.rst				\
 	chapter7.rst				\
 	chapter9.rst				\
-	configuration.inc.rst			\
+	config-auth.inc.rst			\
+	config-intro.inc.rst			\
+	config-resolve.inc.rst			\
 	conf.py					\
 	dlz.inc.rst				\
 	dns-ops.inc.rst				\
@@ -43,11 +45,15 @@ EXTRA_DIST =					\
 	pkcs11.inc.rst				\
 	platforms.inc.rst			\
 	plugins.inc.rst				\
+	primary-secondary.dia			\
+	primary-secondary.png			\
 	recursive-query.dia			\
 	recursive-query.png			\
 	reference.rst				\
 	requirements.inc.rst			\
 	requirements.txt			\
+	resolver-forward.dia			\
+	resolver-forward.png			\
 	security.inc.rst			\
 	sig0.inc.rst				\
 	tkey.inc.rst				\
diff --git a/doc/arm/chapter3.rst b/doc/arm/chapter3.rst
index a9d263f609..509dc489e6 100644
--- a/doc/arm/chapter3.rst
+++ b/doc/arm/chapter3.rst
@@ -9,5 +9,9 @@
 .. See the COPYRIGHT file distributed with this work for additional
 .. information regarding copyright ownership.
 
-.. include:: configuration.inc.rst
+.. highlight:: none
+
+.. include:: config-intro.inc.rst
+.. include:: config-auth.inc.rst
+.. include:: config-resolve.inc.rst
 .. include:: zones.inc.rst
diff --git a/doc/arm/config-auth.inc.rst b/doc/arm/config-auth.inc.rst
new file mode 100644
index 0000000000..6c4272efd0
--- /dev/null
+++ b/doc/arm/config-auth.inc.rst
@@ -0,0 +1,272 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _config_auth_samples:
+
+Authoritative Name Servers
+--------------------------
+
+These provide authoritative answers to user queries for the zones
+they support: for instance, the zone data describing the domain name **example.com**. An
+authoritative name server may support one or many zones.
+
+Each zone may be defined as either a **primary** or a **secondary**. A primary zone
+reads its zone data directly from a file system. A secondary zone obtains its zone
+data from the primary zone using a process called **zone transfer**. Both the primary
+and the secondary zones provide authoritative data for their zone; there is no difference
+in the answer to a query from a primary or a secondary zone. An authoritative name server
+may support any combination of primary and secondary zones.
+
+.. Note:: The terms **primary** and **secondary** do not imply any access
+   priority. Resolvers (name servers that provide the complete answers to user
+   queries) are not aware of (and cannot find out) whether an authoritative
+   answer comes from the primary or secondary name server. Instead, the
+   resolver uses the list of authoritative servers for the zone (there must be
+   at least two) and maintains a Round Trip Time (RTT) - the time taken to
+   respond to the query - for each server in the list.  The resolver uses the
+   lowest-value server (the fastest) as its preferred server for the zone and
+   continues to do so until its RTT becomes higher than the next slowest in its
+   list, at which time that one becomes the preferred server.
+
+   For reasons of backward compatibility BIND 9 treats "primary" and "master" as
+   synonyms, as well as "secondary" and "slave."
+
+.. _notify:
+
+The following diagram shows the relationship between the primary and secondary
+name servers. The text below explains the process in detail.
+
+.. figure:: primary-secondary.png
+   :align: center
+
+   Authoritative Primary and Secondary Name Servers
+
+The numbers in parentheses in the following text refer to the numbered items in the diagram above.
+
+1. The authoritative primary name server always loads (or reloads) its zone
+   files from (1) a local or networked filestore.
+
+2. The authoritative secondary name server always loads its zone data from a
+   primary via a **zone transfer** operation.  Zone transfer may use **AXFR**
+   (complete zone transfer) or **IXFR** (incremental zone transfer), but only
+   if both primary and secondary name servers support the service. The zone
+   transfer process (either AXFR or IXFR) works as follows:
+
+   a) The secondary name server for the zone reads (3 and 4) the
+      :ref:`SOA RR<soa_rr>` periodically. The interval is defined by the **refresh**
+      parameter of the Start of Authority (SOA) RR.
+
+   b) The secondary compares the **serial number** parameter of the SOA RR
+      received from the primary with the serial number in the SOA RR of its
+      current zone data.
+
+   c) If the received serial number is arithmetically greater (higher) than the
+      current one, the secondary initiates a zone transfer (5) using AXFR or IXFR
+      (depending on the primary and secondary configuration), using TCP over
+      port 53 (6).
+
+3. The typically recommended zone refresh times for the SOA RR (the time
+   interval when the secondary reads or polls the primary for the zone SOA RR)
+   are multiples of hours to reduce traffic loads. Worst-case zone change
+   propagation can therefore take extended periods.
+
+4. The optional NOTIFY (:rfc:`1996`) feature (2) is automatically configured;
+   use the :ref:`notify <notify_st>` statement to turn off the feature.
+   Whenever the primary loads or reloads a zone, it sends a NOTIFY message to
+   the configured secondary (or secondaries) and may optionally be configured
+   to send the NOTIFY message to other hosts using the
+   :ref:`also-notify<also-notify>` statement.  The NOTIFY message simply
+   indicates to the secondary that the primary has loaded or reloaded the zone.
+   On receipt of the NOTIFY message, the secondary respons to indicate it has received the NOTIFY and immediately reads the SOA RR
+   from the primary (as described in section 2 a. above). If the zone file has
+   changed, propagation is practically immediate.
+
+The authoritative samples all use NOTIFY but identify the statements used, so
+that they can be removed if not required.
+
+.. _sample_primary:
+
+Primary Authoritative Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The zone files are unmodified :ref:`from the base samples<base_zone_file>` but
+the :iscman:`named.conf` file has been modified as shown:
+
+.. code-block:: c
+        :linenos:
+
+        // authoritative primary named.conf file
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+          // This is the default - allows user queries from any IP
+          allow-query { any; };
+          // normal server operations may place items in the cache
+          // this prevents any user query from accessing these items
+          // only authoritative zone data will be returned
+          allow-query-cache { none; };
+          // Do not provide recursive service to user queries
+          recursion no;
+        };
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+          };
+          category default {
+            example_log;
+          };
+        };
+        // Provide forward mapping zone for localhost
+        // (optional)
+        zone "localhost" {
+          type primary;
+          file "master/localhost-forward.db";
+          notify no;
+        };
+        // Provide reverse mapping zone for the loopback
+        // address 127.0.0.1
+        zone "0.0.127.in-addr.arpa" {
+          type primary;
+          file "localhost.rev";
+          notify no;
+        };
+        // We are the primary server for example.com
+        zone "example.com" {
+          // this is the primary name server for the zone
+          type primary;
+          file "example.com";
+          // this is the default
+          notify yes;
+          // IP addresses of secondary servers allowed to
+          // transfer example.com from this server
+          allow-transfer {
+            192.168.4.14;
+            192.168.5.53;
+          };
+        };
+
+The added statements and clauses are commented in the above file.
+
+The :ref:`zone<zone_clause>` clause, and :ref:`allow-query<allow-query>`,
+:ref:`allow-query-cache<allow-query-cache>`,
+:ref:`allow-transfer<allow-transfer>`, :ref:`file<file>`,
+:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
+statements are described in detail in the appropriate sections.
+
+.. _sample_secondary:
+
+Secondary Authoritative Name Server
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The zone files ``local-host-forward.db`` and ``localhost.rev`` are unmodified
+:ref:`from the base samples<base_zone_file>`. The **example.com** zone file is
+not required (the zone file is obtained from the primary via zone transfer).
+The :iscman:`named.conf` file has been modified as shown:
+
+.. code-block:: c
+        :linenos:
+
+        // authoritative secondary named.conf file
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+          // This is the default - allows user queries from any IP
+          allow-query { any; };
+          // normal server operations may place items in the cache
+          // this prevents any user query from accessing these items
+          // only authoritative zone data will be returned
+          allow-query-cache { none; };
+          // Do not provide recursive service to user queries
+          recursion no;
+        };
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+           };
+           category default {
+             example_log;
+          };
+        };
+        // Provide forward mapping zone for localhost
+        // (optional)
+        zone "localhost" {
+          type primary;
+          file "master/localhost-forward.db";
+          notify no;
+        };
+        // Provide reverse mapping zone for the loopback
+        // address 127.0.0.1
+        zone "0.0.127.in-addr.arpa" {
+          type primary;
+          file "localhost.rev";
+          notify no;
+        };
+        // We are the secondary server for example.com
+        zone "example.com" {
+          // this is a secondary server for the zone
+          type secondary;
+          // the file statement here allows the secondary to save
+          // each zone transfer so that in the event of a program restart
+          // the zone can be loaded immediately and the server can start
+          // to respond to queries without waiting for a zone transfer
+          file "example.com.saved";
+          // IP address of example.com primary server
+          primaries { 192.168.254.2; };
+        };
+
+The statements and clauses added are all commented in the above file.
+
+The :ref:`zone<zone_clause>` clause, and :ref:`allow-query<allow-query>`,
+:ref:`allow-query-cache<allow-query-cache>`,
+:ref:`allow-transfer<allow-transfer>`, :ref:`file<file>`,
+:ref:`notify<notify_st>`, :ref:`primaries<primaries>`,
+:ref:`recursion<recursion>`, and :ref:`type<type>` statements are described in
+detail in the appropriate sections.
+
+If NOTIFY is not being used, no changes are required in this
+:iscman:`named.conf` file, since it is the primary that initiates the NOTIFY
+message.
+
+.. note::
+   Just when the reader thought they understood primary and secondary, things
+   can get more complicated.  A secondary zone can also be a primary to other
+   secondaries: :iscman:`named`, by default, sends NOTIFY messages for every
+   zone it loads.  Specifying :ref:`notify primary-only;<notify>` in the
+   :ref:`zone<zone_clause>` clause for the secondary causes :iscman:`named` to
+   only send NOTIFY messages for primary zones that it loads.
diff --git a/doc/arm/config-intro.inc.rst b/doc/arm/config-intro.inc.rst
new file mode 100644
index 0000000000..7598c6571e
--- /dev/null
+++ b/doc/arm/config-intro.inc.rst
@@ -0,0 +1,208 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _configuration:
+
+.. _sample_configuration:
+
+Configurations and Zone Files
+=============================
+
+Introduction
+------------
+
+BIND 9 uses a single configuration file called :iscman:`named.conf`.
+:iscman:`named.conf` is typically located in either /etc/namedb or
+/usr/local/etc/namedb.
+
+   .. Note:: If :ref:`rndc<ops_rndc>` is being used locally (on the same host
+      as BIND 9) then an additional file :iscman:`rndc.conf` may be present, though
+      :iscman:`rndc` operates without this file. If :iscman:`rndc` is being run
+      from a remote host then an :iscman:`rndc.conf` file must be present as it
+      defines the link characteristics and properties.
+
+Depending on the functionality of the system, one or more zone files is
+required.
+
+The samples given throughout this and subsequent chapters use a standard base
+format for both the :iscman:`named.conf` and the zone files for **example.com**. The
+intent is for the reader to see the evolution from a common base as features
+are added or removed.
+
+.. _base_named_conf:
+
+``named.conf`` Base File
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+This file illustrates the typical format and layout style used for
+:iscman:`named.conf` and provides a basic logging service, which may be extended
+as required by the user.
+
+.. code-block:: c
+        :linenos:
+
+        // base named.conf file
+        // Recommended that you always maintain a change log in this file as shown here
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+        };
+
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+          };
+          category default {
+            example_log;
+          };
+        };
+
+The :ref:`logging<logging_grammar>` and :ref:`options<options_grammar>` clauses
+and :ref:`category<the_category_phrase>`, :ref:`channel<channel>`,
+:ref:`directory<directory>`, :ref:`file<file>`, and :ref:`severity<severity>`
+statements are all described further in the appropriate sections of this ARM.
+
+.. _base_zone_file:
+
+**example.com** base zone file
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following is a complete zone file for the domain **example.com**, which
+illustrates a number of common features. Comments in the file explain these
+features where appropriate.  Zone files consist of :ref:`Resource Records (RR)
+<zone_file>`, which describe the zone's characteristics or properties.
+
+.. code-block::
+        :linenos:
+
+        ; base zone file for example.com
+        $TTL 2d    ; default TTL for zone
+        $ORIGIN example.com. ; base domain-name
+        ; Start of Authority RR defining the key characteristics of the zone (domain)
+        @         IN      SOA   ns1.example.com. hostmaster.example.com. (
+                                        2003080800 ; serial number
+                                        12h        ; refresh
+                                        15m        ; update retry
+                                        3w         ; expiry
+                                        2h         ; minimum
+                                        )
+        ; name server RR for the domain
+                   IN      NS      ns1.example.com.
+        ; the second name server is external to this zone (domain)
+                   IN      NS      ns2.example.net.
+        ; mail server RRs for the zone (domain)
+                3w IN      MX  10  mail.example.com.
+        ; the second  mail servers is  external to the zone (domain)
+                   IN      MX  20  mail.example.net.
+        ; domain hosts includes NS and MX records defined above
+        ; plus any others required
+        ; for instance a user query for the A RR of joe.example.com will
+        ; return the IPv4 address 192.168.254.6 from this zone file
+        ns1        IN      A       192.168.254.2
+        mail       IN      A       192.168.254.4
+        joe        IN      A       192.168.254.6
+        www        IN      A       192.168.254.7
+        ; aliases ftp (ftp server) to an external domain
+        ftp        IN      CNAME   ftp.example.net.
+
+This type of zone file is frequently referred to as a **forward-mapped zone
+file**, since it maps domain names to some other value, while a
+:ref:`reverse-mapped zone file<ipv4_reverse>` maps an IP address to a domain
+name.  The zone file is called **example.com** for no good reason except that
+it is the domain name of the zone it describes; as always, users are free to
+use whatever file-naming convention is appropriate to their needs.
+
+Other Zone Files
+~~~~~~~~~~~~~~~~
+
+Depending on the configuration additional zone files may or should be present.
+Their format and functionality are briefly described here.
+
+localhost Zone File
+~~~~~~~~~~~~~~~~~~~
+
+All end-user systems are shipped with a ``hosts`` file (usually located in
+/etc). This file is normally configured to map the name **localhost** (the name
+used by applications when they run locally) to the loopback address. It is
+argued, reasonably, that a forward-mapped zone file for **localhost** is
+therefore not strictly required. This manual does use the BIND 9 distribution
+file ``localhost-forward.db`` (normally in /etc/namedb/master or
+/usr/local/etc/namedb/master) in all configuration samples for the following
+reasons:
+
+1. Many users elect to delete the ``hosts`` file for security reasons (it is a
+   potential target of serious domain name redirection/poisoning attacks).
+
+2. Systems normally lookup any name (including domain names) using the
+   ``hosts`` file first (if present), followed by DNS. However, the
+   ``nsswitch.conf`` file (typically in /etc) controls this order (normally
+   **hosts: file dns**), allowing the order to be changed or the **file** value
+   to be deleted entirely depending on local needs.  Unless the BIND
+   administrator controls this file and knows its values, it is unsafe to
+   assume that **localhost** is forward-mapped correctly.
+
+3. As a reminder to users that unnecessary queries for **localhost** form a
+   non-trivial volume of DNS queries on the public network, which affects DNS
+   performance for all users.
+
+Users may, however, elect at their discretion not to implement this file since,
+depending on the operational environment, it may not be essential.
+
+The BIND 9 distribution file ``localhost-forward.db`` format is shown for
+completeness and provides for both IPv4 and IPv6 localhost resolution. The zone
+(domain) name is **localhost.**
+
+.. code-block::
+        :linenos:
+
+        $TTL 3h
+        localhost.  SOA      localhost.  nobody.localhost. 42  1d  12h  1w  3h
+                    NS       localhost.
+                    A        127.0.0.1
+                    AAAA     ::1
+
+.. NOTE:: Readers of a certain age or disposition may note the reference in this file to the late,
+	lamented Douglas Noel Adams.
+
+localhost Reverse-Mapped Zone File
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This zone file allows any query requesting the name associated with the
+loopback IP (127.0.0.1).  This file is required to prevent unnecessary queries
+from reaching the public DNS hierarchy. The BIND 9 distribution file
+``localhost.rev`` is shown for completeness:
+
+.. code-block::
+        :linenos:
+
+        $TTL 1D
+        @        IN        SOA  localhost. root.localhost. (
+                                2007091701 ; serial
+                                30800      ; refresh
+                                7200       ; retry
+                                604800     ; expire
+                                300 )      ; minimum
+                 IN        NS    localhost.
+        1        IN        PTR   localhost.
diff --git a/doc/arm/config-resolve.inc.rst b/doc/arm/config-resolve.inc.rst
new file mode 100644
index 0000000000..ab05742bac
--- /dev/null
+++ b/doc/arm/config-resolve.inc.rst
@@ -0,0 +1,570 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. _config_resolver_samples:
+
+Resolver (Caching Name Servers)
+-------------------------------
+
+Resolvers handle :ref:`recursive user queries <recursive_query>` and provide
+complete answers; that is, they issue one or more :ref:`iterative queries
+<iterative_query>` to the DNS hierarchy.  Having obtained a complete answer (or
+an error), a resolver passes the answer to the user and places it in its cache.
+Subsequent user requests for the same query will be answered from the
+resolver's cache until the :term:`TTL` of the cached answer has expired, when
+it will be flushed from the cache; the next user query that requests the same
+information results in a new series of queries to the DNS hierarchy.
+
+Resolvers are frequently referred to by a bewildering variety of names,
+including caching name servers, recursive name servers, forwarding resolvers,
+area resolvers, and full-service resolvers.
+
+The following diagram shows how resolvers can function in a typical networked
+environment:
+
+.. figure:: resolver-forward.png
+   :align: center
+
+Resolver and Forwarding Resolver
+
+1. End-user systems are all distributed with a local **stub resolver** as a
+   standard feature. Today, the majority of stub resolvers also provide a local
+   cache service to speed up user response times.
+
+2. A stub resolver has limited functionality; specifically, it cannot follow
+   :ref:`referrals<referral>`. When a stub resolver receives a request for a
+   name from a local program, such as a browser, and the answer is not in its
+   local cache, it sends a :ref:`recursive user query<recursive_query>` (1) to
+   a locally configured resolver (5), which may have the answer available in
+   its cache. If it does not, it issues :ref:`iterative
+   queries<iterative_query>` (2) to the DNS hierarchy to obtain the answer. The
+   resolver to which the local system sends the user query is configured, for
+   Linux and Unix hosts, in ``/etc/resolv.conf``; for Windows users it is
+   configured or changed via the Control Panel or Settings interface.
+
+3. Alternatively, the user query can be sent to a **forwarding resolver** (4).
+   Forwarding resolvers on first glance look fairly pointless, since they
+   appear to be acting as a simple pass-though and, like the stub resolver,
+   require a full-service resolver (5). However, forwarding resolvers can be
+   very powerful additions to a network for the following reasons:
+
+   a) Cost and Performance. Each **recursive user query** (1) at the forwarding
+      resolver (4) results in two messages - the query and its answer. The resolver
+      (5) may have to issue three, four, or more query pairs (2) to get the required
+      answer. Traffic is reduced dramatically, increasing performance or reducing
+      cost (if the link is tariffed). Additionally, since the forwarding resolver is
+      typically shared across multiple hosts, its cache is more likely to contain
+      answers, again improving user performance.
+
+   b) Network Maintenance. Forwarding resolvers (4) can be used to ease the burden
+      of local administration by providing a single point at which changes to remote
+      name servers can be managed, rather than having to update all hosts. Thus, all
+      hosts in a particular network section or area can be configured to point to a
+      forwarding resolver, which can be configured to stream DNS traffic as desired
+      and changed over time with minimal effort.
+
+   c) Sanitizing Traffic. Especially in larger private networks it may be sensible
+      to stream DNS traffic using a forwarding resolver structure.  The forwarding
+      resolver (4) may be configured, for example, to handle all in-domain traffic
+      (relatively safe) and forward all external traffic to a **hardened** resolver
+      (5).
+
+   d) Stealth Networks. Forwarding resolvers are extensively used in :ref:`stealth
+      or split networks<split_dns_sample>`.
+
+4. Forwarding resolvers (4) can be configured to forward all traffic to a
+   resolver (5), or to only forward selective traffic (5) while directly
+   resolving other traffic (3).
+
+.. Attention:: While the diagram above shows **recursive user queries**
+   arriving via interface (1), there is nothing to stop them from arriving via
+   interface (2) via the public network. If no limits are placed on the source
+   IPs that can send such queries, the resolver is termed an **open resolver**.
+   Indeed, when the world was young this was the way things worked on the
+   Internet. Much has changed and what seems to be a friendly, generous action
+   can be used by rogue actors to cause all kinds of problems including
+   **Denial of Service (DoS)** attacks. Resolvers should always be configured
+   to limit the IP addresses that can use their services. BIND 9 provides a
+   number of statements and clauses to simplify defining these IP limits and
+   configuring a **closed resolver**. The resolver samples given here all
+   configure closed resolvers using a variety of techniques.
+
+Additional Zone Files
+~~~~~~~~~~~~~~~~~~~~~
+
+Root Servers (Hint) Zone File
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Resolvers (although not necessarily forwarding resolvers) need to access the
+DNS hierarchy. To do this, they need to know the addresses (IPv4 and/or IPv6)
+of the 13 :ref:`root servers<root_servers>`. This is done by the provision of a
+root server zone file, which is contained in the standard BIND 9 distribution
+as the file ``named.root`` (normally found in /etc/namedb or
+/usr/local/namedb). This file may also be obtained from the IANA website
+(https://www.iana.org/domains/root/files).
+
+
+   .. Note:: Many distributions rename this file for historical reasons.
+      Consult the appropriate distribution documentation for the actual file name.
+
+
+The hint zone file is referenced using the :ref:`type hint;<type>` statement and
+a zone (domain) name of "." (the generally silent dot).
+
+   .. Note:: The root server IP addresses have been stable for a number of
+      years and are likely to remain stable for the near future. BIND 9 has a
+      root-server list in its executable such that even if this file is omitted,
+      out-of-date, or corrupt BIND 9 can still function. For this reason, many
+      sample configurations omit the hints file. All the samples given here
+      include the hints file primarily as a reminder of the functionality of the
+      configuration, rather than as an absolute necessity.
+
+Private IP Reverse Map Zone Files
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Resolvers are configured to send :ref:`iterative queries<iterative_query>` to
+the public DNS hierarchy when the information requested is not in their cache
+or not defined in any local zone file. Many networks make extensive use of
+private IP addresses (defined by :rfc:`1918`, :rfc:`2193`, :rfc:`5737`, and
+:rfc:`6598`).  By their nature these IP addresses are forward-mapped in various
+user zone files. However, certain applications may issue **reverse map**
+queries (mapping an IP address to a name). If the private IP addresses are not
+defined in one or more reverse-mapped zone file(s), the resolver sends them to
+the DNS hierarchy where they are simply useless traffic, slowing down DNS
+responses for all users.
+
+Private IP addresses may be defined using standard :ref:`reverse-mapping
+techniques<ipv4_reverse>` or using the
+:ref:`empty-zones-enable<empty-zones-enable>` statement. By
+default this statement is set to ``empty-zones-enable yes;`` and thus automatically prevents
+unnecessary DNS traffic by sending an NXDOMAIN error response (indicating the
+name does not exist) to any request.  However, some applications may require a
+genuine answer to such reverse-mapped requests or they will fail to function.
+Mail systems in particular perform reverse DNS queries as a first-line spam
+check; in this case a reverse-mapped zone file is essential.  The sample
+configuration files given here for both the resolver and the forwarding
+resolver provide a reverse-mapping zone file for the private IP address
+192.168.254.4, which is the mail server address in the :ref:`base zone
+file<base_zone_file>`, as an illustration of the reverse-map technique. The
+file is named ``192.168.254.rev`` and has a zone name of
+**254.168.192.in-addr.arpa**.
+
+.. code-block::
+	:linenos:
+
+	; reverse map zone file for 192.168.254.4 only
+	$TTL 2d  ; 172800 seconds
+	$ORIGIN 254.168.192.IN-ADDR.ARPA.
+	@     IN      SOA   ns1.example.com. hostmaster.example.com. (
+						2003080800 ; serial number
+						3h         ; refresh
+						15m        ; update retry
+						3w         ; expiry
+						3h         ; nx = nxdomain ttl
+						)
+	; only one NS is required for this local file
+	; and is an out of zone name
+	      IN      NS      ns1.example.com.
+	; other IP addresses can be added as required
+	; this maps 192.168.254.4 as shown
+	4     IN      PTR     mail.example.com. ; fully qualified domain name (FQDN)
+
+.. _sample_resolver:
+
+Resolver Configuration
+~~~~~~~~~~~~~~~~~~~~~~
+
+The resolver provides :ref:`recursive query support<recursive_query>` to a defined set of IP addresses.
+It is therefore a **closed** resolver and cannot be used in wider network attacks.
+
+.. code-block:: c
+        :linenos:
+
+        // resolver named.conf file
+        // Two corporate subnets we wish to allow queries from
+        // defined in an acl clause
+        acl corpnets {
+          192.168.4.0/24;
+          192.168.7.0/24;
+        };
+
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+          // this is the default
+          recursion yes;
+          // recursive queries only allowed from these ips
+          // and references the acl clause
+          allow-query { corpnets; };
+          // this ensures that any reverse map for private IPs
+          // not defined in a zone file will *not* be passed to the public network
+          // it is the default value
+          empty-zones-enable yes;
+        };
+
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+           };
+           category default {
+             example_log;
+          };
+        };
+
+        // zone file for the root servers
+        // discretionary zone (see root server discussion above)
+        zone "." {
+          type hint;
+          file "named.root";
+        };
+
+        // zone file for the localhost forward map
+        // discretionary zone depending on hosts file (see discussion)
+        zone "localhost" {
+          type primary;
+          file "masters/localhost-forward.db";
+          notify no;
+        };
+
+        // zone file for the loopback address
+        // necessary zone
+        zone "0.0.127.in-addr.arpa" {
+          type primary;
+          file "localhost.rev";
+          notify no;
+        };
+
+        // zone file for local IP reverse map
+        // discretionary file depending on requirements
+        zone "254.168.192.in-addr.arpa" {
+          type primary;
+          file "192.168.254.rev";
+          notify no;
+        };
+
+The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
+:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
+:ref:`file<file>`, :ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and
+:ref:`type<type>` statements are described in detail in the appropriate
+sections.
+
+As a reminder, the configuration of this resolver does **not** access the DNS
+hierarchy (does not use the public network) for any recursive query for which:
+
+1. The answer is already in the cache.
+
+2. The domain name is **localhost** (zone localhost).
+
+3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
+
+4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
+
+5. Is a reverse-map query for any local IP (``empty-zones-enable``
+   statement).
+
+All other recursive queries will result in access to the DNS hierarchy to
+resolve the query.
+
+.. _sample_forwarding:
+
+Forwarding Resolver Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This forwarding resolver configuration forwards all recursive queries, other
+than those for the defined zones and those for which the answer is already in
+its cache, to a full-service resolver at the IP address 192.168.250.3, with an
+alternative at 192.168.230.27. The forwarding resolver will cache all responses
+from these servers.  The configuration is closed, in that it defines those IPs
+from which it will accept recursive queries.
+
+A second configuration in which selective forwarding occurs :ref:`is also
+provided<selective_forward_sample>`.
+
+.. code-block:: c
+        :linenos:
+
+        // forwarding named.conf file
+        // Two corporate subnets we wish to allow queries from
+        // defined in an acl clause
+        acl corpnets {
+          192.168.4.0/24;
+          192.168.7.0/24;
+        };
+
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+          // this is the default
+          recursion yes;
+          // recursive queries only allowed from these ips
+          // and references the acl clause
+          allow-query { corpnets; };
+          // this ensures that any reverse map for private IPs
+          // not defined in a zone file will *not* be passed to the public network
+          // it is the default value
+          empty-zones-enable yes;
+          // this defines the addresses of the resolvers to which queries will be forwarded
+          forwarders {
+            192.168.250.3;
+            192.168.230.27;
+          };
+          // indicates all queries will be forwarded other than for defined zones
+          forward only;
+        };
+
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+          };
+          category default {
+            example_log;
+          };
+        };
+
+        // hints zone file is not required
+
+        // zone file for the localhost forward map
+        // discretionary zone depending on hosts file (see discussion)
+        zone "localhost" {
+          type primary;
+          file "masters/localhost-forward.db";
+          notify no;
+        };
+
+        // zone file for the loopback address
+        // necessary zone
+        zone "0.0.127.in-addr.arpa" {
+          type primary;
+          file "localhost.rev";
+          notify no;
+        };
+
+        // zone file for local IP reverse map
+        // discretionary file depending on requirements
+        zone "254.168.192.in-addr.arpa" {
+          type primary;
+          file "192.168.254.rev";
+          notify no;
+        };
+
+The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
+:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
+:ref:`file<file>`, :ref:`forward<forward>`, :ref:`forwarders<forwarders>`,
+:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
+statements are described in detail in the appropriate sections.
+
+As a reminder, the configuration of this forwarding resolver does **not**
+forward any recursive query for which:
+
+1. The answer is already in the cache.
+
+2. The domain name is **localhost** (zone localhost).
+
+3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
+
+4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
+
+5. Is a reverse-map query for any local IP (``empty-zones-enable`` statement).
+
+All other recursive queries will be forwarded to resolve the query.
+
+.. _selective_forward_sample:
+
+Selective Forwarding Resolver Configuration
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+This forwarding resolver configuration only forwards recursive queries for the
+zone **example.com** to the resolvers at 192.168.250.3 and 192.168.230.27. All
+other recursive queries, other than those for the defined zones and those for
+which the answer is already in its cache, are handled by this resolver. The
+forwarding resolver will cache all responses from both the public network and
+from the forwarded resolvers.  The configuration is closed, in that it defines
+those IPs from which it will accept recursive queries.
+
+.. code-block:: c
+        :linenos:
+
+        // selective forwarding named.conf file
+        // Two corporate subnets we wish to allow queries from
+        // defined in an acl clause
+        acl corpnets {
+          192.168.4.0/24;
+          192.168.7.0/24;
+        };
+
+        // options clause defining the server-wide properties
+        options {
+          // all relative paths use this directory as a base
+          directory "/var";
+          // version statement for security to avoid hacking known weaknesses
+          // if the real version number is revealed
+          version "not currently available";
+          // this is the default
+          recursion yes;
+          // recursive queries only allowed from these ips
+          // and references the acl clause
+          allow-query { corpnets; };
+          // this ensures that any reverse map for private IPs
+          // not defined in a zone file will *not* be passed to the public network
+          // it is the default value
+          empty-zones-enable yes;
+
+          // forwarding is not global but selective by zone in this configuration
+        };
+
+        // logging clause
+        // log to /var/log/named/example.log all events from info UP in severity (no debug)
+        // uses 3 files in rotation swaps files when size reaches 250K
+        // failure messages that occur before logging is established are
+        // in syslog (/var/log/messages)
+        //
+        logging {
+          channel example_log {
+            // uses a relative path name and the directory statement to
+            // expand to /var/log/named/example.log
+            file "log/named/example.log" versions 3 size 250k;
+            // only log info and up messages - all others discarded
+            severity info;
+           };
+           category default {
+             example_log;
+          };
+        };
+
+        // zone file for the root servers
+        // discretionary zone (see root server discussion above)
+        zone "." {
+          type hint;
+          file "named.root";
+        };
+
+        // zone file for the localhost forward map
+        // discretionary zone depending on hosts file (see discussion)
+        zone "localhost" {
+          type primary;
+          file "masters/localhost-forward.db";
+          notify no;
+        };
+
+        // zone file for the loopback address
+        // necessary zone
+        zone "0.0.127.in-addr.arpa" {
+          type primary;
+          file "localhost.rev";
+          notify no;
+        };
+
+        // zone file for local IP reverse map
+        // discretionary file depending on requirements
+        zone "254.168.192.in-addr.arpa" {
+          type primary;
+          file "192.168.254.rev";
+          notify no;
+        };
+        // zone file forwarded example.com
+        zone "example.com" {
+          type forward;
+          // this defines the addresses of the resolvers to
+          // which queries for this zone will be forwarded
+          forwarders {
+            192.168.250.3;
+            192.168.230.27;
+          };
+          // indicates all queries for this zone will be forwarded
+          forward only;
+        };
+
+
+The :ref:`zone<zone_clause>` and :ref:`acl<acl_grammar>` clauses, and the
+:ref:`allow-query<allow-query>`, :ref:`empty-zones-enable<empty-zones-enable>`,
+:ref:`file<file>`, :ref:`forward<forward>`, :ref:`forwarders<forwarders>`,
+:ref:`notify<notify_st>`, :ref:`recursion<recursion>`, and :ref:`type<type>`
+statements are described in detail in the appropriate sections.
+
+As a reminder, the configuration of this resolver does **not** access the DNS
+hierarchy (does not use the public network) for any recursive query for which:
+
+1. The answer is already in the cache.
+
+2. The domain name is **localhost** (zone localhost).
+
+3. Is a reverse-map query for 127.0.0.1 (zone 0.0.127.in-addr.arpa).
+
+4. Is a reverse-map query for 192.168.254/24 (zone 254.168.192.in-addr.arpa).
+
+5. Is a reverse-map query for any local IP (empty-zones-enable statement).
+
+6. Is a query for the domain name **example.com**, in which case it will be
+   forwarded to either 192.168.250.3 or 192.168.230.27 (zone example.com).
+
+All other recursive queries will result in access to the DNS hierarchy to
+resolve the query.
+
+.. _load_balancing:
+
+Load Balancing
+--------------
+
+A primitive form of load balancing can be achieved in the DNS by using multiple
+resource records (RRs) in a :ref:`zone file<zone_file>` (such as multiple A
+records) for one name.
+
+For example, assuming three HTTP servers with network addresses of
+10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
+means that clients will connect to each machine one-third of the time:
+
++-----------+------+----------+----------+----------------------------+
+| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
++-----------+------+----------+----------+----------------------------+
+| www       | 600  |   IN     |   A      |   10.0.0.1                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.2                 |
++-----------+------+----------+----------+----------------------------+
+|           | 600  |   IN     |   A      |   10.0.0.3                 |
++-----------+------+----------+----------+----------------------------+
+
+When a resolver queries for these records, BIND rotates them and
+responds to the query with the records in a random order. In the
+example above, clients randomly receive records in the order 1, 2,
+3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
+and discard the rest.
+
+For more detail on ordering responses, refer to the
+:ref:`rrset-order<rrset_ordering>` statement in the
+:ref:`options<options_grammar>` clause.
diff --git a/doc/arm/configuration.inc.rst b/doc/arm/configuration.inc.rst
deleted file mode 100644
index 2c6684737a..0000000000
--- a/doc/arm/configuration.inc.rst
+++ /dev/null
@@ -1,128 +0,0 @@
-.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-..
-.. SPDX-License-Identifier: MPL-2.0
-..
-.. This Source Code Form is subject to the terms of the Mozilla Public
-.. License, v. 2.0.  If a copy of the MPL was not distributed with this
-.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
-..
-.. See the COPYRIGHT file distributed with this work for additional
-.. information regarding copyright ownership.
-
-.. _configuration:
-
-Configurations and Zone Files
-=============================
-
-In this chapter we provide some suggested configurations, along with
-guidelines for their use. We suggest reasonable values for certain
-option settings.
-
-.. _sample_configuration:
-
-Sample Configurations
----------------------
-
-.. _cache_only_sample:
-
-A Caching-only Name Server
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The following sample configuration is appropriate for a caching-only
-name server for use by clients internal to a corporation. All queries
-from outside clients are refused using the ``allow-query`` option.
-The same effect can be achieved using suitable firewall
-rules.
-
-::
-
-   // Two corporate subnets we wish to allow queries from.
-   acl corpnets { 192.168.4.0/24; 192.168.7.0/24; };
-   options {
-        allow-query { corpnets; };
-   };
-   // Provide a reverse mapping for the loopback
-   // address 127.0.0.1
-   zone "0.0.127.in-addr.arpa" {
-        type primary;
-        file "localhost.rev";
-        notify no;
-   };
-
-.. _auth_only_sample:
-
-An Authoritative-only Name Server
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This sample configuration is for an authoritative-only server that is
-the primary server for ``example.com`` and a secondary server for the subdomain
-``eng.example.com``.
-
-::
-
-   options {
-        // Do not allow access to cache
-        allow-query-cache { none; };
-        // This is the default
-        allow-query { any; };
-        // Do not provide recursive service
-        recursion no;
-   };
-
-   // Provide a reverse mapping for the loopback
-   // address 127.0.0.1
-   zone "0.0.127.in-addr.arpa" {
-        type primary;
-        file "localhost.rev";
-        notify no;
-   };
-   // We are the primary server for example.com
-   zone "example.com" {
-        type primary;
-        file "example.com.db";
-        // IP addresses of secondary servers allowed to
-        // transfer example.com
-        allow-transfer {
-         192.168.4.14;
-         192.168.5.53;
-        };
-   };
-   // We are a secondary server for eng.example.com
-   zone "eng.example.com" {
-        type secondary;
-        file "eng.example.com.bk";
-        // IP address of eng.example.com primary server
-        primaries { 192.168.4.12; };
-   };
-
-.. _load_balancing:
-
-Load Balancing
---------------
-
-A primitive form of load balancing can be achieved in the DNS by using
-multiple records (such as multiple A records) for one name.
-
-For example, assuming three HTTP servers with network addresses of
-10.0.0.1, 10.0.0.2, and 10.0.0.3, a set of records such as the following
-means that clients will connect to each machine one-third of the time:
-
-+-----------+------+----------+----------+----------------------------+
-| Name      | TTL  | CLASS    | TYPE     | Resource Record (RR) Data  |
-+-----------+------+----------+----------+----------------------------+
-| www       | 600  |   IN     |   A      |   10.0.0.1                 |
-+-----------+------+----------+----------+----------------------------+
-|           | 600  |   IN     |   A      |   10.0.0.2                 |
-+-----------+------+----------+----------+----------------------------+
-|           | 600  |   IN     |   A      |   10.0.0.3                 |
-+-----------+------+----------+----------+----------------------------+
-
-When a resolver queries for these records, BIND rotates them and
-responds to the query with the records in a different order. In the
-example above, clients randomly receive records in the order 1, 2,
-3; 2, 3, 1; and 3, 1, 2. Most clients use the first record returned
-and discard the rest.
-
-For more detail on ordering responses, check the ``rrset-order``
-sub-statement in the ``options`` statement; see :ref:`rrset_ordering`.
-
diff --git a/doc/arm/primary-secondary.dia b/doc/arm/primary-secondary.dia
new file mode 100644
index 0000000000000000000000000000000000000000..795625a2d834f874e31354b18b68ff3c547f1262
GIT binary patch
literal 2550
zcmV<S2?_QeiwFP!000023+-KPZ`;Tb{+?eUC|_DYS?&AF>FmR$McM<3+@VQ<wqFcN
zqGdJ|X;8Es_rv}6o2BFzNt7*dwT$Vk06USq+K0QGnSEw<X8Ge!U*~D>IxZGTo}Kgw
z!u?*HP4a1y%})CN`uyRY?*DZ9=ErFg{Qy6+BAWN$8`;9XJLzAP<>e2<;myqrN^ciY
znHMNcuFxVL{vM@iG=xUO{^^@u?{NpysEq7qt52h{ERyk68TYbi9-s8b(d5gl$gi?#
zf7xo)Zjz^Y(Yub)lm6TD>eU~vx*4wZ^F-g5(JUSpar9+(*BD;LH0k;>E;hTJU*?Mh
znv}PfTTOQKV}Cztvud?~M%nE2?a%z}@{(2`JoHs}p*um!c~s1jY#RsWCS6VhMVe9y
zlOc>YSaC(}=Hzg=al3G7yKqIjaLMBAGB3&^O3H1>ah|7flr2%q;wo;AvzSCFh}cuZ
zau~&VQkMBM*MA<Ri+u*L{P<qm4%OUQkxZXf+_e@vdbvra<;B@oPt&#R{nk_O*U2Io
zr*YlYCs}#4?r)FN{pQ`NtoOs$9i?H}+s@@-s$&t0!<UEIRWgki&xqN2n;kt}teOp<
zoAu3h`%cXAqm9M7f=Hv=xL9@n{$ZK!t#0tj;`E|PnOxt!do(Bc_<!-FTn+Y98D-O`
znD*ZF-sfNY4;%y-NHRU?|BBZqYjb$e8Q8(C*}BXhL`ow;2Mif0HYZ`*gzSPCk2ett
z7(<lJ()b>QD~m$Jh)P7%Kp{>VBF1SvKbz!5w#^fcIj{<*GAY}GyE7*WN&NUlxC7Qj
zoXjrD-Cztc^Z2DyGq7=9OylCYp<zVs2W2oJlF(*wi;Mi`tcI^XzZlmWj^TrrG*%np
ztTqZ!J`f0NpIW03F&2c4C`Z~1K%|*hopBshP?^`OGSpRNFfs#)u+L=%BP|AU1ZpA%
z26<gx+(r`=<v5CxWN??x*4bzc9~IGLa^6W@{2YHRA1NbQDI;@LMuu?3!7%lyj}?kU
z5?G(K&b@#YOiHX9E@GvfjA#6ujW)Y(Y84n-Yqt?Y`s>F}Z+<J1c~so)2qrz@f$ehV
z^Q^4Hw4e9Rqj{3v!lgyoqTgGTx7JnAV11Y0{d=5V$7M2!-o4M$>0`g<@axzz26c`y
z*f!1V%Lq&u!Nd)7T^#oo$tF;n=3r+86Js}^C{1SBJg&c~adtIdS-U+^YF*F6G~~Lv
zq)i=pxD?ikb>gnpNh3uE1To>&I#nnbF%Y;BB}f8yfZz1x+oqLWf*bHDp5*pse6Kc&
zljX}WCa}iLw~eY5%wVHlvW@yjlEpRdjBt(s2<vPZB)wWF$+h8tg0W;H0uBeT<pBZy
ztRC-<90CjmBRh+;X*HAs2Uw>N+Im_I%{1Ke$>ruH)J3}w=`@8K{=5UiR{jSu6dS5d
z!`rwhqoO>EiXy++Ezy)ZcYc<}+3e{N33rfZXH6VIH$TSZO<sJlt5=y9(JZcE5YpMd
z84!ZB!alW=A|omoiY53r@PCPvG7a7Id0a-%5r}CrDSZYt9A|Bxs0Kq^tVK15$EXIk
zPK>6oTpM5tN=oL_q!7IRa<N~Q23$QE)7T^jhd`VsX}Sl*dIHHe4VyeQR}~N4ZGG|9
z`c=Cfd<g7iG@Y(<bYH^Ird#n1eTZ!r!oT-`k>0pR+_(F{!F{Nf32TsEmjglCb0E&s
z<nrtyFOvU*JVoh~rez~L=3p3LCRQ4~fh?}ZHianeH#Skn3E3!D!bO4lSjpDJE8|*%
zP$EVOabD?CQ|jKPY5i}W#k~(n8ZZ8|`15xetN8}jwoW8Ntfqsp8trPFVBH-Ua6CMk
zCXNV|iU15Xn#+-Ze-#J$qX<*#J65wjz@6m7#lZ{lnpYODxi@542I34#x7b<`@BY%e
z05x54^)jy#LV6E>J?U?U32VMfR^OHD-^JVcmm3$fk0JS6oX=wz-UKYkZ*g&M|MHil
zn51<PCgU9cMbhe==e$WIsRaSP!w{ubdqvZ<$(Imda-Fn&B1|wv>z=pv7-2dV*kKVS
z$E=x`6Jc_Jc-0Z6;Nu?O$0gX^$+b2Zdp7!aC`2hS0w+dVvrn2rw&~`Q?<|Daev(wJ
z1bTC7H#Y!+Q|pC`5^@wW%9<OA{mCeR+>udmC_B$Z9p)@>(ZEFm7Y$sr85gBT;Gzml
zaMP-geVM2=kv82Ch^Quj$N0;qp)}A?|1@+{_yP&-V5UBCE+jIDS7Axww~}ZHgAoJr
zNw_U02Tax&vrTLC^S?j*bNCDV3Ux%S*rs}k3>&{M**xv2(swQ-A`&rb>va7(#?mf_
zfMQR#V93}l4&nK93)g{#3gp*Ns=sSl7e_eX!q9<2%&+29C=!V((oK=!%MxJ<%SAUz
zgunL!ytWtjTDc5sdk2%ch&)0C9v1_Kl;0x^h^V5(T$m9cN*e=Vg11n8w>7xBntA3h
z0o_mM+9x7PLZ(<tm3@0Cy>gE?Fdz)XYp8*6t?V&a0&}IT(sNkc>^UY%G_7>qTkp5V
zS8E!8CN)2NC}eR4-K^71eS`&B344T#=TkelHU#8ft122Okagg|ZNQv0ExtWuS>76A
zT~)k+HbFgudLGfIH%ADDaSF?t^c@W2HaA3DpS~*30!ZD3?6t6M=-qp-lfbZX*sAyL
zRPuq>>o#=zbsH2Pfu%^hd2NVSGbn7f9JiKlWRKOgVNNc)oG#}&Z6RMS<jaM8xsWf{
zi2YJ>1olgm3l-g${Z=S=#eS7^*`#fg{j#uw)fNZdmczh-yIsLSozr=hrHjIIWtl?4
zik>YeHp_>wbh?_@b<P4K4U9A}(!fZYF;eD!$~jhAXt2T<OYU{cWC>&s&eCRNpTV%i
zrHyghWTreY(^i=2E_n>(wBzKIA0cEaY}TD;-&xqY4nQGQ$P`ycT9IytOx>m}5Y#|W
z13?W0wHZMbM+li>Hqc<d{6<VG5UgkwF|7_f!yP!&RRmhvR={*i3IiqWI3;yX{<qH)
zw1=&F-Nd)g^8gSc1vt%2*#czM<vo1YNeg^5@X^3W10QY1N0s{?8LJL~pq@9$m^G5z
z?%*qAs>iMIF6`jTKuB95q_tug7-<J<P^oq=N5hIxxqPlQWnMRN47F~utV&*p0#IOb
zOepQWB5lVIYXhE`66>r<(s(vP{Y$8SsiP0ZojzcDeknG7*#m%3ggK}wK?>U%ZYH~M
zPSwX>KmYRKKjA^rtvpD&P8P#479FGz%)K5(+g(DA1jC$o4Q64+g#oEE);MWf&LQk+
z&YJoznynvUU3`iux0wh>T09j}%cj0q$$i)UILQOV(HY6|eHz`y#p#>n8~B+O(fsty
MA5<os`Tdyy0R2PcLjV8(

literal 0
HcmV?d00001

diff --git a/doc/arm/primary-secondary.png b/doc/arm/primary-secondary.png
new file mode 100644
index 0000000000000000000000000000000000000000..573cb0f18216f47f8fa9532521b590c06a313abd
GIT binary patch
literal 18617
zcmeIabyQVt^fh__3F#I=TDrSKM7jh-q(kX$X+=P!1f)x(rKP(;1*AI#6lsu@{1)$T
zd}G{u$NlH~|J&pB6%Xg^v-k5nYpprwn$Hf?P?N{OB*#P`5IBkovYH44(i!|w#XyEv
zEbBx^;V%?d8AWXj42;>I>Pzs?+fEA4ToDNLp_@NQ_2Fxo2m}p6QTBnhSK9XcOE04F
z8N^<kgIlOf7AD6~EV177hw(SFSXQszgp<lj-(q{q!W{dSy_)#J#}`D38e_7ru)dbI
zF%5mCOT916_2?G+hc`7NUx@Xrtg$$%22Oen)}rE`$Eq+UEB?L8IG<xmPZL>FeeJ0B
zBTXdKlAoLau1I~Y(*yoO7$A*EAP`=t3MUA}5(&+`4|}>=Z>0(ie!;kn&!%?KxEBs#
zSl3-sAMAPqPJ9f7-FjKN$3^3!=~3H%(t=N8B~D*7uqd1ueK+CG$<4ie3%LemUwZ0J
ziDn@`8FtqSTF`^+Vfe-NTzy>0RG?6h+wM3v8p?Cuo-kRunumxsZ20V}!8MB8&w1}&
zeP}l+_tTbVjbDymU0oGs(mi2J><bI9sn)xo)GE~WmCP(@Lj=0*MiOJ9@~o__t(oJg
zg#KnAyzSp*hg4)qFiO2&H=Pxbu4d`+HTA>85<#WnS8kl^v1ltReUqhzozz9ztXUdw
zuUX=ij=Y<da(R8|)`PW-4d8}yI$Y}KwrqJyCaQAQQ(53^^OH)F$$~f%UyCnwy8Fm2
zWmV~MT(QJ?pU7p$B)N5&RZIuvlrlG0mQRGW>%RMLcUSpZr;vgnS9>|EYggogfm?x{
zbmge;Ij_E2me<cb>a^|P!bSCXrQpP>v)i9quT^-iF72z_IQNMMPo3r|4|kf07qaCs
zx_f(5Nr$ZXbJ!wlxP21ZO}NF<>?ef@WxkHQKpU0I)nwUMH)HEs@KjQIw_P&(_SAwk
zUP(FKAx$kmn{1QG&>)M`&Zin9tE!5>(y=9XP(na}B%oNQC|)Uddu^tJL(-tO_xJ?I
ziS*rqM4@en=b^$SWARfp@nM_Y46n4QL53b_akZ`2*428Fnd)2aDLPTT<^tNww)b0n
z?_8`1ol}!%4&Djx&Y_762oTzP`l^}a)cN8m@;V2@(NLHp<G$N+>O&h`smZNW>q2VP
z&-cU>-rY?;+>u!6bhq8h^I|WO%2d6!%{ooC(`(agsMV&pGG;$wj$<(k`Eoe${ODKe
zZ>}PGj)Vp2BBWGC$q@>N;}Yovd8u;Guut6Xt2vgcz52`xDx)35@v~I4Q6+ejV(lhT
zPgf59c{eX?Y2`%aM6#!MuN{Ql;oulvcOwjY<0hb<Jv?Nk%}h)f&GqcdE!ry2U89Sy
zNj&DoJrAQbn7cT?rKp~DWtH?La;@|#I>x|D>b-J&%$RZb$|)@(U8Y2%Vu)h@9pZQ*
zbHQJCsY~@?73Y>4Pb9cVtk@;bb0zjYq9Zsu<=T%8deSwl&t9_ht-Gg;THfTqsoaP}
za74y;!cFvDyUEfe<-Q+{A;M|Z;dW)BP1-=Gq=69X`T|>0RPvuA?-2&B34*dK0`!;b
zmp`O26mvDrEaQZaTu=9Y>Zsqr47La$7!AMA#1tyLtkP7V5JbN?iYus!Hz{ebduyG_
z3E9~{SeKpApF|{f=I!+_qFx+`l5Nq#Z@*mh^C(OWw@M8gm*oq%%rSyx%uIvYrFnja
z>W;Woy*c$CAv^q7V30qWyxru}AG*0iGmr9P*oxnaGfv@t)!H#F*7dK^oyRlG92_`}
zQg4%D6yxp?5fKe9_I|`cLs=(ISIgHaf+!UH`;fexG)%UO|6P0+Rb0<d*oh*+qPlkw
zRbKqcFd>tz-trEN-hsIo0)c<#lS#nSuoVH9>@H)-N3WkftYHw^<x`iOob1J;oWGR4
z-PLikjN#zFP&Xr8sB@;jqS9;FH9g*%7HlCMCEE9>P{tkmC9&J-t~Jz%o<>8AIj~R=
zrux(~=XZa<ie_-JaTU!EdSc9ALAB)SqVn-r*7$eF=QQz3_Vq;xWDzI6bp~iKa=|iL
zG^$3#;oVV#lyo?f!sntHGFd}5)x635{3rYWeC;HKtuas=8SO-!iTXm|9KtrHHQYJ}
zJ&_cuMe*OB=P^|4l>}MG9GaREH8blB97Nzv&hP&j;77C>zE2>6GjS^qnzx18-uW|+
zf)_d;6!hxuG!>epL1SC4-cp4M7wt%k@a;Nyf!u@}-HTmQ4nMrRoFTk75HAsptRKnf
z0b|?)(LL?GpEDTV|K;hAo_Gj^(f=oPqaXsG2D<&9|6&jsQa(LC#w}u0mCWuwh5LlB
zq@~$eViep&DIe+Um|7-NRWu9M8>q2DHdb9>dZczee+w~%HX?D3jTWR=Qq$a|mQRFn
zi!MeXdzcIx%}jzkQtm#X;(bD<H`eGQI%7(?v4;%zA*IH2_7EfL5IH_-y7ex(kqi|B
zB4PC-ALO!4n_G)DnBV%y<>%!sN4txrYZi80!-U{E#Ni;yQQ-sS%|YsOZ<7btAce0O
zYqOG6$gr<q1<R}~hIN}Yk?p%hZ1Wua^UW5)3`S;?-m0X)M)Oq&O*$ixDd#~&lp?KX
zu-UCI#i6wyc}r9nv&Sn{LpINEHkXZvQ_AfsBehcq<&SuH@eUawOp@c1@ROdZ=J^^5
zI_^^R0He~#$A1gWKFM!mBsKrbry<S=6RaGc<Da)hIXEI4?pGMwu{@5t%ZC<FJh@33
z6~#*Su3kcT1fOW1g{%juEuLn+GTQ6O=vLYzY-bm&eOBf$$T8Gf#>4J7Bkyr>;dD+s
z3MXlS#^d*++`X_zjl{865KG?gcSIhr#?OqjuMsQrx%QJX9{n;ULq|*oxeb!&h@A>X
zjZ6vuUNJLl^ysE`Wnx7%VdnUh(s=A8vOhDc!RC3am(o+|x~6u)vniyHgs4LqkqBL)
z^o^7=uW8%+*}30qk-z`mL045#(Ue~r5l8{2rA=V0SW;kv$wW4zHZIYL+o=!k%R(UT
z<@h*!>+jFuEO%a!yQpY4QBYRyWNIQhKlhbfER5ShLO7t0NYp}R*}!elU>>un9(yX*
zZN{_e4cI5g=SRg%J0vjgW}~9<cim=Y3u_1e%qnz?#yj}s5rHfjhT$}NM}1tacGF*e
z^(XUncXz9*s!p{J4Gq0{^X3%_x>_=C?!!=AY(aDcqD`(p=R71N1Qm<a_h|fSe0=;E
zL!<j<jm`My)z#;{6sT>eR8szF>FJkO=etq|{d{)4$bk>Z$oi*i9gP(f6g)g?#towJ
z8{F1M-qSubGdJ(+>!WleM_6KEVlMA{Ra8{)CT~rY=-Y*&ApCHTb|}cnH8nNg7X6+1
zvA7s;d3Hp^sPb`M6j8dr)E+c7HTC)P=e9QKLTypcow*wO*)NpD2#*89Iw#s@KKQ7a
znVJ9jwvczekbuDUbY=dNA{{tI_EQu@DFHF@;h*8`I3{&Le*QEGpW~vkmIf$I(Nq#0
z9UW7+I0&(!-Fd0&i-S9y22SFy9a}FwzJFkennVdafN8wII6Qncn<e6Ly-`%g8@ov$
zqgi-3R;U%BjT#syD=XWd#1rI|Q(EdUkRp&S>i(L?Z;A8I;f{K`=uvdQMNm7<OqI2k
zj!utBFoOF>RZw(LhNKggThGoTy5Y`Hyt~++YHB7H7o}KO!rDcVOh_ePJDw3otfSPL
zc<%b2A8$K0?T3t;$z*Z!@evv0wE_Ce%OgxQW4eujQBYQvUwZH(T?`c!)#FikcvRHR
zSRqlfYj}7#+>E;Sn#aZ%i>PSILOr|zMlH*8$8}KR&fU9;yK{>H*YgP?)fUZr9avRy
z^V5}<n;RQ{(%FbHFE20G(|!J~DpFjt6_l1z2{{<p+jBg+`)3_xhqsZI0CicCWNdun
z$lF&wDlP3^_OQa-$Ih_?4*h~uqgH>3?ZkgSL#b!Zm7K9i*+0(jY>XFK*Pb8GI*vMc
zp6tw5%~Fbcac_GZ{QYZHt9*V=M(eh_AThIj_V3@Y!(?n*Tiabei@BzkaUR+*TrJAg
zI5;@}{{5@@pv@YO{0g!AL-{`8b9;fLvX-;&r6!0a_PY02!e3k5T1`9Ad>QW9<WZE8
zW20>h#KW*yKIKL@-Agz$H#fKZk!Jne&6yQpRn9e^De0GD#0QmU19R)>=tw<7JnN|x
zVvhLUJ#oLYLlM{CdtTx-=12=aTHFFwdT_i4Oj2ERXI_(>^il^56;UHfZ{y--z}t>C
zC!dz+q4pIaahC7Wku*R43gaP}S*Fd(V)5GqP{8rU!Jxi3EY=#X)(hT91isAv{{Eqw
zECvMLutTli`Ek{(-%kCSRqbqpyY0+&3rvQjB>!%!>vP;s3isbdM&^2QZd;3BWF;DT
z7gkgZ_jIiNNUs#NXAu_m+88UWv>Xg!#}n>u2}`<t`}Wf^qw1npa0wN<#oDZ@@&~Hh
zGu5`R^gYIR6;o1DcIN6)h)#t!zsAsy*?RiuehSzusrA^N>GmKFMB1LM<zi+occlCM
z@j=j*4N7W&_4#k5`uh4GN&a1a?(Xi!en(FRGbD;Wf1Zj$)#W#7LnvRnRb-{k);d;F
z(#Q2gQQA%h>;_hfy8SWXC*P*%4+{&cXy%?Mo3!GeVpq|3+ng9E^%9r%^MknDOyo4w
z)6|TOk0+s``r#ql)<iEKm1H>gt<(E3uf}fr?~H9(1tsdo!m29b#pSUUx5Zk=Mb%Wn
zX-!R_72Re*?Iu2@ctHEGv8&jqYUNZ8F|u?@^i(q?)3-kcKFahzV_ARO%j6xAnQ2^U
zF)$T{JVcC-A1GC``);mrx5aklk$AF72>$ZHzpllQF(MwH!#}1^xp#_MTCO(BT1hc(
z?KYoKB|xb2S^juaDq$JZaLm1lR!4vCeS(C91d~`}P?F2jcQXga8Ot6D65jXRwncDv
zXM7Z+sl4ttuFVc)NX*`KK0QAd`yz{dlDs{<^3itih3+Jk_hH-obovgHddAk*GzVqL
zi@k?4uFWD*qQmrmW?UD($FtE6qu@zfa<swy{$!)zqoboU`}g-3w$4|Agb)XXo6}TR
zSNj}q!78*6!$;hE#59jbA!s-B@j-7Cr8(={68&1<CnWMyNq=G#C;eBy#vJNl-@g41
zvNXgs1Y4oD((YUorC6y^Go%Ixu7lqL*`5v%6}-H>f6{%HyKV=|JlHh|ll{BXxH}?t
z5=!kq_2mUtv#S;ynwo#o&yOaJsYTu1_Jm#k8w~hUjZqi&TWL`~>fZWXePz1|<j{Dw
zr??b?{rld+9mlfKwC>vw`pRYVzXwuB#RzC&P14V7d+aWxdo+@ekW|f9`%R;0F)%Px
z&Du|vQf_-diGb|T{Pb2e)*a3vhdW+`DeDWpy=x=6%EQCM@R2BfDaVDTXO$Krnkb%A
zsecF}W>63YZ?DFOA%jo|IW(Ovhaak)932@pdsmMO@Xmh)Tp@M#hkn*oLZ-lTcY)gm
z58;Fp%Gh}e9evYHv|4X_bJKP*?D6BrKyMNrjm~|YsxVhpQi36|GbZ^vl=biqmyw%|
zHUbf7YO=Eei^%8t>e6%JWp4rlzNp7mo%Lv*nCH%r(MCd_UbPKW%O~2}&&@}K$Roo^
zIb0r?AP^>t$X|8*4hG<*-?fYWjeh5XEd!<+8X5)$X&THb%F5ZgKNdQ*wY7b({;e7N
z?mu#O7kI=&747-61NGwd8kFZh0zk!u-2P~IuSxn}oI+7M{DFgo1(*5BbLaB>#CkV+
zB2P6{((i0Y>;%Rd>e)w6hfrL~29Ir}U4x)@_%i9;IZnfdp@oJ^7|cUKM!gEN?r(8S
zo?BBq7X4)2swfljA3jt$F17#;fHZ}j?;~xdJQA>7J?Ve?6aA?iY9I%|@mlj<T!j;d
z$fO;K138_Y@)ur~FvHxhVNeAXPD-WI4^3}TBbJcg?-+*Ctv^JkUYaO=#%I>`HYtfr
zN=hoT_4MCA_pK>sSe@KE=vKh<Y%Jm=-S!?B8m1d?;^E)`+CM+p<>KJ5x3lXyd1qy3
z2f0)VzT^CCv#i!?*leNcC6orcQ0zJE93PJ)M!!ExK9%#0o}r<kZ1LY`X7q}JAy<8=
ztnBRQz@?VldOa1`8<;Gz)oHnleV6x^|7V}nyu7>^dikrvQT0Q$Okrm_XQ^QT1i*qq
zWFA6-Vr6671bm{cO|0dPJe!-J-+DNrjH@G)mK<bIQzY?G=kep1<m6}C+Fc$rZMl2)
z+18tjtx`s_yRFwdCia11E!S5*z1OcyYYp7~47FSFj~LM5aF@R5O9;QiWg&*SqzS0k
z&G*?f<d_I5iImgEa;<zdo9dZ%8>H|APDAh2uLM0s!N4=be*gF{D&;<(?e|hAav4i{
z?ig$hmY0{e2ch$6@|kpp;83JJ<}mn-8i+bsW^7#V!VpCABUPxZsVS`;^VQlbI0=?q
zB>9Ufab+3Sc&OdW7<OuExJS55k&%(v^3fhLIc=`e4d`v-Kt;N9^b55=YZfXbI(3^>
z=oIBHnE&kxBRWiwK`}xG5vw#IJzdpMI(zu7EFD#J@5;U`9f7~d<c3G}qTdN6A1$&v
zuw=y3>=v1#8@3vzmfv|bw(eHL748S9LOuv318YR$W3)F*fXT#o(NkL+8#^v8V$4uH
z>L`hthR)L<bi6<EXyTMPKGLD>CSFjaj<;ufJ!p2;5{>;Ua+7Y9gb|RcBr_ek$wo#-
zOavvIZsquxWG*i+vuNerzkfeX(vRGu`QwAK$x-3(!8IsbsopNQh%uns`tb<~YN>)H
zu4_MFa&4`wPES{&FE5q^C2lg&w5Ce_=>FBGVJmzYUr8wbk!n%6Uc3q?Z4FT829tOm
z(%}0-1OsGvfN`^am%GC3dVeKcTwZQVy!aN&Fon{4X9{Tn8*b1A7Aqtu_l>djaIThu
zqN2{|!E~`ixfx`Ptf?v84P?#24{lmdEG+Wkf{=}n{3B2fSXo&m&$lW8ER493E4sNI
z<|xMLhJ8or>h0C%peGH7=~#D0yCZ~VgfSvPQ&e1R0NG6@%j<M6YZ}@0cfa*SadLR}
zU$TcG*jb!`s;$WqK7x{N=G<h5-j}fq%6s2V5krXeg-8JbfuGTSzGP&HMWv-Wtnrxv
zS0deq+m@Mr{{i3HU)r!NRBz=-8G1MYyrre3&6$F_KJ?{99|WaVSD8-H`apfeyLS*G
z+0Jx(XzzFCRbIUKB~R_=1|tG<a(3o@;RV?Sa!+h*ER<#va&j9-s9V*>{{MbKkz-?J
zEl~E@nR^Lwyp{KOBZyczx_(NTtND4#4uK5Zz;ugWBcGn{zh8;9cGJrdDX-A?f*uLZ
zJ#ui^$&m12=Wsbc-CrpJ%+u`sq(n#RWX?6y?|8c0w9~Hecz>mL5vJ+yuRi-N5+ErT
z@Yb5p?ST{wsn)lo?7B-iZc;9*Upe$^`1$$g>Ro&99-(+=y!?F^gi@*!$bE2~#EmKA
z<Kuq&-FE=Ky%5ukcE3DxS9WY!@p+FdG%_?~G8q*F3`P3KOw;?`mHeD9=N<@U8wb+(
z^z(76tV{)3A)#8R;DF#M_^sZrS3*Sq{3_Vx#H!rv^JWO(Y4)d2<mBW@HsQT15AMVU
zIV`pecwk(wgyI7`@>?r06(cl}`>CFa<8!5YemFBT1FQd8_Hfb<H0$9{kBp2K;PxQc
z)zdWa$i}9otkw$wgR>I9TOZBm8=p8?41oLg%CkXH**`h4+*6)^;8d8<=#Vby;!%;k
z{;{yo8ssiOlbgfY=<9_LVP!yXVKUfsicbNpQ%iWSn&=xWZEkL^+#EqtG%ow?P*b$t
zoB@)!hPOccxL!QT&(D8YimvmZVXc5k;0e>Jd4!4zueFtx7mOSm8ygBTvPve5V2MoD
zO{4){J_7KdZ<y-2)b^^Z`Ix-XdTitYRrK2F>@OwAAM=pHDGhWFOKKPN8r)d4Xp!*H
z)-$rB)O@<9zD_x|^+r=i-{lK2t3E6!C?H|e0Tyd{v@s5=DmRy+7+=P6Fk>FDiow#0
z@9I*QA3)=RWVKQ>KRM|+{pAH<K^Hlbwu8155d*iiey)?UiypglsmsGrNJNEwvT|}3
zFJ6$`xx=MfPD4l6VV4YF_s}@@nQ{Vqz4wugw)O`@%WB)n(t-jE7m0GnP@JNv0zvzt
zk#gCQwz_h%vg`(R<#lz!aO1qZBUNos=Jho-JKO?|I3y*nV9ry89CxNFvN?iJwx+f8
z^vH>bRxXAD*8<%JMULW6Y#nD)RKketN=UD^YZsaG&|=?&hFU&<PE0~lqFeELY`?gy
ztT%BL6+4C7R0g2Rg9i`f<mBAk_+^-BXlNku!2xiQg~hu4HEM8hFwj1o6K3=_Vo(OY
zEmqC+#EOWBc#O|YO`YxrT+fzj$vk`r17@hJTL*Wy>~#rs#BMGRWr|HwQj(1g>zt*=
zYWNdS2RI<`p+=hh><HGGR7Yzg1Q|ukyFc$GIp{$8^mk@AzRGP*mgN&@IysdaaJKqi
zo&ouQq#2FxeRjCM+#PPMjryOM^P|wm<WlWvmIia&H+&hon6IVZDet=CVPpFO=sxsr
z)+>n$51(y%$=7WE6bVs$Gc=Lz6ONvc@-b+0HLZ7%|2%o}gunAlSz5XcaG1V^#vY88
z!)(n!`wRlXiE^+blK*XnV{+<!GjtI8ejV#j-Mgp4SKNAVaNu*kU3<443mdUSKGe8I
z^<DpA1+5Qo^cV%JG1caxkmk7^P8~$kT^O+aeZI;uq}!Q;y=%tHsVN|}6}h_i@6;eQ
zB}mgOU8YOZyjQrN7xczUQB&$+{-|kh*sNpWxQ*t3Zgr`bVjFKM_U|o<>B@$j_g?qe
z89CYWv?f_x=^9V?^uLsFzg$Y8-e383XOJo-EdqZdHET8cY`14RWS*kbPKVI8=QBgb
zR{{SA?dlm5`dsqixjrwD+CcFOYX3NFb<+`92$IW&W{PIvm?jQD1~)ACV!aS^RF7qc
z-Ij)&y@Z{;tZ(0XEt@QA+BoJ-J9lu11;{)czYZkCv^*-eNyh$QowY5hA<mZAr#R2!
zOP6Oo*r#n~MrZ!YyXf!VzfiWIOn#xnh=XR)u{lBNelRl^ZizvC>?c<CNl^bvbi&8s
zUSIIuZ5b6c!CD*fTNBEQlsa*`s1HqFObVf_&lO9nwJDwMcq+)o^7;Ef0_~d)v*nOt
zsfclr=a)Z!II3WUhnb7pp}D*K*5NDfdbdJHPoF9NvSaNaUoBnFz@Xnl7+Z^(m^B{L
zr&v4o`W&blC}1Ysy6KGEzNb#W0wqW>gJJFEZGVY!U8kDd%>L!acXeJ?Vlq3KW7%o8
z4Bz)z8I!}0XlVwQ>>VEZBahviH_;y(n2774xqA!5udQrGqyz;8#l^;^J+7?%2l>g*
z*H@eMiLdX)2NtbT<5r-iDs;GG`0}efz_sOmx7=3vpp^SxWA69|3EGd&dADf%j?g6n
znY<Oj+e9zE&IutYw%3$J4|)xh`#k*DT^S+&2V2tLza+z_{rE3o*e#0jirgF&=U3M+
zkEbp3RZ~O$3y%i(P0-0=Q&RLaG}=52BHGc7{vI4CszYnS&Lc24K<#u6DN-&jA%T%F
ztX#P|Z}DDRw{SWX%F{OGCj>9|jjjq5?SsEz&?*O=PgP=M={I!NPk(tB7gu|XyD0R9
z>FBN09c<m2u(i%Tc_MuL8*$NM^Uwl7P<OtF06)LoOx1e*S_Xxbf0MQUp*Uns4B8v{
zaxEh+F31?sb{9JYVDZ<}t!3|q{0aB(_udS_vZ|Cgd1dS0#f4acfp)EYac}Un{qeRL
z!%9*KA0J;_p-(YFrT}VSPPzpJ1x2m>ETHLH9`hc9Ca;*1HnLZPpLl%isf|171;#Jj
z8G~hB8D>2x)b_HZrj@N|$8|y~&G+#&QazaB%o~*R*bQYk9L4%d)XLo~sTXCKwVj&P
zC3cRHHL`M^j?W%<7V!5;B?h1Ez$ggpzXvl1we1mnwiCtW<=i9f0Q8}_9c@j!0^e90
z%(P_SMknCv)Jt(H)L<^RtpVazr41b_m|IAYa@hoVznqZrM<w=o*`4oY7EH?bRoK=9
zP%YROW_;bbJk4grF*sN`b;T2r<X8*v^$pqWKf*FwDlLHfYxJ><ONF&;+0Wfd5IJl$
z*XZfEyU;8jLFRm1>|?;+@%5L>1#j_s5_U|kZ4L4(Y0gBV-j`!G0>`ejl9CxeonA@Q
zxunJyHa&6O?<>zU=aq$JRX@!;YFl$IcWftSVimgj__Y5Xg!I&4a5=8S&?H90+lxuO
zHGie`;lsn*+e$JrGN3(?l97EiF}XK9HujvKJXJ;5YpApXgp2m}_GqeP<MAI>{5y-S
z0l;B_=cP*pv^4i6HpFTc-e+(C`ACDASuI8>*XLwMz%XFegga>>1Z260l`QXQ0C&*8
z6Vv^cF6Oz{o2Gn%I@`j?uv62qYDCSEFB~joqq)9+nJ1+FB#}5}B4qu&`1gGcLmJ`F
zhDtxiJ9n`QTOO=Mbpb_XfA-}$2vo)Sk1VUYPaC(z(ebFnz4n$s?S(0la$1tE>CA$B
zfQtOU!h%uKHbVxWvUS7LLT$LL@y(;ISu4Q9k?zO_-ZzJ65Qz)t{0ckACleh=v?`;1
zi`XyVO2!!`!-OVkNH!Z)dj7W;fN@rrN&c3cY}AyW<Zh)1>TGMpC3`@?^+2jnG^N<_
zsJayB%2}hIP&|aaZ=_>+$PlomuK)INRZ`;0U`+dO#!bh9favx_8`PAFF644U6%`dA
z`ecQev+ttV))$WTGy4-FwiX;ABjyBMJdR_JJZ(%js?<63+KoH--v8-xmVA?1>jO3(
zUZ$w~2GmDDO87F8D(Zi3;flWe``pFF1=fwLtE;KvV`<a%kzB`?e~dvSGMr8n{_R<Q
zQaTai2{@N0Jnerx>6aT(`5o`#QxV`({k%g4^<*@E5Ll?ulPA@_|6JH7=@m}q;*yf;
z%zL9CjmeavbN0k9NR%5El{V|SZ$A=u`E@SP%EF6|Lq68*<Ed#1ZzrIpzW&CP89^cR
zV{(!u{5e7zXQVmw;45cNw1_xW^nOqcv83Cd_v5POz`9^;q)a<*NlBe@;g+La?Z2!;
zLP2BKEf2)9j%g3FYc0HX1+)heqZaWWP*N-`ENpB(x3;$SeL`+yS2&?^XbXf7V4H|x
zMpt|7n<=Y5l9vbA({%7d?9`nYF@*|zG6k1P-0C=L8c2$ugoGh$y!Yz7eVbpqyEwv%
zcYCJRdemb4^AiBXnLOrb+Xew3Y5}nZC7Fo!aF6z-H&5Ho*;T!HTT~Nq+Ib2O$Eg`H
zU)x=$s4~~v;@@D3Z`xGwovXlcFtM;eFTP7m{M^wVluuCL(J}`eLBIe;22>8D9>zBs
z9v&VhCMHlR-rObv0l75+4RuOx&d2EmcdwhR%Nq?{6@w1h<lZ?}RPoyj)zNR?CW*M_
zsW9>xQjU@Wh0hRm|E!kJ*DOJzWo%qFxq0M$2|6(v?!8lh$9#1|WOnpBPlV?idnfX0
zt9))F?Eb;)(bQ6a&<~&^1Bmd2g~dqU5pQxagu@i+f({mRJ}4!;tCSNtZv?&JglFZE
zbx(g9Gzc{ch#a-ttif`vB~OG?Bw*beP)SP43261@!Eb&WW-hMi=xC5iBRRq{zFP5H
zSXzQcmfmjaS2X)J4$ZfJN48*e{q2kUgtx76p1&h6&o3vq@5`qK{mU5+WzNJEfh5W@
zrbwlq?kNfF9i6is1lb*U-u)hp26y{;#-Zw-nkB@CTtM<HN20citn6DXX`7Ix2-wLo
zJqek!yDL-R7(zIB+SQSNCkOIINOxEBX(8(uAE~CMX|1<BRV0jf1_$)}Z>Pzex@KyQ
zaeJw-p9M@s>O9Z3;3o&+a^n{tR%%KLjNpyTG$SxJHU@2{+)tlgd*FbQvjI|<vojBU
zX0T>qlgGB6l9Cd*R8;Sj+%FA`Zug+;9~|s`svyV_RPrG?F7DyuP7n(#kcF33Nx)Wf
zpYW$~DA*h7&KOB6#}o60t!^Q|nm(F;yZIPAC+r;{b((E9{(PA^xaQL@laaPLKf64%
z`h4_=iv`nMu?f)F(CX?<I)`Q$0HMbhZgsh0O^(mii+Gl#WJ~R?c3Z74J~`{Eq*<<>
z_4M>W;QB+-acX=IQ$k<gQdn51U+WOH>fH|k<a5k_9X;xyQ%f+p?xsui;oI|`R+HHb
z=6I#z+3-YKT+Bjk)-Cd&Y0C-^0dkxQp^{;%J)OPuC*{bZ>9~DIzLM0`ZoI0?pm8dE
z)GWl80YrINi&4P=VoreLU2L?iM}YDO#drZ?p)Wq)S#oG#a(FTR`nnZ|&v6}h1w}Hi
z$Ru`dgmMR}?=e?b6tUfTircM4G~2EWEU)U7L5Z!@ELn`3)US3*+a1W&Yiy|b*6-!g
z%hv6{tSTdkP=097fk+H@M8u?aPt1co-@(RR9%>K=C#OZuXSS!MO~)w@pVkyR&`0g6
z7HG5Xx8pPwMcKE!N}L8?!U92pQm!tpz&ZOuA=A$4kF|sSs&L0QuSsZhUQ6I(22XkD
z$>tz2j1~=9%yuj-`T}tSbINJA&4z^0+zn0za8~gw{!~Ft-;}o^=pHGNeDmz>$GR%_
z1RGvYN{hd?f3ADE79chGH{9|hax1L5rP@<?Up~;fI)`j8(upge_S41kGhdCb#~LCK
zCp*)XYyZ|Vsl`0DU>Oh+63RtW4R~nmsOFDSinzRK#{`<UvJ@g8Wk;{3GJ!$6@c?h6
za%$XUIWR(+rhJC3A{Ht&VdluX8}Oj5G&;>Ri`nn}{asX6{3#5|2`15Dj&ISI3>ug)
z!^1XHv+hS`gm$}q$q!L`)9Xx}pJ*%|j(7fEo5V1;fOHg4*;YHp{Lh=%q9PJ{=qZMd
zd+*PD<4M8e>^(mRK3-m56F=472uiVpX-pujL6p7`<Mv&Vzu$Yej3x3b4vx$=C+OZ@
z_rbkJg|)GVL_KQ@5W6djW9tD}pbURH-&?!dWWbG$m~w4@5of<gOKDdSDm-Hz4q?5w
z8Wp`Rk9TpW@<BsS*2B=VlilmGfXmH`e+Q=zUP<ruP&k&8#iO6LUZ1y)jA(A~>Kf15
zm@$AZJp<zNdhm013TI!9U}1H+{88}HGzCQ@Dyph>_klUi?r+4j<^FBHu&`^2{9Nhc
zThU0=MojJAm$0I_?C3{VcT8tpoH^$!aU0b%{P(xkQAyFS`gv7%9E5ldLBzj4?Uf3_
zrL<`v?uY&zc2SksA5fA#H3t$1GoMTeE>Dr@jd%$qm<G$x3f4sr#I=71T{BlR3@<f_
z0}yuz&RCKk>82!zZxjbC3rB)v*k0H<NOv#TkZilF0-u12ciPu;_&KC8$nDzr)Z$kt
zBa`DcrN5QS7sG5h3|c_uQ(gpUnWZbFReIYXaPb4i0iicp5-_nCRLx2GU#9(~`4+dW
zC54Z^aD(EIe}_=eNS(ZyAiP_zgp``$DKoKNNrG<3;2I>HWsNZFyLMbI7ti9A9({h0
zs~KZqs!4D7B;nh0uS>El4Fx;6Dvq}YPJ6p}(e3juPdG`Zn~fK-f5i_d*`2l=P>hP+
zkN)D<z?26Oc}ik&aUQhd;_52(Z#52tSIrNK>gt}2{}NRLCZXs4{Plj2uVkxyG?m55
zx4yojvNF$+@RGtp7FJehPFA1DQq&TF-#|x*C!h1-{QLDV3n2-(+MEX*ns-NaRM;w<
zg*+_sXXWMOW}aL@kyQ~;?TUAE?3-9k_?|TXdakN`oIdX;N$s%88Oyyk$syqC;vZDE
zt;N>N23@FP(Akjuw@NhmTqO^;;kU&7e|w#H9FbE~?$h`Lf5F6f<8E2+ca9y+S07b4
z3B+i9grI#c+BZr7Y8&>19L3X-W_0FOFVfu^CY9C0g2i0r#G9gLIY_0yvsCu^bH`dP
zk`1vjU(Fn{4XNNxOj449M1~eLNy_{KX&0*d)((=J6`;}MN1oVX#a^O>)3cN8?Av1-
z%6RQ*fh$>^8B}Ue&+9N(2a@E@Li6mxxL)8B;`J-&kO=C?G-cgZm)7B;0NcTouGGgK
zNLH!!NrY-xEA$0Jjh19Jym+&ZlbGU_CQI~tC!|A#K6*KJc6Qnqz8VWoRJeay`$d~I
zmu#dE+87*iCK-m4k@KMBSiIjsUC9%$oq!@?4vj%*o7wd)CzDf9a7c_7#`zI7Z*?!x
zowjK`XgHyJ_39PWlPi!(&O!0<0SWBUqeph~tHhGGT3T8p8Phz=q0lFM+JKzQ(GDnN
zIry1bV%(X{HaG<=XJ=8G?&SEC0c8X)7n5qr;pNF9mtn)$MpM<&(h|r7pfFV=$!&}N
zNvRz+>I}iD%q8<MCDs2P^VY1I>kYogQ-aH-Ku>Uz=7L0ibAkzdNBhMV323c=2%MlK
z>3vuLr&(WLFU1}_sIr^p6&0P?pu?n#Vdmr0qQPIP#WH2{c+4datj=op4Q>;<e4|X8
zfUlq5jlc^;WEa#l06+=vO7yBROK*ufj4^L|E|}`GKeoeqLCS7<%MNLsiiVmRP+^Zj
zos%hu@?1@OudQE!o(0<R%+aftNnl~K+#+3CSpmYx-cy8{0T!E6E~;oD(1?K|Z!fmC
z8cY4<XvYj*zPdawzSRS!8P($*QfS(5LiXaL`UWcG!-o&=mXUf<DV!`hdWkQ9?`JSg
z#C30}9gyu(FSMdS1n)L8F#s)<&w3;W==AJvrVPeSKM?eF><|J1f(Je#Doggzq&Nt{
zzWWy%(Nq%NZg7UF7?^D!lF{=8!VG|YOLTgBd(|@~FF}s2Nn2i9JL$xe;ugq(Qy&0#
z;n5_yQRM4C6=r4WR<1zGefg9~XeW%C-)ab23og*Kh73J1HYP0}TL7nlX@kHvZuH>D
z98B!{1xAqy?+FmnTQ2@8_v)|hdqF?-{uMGxAh}A{^XYL8+wg#e$4|VfD_Www3=;oE
zIaap)b~ZF)a4c_eYf-p=1_cpl3n;x$baY5bNV*-w=XfBnp~-NUR{QDGd~Md&%j4OT
z1s_MSNrNJgC%oBwvH+5)ew9@Wy=s|m1+pM5!s93H8!t&o$5j_IKeaL!fA^m1^o_iH
z_2PuXeMeF$!EMy~?iVa&zOBE79{q-qPT=x9Q~Lvbi}DhZ$1X0s*0uX!YXUKRFh!sU
z+(5)kRKiY60HOmfPAi%@Lf*XD0(BCa<{rJ62H-eq&AK^WVO@{6nc!l5=eo3<Z2MEB
z-%`aeN&hA#W5W2-f1vc$FiGM;8fEGegVU#dEC*|YOq2l6p4HerGccHA%Jlua)Q+Oe
z1ntHPSSa8nsVJ(4AAo05yGVRQ8fh-NtnmMp^^Hraq{0!GTIP@SKxa@K+I7VhpQS9S
z6=b`!HK}WB?~9+Eq0l4*9rR{Ma#>O#jKPW_<S+-4<Je-hzrQ~V3rnrTyr|!qo3u27
zFAIgM^C1Q;RkYM!`vjDIT#|rQ3Ff*#CJY4WjkVsTclH%>uU!7+UcX0k#ibOz@#RuQ
z%j@ZfxOK%yO-rOV2m;t^yeHv(n44(yiTS3_13~Gx*N#3$v<khhe=E^aH*FN?tNi-)
z3uyY=w{K73N?8cQK(^{|8*3v0>lS1n5#FTE3km-~jvTjEv+j5Gu4`Y&@EQ#+=Hn6*
zE!~3}Kp=r;+&N?sJY3uw@&Gxx9)RX|z4;J*!m&G-#XGOokrKF!uYhQuY>fALKh7^K
zDERvItBDN?3srO?Ncjzf3NysBeYHI8Mv~pghoz9cn!$=wtXIt{At3=KL2ugz@Ujum
z%hj<9E@}VJ6%WGA&KL7OWR_v(;i-Tb?&c<2^!o%XX^aEJex6x66OGv#`&KXvG&G1#
zUL2sbS@C;c<?7k#Z(m$o0OqbF>4fXH-c_;xcGD#=j!8V(5!r#4_$>O9cwf9D@W4hZ
zUH-Xl1S0TFYbQU`|NF%805EM2x$3b^8kvSQc1S?5@-91qv7iI+`}?5p5~^3md_7Dj
zc_iAk>wJUz58c@Jde5L6JSc9itQaiA0}$NK7z^yfb6r1T8$EaR8eSbhKLK2HwrAnP
zR(5pdo9gK5mNkNn-(9yeYs<=Z!D$T{0o?}&dGcV@EnsI(WJH3U5->J1v(tXnFFdIW
zjVujaj=agueVhm<YisMVyVu##l4o0dNnz^2XGO1Lb~8ZzbzbQipPbZs^Ao%V&^n8V
zz@`u?K@EIa+Mv+(`l+$s_~DU17y>zQI}^gIKrhoZE!2KTNq`v)Kc8kMxb4hMcXOd9
z#eREEoEg*FdcFEB4&2MLrpS(K70u_cuEAD3dN>XoAL`9hhpp+)PuMmhAH0#t(kXf*
zc=&5T$H>TNN5i*`N62wu_23^+@H}<YTennF_*o<*nnA?ijK)In<`=)69vb?nQ?$SN
z305w*Ph!2+ix)4FFB#c5I6y}no9D3@pP10R^Jk`-?U;s#hah_TKlhy8d`?wfUe7+p
zD|%?N+oWuwpr9<iTuX=5+SAolPDp~V;67FU2@A8?`{+y6Gj(Wm#l^)z3MaE0j=i|>
zeK-3DdUrN9HU{`;JsV?Sjx}93C<+pRexlnn7E<07SQRV=QV67CmX=KF4g3#&tJXY3
z35-Y%OM>2!Jxn%)E(|ogyTvZFyPyw8%At3-J$nL8JIfqHWiTzIva3I2hm6?hQKE%H
z^X2llb);P9%D$I)hQj@hDBbk-XNHE`8cuCI&z?OyC7F5u{yhXN2`MRfdK#eHwuOck
zco)~-5X>a^85w70nWKA^)zvLm&%b{#Dmyu-<W(TKd-vbo&xcH?(u7o0YLwUujY2*e
z%*2{$(0Os4Y{E48TwXr3xJXS4GQlyp4i=kz61U$XJ}ztQUV(%I%_lGp9cNhalP7ZM
z3xZhpPEy#uFM*@dTkOfpm-QTR^mm8hOdH6ct>$<oc%LrV{Azod!2S$K5-(H(P>r^>
z>^3Ni5hm2zT<?Gk3b*vz!C`Jr@49Hzv%G9p-1*`ONNONc4w{T6H2wX~rV}*0c_f$3
z!^DJs4$T3xHE=R)5P>DhV2?1c@ZGz2#l`HC2I0to1pK3yK**9Bo)toY!*0p29^IOn
z5CBoSJ&)r?Nhy(gz2-@{5d%UtlnBE;LIi>;(4qkk3#(G1NKe4^w~CxmKgfaGDH_zI
zq~KJNkW0z4u&yDz*|czWnglMpqI${u_q$NrQ4r!N>BC7d{ybu|vW40S@$n)?gMe-Z
z7Pie4-QADgk+9u!ocvs2-mAxvJ-U7i8EKabw)$-3oI|AX5Yr&q4yOH{+QZs~g?86i
zPxC$@_(;FUkOQIwj&KfUsm33exVSC;mkp81Ny8IR*I;OU%(F=e2{oTRvv$XY%QxBD
znGZPq8CtXIZTIcY)}1%w4{pDC5AF>k>$cBO{|F9PU=b)P(#GG$#DxAKGS4FbUsiw!
zqpEDNq@-G5ym<B3;H@;1D2OeS-9PHjpXZE=l3)fKl_e_WPOUoYk4VT^fxuGLoAbS|
zFD#KL1dlo+G4bSZT}zV)N))uD$|hTHM7vuVV8e=yC7e;6<z!*`_B*=!-Gd;sdKwc%
zAX5d`{GB^@X5-_xlujr`-9BFOf_xbLBsMKALS2U^eT*6(U)q;rG*7j2ClI7j*6qA)
z2*o>%3(}Rab_|F(5N&Z&i94gCquWX<9=SeH$#w;_b#$Or37yY%aH{0wD{PLRo}I;F
zg8Zk&nFw~FPvzzBjW#`Ao*i1dxm6kN(kiN`^aE>1C#G_4_X8&7olsYrrc)#!0e+D<
zR@#mX0sFVQfw~;H`kdPAq!hO&llS(f-eDqY&5awVL1hbOf1Y8uPDLy0sJ99w9*<J=
z`7z7LpPF394`5UVOU;N?N(Q9s+0t49A&_&|9_4BlzO^@9kAL&wVdU>G9NS&*Dh>sL
zD24PR;tLQ?V#m4X&@+8@w%g9`GuoV6tV&^BE%OGyQfPk!NOJX?H@9XNzd>b#3?d?M
zzd~2VX3VaPG(d-))cn#RLWQvtb4ig%%Itd;wtv^5Et=1}F;SN521!=LT$CT5D>zHG
zSRH}!uv)P38~)C!sEC<n{6m0o3!<1wEe-72A9ZPydsi4388g5MB_(A{gD)&_-&f06
zyf@jfAN`sD8jpMNV*h+wf^6}B+6JVQQkZg+F`v!bJwgqfg*oN(;VWV3u_R65l<bdj
zi&j)p`aU@5Xk`UEtf11|cs^mcL8^lvguoL6ToY)~1!NX%we^Zyi;rO3S44K&UZLbM
zz(}p{BGz6!WG@FGq;<#DSsPKu(CCkKv1xq$rO3qx-Ic7>$fm*MIT({GRlU%f&Q-|i
zYTe>vPZMH$p0FQvg=I4ncQWR*ld^}cnCjY$bw5U0irU(o7xU>G0Pl?j+v=7HZvG!P
z(V+G~iJs%Z4lZ}jXJ5MPUM^?y>$LU2wl%w940c4aiX6E=?9YMDV**tWTQ+hV<#ghX
z{j>An8t_{18s)E>MDgiNd3tv7c(V_{r?%96r8AiY1maKgVP9Tj6JDXb3cdM^aO}!5
z%&`{CF|dKDx;pyfMZyV1{!0dj8=$>~*+Y7dx^WFdygoG;Z_|9$MdV5gLA}{l7Bz#V
z+;VC_o~x;7=Kx3tBMWGZZb@%E+)v(?5#Jj1^=arhFKiOD#65ZjT%}rwtjL7Bmv#A(
zo>}c3>OtDl<7}vqyJ)b)n@Cxq&D{%|clLin7iVupFlx0<7#7Hf`Spzb+!k)YI`AE0
zE8`s|QBQR7$de<Im$L7n1tC$Bv{z>6viHdS3*)1qTt^0%c+*qP#J*u;^ZgnXDfbsJ
zKU|HYejuuX;pe;8JpfeZO=`EAeJGZ)5Aw_zPsil!oHD1hdQP6*{}Jd`juoMf=nk2$
zkW)<*U~qQUjskB$<Cf7b6=?N8JHLKa7(HUN?o4Pj{Ve#YuCDIWC%WYrU?E*yUBcNM
zZS1e4O}NRdF3xWuk{($K747Zqxo=K9qYSToEGyg9;&)C~_?;O0cO8qJL&18w76LJ2
zwa_gJUM;X9f!r-J<*T7F1X4gpXD4NGFCkgKv)0rqXH7PuEqiEv-W)8SaNM&NV`c`A
zNda^YqqJpkZuSEOW@SRp6-q8BYZ#cApPY9<NeTcHO+f*(JaRea?|Bpiq9+S_!m$eX
zL4x@9?ORRe^5$kE?6&~2Am)gTjvgce=W*trr+<Ttj0|A>5c*wE2ZBRFG(Ui&>I|SS
zY-dPwmXCkNodl;NgSFu>{0UXivn4O@_YIK;ezl*R0;$srP#828O=l)O1Y!3Q0)d_W
z^28y>xYZxXLKpqZmoI_pBJ1zN?o)k(`FRhX|K1c4n(tGmjRj}MQ$OMMfNe}<Wy&Wv
z-?gWP?TGrL;rsXR(24`5HaT%~EVKq>YA*r91=0(K6H`-DsEdx!YXRcHmW7N6WUK$x
zpVreOm#+3yPft%*S65pb%-%rk9Omm?^NWik<m`c2+0RtH{GDtGrjSXPp`@fFaKm8T
zdJR70lq+GlLZM$&>sL^VVIPJo;6Ly;MN$ZH8Z}uJJ_is0mRfL-kwXC>C*QbE%*$iU
z9-bN-gNuaY1ngaqbm4&O9vdG|E`iij2F4aJ*l)vyK$8>j^Um2h8Vo(loazZs8j+WO
zbL6r`0EvVVF}-y@J3E6S-wbmN|A9d5nkr~N1MLKmXW;~+Rs}HjJD{cR%(HQFw!nNr
ztbh;#O$LS$$Ka12Kf*RzIH2zU4QF{{Dg>gA^v>udeB2+*yzpiz??VhRSPEj`frUE<
zc2fic1ZQx5Kn7`XU|^uxYkwK;A9_4Snwqbr1e})IfW_Q^UT`9z#=xbo2!GfCK=8C!
z7d*S~zJFKR`ijNX#BDdlU7^cP7?w1n8e9V|O1MrTA)ymkDnRSyG5(#O!#VxI{SSKt
zwt8R;betJ(_CR=pRS)`Q@)*IPp#g`(@;8l#BAt?{s6OoMVXv*J3b3kzirr<!e|CDB
zlb;{(_Zt)JaWNO;M<B}IUb-y~4RHhij8_WAe-|Ep4xrcg<u8(n^S?EqaJEB7bF%o^
z=+qP$6_r2y8;WElY}r91^|~}T+SrhTWDbNR@F?aEhu*4(D>V+<Lns;40T(}acLTtT
z9HY?XAq%hut#92Q>K_yjJWNbcu(U0<_&tm0A^@fjjkz8e;SBKoL53h3M?yH^rxJaO
zlv@F79Dxjsulpi2UH%>&%~zPq!}Nl)?-Hy+Unp_mI@&E7T3;SmC@LyiSy?G5VTPM>
zzwTX$q?XF)T^Vkyyn{fbMGm+b8yZI9e=aF0`TW_82RqNIS}%LJ4)%K0pg_FwO{ttf
zNMO)r4+}$$C+#$mH8uSSMs0i<xMXuNQUroK=<<;X=s_?k@?gNV-X`A>19S;2xZ-rS
z%DU47*1iea`TA9|Wyb!&!EB|ax}Dt?M8y<tuOt`{K`90V20u7Cav%cxrqpk~5F#7G
z3HZv7I_DLT+FQYmy|XLw#K1rt8kf)^)ydWTDKv4jMGB$Y<=-HW;l8_Y2_8Q%MBK*1
zlY-3y@WD@?KIN%rMwMu`dAJ1}02!#(yZoK%*wft&J)kc&H6BytrcX-^o;A1?&d$@I
zA@*3)6izT`fy&}Zo-V=JK!Q{C_4R%9s2idh7}5=o0#yzo+^lcCd>N!Mh@})U&zs6c
zPe%ter^aD^V{<b#A;AOo)kMmHs5kWv2Z6BbDjC26BhDziWn{$v`tk&})=-PM+?SFH
z_@7Mj=w=z8fWZu;Xy8xEDk_jG-$h4TiibeU?Dgx{Kr3PQ(Iu=pKs3-_?a8#CD88|S
z8U<V)0rWom=e&87oiXpJ>Pm=z>+44#Fl29@3*ddI!5WW|1+x3~;`L=F<ODF%!Y!x)
z28ZoaO-a$w>M&cdm?G^RM?e_?9j_X6%0sTM`Qmb%lJb(`jg5`ZSDHFHA@+`c*D?cO
z|Lh7RjhyYi%Zm%}3PGrWuP))kht=KP-Hlqfh<iQ5ZqcyEfgBVacr(5X>_UPKAx!`P
z1FjA-;a(tVWJ0nL3%C-m<bd!42QVC9(yxFu3~4PgI@&XwL=*`Th&(we@fduK<=ZIW
zoO(xTZDVtjmLTO+lz?R42S!_P=@u0gfzR5;);9AhxOe5>>CJHq?Y{#R72+S5wm2Q#
zC*TQF6RWVrf`^9({$I`nVEdp>t3l}3%E~B!S`Z}5DKQWTCrUSSBt#n<SjG{EG6b~e
z5lzTBJ_y7f=6l$q_<w)#{~8jzJfDDofHxW-y#u?2Jd@khbno)$6Qp!o$RLm^U_BRq
z{(SZ;(O4Hdh(+q^lwO8eL?n4z8n$6#C!o7RKOq!9MbKXF@neF<7-6gKcO)<wIN+HC
z2rwOmia_+6h|C9oVAt$(!pY9QHC{9cTl%JPLNXvc9)*(*fb+a}rEq)$1fohxcrHa!
zJEY;^Pu&n2XgK6IAmk2gIRR!2R)npP=Z)|&916j%o*qu!@;2Cy3Dh1q`g1X6NNLgV
zXp8A6BuGlYSt0paf<hxs<v3RGIF3=3T-2=~Gn0BYEBR)-AJp(t{o2xx9}%=;kgwpB
zH#>9edf|#mo$2Py!Svkh^s@uPU5KBb<_#b+U?ak?!zD}>ie;aN8wRbmfq^d=xWPw8
zDdm69XAzWxFJHdEezU%n{i!I(<ONR5^X5v*%HR|K0`Lw-4@Ha+AAbnwM$Uf+gw-Qi
z**e|~u!~>8_7Mm*agVJjfH4(8kWI@#T1a(l5rI0I^zt^s2@6b3br6FPoBN<$L9*?l
zx$&06wweF2*xpoqh$=xrU@&9tza!*UK*fRWNQIM|H+J+Jd;8N;Vq)U4$;p)$$S5ei
z5qJ5ZB;E`)8k*=79e@Ku&ryj|z!b2L^yX?nW`pSh2ZKr<Y>cUPT)Zg<VUXcKe8a@V
z#KyLpD874jeRXvOrM$GPtPFM&TwjA6o12>pa{!Wkz0XPMbnPc734>DC;>WXepm(9!
zBM=VXaYiI!hOO8+IGX<^f}jbB43O#g*qE>`Uv#f6@N94{0Z!UC#)BPuFdPxGFs55B
zm2QsTpy)cz)jihv?*O~;#@EU5aS6Y(v8q05GP0=}d;Kk;2e3cpa1IGU)&KD30VfEX
zayrKU=W|Z}e>Tfw(83<|m*N@HG&B+(<ucWJs*gi@SK7zap}>{D-+>1l4Bp#V{UZ#I
z7nvzA;PjN!SIQ-%y&tc{^8M>`-Z$^#kl}j>Nk{zD)S_afi^dy-5nxEIE!AMgm%$9~
zu;S;f9+OOHhi%dB6~LEh-r(L7Zd1rcAfzLIwckruV<HU0m*Gvu-o%2PU$3MC-J4O7
zU%@UF<z*@4e#!7mh8Tq{oFH#Ruja3=OwhP*;i2^{f#5#I06k)vuO{3}OaOZi%9D4(
z>Zvwgn9GAPSEp#)rusj(NX!>gfB%+YEAVEZ1<}GoL1=S;fmOo(Rk>_ur`7bYn!gCc
zWV46C+pzUi1~3o6!3r&SR*OslaQmrDVg_)!%3xd*0RZ{>m5Lovp&LQnjwTIO+<o<8
zgyioaoNoB6xc|trE;CsR`N(p!DQ?lsK_-d3f_u@bxtavC9s0D*%%ib6cOX@(b?fa?
zZPJH#FN0=vL1TR=E-ATiC~JrP2187_P@8bA!Jx%=T6453%~mfpGTz)=fIO0sgG2Q`
zA*hYY=DanDw-AUmQ>J;WTgXA}ZScU4daBDK%D|h_9$8H*gMRO!1Y1w3#()lIyb_dj
z!H%HFZ{Y2_MbHwtm*!A-|7^3dYpa$V@<w>DTlAXuXfpSI{!(E1qw8*>>2lfac$#eu
zgHz8iXw%i?S8Pg}<NJQOfFFw(6CT2H93N<D&z`>`#l@^-mVGfrObO+OGZFjlB~Aj4
zs;Pt(O#PjugMX)OSk@|O!XD9=isD$UoJz9fmrS3?8f&#hBz>c4qgu@cmgL#vyOwDM
z;eLLgfEIu%_+9;S;rlNaX!Z{(!J5kdd$XN<mdEQOP#}=+0sq&)29t#ECWg?U`BBHs
qi3mJ-z3|^-e01pmw={KJqtyIaiYH6v_zFuBq4-Emwp7OC_5T8tOYT?z

literal 0
HcmV?d00001

diff --git a/doc/arm/resolver-forward.dia b/doc/arm/resolver-forward.dia
new file mode 100644
index 0000000000000000000000000000000000000000..9faf84e24332d5dbef531dc24c11d7d411bb68c0
GIT binary patch
literal 2573
zcmV+o3i9<IiwFP!000023+-K9Z`(K)eb28D+?N(`8SzUb$CC`U1!m`AG1J-3JO{F^
zINHimAj?g&5BuBql2V%3mSRUVUAv`#7LY^ni1g**xxAP3&%b<`XTj&BT%<*QF~BGs
z1W7(ArfELA82tU$uW#kxm&>!Cr)m5X{F{~WJb)+ig}%EO+*H-=Pv_@%cXueeU&K{W
zqAXpaMRNYXILqR5D0Du!JPU%S6-?tQ)}J+>##L3O<7Jfuc|1=p2IF}0X;v1?d^)I0
zHRUEnR+Pc#IJ+3Ux;EF~ys74VrJiT%zKv(exJ=?t-BpKhDb=Uy+oW8tc79tdQYcd0
z-)<D?s7L?*q)bz40fq9}<*R?NSM@73A3WC8_M)92)jTd|X}*aAeUsH4L69VbKxc3z
zRVbLi4}J1-xbb1(vctlahlNWQSGPr3m2p~aLXL|fOX9pnt;%K6A7?R%Gcd8|nq|?7
z>$IwhE$@FFXNz4LP=EY&w7qoX&dPN9{J>o)(NW7?I<0Q5zBuZxy7qfVwSP_*={QT;
z-agH%y;Xm|pX%4Y9mC#_k6T(pU0dh$FqH{U_{*n<*)p9bi!ElhTBf6>o2J<Lwq9Q^
zw`<4LAFWN+1|o~^ld`G)-QzSJG+%JTI6*wA($5cfPx_=7|0kJLO=CY+aXyX9Y4A39
zS9}>fY7kH$>GWdoN4VNq>&=78fCo2v>$do6QVa>shZHG6_<ApFa!41(c)Si#LL=gQ
zmL*?dLIXnxA7P4^97ag?#!Rwgel;n|d{ZjywQUB+(8^}}9w<ekNbvCSiY%aRl5}=c
zbz{L4`4kGK%6?$uqMRn>ww8qmH!zr~5aS4wesF0HU)0qqX|$@!>+3M=2eG&*?yg!?
z@%Aadou1Ag$Knoy^RMJf^<;G7W^`iP(aBLrh8$txa%>t9hNu*LqyP&5X<xufcf^*d
zXst}w7izToO1U+e|L<f`WYFgwV*i;LvP*6idDRA}KM$_sd79nBd&T);5G<;DP301J
zxPJDx1YV^|C-K{NMK*mp@4WmyHdvrd$e@r*sxQSuOmT?qFjwtxS6l3Zv`zz^4(3xT
z=mP}Ge3s9X_U|;wm-B|@c0_4a1}_^OpUo?+kB`S!p$B0lV#`V)Oy7J+kfIJ*=>ddN
zK9Wd9dLj?y@w3v0<v2?x!S6|RSCpTEKbJ|FCW{}Eqe3LZ)r+|%sW#K}Bz1x$MQuq6
zbI{7b8Q7(CszC_ioR3I|cqlX^J${z@djUSG=ca>lQ=3J4ZaQXeYF~3<w$wy0lFBSh
zaHo!)#$g5rcxglgQdqCL^akB+)nyN@+hy5>YfboM_)_NAT~1<Agj)|E0u(xANVyz3
z4F)A<;1Don@O>r07$5)S{;^t)gV&RIas#(-&K}lDg4ZA3zxhEYdm$pMFCI}w6vNIZ
z`xYbhbNw;T_5Vuqq-C;?_B7dZM5WUR3#Nz&CBWo_Qdo?@07J$p04o{Fo-WCx$n&ct
zpPKgcXl08Crikg6qN=Yr00WrZuD?oKi1a0uX7KHApO$GeD`Q1MMWpH(>RD8ASzX0t
zS=@D-HzC%QUu8)?d%i{79%O5;^%a5n)KwpSt=e4=JwoiOfAm;{ArI`d*w7IVe+h1Y
z&-7di^i>tcR|y{fy26>=&*J9UaP?WX86;nOq5bGXVI4FZMlPdeKwc~~L2SxE6-K>R
zm<}lkU%#)_VDLLU5PVEZ==L{$;pZ?5KPv|5Rp9BZ_(=OK8zuP=1J@I$Nj8ca6edQP
zBND+4$SvYF$HuZ{yR7v<^@OPUBAh8E-LCa8_4JB-j?ED-Cn@_J8v+K5ks!ovmJKoE
z1cs;{oR}L>)f@DX>fzU-yn`=6>j$57bKs<#Hskaf;shhwINSqM(IF;?GspRW8V0zD
z*SWe}fSUubkrLk1@t)2Wx@xgdPgkes@?gA=FkS78xQ)|=waY_BL?Voh%R`0J0Jmks
ze02Lej&5VJhjBw|=YV0S9?1g`%oDWE4`C58Gd&30$cMRon0u!%cdN1bDgOjx-FP2K
zw*=P<8_aRuZ5UCdfhd+(2fGQ!*ho);mE&M{M=QIOf(ecLShtUL`&hTrShwtqS8tDX
zgS*oeDBn-8yNhzIlZjR10J+?YCBfH`iVY(ai7=8Qg`$Y^$T&e9OUHEE(!$n4is)#(
z?7gDy$<~vtC)<9>LD8Z3lG|@yjZ6xU+pVigsZb3Wl9<R5Ln`EOt5Y%iE*kC3mYePC
zIvB$zVS29gTzPn|JeanO?70#Mf*3bjQR$R1CHU`x8Hb)zJ_7$<GO22Zo^$7%+1}39
zbSKJ$sC|F@qjIMKGs~Ubw7@(qds;qfT3%Z(kb9x!e<sB|fmfUWFMmkNYyFq^X*tP~
zwqTKUt~=JJsDaMpF5Q0(qECooa)c#f1ib9NC$T`^#M|OS({xg~jNjV!*-ja&Xf>jW
zU1qHA3v9PJWKYps1EwQ8%Psk;tMQ(fKwPI;<``nnF=&hVHr$Xct*4&8sQ<F`_Ufi6
z)BhHE6=%;jZtWP_7sCKI>PV?Gki~MW&+1JEy*p`7`2p5@39vv^pV7x$3i29+p-AZ*
zK!H>Qh|vigzlD8b@<9@l+pN%8(0}zLdmr?7B}c9IQbb6RA+UvV8T>c$P3YMBNC&2d
z3h}<l2FD;rZTrm2Q7=cm9QAUv-&wHMn^J^c5Ri`Zy&4eAh35Pa1LtGLy&CmuwA%>1
z8a-__O7I>$Wo1H2Sh;nTr3oEjHo^)q6SNZSgx5!HyUi<7uSmTj^@_BgBDLN?rDIe~
zlQ4Ff<kg_)d<DHks!(WlzV_Xy=T+%<xJKG$h+dYSxGc5bB!wa|q+l9OcSxa#=$|4`
zd_)n^(fi&Dj7OnKE&I$%QZGrpB=wTCpCq;a#Rr5<0+q|t{|p92kvXy+39O^{<oLxX
z@nZBKVzk8sy%asgU+=U3{S2gpIkD5J05vEI2_3Sbh?^60#3{sVz9k`T^3nH6MJ)#C
z$>^YDWV6wpMBhAfp4k5`hxUqrpOjk?#D)Z!=D>Q}5IyBwCEHH(Zn$^Dy&LY`@P5iy
z*mJ&6=DfQo!cJMgh6#m?fcL4?ydU<)Jf!%g-WxxV1a7lLuYpfIHYE3Onv>8c*t+%2
z0fm^K22p$jMi{{jN8u^QhphX}D^ssby)yO6w4X9n_Po!D<RBCo;xb}RxxYc8AVH+k
z{ExAWG_vT8d`OAPyhJ^SMC~+5uToE2rBdrXKl*2^#E>BDbn#T95RJk>rRsB_hO~bK
z=_rzzY`e{iR4-D!NcAGMmq?}d`>8Nu5=hwXb}9ox5DST+{ZN=R*5lWu-0RZAWYxD=
jp_ioJRFc;BS$v<AmuK}2{F{~W{POJol8MYyJ*5Bu6%`bD

literal 0
HcmV?d00001

diff --git a/doc/arm/resolver-forward.png b/doc/arm/resolver-forward.png
new file mode 100644
index 0000000000000000000000000000000000000000..188e834a3ea873415869ea29901f675a5a439801
GIT binary patch
literal 15644
zcmb8WbyU?~^euV_Y3Y`3X#oM@P)avaf`mv2igX+r2_=*cNdXZ=QbJNn8fgKMkWOik
zka&yly}x(=x?{X|hC?`<`0UT#d(Ac1oNI?`YbssGqs2oY5Z6_d<?ka9=v?soG!8oa
z&rr&s13xfa@2cqG;NVQoY0bh@Tqk8CR|Eok5PnCXNu7yYLm-$CD)MrAsPxSY9~7DX
zY3Fad5&S_)Ogyfx54rkJN%*?huj!DmZ)zz_w=eN?<Kn&LBG--x#Bnjb-`4)4-2Uqh
z7k6a+a8`L;4sI5D5MQ;TF_$(sg>i)TufdaZ=kI^kzFP^YaHzyLzT+g)627w{<@mDu
zq+fC+{Ya3v7d@!Ua$~F*{{36af49EAP79A4H!L4NcBos+tE{X{5q=UycSq<aAqx&E
zx*!)ajLxP%-A**^1}!aHkK4xB^Y#deg^oA)Zw+yRLRjGS8}_1;t3&Sx-pL45G#D34
zqjny_x1X<51Tkf+$(PZ~rru`sKb{-RzPD6Ji1@krx5TubLB@Y7z>FD(bQr~p^z!l|
z_(uIkacChWC1r{c&ui85wc`6#F+4=ynaT6%I`=<6Kby6+jgF4m+1W94!}s#N!Wlkt
zX5-{sSz5Z5_q@a|tq%(!n)XI~_KWJQLaR*$J13{>lbet7xx)TTR&Q$soW_r9J%&3t
zJ=!iUQiFkG2goChi<7L43P+z-Pab+p>7Z{9uDS8{Qc_a(l<xg{R_Zlv@~Eq;t88-9
zpfJ(eD7YnSe1n2SMxbB688siy=}ULXBOvfj$U5Tw1rrXbsEF5(ydm34V?G2q1;x<k
z(4BB?2M2yC=3U-Bym)LQ%%Ohc!ck*h%IqK3Ha0FAF<Se3dk5Z9;}V}0(Mi(!6wx_`
z`R}|<PFAYcY$Z1f>3o)4sLaTAJ*Cg)jUonuBR>2Xp}{IRLq&D?Zd}Av;Q<3?tU)tF
zkKgg!tERKP$U-eORn?z)HN*WuK|$;5Pn&APnUs}><x%#cY3+~E0xK&;)}B7CN{x(R
zV~C=8(=jz=LaO<hSFO&T87tVLH;Jzyf-<t*UNk;!>-B2_1WbiZMM}a-k+rooT5}TL
z!!Py|IipYE8i;0xYK-Q&Z?9ZkT~#cK4SFLNm5=XMhQy?&+gDHa*;Huezt5Ox^po69
z|2X>8rH-w!W-uT;&ouEJ(o2ZS?wXLO_r=M|bkfkqp#w#%^~A~k3eP4z%Uxkc0eRw7
znUK!Mp9KlxV`H-o3Tq$w;3|7+MZ}t!kq=w1EG{ZP6i!iR3!K$wGrjS7`%|)(h6ejm
zG^32P_kpbw78l$eHI1+h0U|dy7lGh(#0q|KL=VGM(C?IFJEIciGc_w5tvlb=PWtre
zlX<|o{>^7;VvYtqdI(~V-wvJhQXj5GQL*4eb66sIdy^6pxQ6$=BMb^Dq7IxqPaBQ{
zU!tB>Px4W!85<kBxCpJag^PIie0e?@f*oFvlf$xwGlW&`&D0sNws-B?HFkFP-0j})
z-w&++Xh`1>b4bvA-S)&`p$r0Uc=&#(2|l**EQ&d3$4NLNwWx#Gqchi)^PGu>k~Gw9
z!eyCoad9yw-`7oHW?#%O2HX5;mGS$b*9=mrA6wtvvb1GgjEq@TA`fnnRZI&Z;^`9p
zs$XajyRBA-8{E=NL7d4ReU{8sI%L}wsA^!4)c!cuaga*-{6KdN9fn0iL$mlY1F6cc
zC2nd_WlZ5NC>|D79Uk>v<u&V<=H0uPBrjg4I*|}v*V0j@xt|$K@Ykuc%9w9}X<9CR
zj*`$!Wti?sObHIcgpWm7cG@{UZmJDghkPEAkgpWJDm0}XvpP{`Tx?R`u%7co<wt<U
z$N>%Ud1IyX&?RetY=G_^V!H&KgeL=;^wa}>O2@8<mD?(s`1FZ!mqIS4v08Sl4Xv2j
zBwILsUN`~-W<0GNHQXf)q@r(_TF|Gc<ha<}B<y$eP<Z(GMk;f+Xy3G4Xu8BwGR$1o
z@5skGn4(^_6wb%)gneOgCR^y?$-cxP<rTD!da~*!u_sU18FFVT>Z>GOR5L0^{6JU8
zaN#+_o5iZitDC+S+G#m8Gy6(ncXyZc-MU*{YwO*TZP;&5tA06Dt8qCu`Ja<}3^~SJ
z8aP<c(CD%DaML;NyRi`&&%io{k=4xN;gT%(XYly-!Nt6<7fhz;VG}VB%#ZJq&!89_
z3F17p-K;d{b<zg?QPET^VO%wQ=&kt>mp5;!+<f-=^Jl|SGyNW8aXBGp+bZL9j5n1c
zJ32R7^Wo3V&d#bv`wnvYYKTt!SW0|FWEhTGGQWG8<6RC;&GgmL!eo{_VoY2jZ4|My
zgvX!bNynxWTQ*kKh5GGA-8M!{xmK(uoak?Jf+^|`s~x_gcITIRlS@r%hihF|B)1z}
z+rmf!PI}FqbQfc;usd4jqDFvnety3HoeblR8-)q~AtoNamYv-i>_7jrT_wY7EUc`I
zUW>8SGu}M6Zt1jmkOY+34&}5*Qu!DrTfCjF_avefQ8r43VPTM`nK&)=P!t=aB_yzA
zOCX%iPY;V9R(q`fu=`bMr+WL%akxSxW%mT5T$t*I)8mC`9d}|(5`~no{DuZ3JNt){
zlK%I`p40B*p1=L5=;=4>F~Tk%R69%;8C5JkVYHq6vY9F6<M8#+pvgOwNqIFVa3>w<
zRj&0;dZu_(SzR6J^S4O#!`={fTdAI*;j^k=Qa*o`sUjmHQbp{B>)bb-sEOo=aeXN=
z@u~PB!Sy9m1Rc%zY#W;UEkzP3KN5Fc{$6g~3z2T1qa$Z73QJ{L??Es4sCl_Bjg`g8
znmUNdVMiaO_?mjI-oD7Z$^Z0VO`28?UB%LJVd%Y5Z%>cn8`{vv!AxOF$85+~g!FX_
zQIhg}t8R6F{@C+#Caz*VqvK9o|5f$uX8<!!P$i}>tqF~oL;A<{m<(A?txWa%JE`g%
z!7bYN@6U4wG=7_V@cD7On!wk^NMW2H%(opK9lw74dgMd$SYBRUnKRH47sa^yV|=``
zqob!tGs4=+s^-_VTv+#|rKK4!mc=y3Mz7s=s>Je_m~SPwYAhj{xBNwS)-p1pS-!WI
zz;9Zor>BQG8OgNZ*H&TOOL>jzU8c0(>DkG?YB6_lNy$u8fJ`NZ?fWn(wm?0EW&}Q;
zL+w&h{Z<{%PqPp#%1HK~{37@bRGCE5$Fepm{2TQLd9Qx^|J$^TmRhcoVJX5w8LRjx
zGublQV-pj3&Az}MD}G32FK{>b1qL?vu`Q?Du0OIVH&<TsGlXC{Mxt41GQZbsGg@he
z95JTc-D}&d40i@5#7ASPr{|hCTj6iU=>F*~e`41W&7t^IXDb9jOgO{pJ7%a{*CMY^
zu-zt~S9@(<{gsp(C4d9~ERi0z6_IyGG(W8>*A$_B6Vif)fra`%Z_$!EOel=D7rnvy
zQhxQD;P)8jdkr2~axvPR0s_$%)bEG5OkZ12hl_AERw@vBTcjVL9Hf-Q;hyD!u@n>(
zZZ36Z$pt$FV6vTY2?z-A@_ru}80hZ4$;I`tw3O(Jl7FYIh|5uGcX#)qhi=}-u3LnN
zJ9qBjiGQM_eWO@xu(G_2H5nVzlHYyJvg5T*PxQE%kH$^iJ{(pA#_UEP4XOA4CN;YC
z9-DQZ+nI@px82u&d{9f4K3R;vb?a8Kah0luh7@GQGQR_SpjWlEwLo@|rUN}a_s9Gl
z97^DszwP#IiHs;~BZuj1r5MN5<mCKH-MMhB*7$etN|oOZS3MgiVO2bK=)C@VHZ(4f
zs}JTDi--aFs5wwe`Xo0mPw_!kNy%1MEUVw?fr_f?=|I2*8H(t<2e`pnHAlS4`=Q09
zrC4iUxH#KZHU`rS2LJt+@@mKhHdIdZ$PmSoq~IhpGZl-6K-~U@Jc+=c77`X-TS%W=
z<oBKY@*FSoyI=?BT=<(e88QKl(G2p6idb$k3_J+@W^`LL-j7mYac}#UH8UhOr|S(h
z=Z1%eV_B6%tMe75<5E-c5R{RjZezI{<5xt620?&@(OV8<Y7H_jwlNw5OyBg#{0mGC
zO;%ME&+C~8?b>ROl~8O<Xx8Y{D>jI4p;E_JF#(iDfw67}57=pB``yNCVgV6~%jMo}
z<L=1PhP|Hiqu<++p^$u?4e!e`H+h~)d`7dnze_A&n<t~1C%rTphYHIeXhsZ@@d~9G
zI4=dhk(mEN!KPdU5e&#TUTU6f9%?-SD;MEm!HhRVUCtOW?J&M^m>IPZ^Tc4$B6Zp!
znXA_CpNFl)jAg|{TztF=@7*T~WJ$S`E*k^`gt!ih(F~gxy-fVtkI>eV&HdL7)mN#^
zeRo5t%yy=+t-BCq;`dni0yEctzd=wUiiM525kHp`i0hKjn8w}76-q3&8hfy0{b{Gp
z--Td=JlDj|b)bo5dL){*(wDYkI!!O>@tRS_%qSozOf#S7=1t}o=;D&k6qMD}Faj4k
zqwBc^z4ol?ryWGoOcmHJI!5~iaEQ!9SLWLzB|W#!=3X%(`?hIFNOs2_Iu;vMDCT^J
z>f++x@5|H0cbM{snj5sk?KcozW$d+L^Zr7M_gBz`ugfwAb{MH`6e%1u4~rDdQ7@b&
zl(icfMq$X(%eQ^}^yw-;1P>o{$8)~(`)g#*Yd_O)GNL7;-@~X?P+DqUX*&c-%~#A?
zgw~5WO5R+ZEkum}Zb$@@Wg#3JH@K$Lh>ea!nng`b4OZ8!ZQ)aHKCvXwTar2r!pGEX
zRAUeOGo_vhQj?OBYNm_JMLpn60_5+p6Jcjx`nTPbJkkS&%qt?si^FkqpT$YWars7J
zX(j<?<8@ubYNaCKggI>t+kzTQ1VI9Q`O2r1PaoWOZ=P3IVvObWha7ESQA@aeRJxqb
z*Ls(E%Tlq>pxFO(jWe2?Tj6)3pQ-73XlSU(tu-`6qUs@B4ZA%c$vT<e6bdv+$U-Ce
zTD_(E#>RLE;V1ozQBDIB7ssJ@Ug<wbT8fHPWP_lVSHAq0Q83y{c^wNwyLY(zVNlB>
zU}J;ihU{y%IQPU>5W7Z|fgdLis$G3Lw(2%Y0PVYEzRg95wccaPhmDNb`7S)LBi+~6
z_jU8jr2Nrmg91HB@f#3Zi`9oq$>wo&-(C@2t{0YCjm42N6jtzXHlb?@hmf}V&>Wk0
z-k7^38I4mV--<@gK$U*S)n@s73gk<~&QHte?xqs*#r**pDzkNDS6208?8-#N6YM3P
zGG3px;SYrL5(rs)`#-N~gnN2>mwu4qX(0mhyeWCZ;z+Dnf|M?jutHzWrtG9k`Hb0$
zkanX5e*DPAKSctWIjQO5uoR{z1=2YrQFwfHbzU9Jo)XZ_JFB5$uyEuj$2An-u~vN$
z>7ej~L!4;OO7UuhXh1{#pc)BZL?FHiViVHsY@zSRLatNp#qFZZjG~vsTH+yw>Zikt
zl#EQ+@6@e&kBoc{m!%=B2mk!u9CH^%W<&&@u?vot%z34G2J4@x+W4b?4ga?4FZbVF
zD(l6vBa5<*IGqL>zb6pb7AzoXvikPg?&+zmDo=ASXAi;{@FZrJsinLthsQHa^tg|F
zBD=^L5I-xPXq7c~0WJWWQ<fwnBio;H9mtSy@6k_8;y^YAx88FSKvGap2sG@VZ+jAM
zwbEPDh}ys1;pAqPaS44jp8YWG6S|fl>KoF4s%i@BmQ4>%>45tZ0*|P-oPWz75oq!D
z{NK^PeRQ{QCv7?Mlh*yS{Q>NyNMf^qbN6gD$RQ(n8j@anxn)Sa==`i5;@ptV#6@Cs
zvMu5eIik)oi*F%&to+Dhyzu0=JLwSX?NsLW({)v=w|BZ&qcPW27yp|rWAsd%fsZ=x
zgAPp}Bo!AIYpAP}yYos&7?+MGCngRpVQ?T1b{g-ao@-x(MG=!T1Rd)JxvumV12eT3
zHLrD1s0>v7P`8rlgTj@0@L5VF6#FYrQc{xQ7~lT!-$_TM*VMP{f0kV(CYEhN(g)l;
zJcf|_EWTkGCbN7Ky!VRmd@)|D*{jdVknr5#xK!X;jm+Qe-=%+!q?~4(VXK_4)J~%N
z{rgMN$9CV`+)*@5?D?+)_(<c~UN59i;=^~nQTMb9N1>qeS1n$~cPrP)9+;SzfV|nz
z_x<~#jZNX`dR!bSKl?{FJS=&<Ok$Pa#-gq-uiyCMx}r(Rni=DNhc&aOrw4ZWtJM!(
z_x#()NadB3v@#^BDl7HeByNkd;*!#Y^+)_AZ)aurbt`*dHvN^xWnVe(3L<4#aXHin
zQxO?*so`BxRFr=EnZf=0!{(Q#hK8QWed&%(=YKE$Z8M76{{%z|+Qgrix_<pS!~rB@
z<FDTCVP+9?8h(D~Pz+?m#j#`*y`WlkTDx5vlIHgEhQu64#$bH%cFN2|BsJUT$U$*|
zUe2#HZv`i~HieA}boKP)dDHrAwj!Ov3vaQ1j6P#VzIpQoZk;3kCV~ITZ@(i`e}Dh7
zud)p*fa#76yB*t2mkjnw<bk|Q>_<PQ_&kJt4;JZ*ep<Q`)&+2`-Bt-h^q)tnyu87m
z$uupYvf9l)zewsws{B#Tg*b-u5fB}c+x>EXMpn|3?GsjnZ>7O9lk&tMrE)?vaBiS3
zh%>{&!aQfZ@@r~PXUDs-v9T?O-Bd3LXv!@+que*f!UKwC4RE~p<J_0$Ug9%6UU=6H
zML{Nr4w91f8fl^}u4*(Wqk~Y--`P-PqzYO005vx(dcbTPXqDgJ)dj08uc^#J_tk7b
zkU-_Uo4tLmTQDOm-WH=<@g7qrA0>Wxh_bt32U_zZ!L9_aUr!`@<j&;cyRTiLqtEu&
z>PIa>>}pBAJ1y9xULGK)c^_@{eYK{3X()?o>wLV@pAp~Be%q=m26n6T@oX@HDf4fH
z+jF<N3UzMR)H=Jo_1QRVSuDw71TEr*?8{3j5p*X>u1{!q=|&4@Z?I&q$4s*A+vRI!
z7?hZ#WMq8xK3s1)-*ikCF!#`Z_~HKH_HP*>p*R!KsrGwKi6^n1*Q77c_FullQs~G0
zCI|(c_{2{!L}n!A@yW_N&&^*;J@*n-Z(Fp6q^HyE?F;bmkn!b>KE=n!?=JJTvEeuh
z>3Lc;Oz$lx*Rt3hPxDfza1_`okW`0yAE7d>J+pfwQ?|&39M@Q!oNmSNfrHqD1oFuC
z`+9ndJv{2T>ry3H0Z|N65*DqP;j1g}qowz@cgPgn-4CyeP0jYiw*+Hv|NI=xzwJUF
zUAOkowoWQq$#T}}PLzBEy}8+xF{3wHfzx#KJm0XIdGUpP)Da7Q=64MaDyOs4jZy%J
zH<6L9?r6LZzwkav&WUke=;%Jq=zhF2+ah<y!rN>1)f>obNls&d-Y1|5@s%TV!}0hJ
zo;qb}3bKY=BwVBsR6i&-u%NshR3<S%X2=&5*?q0`abP_DSzy|=T++RfYRBIj<E7Xg
zy-)*=juMSN{*2Qbi9@tjU-eij!#0{o1Ankk>H1^#TJ{enL|dN_JYCq_Kal-6hzDtS
z(H~zm1kb9|U~9w+;7HB6pXaRe80-9G31inx)E)nI5YX9<KD@s&FpwrDAT4e7(;f;!
z$ij=4z1r!&11?Qt{ZMFu-@6G|AgEpr^1v$D4d(*a!tbr8U>KH*uXan-L_A94n9BX<
zSI4$CrEvI~k|NvLZZ13ijjC44`;5g(RU1`pW-cVA(aP4(&z3oRWN)*SM5bs&Y-2ty
z63d6YqRMjet805MZm7tDhQ^0wd~1$`Qcye7ww-rm>3aVxMjH!5|GhfCUmV*!gGQg(
z$qo6mO)L~j8UziAJxy#(zpPOusHf=a>mLrQ3E(b0f$V)zdunydbIW8W#p2t`YrBxs
z9~v5t7e5sH^#L^0a57E?NssUPi81{qh?+nV6pHCrXB2&!xHAi%%nMv^)Lc~MB5?y1
z0}lmHV8v_WBEjd{cTpkNY@an?o7|nV$Ovtj5Qy|vu4X3}t;mX4^<1G4)}F!R+3V*_
z7FRshm>xTnN8#w}>%+8aDJ#zs!1^^pfl?dUZ|Tr@V$)K67<hbqTxeK|H3WnTX!pPg
z84b-H*qylD%psLKnAafpVBcu@kel1E-!BRDZh3KK<y`;=Psh2EhDINxitgXRSl79E
zd8aC#TxB$*sC=Hh%lmLEmJdz`&O(9HUhy;Pe_6-wrzHhBG7LXvrQ;t(OVDmDGxbn#
z(j-Q#q~myt@m9Ovv5NlTu{t<cHEzbk$Jf{0&AjJ2*Lp2kmj<I10Lhd+%^Cljprps2
zS)u3Hp|Fej%p2(tptW>HGn$*2oNd)_V?ELG&b>CfOPHH}rk*OI^5Op1)Ad3?=Zl@!
zWe(GIkyHYNbmB3}QAd*#as1I~6p9?$YX!x3*Kh~zel-4I`dR)<DeSh8oL>KF1zisr
zVdg7_+uRX4g13=IW(raE>y8<(+*N3Z#2oE^H=f6_tEsA~QSm+)1QrZYWmf0bElk!k
zROkMzewyEvRX(+*rUnC>5YumOtK-cL9&YZADEfzbdIun&OuO{*wH#vOIyOw5N`Q=$
zl{LFF_ib%$?c!l0P(JpwzAun_zxo_;mj&0MHEZ6y9!@QUphk2QsDMingC;8=CyYjo
z;O&oVt&(K0Kp#Y3L>JskxHlqFPI9QN`5x=Z`^9!vibwVPtWtrLS=wd_gc<up4he?-
z)0-N6sJs9EZkqcYjzVP!sxUb@Im+@bGthbve=||@xI+r)IR{(Q^*K2?Aldl4f9E57
z^}eX6=;KG*{pCJD^=D2Qa>kgAGR6D9{lA*YRC%TpUPrzY-5jTqVi<XBK9<MXvR_<!
zXMJPiYvD&;K<2og1Zi0Yg);yCR6O!o=MnE%xGCOo&#CEE;={A#j#vgM11tjzpP5I`
zXp3yqc+>5}ZOQ)yFslg!_xFkY_65RvdU|^M*;vEn#Xs;mK==FVvZR_O`uxY!!`YT#
z5Q2PHGCZ*+H862$@o<RdX?hMTlwCO_Bu+mhn|ZH&NDkV>2@;WPpj)`oNr<;)=dOOD
z<KYoqDIeOP4Pwg01O~MRGl6PEPR;=DVav+efoDu;*Fv%3&A41#NO-0!EBC)Xs`?=R
z`-y=NtI#mAmhwuiIhl_X;LuE`zEW$*I5kD$UkA0Y7lr0G*M=j4nEV$2Z6L1kzfdvX
zgQ_KH^X`tt15pBD0|Pz1KhyPMKh2IK!3wf~g^8r(!~4Q|kpmp<+so_li7+21a)7!A
zZz_b5z=M&I(Ow`(9fhYwJ@WJC+ssUVfOin?2xvvPer~~_Q3RU&IJcxPju(QliO`#$
zmENqP61y6FOBiQDjsLkf6jaf4chC_8-~Rk=x{Q+C!ug^LcbEBsM2l+|h!fc;8sdLd
zS0({4H4O-$YuWGs-4GlVd`~tOmYk0tKf+VF13Wq6HeJDaTpH2mzvRKi5)l>UhwSqJ
zte+qhwjwgS1!4oL^WNTGuTFjLQ3z$9qb+*!(*OO%gU$A$`1;rgI>OGqrCy9}Sdy^u
zM{Q*2CbcdfJhx|n9*~`jNJ!Lybpanl`+IdkNw^@|jPJgN;U^5l;o%{VVF^L54BSFv
zAc>Z1{+BPJH*Xev`lOnp4s{b?tOKyHK(A0HocY_-yCR<I9PyRw2w79p>D1fL&=;;Q
z8U3hjq^K6P`}qF-`|j>llX0LdfB5hLs(gY#u=D==;tHF?^-&i+Yy`h~qrFhd+2+*;
zx8Z}ncLFYafq;T^+&u{s^W%qJ9CJcUT-@X8$s0Frbc1FynUt6a6Ty$u$bu8pg~gh=
z+zYoGzTVc+A$>IE3ho2csQiLYe|&^>mx84u_=b=Ld_6tf2wvcU>)30fQg1?4HeF_M
z4|cwp?`}Knvxbx9G@#?Ks1l|eLPC3ACLR8P3J`F%+gVh^ivU&IBqRhhKP2u(acSE1
zD`E^f1BllFfB#GX3$(GZiK4#6!g5#j5U~HU6<>h*O-Eas{8pAWs*4c-36z8hfC7Ly
zsBB(>DjVR758<I8JGaXUdU)@^fB--L@=FUGD@s`i^fCC76`4z;N(W6%O?cf4+Z30`
zqAP|O3L&KLaT$6ED^Aeyb>AP$RA79*y5ZO`^hodwDlFva+%f0|ov&#|zyv)z^PS7T
zJBs#V=c69W(e;9Y0<+rJ5UNbtsDvj_&H}6^D7)O#)zuXSc@LM2qw6Lw{Vwdd5KJy4
zp0NKJN+2)kE1(5b<em?|&p8b`>Ohd=D!}KhI$qO&x%IbX3oeAJ_z?Q2EtpA}I<WOU
zH8@{~paHK%hQhj^oo@#ua|Hq@{I3^540b)#v9Ms?fSoAc8fI1s56{D!S0G}6z>5}w
zJ$8e%0vDt@nwM7|-ljMmVYt5d6>x;0aUpxMW-msz8~>FQMqdFAE`~OWym`(E6lE^!
zO^}6Pb5oov_e%i!#MltxMWg$|BKB~cT&%v2mXEglpFtunFOHfLZ=?SFyfw7&Ki`eV
zbc?7@QZo~I)0>Ve2JC69tQ`?0u&p_U7N}ufuAXxtCSGaCq0krB#jl2(jRTh;pb?U<
zLm0_E6-`5vEjEZx%%y$Pq3;EzmNy;XUW_0jR0%ClJ%z;-ikBseiV2g%fvzrMsi^;%
z6~yMRs`|N?HxkMz$;cL-CSzWKXDfo7!5a1Fb7z9k?WaGu3>oLp@BhzVH;SttTUz>6
zgLDkFARVC+1lx}89g=}W9z$PG42bQ3tcG#a9Rz}|;;I*5hbvh1gK^oT7uz10-s=Uh
zVRSy+*LW*v0U{wNMR_ubW}UhwCP@FY;|xj9(=99rl}p(<o!6lF)dJUPd;kW#lE1(7
ziO<$ltxW|G^$A-M0|SG&;1ZThsPttZ)~Z2-2YhDmUS&4-l_kd972`sxmIqv3%zX9n
zF|39f38d?(NeF;xzoTh)cXtqOAvtG?InF>tagb+%r}M<x`Z~4Xl}7}8LoJC{$5)30
z#!@cWV^b{;;I;`DS?nT-etP(4!W95`bFw<0$p2(1nFzUqI1*)MX6EKzhxaT*O?j<k
zfZ{Sc^HhWuis<46fFCq;R)$cW0zKeg{oUQMGUHx9%Pat&kfUgUAV3k)iiG)G5eH*;
zM4$mZ;z7ApxFJ7;+Eq4dDzoa21LM2c;0CPGCv|!GwqPP@)cTJCFl%bLg#o)#_-4RB
zI-2%;*BJ%)gh>Yh>UlLdV0sr|Z&X!P-M)RBUcyaTON;T2%OcF_!u)*hMmcX<X66NG
zjJ40(pH`_Z&O)lRlZL(LDSf*7{+4Bja&q_g?^BI_K9A1erCk#8%w<hWOG{(p)HeHT
zFD<Sx;Ntur_An1%N@>e2cojz1E6~KNGdrZjs4xnNI0VP7P1oGK$)+zA41Az)W22)m
za6ZUE0EYlkkXZYAdhl|EvxC0P)f|pJ3^-Y$np1*I2`;0$ni_t?6@br>h|d*#{78Mr
z#md?FvwR9jSO9~+ZAGv;J`l6W$OOQAv@XDRO*eSC&YoY5HdPi!%hK|_X8u3WW%(<L
z0mT`Rs4}H!h6@kg5HKtZ3rE2@I*?0L)i*Io2epIuzpU20ZHa`WWLoDoQRDpHH?**z
z0IEc=nGOprvlZOj4nY1xVS_yx_6fkHYwmYg=bRION<vbSx1k@%OII#J4nwFQ5FHIw
zRSC~6I<Fh_^nTFn0g#O~dJ`rqde^Z{_)#;W6jEoNW=4-s&5t;{(NCjb{MA&0<|guq
z5Mn%xk(I%4VUA%4c56JR7WcdswbRMo5|n{Z610Om_Fu~h)+FnH-)Px(?{}t8Ux98u
zRMKnp89Pk;{88#BK7S{kT-lDeI%gESV88Q%4Mw61%_rZm9q3?NR8M<M!Xiq#uan!G
zUuE?cbCLmUMqeh=W-Fn@goH9p@T5%>kzj^^0g~t;sAmVh<hXgjo2%Pjofnw9$-@(W
z{KHBJO%}Qbz6lb1TU=fSBLXJWa0$xzlA2f9YA!A=Wu{lL$<Ty+y6`+>jnZL5-EdNr
zh)&#Td**A8_$#I`#^b$S0qA;Q02cNdlm{^w-A^-2v_zTL5arPfiJW$qe3X%e=%5dp
zNm^DJ%be}pD=lQT=otQ>wy>}O42$}{w)PHCAneIVVpbU$#!${da!N|*GT5u0b_m$4
z8aGL_AN`a#UQA9!)dYZVW~kKq8ag%J?;J;iar?z#S^~U2M7`&>Sp&+s>?;m!3wh@E
z@9KN6x~+t$2@DEHN8f*eO?>+6fpjyD`E#c1J|u#`@BDih2`e!0piKoFZ9_vUd#a#t
z^N@Tf0vHm-Xy0H3qanbI>$4%F)P6*2_#`m1@t5q~8)E-nvqDll6DoWTd!vW8ZAuV!
zx<#;g2q!bMoW$y_6m=`b+eeg$KOXhAH5iEZO3?;m_h7Br9vnZT9{?wgO`6@yyk_*h
zk&zK#T1is=6(8CEF6_Tcdc}IhFH%je@;+=B6<$&y+BZU;wC(3*B!K3)0SZW99w>-l
zziKiPlGwDgje2@;A;Z9#erYi^lO{y)O(RPG3!lp%{(@+lM$`%)os3QX#cVJU6c)ZB
z<uFz1-(E8@M-16or9;P3yqrl&4ojyv0`?f!>_-<{5!x!_H`Tqv$2us;8NfVy!*I6K
zYQTX8<S)rmo0H{0V95GcC?c?$$8R()%OCr_r&KpHV^I0lb$yBZnT(j2VX*-?Sk`@{
zZW0-8dyjFu#QJ)Bb$=D?v@}V^5Hd<%*=Z$7p{l~Domqj#<Gaqu7l9-`;aUaHT5z;T
zRPQ2g^6^bqJxliVGj|P4)|;^svJ**#8~kcUg!upM-mzi-1PCEVrdYfT2*pM~y2%Ef
z0W<Ec_YBe*>=}cCv-Afoc+K|(nx^iYkdYzqXSe;sCDn`(_)nu5oyF-K!OFk9IDem$
zL;VuOOj>DQlz{=|H^K1maG*M+MMVT(q8Vh%V~ltyhmGP(%=1T}O$s4MO~Bhb+{+yT
zeMd>w#Ri4b4l8zAIyxj*{Xj9*itl5iO4K>XaE)+`iw#Q0$*PFKMH5QvD;f6O{eKO<
z<kLt+mTBpE&pEU}Yz9=;moFaQ-`;Y$`wr+~06@eIQG1*~Oa9My-r3&z;mWtg>LM6@
zDl*~~(yZ-RyLX_pn8^E0=uYMzmf2aUx1`3i`g18g<i3)2T@`Mp<86{U4NCYa8cp_@
zk;bHiZ1^lg-}9by=x>y0+6Z@82~|BEU7vXJZn`O;>D%0_pRvCFm5v4C(80#I<3OgA
z-0q-mSO?r50=m+?zs`&})9-zcK&n?vZj!Qt=0T{@=>w*9^)6mU;DZNo4!y;~NJ+Mu
zme7}(q&Rc`nMz>EB_$_AO>>@?=0HkmJNilg>C>mq&buI#1<M3TU^LG+jEEr?Bc_)f
zT|3Y?0?AiMvb<IH-e%(<5H<gpC7M;Sx+vVnkiBg*^&=@m2!34@KJNpx9|+1%xB}`b
z_ug^+AGdM8o*ZHCnn`yjKUtO^b8Bm4`5;A7xWss6HsiZZ_wGWc&*AzZuyLG2#V(Mr
zMQHmV3!g8l-@6waH0CBjKd~Jve<!!XAOyN(5HUZ)EcO<=J?f|JMe8G!&#rH!vA@`B
z)ipCSGdCAF)fq1_1#%w%yg4;B6~yR^cr9roXxaho1{(iLOlt3&nEc_scMSTg|M{U|
zyJ_g_yy`{FVK2K3tr_K4)+DbHLt^Tdh-Ml*duIl=CY&6_n~#g5^YCiQzq=}8XL+1F
zKc*Dv7jXZHtt$fFWj*@i!C4Vy+9e6fy~A385;QK%!7k~qA-DRqa37|-Pk-spZhOs{
zWbOIqXLca-EeOM@YDe?6H)Np~AY9u2_^1OED&pTh!0?kNPk8p!wQ3Bsas)U?TW?S?
z-&J6U-E9jFk(*lJb*bj|l?T_ureb0>tW#e_i`fIZ@mSo_=-LF8@eJ-<(TmG}O_x6K
zlcKWQ83<1F4Y4a@KGT4$+IVL>ZwTv!SjV?FR*1kC5_ctRD}-MkFSOMPDql*})Q#nJ
z*wwt1{ZT$ha~jr?ajmYb^5#%7adB2%7rVlV;+2^>C_jI&*GRIhd+NA0rl7Svf<Ro!
z*#Wyy1z&8KU)F(S=IY{t{JOKKZD6q6o5TogFL0h8L=1OGTHq>T1<!#?u*VYxSqlOC
zt%h~VRTN#UsI{Ee(?o=2=xJ5JnSDmgE(HTyMcL@n55Gy3zxd3ox#-6+xUvMe5)!{t
zzz?g_2#{PGQK;mWkukrZA>>RTVPLtl=)B(O_mBK@ckp+o$k(swWc<&72`?EE#O&B+
zSlfQrz>hC9-SkzHetywv=}v1X#<%@NqF5^3G82!;GYR!uv(BCUs^^e^PMjDqzpzmF
z=~F|U{q*cVLUibxi12B5KL!61j8_@=^@MceyK}gRLA`;XYdS(X>he2Xze%%pj@yoY
z2WZ($$MB45%@H!QvIbYq$DTo7YinaP{~uM9xDMLNb?GC6jhs?9o*SejfmE%m&wGk@
za5nL;*LfS=)E&+@yfP(K)1?$bpTNu>tjB<bed@a#A?Wkh-boIsF++847d<Ph#kG<A
zME9b`#zr7bCS*fHLlPNVZQ*3YRY5FBxezKHuTKG7NVB_aucQwz@I7%FtfjyxA>&YY
z;*nv%k9IR$RYk2vYEOzBkZkf4>si?KRthiYiAs?&*y*}}!zWj<UtC+zlWHo?;q0xj
z6yl$0K~cl`tFF3r|2I@*AU@{(3I+*8&%l7&o4JCw_X2jW!@hS6Zi~Z{rPBomN2nhg
z3?TDCId#_tFKl=?q*KYbW(Or)8>rmh`~t(vRgVES?7@MX06~w{Vpr^e-|FGU_;27b
zlMeOI=i9<b;~zG>AQ+7)z^+AL(LA$Wy)AnaVfSP5R=<pT{|7;WW~<MfIwk2kk{J`r
z-uA45d0h{rlCQU|r)zeIKX>8$L_AxzkHQM9vzuBNT3hO{9n~19kl)CJ?ujh`1)r_j
zCx8?O&R@++o25h0q0#vMey0b-=rM1wN<7EVH(|u!;9!~ENFMmWAg``L70@I4s!|*o
zR{;F7t|zrq@H-H}bGB$YC>v^RH?C%wQxoa&=WSU8sx4T6KThypQ?|{X3&}2sUY-!>
zIpYum#oXN7XU^<Lt3%&59d&KmFc4rd7*2fyPpebk6~5%E11};XVs#HK616(#_hIK(
z)^`$mW<KP6Y#Qw&2qYj>c~98)YQPVLt~D$KaBC-Vx|=s|QVE!WY`F?`oQcU46iTp<
z>)kh?TTMq-H$FYx#N0dpkh86=4NUd~XciI`<zQ#mH#EEiHwB7}s}^e&6%}9Kvo~Th
z4~&ewK+uPj`SRsU_#c|G{4dXs8bI@Cx_}MfFw@{QRpX3L$=ghGFmHvvC?5P0iNFt}
zm8G)E59)%Mq2f0=hAdXgy#qCUCP*TGCSa$C;>CDrquS=2(k0wgTLjAOC(5B|_L>wM
zFaxM{aMSAj&rg9*mw}(J#OUYN5_Ao^1j!B~{x1&fG^0!$FwPPpy~0t@l}uE%*T@NQ
z7^{aXpA0Zm_m*}o20<@k#Z~DxQ}xU+$y(*_3#dlpt(~KhdpN!2SJeXo_Ho?kIMlHg
zMqfY#zAA8yJm9j3GRscFa?;h$oeY*nf4e!~VFrHs#O>mG%esf$?uj1vXs${;V43Dw
zXV^-Bz_XDmNtfkoAtR9yC_)D0G2FIyvV!2Fu4q&c4w!Gqy)H1|xFj-Y(_=ADb|e1p
zZf|dXs1owNB~so6I<0s~R*6@4AB-I?JLVV`uR7zh!cyORNf2AM<|IA?<@1jpKOk$1
z?K3{l8bTy!(>s6Ucy|yER*}qZ8yRdXkf=_yqD%DU$&;*Q&JRYQ$IW-YPmHu3^@1?j
zEMBcf<w;F8nZq!yl-EgSx15AIXSiudhnJCbw_MPFK5*>{KQ}i^QlE|RkwVR4@mta#
z_$GK-US20qS#!Cz{Jm21t8-jfoITgpkG4PcEJVv}jj^-HU|<o{xUI!awkr3|HU8V0
zEVqu789S?f0My^iYl&iQQtp2&VT4r*X1CL~cCy@uoVZf8^64fyTIjg9l?l;ZT#+{4
zsdX0U+N6tv8m!(U--S;A4G{7RUtA-(w(Ts{`eA1ZZU?Gk)2gS5={Kd=6flW&?(FJW
zhUkNo>{XbmprWpB0<Dsu1^Sx5e-%Oo+;eQ>5KyzlgN-gMGSUZXe`o}P@cFZz5clT?
zbOu5Xc^7WV^}_KDnwQK4GPSwl4b5SiZ7P*7ww`u5Lk}1W^Zn^W=PR-)r1aMI-5M9R
z4qid`wdcPoQ$U@r7?7@qN&>=N#Y#;Q8t{C5kt!FlF)^}=wvXY6Ma>*m`Gf4MnEO?U
z76^@x)u5KLu&@XTl|P^S0&N!vVk#=n^HX<3SVV-XvNBUWvlA9b37|v3yWjy$xquP5
zj{MM&0=Iq+Z6WRL?J9omSh9tK3wcO{RG?f;cpRPKr^KYd>rD6lsB?FMyKn{#Sbd;}
zF7+gyoSftYuh4;{6$yOWsZ~%t1R+2;Ha6xD#DR1Z&Of+d6j~jlA%uj4R{!~>0%iaM
zz9&b-%EAJv8%m7AhDaDV^n`kQcz8U1oO6IX{<I1jm#iL03k%2l+_kPUUL*XPmGuZf
zhv3`C(RC<wz-F$VmZJH|=~bF-=OB{lOga|El4_rDtj-9~^Z5ZUXip^#t+*PQ%&xqv
zAR2?%oe<^^=QXtQI*${<$e!6lPX!1A1<kC{H>HF{x;C&Vn}q)j+eayya+{3ETcJF+
zyi}YUe4K~qGbCDciKP5?g^Fv9?KYyRPPPwUS+}^YgD4EjFHC!VUC!3mBQqJ(?#69A
zt$nE0xVPr;1sa%s830m4QgAY;J6J?dqD{{y`;L<>^Wl<1)xOF&)aVCJ>pD`)qzZ?h
zg9;}SO_N_6XJBlX_{7;gdcQQ_yjRQ2<!piRlK6R@ZocN-ZswZrCRq-rl&N`p2X}9<
z-A5en&HEd<^<XsN5orlre?h^J<8|@Cbn!9$0Hpl#iVD;APVlS}Wl9zy{e+3G(1SFc
zQof~cV1Rch&cR^=vTljctGfTsPO#>GPB4Qj=pht51~^NdzvZHBYeqo*fIS+nN+>6f
zQvThiHp22}Erdp9Z7;xN`!V~d#>lX(Db=HEYZxJ^oiu2OXS#FXxQSo1X9yQ(=?vK_
zvRqHKRTv@>v*3Sv$Gte{lKv8(Xb#A`z}JH~CwV9EvMy@gLL%Vu7;6C0PtN%Wc=<gs
z5_<aL@r@4^p)cKf=$fzPzG(kv@*HHhyC=KP1}p4FIO_PS<L(iYFqj3l9<Gu4Q5q^%
z>T+P&-5QL*jV=p(u_w=Clfv)lgvH22x$DF*{Cr5%%lyTRt?XUrQS^2SgGDKVTrH9-
zk9zDKbH;0v=imfP@{~3VmzYYPs{R87p5klFrEGznzyZTRgww^D7ypHBfgZH`>e<;9
zOd3P7eUTrEAANMA1){1iMR*0sRd2EYG%K*)Q67sqJ<}y^nR5bdDB)}x7HqW8@SV8x
zV{jR)`h(1~#3Gg{g<}7><xED_PK)V32z<cWJvFsOYn>C9tAbLlPP}`r#^oZadOv+4
z!^74MVUv&iS&$+1fyc$C+_}CwR)NZDKrF>QSOW|)03{OxgD)Uz{@t9655`mE6nQpQ
zv^%YAVqyXfy#HJ>%RDxJ!Pt}(6*YmT0NsaUCXj0L%Qcwz=*&Htph+T4($m4t?q=*e
zkXUZk)bsTL&3aNjd8a$&_Oqm;xO>a<t|JeWn|Raz3ehxgIZS>=y#Mg`1=eq5E-TU^
zztolgHakhT#{_iAE|BxZd4*8wfrA|+q3{vF3N&Uo98}tL;r;mWJScW3*L3o^lqZ?H
z&bhBFs3Y4+|2sH<aN3=3zkWmXHNE5)aEi0CWFPYr1)<&uJv4XS+Xw#91l~>rwiMwj
z(4hkQQg6$<u;np#2f2AoCD;qO8fr}kk9cX1Anf&!axA#!)qT&Oz9~|Vso1%rL_87L
zd@q`oqJ5RXSv+n@f3Yj?V$AD7a)KRJJyvIDCp1`;R#v)!n-%bH^7k1@&*j007C`S|
z-6=?uFA3>CWyv6}wkr56S52fz4;^&Igo2#7Sdk$xRImNzb5KMZy$?SH*`R?C@b`Z=
z&if_O5n=>p+^0=a{V^bZy8sUM2_aUi1~?GGuFo(O2jzV5Cb*al{}`okrRK%H`S{9(
z_O|#9b^(S0#AF8J&_>LZ!Qw1wv<um-#qsHxA9t^~W*;b;|DDjGkePuX@jF-@y5UgM
zG7>@XjTa;~h~9{L5#M8{J1G?;ZJa^Kj>P~I4%|?iB=-1B+rh`?1_7CvMAeOi)WB`8
z>cFK-8&FRgkLM#F`Sf9PQlT(4`E3iz`k1l<-$Wo>&?@~+J~PtVB7RbOlIFaBf5i^w
z=O34U4s+|y2M3}x6rWWoir}>)&OFiLR%h_>wc!C499e*WD2lADmvR&$LE|yd)g2ie
zl)bM42lQ^;xnuNx2>O~qu)g-2mt_te>=zMMP<0!i9j_dYRD|%Lj=-e*|7bn`k8ABj
z4=zrG9BB^bBz|t~$m5U|g67YU{sm$tr#_M#M4#Qve#MkiNj;Zx<xjH}sc31H78hR!
z16uKDYdU!IuG6DdY5p1L+2DNVOKL9=v)l^zR_m8Rf{BYaCxGOOhi-tqy*<dOKqikq
zfaZse)BhBo5kh(&IvLs6*x)qU+qd99LzjKKpgJgN;97u=*78U)j0p!FoLE$u<8SF=
z10O(>wZ|ZJnUq^~SK5isz)=)IxjEeDV2hAxAwL5lKhcML=2$TSGk(4T#~8!F$75E9
z^!`rT59s8UT{|Q=2-RueH5WTz0n5{pXA;{q2ciKW?3XxzBMQR>l`zpA7d#|B@meOm
z6KFL3Qw2vKK=P1wSyaAuCF;lGDk7O7uXgiQPtE_kG&M7u`B9)t;S8UW=YVUfczd4$
zvG=VWfn@~K<o6~lOcyp|RVV}WnIylLC?d<yT=}G~p`l@6k)1OGr&4OrLOBn>jtQO=
z0=g|!%x6+FDCP-5I1&S1fQ=@Qi~m-gqsllVEe(#zO&jy@^BZ&tfDCJtwG+ZH?2<FG
zMu2q>plirB!4i&<Xfij!r>$PJl6ixLXvk<MLR&GxYYx_q^@O?qi30ODygU`$N@f7`
z0hKEe0t{T{1ezCEF!Oa^F+jlt`biEW#ecf>oOAtjW_tRco>@R;*mOm213)8=1BcyP
zd9fDU87r<X+ZZ@WqD}wOLi<YQXX8R<D?NSsDQL{N+Mzh>HVm}-YM?|?2Qfio|DnTw
zf19P&TGcT!f*yUU4@D3rT2LP7_RzxOJp_AR3a*u&nD`;AAkCo;S0BtoL@<e#@_kd&
zjJI#OK4&R$P)1rq1sG8STc3sOHR^60pf;ar-47*J-8^-<E9++mM%k*KBDBPKdHl-L
z{i>G|_AB=~SQ}xya19G6xJ7_U3UJT3kDCJKs@7l40zP@>;PSi6vz7JHLWuQ6L%{Sg
zP$C%NfRxOYL&Mgr^n9)v+<IXlAs}&VIxj8W!YQ2%@aP&LEn+Ogxuq~-^30v=#zv5Q
zDagqal9R_rNAJ)PCRu||0Bjk~^3FnUr9~V%rd%q<|85RB30S|>K-<vzY6!@OP*Kp7
KFS+|D=>Gw{NaP0q

literal 0
HcmV?d00001


From 1369885c2bf3fa21da5d9a0c729926535ac37df2 Mon Sep 17 00:00:00 2001
From: Suzanne Goldlust <sgoldlust@isc.org>
Date: Thu, 21 Apr 2022 13:49:16 +0000
Subject: [PATCH 15/15] Add RPZ section to the ARM

Closes: #1223

(cherry picked from commit 8a3c4cbcddbc6658ecad907e8594de38cd1f1887)
---
 doc/arm/Makefile.am  |   1 +
 doc/arm/chapter5.rst |   1 +
 doc/arm/rpz.inc.rst  | 782 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 784 insertions(+)
 create mode 100644 doc/arm/rpz.inc.rst

diff --git a/doc/arm/Makefile.am b/doc/arm/Makefile.am
index 972af604e9..e8024040f0 100644
--- a/doc/arm/Makefile.am
+++ b/doc/arm/Makefile.am
@@ -54,6 +54,7 @@ EXTRA_DIST =					\
 	requirements.txt			\
 	resolver-forward.dia			\
 	resolver-forward.png			\
+	rpz.inc.rst				\
 	security.inc.rst			\
 	sig0.inc.rst				\
 	tkey.inc.rst				\
diff --git a/doc/arm/chapter5.rst b/doc/arm/chapter5.rst
index d1c9015cd5..68d98bced0 100644
--- a/doc/arm/chapter5.rst
+++ b/doc/arm/chapter5.rst
@@ -13,3 +13,4 @@
 .. include:: dlz.inc.rst
 .. include:: dyndb.inc.rst
 .. include:: catz.inc.rst
+.. include:: rpz.inc.rst
diff --git a/doc/arm/rpz.inc.rst b/doc/arm/rpz.inc.rst
new file mode 100644
index 0000000000..0b981da00f
--- /dev/null
+++ b/doc/arm/rpz.inc.rst
@@ -0,0 +1,782 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0.  If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight:: none
+
+.. dns_firewalls_rpz:
+
+DNS Firewalls and Response Policy Zones
+---------------------------------------
+
+A DNS firewall examines DNS traffic and allows some responses to pass
+through while blocking others. This examination can be based on several
+criteria, including the name requested, the data (such as an IP address)
+associated with that name, or the name or IP address of the name server
+that is authoritative for the requested name.  Based on these criteria, a
+DNS firewall can be configured to discard, modify, or replace the original
+response, allowing administrators more control over what systems can access
+or be accessed from their networks.
+
+DNS Response Policy Zones (RPZ) are a form of DNS firewall in which the
+firewall rules are expressed within the DNS itself - encoded in an open,
+vendor-neutral format as records in specially constructed DNS zones.
+
+Using DNS zones to configure policy allows policy to be shared from
+one server to another using the standard DNS zone transfer mechanism.
+This allows a DNS operator to maintain their own firewall policies and
+share them easily amongst their internal name servers, or to subscribe to
+external firewall policies such as commercial or cooperative "threat
+feeds," or both.
+
+:iscman:`named` can subscribe to up to 64 Response Policy Zones, each of which
+encodes a separate policy rule set.  Each rule is stored in a DNS resource
+record set (RRset) within the RPZ, and consists of a **trigger** and an
+**action**.  There are four types of triggers and four types of actions.
+
+A response policy rule in a DNS RPZ can be triggered as follows:
+
+- by the query name
+- by an address which would be present in a truthful response
+- by the name or address of an authoritative name server responsible for
+  publishing the original response
+
+A response policy action can be one of the following:
+
+- to synthesize a "domain does not exist" (NXDOMAIN) response
+- to synthesize a "name exists but there are no records of the requested
+  type" (NODATA) response
+- to replace/override the response's data with specific data (provided
+  within the response policy zone)
+- to exempt the response from further policy processing
+
+The most common use of a DNS firewall is to "poison" a domain name, IP
+address, name server name, or name server IP address. Poisoning is usually
+done by forcing a synthetic "domain does not exist" (NXDOMAIN) response.
+This means that if an administrator maintains a list of known "phishing"
+domains, these names can be made unreachable by customers or end users just
+by adding a firewall policy into the recursive DNS server, with a trigger
+for each known "phishing" domain, and an action in every case forcing a
+synthetic NXDOMAIN response. It is also possible to use a data-replacement
+action such as answering for these known "phishing" domains with the name
+of a local web server that can display a warning page. Such a web server
+would be called a "walled garden."
+
+.. note::
+
+  Authoritative name servers can be responsible for many different domains.
+  If DNS RPZ is used to poison all domains served by some authoritative
+  name server name or address, the effects can be quite far-reaching. Users
+  are advised to ensure that such authoritative name servers do not also
+  serve domains that should not be poisoned.
+
+.. _why_dns_firewall:
+
+Why Use a DNS Firewall?
+~~~~~~~~~~~~~~~~~~~~~~~
+
+Criminal and network abuse traffic on the Internet often uses the Domain
+Name System (DNS), so protection against these threats should include DNS
+firewalling.  A DNS firewall can selectively intercept DNS queries for
+known network assets including domain names, IP addresses, and name
+servers. Interception can mean rewriting a DNS response to direct a web
+browser to a "walled garden," or simply making any malicious network assets
+invisible and unreachable.
+
+.. _what_dns_firewalls_do:
+
+What Can a DNS Firewall Do?
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Firewalls work by applying a set of rules to a traffic flow, where each
+rule consists of a trigger and an action. Triggers determine which messages
+within the traffic flow are handled specially, and actions determine what
+that special handling is. For a DNS firewall, the traffic flow to be
+controlled consists of responses sent by a recursive DNS server to its
+end-user clients. Some true responses are not safe for all clients, so the
+policy rules in a DNS firewall allow some responses to be intercepted and
+replaced with safer content.
+
+.. _rpz_rule_sets:
+
+Creating and Maintaining RPZ Rule Sets
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In DNS RPZ, the DNS firewall policy rule set is stored in a DNS zone, which
+is maintained and synchronized using the same tools and methods as for any
+other DNS zone. The primary name server for a DNS RPZ may be an internal
+server, if an administrator is creating and maintaining their own DNS
+policy zone, or it may be an external name server (such as a security
+vendor's server), if importing a policy zone published externally. The
+primary copy of the DNS firewall policy can be a DNS "zone file" which is
+either edited by hand or generated from a database. A DNS zone can also be
+edited indirectly using DNS dynamic updates (for example, using the
+"nsupdate" shell level utility).
+
+DNS RPZ allows firewall rules to be expressed in a DNS zone format and then
+carried to subscribers as DNS data. A recursive DNS server which is capable
+of processing DNS RPZ synchronizes these DNS firewall rules using the same
+standard DNS tools and protocols used for secondary name service. The DNS
+policy information is then promoted to the DNS control plane inside the
+customer's DNS resolver, making that server into a DNS firewall.
+
+A security company whose products include threat intelligence feeds can use
+a DNS Response Policy Zone (RPZ) as a delivery channel to customers.
+Threats can be expressed as known-malicious IP addresses and subnets,
+known-malicious domain names, and known-malicious domain name servers. By
+feeding this threat information directly into customers' local DNS
+resolvers, providers can transform these DNS servers into a distributed DNS
+firewall.
+
+When a customer's DNS resolver is connected by a realtime subscription to a
+threat intelligence feed, the provider can protect the customer's end users
+from malicious network elements (including IP addresses and subnets, domain
+names, and name servers) immediately as they are discovered. While it may
+take days or weeks to "take down" criminal and abusive infrastructure once
+reported, a distributed DNS firewall can respond instantly.
+
+Other distributed TCP/IP firewalls have been on the market for many years,
+and enterprise users are now comfortable importing real-time threat
+intelligence from their security vendors directly into their firewalls.
+This intelligence can take the form of known-malicious IP addresses or
+subnets, or of patterns which identify known-malicious email attachments,
+file downloads, or web addresses (URLs). In some products it is also
+possible to block DNS packets based on the names or addresses they carry.
+
+.. _rpz_limitations:
+
+Limitations of DNS RPZ
+~~~~~~~~~~~~~~~~~~~~~~
+
+We're often asked if DNS RPZ could be used to set up redirection to a CDN.
+For example, if "mydomain.com" is a normal domain with SOA, NS, MX, TXT
+records etc., then if someone sends an A or AAAA query for "mydomain.com",
+can we use DNS RPZ on an authoritative nameserver to return "CNAME
+mydomain.com.my-cdn-provider.net"?
+
+The problem with this suggestion is that there is no way to CNAME only A
+and AAAA queries, not even with RPZ.
+
+The underlying reason is that if the authoritative server answers with a
+CNAME, the recursive server making that query will cache the response.
+Thereafter (while the CNAME is still in cache), it assumes that there are
+no records of any non-CNAME type for the name that was being queried, and
+directs subsequent queries for all other types directly to the target name
+of the CNAME record.
+
+To be clear, this is not a limitation of RPZ; it is a function of the way
+the DNS protocol works. It's simply not possible to use "partial" CNAMES to
+help when setting up CDNs because doing this will break other functionality
+such as email routing.
+
+Similarly, following the DNS protocol definition, wildcards in the form of
+``*.example`` records might behave in unintuitive ways. For a detailed
+definition of wildcards in DNS, please see :rfc:`4592`, especially section 2.
+
+.. _dns_firewall_examples:
+
+DNS Firewall Usage Examples
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Here are some scenarios in which a DNS firewall might be useful.
+
+Some known threats are based on an IP address or subnet (IP address range).
+For example, an analysis may show that all addresses in a "class C" network
+are used by a criminal gang for "phishing" web servers. With a DNS firewall
+based on DNS RPZ, a firewall policy can be created such as "if a DNS lookup
+would result in an address from this class C network, then answer instead
+with an NXDOMAIN indication." That simple rule would prevent any end users
+inside customers' networks from being able to look up any domain name used
+in this phishing attack – without having to know in advance what those
+names might be.
+
+Other known threats are based on domain names. An analysis may determine
+that a certain domain name or set of domain names is being or will shortly
+be used for spamming, phishing, or other Internet-based attacks which all
+require working domain names. By adding name-triggered rules to a
+distributed DNS firewall, providers can protect customers' end users from
+any attacks which require them to be able to look up any of these malicious
+names. The names can be wildcards (for example, \*.evil.com), and these
+wildcards can have exceptions if some domains are not as malicious as
+others (if \*.evil.com is bad, then not.evil.com might be an exception).
+
+Alongside growth in electronic crime has come growth of electronic criminal
+expertise. Many criminal gangs now maintain their own extensive DNS
+infrastructure to support a large number of domain names and a diverse set
+of IP addressing resources. Analyses show in many cases that the only truly
+fixed assets criminal organizations have are their name servers, which are
+by nature slightly less mobile than other network assets. In such cases,
+DNS administrators can anchor their DNS firewall policies in the abusive
+name server names or name server addresses, and thus protect their
+customers' end users from threats where neither the domain name nor the IP
+address of that threat is known in advance.
+
+Electronic criminals rely on the full resiliency of DNS just as the rest of
+digital society does. By targeting criminal assets at the DNS level we can
+deny these criminals the resilience they need. A distributed DNS firewall
+can leverage the high skills of a security company to protect a large
+number of end users. DNS RPZ, as the first open and vendor-neutral
+distributed DNS firewall, can be an effective way to deliver threat
+intelligence to customers.
+
+A Real-World Example of DNS RPZ's Value
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The Conficker malware worm (https://en.wikipedia.org/wiki/Conficker) was
+first detected in 2008. Although it is no longer an active threat, the
+techniques described here can be applied to other DNS threats.
+
+Conficker used a domain generation algorithm (DGA) to choose up to 50,000
+command and control domains per day. It would be impractical to create
+an RPZ that contains so many domain names and changes so much on a daily
+basis. Instead, we can trigger RPZ rules based on the names of the name
+servers that are authoritative for the command and control domains, rather
+than trying to trigger on each of 50,000 different (daily) query names.
+Since the well-known name server names for Conficker's domain names are
+never used by nonmalicious domains, it is safe to poison all lookups that
+rely on these name servers.  Here is an example that achieves this result:
+
+::
+
+  $ORIGIN rpz.example.com.
+  ns.0xc0f1c3a5.com.rpz-nsdname  CNAME  *.walled-garden.example.com.
+  ns.0xc0f1c3a5.net.rpz-nsdname  CNAME  *.walled-garden.example.com.
+  ns.0xc0f1c3a5.org.rpz-nsdname  CNAME  *.walled-garden.example.com.
+
+The ``*`` at the beginning of these CNAME target names is special, and it
+causes the original query name to be prepended to the CNAME target. So if a
+user tries to visit the Conficker command and control domain
+http://racaldftn.com.ai/ (which was a valid Conficker command and control
+domain name on 19-October-2011), the RPZ-configured recursive name server
+will send back this answer:
+
+::
+
+  racaldftn.com.ai.     CNAME     racaldftn.com.ai.walled-garden.example.com.
+  racaldftn.com.ai.walled-garden.example.com.     A      192.168.50.3
+
+This example presumes that the following DNS content has also been created,
+which is not part of the RPZ zone itself but is in another domain:
+
+::
+
+  $ORIGIN walled-garden.example.com.
+  *     A     192.168.50.3
+
+Assuming that we're running a web server listening on 192.168.50.3 that
+always displays a warning message no matter what uniform resource
+identifier (URI) is used, the above RPZ configuration will instruct the web
+browser of any infected end user to connect to a "server name" consisting
+of their original lookup name (racaldftn.com.ai) prepended to the walled
+garden domain name (walled-garden.example.com). This is the name that will
+appear in the web server's log file, and having the full name in that log
+file will facilitate an analysis as to which users are infected with what
+virus.
+
+.. _firewall_updates:
+
+Keeping Firewall Policies Updated
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It is vital for overall system performance that incremental zone transfers
+(see :rfc:`1995`) and real-time change notification (see :rfc:`1996`) be
+used to synchronize DNS firewall rule sets between the publisher's primary
+copy of the rule set and the subscribers' working copies of the rule set.
+
+If DNS dynamic updates are used to maintain a DNS RPZ rule set, the name
+server automatically calculates a stream of deltas for use when sending
+incremental zone transfers to the subscribing name servers. Sending a
+stream of deltas – known as an "incremental zone transfer" or IXFR – is
+usually much faster than sending the full zone every time it changes, so
+it's worth the effort to use an editing method that makes such incremental
+transfers possible.
+
+Administrators who edit or periodically regenerate a DNS RPZ rule set and
+whose primary name server uses BIND can enable the
+``ixfr-from-differences`` option, which tells the primary name server to
+calculate the differences between each new zone and the preceding version,
+and to make these differences available as a stream of deltas for use in
+incremental zone transfers to the subscribing name servers. This will look
+something like the following:
+
+.. code-block:: c
+
+       options {
+                 // ...
+                 ixfr-from-differences yes;
+                 // ...
+       };
+
+As mentioned above, the simplest and most common use of a DNS firewall is
+to poison domain names known to be purely malicious, by simply making them
+disappear. All DNS RPZ rules are expressed as resource record sets
+(RRsets), and the way to express a "force a name-does-not-exist condition"
+is by adding a CNAME pointing to the root domain (``.``). In practice this
+looks like:
+
+::
+
+  $ORIGIN rpz.example.com.
+  malicious1.org          CNAME .
+  *.malicious1.org        CNAME .
+  malicious2.org          CNAME .
+  *.malicious2.org        CNAME .
+
+Two things are noteworthy in this example. First, the malicious names are
+made relative within the response policy zone. Since there is no trailing
+dot following ".org" in the above example, the actual RRsets created within
+this response policy zone are, after expansion:
+
+::
+
+  malicious1.org.rpz.example.com.         CNAME .
+  *.malicious1.org.rpz.example.com.       CNAME .
+  malicious2.org.rpz.example.com.         CNAME .
+  *.malicious2.org.rpz.example.com.       CNAME .
+
+Second, for each name being poisoned, a wildcard name is also listed.
+This is because a malicious domain name probably has or may potentially
+have malicious subdomains.
+
+In the above example, the relative domain names `malicious1.org` and
+`malicious2.org` will match only the real domain names `malicious1.org`
+and `malicious2.org`, respectively. The relative domain names
+`*.malicious1.org` and `*.malicious2.org` will match any
+`subdomain.of.malicious1.org` or `subdomain.of.malicious2.org`,
+respectively.
+
+This example forces an NXDOMAIN condition as its policy action, but other
+policy actions are also possible.
+
+.. _multiple_rpz_performance:
+
+Performance and Scalability When Using Multiple RPZs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Since version 9.10, BIND can be configured to have different response
+policies depending on the identity of the querying client and the nature of
+the query. To configure BIND response policy, the information is placed
+into a zone file whose only purpose is conveying the policy information to
+BIND. A zone file containing response policy information is called a
+Response Policy Zone, or RPZ, and the mechanism in BIND that uses the
+information in those zones is called DNS RPZ.
+
+It is possible to use as many as 64 separate RPZ files in a single instance
+of BIND, and BIND is not significantly slowed by such heavy use of RPZ.
+
+(Note: by default, BIND 9.11 only supports up to 32 RPZ files, but this
+can be increased to 64 at compile time. All other supported versions of
+BIND support 64 by default.)
+
+Each one of the policy zone files can specify policy for as many
+different domains as necessary. The limit of 64 is on the number of
+independently-specified policy collections and not the number of zones
+for which they specify policy.
+
+Policy information from all of the policy zones together are stored in a
+special data structure allowing simultaneous lookups across all policy
+zones to be performed very rapidly. Looking up a policy rule is
+proportional to the logarithm of the number of rules in the largest
+single policy zone.
+
+.. _rpz_practical_tips:
+
+Practical Tips for DNS Firewalls and DNS RPZ
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Administrators who subscribe to an externally published DNS policy zone and
+who have a large number of internal recursive name servers should create an
+internal name server called a "distribution master" (DM). The DM is a
+secondary (stealth secondary) name server from the publisher's point of
+view; that is, the DM is fetching zone content from the external server.
+The DM is also a primary name server from the internal recursive name
+servers' point of view: they fetch zone content from the DM.  In this
+configuration the DM is acting as a gateway between the external publisher
+and the internal subscribers.
+
+The primary server must know the unicast listener address of every
+subscribing recursive server, and must enumerate all of these addresses as
+destinations for real time zone change notification (as described in
+:rfc:`1996`). So if an enterprise-wide RPZ is called "rpz.example.com" and
+if the unicast listener addresses of four of the subscribing recursive name
+servers are 192.0.200.1, 192.0.201.1, 192.0.202.1, and 192.0.203.1, the
+primary server's configuration looks like this:
+
+.. code-block:: c
+
+  zone "rpz.example.com" {
+       type primary;
+       file "primary/rpz.example.com";
+       notify explicit;
+       also-notify { 192.0.200.1;
+                     192.0.201.1;
+                     192.0.202.1;
+                     192.0.203.1; };
+       allow-transfer { 192.0.200.1;
+                        192.0.201.1;
+                        192.0.202.1;
+                        192.0.203.1; };
+       allow-query { localhost; };
+  };
+
+Each recursive DNS server that subscribes to the policy zone must be
+configured as a secondary server for the zone, and must also be configured
+to use the policy zone for local response policy. To subscribe a recursive
+name server to a response policy zone where the unicast listener address
+of the primary server is 192.0.220.2, the server's configuration should
+look like this:
+
+.. code-block:: c
+
+  options {
+       // ...
+       response-policy {
+            zone "rpz.example.com";
+       };
+       // ...
+  };
+
+  zone "rpz.example.com";
+       type secondary;
+       primaries { 192.0.222.2; };
+       file "secondary/rpz.example.com";
+       allow-query { localhost; };
+       allow-transfer { none; };
+  };
+
+Note that queries are restricted to "localhost," since query access is
+never used by DNS RPZ itself, but may be useful to DNS operators for use in
+debugging. Transfers should be disallowed to prevent policy information
+leaks.
+
+If an organization's business continuity depends on full connectivity with
+another company whose ISP also serves some criminal or abusive customers,
+it's possible that one or more external RPZ providers – that is, security
+feed vendors – may eventually add some RPZ rules that could hurt a
+company's connectivity to its business partner. Users can protect
+themselves from this risk by using an internal RPZ in addition to any
+external RPZs, and by putting into their internal RPZ some "pass-through"
+rules to prevent any policy action from affecting a DNS response that
+involves a business partner.
+
+A recursive DNS server can be connected to more than one RPZ, and these are
+searched in order. Therefore, to protect a network from dangerous policies
+which may someday appear in external RPZ zones, administrators should list
+the internal RPZ zones first.
+
+
+.. code-block:: c
+
+  options {
+       // ...
+       response-policy {
+            zone "rpz.example.com";
+            zone "rpz.security-vendor-1.com";
+            zone "rpz.security-vendor-2.com";
+       };
+       // ...
+  };
+
+Within an internal RPZ, there need to be rules describing the network
+assets of business partners whose communications need to be protected.
+Although it is not generally possible to know what domain names they use,
+administrators will be aware of what address space they have and perhaps
+what name server names they use.
+
+::
+
+  $ORIGIN rpz.example.com.
+  8.0.0.0.10.rpz-ip                CNAME   rpz-passthru.
+  16.0.0.45.128.rpz-nsip           CNAME   rpz-passthru.
+  ns.partner1.com.rpz-nsdname      CNAME   rpz-passthru.
+  ns.partner2.com.rpz-nsdname      CNAME   rpz-passthru.
+
+Here, we know that answers in address block 10.0.0.0/8 indicate a business
+partner, as well as answers involving any name server whose address is in
+the 128.45.0.0/16 address block, and answers involving the name servers
+whose names are ns.partner1.com or ns.partner2.com.
+
+The above example demonstrates that when matching by answer IP address (the
+.rpz-ip owner), or by name server IP address (the .rpz-nsip owner) or by
+name server domain name (the .rpz-nsdname owner), the special RPZ marker
+(.rpz-ip, .rpz-nsip, or .rpz-nsdname) does not appear as part of the CNAME
+target name.
+
+By triggering these rules using the known network assets of a partner,
+and using the "pass-through" policy action, no later RPZ processing
+(which in the above example refers to the "rpz.security-vendor-1.com" and
+"rpz.security-vendor-2.com" policy zones) will have any effect on DNS
+responses for partner assets.
+
+.. _walled_garden_ip_address:
+
+Creating a Simple Walled Garden Triggered by IP Address
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+It may be the case that the only thing known about an attacker is the IP
+address block they are using for their "phishing" web servers. If the
+domain names and name servers they use are unknown, but it is known that
+every one of their "phishing" web servers is within a small block of IP
+addresses, a response can be triggered on all answers that would include
+records in this address range, using RPZ rules that look like the following
+example:
+
+::
+
+  $ORIGIN rpz.example.com.
+  22.0.212.94.109.rpz-ip          CNAME   drop.garden.example.com.
+  *.212.94.109.in-addr.arpa       CNAME   .
+  *.213.94.109.in-addr.arpa       CNAME   .
+  *.214.94.109.in-addr.arpa       CNAME   .
+  *.215.94.109.in-addr.arpa       CNAME   .
+
+Here, if a truthful answer would include an A (address) RR (resource
+record) whose value were within the 109.94.212.0/22 address block, then a
+synthetic answer is sent instead of the truthful answer. Assuming the query
+is for www.malicious.net, the synthetic answer is:
+
+::
+
+  www.malicious.net.              CNAME   drop.garden.example.com.
+  drop.garden.example.com.        A       192.168.7.89
+
+This assumes that `drop.garden.example.com` has been created as real DNS
+content, outside of the RPZ:
+
+::
+
+  $ORIGIN example.com.
+  drop.garden                     A       192.168.7.89
+
+In this example, there is no "\*" in the CNAME target name, so the original
+query name will not be present in the walled garden web server's log file.
+This is an undesirable loss of information, and is shown here for example
+purposes only.
+
+The above example RPZ rules would also affect address-to-name (also
+known as "reverse DNS") lookups for the unwanted addresses. If a mail
+or web server receives a connection from an address in the example's
+109.94.212.0/22 address block, it will perform a PTR record lookup to
+find the domain name associated with that IP address.
+
+This kind of address-to-name translation is usually used for diagnostic or
+logging purposes, but it is also common for email servers to reject any
+email from IP addresses which have no address-to-name translation. Most
+mail from such IP addresses is spam, so the lack of a PTR record here has
+some predictive value.  By using the "force name-does-not-exist" policy
+trigger on all lookups in the PTR name space associated with an address
+block, DNS administrators can give their servers a hint that these IP
+addresses are probably sending junk.
+
+.. _known_rpz_inconsistency:
+
+A Known Inconsistency in DNS RPZ's NSDNAME and NSIP Rules
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Response Policy Zones define several possible triggers for each rule, and
+among these two are known to produce inconsistent results. This is not a
+bug; rather, it relates to inconsistencies in the DNS delegation model.
+
+DNS Delegation
+^^^^^^^^^^^^^^
+
+In DNS authority data, an NS RRset that is not at the apex of a DNS zone
+creates a sub-zone.  That sub-zone’s data is separate from the current (or
+"parent") zone, and it can have different authoritative name servers than
+the current zone. In this way, the root zone leads to COM, NET, ORG, and so
+on, each of which have their own name servers and their own way of managing
+their authoritative data. Similarly, ORG has delegations to ISC.ORG and to
+millions of other “dot-ORG” zones, each of which can have its own set of
+authoritative name servers. In the parlance of the protocol, these NS
+RRsets below the apex of a zone are called “delegation points.” An
+NS RRset at a delegation point contains a list of authoritative servers
+to which the parent zone is delegating authority for all names at or below
+the delegation point.
+
+At the apex of every zone there is also an NS RRset. Ideally, this
+so-called “apex NS RRset” should be identical to the “delegation point NS
+RRset” in the parent zone, but this ideal is not always achieved. In the
+real DNS, it’s almost always easier for a zone administrator to update one
+of these NS RRsets than the other, so that one will be correct and the
+other out of date. This inconsistency is so common that it’s been
+necessarily rendered harmless: domains that are inconsistent in this way
+are less reliable and perhaps slower, but they still function as long as
+there is some overlap between each of the NS RRsets and the truth. (“Truth”
+in this case refers to the actual set of name servers that are
+authoritative for the zone.)
+
+A Quick Review of DNS Iteration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+In DNS recursive name servers, an incoming query that cannot be answered
+from the local cache is sent to the closest known delegation point for the
+query name. For example, if a server is looking up XYZZY.ISC.ORG and it
+the name servers for ISC.ORG, then it sends the query to those servers
+directly; however, if it has never heard of ISC.ORG before, it must first
+send the query to the name servers for ORG (or perhaps even to the root
+zone that is the parent of ORG).
+
+When it asks one of the parent name servers, that server will not have an
+answer, so it sends a “referral” consisting only of the “delegation point
+NS RRset.” Once the server receives this referral, it “iterates” by sending
+the same query again, but this time to name servers for a more specific
+part of the query name.  Eventually this iteration terminates, usually by
+getting an answer or a “name error” (NXDOMAIN) from the query name’s
+authoritative server, or by encountering some type of server failure.
+
+When an authoritative server for the query name sends an answer, it has the
+option of including a copy of the zone’s apex NS RRset. If this occurs, the
+recursive name server caches this NS RRset, replacing the delegation point
+NS RRset that it had received during the iteration process. In the parlance
+of the DNS, the delegation point NS RRset is “glue,” meaning
+non-authoritative data, or more of a hint than a real truth. On the other
+hand, the apex NS RRset is authoritative data, coming as it does from the
+zone itself, and it is considered more credible than the “glue.” For this
+reason, it’s a little bit more important that the apex NS RRset be correct
+than that the delegation point NS RRset be correct, since the former will
+quickly replace the latter, and will be used more often for a longer total
+period of time.
+
+Importantly, the authoritative name server need not include its apex NS
+RRset in any answers, and recursive name servers do not ordinarily query
+directly for this RRset. Therefore it is possible for the apex NS RRset to
+be completely wrong without any operational ill-effects, since the wrong
+data need not be exposed. Of course, if a query comes in for this NS RRset,
+most recursive name servers will forward the query to the zone’s authority
+servers, since it’s bad form to return “glue” data when asked a specific
+question. In these corner cases, bad apex NS RRset data can cause a zone to
+become unreachable unpredictably, according to what other queries the
+recursive name server has processed.
+
+There is another kind of “glue," for name servers whose names are below
+delegation points. If ORG delegates ISC.ORG to NS-EXT.ISC.ORG, the ORG
+server needs to know an address for NS-EXT.ISC.ORG and return this address
+as part of the delegation response. However, the name-to-address binding
+for this name server is only authoritative inside the ISC.ORG zone;
+therefore, the A or AAAA RRset given out with the delegation is
+non-authoritative “glue,” which is replaced by an authoritative RRset if
+one is seen. As with apex NS RRsets, the real A or AAAA RRset is not
+automatically queried for by the recursive name server, but is queried for
+if an incoming query asks for this RRset.
+
+Enter RPZ
+^^^^^^^^^
+
+RPZ has two trigger types that are intended to allow policy zone authors to
+target entire groups of domains based on those domains all being served by
+the same DNS servers: NSDNAME and NSIP. The NSDNAME and NSIP rules are
+matched against the name and IP address (respectively) of the nameservers
+of the zone the answer is in, and all of its parent zones. In its default
+configuration, BIND actively fetches any missing NS RRsets and address
+records.  If, in the process of attempting to resolve the names of all of
+these delegated server names, BIND receives a SERVFAIL response for any of
+the queries, then it aborts the policy rule evaluation and returns SERVFAIL
+for the query. This is technically neither a match nor a non-match of the
+rule.
+
+Every "." in a fully qualified domain name (FQDN) represents a potential
+delegation point. When BIND goes searching for parent zone NS RRsets (and,
+in the case of NSIP, their accompanying address records), it has to check
+every possible delegation point. This can become a problem for some
+specialized pseudo-domains, such as some domain name and network reputation
+systems, that have many "." characters in the names. It is further
+complicated if that system also has non-compliant DNS servers that silently
+drop queries for NS and SOA records. This forces BIND to wait for those
+queries to time out before it can finish evaluating the policy rule, even
+if this takes longer than a reasonable client typically waits for an answer
+(delays of over 60 seconds have been observed).
+
+While both of these cases do involve configurations and/or servers that are
+technically "broken," they may still "work" outside of RPZ NSIP and NSDNAME
+rules because of redundancy and iteration optimizations.
+
+There are two RPZ options, ``nsip-wait-recurse`` and ``nsdname-wait-recurse``,
+that alter BIND's behavior by allowing it to use only those records that
+already exist in the cache when evaluating NSIP and NSDNAME rules,
+respectively.
+
+Therefore NSDNAME and NSIP rules are unreliable. The rules may be matched
+against either the apex NS RRset or the "glue" NS RRset, each with their
+associated addresses (that also might or might not be "glue"). It’s in the
+administrator's interests to discover both the delegation name server names
+and addresses, and the apex name server names and authoritative address
+records, to ensure correct use of NS and NSIP triggers in RPZ. Even then,
+there may be collateral damage to completely unrelated domains that
+otherwise "work," just by having NSIP and NSDNAME rules.
+
+.. _rpz_disable_mozilla_doh:
+
+Example: Using RPZ to Disable Mozilla DoH-by-Default
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Mozilla announced in September 2019 that they would enable DNS-over-HTTPS
+(DoH) for all US-based users of the Firefox browser, sending all their DNS
+queries to predefined DoH providers (Cloudflare's 1.1.1.1 service in
+particular). This is a concern for some network administrators who do not
+want their users' DNS queries to be rerouted unexpectedly. However,
+Mozilla provides a mechanism to disable the DoH-by-default setting:
+if the Mozilla-owned domain `use-application-dns.net
+<https://use-application-dns.net>`_ returns an NXDOMAIN response code, Firefox
+will not use DoH.
+
+To accomplish this using RPZ:
+
+1. Create a polizy zone file called ``mozilla.rpz.db`` configured so
+   that NXDOMAIN will be returned for any query to ``use-application-dns.net``:
+
+::
+
+  $TTL	604800
+  $ORIGIN	mozilla.rpz.
+  @	IN	SOA	localhost. root.localhost. 1 604800 86400 2419200 604800
+  @	IN	NS	localhost.
+  use-application-dns.net CNAME .
+
+2. Add the zone into the BIND configuration (usually :iscman:`named.conf`):
+
+.. code-block:: c
+
+  zone mozilla.rpz {
+      type primary;
+      file "/<PATH_TO>/mozilla.rpz.db";
+      allow-query { localhost; };
+  };
+
+3. Enable use of the Response Policy Zone for all incoming queries
+   by adding the ``response-policy`` directive into the ``options {}``
+   section:
+
+.. code-block:: c
+
+  options {
+  	response-policy { zone mozilla.rpz; } break-dnssec yes;
+  };
+
+4. Reload the configuration and test whether the Response Policy
+   Zone that was just added is in effect:
+
+.. code-block:: shell-session
+
+  # rndc reload
+  # dig IN A use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
+  # dig IN AAAA use-application-dns.net @<IP_ADDRESS_OF_YOUR_RESOLVER>
+
+The response should return NXDOMAIN instead of the list of IP addresses,
+and the BIND 9 log should contain lines like this:
+
+.. code-block:: none
+
+  09-Sep-2019 18:50:49.439 client @0x7faf8e004a00 ::1#54175 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
+  09-Sep-2019 18:50:49.439 client @0x7faf8e007800 127.0.0.1#62915 (use-application-dns.net): rpz QNAME NXDOMAIN rewrite use-application-dns.net/AAAA/IN via use-application-dns.net.mozilla.rpz
+
+Note that this is the simplest possible configuration; specific
+configurations may be different, especially for administrators who are
+already using other response policy zones, or whose servers are configured
+with multiple views.